rsb-auth-google 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d5eaff5c93953718ff6ae83895766a9176dee666d784319f2a885f697d0b7013
+  data.tar.gz: ddae43ce7cea9750da866de8cb82cdfeb53926d1dff741b9efd4662df44b560a
+SHA512:
+  metadata.gz: fb2815abd4cbafb695b8cb5388d0fe3a86f943a42cd0c0ad100a636aaf9aafc0c6eaa1930c7470ada93265d51f5b2b45f2c92449c837e14304dc12fd06d2aaaa
+  data.tar.gz: df33e7ba3d7202fe718f07167f14c06a643c77a703213e155d0c4d218f68dd164c7c5c2a43e9cfdde26ba0da89eb5609b4ec66c3f9a96afef73cb5a75b51231d

data/Rakefile

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'fileutils'
+require 'rake/testtask'
+
+task :prepare_test_db do
+  ENV['RAILS_ENV'] = 'test'
+  db = File.expand_path('test/dummy/db/test.sqlite3', __dir__)
+  FileUtils.rm_f(db)
+  require_relative 'test/dummy/config/environment'
+  ActiveRecord::Migration.verbose = false
+  ActiveRecord::MigrationContext.new(Rails.application.paths['db/migrate'].to_a).migrate
+  schema = File.expand_path('test/dummy/db/schema.rb', __dir__)
+  File.open(schema, 'w') { |f| ActiveRecord::SchemaDumper.dump(ActiveRecord::Base.connection_pool, f) }
+end
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task test: :prepare_test_db
+task default: :test

data/app/controllers/rsb/auth/google/oauth_controller.rb

@@ -0,0 +1,208 @@
+# frozen_string_literal: true
+
+module RSB
+  module Auth
+    module Google
+      # Handles Google OAuth redirect and callback.
+      # Mounted at /auth/oauth/google (configured in routes).
+      #
+      # Actions:
+      #   GET /  (redirect) -- Generates state/nonce, redirects to Google consent screen
+      #   GET /callback     -- Validates state, exchanges code, creates/links credential
+      class OauthController < RSB::Auth::ApplicationController
+        GOOGLE_AUTH_URL = 'https://accounts.google.com/o/oauth2/v2/auth'
+
+        include RSB::Auth::RateLimitable
+
+        skip_before_action :verify_authenticity_token, only: :callback
+        before_action -> { throttle!(key: 'google_oauth_redirect', limit: 30, period: 60) }, only: :redirect
+        before_action -> { throttle!(key: 'google_oauth_callback', limit: 20, period: 60) }, only: :callback
+
+        # Initiates the Google OAuth flow.
+        # Generates CSRF state + nonce, stores in session, and redirects
+        # the user to Google's OAuth consent screen.
+        #
+        # @route GET /auth/oauth/google
+        def redirect
+          unless google_enabled?
+            redirect_to main_app_login_path, alert: 'This sign-in method is not available.'
+            return
+          end
+
+          unless google_configured?
+            Rails.logger.error { "#{LOG_TAG} Google OAuth not configured: missing client_id or client_secret" }
+            redirect_to main_app_login_path, alert: 'Google authentication is not configured.'
+            return
+          end
+
+          mode = params[:mode].presence || 'login'
+          if mode == 'link' && !current_identity
+            redirect_to rsb_auth.new_session_path
+            return
+          end
+
+          state = SecureRandom.urlsafe_base64(32)
+          nonce = SecureRandom.urlsafe_base64(32)
+          session[:google_oauth_state] = state
+          session[:google_oauth_nonce] = nonce
+          session[:google_oauth_mode] = mode
+
+          Rails.logger.info { "#{LOG_TAG} Initiating Google OAuth for mode=#{mode}" }
+
+          auth_params = {
+            client_id: RSB::Settings.get('auth.credentials.google.client_id'),
+            redirect_uri: google_callback_url,
+            response_type: 'code',
+            scope: 'openid email',
+            state: state,
+            nonce: nonce
+          }
+
+          login_hint = sanitize_login_hint(params[:login_hint])
+          auth_params[:login_hint] = login_hint if login_hint.present?
+
+          redirect_to "#{GOOGLE_AUTH_URL}?#{auth_params.to_query}", allow_other_host: true
+        end
+
+        # Processes the Google OAuth callback.
+        # Validates state, exchanges authorization code for tokens,
+        # verifies id_token, and delegates to CallbackService.
+        #
+        # @route GET /auth/oauth/google/callback
+        def callback
+          unless google_enabled?
+            clear_oauth_session
+            redirect_to main_app_login_path, alert: 'This sign-in method is not available.'
