Merge pull request from feat/add-oidc-google-auth

ayoub3bidi · web-flow · commit 6ca2aa8a3003 · 2025-02-01T02:56:48.000-08:00
feat: add Google OIDC authentication support
diff --git a/.env.dist b/.env.dist
@@ -1,8 +1,10 @@
 APP_TITLE="Mercury API Docs"
 APP_DESCRIPTION="This is the Swagger documentation of the Mercury API"
 APP_VERSION=1.0
+API_URL="http://localhost:8000"
 API_VERSION="v1"
 APP_ENV=local
+HTTP_REQUEST_TIMEOUT=60
 ## Admin Configuration
 ADMIN_USERNAME="admin"
 ADMIN_EMAIL="admin"
@@ -25,3 +27,9 @@ REDIS_PORT=6379
 JWT_SECRET_KEY="mysecretkey"
 JWT_ALGORITHM="HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES=30
+## OIDC Configuration
+OIDC_GOOGLE_CLIENT_ID="changeme"
+OIDC_GOOGLE_CLIENT_SECRET="changeme"
+GOOGLE_AUTH_URL="https://accounts.google.com/o/oauth2/auth"
+GOOGLE_TOKEN_URL="https://accounts.google.com/o/oauth2/token"
+GOOGLE_USER_INFO_URL="https://www.googleapis.com/oauth2/v1/userinfo"
diff --git a/README.md b/README.md
@@ -25,8 +25,8 @@
 Mercury is a simple and reliable boilerplate that anyone can use from beginners to experts (no deep bullsh*t).   
 
 This project uses:  
-- 🛡️ Basic [OAuth2](https://fastapi.tiangolo.com/tutorial/security/oauth2-jwt/?h=jwt) authentication provided by FastApi security nested package.
-- 🔋[PostgreSQL](https://hub.docker.com/_/postgres) as its main database, [Redis](https://hub.docker.com/_/redis) for caching, and [flyway](https://hub.docker.com/r/flyway/flyway) for database migration.
+- 🛡️ Basic [OAuth2](https://fastapi.tiangolo.com/tutorial/security/oauth2-jwt/?h=jwt) authentication, utilizing the FastAPI security module. It also supports user authentication via Google integration.
+- 🛢[PostgreSQL](https://hub.docker.com/_/postgres) as its main database, [Redis](https://hub.docker.com/_/redis) for caching, and [flyway](https://hub.docker.com/r/flyway/flyway) for database migration.
 - 🧪  Unit and integration tests.
 - 🔒️ Security scanner (Bandit).
 
@@ -75,6 +75,7 @@ This will create a `.env` file in your project locally.
 APP_TITLE="Mercury API Docs"
 APP_DESCRIPTION="This is the Swagger documentation of the Mercury API"
 APP_VERSION=1.0
+API_URL="http://localhost:8000"
 API_VERSION="v1"
 APP_ENV=local
 ## Admin Configuration
@@ -99,6 +100,12 @@ REDIS_PORT=6379
 JWT_SECRET_KEY="mysecretkey"
 JWT_ALGORITHM="HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES=30
+## OIDC Configuration
+OIDC_GOOGLE_CLIENT_ID="changeme"
+OIDC_GOOGLE_CLIENT_SECRET="changeme"
+GOOGLE_AUTH_URL="https://accounts.google.com/o/oauth2/auth"
+GOOGLE_TOKEN_URL="https://accounts.google.com/o/oauth2/token"
+GOOGLE_USER_INFO_URL="https://www.googleapis.com/oauth2/v1/userinfo"
 ```
 
 ### Run the containers
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,4 +1,4 @@
-version: '3.3'
+version: '3.8'
 services:
 
   mercury_api:
diff --git a/requirements.txt b/requirements.txt
@@ -11,4 +11,5 @@ passlib[bcrypt]
 python-multipart==0.0.18
 pytest
 ruff
-httpx
+httpx
+google-auth
diff --git a/src/constants/environment_variables.py b/src/constants/environment_variables.py
@@ -5,7 +5,9 @@
 APP_VERSION = os.environ['APP_VERSION']
 APP_TITLE = os.environ['APP_TITLE']
 APP_DESCRIPTION = os.environ['APP_DESCRIPTION']
+v = os.environ['API_VERSION']
 APP_ENV = os.getenv('APP_ENV')
+API_URL = os.getenv('API_URL')
 POSTGRES_DB = os.getenv('POSTGRES_DB')
 POSTGRES_USER = os.getenv('POSTGRES_USER')
 POSTGRES_PASSWORD = os.getenv('POSTGRES_PASSWORD')
@@ -19,4 +21,10 @@
 JWT_SECRET_KEY = os.getenv('JWT_SECRET_KEY')
 JWT_ALGORITHM = os.getenv('JWT_ALGORITHM')
 ACCESS_TOKEN_EXPIRE_MINUTES = os.getenv('ACCESS_TOKEN_EXPIRE_MINUTES')
-v = os.environ['API_VERSION']
+HTTP_REQUEST_TIMEOUT = os.getenv('HTTP_REQUEST_TIMEOUT') 
+GOOGLE_AUTH_URL = os.getenv('GOOGLE_AUTH_URL')
+GOOGLE_TOKEN_URL = os.getenv('GOOGLE_TOKEN_URL')
+GOOGLE_USER_INFO_URL = os.getenv('GOOGLE_USER_INFO_URL')
+OIDC_GOOGLE_CLIENT_ID = os.getenv('OIDC_GOOGLE_CLIENT_ID')
+OIDC_GOOGLE_CLIENT_SECRET = os.getenv('OIDC_GOOGLE_CLIENT_SECRET')
+OIDC_GOOGLE_REDIRECT_URI = f"{API_URL}/{v}/auth/google"
diff --git a/src/controllers/oidc/google.py b/src/controllers/oidc/google.py
@@ -0,0 +1,97 @@
+import requests
+from google.auth.transport import requests as google_requests
+from google.oauth2 import id_token
+from models.User import User
+from utils.oidc import update_oidc_info
