Merge pull request #33 from Sheldenburg/feature/add-oauth

Feature/add oauth

Author: Sheldenburg

.github/workflows/fastapi-to-gcr.yml

@@ -43,6 +43,6 @@ jobs:
           gcloud run deploy $SERVICE_NAME \
             --image ${{ env.DOCKER_IMAGE_URL }}:latest \
             --platform managed \
-            --set-env-vars POSTGRES_SERVER=${{ secrets.POSTGRES_SERVER }},POSTGRES_PORT=${{ secrets.POSTGRES_PORT }},POSTGRES_DB=${{ secrets.POSTGRES_DB }},POSTGRES_USER=${{ secrets.POSTGRES_USER }},POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }},ENCRYPTION_KEY=${{ secrets.ENCRYPTION_KEY }},PROJECT_NAME=${{ env.PROJECT_ID }},FIRST_SUPERUSER=${{ secrets.FIRST_SUPERUSER }},FIRST_SUPERUSER_PASSWORD=${{ secrets.FIRST_SUPERUSER_PASSWORD }},USERS_OPEN_REGISTRATION=${{ env.USERS_OPEN_REGISTRATION }} \
+            --set-env-vars POSTGRES_SERVER=${{ secrets.POSTGRES_SERVER }},POSTGRES_PORT=${{ secrets.POSTGRES_PORT }},POSTGRES_DB=${{ secrets.POSTGRES_DB }},POSTGRES_USER=${{ secrets.POSTGRES_USER }},POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }},ENCRYPTION_KEY=${{ secrets.ENCRYPTION_KEY }},PROJECT_NAME=${{ env.PROJECT_ID }},FIRST_SUPERUSER=${{ secrets.FIRST_SUPERUSER }},FIRST_SUPERUSER_PASSWORD=${{ secrets.FIRST_SUPERUSER_PASSWORD }},USERS_OPEN_REGISTRATION=${{ env.USERS_OPEN_REGISTRATION }},GOOGLE_CLIENT_ID=${{ secrets.GOOGLE_CLIENT_ID }},GOOGLE_CLIENT_SECRET=${{ secrets.GOOGLE_CLIENT_SECRET }},GOOGLE_REDIRECT_URI=${{ secrets.GOOGLE_REDIRECT_URI }},GH_CLIENT_ID=${{ secrets.GH_CLIENT_ID }},GH_CLIENT_SECRET=${{ secrets.GH_CLIENT_SECRET }} \
             --region australia-southeast1 \
             --allow-unauthenticated

backend/src/.env.example

@@ -37,3 +37,8 @@ SENTRY_DSN=
 # Configure these with your own Docker registry images
 DOCKER_IMAGE_BACKEND=backend
 DOCKER_IMAGE_FRONTEND=frontend
+
+# Google auth
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+GOOGLE_REDIRECT_URI=

backend/src/app/alembic/versions/0bab391507d0_add_oauth_provider_to_user_table.py

@@ -0,0 +1,37 @@
+"""add oauth provider to user table
+
+Revision ID: 0bab391507d0
+Revises: ae5a34f2895e
+Create Date: 2024-10-21 18:13:27.236901
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+import sqlmodel
+
+
+# revision identifiers, used by Alembic.
+revision: str = '0bab391507d0'
+down_revision: Union[str, None] = 'ae5a34f2895e'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('user', sa.Column('provider', sqlmodel.sql.sqltypes.AutoString(), nullable=True))
+    op.alter_column('user', 'hashed_password',
+               existing_type=sa.VARCHAR(),
+               nullable=True)
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.alter_column('user', 'hashed_password',
+               existing_type=sa.VARCHAR(),
+               nullable=False)
+    op.drop_column('user', 'provider')
+    # ### end Alembic commands ###

backend/src/app/api/routes/login.py

@@ -1,16 +1,17 @@
 from datetime import timedelta
 from typing import Annotated, Any
 
