feat(auth+admin): Sign in with Google (OAuth) + Integrations config panel

Backend (identity-svc): - oauth_config table (mig 22) + OAuthConfig entity - OAuthService: admin config CRUD + Google authorization-code flow (build consent URL, exchange code, fetch userinfo, find/create RegisterMode.Google user, issue session via AuthService.IssueOAuthSessionAsync) - AuthController: GET /v1/auth/google/{start,callback} (public); tokens handed to frontend via URL fragment - AdminController: GET/PUT /v1/admin/oauth/{provider} (admin, secret masked) Frontend: - "ورود با گوگل" button on /auth → identity start endpoint - /auth/callback reads fragment tokens → /api/auth/oauth-session sets httpOnly cookies - /admin/integrations: Google client_id/secret/redirect_uri + enable, with setup guide - nav + fa/en labels Client ID/Secret are configured entirely in the admin panel — no redeploy needed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 00:08:21 +03:30
parent 88a44b1349
commit 675b60d858
17 changed files with 469 additions and 6 deletions
@@ -0,0 +1,19 @@
 -- =====================================================================
 -- IDENTITY SCHEMA — Part 22: external OAuth provider config (Google, …)
 -- Admin-editable client credentials for social login. Read by identity at
 -- login time; secrets never leave the server (masked in the admin API).
 -- =====================================================================
 SET search_path TO identity, public;
 CREATE TABLE IF NOT EXISTS oauth_config (
    provider      TEXT PRIMARY KEY,            -- 'google' (extensible: 'github', …)
    client_id     TEXT,
    client_secret TEXT,
    redirect_uri  TEXT,                         -- must match the provider console
    enabled       BOOLEAN     NOT NULL DEFAULT FALSE,
    updated_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 INSERT INTO oauth_config (provider) VALUES ('google')
 ON CONFLICT (provider) DO NOTHING;
@@ -332,7 +332,8 @@
      "music": "Music",
      "homeEvents": "Home Events",
      "comments": "Comments",
-      "routes": "Internal Routes"
+      "routes": "Internal Routes",
      "integrations": "Integrations"
    },
    "appAdminNodesPage": {
      "title": "Render Nodes",
@@ -444,7 +445,9 @@
      "passwordLabel": "Password",
      "forgotPassword": "Forgot password?",
      "createAccount": "Create Account",
-      "legalNotice": "By continuing, you agree to our <terms>Terms</terms> and <privacy>Privacy Policy</privacy>."
+      "legalNotice": "By continuing, you agree to our <terms>Terms</terms> and <privacy>Privacy Policy</privacy>.",
      "orContinueWith": "or continue with",
      "continueWithGoogle": "Continue with Google"
    },
    "componentsAuthSupabaseSetupNotice": {
      "title": "Supabase not configured",
@@ -332,7 +332,8 @@
      "music": "موسیقی",
      "homeEvents": "رویدادهای صفحه اصلی",
      "comments": "نظرات",
-      "routes": "مسیرهای داخلی"
+      "routes": "مسیرهای داخلی",
      "integrations": "یکپارچه‌سازی‌ها"
    },
    "appAdminNodesPage": {
      "title": "نودهای رندر",
@@ -444,7 +445,9 @@
      "passwordLabel": "رمز عبور",
      "forgotPassword": "رمز عبور را فراموش کرده‌اید؟",
      "createAccount": "ساخت حساب",
-      "legalNotice": "با ادامه دادن، با <terms>قوانین</terms> و <privacy>سیاست حفظ حریم خصوصی</privacy> ما موافقت می‌کنید."
