OWASP · ahmedxgouda · Aug 6, 2025 · Aug 7, 2025 · Aug 9, 2025 · Aug 9, 2025
@@ -10,6 +10,13 @@ DJANGO_DB_NAME=None
 DJANGO_DB_PASSWORD=None
 DJANGO_DB_PORT=None
 DJANGO_DB_USER=None
+DJANGO_GOOGLE_AUTH_AUTH_URI=https://accounts.google.com/o/oauth2/auth
+DJANGO_GOOGLE_AUTH_CLIENT_ID=None
+DJANGO_GOOGLE_AUTH_CLIENT_SECRET=None
+DJANGO_GOOGLE_AUTH_REDIRECT_URI=http://localhost:8000/auth/google/callback/
+DJANGO_GOOGLE_AUTH_SCOPES=https://www.googleapis.com/auth/calendar.readonly
+DJANGO_GOOGLE_AUTH_TOKEN_URI=https://oauth2.googleapis.com/token
+DJANGO_IS_GOOGLE_AUTH_ENABLED=False
 DJANGO_OPEN_AI_SECRET_KEY=None
 DJANGO_PUBLIC_IP_ADDRESS="127.0.0.1"
 DJANGO_REDIS_HOST=None

@@ -0,0 +1,20 @@
+"""Common API Clients."""
+
+from django.conf import settings
+from google_auth_oauthlib.flow import Flow
+
+
+def get_google_auth_client():
+    """Get a Google OAuth client."""
+    return Flow.from_client_config(
+        client_config={
+            "web": {
+                "client_id": settings.GOOGLE_AUTH_CLIENT_ID,
+                "client_secret": settings.GOOGLE_AUTH_CLIENT_SECRET,
+                "redirect_uris": [settings.GOOGLE_AUTH_REDIRECT_URI],
+                "auth_uri": settings.GOOGLE_AUTH_AUTH_URI,
+                "token_uri": settings.GOOGLE_AUTH_TOKEN_URI,
+            }
+        },
+        scopes=settings.GOOGLE_AUTH_SCOPES,
+    )
diff --git a/backend/apps/nest/migrations/0004_membergooglecredentials.py b/backend/apps/nest/migrations/0004_membergooglecredentials.py
@@ -0,0 +1,41 @@
+# Generated by Django 5.2.4 on 2025-08-20 18:53
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("nest", "0003_badge"),
+        ("slack", "0023_delete_googleauth"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="MemberGoogleCredentials",
+            fields=[
+                (
+                    "id",
+                    models.BigAutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("access_token", models.BinaryField(null=True, verbose_name="Access Token")),
+                ("refresh_token", models.BinaryField(null=True, verbose_name="Refresh Token")),
+                ("expires_at", models.DateTimeField(null=True, verbose_name="Token Expiry")),
+                (
+                    "member",
+                    models.OneToOneField(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="google_auth",
+                        to="slack.member",
+                        verbose_name="Slack Member",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name_plural": "Google Auths",
+                "db_table": "slack_google_auths",
+            },
+        ),
+    ]
diff --git a/backend/apps/nest/migrations/0005_alter_membergooglecredentials_options_and_more.py b/backend/apps/nest/migrations/0005_alter_membergooglecredentials_options_and_more.py
@@ -0,0 +1,20 @@
+# Generated by Django 5.2.4 on 2025-08-20 18:55
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("nest", "0004_membergooglecredentials"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="membergooglecredentials",
+            options={"verbose_name_plural": "Member's Google Credentials"},
+        ),
+        migrations.AlterModelTable(
+            name="membergooglecredentials",
+            table="nest_member_google_credentials",
+        ),
+    ]
diff --git a/backend/apps/nest/migrations/0006_alter_membergooglecredentials_member.py b/backend/apps/nest/migrations/0006_alter_membergooglecredentials_member.py
@@ -0,0 +1,24 @@
+# Generated by Django 5.2.4 on 2025-08-20 19:08
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("nest", "0005_alter_membergooglecredentials_options_and_more"),
+        ("slack", "0023_delete_googleauth"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="membergooglecredentials",
+            name="member",
+            field=models.OneToOneField(
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="member_google_credentials",
+                to="slack.member",
+                verbose_name="Slack Member",
+            ),
+        ),
+    ]
@@ -1,3 +1,4 @@
 from .api_key import ApiKey
 from .badge import Badge
+from .member_google_credentials import MemberGoogleCredentials
 from .user import User
@@ -0,0 +1,131 @@
+"""Slack Google OAuth Authentication Model."""
