Add Google OAuth2 Integration

[peonii]

Google OAuth2 Integration

Implements integration from issue #127.

To-do

• Sign in flow
• Registration flow
• Support for null password fields
• Integration with existing auth system (token creation)
• Account linking
• [X] YouTube channel linking - This will be implemented in a future PR, right now it's just the barebones to get the system going

License Acceptance

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[peonii]

@stadust there's one issue here, maybe you'll have some idea on how to resolve this;
when logging via google to an account that's been linked after previously being created with the register endpoint, the signature of the JWT is invalid

[stadust]

Thank you so much for working on this!!

I've left a bunch of random comments (didn't really go through everything in depth because I have to go to work now 😭). I don't really have an immediate idea why the access tokens have invalid signatures, I'll need to actually play around with it myself a bit I'm afraid :(

Just to clarify though, you don't mean that access tokens from before linking become invalid after linking an account, right (e.g. logging in again fixes it)?

[peonii]

okay Another Problem has arisen
do we force the user to go through the oauth2 flow again each time they'd like to make any change on their profile or do we trust the access token!

for applications that have an oauth2 login flow (im using Notion as a reference) they usually just trust the token and let it do destructive changes but im asking before we implement anything

[stadust]

okay Another Problem has arisen do we force the user to go through the oauth2 flow again each time they'd like to make any change on their profile or do we trust the access token!

for applications that have an oauth2 login flow (im using Notion as a reference) they usually just trust the token and let it do destructive changes but im asking before we implement anything

The current system trusts the access token instead of requiring the user to re-enter their password for everything (with few exceptions, such as changing the password), so I think keeping it like that is fine

[stadust]

config.rs thingy here as well :)

[stadust]

"Change Password" seems to be the wrong text here. Maybe "Link with google"?

[stadust]

Mhh, I was hoping we could use the buttons from the google SDK here instead of our own

[stadust]

nit: maybe do the concatenation in the query?

Suggested change

	// This will never conflict with an existing user
	// According to Google, the account ID is always unique
	// https://developers.google.com/identity/openid-connect/openid-connect#an-id-tokens-payload
	let name = format!("{}#{}", user_info.name, user_info.id);
	let id = sqlx::query!(
	"INSERT INTO
	members (email_address, name, display_name, google_account_id)
	VALUES
	(($1::text)::email, $2, $3, $4) RETURNING member_id
	",
	user_info.email,
	name,
	// This will never conflict with an existing user
	// According to Google, the account ID is always unique
	// https://developers.google.com/identity/openid-connect/openid-connect#an-id-tokens-payload
	let id = sqlx::query!(
	"INSERT INTO
	members (email_address, name, display_name, google_account_id)
	VALUES
	(($1::text)::email, $2 || $3, $4, $5) RETURNING member_id
	",
	user_info.email,
	user_info.name,
	user_info.id,

[stadust]

let's use match instead of unwrap here:

Suggested change

	if self.password_hash.is_none() {
	return Vec::new();
	}
	let raw_parts: Vec<_> = self.password_hash.as_ref().unwrap().split('$').filter(|s| !s.is_empty()).collect();
	let raw_parts = match self.password_hash {
	None => return Vec::new(),
	Some(ref hash) => hash.split('$').filter(|s| !s.is_empty()).collect();
	};

[stadust]

Instead of using a cookie, can we somehow give this information to google, and have google return it to us when it calls our callback? Maybe via query parameter?

[stadust]

Let's factor this entire match arm into some more functions:

• one for updating the google account id of an existing user (can probably go into auth/patch.rs)
• one for creating a new user account from a google account (maybe into auth/post.rs?)

[stadust]

Let's be a bit more descriptive and have this variant be explicitly about changing passwords on oauth accounts :)

[stadust]

I think here is the problem why this flow gives you an invalid access token: this query is missing a SET password_hash = NULL. Right now in line 126 onward, you're constructing an AuthenticatedUser with password_hash: None. This means that if you call generate_access_token() on the user returned here, it will only sign the token with the server secret. However, the database will still contain the user's old password hash. This means that when it comes to validating the token, it will retrieve an AuthenticatedUser with password_hash = hash of password from before account was linked, and thus it tries to validate the token using a secret that's a combination of server secret and password hash. But that's the wrong secret, because we signed the token with only the server secret!

[stadust]

As per discussion on discord: Let's put a UNIQUE constraint here as a failsafe for raceconditions that allow adding the same google account to multiple pointercrate accounts

[stadust]

Suggested change

	UserNotFoundGoogleAccount { google_account_id: String },
	UserNotFoundGoogleAccount { google_account_id: u64 },