feat(core): add Google One Tap api

darcyYe · darcyYe · commit ae4326485f98 · 2025-05-29T17:08:20.000+08:00
diff --git a/packages/core/src/routes/google-one-tap/index.openapi.json b/packages/core/src/routes/google-one-tap/index.openapi.json
@@ -48,6 +48,71 @@
           }
         }
       }
+    },
+    "/api/google-one-tap/verify": {
+      "post": {
+        "summary": "Verify Google One Tap ID Token and generate magic link",
+        "description": "Verify the Google One Tap ID Token, check if the user exists, and generate a magic link for authentication. If the user exists, generates a login magic link; otherwise, generates a registration magic link.",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "idToken": {
+                    "type": "string",
+                    "description": "The Google ID Token from Google One Tap"
+                  },
+                  "redirectUri": {
+                    "type": "string",
+                    "format": "uri",
+                    "description": "Optional redirect URI for the magic link. If not provided, uses the request origin."
+                  }
+                },
+                "required": ["idToken"]
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "The ID Token was verified successfully and magic link was generated.",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "magicLink": {
+                      "type": "string",
+                      "format": "uri",
+                      "description": "The generated magic link URL for authentication"
+                    },
+                    "isNewUser": {
+                      "type": "boolean",
+                      "description": "Whether this is a new user (registration) or existing user (login)"
+                    },
+                    "email": {
+                      "type": "string",
+                      "format": "email",
+                      "description": "The verified email address from the Google ID Token"
+                    }
+                  },
+                  "required": ["magicLink", "isNewUser", "email"]
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Invalid ID Token, unverified email, or other validation errors"
+          },
+          "403": {
+            "description": "Access forbidden, either due to CORS restrictions or feature not enabled"
+          },
+          "404": {
+            "description": "Google connector not found"
+          }
+        }
+      }
     }
   }
 }
diff --git a/packages/core/src/routes/google-one-tap/index.ts b/packages/core/src/routes/google-one-tap/index.ts
@@ -1,23 +1,112 @@
 import { GoogleConnector } from '@logto/connector-kit';
 import { ConnectorType } from '@logto/schemas';
-import { ConsoleLog } from '@logto/shared';
+import { ConsoleLog, generateStandardId, generateStandardSecret } from '@logto/shared';
 import chalk from 'chalk';
+import { addSeconds } from 'date-fns';
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+import type { Context } from 'koa';
+import { z } from 'zod';
 
 import { EnvSet } from '#src/env-set/index.js';
 import RequestError from '#src/errors/RequestError/index.js';
 import type TenantContext from '#src/tenants/TenantContext.js';
+import type { LogtoConnector } from '#src/utils/connectors/types.js';
 
 import koaGuard from '../../middleware/koa-guard.js';
 import type { AnonymousRouter } from '../types.js';
 
 const consoleLog = new ConsoleLog(chalk.magenta('google-one-tap'));
 