+      "legalNotice": "با ادامه دادن، با <terms>قوانین</terms> و <privacy>سیاست حفظ حریم خصوصی</privacy> ما موافقت می‌کنید.",
      "orContinueWith": "یا ادامه با",
      "continueWithGoogle": "ورود با گوگل"
    },
    "componentsAuthSupabaseSetupNotice": {
      "title": "Supabase پیکربندی نشده است",
@@ -415,6 +415,10 @@ public class AuthService(
        return new AuthTokensResponse(accessToken, refreshToken, "Bearer", 15 * 60, userResponse, tenantResponse);
    }
    /// <summary>Issue a session for an externally-authenticated (OAuth/social) user.</summary>
    public Task<AuthTokensResponse> IssueOAuthSessionAsync(User user, Tenant tenant, string? deviceName, string? ipAddress)
        => CreateSessionAsync(user, tenant, null, deviceName, ipAddress);
    private async Task CreateConfirmationTokenAsync(
        Guid userId, Guid tenantId, TokenPurpose purpose, string identifier, string? ipAddress)
    {
@@ -0,0 +1,142 @@
 using System.Net.Http.Headers;
 using System.Text;
 using System.Text.Json;
 using FlatRender.IdentitySvc.Domain.Entities;
 using FlatRender.IdentitySvc.Domain.Enums;
 using FlatRender.IdentitySvc.Infrastructure.Data;
 using FlatRender.IdentitySvc.Models.Responses;
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.EntityFrameworkCore;
 namespace FlatRender.IdentitySvc.Application.Services;
 /// <summary>External OAuth (Google) — admin config + the authorization-code login flow.</summary>
 public class OAuthService(
    IdentityDbContext db,
    AuthService authService,
    IHttpClientFactory httpFactory,
    IConfiguration config)
 {
    private const string GoogleAuthEndpoint = "https://accounts.google.com/o/oauth2/v2/auth";
    private const string GoogleTokenEndpoint = "https://oauth2.googleapis.com/token";
    private const string GoogleUserInfo = "https://www.googleapis.com/oauth2/v3/userinfo";
    private string DefaultTenantSlug => config["DefaultTenantSlug"] ?? "flatrender";
    // ── Config ───────────────────────────────────────────────────────────────
    public async Task<OAuthConfig?> GetConfigAsync(string provider) =>
        await db.OAuthConfigs.FindAsync(provider);
    public async Task<OAuthConfig> UpsertConfigAsync(string provider, string? clientId, string? clientSecret, string? redirectUri, bool enabled)
    {
        var cfg = await db.OAuthConfigs.FindAsync(provider);
        if (cfg == null)
        {
            cfg = new OAuthConfig { Provider = provider };
            db.OAuthConfigs.Add(cfg);
        }
        if (clientId != null) cfg.ClientId = clientId;
        // Keep the existing secret if the client sent it blank/masked.
        if (!string.IsNullOrEmpty(clientSecret) && !clientSecret.Contains('•')) cfg.ClientSecret = clientSecret;
        if (redirectUri != null) cfg.RedirectUri = redirectUri;
        cfg.Enabled = enabled;
        cfg.UpdatedAt = DateTime.UtcNow;
        await db.SaveChangesAsync();
        return cfg;
    }
    // ── Google authorization-code flow ─────────────────────────────────────────
    public async Task<string> BuildGoogleAuthUrlAsync(string returnUrl)
    {
        var cfg = await GetConfigAsync("google");
        if (cfg is not { Enabled: true } || string.IsNullOrEmpty(cfg.ClientId) || string.IsNullOrEmpty(cfg.RedirectUri))
            throw new InvalidOperationException("Google login is not configured");
        var state = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(returnUrl));
        var query = new Dictionary<string, string?>
        {
            ["client_id"] = cfg.ClientId,
            ["redirect_uri"] = cfg.RedirectUri,
            ["response_type"] = "code",
            ["scope"] = "openid email profile",
            ["state"] = state,
            ["access_type"] = "online",
            ["prompt"] = "select_account",
        };
        return QueryHelpers.AddQueryString(GoogleAuthEndpoint, query);
    }
    public record GoogleResult(AuthTokensResponse Tokens, string ReturnUrl);
    public async Task<GoogleResult> HandleGoogleCallbackAsync(string code, string state, string? ipAddress)
    {
        var returnUrl = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(state));
        var cfg = await GetConfigAsync("google")
            ?? throw new InvalidOperationException("Google login is not configured");
        var http = httpFactory.CreateClient();
        // 1) Exchange the authorization code for tokens.
