feat: authenticate onboarding with a verified Google token#113
feat: authenticate onboarding with a verified Google token#113jaspermayone wants to merge 4 commits into
Conversation
Send a chrome.identity Google access token to /user/onboard instead of a raw email/name. The backend verifies the token with Google and derives the account email, closing the account-takeover hole where any email could mint a session. Adds the oauth2 manifest block, a 401 re-onboard retry, and a 403 (non-@wit.edu) error state.
|
I fixed the id thing, I can add personal emails back, I lowkey forgot about that |
Identity is the user's own (personal) Google account, verified server-side and used for both sign-in and calendar sync. Removes the @wit.edu-only restriction and its error state.
|
Good catches — both addressed: The placeholder in your screenshot is now the real prod OAuth client ID ( On personal emails — you're right, and I reworked it so it doesn't force a WIT account. Quick context on why the endpoint had to change at all: the old The first pass I pushed verified a Google token but wrongly restricted it to
Net effect for users: one Google sign-in (their personal account) that covers both identity and calendar sync, instead of the old unverified email flow. Latest commits on this branch + WITCodingClub/calendar-backend#493 reflect this. |

Matches WITCodingClub/calendar-backend#493. Merge together — the backend now rejects the old email-based onboarding.
What changed
loading/+page.sveltesignIn()now fetches a Google OAuth access token viachrome.identity.getAuthTokenand POSTs{ google_access_token, preferred_name }to/user/onboard(instead of{ email, preferred_name }). The backend verifies the token with Google and derives the email server-side, so a client can no longer mint a session for an arbitrary account.not_wit_accounterror state for non-@wit.eduGoogle accounts.manifest.json: added theoauth2block (getAuthTokenrequires it) and pinned the extensionkey.Why the pinned
keygetAuthTokenonly works when the OAuth client is registered against a specific extension ID, and unpacked dev builds otherwise get unstable per-machine IDs. Thekeypins dev builds to the stable production IDaceelinogfcceklkpacakdeddnaakicj(the value is the published extension's own public key, verified to hash to that ID), so a single OAuth client + single trusted backend client_id covers both dev and prod.🔧 Required setup before merge
aceelinogfcceklkpacakdeddnaakicj), scopesemail profile.manifest.json→oauth2.client_id(currently a placeholder).GOOGLE_OAUTH_CLIENT_IDSenv (comma-separated). Because dev now shares the prod ID, one entry covers both.Notes
svelte-checkpasses on the changed file (the 19 pre-existing errors are all incalendar/+page.svelte, untouched here).