feat(auth+admin): Sign in with Google (OAuth) + Integrations config panel
Build backend images / build content-svc (push) Failing after 1m2s
Build backend images / build file-svc (push) Failing after 3m11s
Build backend images / build gateway (push) Failing after 5m39s
Build backend images / build identity-svc (push) Failing after 38s
Build backend images / build notification-svc (push) Failing after 2m0s
Build backend images / build render-svc (push) Failing after 58s
Build backend images / build studio-svc (push) Failing after 58s
Build backend images / build content-svc (push) Failing after 1m2s
Build backend images / build file-svc (push) Failing after 3m11s
Build backend images / build gateway (push) Failing after 5m39s
Build backend images / build identity-svc (push) Failing after 38s
Build backend images / build notification-svc (push) Failing after 2m0s
Build backend images / build render-svc (push) Failing after 58s
Build backend images / build studio-svc (push) Failing after 58s
Backend (identity-svc):
- oauth_config table (mig 22) + OAuthConfig entity
- OAuthService: admin config CRUD + Google authorization-code flow (build consent
URL, exchange code, fetch userinfo, find/create RegisterMode.Google user, issue
session via AuthService.IssueOAuthSessionAsync)
- AuthController: GET /v1/auth/google/{start,callback} (public); tokens handed to
frontend via URL fragment
- AdminController: GET/PUT /v1/admin/oauth/{provider} (admin, secret masked)
Frontend:
- "ورود با گوگل" button on /auth → identity start endpoint
- /auth/callback reads fragment tokens → /api/auth/oauth-session sets httpOnly cookies
- /admin/integrations: Google client_id/secret/redirect_uri + enable, with setup guide
- nav + fa/en labels
Client ID/Secret are configured entirely in the admin panel — no redeploy needed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
soroush.asadi
@@ -415,6 +415,10 @@ public class AuthService(
|
||||
return new AuthTokensResponse(accessToken, refreshToken, "Bearer", 15 * 60, userResponse, tenantResponse);
|
||||
}
|
||||
|
||||
/// <summary>Issue a session for an externally-authenticated (OAuth/social) user.</summary>
|
||||
public Task<AuthTokensResponse> IssueOAuthSessionAsync(User user, Tenant tenant, string? deviceName, string? ipAddress)
|
||||
=> CreateSessionAsync(user, tenant, null, deviceName, ipAddress);
|
||||
|
||||
private async Task CreateConfirmationTokenAsync(
|
||||
Guid userId, Guid tenantId, TokenPurpose purpose, string identifier, string? ipAddress)
|
||||
{
|
||||
|
||||
@@ -0,0 +1,142 @@
|
||||
using System.Net.Http.Headers;
|
||||
using System.Text;
|
||||
using System.Text.Json;
|
||||
using FlatRender.IdentitySvc.Domain.Entities;
|
||||
using FlatRender.IdentitySvc.Domain.Enums;
|
||||
using FlatRender.IdentitySvc.Infrastructure.Data;
|
||||
using FlatRender.IdentitySvc.Models.Responses;
|
||||
using Microsoft.AspNetCore.WebUtilities;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
|
||||
namespace FlatRender.IdentitySvc.Application.Services;
|
||||
|
||||
/// <summary>External OAuth (Google) — admin config + the authorization-code login flow.</summary>
|
||||
public class OAuthService(
|
||||
IdentityDbContext db,
|
||||
AuthService authService,
|
||||
IHttpClientFactory httpFactory,
|
||||
IConfiguration config)
|
||||
{
|
||||
private const string GoogleAuthEndpoint = "https://accounts.google.com/o/oauth2/v2/auth";
|
||||
private const string GoogleTokenEndpoint = "https://oauth2.googleapis.com/token";
|
||||
private const string GoogleUserInfo = "https://www.googleapis.com/oauth2/v3/userinfo";
|
||||
|
||||
private string DefaultTenantSlug => config["DefaultTenantSlug"] ?? "flatrender";
|
||||
|
||||
// ── Config ───────────────────────────────────────────────────────────────
|
||||
|
||||
public async Task<OAuthConfig?> GetConfigAsync(string provider) =>
|
||||
await db.OAuthConfigs.FindAsync(provider);
|
||||
|
||||
public async Task<OAuthConfig> UpsertConfigAsync(string provider, string? clientId, string? clientSecret, string? redirectUri, bool enabled)
|
||||
{
|
||||
var cfg = await db.OAuthConfigs.FindAsync(provider);
|
||||
if (cfg == null)
|
||||
{
|
||||
cfg = new OAuthConfig { Provider = provider };
|
||||
db.OAuthConfigs.Add(cfg);
|
||||
}
|
||||
if (clientId != null) cfg.ClientId = clientId;
|
||||
// Keep the existing secret if the client sent it blank/masked.