+// Default expiration time: 10 minutes.
+const defaultExpiresTime = 10 * 60;
+
+// Google JWKS URI for token verification
+const googleJwksUri = 'https://www.googleapis.com/oauth2/v3/certs';
+
+// List of allowed local development origins
+const localDevelopmentOrigins = [
+  'localhost', // Localhost with any port
+  '127.0.0.1', // IPv4 loopback
+  '0.0.0.0', // All interfaces
+  '[::1]', // IPv6 loopback
+  '.local', // MDNS domains (especially for macOS)
+  'host.docker.internal', // Docker host from container
+];
+
+/**
+ * Check CORS origin and set appropriate headers
+ */
+const setCorsHeaders = (ctx: Context, allowedMethods: string) => {
+  const origin = ctx.get('origin');
+  consoleLog.info(`origin: ${origin}`);
+
+  const { isProduction, isIntegrationTest } = EnvSet.values;
+
+  // Allow local development origins
+  if (
+    (!isProduction || isIntegrationTest) &&
+    localDevelopmentOrigins.some((item) => origin.includes(item))
+  ) {
+    ctx.set('Access-Control-Allow-Origin', origin);
+  }
+  // In production, only allow *.logto.io or *.logto.dev domains to access
+  else if (isProduction && (origin.endsWith('.logto.io') || origin.endsWith('.logto.dev'))) {
+    ctx.set('Access-Control-Allow-Origin', origin);
+  } else {
+    throw new RequestError({ code: 'auth.forbidden', status: 403 });
+  }
+
+  ctx.set('Access-Control-Allow-Methods', allowedMethods);
+  ctx.set('Access-Control-Allow-Headers', 'Content-Type');
+};
+
+/**
+ * Handle OPTIONS preflight requests
+ */
+const handleOptionsRequest = async (ctx: Context, next: () => Promise<void>) => {
+  if (ctx.method === 'OPTIONS') {
+    ctx.status = 204;
+    return next();
+  }
+};
+
+/**
+ * Get and validate Google One Tap connector configuration
+ */
+const getGoogleOneTapConnector = async (getLogtoConnectors: () => Promise<LogtoConnector[]>) => {
+  const connectors = await getLogtoConnectors();
+  const googleOneTapConnector = connectors.find(
+    (connector) =>
+      connector.type === ConnectorType.Social && connector.metadata.id === GoogleConnector.factoryId
+  );
+
+  if (!googleOneTapConnector) {
+    throw new RequestError({ code: 'connector.not_found', status: 404 });
+  }
+
+  const configResult = GoogleConnector.configGuard.safeParse(googleOneTapConnector.dbEntry.config);
+
+  if (!configResult.success) {
+    throw new RequestError({
+      code: 'connector.invalid_config',
+      status: 400,
+      details: configResult.error.flatten(),
+    });
+  }
+
+  return { connector: googleOneTapConnector, config: configResult.data };
+};
+
 export default function googleOneTapRoutes<T extends AnonymousRouter>(
   router: T,
   tenant: TenantContext
 ) {
   const {
     connectors: { getLogtoConnectors },
+    queries: {
+      users: { findUserByIdentity },
+      oneTimeTokens: { insertOneTimeToken, updateExpiredOneTimeTokensStatusByEmail },
+    },
   } = tenant;
 
   if (!EnvSet.values.isDevFeaturesEnabled) {
@@ -36,72 +125,98 @@ export default function googleOneTapRoutes<T extends AnonymousRouter>(
         .optional(),
     }),
     async (ctx, next) => {
-      // Check CORS origin
-      const origin = ctx.get('origin');
-      consoleLog.info(`origin: ${origin}`);
+      setCorsHeaders(ctx, 'GET, OPTIONS');
+
+      await handleOptionsRequest(ctx, next);
 
       const { isProduction, isIntegrationTest } = EnvSet.values;
       consoleLog.info(`isProduction: ${isProduction}`);
       consoleLog.info(`isIntegrationTest: ${isIntegrationTest}`);
 
-      // List of allowed local development origins
-      const localDevelopmentOrigins = [
-        'localhost', // Localhost with any port
-        '127.0.0.1', // IPv4 loopback
-        '0.0.0.0', // All interfaces
-        '[::1]', // IPv6 loopback
-        '.local', // MDNS domains (especially for macOS)
-        'host.docker.internal', // Docker host from container
-      ];
-
-      // Allow local development origins
-      if (
-        (!isProduction || isIntegrationTest) &&
-        localDevelopmentOrigins.some((item) => origin.includes(item))
-      ) {
-        ctx.set('Access-Control-Allow-Origin', origin);
-      }
-      // In production, only allow *.logto.io or *.logto.dev domains to access
-      else if (isProduction && (origin.endsWith('.logto.io') || origin.endsWith('.logto.dev'))) {
-        ctx.set('Access-Control-Allow-Origin', origin);
-      } else {
-        throw new RequestError({ code: 'auth.forbidden', status: 403 });
-      }
+      const { config } = await getGoogleOneTapConnector(getLogtoConnectors);
+      const { clientId, oneTap } = config;
 