-from fastapi import APIRouter, Depends, HTTPException
-from fastapi.responses import HTMLResponse
+import requests
+from fastapi import APIRouter, Depends, HTTPException, Response
+from fastapi.responses import HTMLResponse, RedirectResponse
 from fastapi.security import OAuth2PasswordRequestForm
 
 from app import crud
 from app.api.deps import CurrentUser, SessionDep, get_current_active_superuser
 from app.core import security
 from app.core.config import settings
 from app.core.security import get_password_hash
-from app.models import Message, NewPassword, Token, UserPublic
+from app.models import Message, NewPassword, Token, UserCreateOauth, UserPublic
 from app.utils import (
     generate_password_reset_token,
     generate_reset_password_email,
@@ -123,3 +124,155 @@ def recover_password_html_content(email: str, session: SessionDep) -> Any:
     return HTMLResponse(
         content=email_data.html_content, headers={"subject:": email_data.subject}
     )
+
+
+# Redirect user to Google's OAuth2 login page
+@router.get("/login/google")
+def login_google():
+    google_auth_url = (
+        "https://accounts.google.com/o/oauth2/v2/auth?"
+        f"client_id={settings.GOOGLE_CLIENT_ID}&"
+        "redirect_uri={settings.GOOGLE_REDIRECT_URI}&"
+        "response_type=code&"
+        "scope=email profile"
+    )
+    return RedirectResponse(google_auth_url)
+
+
+# Handle Google OAuth callback
+@router.get("/auth/google")
+def google_oauth(session: SessionDep, code: str, response: Response):
+    token_url = "https://oauth2.googleapis.com/token"
+    token_data = {
+        "code": code,
+        "client_id": settings.GOOGLE_CLIENT_ID,
+        "client_secret": settings.GOOGLE_CLIENT_SECRET,
+        "redirect_uri": settings.GOOGLE_REDIRECT_URI,
+        "grant_type": "authorization_code",
+    }
+
+    token_r = requests.post(token_url, data=token_data)
+    token_json = token_r.json()
+
+    if "error" in token_json:
+        raise HTTPException(
+            status_code=400, detail="Failed to retrieve token from Google"
+        )
+
+    access_token = token_json["access_token"]
+
+    # Get user info from Google
+    user_info = requests.get(
+        "https://www.googleapis.com/oauth2/v2/userinfo",
+        headers={"Authorization": f"Bearer {access_token}"},
+    ).json()
+
+    # Check if the user already exists
+    user = crud.get_user_by_email(session=session, email=user_info["email"])
+    access_token_expires = timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
+    if user:
+        response = RedirectResponse("http://localhost:3000/dashboard")
+        response.set_cookie(
+            key="access_token",
+            value=security.create_access_token(
+                user.id, expires_delta=access_token_expires
+            ),
+            httponly=True,
+        )
+        return response
+
+    # Check if the app is open for new user registration
+    if not settings.USERS_OPEN_REGISTRATION:
+        raise HTTPException(
+            status_code=403,
+            detail="Open user registration is forbidden on this server",
+        )
+    # Create a new user
+    user_create = UserCreateOauth.model_validate(
+        {
+            "email": user_info["email"],
+            "is_active": True,
+            "is_superuser": False,
+            "full_name": user_info["name"],
+            "provider": "google",
+        }
+    )
+    user = crud.create_user_oauth(session=session, user_create=user_create)
+
+    response = RedirectResponse("http://localhost:3000/dashboard")
+    response.set_cookie(
+        key="access_token",
+        value=security.create_access_token(user.id, expires_delta=access_token_expires),
+        httponly=True,
+    )
+    return response
+
+
+# Handle Github OAuth callback
+@router.get("/auth/github")
+def github_oauth(session: SessionDep, code: str, response: Response):
+    token_url = "https://github.com/login/oauth/access_token"
+    token_data = {
+        "code": code,
+        "client_id": settings.GITHUB_CLIENT_ID,
+        "client_secret": settings.GITHUB_CLIENT_SECRET,
+    }
+    headers = {"Accept": "application/json"}
+
+    token_r = requests.post(token_url, data=token_data, headers=headers)
+    token_json = token_r.json()
+    if "error" in token_json:
+        raise HTTPException(
+            status_code=400, detail="Failed to retrieve token from Github"
+        )
+    access_token = token_json["access_token"]
+    # Get user info from Github
+    user_info = requests.get(
+        "https://api.github.com/user",
+        headers={"Authorization": f"Bearer {access_token}"},
+    ).json()
+
+    user_emails = requests.get(
+        "https://api.github.com/user/emails",
+        headers={"Authorization": f"Bearer {access_token}"},
+    ).json()
+
+    # Check if the user already exists
+    user = crud.get_user_by_email(session=session, email=user_emails[0]["email"])
+    access_token_expires = timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
+    if user:
+        response = RedirectResponse("http://localhost:3000/dashboard")
+        response.set_cookie(
+            key="access_token",
+            value=security.create_access_token(
+                user.id, expires_delta=access_token_expires
+            ),
+            httponly=True,
+        )
+        return response
+
+    # Check if the app is open for new user registration
+    if not settings.USERS_OPEN_REGISTRATION:
+        raise HTTPException(
+            status_code=403,
+            detail="Open user registration is forbidden on this server",
+        )
+    # Create a new user
+    user_create = UserCreateOauth.model_validate(
+        {
+            "email": user_emails[0]["email"],
+            "is_active": True,
+            "is_superuser": False,
+            "full_name": user_info["login"],
+            "provider": "github",
+        }
+    )
+    user = crud.create_user_oauth(session=session, user_create=user_create)
+
+    response = RedirectResponse("http://localhost:3000/dashboard")
+    response.set_cookie(
+        key="access_token",
+        value=security.create_access_token(user.id, expires_delta=access_token_expires),
+        httponly=True,
+    )
+    return response