        var tokenResp = await http.PostAsync(GoogleTokenEndpoint, new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["code"] = code,
            ["client_id"] = cfg.ClientId ?? "",
            ["client_secret"] = cfg.ClientSecret ?? "",
            ["redirect_uri"] = cfg.RedirectUri ?? "",
            ["grant_type"] = "authorization_code",
        }));
        var tokenBody = await tokenResp.Content.ReadAsStringAsync();
        if (!tokenResp.IsSuccessStatusCode)
            throw new InvalidOperationException($"Google token exchange failed: {tokenBody}");
        using var tokenDoc = JsonDocument.Parse(tokenBody);
        var accessToken = tokenDoc.RootElement.GetProperty("access_token").GetString();
        // 2) Fetch the user's profile.
        var infoReq = new HttpRequestMessage(HttpMethod.Get, GoogleUserInfo);
        infoReq.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        var infoResp = await http.SendAsync(infoReq);
        var infoBody = await infoResp.Content.ReadAsStringAsync();
        if (!infoResp.IsSuccessStatusCode)
            throw new InvalidOperationException($"Google userinfo failed: {infoBody}");
        using var infoDoc = JsonDocument.Parse(infoBody);
        var root = infoDoc.RootElement;
        var email = root.TryGetProperty("email", out var e) ? e.GetString() : null;
        var name = root.TryGetProperty("name", out var n) ? n.GetString() : null;
        var picture = root.TryGetProperty("picture", out var p) ? p.GetString() : null;
        if (string.IsNullOrEmpty(email))
            throw new InvalidOperationException("Google account has no email");
        email = email.ToLowerInvariant();
        // 3) Find or create the user in the default tenant.
        var tenant = await db.Tenants.FirstOrDefaultAsync(t => t.Slug == DefaultTenantSlug && t.DeletedAt == null)
            ?? await db.Tenants.FirstOrDefaultAsync(t => t.DeletedAt == null)
            ?? throw new InvalidOperationException("No tenant configured");
        var user = await db.Users.FirstOrDefaultAsync(u => u.TenantId == tenant.Id && u.Email == email && u.DeletedAt == null);
        if (user == null)
        {
            user = new User
            {
                TenantId = tenant.Id,
                Email = email,
                FullName = name,
                AvatarUrl = picture,
                EmailVerified = true,
                RegisterMode = RegisterMode.Google,
                RegisterDate = DateTime.UtcNow,
            };
            db.Users.Add(user);
            await db.SaveChangesAsync();
        }
        else if (!user.EmailVerified)
        {
            user.EmailVerified = true;
            await db.SaveChangesAsync();
        }
        var tokens = await authService.IssueOAuthSessionAsync(user, tenant, "Google", ipAddress);
        return new GoogleResult(tokens, returnUrl);
    }
 }
@@ -26,6 +26,22 @@ public class AdminController(AdminService svc) : ControllerBase
    [HttpGet("v1/admin/plan-statistics")]
    public async Task<IActionResult> PlanStats() => Ok(await svc.GetPlanStatisticsAsync(TenantId));
    // ── OAuth provider config ──────────────────────────────────────────────────
    [HttpGet("v1/admin/oauth/{provider}")]
    public async Task<IActionResult> GetOAuth(string provider, [FromServices] OAuthService oauth)
    {
        var c = await oauth.GetConfigAsync(provider);
        return Ok(new OAuthConfigResponse(provider, c?.ClientId, c?.RedirectUri, c?.Enabled ?? false,
            !string.IsNullOrEmpty(c?.ClientSecret)));
    }
    [HttpPut("v1/admin/oauth/{provider}")]
    public async Task<IActionResult> PutOAuth(string provider, [FromBody] UpsertOAuthConfigRequest req, [FromServices] OAuthService oauth)
    {
