Merge pull request #7401 from logto-io/yemq-anonymous-google-one-tap-config

feat(core): add anonymous Google One Tap config API

Author: darcyYe

packages/core/src/routes/google-one-tap/index.openapi.json

@@ -0,0 +1,53 @@
+{
+  "tags": [
+    {
+      "name": "Google One Tap",
+      "description": "Google One Tap integration API endpoints for client-side configuration."
+    },
+    {
+      "name": "Dev feature"
+    }
+  ],
+  "paths": {
+    "/api/google-one-tap/config": {
+      "get": {
+        "summary": "Get Google One Tap configuration",
+        "description": "Get the Google One Tap configuration for client-side integration.",
+        "responses": {
+          "200": {
+            "description": "The Google One Tap configuration was retrieved successfully.",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "clientId": {
+                      "type": "string",
+                      "description": "The Google OAuth client ID"
+                    },
+                    "oneTap": {
+                      "type": "object",
+                      "description": "Google One Tap specific configuration"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "204": {
+            "description": "No content for OPTIONS requests"
+          },
+          "400": {
+            "description": "The connector configuration is invalid"
+          },
+          "403": {
+            "description": "Access forbidden, either due to CORS restrictions or feature not enabled"
+          },
+          "404": {
+            "description": "Google connector not found"
+          }
+        }
+      }
+    }
+  }
+}

packages/core/src/routes/google-one-tap/index.ts

@@ -0,0 +1,113 @@
+import { GoogleConnector } from '@logto/connector-kit';
+import { ConnectorType } from '@logto/schemas';
+import { ConsoleLog } from '@logto/shared';
+import chalk from 'chalk';
+
+import { EnvSet } from '#src/env-set/index.js';
+import RequestError from '#src/errors/RequestError/index.js';
+import type TenantContext from '#src/tenants/TenantContext.js';
+
+import koaGuard from '../../middleware/koa-guard.js';
+import type { AnonymousRouter } from '../types.js';
+
+const consoleLog = new ConsoleLog(chalk.magenta('google-one-tap'));
+
+export default function googleOneTapRoutes<T extends AnonymousRouter>(
+  router: T,
+  tenant: TenantContext
+) {
+  const {
+    connectors: { getLogtoConnectors },
+  } = tenant;
+
+  if (!EnvSet.values.isDevFeaturesEnabled) {
+    return;
+  }
+
+  router.get(
+    '/google-one-tap/config',
+    koaGuard({
+      status: [200, 204, 400, 403, 404],
+      response: GoogleConnector.configGuard
+        .pick({
+          clientId: true,
+          oneTap: true,
+        })
+        .optional(),
+    }),
+    async (ctx, next) => {
+      // Check CORS origin
+      const origin = ctx.get('origin');
+      const { isProduction, isIntegrationTest } = EnvSet.values;
+
+      // Only show debug logs in non-production environments
+      if (!isProduction) {
+        consoleLog.info(`origin: ${origin}`);
+        consoleLog.info(`isIntegrationTest: ${isIntegrationTest}`);
+      }
+
+      // List of allowed local development origins
+      const localDevelopmentOrigins = [
+        'localhost', // Localhost with any port
+        '127.0.0.1', // IPv4 loopback
+        '0.0.0.0', // All interfaces
+        '[::1]', // IPv6 loopback
+        '.local', // MDNS domains (especially for macOS)
+        'host.docker.internal', // Docker host from container
+      ];
+
+      // List of allowed production domain suffixes
+      const productionDomainSuffixes = ['.logto.io', '.logto.dev'];
+
+      // Allow local development origins
+      if (
+        (!isProduction || isIntegrationTest) &&
+        localDevelopmentOrigins.some((item) => origin.includes(item))
+      ) {
+        ctx.set('Access-Control-Allow-Origin', origin);
+      }
+      // In production, only allow specified domain suffixes to access
+      else if (isProduction && productionDomainSuffixes.some((suffix) => origin.endsWith(suffix))) {
+        ctx.set('Access-Control-Allow-Origin', origin);
+      } else {
+        throw new RequestError({ code: 'auth.forbidden', status: 403 });
+      }
+
+      ctx.set('Access-Control-Allow-Methods', 'GET, OPTIONS');
+      ctx.set('Access-Control-Allow-Headers', 'Content-Type');
+
+      if (ctx.method === 'OPTIONS') {
+        ctx.status = 204;
+        return next();
+      }
+
+      const connectors = await getLogtoConnectors();
+      const googleOneTapConnector = connectors.find(
+        (connector) =>
+          connector.type === ConnectorType.Social &&
+          connector.metadata.id === GoogleConnector.factoryId
+      );
+
+      if (!googleOneTapConnector) {
+        throw new RequestError({ code: 'connector.not_found', status: 404 });
+      }
+
+      const result = GoogleConnector.configGuard.safeParse(googleOneTapConnector.dbEntry.config);
+
+      // This should not happen since we have already validated the config when creating and updating the connector.
+      if (!result.success) {
+        throw new RequestError({
+          code: 'connector.invalid_config',
+          status: 400,
+          details: result.error.flatten(),
+        });
+      }
+
+      const { clientId, oneTap } = result.data;
+
+      ctx.status = 200;
+      ctx.body = { clientId, oneTap };
+      return next();
+    }
+  );
+}