+from constants.environment_variables import (
+    OIDC_GOOGLE_CLIENT_ID,
+    OIDC_GOOGLE_CLIENT_SECRET,
+    OIDC_GOOGLE_REDIRECT_URI,
+    GOOGLE_TOKEN_URL,
+    GOOGLE_USER_INFO_URL,
+    HTTP_REQUEST_TIMEOUT
+)
+
+def get_user_infos_from_google_token_url(code):
+    token_data = {
+        "code": code,
+        "client_id": OIDC_GOOGLE_CLIENT_ID,
+        "client_secret": OIDC_GOOGLE_CLIENT_SECRET,
+        "redirect_uri": OIDC_GOOGLE_REDIRECT_URI,
+        "grant_type": "authorization_code",
+    }
+
+    token_response = requests.post(GOOGLE_TOKEN_URL, data=token_data, timeout=HTTP_REQUEST_TIMEOUT)
+    access_token = token_response.json().get("access_token")
+    
+    user_infos_response = requests.get(GOOGLE_USER_INFO_URL, headers={"Authorization": f"Bearer {access_token}"}, timeout=HTTP_REQUEST_TIMEOUT)
+    user_infos = user_infos_response.json()
+
+    if not user_infos:
+        return {
+            "status": False,
+            "user_infos": user_infos
+        }
+    
+    return {
+        "status": True,
+        "user_infos": user_infos
+    }
+
+def get_user_infos_from_google_token(id_token_str):
+    id_info = id_token.verify_oauth2_token(id_token_str, google_requests.Request(), OIDC_GOOGLE_CLIENT_ID)
+    user_id = id_info['sub']
+    email = id_info.get('email')
+    
+    user_infos = {
+        'id': user_id,
+        'email': email,
+    }
+    
+    if not user_infos:
+        return {
+            "status": False,
+            "user_infos": user_infos
+        }
+    
+    return {
+        "status": True,
+        "user_infos": user_infos
+    }
+
+
+def create_user(user_infos, db):
+    user_exists = db.query(User).filter(User.email == user_infos['email']).first()
+
+    if user_exists:
+        got_updated = update_oidc_info(
+            user_exists.id,
+            'google',
+            user_infos['id'],
+            user_infos['email'],
+            db
+        )
+        if got_updated is False:
+            return {
+                "status": False,
+                "message": "Failed to update user"
+            }
+
+        return {
+            "status": True,
+            "user": user_exists
+        }
+
+    new_user = User(
+        email=user_infos['email'],
+        oidc_configs=[{
+            "provider": "google",
+            "id": user_infos['id'],
+            "email": user_infos['email']
+        }]
+    )
+    new_user.save(db)
+    return {
+        "status": True,
+        "user": new_user
+    }
diff --git a/src/main.py b/src/main.py
@@ -4,7 +4,7 @@
 from database.postgres_db import dbEngine, Base
 import database.redis_db as redis
 from restful_ressources import import_resources
-from utils.security import create_admin_user
+# from utils.security import create_admin_user
 
 Base.metadata.create_all(bind=dbEngine)
 redis.init()
@@ -25,6 +25,6 @@
         allow_headers=["*"],
     )
 
-create_admin_user()
+# create_admin_user()
 
 import_resources(app)
diff --git a/src/migrations/V1/V1.2__create_user_table.sql b/src/migrations/V1/V1.2__create_user_table.sql
@@ -4,5 +4,6 @@ CREATE TABLE IF NOT EXISTS public.user (
     email VARCHAR(200),
     password VARCHAR(200),
     is_admin BOOLEAN,
-    disabled BOOLEAN
+    disabled BOOLEAN,
+    oidc_configs JSONB DEFAULT '[]'::jsonb;
 );
diff --git a/src/models/User.py b/src/models/User.py
@@ -1,7 +1,6 @@
-import uuid
 from database.postgres_db import Base
-from sqlalchemy import Column, Integer, String, Boolean, Numeric
-from sqlalchemy.sql import func
+from sqlalchemy import Column, String, Boolean
+from sqlalchemy.dialects.postgresql import JSONB
 from fastapi_utils.guid_type import GUID, GUID_SERVER_DEFAULT_POSTGRESQL
 
 class User(Base):
@@ -11,4 +10,5 @@ class User(Base):
     email = Column(String, nullable=False, unique=True)
     password = Column(String, nullable=False)
     is_admin = Column(Boolean, nullable=True, default=False)
-    disabled = Column(Boolean, nullable=True, default=False)
+    disabled = Column(Boolean, nullable=True, default=False)
+    oidc_configs = Column(JSONB, default=lambda: [], nullable=False)
diff --git a/src/restful_ressources.py b/src/restful_ressources.py
@@ -1,13 +1,13 @@
-
-import os
 from routes import health
 import middleware.auth_guard as auth_guard
 from routes.user import user
 from routes.admin import user as admin_user
