pubkeyapp · beeman · Jan 9, 2024 · Jan 9, 2024
diff --git a/.env.example b/.env.example
@@ -14,6 +14,13 @@ API_URL=http://localhost:3000/api
 #AUTH_GITHUB_CLIENT_SECRET=
 # Enable login with GitHub
 #AUTH_GITHUB_ENABLED=true
+# Google Admin IDs (comma-separated)
+#AUTH_GOOGLE_ADMIN_IDS=
+# Google OAuth
+#AUTH_GOOGLE_CLIENT_ID=
+#AUTH_GOOGLE_CLIENT_SECRET=
+# Enable login with Google
+#AUTH_GOOGLE_ENABLED=true
 # Twitter Admin IDs (comma-separated)
 #AUTH_TWITTER_ADMIN_IDS=386584531353862154
 # Twitter OAuth2 Consumer Key and Consumer Secret

diff --git a/api-schema.graphql b/api-schema.graphql
@@ -38,6 +38,7 @@ input AdminUpdateUserInput {
 type AppConfig {
   authDiscordEnabled: Boolean!
   authGithubEnabled: Boolean!
+  authGoogleEnabled: Boolean!
   authPasswordEnabled: Boolean!
   authRegisterEnabled: Boolean!
   authSolanaEnabled: Boolean!
@@ -80,6 +81,7 @@ type IdentityChallenge {
 enum IdentityProvider {
   Discord
   GitHub
+  Google
   Solana
   Twitter
 }

diff --git a/libs/api/auth/data-access/src/index.ts b/libs/api/auth/data-access/src/index.ts
@@ -9,4 +9,5 @@ export * from './lib/guards/api-auth-graphql-user-guard'
 export * from './lib/interfaces/api-auth.request'
 export * from './lib/strategies/oauth/api-auth-strategy-discord-guard'
 export * from './lib/strategies/oauth/api-auth-strategy-github-guard'
+export * from './lib/strategies/oauth/api-auth-strategy-google-guard'
 export * from './lib/strategies/oauth/api-auth-strategy-twitter-guard'
diff --git a/libs/api/auth/data-access/src/lib/strategies/api-auth-strategy.module.ts b/libs/api/auth/data-access/src/lib/strategies/api-auth-strategy.module.ts
@@ -2,6 +2,7 @@ import { type DynamicModule, Module } from '@nestjs/common'
 
 import { ApiAuthStrategyDiscordModule } from './oauth/api-auth-strategy-discord.module'
 import { ApiAuthStrategyGithubModule } from './oauth/api-auth-strategy-github.module'
+import { ApiAuthStrategyGoogleModule } from './oauth/api-auth-strategy-google.module'
 import { ApiAuthStrategyTwitterModule } from './oauth/api-auth-strategy-twitter.module'
 
 @Module({})
@@ -12,6 +13,7 @@ export class ApiAuthStrategyModule {
       imports: [
         ApiAuthStrategyDiscordModule.register(),
         ApiAuthStrategyGithubModule.register(),
+        ApiAuthStrategyGoogleModule.register(),
         ApiAuthStrategyTwitterModule.register(),
       ],
     }