        var c = await oauth.UpsertConfigAsync(provider, req.ClientId, req.ClientSecret, req.RedirectUri, req.Enabled);
        return Ok(new OAuthConfigResponse(provider, c.ClientId, c.RedirectUri, c.Enabled, !string.IsNullOrEmpty(c.ClientSecret)));
    }
    // ── CRM notes / tags ───────────────────────────────────────────────────────
    [HttpGet("v1/users/{userId:guid}/crm")]
    public async Task<IActionResult> GetCrm(Guid userId) => Ok(await svc.GetUserCrmAsync(userId));
@@ -9,7 +9,7 @@ namespace FlatRender.IdentitySvc.Controllers;
 [ApiController]
 [Route("v1/auth")]
-public class AuthController(IAuthService authService) : ControllerBase
+public class AuthController(IAuthService authService, OAuthService oauthService) : ControllerBase
 {
    [HttpPost("register")]
    [AllowAnonymous]
@@ -20,6 +20,43 @@ public class AuthController(IAuthService authService) : ControllerBase
        return StatusCode(201, result);
    }
    // ── Google OAuth ────────────────────────────────────────────────────────────
    [HttpGet("google/start")]
    [AllowAnonymous]
    public async Task<IActionResult> GoogleStart([FromQuery] string return_url)
    {
        try
        {
            var url = await oauthService.BuildGoogleAuthUrlAsync(return_url ?? "");
            return Redirect(url);
        }
        catch (InvalidOperationException ex)
        {
            return BadRequest(new { error = new { message = ex.Message } });
        }
    }
    [HttpGet("google/callback")]
    [AllowAnonymous]
    public async Task<IActionResult> GoogleCallback([FromQuery] string? code, [FromQuery] string? state, [FromQuery] string? error)
    {
        if (!string.IsNullOrEmpty(error) || string.IsNullOrEmpty(code) || string.IsNullOrEmpty(state))
            return BadRequest(new { error = new { message = error ?? "Missing authorization code" } });
        try
        {
            var result = await oauthService.HandleGoogleCallbackAsync(code, state, GetClientIp());
            // Hand tokens back to the frontend via URL fragment (not sent to servers/logs).
            var sep = result.ReturnUrl.Contains('#') ? "&" : "#";
            var redirect = $"{result.ReturnUrl}{sep}access_token={Uri.EscapeDataString(result.Tokens.AccessToken)}" +
                           $"&refresh_token={Uri.EscapeDataString(result.Tokens.RefreshToken)}&expires_in={result.Tokens.ExpiresIn}";
            return Redirect(redirect);
        }
        catch (Exception ex)
        {
            return BadRequest(new { error = new { message = ex.Message } });
        }
    }
    [HttpPost("login")]
    [AllowAnonymous]
    [ProducesResponseType(typeof(AuthTokensResponse), 200)]
@@ -0,0 +1,12 @@
 namespace FlatRender.IdentitySvc.Domain.Entities;
 /// <summary>Admin-editable external OAuth provider credentials (Google, …).</summary>
 public class OAuthConfig
 {
    public string Provider { get; set; } = default!; // "google"
    public string? ClientId { get; set; }
    public string? ClientSecret { get; set; }
    public string? RedirectUri { get; set; }
    public bool Enabled { get; set; }
    public DateTime UpdatedAt { get; set; } = DateTime.UtcNow;
 }
@@ -31,6 +31,9 @@ public class IdentityDbContext(DbContextOptions<IdentityDbContext> options) : Db
    // CRM
    public DbSet<UserCrm> UserCrms => Set<UserCrm>();
    // OAuth providers
    public DbSet<OAuthConfig> OAuthConfigs => Set<OAuthConfig>();
    // Gamification
    public DbSet<Quest> Quests => Set<Quest>();
    public DbSet<UserQuestProgress> UserQuestProgresses => Set<UserQuestProgress>();
@@ -56,6 +59,12 @@ public class IdentityDbContext(DbContextOptions<IdentityDbContext> options) : Db
            e.ToTable("user_crm");
            e.HasKey(x => x.UserId);
        });
        mb.Entity<OAuthConfig>(e =>
        {