|
||||
if (!string.IsNullOrEmpty(clientSecret) && !clientSecret.Contains('•')) cfg.ClientSecret = clientSecret;
|
||||
if (redirectUri != null) cfg.RedirectUri = redirectUri;
|
||||
cfg.Enabled = enabled;
|
||||
cfg.UpdatedAt = DateTime.UtcNow;
|
||||
await db.SaveChangesAsync();
|
||||
return cfg;
|
||||
}
|
||||
|
||||
// ── Google authorization-code flow ─────────────────────────────────────────
|
||||
|
||||
public async Task<string> BuildGoogleAuthUrlAsync(string returnUrl)
|
||||
{
|
||||
var cfg = await GetConfigAsync("google");
|
||||
if (cfg is not { Enabled: true } || string.IsNullOrEmpty(cfg.ClientId) || string.IsNullOrEmpty(cfg.RedirectUri))
|
||||
throw new InvalidOperationException("Google login is not configured");
|
||||
|
||||
var state = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(returnUrl));
|
||||
var query = new Dictionary<string, string?>
|
||||
{
|
||||
["client_id"] = cfg.ClientId,
|
||||
["redirect_uri"] = cfg.RedirectUri,
|
||||
["response_type"] = "code",
|
||||
["scope"] = "openid email profile",
|
||||
["state"] = state,
|
||||
["access_type"] = "online",
|
||||
["prompt"] = "select_account",
|
||||
};
|
||||
return QueryHelpers.AddQueryString(GoogleAuthEndpoint, query);
|
||||
}
|
||||
|
||||
public record GoogleResult(AuthTokensResponse Tokens, string ReturnUrl);
|
||||
|
||||
public async Task<GoogleResult> HandleGoogleCallbackAsync(string code, string state, string? ipAddress)
|
||||
{
|
||||
var returnUrl = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(state));
|
||||
var cfg = await GetConfigAsync("google")
|
||||
?? throw new InvalidOperationException("Google login is not configured");
|
||||
|
||||
var http = httpFactory.CreateClient();
|
||||
|
||||
// 1) Exchange the authorization code for tokens.
|
||||
var tokenResp = await http.PostAsync(GoogleTokenEndpoint, new FormUrlEncodedContent(new Dictionary<string, string>
|
||||
{
|
||||
["code"] = code,
|
||||
["client_id"] = cfg.ClientId ?? "",
|
||||
["client_secret"] = cfg.ClientSecret ?? "",
|
||||
["redirect_uri"] = cfg.RedirectUri ?? "",
|
||||
["grant_type"] = "authorization_code",
|
||||
}));
|
||||
var tokenBody = await tokenResp.Content.ReadAsStringAsync();
|
||||
if (!tokenResp.IsSuccessStatusCode)
|
||||
throw new InvalidOperationException($"Google token exchange failed: {tokenBody}");
|
||||
using var tokenDoc = JsonDocument.Parse(tokenBody);
|
||||
var accessToken = tokenDoc.RootElement.GetProperty("access_token").GetString();
|
||||
|
||||
// 2) Fetch the user's profile.
|
||||
var infoReq = new HttpRequestMessage(HttpMethod.Get, GoogleUserInfo);
|
||||
infoReq.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
|
||||
var infoResp = await http.SendAsync(infoReq);
|
||||
var infoBody = await infoResp.Content.ReadAsStringAsync();
|
||||
if (!infoResp.IsSuccessStatusCode)
|
||||
throw new InvalidOperationException($"Google userinfo failed: {infoBody}");
|
||||
using var infoDoc = JsonDocument.Parse(infoBody);
|
||||
var root = infoDoc.RootElement;
|
||||
var email = root.TryGetProperty("email", out var e) ? e.GetString() : null;
|
||||
var name = root.TryGetProperty("name", out var n) ? n.GetString() : null;
|
||||
var picture = root.TryGetProperty("picture", out var p) ? p.GetString() : null;
|
||||
if (string.IsNullOrEmpty(email))
|
||||
throw new InvalidOperationException("Google account has no email");
|
||||
email = email.ToLowerInvariant();
|
||||
|
||||
// 3) Find or create the user in the default tenant.