+            return
+          end
+
+          if params[:error] == 'access_denied'
+            clear_oauth_session
+            redirect_to main_app_login_path, alert: 'Google authentication was cancelled.'
+            return
+          end
+
+          Rails.logger.info { "#{LOG_TAG} Google OAuth callback received" }
+
+          unless valid_state?
+            Rails.logger.warn { "#{LOG_TAG} Google OAuth state mismatch (possible CSRF)" }
+            clear_oauth_session
+            redirect_to main_app_login_path, alert: 'Authentication failed. Please try again.'
+            return
+          end
+
+          oauth_result = OauthService.new.exchange_and_verify(
+            code: params[:code],
+            redirect_uri: google_callback_url,
+            nonce: session[:google_oauth_nonce]
+          )
+
+          unless oauth_result.success?
+            clear_oauth_session
+            redirect_to main_app_login_path, alert: 'Authentication failed. Please try again.'
+            return
+          end
+
+          mode = session[:google_oauth_mode] || 'login'
+          callback_result = CallbackService.new.call(
+            email: oauth_result.email,
+            google_uid: oauth_result.google_uid,
+            mode: mode,
+            current_identity: current_identity
+          )
+
+          clear_oauth_session
+
+          if callback_result.success?
+            handle_success(callback_result, mode)
+          else
+            handle_failure(callback_result, mode)
+          end
+        end
+
+        private
+
+        def google_enabled?
+          RSB::Auth.credentials.enabled?(:google)
+        rescue StandardError
+          false
+        end
+
+        def google_configured?
+          client_id = RSB::Settings.get('auth.credentials.google.client_id')
+          client_secret = RSB::Settings.get('auth.credentials.google.client_secret')
+          client_id.present? && client_secret.present?
+        end
+
+        def valid_state?
+          params[:state].present? &&
+            session[:google_oauth_state].present? &&
+            ActiveSupport::SecurityUtils.secure_compare(
+              params[:state].to_s,
+              session[:google_oauth_state].to_s
+            )
+        end
+
+        def handle_success(result, _mode)
+          case result.action
+          when :linked, :already_linked
+            flash_msg = result.action == :linked ? 'Google account linked successfully.' : 'Google account is already linked.'
+            redirect_to rsb_auth.account_path, notice: flash_msg
+          else # :logged_in, :registered
+            create_auth_session(result.identity)
+            if result.identity.complete?
+              redirect_to main_app.root_path, notice: 'Signed in.'
+            else
+              redirect_to rsb_auth.account_path, alert: 'Please complete your profile.'
+            end
+          end
+        end
+
+        def handle_failure(result, mode)
+          redirect_path = mode == 'link' ? rsb_auth.account_path : main_app_login_path
+          redirect_to redirect_path, alert: result.error
+        end
+
+        def create_auth_session(identity)
+          session_record = RSB::Auth::SessionService.new.create(
+            identity: identity,
+            ip_address: request.remote_ip,
+            user_agent: request.user_agent
+          )
+          cookies.signed[:rsb_session_token] = {
+            value: session_record.token,
+            httponly: true,
+            same_site: :lax,
+            secure: Rails.env.production?
+          }
+        end
+
+        def clear_oauth_session
+          session.delete(:google_oauth_state)
+          session.delete(:google_oauth_nonce)
+          session.delete(:google_oauth_mode)
+        end
+
+        def sanitize_login_hint(hint)
+          return nil if hint.blank?
+
+          hint.strip.truncate(255, omission: '')
+        end
+
+        def google_callback_url
+          url_for(action: :callback, only_path: false)
+        end
+
+        def main_app_login_path
+          rsb_auth.new_session_path
+        rescue StandardError
+          '/auth/session/new'
+        end
+
+        def rsb_auth
+          RSB::Auth::Engine.routes.url_helpers
+        end
+      end
+    end
+  end
+end