            e.ToTable("oauth_config");
            e.HasKey(x => x.Provider);
        });
    }
    private static void ConfigureTenants(ModelBuilder mb)
@@ -14,6 +14,12 @@ public record CrmAnalyticsResponse(
    List<CrmDailyPoint> Daily
 );
 // ── OAuth provider config ─────────────────────────────────────────────────────
 public record OAuthConfigResponse(string Provider, string? ClientId, string? RedirectUri, bool Enabled, bool HasSecret);
 public record UpsertOAuthConfigRequest(string? ClientId, string? ClientSecret, string? RedirectUri, bool Enabled);
 // ── Plan statistics breakdown ────────────────────────────────────────────────
 public record PlanStatRow(string PlanName, int Total, int Active, long RevenueMinor);
@@ -71,7 +71,8 @@ builder.Services.AddAuthorization();
 // ── Services ──────────────────────────────────────────────────────────────
 builder.Services.AddScoped<ITokenService, TokenService>();
-builder.Services.AddScoped<IAuthService, AuthService>();
+builder.Services.AddScoped<AuthService>();
 builder.Services.AddScoped<IAuthService>(sp => sp.GetRequiredService<AuthService>());
 builder.Services.AddScoped<IUserService, UserService>();
 builder.Services.AddScoped<ITenantService, TenantService>();
 builder.Services.AddScoped<IPlanService, PlanService>();
@@ -79,6 +80,8 @@ builder.Services.AddScoped<IDiscountService, DiscountService>();
 builder.Services.AddScoped<IGamificationService, GamificationService>();
 builder.Services.AddScoped<IPaymentService, PaymentService>();
 builder.Services.AddScoped<AdminService>();
 builder.Services.AddScoped<OAuthService>();
 builder.Services.AddHttpClient();
 // ── HTTP clients ───────────────────────────────────────────────────────────
 builder.Services.AddHttpClient("zarinpal", client =>
@@ -0,0 +1,7 @@
 "use client";
 import { IntegrationsAdmin } from "@/components/admin/IntegrationsAdmin";
 export default function Page() {
  return <IntegrationsAdmin />;
 }
@@ -31,6 +31,7 @@ export default async function AdminLayout({
    { href: "/admin/files", label: t("media") },
    { href: "/admin/ai", label: t("aiContent") },
    { href: "/admin/messaging", label: t("messaging") },
    { href: "/admin/integrations", label: t("integrations") },
    { href: "/admin/marketing", label: t("marketing") },
    { href: "/admin/crm", label: t("crm") },
    { href: "/admin/users", label: t("users") },
@@ -0,0 +1,61 @@
 "use client";
 import { useEffect, useState } from "react";
 import { useRouter, useSearchParams } from "next/navigation";
 /**
 * OAuth landing page. Identity redirects here with tokens in the URL fragment
 * (#access_token=…&refresh_token=…&expires_in=…). We hand them to a server route
 * that sets httpOnly session cookies, then continue to the app.
 */
 export default function OAuthCallbackPage() {
  const router = useRouter();
  const searchParams = useSearchParams();
  const [error, setError] = useState<string | null>(null);
  useEffect(() => {
    const hash = typeof window !== "undefined" ? window.location.hash.replace(/^#/, "") : "";
    const params = new URLSearchParams(hash);
    const accessToken = params.get("access_token");
    const refreshToken = params.get("refresh_token");
    const expiresIn = Number(params.get("expires_in") ?? "900");
    if (!accessToken || !refreshToken) {
      setError("ورود ناموفق بود. لطفاً دوباره تلاش کنید.");
      return;
    }
    const next = searchParams.get("next") || "/dashboard";
    (async () => {
      try {
        const res = await fetch("/api/auth/oauth-session", {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({ access_token: accessToken, refresh_token: refreshToken, expires_in: expiresIn }),
        });
        if (!res.ok) throw new Error("session");
        // Clear the fragment from history, then continue.
