user: Implement backend part of google accoutn linking

stadust · stadust · commit 1e175b314b8e · 2025-03-09T19:42:41.000Z
When reaching the /oauth/google endpoint fully authenticated, and the
provided google credentials are valid, link the authenticated
pointercrate account with the google account. Only do so it the google
account is not already linked to another pointercrate account, and if
the pointercrate account is not already linked to a google account (e.g.
re-linking from one google account to a different one is not possible
right now).

Signed-off-by: stadust &lt;43299462+stadust@users.noreply.github.com&gt;
diff --git a/pointercrate-user-api/src/pages.rs b/pointercrate-user-api/src/pages.rs
@@ -117,8 +117,8 @@ pub async fn logout(_auth: Auth<NonMutating>, cookies: &CookieJar<'_>) -> Redire
 #[cfg(feature = "oauth2")]
 #[rocket::post("/oauth/google", data = "<payload>")]
 pub async fn google_oauth_login(
-    payload: Json<GoogleOauthPayload>, key_store: &State<GoogleCertificateStore>, pool: &State<PointercratePool>,
-    cookies: &rocket::http::CookieJar<'_>,
+    payload: Json<GoogleOauthPayload>, auth: Option<Auth<PasswordOrBrowser>>, key_store: &State<GoogleCertificateStore>,
+    pool: &State<PointercratePool>, cookies: &rocket::http::CookieJar<'_>,
 ) -> pointercrate_core_api::error::Result<Status> {
     if key_store.needs_refresh().await {
         key_store
@@ -132,7 +132,25 @@ pub async fn google_oauth_login(
         .await
         .ok_or(CoreError::Unauthorized)?;
 
-    let authenticated_user = AuthenticatedUser::by_validated_google_creds(&validated_credentials, &mut *pool.connection().await?).await?;
+    let maybe_linked_user = AuthenticatedUser::by_validated_google_creds(&validated_credentials, &mut *pool.connection().await?).await;
+
+    let authenticated_user = match auth {
+        None => maybe_linked_user?,
+        Some(mut signed_in_user) => {
+            // Unauthorized = No linked account found. But in the flow that is supposed to establish the link,
+            // that is exactly what we need.
+            if !matches!(maybe_linked_user, Err(UserError::Core(CoreError::Unauthorized))) {
+                return Err(CoreError::Unauthorized.into());
+            }
+
+            signed_in_user
+                .user
+                .link_google_account(&validated_credentials, &mut signed_in_user.connection)
+                .await?;
+            signed_in_user.connection.commit().await.map_err(UserError::from)?;
+            signed_in_user.user
+        },
+    };
 
     build_cookies(&authenticated_user, cookies)?;
 
diff --git a/pointercrate-user-pages/static/js/account/profile.js b/pointercrate-user-pages/static/js/account/profile.js
@@ -155,8 +155,21 @@ function setupInvalidateToken() {
   });
 }
 
+function googleOauthCallback (response) { 
+  let error = document.getElementById("g-signin-error");
+
+  post("/api/v1/auth/oauth/google", {}, response) 
+      .then(() => window.location.reload())
+      .catch(response => {
+        error.innerText = response.data.message;
+        error.style.display = "block";
+      });
+}
+
 export function initialize() {
   setupGetAccessToken();
   setupEditAccount();
   setupInvalidateToken();
+
+  window.googleOauthCallback = googleOauthCallback;
 }
diff --git a/pointercrate-user/src/auth/oauth/mod.rs b/pointercrate-user/src/auth/oauth/mod.rs
@@ -1,6 +1,8 @@
 #[cfg(feature = "oauth2")]
 mod get;
 #[cfg(feature = "oauth2")]
+mod patch;
+#[cfg(feature = "oauth2")]
 mod post;
 
 #[cfg(feature = "oauth2")]
diff --git a/pointercrate-user/src/auth/oauth/patch.rs b/pointercrate-user/src/auth/oauth/patch.rs
@@ -3,7 +3,7 @@ use sqlx::PgConnection;
 use crate::auth::legacy::LegacyAuthenticatedUser;
 use crate::Result;
 
-use super::{ValidatedGoogleCredentials};
+use super::ValidatedGoogleCredentials;
 
 impl LegacyAuthenticatedUser {
     pub async fn set_linked_google_account(&mut self, creds: &ValidatedGoogleCredentials, connection: &mut PgConnection) -> Result<()> {
@@ -17,4 +17,4 @@ impl LegacyAuthenticatedUser {
 
         Ok(())
     }
-}
+}
diff --git a/pointercrate-user/src/auth/patch.rs b/pointercrate-user/src/auth/patch.rs
@@ -86,6 +86,18 @@ impl AuthenticatedUser<PasswordOrBrowser> {
 
         Ok(())
     }
+
+    #[cfg(feature = "oauth2")]
+    pub async fn link_google_account(
+        &mut self, creds: &super::oauth::ValidatedGoogleCredentials, connection: &mut PgConnection,
+    ) -> Result<()> {
+        match &mut self.auth_type {
+            AuthenticationType::Legacy(legacy) => legacy.set_linked_google_account(creds, connection).await?,
+            _ => return Err(CoreError::Unauthorized.into()),
+        }
+
+        self.increment_generation_id(connection).await
+    }
 }
 
 #[cfg(test)]