diff --git a/libs/api/auth/data-access/src/lib/strategies/oauth/api-auth-strategy-google-guard.ts b/libs/api/auth/data-access/src/lib/strategies/oauth/api-auth-strategy-google-guard.ts
@@ -0,0 +1,5 @@
+import { Injectable } from '@nestjs/common'
+import { AuthGuard } from '@nestjs/passport'
+
+@Injectable()
+export class ApiAuthStrategyGoogleGuard extends AuthGuard('google') {}
diff --git a/libs/api/auth/data-access/src/lib/strategies/oauth/api-auth-strategy-google.module.ts b/libs/api/auth/data-access/src/lib/strategies/oauth/api-auth-strategy-google.module.ts
@@ -0,0 +1,33 @@
+import { type DynamicModule, Logger, Module } from '@nestjs/common'
+import { ApiCoreDataAccessModule } from '@pubkey-stack/api-core-data-access'
+import { ApiAuthStrategyService } from '../api-auth-strategy.service'
+import { ApiAuthStrategyGoogle } from './api-auth-strategy-google'
+
+@Module({})
+export class ApiAuthStrategyGoogleModule {
+  static logger = new Logger(ApiAuthStrategyGoogleModule.name)
+  static register(): DynamicModule {
+    const enabled = this.enabled
+    if (!enabled) {
+      this.logger.warn(`Google Auth DISABLED`)
+      return { module: ApiAuthStrategyGoogleModule }
+    }
+    this.logger.verbose(`Google Auth ENABLED`)
+    return {
+      module: ApiAuthStrategyGoogleModule,
+      imports: [ApiCoreDataAccessModule],
+      providers: [ApiAuthStrategyGoogle, ApiAuthStrategyService],
+    }
+  }
+
+  // TODO: These should be coming from the ApiCoreConfigService instead of process.env
+  private static get enabled(): boolean {
+    return (
+      // Google auth needs to be enabled
+      !!process.env['AUTH_GOOGLE_ENABLED'] &&
+      // And we need to have the client ID and secret set
+      !!process.env['AUTH_GOOGLE_CLIENT_ID'] &&
+      !!process.env['AUTH_GOOGLE_CLIENT_SECRET']
+    )
+  }
+}
diff --git a/libs/api/auth/data-access/src/lib/strategies/oauth/api-auth-strategy-google.ts b/libs/api/auth/data-access/src/lib/strategies/oauth/api-auth-strategy-google.ts
@@ -0,0 +1,34 @@
+import { Injectable } from '@nestjs/common'
+import { PassportStrategy } from '@nestjs/passport'
+import { IdentityProvider } from '@prisma/client'
+import { ApiCoreService } from '@pubkey-stack/api-core-data-access'
+import { Profile, Strategy } from 'passport-google-oauth20'
+import type { ApiAuthRequest } from '../../interfaces/api-auth.request'
+import { ApiAuthStrategyService } from '../api-auth-strategy.service'
+
+@Injectable()
+export class ApiAuthStrategyGoogle extends PassportStrategy(Strategy, 'google') {
+  constructor(private core: ApiCoreService, private service: ApiAuthStrategyService) {
+    super(core.config.authGoogleStrategyOptions)
+  }
+
+  async validate(req: ApiAuthRequest, accessToken: string, refreshToken: string, profile: Profile) {
+    return this.service.validateRequest({
+      req,
+      providerId: profile.id,
+      provider: IdentityProvider.Google,
+      accessToken,
+      refreshToken,
+      profile: createGoogleProfile(profile),
+    })
+  }
+}
+
+function createGoogleProfile(profile: Profile) {
+  return {
+    externalId: profile.id,
+    username: profile.username,
+    avatarUrl: profile.photos?.[0].value,
+    name: profile.displayName,
+  }
+}
diff --git a/libs/api/auth/feature/src/lib/api-auth-feature.module.ts b/libs/api/auth/feature/src/lib/api-auth-feature.module.ts
@@ -2,6 +2,7 @@ import { Module } from '@nestjs/common'
 import { ApiAuthDataAccessModule } from '@pubkey-stack/api-auth-data-access'
 import { ApiAuthStrategyDiscordController } from './api-auth-strategy-discord.controller'
 import { ApiAuthStrategyGithubController } from './api-auth-strategy-github.controller'
+import { ApiAuthStrategyGoogleController } from './api-auth-strategy-google.controller'
 import { ApiAuthStrategyTwitterController } from './api-auth-strategy-twitter.controller'
 import { ApiAuthController } from './api-auth.controller'
 import { ApiAuthResolver } from './api-auth.resolver'
@@ -11,6 +12,7 @@ import { ApiAuthResolver } from './api-auth.resolver'
     ApiAuthController,
     ApiAuthStrategyDiscordController,
     ApiAuthStrategyGithubController,
+    ApiAuthStrategyGoogleController,
     ApiAuthStrategyTwitterController,
   ],
   imports: [ApiAuthDataAccessModule],