+
+from django.conf import settings
+from django.core.exceptions import ValidationError
+from django.db import models
+from django.utils import timezone
+from google.auth.transport.requests import Request
+from google.oauth2.credentials import Credentials
+
+from apps.common.clients import get_google_auth_client
+from apps.slack.models.member import Member
+
+AUTH_ERROR_MESSAGE = (
+    "Google OAuth client ID, secret, and redirect URI must be set in environment variables."
+)
+
+
+class MemberGoogleCredentials(models.Model):
+    """Model to store Google OAuth tokens for Slack integration."""
+
+    class Meta:
+        db_table = "nest_member_google_credentials"
+        verbose_name_plural = "Member's Google Credentials"
+
+    member = models.OneToOneField(
+        "slack.Member",
+        on_delete=models.CASCADE,
+        related_name="member_google_credentials",
+        verbose_name="Slack Member",
+    )
+    access_token = models.BinaryField(verbose_name="Access Token", null=True)
+    refresh_token = models.BinaryField(verbose_name="Refresh Token", null=True)
+    expires_at = models.DateTimeField(
+        verbose_name="Token Expiry",
+        null=True,
+    )
+
+    @staticmethod
+    def authenticate(member):
+        """Authenticate a member.
+
+        Returns:
+            - MemberGoogleCredentials instance if a valid/refreshable token exists, or
+            - (authorization_url, state) tuple to complete the OAuth flow.
+
+        """
+        if not settings.IS_GOOGLE_AUTH_ENABLED:
+            raise ValueError(AUTH_ERROR_MESSAGE)
+        auth = MemberGoogleCredentials.objects.get_or_create(member=member)[0]
+        if auth.access_token and not auth.is_token_expired:
+            return auth
+        if auth.access_token:
+            # If the access token is present but expired, refresh it
+            MemberGoogleCredentials.refresh_access_token(auth)
+            return auth
+        # If no access token is present, redirect to Google OAuth
+        flow = MemberGoogleCredentials.get_flow()
+        flow.redirect_uri = settings.GOOGLE_AUTH_REDIRECT_URI
+        state = member.slack_user_id
+        return flow.authorization_url(
+            access_type="offline",
+            prompt="consent",
+            state=state,
+        )
+
+    @staticmethod
+    def authenticate_callback(auth_response, member_id):
+        """Authenticate a member and return a MemberGoogleCredentials instance."""
+        if not settings.IS_GOOGLE_AUTH_ENABLED:
+            raise ValueError(AUTH_ERROR_MESSAGE)
+
+        member = None
+        try:
+            member = Member.objects.get(slack_user_id=member_id)
+        except Member.DoesNotExist as e:
+            error_message = f"Member with Slack ID {member_id} does not exist."
+            raise ValidationError(error_message) from e
+
+        auth = MemberGoogleCredentials.objects.get_or_create(member=member)[0]
+        # This is the first time authentication, so we need to fetch a new token
+        flow = MemberGoogleCredentials.get_flow()
+        flow.redirect_uri = settings.GOOGLE_AUTH_REDIRECT_URI
+        flow.fetch_token(authorization_response=auth_response)
+        auth.access_token = flow.credentials.token
+        auth.refresh_token = flow.credentials.refresh_token
+        expires_at = flow.credentials.expiry
+        if expires_at and timezone.is_naive(expires_at):
+            expires_at = timezone.make_aware(expires_at)
+        auth.expires_at = expires_at
+        auth.save()
+        return auth
-        auth.access_token = flow.credentials.token
-        auth.refresh_token = flow.credentials.refresh_token
-        expires_at = flow.credentials.expiry
-        if expires_at and timezone.is_naive(expires_at):
-            expires_at = timezone.make_aware(expires_at)
-        auth.expires_at = expires_at
-        auth.save()
-        return auth
+        access = flow.credentials.token
+        refresh = flow.credentials.refresh_token
+        if isinstance(access, str):
+            access = access.encode("utf-8")
+        if isinstance(refresh, str) and refresh is not None:
+            refresh = refresh.encode("utf-8")
+        auth.access_token = access
+        auth.refresh_token = refresh
+        expires_at = flow.credentials.expiry
+        if expires_at and timezone.is_naive(expires_at):
+            expires_at = timezone.make_aware(expires_at)
+        auth.expires_at = expires_at
+        auth.save()
+        return auth
-        auth.access_token = flow.credentials.token
-        auth.refresh_token = flow.credentials.refresh_token
-        expires_at = flow.credentials.expiry
-        if expires_at and timezone.is_naive(expires_at):
-            expires_at = timezone.make_aware(expires_at)
-        auth.expires_at = expires_at
-        auth.save()
-        return auth
+        access = flow.credentials.token
+        refresh = flow.credentials.refresh_token
+        if isinstance(access, str):
+            access = access.encode("utf-8")
+        if isinstance(refresh, str) and refresh is not None:
+            refresh = refresh.encode("utf-8")
+        auth.access_token = access
+        auth.refresh_token = refresh
+        expires_at = flow.credentials.expiry
+        if expires_at and timezone.is_naive(expires_at):
+            expires_at = timezone.make_aware(expires_at)
+        auth.expires_at = expires_at
+        auth.save()
+        return auth
+
+    @staticmethod
+    def get_flow():
+        """Create a Google OAuth flow instance."""