|
||||
var tenant = await db.Tenants.FirstOrDefaultAsync(t => t.Slug == DefaultTenantSlug && t.DeletedAt == null)
|
||||
?? await db.Tenants.FirstOrDefaultAsync(t => t.DeletedAt == null)
|
||||
?? throw new InvalidOperationException("No tenant configured");
|
||||
|
||||
var user = await db.Users.FirstOrDefaultAsync(u => u.TenantId == tenant.Id && u.Email == email && u.DeletedAt == null);
|
||||
if (user == null)
|
||||
{
|
||||
user = new User
|
||||
{
|
||||
TenantId = tenant.Id,
|
||||
Email = email,
|
||||
FullName = name,
|
||||
AvatarUrl = picture,
|
||||
EmailVerified = true,
|
||||
RegisterMode = RegisterMode.Google,
|
||||
RegisterDate = DateTime.UtcNow,
|
||||
};
|
||||
db.Users.Add(user);
|
||||
await db.SaveChangesAsync();
|
||||
}
|
||||
else if (!user.EmailVerified)
|
||||
{
|
||||
user.EmailVerified = true;
|
||||
await db.SaveChangesAsync();
|
||||
}
|
||||
|
||||
var tokens = await authService.IssueOAuthSessionAsync(user, tenant, "Google", ipAddress);
|
||||
return new GoogleResult(tokens, returnUrl);
|
||||
}
|
||||
}
|
||||
@@ -26,6 +26,22 @@ public class AdminController(AdminService svc) : ControllerBase
|
||||
[HttpGet("v1/admin/plan-statistics")]
|
||||
public async Task<IActionResult> PlanStats() => Ok(await svc.GetPlanStatisticsAsync(TenantId));
|
||||
|
||||
// ── OAuth provider config ──────────────────────────────────────────────────
|
||||
[HttpGet("v1/admin/oauth/{provider}")]
|
||||
public async Task<IActionResult> GetOAuth(string provider, [FromServices] OAuthService oauth)
|
||||
{
|
||||
var c = await oauth.GetConfigAsync(provider);
|
||||
return Ok(new OAuthConfigResponse(provider, c?.ClientId, c?.RedirectUri, c?.Enabled ?? false,
|
||||
!string.IsNullOrEmpty(c?.ClientSecret)));
|
||||
}
|
||||
|
||||
[HttpPut("v1/admin/oauth/{provider}")]
|
||||
public async Task<IActionResult> PutOAuth(string provider, [FromBody] UpsertOAuthConfigRequest req, [FromServices] OAuthService oauth)
|
||||
{
|
||||
var c = await oauth.UpsertConfigAsync(provider, req.ClientId, req.ClientSecret, req.RedirectUri, req.Enabled);
|
||||
return Ok(new OAuthConfigResponse(provider, c.ClientId, c.RedirectUri, c.Enabled, !string.IsNullOrEmpty(c.ClientSecret)));
|
||||
}
|
||||
|
||||
// ── CRM notes / tags ───────────────────────────────────────────────────────
|
||||
[HttpGet("v1/users/{userId:guid}/crm")]
|
||||
public async Task<IActionResult> GetCrm(Guid userId) => Ok(await svc.GetUserCrmAsync(userId));
|
||||
|
||||
@@ -9,7 +9,7 @@ namespace FlatRender.IdentitySvc.Controllers;
|
||||
|
||||
[ApiController]
|
||||
[Route("v1/auth")]
|
||||
public class AuthController(IAuthService authService) : ControllerBase
|
||||
public class AuthController(IAuthService authService, OAuthService oauthService) : ControllerBase
|
||||
{
|
||||
[HttpPost("register")]
|
||||
[AllowAnonymous]
|
||||
@@ -20,6 +20,43 @@ public class AuthController(IAuthService authService) : ControllerBase
|
||||
return StatusCode(201, result);
|
||||
}
|
||||
|
||||
// ── Google OAuth ────────────────────────────────────────────────────────────
|
||||
[HttpGet("google/start")]
|
||||
[AllowAnonymous]
|
||||
public async Task<IActionResult> GoogleStart([FromQuery] string return_url)
|
||||
{
|
||||
try
|
||||
{
|
||||
var url = await oauthService.BuildGoogleAuthUrlAsync(return_url ?? "");
|
||||
return Redirect(url);
|
||||
}
|
||||
catch (InvalidOperationException ex)
|
||||
{
|
||||
return BadRequest(new { error = new { message = ex.Message } });
|
||||
}
|
||||
}
|
||||
|
||||
[HttpGet("google/callback")]
|
||||
[AllowAnonymous]
|
||||
public async Task<IActionResult> GoogleCallback([FromQuery] string? code, [FromQuery] string? state, [FromQuery] string? error)
|
||||
{
|
||||
if (!string.IsNullOrEmpty(error) || string.IsNullOrEmpty(code) || string.IsNullOrEmpty(state))
|
||||
return BadRequest(new { error = new { message = error ?? "Missing authorization code" } });
|
||||
try
|
||||
{
|
||||
var result = await oauthService.HandleGoogleCallbackAsync(code, state, GetClientIp());
|
||||
// Hand tokens back to the frontend via URL fragment (not sent to servers/logs).