-      ctx.set('Access-Control-Allow-Methods', 'GET, OPTIONS');
-      ctx.set('Access-Control-Allow-Headers', 'Content-Type');
+      ctx.status = 200;
+      ctx.body = { clientId, oneTap };
+      return next();
+    }
+  );
 
-      if (ctx.method === 'OPTIONS') {
-        ctx.status = 204;
-        return next();
-      }
+  router.post(
+    '/google-one-tap/verify',
+    koaGuard({
+      body: z.object({
+        idToken: z.string(),
+        redirectUri: z.string().url().optional(),
+      }),
+      response: z.object({
+        magicLink: z.string().url(),
+        isNewUser: z.boolean(),
+        email: z.string(),
+      }),
+      status: [200, 204, 400, 403, 404],
+    }),
+    async (ctx, next) => {
+      setCorsHeaders(ctx, 'POST, OPTIONS');
 
-      const connectors = await getLogtoConnectors();
-      const googleOneTapConnector = connectors.find(
-        (connector) =>
-          connector.type === ConnectorType.Social &&
-          connector.metadata.id === GoogleConnector.factoryId
-      );
+      await handleOptionsRequest(ctx, next);
 
-      if (!googleOneTapConnector) {
-        throw new RequestError({ code: 'connector.not_found', status: 404 });
-      }
+      const { idToken, redirectUri } = ctx.guard.body;
+
+      const { config } = await getGoogleOneTapConnector(getLogtoConnectors);
+      const { clientId } = config;
 
-      const result = GoogleConnector.configGuard.safeParse(googleOneTapConnector.dbEntry.config);
+      // Verify Google ID Token
+      const { payload } = await jwtVerify(idToken, createRemoteJWKSet(new URL(googleJwksUri)), {
+        issuer: ['https://accounts.google.com', 'accounts.google.com'],
+        audience: clientId,
+        clockTolerance: 10,
+      });
 
-      // This should not happen since we have already validated the config when creating and updating the connector.
-      if (!result.success) {
+      const { sub: googleUserId, email, email_verified } = payload;
+
+      if (!email || !email_verified) {
         throw new RequestError({
-          code: 'connector.invalid_config',
+          code: 'session.invalid_credentials',
           status: 400,
-          details: result.error.flatten(),
         });
       }
 
-      const { clientId, oneTap } = result.data;
+      // Check if user exists with this Google identity
+      const existingUser = await findUserByIdentity(GoogleConnector.target, String(googleUserId));
+      const isNewUser = !existingUser;
+
+      // Create one-time token with appropriate context
+      const expiresAt = addSeconds(new Date(), defaultExpiresTime);
+      const oneTimeToken = await insertOneTimeToken({
+        id: generateStandardId(),
+        email: String(email),
+        token: generateStandardSecret(),
+        expiresAt: expiresAt.getTime(),
+        context: {
+          // Add jitOrganizationIds if this is for registration
+          ...(isNewUser && { jitOrganizationIds: [] }),
+        },
+      });
+
+      // Clean up any expired tokens for this email
+      await updateExpiredOneTimeTokensStatusByEmail(String(email)).catch(() => {
+        // Ignore errors for cleanup operation
+      });
+
+      // Generate magic link
+      const baseUrl = redirectUri ?? ctx.origin;
+      const magicLinkUrl = new URL('/auth/magic-link', baseUrl);
+      magicLinkUrl.searchParams.set('token', oneTimeToken.token);
+      magicLinkUrl.searchParams.set('email', String(email));
 
       ctx.status = 200;
-      ctx.body = { clientId, oneTap };
+      ctx.body = {
+        magicLink: magicLinkUrl.toString(),
+        isNewUser,
+        email: String(email),
+      };
+
       return next();
     }
   );