data/app/models/rsb/auth/google/credential.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module RSB
+  module Auth
+    module Google
+      class Credential < RSB::Auth::Credential
+        PLACEHOLDER_DIGEST = '$2a$04$placeholder.digest.for.google.oauth.credentials.only'
+
+        before_validation :set_placeholder_digest, if: -> { password_digest.blank? }
+
+        validates :identifier, format: { with: URI::MailTo::EMAIL_REGEXP }
+        validates :provider_uid, presence: true
+        validates :provider_uid, uniqueness: { scope: :type, conditions: -> { where(revoked_at: nil) } }
+
+        def authenticate(_password)
+          false
+        end
+
+        def google_email
+          identifier
+        end
+
+        private
+
+        def password_required?
+          false
+        end
+
+        def set_placeholder_digest
+          self.password_digest = PLACEHOLDER_DIGEST
+        end
+      end
+    end
+  end
+end

data/app/services/rsb/auth/google/callback_service.rb

@@ -0,0 +1,216 @@
+# frozen_string_literal: true
+
+module RSB
+  module Auth
+    module Google
+      # Processes verified Google claims into a credential/identity.
+      # Handles three modes: login (find or register), signup (register),
+      # and link (add to existing identity).
+      #
+      # @example
+      #   service = RSB::Auth::Google::CallbackService.new
+      #   result = service.call(
+      #     email: 'user@gmail.com',
+      #     google_uid: '118234567890',
+      #     mode: 'login',
+      #     current_identity: nil
+      #   )
+      class CallbackService
+        Result = Data.define(:success?, :identity, :credential, :error, :action)
+
+        # Processes the Google OAuth callback.
+        #
+        # @param email [String] verified Google email
+        # @param google_uid [String] Google user ID (sub claim)
+        # @param mode [String] "login", "signup", or "link"
+        # @param current_identity [RSB::Auth::Identity, nil] current identity for link mode
+        # @return [CallbackService::Result]
+        def call(email:, google_uid:, mode:, current_identity: nil)
+          case mode.to_s
+          when 'link'
+            handle_link(email: email, google_uid: google_uid, current_identity: current_identity)
+          when 'signup'
+            handle_signup(email: email, google_uid: google_uid)
+          else # 'login' or default
+            handle_login(email: email, google_uid: google_uid)
+          end
+        end
+
+        private
+
+        # --- LOGIN MODE ---
+
+        def handle_login(email:, google_uid:)
+          # Step 1: Look up by provider_uid (primary lookup)
+          credential = find_active_credential_by_uid(google_uid)
+          if credential
+            update_email_if_changed(credential, email)
+            return success(identity: credential.identity, credential: credential, action: :logged_in)
+          end
+
+          # Step 2: Look up by email among active Google credentials
+          credential = find_active_credential_by_email(email)
+          if credential
+            return success(identity: credential.identity, credential: credential, action: :logged_in)
+          end
+
+          # Step 3: Auto-merge or auto-register
+          handle_no_credential(email: email, google_uid: google_uid)
+        end
+
+        # --- SIGNUP MODE ---
+
+        def handle_signup(email:, google_uid:)
+          # If existing credential found, treat as login
+          credential = find_active_credential_by_uid(google_uid) || find_active_credential_by_email(email)
+          if credential
+            update_email_if_changed(credential, email) if credential.provider_uid == google_uid
+            return success(identity: credential.identity, credential: credential, action: :logged_in)
+          end
+
+          # Check registration is allowed
+          unless registration_allowed?
+            return failure('Registration is currently disabled.')
+          end
+
+          # Check for email conflict -> auto-merge or error
+          handle_no_credential(email: email, google_uid: google_uid)
+        end
+
+        # --- LINK MODE ---
+
+        def handle_link(email:, google_uid:, current_identity:)
+          unless current_identity
+            return failure('Not authenticated. Please log in first.')
+          end
+
+          # Check if this Google account is already linked
+          existing = find_active_credential_by_uid(google_uid)
+          if existing
+            return success(identity: current_identity, credential: existing, action: :already_linked) if existing.identity_id == current_identity.id
+
+            return failure('This Google account is already linked to another account.')
+
+          end
+
+          # Check if email is linked to different identity via Google credential
+          email_match = find_active_credential_by_email(email)
+          if email_match && email_match.identity_id != current_identity.id
+            return failure('This Google account is already linked to another account.')
+          end
+
+          # Create Google credential on current identity
+          credential = create_google_credential(
+            identity: current_identity,
+            email: email,
+            google_uid: google_uid
+          )
+
+          Rails.logger.info { "#{LOG_TAG} Linked Google credential to identity id=#{current_identity.id}" }
+          success(identity: current_identity, credential: credential, action: :linked)
+        end
+
+        # --- SHARED LOGIC ---
+
+        def handle_no_credential(email:, google_uid:)
+          # Look for any active credential (any type) with the same email
+          email_credential = RSB::Auth::Credential.active.find_by(identifier: email)
+
+          if email_credential
+            # Email exists on another identity
+            return handle_email_conflict(
+              email: email,
+              google_uid: google_uid,
+              existing_identity: email_credential.identity
+            )
+          end
+
+          # No email match -- register new identity (if allowed)
+          register_new_identity(email: email, google_uid: google_uid)
+        end
+
+        def handle_email_conflict(email:, google_uid:, existing_identity:)
+          auto_merge = RSB::Settings.get('auth.credentials.google.auto_merge_by_email')
+
+          if auto_merge
+            # Auto-merge: create Google credential on existing identity
+            credential = create_google_credential(
+              identity: existing_identity,
+              email: email,
+              google_uid: google_uid
+            )
+            Rails.logger.info { "#{LOG_TAG} Auto-merged Google credential to existing identity id=#{existing_identity.id}" }
+            return success(identity: existing_identity, credential: credential, action: :logged_in)
+          end
+
+          # No auto-merge: return error
+          Rails.logger.info { "#{LOG_TAG} Google login blocked: email conflict for #{email}, auto_merge disabled" }
+
+          generic_errors = RSB::Settings.get('auth.generic_error_messages')
+          if generic_errors
+            failure('Invalid credentials.')
+          else
+            failure('An account with this email already exists. Please log in with your password and link Google from your account page.')
+          end
+        end
+
+        def register_new_identity(email:, google_uid:)
+          unless registration_allowed?
+            return failure('Registration is currently disabled.')
+          end
+
+          identity = RSB::Auth::Identity.create!(status: :active)
+          credential = create_google_credential(
+            identity: identity,
+            email: email,
+            google_uid: google_uid
+          )
+
+          Rails.logger.info { "#{LOG_TAG} Created Google credential for new identity id=#{identity.id}" }
+
+          success(identity: identity, credential: credential, action: :registered)
+        end
+
+        def create_google_credential(identity:, email:, google_uid:)
+          RSB::Auth::Google::Credential.create!(
+            identity: identity,
+            identifier: email,
+            provider_uid: google_uid,
+            verified_at: Time.current
+          )
+        end
+
+        def find_active_credential_by_uid(google_uid)
+          RSB::Auth::Google::Credential.active.find_by(provider_uid: google_uid)
+        end
+
+        def find_active_credential_by_email(email)
+          RSB::Auth::Google::Credential.active.find_by(identifier: email.downcase)
+        end
+
+        def update_email_if_changed(credential, email)
+          return if credential.identifier == email.downcase
+
+          credential.update!(identifier: email)
+          Rails.logger.info { "#{LOG_TAG} Updated Google credential email to #{email} for identity id=#{credential.identity_id}" }
+        end
+
+        def registration_allowed?
+          mode = RSB::Settings.get('auth.registration_mode').to_s
+          return false if %w[disabled invite_only].include?(mode)
+
+          registerable = RSB::Settings.get('auth.credentials.google.registerable')
+          ActiveModel::Type::Boolean.new.cast(registerable)
+        end
+
+        def success(identity:, credential:, action:)
+          Result.new(success?: true, identity: identity, credential: credential, error: nil, action: action)
+        end
+
+        def failure(error)
+          Result.new(success?: false, identity: nil, credential: nil, error: error, action: nil)
+        end
+      end
+    end
+  end
+end