backend/src/app/api/routes/users.py

@@ -169,7 +169,9 @@ def register_user(session: SessionDep, user_in: UserRegister) -> Any:
             status_code=400,
             detail="The user with this email already exists in the system",
         )
-    user_create = UserCreate.model_validate(user_in)
+    user_create = UserCreate.model_validate(
+        {"email": user_in.email, "password": user_in.password}
+    )
     user = crud.create_user(session=session, user_create=user_create)
     return user
 

backend/src/app/core/config.py

@@ -118,5 +118,12 @@ def _enforce_non_default_secrets(self) -> Self:
 
         return self
 
+    GOOGLE_CLIENT_ID: str
+    GOOGLE_CLIENT_SECRET: str
+    GOOGLE_REDIRECT_URI: str
+
+    GH_CLIENT_ID: str
+    GH_CLIENT_SECRET: str
+
 
 settings = Settings()  # type: ignore

backend/src/app/crud.py

@@ -3,7 +3,7 @@
 from sqlmodel import Session, select
 
 from app.core.security import get_password_hash, verify_password
-from app.models import Item, ItemCreate, User, UserCreate, UserUpdate
+from app.models import Item, ItemCreate, User, UserCreate, UserCreateOauth, UserUpdate
 
 
 def create_user(*, session: Session, user_create: UserCreate) -> User:
@@ -16,6 +16,14 @@ def create_user(*, session: Session, user_create: UserCreate) -> User:
     return db_obj
 
 
+def create_user_oauth(*, session: Session, user_create: UserCreateOauth) -> User:
+    db_obj = User.model_validate(user_create)
+    session.add(db_obj)
+    session.commit()
+    session.refresh(db_obj)
+    return db_obj
+
+
 def update_user(*, session: Session, db_user: User, user_in: UserUpdate) -> Any:
     user_data = user_in.model_dump(exclude_unset=True)
     extra_data = {}

backend/src/app/models.py

@@ -19,6 +19,10 @@ class UserCreate(UserBase):
     password: str
 
 
+class UserCreateOauth(UserBase):
+    provider: str
+
+
 # TODO replace email str with EmailStr when sqlmodel supports it
 class UserRegister(SQLModel):
     email: str
@@ -47,8 +51,9 @@ class UpdatePassword(SQLModel):
 # Database model, database table inferred from class name
 class User(UserBase, table=True):
     id: int | None = Field(default=None, primary_key=True)
-    hashed_password: str
+    hashed_password: str | None = None
     items: list["Item"] = Relationship(back_populates="owner")
+    provider: str | None = None
 
 
 # Properties to return via API, id is always required

frontend/.env.example

@@ -1,2 +1,4 @@
 API_BASE_URL=http://localhost:8000
 NEXT_PUBLIC_API_BASE_URL=http://localhost:8000
+NEXT_PUBLIC_GOOGLE_CLIENT_ID=
+NEXT_PUBLIC_GOOGLE_REDIRECT_URI=