feat: Use built-in FedCM API instead of Google GSI

Author: AshCorr

dotcom-rendering/src/components/GoogleOneTap.importable.tsx

@@ -1,82 +1,51 @@
-import { loadScript, log } from '@guardian/libs';
+import { log } from '@guardian/libs';
 import { useEffect } from 'react';
 import { useIsSignedIn } from '../lib/useAuthStatus';
-
-const getGSIConfiguration = (): { clientId: string; loginUri: string } => {
-	switch (window.guardian.config.stage) {
-		case 'PROD':
-			return {
-				clientId: 'PROD CLIENT ID',
-				loginUri: 'https://profile.thegulocal.com/signin/google',
-			};
-		case 'CODE':
-			return {
-				clientId: 'CODE CLIENT ID',
-				loginUri: 'https://profile.thegulocal.com/signin/google',
-			};
+import type { StageType } from '../types/config';
+
+const getFedCMProviders = (stage: StageType): IdentityProviderConfig[] => {
+	switch (stage) {
+		// case 'PROD':
+		// 	return [
+		// 		{
+		// 			configURL: 'https://accounts.google.com/gsi/fedcm.json',
+		// 			clientId: '774465807556.apps.googleusercontent.com',
+		// 		},
+		// 	];
+		// case 'CODE':
+		// 	return [
+		// 		{
+		// 			configURL: 'https://accounts.google.com/gsi/fedcm.json',
+		// 			clientId: '774465807556-pkevncqpfs9486ms0bo5q1f2g9vhpior.apps.googleusercontent.com',
+		// 		},
+		// 	];
 		default:
-			return {
-				clientId:
-					'774465807556-pkevncqpfs9486ms0bo5q1f2g9vhpior.apps.googleusercontent.com',
-				loginUri: 'https://profile.thegulocal.com/signin/google',
-			};
+			return [
+				{
+					configURL: 'https://accounts.google.com/gsi/fedcm.json',
+					clientId:
+						'774465807556-pkevncqpfs9486ms0bo5q1f2g9vhpior.apps.googleusercontent.com',
+				},
+			];
 	}
 };
 
-const initializeGoogleOneTap = () => (response: { credential: string }) => {
-	const { credential } = response;
-
-	const queryParams = new URLSearchParams();
-	queryParams.append('got', credential);
-	queryParams.append('returnUrl', window.location.href);
-
-	window.location.replace(
-		`https://profile.thegulocal.com/signin/google?${queryParams.toString()}`,
-	);
+type IdentityCredentials = {
+	token: string;
 };
 
-type PromptMomentNotification = {
-	isSkippedMoment: () => boolean;
-	isDismissedMoment: () => boolean;
-	getDismissedReason: () =>
-		| 'credential_returned'
-		| 'cancel_called'
-		| 'flow_restarted';
-	getMomentType: () => 'display' | 'skipped' | 'dismissed';
+type IdentityProviderConfig = {
+	configURL: string;
+	clientId: string;
 };
 
-export type GoogleIdentityService = {
-	initialize: (config: {
-		client_id: string;
-		login_uri: string;
-		callback: (response: { credential: string }) => void;
-		auto_select?: boolean;
-		cancel_on_tap_outside?: boolean;
-		use_fedcm_for_prompt?: boolean;
-	}) => void;
-	prompt: (
-		callback: (momentNotification: PromptMomentNotification) => void,
-	) => void;
-};
-
-const loadGSI = async (): Promise<GoogleIdentityService> => {
-	log('identity', 'Loading Google Sign-in Services (GSI)');
-	// TODO: Can we invoke the built-in FedCM API instead of using GSI?
-	// This would reduce our dpenedency on a third-party library and all of the privacy
-	// implications that come with it. It would also save loading ~80KB of JS.
-	await loadScript('https://accounts.google.com/gsi/client').catch((e) => {
-		throw new Error(
-			`Failed to initialize Google One Tap: failed to load GSI`,
-			{ cause: e },
-		);
-	});
-
-	if (!window.google?.accounts?.id) {
-		throw new Error('Failed to initialize Google One Tap: GSI not found');
-	}
-
-	log('identity', 'Loaded Google Sign-in Services (GSI)');
-	return window.google.accounts.id;
+type CredentialsProvider = {
+	get: (options: {
+		identity: {
+			context: 'signin';
+			providers: IdentityProviderConfig[];
+		};
+	}) => Promise<IdentityCredentials>;
 };
 