data/app/services/rsb/auth/google/oauth_service.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'json'
+
+module RSB
+  module Auth
+    module Google
+      # Exchanges a Google authorization code for tokens and verifies the id_token JWT.
+      #
+      # @example
+      #   service = RSB::Auth::Google::OauthService.new
+      #   result = service.exchange_and_verify(
+      #     code: params[:code],
+      #     redirect_uri: callback_url,
+      #     nonce: session[:google_oauth_nonce]
+      #   )
+      #   if result.success?
+      #     # result.email, result.google_uid available
+      #   end
+      class OauthService
+        GOOGLE_TOKEN_URI = 'https://oauth2.googleapis.com/token'
+        VALID_ISSUERS = ['https://accounts.google.com', 'accounts.google.com'].freeze
+
+        Result = Data.define(:success?, :email, :google_uid, :error)
+
+        # Exchanges the authorization code for tokens, then verifies the id_token JWT.
+        #
+        # @param code [String] the authorization code from Google
+        # @param redirect_uri [String] the callback URL (must match what was sent to Google)
+        # @param nonce [String] the nonce stored in the session for replay prevention
+        # @return [OauthService::Result] result with email and google_uid on success, error on failure
+        def exchange_and_verify(code:, redirect_uri:, nonce:)
+          # Step 1: Exchange code for tokens
+          token_response = exchange_code(code, redirect_uri)
+          return failure(:token_exchange_failed) unless token_response
+
+          id_token = token_response['id_token']
+          return failure(:token_exchange_failed) unless id_token.present?
+
+          # Step 2: Verify the id_token JWT
+          claims = verify_id_token(id_token, nonce)
+          return failure(:jwt_verification_failed) unless claims
+
+          email = claims['email']
+          google_uid = claims['sub']
+
+          Rails.logger.info { "#{LOG_TAG} Google token exchange successful for email=#{email}" }
+
+          Result.new(
+            success?: true,
+            email: email,
+            google_uid: google_uid,
+            error: nil
+          )
+        end
+
+        private
+
+        def exchange_code(code, redirect_uri)
+          client_id = RSB::Settings.get('auth.credentials.google.client_id')
+          client_secret = RSB::Settings.get('auth.credentials.google.client_secret')
+
+          uri = URI(GOOGLE_TOKEN_URI)
+          response = Net::HTTP.post_form(uri, {
+                                           'code' => code,
+                                           'client_id' => client_id,
+                                           'client_secret' => client_secret,
+                                           'redirect_uri' => redirect_uri,
+                                           'grant_type' => 'authorization_code'
+                                         })
+
+          unless response.is_a?(Net::HTTPSuccess)
+            Rails.logger.error { "#{LOG_TAG} Google token exchange failed: HTTP #{response.code} — #{response.body}" }
+            return nil
+          end
+
+          JSON.parse(response.body)
+        rescue Net::OpenTimeout, Net::ReadTimeout, Errno::ECONNREFUSED, SocketError, JSON::ParserError => e
+          Rails.logger.error { "#{LOG_TAG} Google token exchange failed: #{e.class}: #{e.message}" }
+          nil
+        end
+
+        def verify_id_token(id_token, nonce)
+          # Decode header to get kid (key ID)
+          header = JWT.decode(id_token, nil, false).last
+          kid = header['kid']
+
+          # Find the matching public key
+          key = JwksLoader.find_key(kid)
+          unless key
+            Rails.logger.warn { "#{LOG_TAG} Google id_token verification failed: unknown kid=#{kid}" }
+            return nil
+          end
+
+          # Verify signature and decode claims
+          client_id = RSB::Settings.get('auth.credentials.google.client_id')
+          claims = JWT.decode(
+            id_token,
+            key,
+            true,
+            {
+              algorithm: 'RS256',
+              verify_iss: true,
+              iss: VALID_ISSUERS,
+              verify_aud: true,
+              aud: client_id,
+              verify_expiration: true
+            }
+          ).first
+
+          # Validate nonce (replay prevention)
+          if nonce.present? && claims['nonce'] != nonce
+            Rails.logger.warn { "#{LOG_TAG} Google id_token verification failed: nonce mismatch" }
+            return nil
+          end
+
+          claims
+        rescue JWT::DecodeError, JWT::VerificationError, JWT::ExpiredSignature,
+               JWT::InvalidIssuerError, JWT::InvalidAudError => e
+          Rails.logger.warn { "#{LOG_TAG} Google id_token verification failed: #{e.class}: #{e.message}" }
+          nil
+        end
+
+        def failure(error)
+          Result.new(success?: false, email: nil, google_uid: nil, error: error)
+        end
+      end
+    end
+  end
+end

data/app/views/rsb/auth/credentials/_icon_google.html.erb

@@ -0,0 +1,6 @@
+<svg class="w-5 h-5" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+  <path d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92a5.06 5.06 0 01-2.2 3.32v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.1z" fill="#4285F4"/>
+  <path d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z" fill="#34A853"/>
+  <path d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z" fill="#FBBC05"/>
+  <path d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z" fill="#EA4335"/>
+</svg>