+        if not settings.IS_GOOGLE_AUTH_ENABLED:
+            raise ValueError(AUTH_ERROR_MESSAGE)
+        return get_google_auth_client()
+
+    @property
+    def is_token_expired(self):
+        """Check if the access token is expired."""
+        return self.expires_at is None or self.expires_at <= timezone.now() + timezone.timedelta(
+            seconds=60
+        )
+
+    @staticmethod
+    def refresh_access_token(auth):
+        """Refresh the access token using the refresh token."""
+        if not settings.IS_GOOGLE_AUTH_ENABLED:
+            raise ValueError(AUTH_ERROR_MESSAGE)
+        refresh_error = "Google OAuth refresh token is not set or expired."
+        if not auth.refresh_token:
+            raise ValidationError(refresh_error)
+        credentials = Credentials(
+            token=auth.access_token,
+            refresh_token=auth.refresh_token,
+            token_uri=settings.GOOGLE_AUTH_TOKEN_URI,
+            client_id=settings.GOOGLE_AUTH_CLIENT_ID,
+            client_secret=settings.GOOGLE_AUTH_CLIENT_SECRET,
+        )
+        credentials.refresh(Request())
+
+        auth.access_token = credentials.token
+        auth.refresh_token = credentials.refresh_token
+        auth.expires_at = credentials.expiry
+        auth.save()
-        credentials = Credentials(
-            token=auth.access_token,
-            refresh_token=auth.refresh_token,
-            token_uri=settings.GOOGLE_AUTH_TOKEN_URI,
-            client_id=settings.GOOGLE_AUTH_CLIENT_ID,
-            client_secret=settings.GOOGLE_AUTH_CLIENT_SECRET,
-        )
-        credentials.refresh(Request())
-
-        auth.access_token = credentials.token
-        auth.refresh_token = credentials.refresh_token
-        auth.expires_at = credentials.expiry
-        auth.save()
+        token_str = (
+            auth.access_token.decode("utf-8")
+            if isinstance(auth.access_token, (bytes, memoryview))
+            else auth.access_token
+        )
+        refresh_str = (
+            auth.refresh_token.decode("utf-8")
+            if isinstance(auth.refresh_token, (bytes, memoryview))
+            else auth.refresh_token
+        )
+        credentials = Credentials(
+            token=token_str,
+            refresh_token=refresh_str,
+            token_uri=settings.GOOGLE_AUTH_TOKEN_URI,
+            client_id=settings.GOOGLE_AUTH_CLIENT_ID,
+            client_secret=settings.GOOGLE_AUTH_CLIENT_SECRET,
+        )
+        credentials.refresh(Request())
+
+        # Store refreshed tokens back as bytes
+        new_token = credentials.token
+        new_refresh = credentials.refresh_token
+        if isinstance(new_token, str):
+            new_token = new_token.encode("utf-8")
+        if isinstance(new_refresh, str) and new_refresh is not None:
+            new_refresh = new_refresh.encode("utf-8")
+        auth.access_token = new_token
+        auth.refresh_token = new_refresh
+
+        expires_at = credentials.expiry
+        if expires_at and timezone.is_naive(expires_at):
+            expires_at = timezone.make_aware(expires_at)
+        auth.expires_at = expires_at
+
+        auth.save()
-        credentials = Credentials(
-            token=auth.access_token,
-            refresh_token=auth.refresh_token,
-            token_uri=settings.GOOGLE_AUTH_TOKEN_URI,
-            client_id=settings.GOOGLE_AUTH_CLIENT_ID,
-            client_secret=settings.GOOGLE_AUTH_CLIENT_SECRET,
-        )
-        credentials.refresh(Request())
-
-        auth.access_token = credentials.token
-        auth.refresh_token = credentials.refresh_token
-        auth.expires_at = credentials.expiry
-        auth.save()
+        token_str = (
+            auth.access_token.decode("utf-8")
+            if isinstance(auth.access_token, (bytes, memoryview))
+            else auth.access_token
+        )
+        refresh_str = (
+            auth.refresh_token.decode("utf-8")
+            if isinstance(auth.refresh_token, (bytes, memoryview))
+            else auth.refresh_token
+        )
+        credentials = Credentials(
+            token=token_str,
+            refresh_token=refresh_str,
+            token_uri=settings.GOOGLE_AUTH_TOKEN_URI,
+            client_id=settings.GOOGLE_AUTH_CLIENT_ID,
+            client_secret=settings.GOOGLE_AUTH_CLIENT_SECRET,
+        )
+        credentials.refresh(Request())
+
+        # Store refreshed tokens back as bytes
+        new_token = credentials.token
+        new_refresh = credentials.refresh_token
+        if isinstance(new_token, str):
+            new_token = new_token.encode("utf-8")
+        if isinstance(new_refresh, str) and new_refresh is not None:
+            new_refresh = new_refresh.encode("utf-8")
+        auth.access_token = new_token
+        auth.refresh_token = new_refresh
+
+        expires_at = credentials.expiry
+        if expires_at and timezone.is_naive(expires_at):
+            expires_at = timezone.make_aware(expires_at)
+        auth.expires_at = expires_at
+
+        auth.save()
+
+    def __str__(self):
+        """Return a string representation of the MemberGoogleCredentials instance."""