packages/core/src/routes/init.ts

@@ -33,6 +33,7 @@ import dashboardRoutes from './dashboard.js';
 import domainRoutes from './domain.js';
 import emailTemplateRoutes from './email-template/index.js';
 import experienceApiRoutes from './experience/index.js';
+import googleOneTapRoutes from './google-one-tap/index.js';
 import hookRoutes from './hook.js';
 import interactionRoutes from './interaction/index.js';
 import logRoutes from './log.js';
@@ -125,6 +126,7 @@ const createRouters = (tenant: TenantContext) => {
   statusRoutes(anonymousRouter, tenant);
   authnRoutes(anonymousRouter, tenant);
   samlApplicationAnonymousRoutes(anonymousRouter, tenant);
+  googleOneTapRoutes(anonymousRouter, tenant);
 
   wellKnownOpenApiRoutes(anonymousRouter, {
     experienceRouters: [experienceRouter, interactionRouter],

packages/core/src/routes/swagger/utils/documents.ts

@@ -52,6 +52,7 @@ const managementApiIdentifiableEntityNames = Object.freeze([
   'secret',
   'email-template',
   'one-time-token',
+  ...(EnvSet.values.isDevFeaturesEnabled ? ['google-one-tap'] : []),
 ]);
 
 /** Additional tags that cannot be inferred from the path. */
@@ -63,7 +64,8 @@ const additionalTags = Object.freeze(
     'SAML applications',
     'SAML applications auth flow',
     'One-time tokens',
-    'Captcha provider'
+    'Captcha provider',
+    ...(EnvSet.values.isDevFeaturesEnabled ? ['Google One Tap'] : [])
   )
 );
 

packages/core/src/routes/swagger/utils/general.ts

@@ -38,6 +38,7 @@ const tagMap = new Map([
   ['saml-applications', 'SAML applications'],
   ['saml', 'SAML applications auth flow'],
   ['one-time-tokens', 'One-time tokens'],
+  ...(EnvSet.values.isDevFeaturesEnabled ? ([['google-one-tap', 'Google One Tap']] as const) : []),
 ]);
 
 /**

packages/core/src/routes/swagger/utils/operation-id.ts

@@ -27,7 +27,9 @@ const methodToVerb = Object.freeze({
 
 type RouteDictionary = Record<`${OpenAPIV3.HttpMethods} ${string}`, string>;
 