data/app/views/rsb/auth/google/credentials/_google.html.erb

@@ -0,0 +1,21 @@
+<%# Google OAuth sign-in button partial.
+    Rendered by the credential selector via redirect_url, but also available
+    for direct use in custom views.
+
+    Variables:
+      mode: String -- "login", "signup", or "link" (optional, default: "login")
+%>
+<% mode = local_assigns[:mode] || 'login' %>
+<% oauth_url = "/auth/oauth/google?mode=#{mode}" %>
+
+<%= link_to oauth_url, class: "inline-flex items-center justify-center w-full px-4 py-2.5 border border-gray-300 rounded-lg shadow-sm bg-white hover:bg-gray-50 transition-colors duration-150 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-indigo-500" do %>
+  <svg class="w-5 h-5 mr-3" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+    <path d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92a5.06 5.06 0 01-2.2 3.32v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.1z" fill="#4285F4"/>
+    <path d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z" fill="#34A853"/>
+    <path d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z" fill="#FBBC05"/>
+    <path d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z" fill="#EA4335"/>
+  </svg>
+  <span class="text-sm font-medium text-gray-700">
+    <%= mode == 'signup' ? 'Sign up with Google' : 'Sign in with Google' %>
+  </span>
+<% end %>

data/config/routes.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+RSB::Auth::Google::Engine.routes.draw do
+  get '/', to: 'oauth#redirect', as: :google_oauth_redirect
+  get '/callback', to: 'oauth#callback', as: :google_oauth_callback
+end

data/db/migrate/20260305000001_add_provider_uid_to_rsb_auth_credentials.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class AddProviderUidToRSBAuthCredentials < ActiveRecord::Migration[8.0]
+  def change
+    return unless table_exists?(:rsb_auth_credentials)
+
+    unless column_exists?(:rsb_auth_credentials, :provider_uid)
+      add_column :rsb_auth_credentials, :provider_uid, :string
+    end
+
+    return if index_exists?(:rsb_auth_credentials, %i[type provider_uid], name: 'idx_rsb_auth_credentials_type_provider_uid')
+
+    add_index :rsb_auth_credentials, %i[type provider_uid],
+              unique: true,
+              where: 'provider_uid IS NOT NULL',
+              name: 'idx_rsb_auth_credentials_type_provider_uid'
+  end
+end

data/lib/generators/rsb/auth/google/install/install_generator.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module RSB
+  module Auth
+    module Google
+      class InstallGenerator < Rails::Generators::Base
+        namespace 'rsb:auth:google:install'
+        source_root File.expand_path('templates', __dir__)
+
+        desc 'Install rsb-auth-google: copy migrations (if needed), mount routes, create initializer.'
+
+        # Copies the provider_uid migration only if the column does not already
+        # exist on the rsb_auth_credentials table. This enables multiple OAuth
+        # gems to share the same column without migration conflicts.
+        #
+        # @return [void]
+        def copy_migrations
+          if provider_uid_column_exists?
+            say 'provider_uid column already exists on rsb_auth_credentials, skipping migration', :yellow
+          else
+            rake 'rsb_auth_google:install:migrations'
+          end
+        end
+
+        # Mounts the rsb-auth-google engine at /auth/oauth/google in the
+        # host application's routes.rb.
+        #
+        # @return [void]
+        def mount_routes
+          route 'mount RSB::Auth::Google::Engine => "/auth/oauth/google"'
+        end
+
+        # Copies the initializer template with client_id / client_secret
+        # placeholders.
+        #
+        # @return [void]
+        def create_initializer
+          template 'initializer.rb', 'config/initializers/rsb_auth_google.rb'
+        end
+
+        # Prints post-installation instructions.
+        #
+        # @return [void]
+        def print_post_install
+          say ''
+          say 'rsb-auth-google installed successfully!', :green
+          say ''
+          say 'Next steps:'
+          say '  1. rails db:migrate'
+          say '  2. Set your Google OAuth credentials:'
+          say '     - In config/initializers/rsb_auth_google.rb, OR'
+          say '     - In the admin panel under Settings > Google OAuth, OR'
+          say '     - Via ENV: RSB_AUTH_CREDENTIALS_GOOGLE_CLIENT_ID and RSB_AUTH_CREDENTIALS_GOOGLE_CLIENT_SECRET'
+          say '  3. Register your callback URL with Google Cloud Console:'
+          say '     https://your-app.com/auth/oauth/google/callback'
+          say '  4. Visit /auth/session/new to see the Google sign-in button'
+          say ''
+        end
+
+        private
+
+        def provider_uid_column_exists?
+          require 'active_record'
+          ActiveRecord::Base.connection.column_exists?(:rsb_auth_credentials, :provider_uid)
+        rescue StandardError
+          false
+        end
+      end
+    end
+  end
+end

data/lib/generators/rsb/auth/google/install/templates/initializer.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+# RSB Auth Google configuration
+# See: https://github.com/Rails-SaaS-Builder/rails-saas-builder
+
+RSB::Auth::Google.configure do |config|
+  # Google OAuth credentials from Google Cloud Console
+  # Get yours at: https://console.cloud.google.com/apis/credentials
+  #
+  # You can also set these via:
+  #   - Admin panel: Settings > Google OAuth
+  #   - ENV: RSB_AUTH_CREDENTIALS_GOOGLE_CLIENT_ID
+  #   - ENV: RSB_AUTH_CREDENTIALS_GOOGLE_CLIENT_SECRET
+  #   - RSB::Settings.set('auth.credentials.google.client_id', 'xxx')
+
+  # config.client_id = 'your-client-id.apps.googleusercontent.com'
+  # config.client_secret = 'GOCSPX-your-client-secret'
+end
+
+# Optional: configure Google OAuth settings via RSB::Settings
+# RSB::Settings.set('auth.credentials.google.auto_merge_by_email', true)
+# RSB::Settings.set('auth.credentials.google.enabled', true)

data/lib/rsb/auth/google/configuration.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module RSB
+  module Auth
+    module Google
+      class Configuration
+        attr_accessor :client_id, :client_secret
+
+        def initialize
+          @client_id = nil
+          @client_secret = nil
+        end
+      end
+    end
+  end
+end

