feat: Google OAuth (XOAUTH2) sign-in alongside password login#4
Open
Aravinda-HWK wants to merge 1 commit into
Implements the proposal's "gateway runs the OAuth flow and hands the token
to IMAP over SASL XOAUTH2/OAUTHBEARER" path. Adds "Sign in with Google"
next to the existing app-password login; non-Google providers are
unaffected.
Backend:
- internal/oauth: Google provider (consent URL, code exchange, userinfo
email lookup, token auto-refresh). Disabled (endpoints 404) when no
client ID is configured.
- internal/imap/xoauth2.go: XOAUTH2 SASL mechanism (go-sasl ships none);
client authenticates via XOAUTH2 for OAuth sessions, LOGIN otherwise.
- internal/smtp: SMTPAuthXOAUTH2 for OAuth sessions.
- mail.Credentials gains AuthType/AccessToken/RefreshToken/TokenExpiry.
- session.Store refreshes the access token (and re-seals the session) on
every IMAP reconnect and SMTP send, keeping long-lived sessions alive.
- handlers/oauth.go: /api/v1/auth/google/{start,callback} with a CSRF
state cookie; hands the JWT to the SPA via the URL fragment.
- config + .env.example: GOOGLE_OAUTH_* and FRONTEND_OAUTH_CALLBACK.
Frontend:
- OAuthCallbackPage + /auth/callback route: reads the JWT from the
fragment, persists the session, scrubs the URL.
- AuthContext.loginWithOAuth and a "Sign in with Google" button.
Adds dep: golang.org/x/oauth2.
Summary
Adds "Sign in with Google" next to the existing app-password login, implementing the proposal's "gateway runs the OAuth flow and hands the token to IMAP over SASL XOAUTH2" path. Non-Google providers and app-password login are unaffected. Targets `main` and contains only the OAuth changes (independent of the client-cache PR).
Flow
Backend
- `internal/oauth`: Google provider: consent URL, code exchange, userinfo email lookup, token auto-refresh. Disabled (endpoints 404) when no client ID is configured.
- `internal/imap/xoauth2.go`: XOAUTH2 SASL mechanism (`go-sasl` ships none); IMAP client authenticates via XOAUTH2 for OAuth sessions, `LOGIN` otherwise.
- `internal/smtp`: `SMTPAuthXOAUTH2` for OAuth sessions.
- `mail.Credentials` gains `AuthType`/`AccessToken`/`RefreshToken`/`TokenExpiry`.
- `session.Store` refreshes the access token (and re-seals the session) on every IMAP reconnect and SMTP send, so long-lived sessions survive token expiry.
- `handlers/oauth.go`: `/api/v1/auth/google/{start,callback}` with an anti-CSRF state cookie; passes the JWT to the SPA via the URL fragment.
- `.env.example`: `GOOGLE_OAUTH_CLIENT_ID`/`SECRET`/`REDIRECT_URL`, `FRONTEND_OAUTH_CALLBACK`.
Frontend
- `OAuthCallbackPage` + `/auth/callback` route: reads the JWT from the fragment, persists the session, scrubs the URL.
- `AuthContext.loginWithOAuth` and a "Sign in with Google" button on the login page.
New dep: `golang.org/x/oauth2`.
Operator setup (required to enable)
OAuth is off until configured. Create a Google Cloud OAuth client (Web application) with:
- `http://localhost:3000/api/v1/auth/google/callback`
- `https://mail.google.com/` (restricted; testing mode + test users for personal use)
then set the `QUICKSILVER_GOOGLE_OAUTH_*` env vars.
Verification
`go build ./...`, `go vet ./...`, `go test ./...` all pass. `npm run build` passes; typecheck clean for changed files.
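The description says `internal/imap/xoauth2.go` supplies the XOAUTH2 SASL mechanism because `go-sasl` ships none; the following is an added example of what such a client mechanism looks like, not the PR's code. It assumes the Start/Next shape of `go-sasl`'s client interface, builds the initial response Google expects, rejects control characters that could smuggle extra fields into the message, and answers the server's JSON error challenge with the empty response the protocol requires; all names and sample values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// XOAUTH2Client has the Start/Next shape of emersion/go-sasl's sasl.Client
// (assumption) and sends "user=<email>\x01auth=Bearer <token>\x01\x01".
type XOAUTH2Client struct {
	Username, Token string
	serverErr       error // parsed from the server's JSON error challenge
}

// Start builds the initial response; \x01, CR and LF are rejected so a crafted
// username or token cannot inject extra key=value pairs into the message.
func (c *XOAUTH2Client) Start() (string, []byte, error) {
	if c.Username == "" || c.Token == "" {
		return "", nil, fmt.Errorf("xoauth2: username and access token are required")
	}
	if strings.ContainsAny(c.Username+c.Token, "\x01\r\n") {
		return "", nil, fmt.Errorf("xoauth2: control character in credentials")
	}
	return "XOAUTH2", []byte(fmt.Sprintf("user=%s\x01auth=Bearer %s\x01\x01", c.Username, c.Token)), nil
}

// Next handles the only challenge XOAUTH2 defines: on failure the server sends a
// JSON status and the client must answer with an empty response so the server
// can finish with a tagged NO. The parsed status is kept for Err.
func (c *XOAUTH2Client) Next(challenge []byte) ([]byte, error) {
	if c.serverErr != nil {
		return nil, fmt.Errorf("xoauth2: unexpected second server challenge")
	}
	var st struct{ Status, Schemes, Scope string }
	if err := json.Unmarshal(challenge, &st); err != nil {
		c.serverErr = fmt.Errorf("xoauth2: unparsable challenge %q", challenge)
	} else {
		c.serverErr = fmt.Errorf("xoauth2: token rejected: status=%s schemes=%s scope=%s", st.Status, st.Schemes, st.Scope)
	}
	return []byte{}, nil
}

// Err reports the failure the server described in its challenge, if any.
func (c *XOAUTH2Client) Err() error { return c.serverErr }

func main() {
	mech, ir, err := (&XOAUTH2Client{Username: "alice@example.com", Token: "ya29.constructed"}).Start() // constructed values
	fmt.Printf("%s %q %v\n", mech, ir, err)
}
```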