+from routes.oidc import google
 from constants.environment_variables import v
 
 def import_resources(app):
     app.include_router(health.router, tags=['Information'], prefix=f'/{v}')
     app.include_router(auth_guard.router, tags=['Access Token'], prefix=f'/{v}')
+    app.include_router(google.router, tags=['OIDC'], prefix=f'/{v}/oidc')
     app.include_router(admin_user.router, tags=['Admin'], prefix=f'/{v}/admin/user')
     app.include_router(user.router, tags=['User'], prefix=f'/{v}/user')
diff --git a/src/routes/oidc/google.py b/src/routes/oidc/google.py
@@ -0,0 +1,70 @@
+from sqlalchemy.orm import Session
+from datetime import timedelta
+from fastapi import Depends, APIRouter, HTTPException, status
+from fastapi.security import OAuth2PasswordBearer
+from utils.security import create_access_token
+from database.postgres_db import get_db
+from jose import jwt
+from models.User import User
+from controllers.oidc.google import get_user_infos_from_google_token_url, get_user_infos_from_google_token, create_user
+from constants.environment_variables import (
+    ACCESS_TOKEN_EXPIRE_MINUTES,
+    OIDC_GOOGLE_CLIENT_ID,
+    OIDC_GOOGLE_CLIENT_SECRET,
+    OIDC_GOOGLE_REDIRECT_URI,
+    GOOGLE_AUTH_URL,
+)
+
+router = APIRouter()
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
+
+@router.get("/google/login")
+async def login_google():
+    params = {
+        "response_type": "code",
+        "client_id": OIDC_GOOGLE_CLIENT_ID,
+        "redirect_uri": OIDC_GOOGLE_REDIRECT_URI,
+        "scope": "openid email profile",
+        "access_type": "offline",
+        "prompt": "consent",
+    }
+
+    query_string = "&".join(f"{key}={value}" for key, value in params.items())
+    authorization_url = f"{GOOGLE_AUTH_URL}?{query_string}"
+    
+    return {"url": authorization_url}
+
+@router.get("/google")
+async def auth_google(code: str = None, credential: str = None, db: Session = Depends(get_db)):
+    if code:
+        check = get_user_infos_from_google_token_url(code)
+        if check['status'] is False:
+            raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid code")
+        
+        user_infos = check['user_infos']
+    elif credential:
+        check = get_user_infos_from_google_token(credential)
+        if check['status'] is False:
+            raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid credential")
+        
+        user_infos = check['user_infos']
+    else:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Neither code nor credential provided.")
+
+    user = db.query(User).filter(User.oidc_configs.contains([{ "provider": "google", "id": user_infos['id'] }])).first()
+
+    if not user:
+        check = create_user(user_infos, db)
+        if check['status'] is False:
+            raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=check["message"])
+        user = check['user']
+        
+
+    access_token_expires = timedelta(minutes=int(ACCESS_TOKEN_EXPIRE_MINUTES))
+    access_token = create_access_token(data={"sub": user.email}, expires_delta=access_token_expires)
+
+    return { "token": access_token }
+
+@router.get("/google/token")
+async def get_google_token(token: str = Depends(oauth2_scheme)):
+    return jwt.decode(token, OIDC_GOOGLE_CLIENT_SECRET, algorithms=["HS256"])
diff --git a/src/utils/oidc.py b/src/utils/oidc.py
@@ -0,0 +1,27 @@
+from sqlalchemy.orm.attributes import flag_modified
+from models.User import User
+
+def update_oidc_info(user_id: int, provider: str, id: str, email: str, db):
+        user = db.query(User).filter(User.id == user_id).first()
+        if not user:
+            return False
+        
+        if not isinstance(user.oidc_configs, list):
+            user.oidc_configs = []
+        
+        #? Remove existing config for this provider if it exists
+        user.oidc_configs = [
+            config for config in user.oidc_configs
+            if not (config.get("provider") == provider and "id" in config)
+        ]
+
+        user.oidc_configs.append({
+            "provider": provider,
+            "id": id,
+            "email": email
+        })
+
+        flag_modified(user, "oidc_configs")
+        db.commit()
+
+        return True

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-version: '3.3'`
	`1`	`+version: '3.8'`
`2`	`2`	`services:`
`3`	`3`
`4`	`4`	`mercury_api:`