data/lib/rsb/auth/google/engine.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module RSB
+  module Auth
+    module Google
+      class Engine < ::Rails::Engine
+        isolate_namespace RSB::Auth::Google
+
+        initializer 'rsb_auth_google.register_settings', after: 'rsb_settings.ready' do
+          RSB::Settings.registry.register(RSB::Auth::Google::SettingsSchema.build)
+        end
+
+        initializer 'rsb_auth_google.register_credential', after: 'rsb_auth.ready' do
+          RSB::Auth.credentials.register(
+            RSB::Auth::CredentialDefinition.new(
+              key: :google,
+              class_name: 'RSB::Auth::Google::Credential',
+              authenticatable: true,
+              registerable: true,
+              label: 'Google',
+              icon: 'google',
+              form_partial: 'rsb/auth/google/credentials/google',
+              redirect_url: '/auth/oauth/google',
+              admin_form_partial: nil
+            )
+          )
+
+          RSB::Auth::CredentialSettingsRegistrar.register_enabled_settings
+
+          # Override per-credential defaults for Google via initializer-level config.
+          # These are resolved without DB access (resolver chain: DB > initializer > ENV > default).
+          RSB::Settings.configure do |config|
+            config.set 'auth.credentials.google.verification_required', false
+            config.set 'auth.credentials.google.auto_verify_on_signup', true
+            config.set 'auth.credentials.google.allow_login_unverified', true
+
+            if RSB::Auth::Google.configuration.client_id.present?
+              config.set 'auth.credentials.google.client_id', RSB::Auth::Google.configuration.client_id
+            end
+            if RSB::Auth::Google.configuration.client_secret.present?
+              config.set 'auth.credentials.google.client_secret', RSB::Auth::Google.configuration.client_secret
+            end
+          end
+        end
+
+        initializer 'rsb_auth_google.admin_hooks' do
+          ActiveSupport.on_load(:rsb_admin) do |_admin_registry|
+            # Google credentials are visible through rsb-auth's Identity admin resource.
+            # No additional admin resources needed for v1.
+          end
+        end
+
+        initializer 'rsb_auth_google.append_migrations' do |app|
+          config.paths['db/migrate'].expanded.each do |path|
+            app.config.paths['db/migrate'] << path unless app.config.paths['db/migrate'].include?(path)
+          end
+        end
+
+        config.generators do |g|
+          g.test_framework :minitest, fixture: false
+          g.assets false
+          g.helper false
+        end
+      end
+    end
+  end
+end

data/lib/rsb/auth/google/jwks_loader.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'json'
+
+module RSB
+  module Auth
+    module Google
+      # Fetches and caches Google's public keys (JWKS) for JWT verification.
+      #
+      # Keys are cached in Rails.cache with a 1-hour TTL. On kid mismatch
+      # (key rotation), the cache is invalidated and keys are re-fetched once.
+      #
+      # @example
+      #   key = RSB::Auth::Google::JwksLoader.find_key('kid-123')
+      #   JWT.decode(token, key, true, algorithm: 'RS256')
+      class JwksLoader
+        GOOGLE_JWKS_URI = 'https://www.googleapis.com/oauth2/v3/certs'
+        CACHE_KEY = 'rsb:auth:google:jwks'
+        CACHE_TTL = 3600 # 1 hour in seconds
+
+        class FetchError < StandardError; end
+
+        class << self
+          # Fetches Google's JWKS keys. Uses an in-memory cache with 1-hour TTL.
+          #
+          # @return [Array<JWT::JWK>] array of JWK key objects
+          # @raise [FetchError] if the HTTP request fails
+          def fetch_keys
+            if @cached_keys && @cached_at && (Time.current - @cached_at) < CACHE_TTL
+              Rails.logger.debug { "#{RSB::Auth::Google::LOG_TAG} Using cached Google JWKS keys" }
+              return @cached_keys
+            end
+
+            Rails.logger.debug { "#{RSB::Auth::Google::LOG_TAG} Fetching Google JWKS keys" }
+            @cached_keys = fetch_keys_from_google
+            @cached_at = Time.current
+            @cached_keys
+          end
+
+          # Finds a JWK key by its key ID (kid).
+          # If the kid is not found in the cached keys, invalidates the cache
+          # and retries once (handles Google key rotation).
+          #
+          # @param kid [String] the key ID from the JWT header
+          # @return [OpenSSL::PKey::RSA, nil] the RSA public key, or nil if not found
+          def find_key(kid)
+            keys = fetch_keys
+            key = find_in_keyset(keys, kid)
+            return key if key
+
+            # Key rotation: invalidate cache and retry once
+            Rails.logger.debug { "#{RSB::Auth::Google::LOG_TAG} kid=#{kid} not found, refreshing JWKS" }
+            invalidate_cache!
+            keys = fetch_keys
+            find_in_keyset(keys, kid)
+          end
+
+          # Invalidates the cached JWKS keys, forcing a fresh fetch.
+          #
+          # @return [void]
+          def invalidate_cache!
+            @cached_keys = nil
+            @cached_at = nil
+          end
+
+          private
+
+          def fetch_keys_from_google
+            uri = URI(GOOGLE_JWKS_URI)
+            response = Net::HTTP.get_response(uri)
+
+            unless response.is_a?(Net::HTTPSuccess)
+              raise FetchError, "Google JWKS fetch failed: HTTP #{response.code}"
+            end
+
+            jwks_data = JSON.parse(response.body)
+            jwks_data['keys'].map { |key_data| JWT::JWK.new(key_data) }
+          rescue Net::OpenTimeout, Net::ReadTimeout, Errno::ECONNREFUSED, SocketError => e
+            raise FetchError, "Google JWKS fetch failed: #{e.class}: #{e.message}"
+          end
+
+          def find_in_keyset(keys, kid)
+            jwk = keys.find { |k| k[:kid] == kid }
+            jwk&.verify_key
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rsb/auth/google/settings_schema.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module RSB
+  module Auth
+    module Google
+      class SettingsSchema
+        def self.build
+          RSB::Settings::Schema.new('auth') do
+            setting :'credentials.google.client_id',
+                    type: :string,
+                    default: '',
+                    group: 'Google OAuth',
+                    label: 'Client ID',
+                    description: 'Google OAuth client ID from Google Cloud Console'
+
+            setting :'credentials.google.client_secret',
+                    type: :string,
+                    default: '',
+                    encrypted: true,
+                    group: 'Google OAuth',
+                    label: 'Client Secret',
+                    description: 'Google OAuth client secret (stored encrypted)'
+
+            setting :'credentials.google.auto_merge_by_email',
+                    type: :boolean,
+                    default: false,
+                    group: 'Google OAuth',
+                    label: 'Auto-merge by Email',
+                    description: 'Automatically link Google to existing accounts with matching email'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rsb/auth/google/test_helper.rb

