treewide: add Google OAuth login and 401 redirect

- Add Google OAuth authentication using arctic library
- Redirect to /signin on 401 API responses
- Update signin page to use Google button

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: aster-void

.env.sample

@@ -6,3 +6,6 @@ PUBLIC_API_BASE_URL=http://localhost:3000
 DATABASE_URL=postgres://localhost:5432/prism
 # JWT
 JWT_SECRET=your-secret-key
+# Google OAuth
+GOOGLE_CLIENT_ID=your-google-client-id
+GOOGLE_CLIENT_SECRET=your-google-client-secret

apps/api-client/src/index.ts

@@ -11,15 +11,21 @@ export type * from "./types.ts";
 
 export interface ApiConfig {
   baseUrl: string;
-  fetch?: typeof fetch;
+  onUnauthorized?: () => void;
 }
 
 /**
  * Creates an API client instance using Eden Treaty.
  * The client provides type-safe access to all API endpoints.
  */
 export function createApiClient(config: ApiConfig) {
-  return treaty<App>(config.baseUrl);
+  return treaty<App>(config.baseUrl, {
+    onResponse: (response) => {
+      if (response.status === 401 && config.onUnauthorized) {
+        config.onUnauthorized();
+      }
+    },
+  });
 }
 
 export type ApiClient = ReturnType<typeof createApiClient>;

apps/desktop/src/components/channels/ChannelList.svelte

@@ -25,7 +25,7 @@
     return unwrapResponse(response);
   });
 
-  const unreadManager = new UnreadManager(api, organizationId);
+  const unreadManager = $derived(new UnreadManager(api, organizationId));
   let showUserSearch = $state(false);
 
   onMount(() => {

apps/desktop/src/lib/api.svelte.ts

@@ -8,6 +8,7 @@ import {
   getTask,
   getVote,
 } from "@apps/api-client";
+import { goto } from "$app/navigation";
 
 // Re-export helper functions
 export { getChannel, getFile, getMessage, getOrganization, getTask, getVote };
@@ -30,7 +31,10 @@ export function setupApi(baseUrl?: string) {
       "API base URL is required. Provide baseUrl or set PUBLIC_API_BASE_URL environment variable",
     );
   }
-  apiClient = createApiClient({ baseUrl: url });
+  apiClient = createApiClient({
+    baseUrl: url,
+    onUnauthorized: () => goto("/signin", { replaceState: true }),
+  });
   return apiClient;
 }
 

apps/desktop/src/routes/signin/+page.svelte

@@ -1,65 +1,33 @@
 <script lang="ts">
   import { useAuth } from "@/lib/auth.svelte.ts";
   import { goto } from "$app/navigation";
+  import GoogleButton from "./GoogleButton.svelte";
 
   const auth = useAuth();
   const isAuthenticated = $derived(auth.isAuthenticated);
   const isLoading = $derived(auth.isLoading);
 
-  let email = $state("");
-  let submitting = $state(false);
-
   $effect(() => {
     if (isAuthenticated) {
       goto("/", { replaceState: true });
     }
   });
 
-  async function handleSubmit(event: Event) {
-    event.preventDefault();
-    submitting = true;
-    try {
-      await auth.signIn(email);
-      goto("/", { replaceState: true });
-    } catch {
-      alert("Sign in failed");
-    } finally {
-      submitting = false;
-    }
+  function handleGoogleSignIn() {
+    const apiUrl = import.meta.env.PUBLIC_API_BASE_URL;
+    window.location.href = `${apiUrl}/auth/google/authorize`;
   }
 </script>
 