+        return f"MemberGoogleCredentials(member={self.member})"
diff --git a/backend/apps/slack/migrations/0019_googleauth.py b/backend/apps/slack/migrations/0019_googleauth.py
@@ -0,0 +1,39 @@
+# Generated by Django 5.2.4 on 2025-08-11 04:45
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("slack", "0018_conversation_sync_messages"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="GoogleAuth",
+            fields=[
+                (
+                    "id",
+                    models.BigAutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("access_token", models.TextField(blank=True, verbose_name="Access Token")),
+                ("refresh_token", models.TextField(blank=True, verbose_name="Refresh Token")),
+                (
+                    "expires_at",
+                    models.DateTimeField(blank=True, null=True, verbose_name="Token Expiry"),
+                ),
+                (
+                    "member",
+                    models.OneToOneField(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="google_auth",
+                        to="slack.member",
+                        verbose_name="Slack Member",
+                    ),
+                ),
+            ],
+        ),
+    ]
diff --git a/backend/apps/slack/migrations/0020_alter_googleauth_access_token_and_more.py b/backend/apps/slack/migrations/0020_alter_googleauth_access_token_and_more.py
@@ -0,0 +1,22 @@
+# Generated by Django 5.2.4 on 2025-08-12 17:31
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("slack", "0019_googleauth"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="googleauth",
+            name="access_token",
+            field=models.BinaryField(blank=True, verbose_name="Access Token"),
+        ),
+        migrations.AlterField(
+            model_name="googleauth",
+            name="refresh_token",
+            field=models.BinaryField(blank=True, verbose_name="Refresh Token"),
+        ),
+    ]
diff --git a/backend/apps/slack/migrations/0021_alter_googleauth_access_token_and_more.py b/backend/apps/slack/migrations/0021_alter_googleauth_access_token_and_more.py
@@ -0,0 +1,27 @@
+# Generated by Django 5.2.4 on 2025-08-13 16:01
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("slack", "0020_alter_googleauth_access_token_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="googleauth",
+            name="access_token",
+            field=models.BinaryField(null=True, verbose_name="Access Token"),
+        ),
+        migrations.AlterField(
+            model_name="googleauth",
+            name="expires_at",
+            field=models.DateTimeField(null=True, verbose_name="Token Expiry"),
+        ),
+        migrations.AlterField(
+            model_name="googleauth",
+            name="refresh_token",
+            field=models.BinaryField(null=True, verbose_name="Refresh Token"),
+        ),
+    ]
diff --git a/backend/apps/slack/migrations/0022_alter_googleauth_options_alter_googleauth_table.py b/backend/apps/slack/migrations/0022_alter_googleauth_options_alter_googleauth_table.py
@@ -0,0 +1,20 @@
+# Generated by Django 5.2.4 on 2025-08-16 12:19
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("slack", "0021_alter_googleauth_access_token_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="googleauth",
+            options={"verbose_name_plural": "Google Auths"},
+        ),
+        migrations.AlterModelTable(
+            name="googleauth",
+            table="slack_google_auths",
+        ),
+    ]
diff --git a/backend/apps/slack/migrations/0023_delete_googleauth.py b/backend/apps/slack/migrations/0023_delete_googleauth.py
@@ -0,0 +1,15 @@
+# Generated by Django 5.2.4 on 2025-08-20 18:53
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("slack", "0022_alter_googleauth_options_alter_googleauth_table"),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name="GoogleAuth",
+        ),
+    ]