        window.history.replaceState(null, "", window.location.pathname);
        router.replace(next.startsWith("/") ? next : "/dashboard");
        router.refresh();
      } catch {
        setError("برقراری نشست ناموفق بود.");
      }
    })();
  }, [router, searchParams]);
  return (
    <main className="flex min-h-screen items-center justify-center bg-neutral-50 text-neutral-700" dir="rtl">
      <div className="text-center">
        {error ? (
          <>
            <p className="text-sm text-red-600">{error}</p>
            <a href="/auth" className="mt-3 inline-block text-sm text-primary-600 hover:underline">بازگشت به ورود</a>
          </>
        ) : (
          <p className="text-sm">در حال ورود…</p>
        )}
      </div>
    </main>
  );
 }
@@ -0,0 +1,18 @@
 import { NextResponse } from "next/server";
 import { setAuthCookies } from "@/lib/auth/cookies";
 export const dynamic = "force-dynamic";
 /** Receives OAuth tokens from the client callback and sets httpOnly session cookies. */
 export async function POST(req: Request) {
  const body = await req.json().catch(() => null);
  const accessToken = body?.access_token;
  const refreshToken = body?.refresh_token;
  const expiresIn = Number(body?.expires_in ?? 900);
  if (!accessToken || !refreshToken) {
    return NextResponse.json({ error: "Missing tokens" }, { status: 400 });
  }
  const out = NextResponse.json({ ok: true });
  return setAuthCookies(out, accessToken, refreshToken, expiresIn);
 }
@@ -0,0 +1,96 @@
 "use client";
 import { useCallback, useEffect, useState } from "react";
 const card = "rounded-xl border border-[#1e2235] bg-[#0f1120] p-5";
 const btn = "rounded-lg bg-indigo-600 px-4 py-2 text-sm font-medium text-white hover:bg-indigo-500 disabled:opacity-50";
 const inp = "w-full rounded-lg border border-[#262b40] bg-[#0c0e1a] px-3 py-2 text-sm text-gray-100 outline-none focus:border-indigo-500";
 const lbl = "mb-1 block text-xs font-medium text-gray-400";
 export function IntegrationsAdmin() {
  const [clientId, setClientId] = useState("");
  const [clientSecret, setClientSecret] = useState("");
  const [redirectUri, setRedirectUri] = useState("");
  const [enabled, setEnabled] = useState(false);
  const [hasSecret, setHasSecret] = useState(false);
  const [msg, setMsg] = useState<string | null>(null);
  const [saving, setSaving] = useState(false);
  // Suggested redirect URI = gateway base (…/v1) + /auth/google/callback
  const suggested = ((process.env.NEXT_PUBLIC_API_URL ?? "") + "/auth/google/callback").replace(/([^:])\/\//g, "$1/");
  const load = useCallback(async () => {
    const r = await fetch("/api/admin/resource/admin/oauth/google", { cache: "no-store" }).then((x) => x.json()).catch(() => null);
    if (r) {
      setClientId(r.client_id ?? "");
      setRedirectUri(r.redirect_uri ?? "");
      setEnabled(!!r.enabled);
      setHasSecret(!!r.has_secret);
    }
  }, []);
  useEffect(() => { load(); }, [load]);
  const save = async () => {
    setSaving(true); setMsg(null);
    const res = await fetch("/api/admin/resource/admin/oauth/google", {
      method: "PUT", headers: { "Content-Type": "application/json" },
      body: JSON.stringify({
        client_id: clientId,
        client_secret: clientSecret || null, // blank keeps existing
        redirect_uri: redirectUri || suggested,
        enabled,
      }),
    });
    const d = await res.json().catch(() => null);
    setMsg(res.ok ? "ذخیره شد ✓" : (d?.error?.message ?? "خطا در ذخیره"));
    setSaving(false);
    if (res.ok) { setClientSecret(""); load(); }
  };
  return (
    <div className="space-y-6" dir="rtl">
      <div>
        <h1 className="text-xl font-semibold text-white">یکپارچه‌سازی‌ها</h1>
        <p className="mt-1 text-sm text-gray-400">پیکربندی ورود با حساب‌های خارجی. کلیدها را از کنسول مربوطه دریافت و اینجا وارد کنید.</p>
      </div>
      <section className={card}>
        <div className="flex items-center justify-between">
          <h2 className="text-sm font-semibold text-white">ورود با گوگل (Google OAuth)</h2>
          <label className="flex items-center gap-2 text-sm text-gray-300">