@@ -0,0 +1,191 @@
+# frozen_string_literal: true
+
+module RSB
+  module Auth
+    module Google
+      # Test helper for offline Google OAuth testing.
+      # Provides stubs and helpers so host app tests never hit Google's servers.
+      #
+      # @example Include in test helper
+      #   class ActiveSupport::TestCase
+      #     include RSB::Auth::Google::TestHelper
+      #   end
+      #
+      # @example Use in a test
+      #   test 'google login works' do
+      #     register_test_google_credential
+      #     stub_google_oauth(email: 'user@gmail.com', google_uid: '12345')
+      #     response = simulate_google_login(email: 'user@gmail.com', google_uid: '12345')
+      #     assert_response :redirect
+      #   end
+      module TestHelper
+        extend ActiveSupport::Concern
+
+        included do
+          setup do
+            RSB::Auth::Google.reset!
+          end
+
+          teardown do
+            unstub_google_oauth
+            RSB::Auth::Google.reset!
+          end
+        end
+
+        # Registers the Google credential type with test-safe settings.
+        # Call this in test setup when you need Google OAuth available.
+        #
+        # @return [void]
+        def register_test_google_credential
+          # Register Google settings if not already registered
+          register_google_settings_for_test
+
+          # Register the credential type if not already registered
+          unless google_credential_registered?
+            RSB::Auth.credentials.register(
+              RSB::Auth::CredentialDefinition.new(
+                key: :google,
+                class_name: 'RSB::Auth::Google::Credential',
+                authenticatable: true,
+                registerable: true,
+                label: 'Google',
+                icon: 'google',
+                form_partial: 'rsb/auth/google/credentials/google',
+                redirect_url: '/auth/oauth/google',
+                admin_form_partial: nil
+              )
+            )
+          end
+
+          # Set test credentials
+          RSB::Settings.set('auth.credentials.google.client_id', 'test-google-client-id')
+          RSB::Settings.set('auth.credentials.google.client_secret', 'test-google-client-secret')
+          RSB::Settings.set('auth.credentials.google.enabled', true)
+        end
+
+        # Stubs OauthService to return a successful result with the given claims.
+        # No HTTP calls are made to Google -- fully offline.
+        #
+        # @param email [String] Google email to return
+        # @param google_uid [String] Google user ID (sub claim) to return
+        # @return [void]
+        def stub_google_oauth(email:, google_uid:)
+          result = OauthService::Result.new(
+            success?: true,
+            email: email,
+            google_uid: google_uid,
+            error: nil
+          )
+
+          # Replace OauthService#exchange_and_verify with a stub
+          @_original_exchange_and_verify = OauthService.instance_method(:exchange_and_verify)
+          OauthService.define_method(:exchange_and_verify) { |**_kwargs| result }
+        end
+
+        # Removes the OauthService stub, restoring original behavior.
+        #
+        # @return [void]
+        def unstub_google_oauth
+          return unless @_original_exchange_and_verify
+
+          OauthService.define_method(:exchange_and_verify, @_original_exchange_and_verify)
+          @_original_exchange_and_verify = nil
+        end
+
+        # Performs the full Google OAuth login flow in a test.
+        # Visits the redirect endpoint (stores state in session),
+        # then hits the callback with the stubbed Google response.
+        #
+        # @param email [String] Google email
+        # @param google_uid [String] Google user ID
+        # @param mode [String] "login" or "signup" (default: "login")
+        # @return [ActionDispatch::Response] the callback response
+        def simulate_google_login(email:, google_uid:, mode: 'login')
+          stub_google_oauth(email: email, google_uid: google_uid)
+
+          # Step 1: GET redirect endpoint (stores state in session)
+          get "/auth/oauth/google?mode=#{mode}"
+
+          # Extract state from session
+          state = session[:google_oauth_state]
+
+          # Step 2: GET callback with code + state
+          get "/auth/oauth/google/callback?code=test-auth-code&state=#{state}"
+
+          response
+        end
+
+        # Performs the Google OAuth link flow for an authenticated identity.
+        #
+        # @param identity [RSB::Auth::Identity] the identity to link Google to
+        # @param email [String] Google email
+        # @param google_uid [String] Google user ID
+        # @return [ActionDispatch::Response] the callback response
+        def simulate_google_link(identity:, email:, google_uid:) # rubocop:disable Lint/UnusedMethodArgument
+          stub_google_oauth(email: email, google_uid: google_uid)
+
+          # Step 1: GET redirect endpoint with mode=link
+          get '/auth/oauth/google?mode=link'
+
+          # Extract state from session
+          state = session[:google_oauth_state]
+
+          # Step 2: GET callback
+          get "/auth/oauth/google/callback?code=test-auth-code&state=#{state}"
+
+          response
+        end
+
+        # Builds a fake id_token claims hash for unit testing services directly.
+        # Does NOT create a signed JWT -- just the claims hash.
+        #
+        # @param email [String] Google email
+        # @param google_uid [String] Google user ID (sub claim)
+        # @param nonce [String, nil] optional nonce
+        # @return [Hash] id_token claims hash
+        def build_google_id_token(email:, google_uid:, nonce: nil)
+          client_id = begin
+            RSB::Settings.get('auth.credentials.google.client_id')
+          rescue StandardError
+            'test-google-client-id'
+          end
+
+          {
+            'iss' => 'https://accounts.google.com',
+            'aud' => client_id,
+            'sub' => google_uid,
+            'email' => email,
+            'email_verified' => true,
+            'exp' => 1.hour.from_now.to_i,
+            'iat' => Time.current.to_i,
+            'nonce' => nonce
+          }.compact
+        end
+
+        private
+
+        def google_credential_registered?
+          RSB::Auth.credentials.find(:google).present?
+        rescue StandardError
+          false
+        end
+
+        def register_google_settings_for_test
+          schema = RSB::Settings::Schema.new('auth') do
+            setting :'credentials.google.client_id', type: :string, default: ''
+            setting :'credentials.google.client_secret', type: :string, default: ''
+            setting :'credentials.google.auto_merge_by_email', type: :boolean, default: false
+            setting :'credentials.google.enabled', type: :boolean, default: true
+            setting :'credentials.google.registerable', type: :boolean, default: true
+            setting :'credentials.google.verification_required', type: :boolean, default: false
+            setting :'credentials.google.auto_verify_on_signup', type: :boolean, default: true
+            setting :'credentials.google.allow_login_unverified', type: :boolean, default: true
+          end
+          RSB::Settings.registry.register(schema)
+        rescue RSB::Settings::DuplicateSettingError
+          # Already registered by engine or previous test
+        end
+      end
+    end
+  end
+end