diff --git a/libs/api/auth/feature/src/lib/api-auth-strategy-google.controller.ts b/libs/api/auth/feature/src/lib/api-auth-strategy-google.controller.ts
@@ -0,0 +1,26 @@
+import { Controller, Get, Req, Res, UseGuards } from '@nestjs/common'
+
+import {
+  ApiAnonJwtGuard,
+  ApiAuthRequest,
+  ApiAuthService,
+  ApiAuthStrategyGoogleGuard,
+} from '@pubkey-stack/api-auth-data-access'
+import { Response } from 'express-serve-static-core'
+
+@Controller('auth/google')
+export class ApiAuthStrategyGoogleController {
+  constructor(private readonly service: ApiAuthService) {}
+
+  @Get()
+  @UseGuards(ApiAuthStrategyGoogleGuard)
+  redirect() {
+    // This method triggers the OAuth2 flow
+  }
+
+  @Get('callback')
+  @UseGuards(ApiAnonJwtGuard, ApiAuthStrategyGoogleGuard)
+  async callback(@Req() req: ApiAuthRequest, @Res({ passthrough: true }) res: Response) {
+    return this.service.userCookieRedirect(req, res)
+  }
+}
diff --git a/libs/api/core/data-access/src/lib/api-core-config.service.ts b/libs/api/core/data-access/src/lib/api-core-config.service.ts
@@ -18,6 +18,7 @@ export class ApiCoreConfigService {
     return {
       authDiscordEnabled: this.authDiscordEnabled,
       authGithubEnabled: this.authGithubEnabled,
+      authGoogleEnabled: this.authGoogleEnabled,
       authPasswordEnabled: this.authPasswordEnabled,
       authRegisterEnabled: this.authRegisterEnabled,
       authSolanaEnabled: this.authSolanaEnabled,
@@ -92,6 +93,41 @@ export class ApiCoreConfigService {
       !this.service.get<boolean>('authGithubEnabled')
     )
   }
+
+  get authGoogleAdminIds() {
+    return this.service.get<string[]>('authGoogleAdminIds')
+  }
+
+  get authGoogleClientId() {
+    return this.service.get<string>('authGoogleClientId')
+  }
+
+  get authGoogleClientSecret() {
+    return this.service.get<string>('authGoogleClientSecret')
+  }
+
+  get authGoogleScope(): string[] {
+    return ['email', 'profile']
+  }
+
+  get authGoogleStrategyOptions() {
+    return {
+      clientID: this.authGoogleClientId,
+      clientSecret: this.authGoogleClientSecret,
+      callbackURL: this.webUrl + '/api/auth/google/callback',
+      scope: this.authGoogleScope,
+      passReqToCallback: true,
+    }
+  }
+
+  get authGoogleEnabled(): boolean {
+    return !(
+      !this.authGoogleClientId ||
+      !this.authGoogleClientSecret ||
+      !this.service.get<boolean>('authGoogleEnabled')
+    )
+  }
+
   get authTwitterAdminIds() {
     return this.service.get<string[]>('authTwitterAdminIds')
   }
@@ -212,6 +248,8 @@ export class ApiCoreConfigService {
         return this.authDiscordAdminIds?.includes(providerId) ?? false
       case IdentityProvider.GitHub:
         return this.authGithubAdminIds?.includes(providerId) ?? false
+      case IdentityProvider.Google:
+        return this.authGoogleAdminIds?.includes(providerId) ?? false
       case IdentityProvider.Solana:
         return this.authSolanaAdminIds?.includes(providerId) ?? false
       case IdentityProvider.Twitter:

diff --git a/libs/api/core/data-access/src/lib/config/configuration.ts b/libs/api/core/data-access/src/lib/config/configuration.ts
@@ -30,6 +30,11 @@ export interface ApiCoreConfig {
   authGithubClientId: string
   authGithubClientSecret: string
   authGithubEnabled: boolean
+  // Google Authentication
+  authGoogleAdminIds: string[]
+  authGoogleClientId: string
+  authGoogleClientSecret: string
+  authGoogleEnabled: boolean
   // Twitter Authentication
   authTwitterAdminIds: string[]
   authTwitterConsumerKey: string
@@ -71,6 +76,10 @@ export function configuration(): ApiCoreConfig {
     authGithubClientId: process.env['AUTH_GITHUB_CLIENT_ID'] as string,
     authGithubClientSecret: process.env['AUTH_GITHUB_CLIENT_SECRET'] as string,
     authGithubEnabled: process.env['AUTH_GITHUB_ENABLED'] === 'true',
+    authGoogleAdminIds: getFromEnvironment('AUTH_GOOGLE_ADMIN_IDS'),
+    authGoogleClientId: process.env['AUTH_GOOGLE_CLIENT_ID'] as string,
+    authGoogleClientSecret: process.env['AUTH_GOOGLE_CLIENT_SECRET'] as string,
+    authGoogleEnabled: process.env['AUTH_GOOGLE_ENABLED'] === 'true',
     authTwitterAdminIds: getFromEnvironment('AUTH_TWITTER_ADMIN_IDS'),
     authTwitterConsumerKey: process.env['AUTH_TWITTER_CONSUMER_KEY'] as string,
     authTwitterConsumerSecret: process.env['AUTH_TWITTER_CONSUMER_SECRET'] as string,

