get to prod tasks
This commit is contained in:
76
tasks/android-production/08-oauth-social-login.md
Normal file
76
tasks/android-production/08-oauth-social-login.md
Normal file
@@ -0,0 +1,76 @@
|
||||
# 08. OAuth & Social Login Integration
|
||||
|
||||
meta:
|
||||
id: android-production-08
|
||||
feature: android-production
|
||||
priority: P1
|
||||
depends_on: []
|
||||
tags: [auth, security, production]
|
||||
|
||||
objective:
|
||||
- Implement Google Sign-In and other OAuth providers, replacing any stubbed auth with real backend integration
|
||||
|
||||
deliverables:
|
||||
- Google Sign-In integration
|
||||
- Backend OAuth token exchange
|
||||
- AuthRepository wired to real API
|
||||
- Token refresh handling
|
||||
|
||||
steps:
|
||||
1. Implement Google Sign-In:
|
||||
- Configure Google Sign-In in Firebase Console
|
||||
- Add google-services.json to project
|
||||
- Integrate Google Sign-In SDK (com.google.android.gms:play-services-auth)
|
||||
- Handle ID token and send to backend
|
||||
2. Update backend for OAuth:
|
||||
- Add OAuth endpoints to tRPC user router
|
||||
- Verify Google ID token with Google certs
|
||||
- Create/link user accounts from OAuth providers
|
||||
- Return session token after OAuth login
|
||||
3. Update AuthRepository:
|
||||
- Modify AuthRepositoryImpl to use real API
|
||||
- Implement login, signup, forgotPassword with real endpoints
|
||||
- Handle OAuth token exchange
|
||||
- Wire into AuthViewModel
|
||||
4. Add token refresh:
|
||||
- Implement refresh token rotation
|
||||
- Silent token refresh on expiry
|
||||
- Handle refresh failure (re-authenticate)
|
||||
5. Add logout:
|
||||
- Revoke OAuth tokens where possible
|
||||
- Clear all local auth state
|
||||
- Notify backend of logout
|
||||
6. Handle errors:
|
||||
- Map API errors to user-friendly messages
|
||||
- Handle network errors gracefully
|
||||
- Handle cancelled sign-in attempts
|
||||
|
||||
tests:
|
||||
- Unit: Test OAuth token parsing
|
||||
- Integration: Test Google Sign-In flow end-to-end
|
||||
- Security: Verify token validation rejects invalid tokens
|
||||
|
||||
acceptance_criteria:
|
||||
- Google Sign-In working with Firebase
|
||||
- OAuth tokens verified server-side
|
||||
- User accounts created or linked correctly
|
||||
- AuthRepository uses real API in production
|
||||
- Token refresh working silently
|
||||
- Logout clears all auth state and revokes tokens
|
||||
- Error handling for all auth scenarios
|
||||
- Unit tests use mock repository
|
||||
- Production builds use real repository
|
||||
- No stubbed auth in production code
|
||||
|
||||
validation:
|
||||
- Tap Google Sign-In → Google flow → authenticate → logged in
|
||||
- Check backend → user created with Google provider
|
||||
- Wait for token expiry → automatic refresh
|
||||
- Logout → all tokens cleared, login screen shown
|
||||
- Check build variant → debug uses staging, release uses production
|
||||
|
||||
notes:
|
||||
- Google Sign-In is the most common OAuth on Android
|
||||
- Consider adding Apple Sign-In for cross-platform consistency
|
||||
- Backend must verify Google JWT with Google's public key
|
||||
- Use Credential Manager for modern Android auth (API 34+)
|
||||
Reference in New Issue
Block a user