data/lib/rsb/auth/google/version.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module RSB
+  module Auth
+    module Google
+      VERSION = '0.1.1'
+    end
+  end
+end

data/lib/rsb/auth/google.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'rsb/auth'
+require 'rsb/auth/google/version'
+require 'rsb/auth/google/engine'
+require 'rsb/auth/google/configuration'
+require 'rsb/auth/google/settings_schema'
+require 'rsb/auth/google/jwks_loader'
+require 'rsb/auth/google/test_helper'
+
+module RSB
+  module Auth
+    module Google
+      LOG_TAG = '[RSB::Auth::Google]'
+
+      class << self
+        def configuration
+          @configuration ||= Configuration.new
+        end
+
+        def configure
+          yield(configuration)
+        end
+
+        def reset!
+          @configuration = Configuration.new
+        end
+      end
+    end
+  end
+end

data/lib/rsb-auth-google.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'rsb/auth/google'

metadata

@@ -0,0 +1,106 @@
+--- !ruby/object:Gem::Specification
+name: rsb-auth-google
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- Aleksandr Marchenko
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.9'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '8.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '8.0'
+- !ruby/object:Gem::Dependency
+  name: rsb-auth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.9.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.9.0
+description: Adds Google OAuth as a credential type to RSB's auth system. Registers
+  into the credential registry, provides OAuth redirect/callback endpoints, and verifies
+  id_tokens via Google JWKS.
+email:
+- alex@marchenko.me
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Rakefile
+- app/controllers/rsb/auth/google/oauth_controller.rb
+- app/models/rsb/auth/google/credential.rb
+- app/services/rsb/auth/google/callback_service.rb
+- app/services/rsb/auth/google/oauth_service.rb
+- app/views/rsb/auth/credentials/_icon_google.html.erb
+- app/views/rsb/auth/google/credentials/_google.html.erb
+- config/routes.rb
+- db/migrate/20260305000001_add_provider_uid_to_rsb_auth_credentials.rb
+- lib/generators/rsb/auth/google/install/install_generator.rb
+- lib/generators/rsb/auth/google/install/templates/initializer.rb
+- lib/rsb-auth-google.rb
+- lib/rsb/auth/google.rb
+- lib/rsb/auth/google/configuration.rb
+- lib/rsb/auth/google/engine.rb
+- lib/rsb/auth/google/jwks_loader.rb
+- lib/rsb/auth/google/settings_schema.rb
+- lib/rsb/auth/google/test_helper.rb
+- lib/rsb/auth/google/version.rb
+homepage: https://github.com/Rails-SaaS-Builder/rails-saas-builder
+licenses:
+- LGPL-3.0
+metadata:
+  source_code_uri: https://github.com/Rails-SaaS-Builder/rails-saas-builder
+  bug_tracker_uri: https://github.com/Rails-SaaS-Builder/rails-saas-builder/issues
+  changelog_uri: https://github.com/Rails-SaaS-Builder/rails-saas-builder/blob/master/CHANGELOG.md
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.8
+specification_version: 4
+summary: Google OAuth authentication for Rails SaaS Builder
+test_files: []