diff --git a/libs/api/core/data-access/src/lib/config/validation-schema.ts b/libs/api/core/data-access/src/lib/config/validation-schema.ts
@@ -6,17 +6,22 @@ export const validationSchema = Joi.object({
   AUTH_DISCORD_ADMIN_IDS: Joi.string(),
   AUTH_DISCORD_CLIENT_ID: Joi.string(),
   AUTH_DISCORD_CLIENT_SECRET: Joi.string(),
-  AUTH_DISCORD_ENABLED: Joi.boolean().default(true), // Client ID and Client Secret are also required
+  AUTH_DISCORD_ENABLED: Joi.boolean().default(true),
   // GitHub Authentication
   AUTH_GITHUB_ADMIN_IDS: Joi.string(),
   AUTH_GITHUB_CLIENT_ID: Joi.string(),
   AUTH_GITHUB_CLIENT_SECRET: Joi.string(),
-  AUTH_GITHUB_ENABLED: Joi.boolean().default(true), // Client ID and Client Secret are also required
-  // GitHub Authentication
+  AUTH_GITHUB_ENABLED: Joi.boolean().default(true),
+  // Google Authentication
+  AUTH_GOOGLE_ADMIN_IDS: Joi.string(),
+  AUTH_GOOGLE_CLIENT_ID: Joi.string(),
+  AUTH_GOOGLE_CLIENT_SECRET: Joi.string(),
+  AUTH_GOOGLE_ENABLED: Joi.boolean().default(true),
+  // Twitter Authentication
   AUTH_TWITTER_ADMIN_IDS: Joi.string(),
   AUTH_TWITTER_CONSUMER_KEY: Joi.string(),
   AUTH_TWITTER_CONSUMER_SECRET: Joi.string(),
-  AUTH_TWITTER_ENABLED: Joi.boolean().default(true), // Client ID and Client Secret are also required
+  AUTH_TWITTER_ENABLED: Joi.boolean().default(true),
   // Username and Password Authentication
   AUTH_PASSWORD_ENABLED: Joi.boolean().default(true),
   AUTH_REGISTER_ENABLED: Joi.boolean().default(true),

diff --git a/libs/api/core/data-access/src/lib/entity/app-config.entity.ts b/libs/api/core/data-access/src/lib/entity/app-config.entity.ts
@@ -7,6 +7,8 @@ export class AppConfig {
   @Field()
   authGithubEnabled!: boolean
   @Field()
+  authGoogleEnabled!: boolean
+  @Field()
   authPasswordEnabled!: boolean
   @Field()
   authRegisterEnabled!: boolean

diff --git a/libs/sdk/src/generated/graphql-sdk.ts b/libs/sdk/src/generated/graphql-sdk.ts
@@ -61,6 +61,7 @@ export type AppConfig = {
   __typename?: 'AppConfig'
   authDiscordEnabled: Scalars['Boolean']['output']
   authGithubEnabled: Scalars['Boolean']['output']
+  authGoogleEnabled: Scalars['Boolean']['output']
   authPasswordEnabled: Scalars['Boolean']['output']
   authRegisterEnabled: Scalars['Boolean']['output']
   authSolanaEnabled: Scalars['Boolean']['output']
@@ -100,6 +101,7 @@ export type IdentityChallenge = {
 export enum IdentityProvider {
   Discord = 'Discord',
   GitHub = 'GitHub',
+  Google = 'Google',
   Solana = 'Solana',
   Twitter = 'Twitter',
 }
@@ -373,6 +375,7 @@ export type AppConfigDetailsFragment = {
   __typename?: 'AppConfig'
   authDiscordEnabled: boolean
   authGithubEnabled: boolean
+  authGoogleEnabled: boolean
   authPasswordEnabled: boolean
   authRegisterEnabled: boolean
   authSolanaEnabled: boolean
@@ -402,6 +405,7 @@ export type AppConfigQuery = {
     __typename?: 'AppConfig'
     authDiscordEnabled: boolean
     authGithubEnabled: boolean
+    authGoogleEnabled: boolean
     authPasswordEnabled: boolean
     authRegisterEnabled: boolean
     authSolanaEnabled: boolean
@@ -854,6 +858,7 @@ export const AppConfigDetailsFragmentDoc = gql`
   fragment AppConfigDetails on AppConfig {
     authDiscordEnabled
     authGithubEnabled
+    authGoogleEnabled
     authPasswordEnabled
     authRegisterEnabled
     authSolanaEnabled

diff --git a/libs/sdk/src/graphql/feature-core.graphql b/libs/sdk/src/graphql/feature-core.graphql
@@ -1,6 +1,7 @@
 fragment AppConfigDetails on AppConfig {
   authDiscordEnabled
   authGithubEnabled
+  authGoogleEnabled
   authPasswordEnabled
   authRegisterEnabled
   authSolanaEnabled