 <div class="hero bg-base-200 min-h-screen">
   <div class="card bg-base-100 w-full max-w-sm shrink-0 shadow-2xl">
-    <form class="card-body" onsubmit={handleSubmit}>
+    <div class="card-body">
       <h1 class="text-2xl font-bold">Sign In to Prism</h1>
-
-      <div class="form-control">
-        <label class="label" for="email">
-          <span class="label-text">Email</span>
-        </label>
-        <input
-          id="email"
-          type="email"
-          placeholder="[email protected]"
-          class="input input-bordered"
-          bind:value={email}
-          required
-        />
-      </div>
-
-      <div class="form-control mt-6">
-        <button
-          type="submit"
-          class="btn btn-primary"
-          disabled={isLoading || submitting}
-        >
-          {#if isLoading || submitting}
-            <span class="loading loading-spinner"></span>
-          {/if}
-          Sign In
-        </button>
-      </div>
-    </form>
+      {#if isLoading}
+        <span class="loading loading-spinner mx-auto"></span>
+      {:else}
+        <GoogleButton onclick={handleGoogleSignIn} />
+      {/if}
+    </div>
   </div>
 </div>

apps/server/package.json

@@ -15,6 +15,7 @@
     "@elysiajs/cors": "^1.4.0",
     "@elysiajs/jwt": "^1.4.0",
     "@sinclair/typebox": "^0.34.41",
+    "arctic": "^3.7.0",
     "drizzle-orm": "^0.45.0",
     "elysia": "^1.4.18",
     "postgres": "^3.4.7",

apps/server/src/domains/auth/google.ts

@@ -0,0 +1,148 @@
+import {
+  decodeIdToken,
+  Google,
+  generateCodeVerifier,
+  generateState,
+} from "arctic";
+import { and, eq } from "drizzle-orm";
+import { Elysia, t } from "elysia";
+import { db } from "../../db/index.ts";
+import { accounts, users } from "../../db/schema.ts";
+import { env } from "../../env.ts";
+import { authMiddleware } from "../../middleware/auth.ts";
+
+const google = new Google(
+  env.GOOGLE_CLIENT_ID,
+  env.GOOGLE_CLIENT_SECRET,
+  `${env.CORS_ORIGIN}/auth/google/callback`,
+);
+
+export const googleAuthRoutes = new Elysia({ prefix: "/auth/google" })
+  .use(authMiddleware)
+  .get("/authorize", async ({ cookie, redirect }) => {
+    const state = generateState();
+    const codeVerifier = generateCodeVerifier();
+    const url = google.createAuthorizationURL(state, codeVerifier, [
+      "openid",
+      "email",
+      "profile",
+    ]);
+
+    cookie.google_oauth_state?.set({
+      value: state,
+      httpOnly: true,
+      maxAge: 60 * 10,
+      path: "/",
+    });
+    cookie.google_code_verifier?.set({
+      value: codeVerifier,
+      httpOnly: true,
+      maxAge: 60 * 10,
+      path: "/",
+    });
+
+    return redirect(url.toString());
+  })
+  .get(
+    "/callback",
+    async ({ query, cookie, jwt, redirect }) => {
+      const { code, state } = query;
+      const storedState = cookie.google_oauth_state?.value;
+      const codeVerifier = cookie.google_code_verifier?.value;
+
+      if (state !== storedState || typeof codeVerifier !== "string") {
+        return redirect(`${env.CORS_ORIGIN}/signin?error=invalid_state`);
+      }
+
+      const tokens = await google.validateAuthorizationCode(code, codeVerifier);
+      const idToken = tokens.idToken();
+      const claims = decodeIdToken(idToken) as {
+        sub: string;
+        email: string;
+        name?: string;
+        picture?: string;
+      };
+
+      // Find existing account
+      const [existingAccount] = await db
+        .select()
+        .from(accounts)
+        .where(
+          and(
+            eq(accounts.provider, "google"),
+            eq(accounts.providerAccountId, claims.sub),
+          ),
+        );
+
+      let user: typeof users.$inferSelect | undefined;
+      if (existingAccount) {
+        [user] = await db
+          .select()
+          .from(users)
+          .where(eq(users.id, existingAccount.userId));
+      } else {
+        // Check if user with email exists
+        [user] = await db
+          .select()
+          .from(users)
+          .where(eq(users.email, claims.email));
+
+        if (!user) {
+          [user] = await db
+            .insert(users)
+            .values({
+              email: claims.email,
+              name: claims.name ?? claims.email.split("@")[0],
+              image: claims.picture,
+              emailVerified: new Date(),
+            })
+            .returning();
+        }
+
+        if (!user) {
+          return redirect(
+            `${env.CORS_ORIGIN}/signin?error=user_creation_failed`,
+          );
+        }
+
+        // Link account
+        await db.insert(accounts).values({
+          userId: user.id,
+          type: "oauth",
+          provider: "google",
+          providerAccountId: claims.sub,
+          accessToken: tokens.accessToken(),
+          idToken: idToken,
+        });
+      }
+
+      if (!user) {
+        return redirect(`${env.CORS_ORIGIN}/signin?error=user_not_found`);
+      }
+
+      const token = await jwt.sign({
+        id: user.id,
+        email: user.email,
+        name: user.name,
+      });
+
+      cookie.token?.set({
+        value: token,
+        httpOnly: true,
+        maxAge: 7 * 24 * 60 * 60,
+        path: "/",
+      });
+
+      // Clear OAuth cookies
+      cookie.google_oauth_state?.set({ value: "", maxAge: 0, path: "/" });
+      cookie.google_code_verifier?.set({ value: "", maxAge: 0, path: "/" });
+
+      return redirect(env.CORS_ORIGIN);
+    },
+    {
+      query: t.Object({
+        code: t.String(),
+        state: t.String(),
+      }),
+    },
+  );