|
||||
var sep = result.ReturnUrl.Contains('#') ? "&" : "#";
|
||||
var redirect = $"{result.ReturnUrl}{sep}access_token={Uri.EscapeDataString(result.Tokens.AccessToken)}" +
|
||||
$"&refresh_token={Uri.EscapeDataString(result.Tokens.RefreshToken)}&expires_in={result.Tokens.ExpiresIn}";
|
||||
return Redirect(redirect);
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
return BadRequest(new { error = new { message = ex.Message } });
|
||||
}
|
||||
}
|
||||
|
||||
[HttpPost("login")]
|
||||
[AllowAnonymous]
|
||||
[ProducesResponseType(typeof(AuthTokensResponse), 200)]
|
||||
|
||||
@@ -0,0 +1,12 @@
|
||||
namespace FlatRender.IdentitySvc.Domain.Entities;
|
||||
|
||||
/// <summary>Admin-editable external OAuth provider credentials (Google, …).</summary>
|
||||
public class OAuthConfig
|
||||
{
|
||||
public string Provider { get; set; } = default!; // "google"
|
||||
public string? ClientId { get; set; }
|
||||
public string? ClientSecret { get; set; }
|
||||
public string? RedirectUri { get; set; }
|
||||
public bool Enabled { get; set; }
|
||||
public DateTime UpdatedAt { get; set; } = DateTime.UtcNow;
|
||||
}
|
||||
@@ -31,6 +31,9 @@ public class IdentityDbContext(DbContextOptions<IdentityDbContext> options) : Db
|
||||
// CRM
|
||||
public DbSet<UserCrm> UserCrms => Set<UserCrm>();
|
||||
|
||||
// OAuth providers
|
||||
public DbSet<OAuthConfig> OAuthConfigs => Set<OAuthConfig>();
|
||||
|
||||
// Gamification
|
||||
public DbSet<Quest> Quests => Set<Quest>();
|
||||
public DbSet<UserQuestProgress> UserQuestProgresses => Set<UserQuestProgress>();
|
||||
@@ -56,6 +59,12 @@ public class IdentityDbContext(DbContextOptions<IdentityDbContext> options) : Db
|
||||
e.ToTable("user_crm");
|
||||
e.HasKey(x => x.UserId);
|
||||
});
|
||||
|
||||
mb.Entity<OAuthConfig>(e =>
|
||||
{
|
||||
e.ToTable("oauth_config");
|
||||
e.HasKey(x => x.Provider);
|
||||
});
|
||||
}
|
||||
|
||||
private static void ConfigureTenants(ModelBuilder mb)
|
||||
|
||||
@@ -14,6 +14,12 @@ public record CrmAnalyticsResponse(
|
||||
List<CrmDailyPoint> Daily
|
||||
);
|
||||
|
||||
// ── OAuth provider config ─────────────────────────────────────────────────────
|
||||
|
||||
public record OAuthConfigResponse(string Provider, string? ClientId, string? RedirectUri, bool Enabled, bool HasSecret);
|
||||
|
||||
public record UpsertOAuthConfigRequest(string? ClientId, string? ClientSecret, string? RedirectUri, bool Enabled);
|
||||
|
||||
// ── Plan statistics breakdown ────────────────────────────────────────────────
|
||||
|
||||
public record PlanStatRow(string PlanName, int Total, int Active, long RevenueMinor);
|
||||
|
||||
@@ -71,7 +71,8 @@ builder.Services.AddAuthorization();
|
||||
|
||||
// ── Services ──────────────────────────────────────────────────────────────
|
||||
builder.Services.AddScoped<ITokenService, TokenService>();
|
||||
builder.Services.AddScoped<IAuthService, AuthService>();
|
||||
builder.Services.AddScoped<AuthService>();
|
||||
builder.Services.AddScoped<IAuthService>(sp => sp.GetRequiredService<AuthService>());
|
||||
builder.Services.AddScoped<IUserService, UserService>();
|
||||
builder.Services.AddScoped<ITenantService, TenantService>();
|
||||
builder.Services.AddScoped<IPlanService, PlanService>();
|
||||
@@ -79,6 +80,8 @@ builder.Services.AddScoped<IDiscountService, DiscountService>();
|
||||
builder.Services.AddScoped<IGamificationService, GamificationService>();
|
||||
builder.Services.AddScoped<IPaymentService, PaymentService>();
|
||||
builder.Services.AddScoped<AdminService>();
|
||||
builder.Services.AddScoped<OAuthService>();
|
||||
builder.Services.AddHttpClient();
|
||||
|
||||
// ── HTTP clients ───────────────────────────────────────────────────────────
|
||||
builder.Services.AddHttpClient("zarinpal", client =>
|
||||
|
||||
Reference in New Issue
Block a user