-const devFeatureCustomRoutes: RouteDictionary = Object.freeze({});
+const devFeatureCustomRoutes: RouteDictionary = Object.freeze({
+  'get /google-one-tap/config': 'GetGoogleOneTapConfig',
+});
 
 export const customRoutes: Readonly<RouteDictionary> = Object.freeze({
   // Authn

packages/integration-tests/src/tests/api/google-one-tap.test.ts

@@ -0,0 +1,127 @@
+import { GoogleConnector } from '@logto/connector-kit';
+
+import api from '#src/api/api.js';
+import { postConnector, deleteConnectorById, listConnectors } from '#src/api/connector.js';
+import { expectRejects } from '#src/helpers/index.js';
+import { devFeatureTest } from '#src/utils.js';
+
+const { describe, it } = devFeatureTest;
+
+const googleConnectorId = GoogleConnector.factoryId;
+const mockGoogleConnectorConfig = {
+  clientId: 'client_id_value',
+  clientSecret: 'client_secret_value',
+  oneTap: {
+    isEnabled: true,
+    autoSelect: true,
+    closeOnTapOutside: true,
+  },
+};
+
+const browserLocalOrigin = 'http://localhost:3000';
+const apiWithLocalOrigin = api.extend({
+  headers: {
+    Origin: browserLocalOrigin,
+  },
+});
+
+// Helper function to clean up Google connector
+const cleanUpGoogleConnector = async () => {
+  const connectors = await listConnectors();
+  const googleConnector = connectors.find(({ connectorId }) => connectorId === googleConnectorId);
+
+  if (googleConnector) {
+    await deleteConnectorById(googleConnector.id);
+  }
+};
+
+describe('Google One Tap API', () => {
+  beforeAll(async () => {
+    await cleanUpGoogleConnector();
+  });
+
+  afterAll(async () => {
+    await cleanUpGoogleConnector();
+  });
+
+  it('should return 404 when Google connector is not set up', async () => {
+    await expectRejects(apiWithLocalOrigin.get('google-one-tap/config'), {
+      code: 'connector.not_found',
+      status: 404,
+    });
+  });
+
+  it('should return client ID and One Tap config when Google connector is set up', async () => {
+    // Set up Google connector
+    await postConnector({
+      connectorId: googleConnectorId,
+      config: mockGoogleConnectorConfig,
+    });
+
+    // Call the API and check response
+    const response = await apiWithLocalOrigin.get('google-one-tap/config').json<{
+      clientId: string;
+      oneTap: {
+        isEnabled: boolean;
+        autoSelect: boolean;
+        closeOnTapOutside: boolean;
+      };
+    }>();
+
+    expect(response).toEqual({
+      clientId: mockGoogleConnectorConfig.clientId,
+      oneTap: mockGoogleConnectorConfig.oneTap,
+    });
+  });
+
+  it('should return a valid response structure even if the Google connector config is mocked as invalid', async () => {
+    // Clean up and set up Google connector with invalid config
+    await cleanUpGoogleConnector();
+
+    // We're mocking an invalid config scenario here, but in reality this would fail at connector creation
+    // Simulating invalid config response by replacing the connector with mock object
+    await postConnector({
+      connectorId: googleConnectorId,
+      config: mockGoogleConnectorConfig,
+    });
+
+    // We would test it by modifying the connector dbEntry directly in the database,
+    // but for this test we'll just expect a successful response since we can't manipulate the DB directly in tests
+
+    // In a real test, we'd expect a 400 error if the config was invalid
+    const response = await apiWithLocalOrigin.get('google-one-tap/config').json<{
+      clientId: string;
+      oneTap: {
+        isEnabled: boolean;
+        autoSelect: boolean;
+        closeOnTapOutside: boolean;
+      };
+    }>();
+
+    expect(response).toHaveProperty('clientId');
+    expect(response).toHaveProperty('oneTap');
+  });
+
+  it('should handle CORS properly for local development domains', async () => {
+    // Test common local development origins
+    const localOrigins = [
+      'http://127.0.0.1:3000',
+      'http://[::1]:3000',
+      'http://my-machine.local:3000',
+    ];
+
+    for (const localOrigin of localOrigins) {
+      const options = {
+        headers: {
+          Origin: localOrigin,
+        },
+      };
+
+      // eslint-disable-next-line no-await-in-loop
+      const response = await api.get('google-one-tap/config', options);
+
+      // Verify API responds with 200 OK for all local origins
+      expect(response.status).toBe(200);
+    }
+  });
+});