apps/server/src/env.ts

@@ -5,6 +5,8 @@ const envSchema = v.object({
   JWT_SECRET: v.pipe(v.string(), v.minLength(1)),
   CORS_ORIGIN: v.pipe(v.string(), v.url()),
   PORT: v.optional(v.pipe(v.string(), v.transform(Number)), "3000"),
+  GOOGLE_CLIENT_ID: v.pipe(v.string(), v.minLength(1)),
+  GOOGLE_CLIENT_SECRET: v.pipe(v.string(), v.minLength(1)),
 });
 
 const result = v.safeParse(envSchema, process.env);

apps/server/src/index.ts

@@ -1,5 +1,6 @@
 import { cors } from "@elysiajs/cors";
 import { Elysia } from "elysia";
+import { googleAuthRoutes } from "./domains/auth/google.ts";
 import { authRoutes } from "./domains/auth/routes.ts";
 import { channelRoutes } from "./domains/channels/routes.ts";
 import { dmRoutes } from "./domains/dms/routes.ts";
@@ -19,6 +20,7 @@ const app = new Elysia()
   .get("/", () => ({ message: "Prism API Server" }))
   .get("/health", () => ({ status: "ok", timestamp: Date.now() }))
   .use(authRoutes)
+  .use(googleAuthRoutes)
   .use(organizationRoutes)
   .use(channelRoutes)
   .use(dmRoutes)

bun.lock

@@ -77,6 +77,7 @@
         "@elysiajs/cors": "^1.4.0",
         "@elysiajs/jwt": "^1.4.0",
         "@sinclair/typebox": "^0.34.41",
+        "arctic": "^3.7.0",
         "drizzle-orm": "^0.45.0",
         "elysia": "^1.4.18",
         "postgres": "^3.4.7",
@@ -326,6 +327,16 @@
 
     "@marijn/find-cluster-break": ["@marijn/[email protected]", "", {}, "sha512-l0h88YhZFyKdXIFNfSWpyjStDjGHwZ/U7iobcK1cQQD8sejsONdQtTVU+1wVN1PBw40PiiHB1vA5S7VTfQiP9g=="],
 