 export const GoogleOneTap = () => {
@@ -98,34 +67,44 @@ export const GoogleOneTap = () => {
 			return;
 		}
 
-		const { clientId, loginUri } = getGSIConfiguration();
-
-		void loadGSI().then((gsi) => {
-			log('identity', 'Initializing Google One Tap', {
-				clientId,
-				loginUri,
-			});
-
-			gsi.initialize({
-				client_id: clientId,
-				login_uri: loginUri,
-				callback: initializeGoogleOneTap,
-				auto_select: true,
-				cancel_on_tap_outside: false,
-				use_fedcm_for_prompt: true,
-			});
-
-			log('identity', 'Requesting Google One Tap prompt');
-			gsi.prompt((notifcation) => {
-				// TODO: Handle tracking of the prompt moment notification. Ophan?
-				log('identity', 'Google One Tap prompt notification received', {
-					isSkippedMoment: notifcation.isSkippedMoment(),
-					isDismissedMoment: notifcation.isDismissedMoment(),
-					dismissedReason: notifcation.getDismissedReason(),
-					momentType: notifcation.getMomentType(),
-				});
+		const credentialsProvider = window.navigator
+			.credentials as unknown as CredentialsProvider;
+
+		void credentialsProvider
+			.get({
+				identity: {
+					context: 'signin',
+					providers: getFedCMProviders(window.guardian.config.stage),
+				},
+			})
+			.catch((error) => {
+				/**
+				 * The fedcm API hides issues with the user's federated login state
+				 * behind a generic NetworkError. This error is thrown up to 60
+				 * seconds after the prompt is triggered to avoid timing attacks.
+				 *
+				 * This allows the browser to avoid leaking sensitive information
+				 * about the user's login state to the website.
+				 *
+				 * Unfortunately for us it means we can't differentiate between
+				 * a genuine network error and a user declining the FedCM prompt.
+				 */
+				if (error instanceof Error && error.name === 'NetworkError') {
+					log(
+						'identity',
+						'FedCM prompt failed, potentially due to user declining',
+					);
+				}
+			})
+			.then((credentials) => {
+				if (credentials) {
+					log('identity', 'FedCM credentials received', {
+						credentials,
+					});
+				} else {
+					log('identity', 'No FedCM credentials received');
+				}
 			});
-		});
 	}, [isSignedIn]);
 
 	return <></>;

dotcom-rendering/window.guardian.ts

@@ -7,7 +7,6 @@ import type {
 } from '@guardian/libs';
 import type ophan from '@guardian/ophan-tracker-js';
 import type { WeeklyArticleHistory } from '@guardian/support-dotcom-components/dist/dotcom/types';
-import type { GoogleIdentityService } from './src/components/GoogleOneTap.importable';
 import type { google } from './src/components/YoutubeAtom/ima';
 import type { DailyArticleHistory } from './src/lib/dailyArticleCount';
 import type { ReaderRevenueDevUtils } from './src/lib/readerRevenueDevUtils';
@@ -68,11 +67,7 @@ declare global {
 			) => boolean;
 		};
 		mockLiveUpdate: (data: LiveUpdateType) => void;
-		google?: typeof google & {
-			accounts?: {
-				id?: GoogleIdentityService;
-			};
-		};
+		google?: typeof google;
 		YT?: typeof YT;
 		onYouTubeIframeAPIReady?: () => void;
 	}