            <input type="checkbox" checked={enabled} onChange={(e) => setEnabled(e.target.checked)} /> فعال
          </label>
        </div>
        <div className="mt-4 grid gap-3">
          <div>
            <label className={lbl}>Client ID</label>
            <input className={inp} value={clientId} onChange={(e) => setClientId(e.target.value)} placeholder="xxxxxx.apps.googleusercontent.com" dir="ltr" />
          </div>
          <div>
            <label className={lbl}>Client Secret {hasSecret && <span className="text-emerald-400">(ذخیره‌شده — برای حفظ خالی بگذارید)</span>}</label>
            <input className={inp} type="password" value={clientSecret} onChange={(e) => setClientSecret(e.target.value)} placeholder={hasSecret ? "••••••••" : "GOCSPX-…"} dir="ltr" />
          </div>
          <div>
            <label className={lbl}>Redirect URI (در کنسول گوگل ثبت کنید)</label>
            <input className={inp} value={redirectUri} onChange={(e) => setRedirectUri(e.target.value)} placeholder={suggested} dir="ltr" />
            <p className="mt-1 text-[11px] text-gray-500">مقدار پیشنهادی: <code className="text-gray-400" dir="ltr">{suggested}</code></p>
          </div>
        </div>
        <div className="mt-4 flex items-center gap-3">
          <button className={btn} onClick={save} disabled={saving || !clientId}>{saving ? "در حال ذخیره…" : "ذخیره تنظیمات"}</button>
          {msg && <span className="text-xs text-gray-400">{msg}</span>}
        </div>
        <div className="mt-4 rounded-lg border border-[#262b40] bg-[#0c0e1a] p-3 text-xs leading-6 text-gray-400">
          <p className="font-medium text-gray-300">راهنمای سریع:</p>
          <p>۱) به <span dir="ltr">console.cloud.google.com</span> بروید و یک «OAuth 2.0 Client ID» از نوع Web بسازید.</p>
          <p>۲) مقدار Redirect URI بالا را در «Authorized redirect URIs» ثبت کنید.</p>
          <p>۳) Client ID و Secret را اینجا وارد کنید، «فعال» را بزنید و ذخیره کنید.</p>
          <p>۴) دکمهٔ «ورود با گوگل» در صفحهٔ ورود ظاهر و فعال می‌شود.</p>
        </div>
      </section>
    </div>
  );
 }
@@ -92,6 +92,13 @@ export function AuthPageContent() {
    setResetNewPassword("");
  };
  // ── Google OAuth — redirect to identity's start endpoint ──────────────────
  const googleSignIn = () => {
    const base = process.env.NEXT_PUBLIC_API_URL ?? "";
    const returnUrl = `${window.location.origin}/auth/callback?next=${encodeURIComponent(nextPath)}`;
    window.location.href = `${base}/auth/google/start?return_url=${encodeURIComponent(returnUrl)}`;
  };
  // ── Main sign-in / sign-up submit ──────────────────────────────────────────
  const onSubmit = async (values: AuthFormValues) => {
    setSubmitting(true);
@@ -376,6 +383,25 @@ export function AuthPageContent() {
            {activeTab === "sign-in" ? t("signInTab") : t("createAccount")}
          </Button>
        </form>
        <div className="relative my-5 flex items-center">
          <div className="flex-grow border-t border-gray-100" />
          <span className="mx-3 text-xs text-neutral-400">{t("orContinueWith")}</span>
          <div className="flex-grow border-t border-gray-100" />
        </div>
        <button
          type="button"
          onClick={googleSignIn}
          className="flex w-full items-center justify-center gap-2 rounded-lg border border-gray-200 bg-white px-3 py-2.5 text-sm font-medium text-neutral-700 transition-colors hover:bg-neutral-50"
        >
          <svg className="h-4 w-4" viewBox="0 0 24 24" aria-hidden>
            <path fill="#4285F4" d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92a5.06 5.06 0 0 1-2.2 3.32v2.77h3.57c2.08-1.92 3.27-4.74 3.27-8.1Z" />
            <path fill="#34A853" d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84A11 11 0 0 0 12 23Z" />
            <path fill="#FBBC05" d="M5.84 14.1a6.6 6.6 0 0 1 0-4.2V7.06H2.18a11 11 0 0 0 0 9.88l3.66-2.84Z" />
            <path fill="#EA4335" d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1A11 11 0 0 0 2.18 7.06l3.66 2.84C6.71 7.31 9.14 5.38 12 5.38Z" />
          </svg>
          {t("continueWithGoogle")}
        </button>
      </div>
      <p className="mt-6 text-center text-xs text-neutral-500">