+    "@oslojs/asn1": ["@oslojs/[email protected]", "", { "dependencies": { "@oslojs/binary": "1.0.0" } }, "sha512-zw/wn0sj0j0QKbIXfIlnEcTviaCzYOY3V5rAyjR6YtOByFtJiT574+8p9Wlach0lZH9fddD4yb9laEAIl4vXQA=="],
+
+    "@oslojs/binary": ["@oslojs/[email protected]", "", {}, "sha512-9RCU6OwXU6p67H4NODbuxv2S3eenuQ4/WFLrsq+K/k682xrznH5EVWA7N4VFk9VYVcbFtKqur5YQQZc0ySGhsQ=="],
+
+    "@oslojs/crypto": ["@oslojs/[email protected]", "", { "dependencies": { "@oslojs/asn1": "1.0.0", "@oslojs/binary": "1.0.0" } }, "sha512-7n08G8nWjAr/Yu3vu9zzrd0L9XnrJfpMioQcvCMxBIiF5orECHe5/3J0jmXRVvgfqMm/+4oxlQ+Sq39COYLcNQ=="],
+
+    "@oslojs/encoding": ["@oslojs/[email protected]", "", {}, "sha512-70wQhgYmndg4GCPxPPxPGevRKqTIJ2Nh4OkiMWmDAVYsTQ+Ta7Sq+rPevXyXGdzr30/qZBnyOalCszoMxlyldQ=="],
+
+    "@oslojs/jwt": ["@oslojs/[email protected]", "", { "dependencies": { "@oslojs/encoding": "0.4.1" } }, "sha512-bLE7BtHrURedCn4Mco3ma9L4Y1GR2SMBuIvjWr7rmQ4/W/4Jy70TIAgZ+0nIlk0xHz1vNP8x8DCns45Sb2XRbg=="],
+
     "@panva/hkdf": ["@panva/[email protected]", "", {}, "sha512-6oclG6Y3PiDFcoyk8srjLfVKyMfVCKJ27JwNPViuXziFpmdz+MZnZN/aKY0JGXgYuO/VghU0jcOAZgWXZ1Dmrw=="],
 
     "@pinojs/redact": ["@pinojs/[email protected]", "", {}, "sha512-k2ENnmBugE/rzQfEcdWHcCY+/FM3VLzH9cYEsbdsoqrvzAKRhUZeRNhAZvB8OitQJ1TBed3yqWtdjzS6wJKBwg=="],
@@ -486,6 +497,8 @@
 
     "ansi-styles": ["[email protected]", "", { "dependencies": { "color-convert": "^2.0.1" } }, "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg=="],
 
+    "arctic": ["[email protected]", "", { "dependencies": { "@oslojs/crypto": "1.0.1", "@oslojs/encoding": "1.1.0", "@oslojs/jwt": "0.2.0" } }, "sha512-ZMQ+f6VazDgUJOd+qNV+H7GohNSYal1mVjm5kEaZfE2Ifb7Ss70w+Q7xpJC87qZDkMZIXYf0pTIYZA0OPasSbw=="],
+
     "argparse": ["[email protected]", "", {}, "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q=="],
 
     "aria-query": ["[email protected]", "", {}, "sha512-COROpnaoap1E2F000S62r6A60uHZnmlvomhfyT2DlTcrY1OrBKn2UhH7qn5wTC9zMvD0AY7csdPSNwKP+7WiQw=="],
@@ -944,6 +957,8 @@
 
     "@eslint-community/eslint-utils/eslint-visitor-keys": ["[email protected]", "", {}, "sha512-wpc+LXeiyiisxPlEkUzU6svyS1frIO3Mgxj1fdy7Pm8Ygzguax2N3Fa/D/ag1WqbOprdI+uY6wMUl8/a2G+iag=="],
 
+    "@oslojs/jwt/@oslojs/encoding": ["@oslojs/[email protected]", "", {}, "sha512-hkjo6MuIK/kQR5CrGNdAPZhS01ZCXuWDRJ187zh6qqF2+yMHZpD9fAYpX8q2bOO6Ryhl3XpCT6kUX76N8hhm4Q=="],
+
     "@poppinss/dumper/supports-color": ["[email protected]", "", {}, "sha512-SS+jx45GF1QjgEXQx4NJZV9ImqmO2NPz5FNsIHrsDjh2YsHnawpan7SNQ1o8NuhrbHZy9AZhIoCUiCeaW/C80g=="],
 
     "@tailwindcss/oxide-wasm32-wasi/@emnapi/core": ["@emnapi/[email protected]", "", { "dependencies": { "@emnapi/wasi-threads": "1.1.0", "tslib": "^2.4.0" }, "bundled": true }, "sha512-o1uhUASyo921r2XtHYOHy7gdkGLge8ghBEQHMWmyJFoXlpU58kIrhhN3w26lpQb6dspetweapMn2CSNwQ8I4wg=="],