# 08. OAuth & Social Login Integration

meta:
  id: android-production-08
  feature: android-production
  priority: P1
  depends_on: []
  tags: [auth, security, production]

objective:
  - Implement Google Sign-In and other OAuth providers, replacing any stubbed auth with real backend integration

deliverables:
  - Google Sign-In integration
  - Backend OAuth token exchange
  - AuthRepository wired to real API
  - Token refresh handling

steps:
  1. Implement Google Sign-In:
     - Configure Google Sign-In in Firebase Console
     - Add google-services.json to project
     - Integrate Google Sign-In SDK (com.google.android.gms:play-services-auth)
     - Handle ID token and send to backend
  2. Update backend for OAuth:
     - Add OAuth endpoints to tRPC user router
     - Verify Google ID token with Google certs
     - Create/link user accounts from OAuth providers
     - Return session token after OAuth login
  3. Update AuthRepository:
     - Modify AuthRepositoryImpl to use real API
     - Implement login, signup, forgotPassword with real endpoints
     - Handle OAuth token exchange
     - Wire into AuthViewModel
  4. Add token refresh:
     - Implement refresh token rotation
     - Silent token refresh on expiry
     - Handle refresh failure (re-authenticate)
  5. Add logout:
     - Revoke OAuth tokens where possible
     - Clear all local auth state
     - Notify backend of logout
  6. Handle errors:
     - Map API errors to user-friendly messages
     - Handle network errors gracefully
     - Handle cancelled sign-in attempts

tests:
  - Unit: Test OAuth token parsing
  - Integration: Test Google Sign-In flow end-to-end
  - Security: Verify token validation rejects invalid tokens

acceptance_criteria:
  - Google Sign-In working with Firebase
  - OAuth tokens verified server-side
  - User accounts created or linked correctly
  - AuthRepository uses real API in production
  - Token refresh working silently
  - Logout clears all auth state and revokes tokens
  - Error handling for all auth scenarios
  - Unit tests use mock repository
  - Production builds use real repository
  - No stubbed auth in production code

validation:
  - Tap Google Sign-In → Google flow → authenticate → logged in
  - Check backend → user created with Google provider
  - Wait for token expiry → automatic refresh
  - Logout → all tokens cleared, login screen shown
  - Check build variant → debug uses staging, release uses production

notes:
  - Google Sign-In is the most common OAuth on Android
  - Consider adding Apple Sign-In for cross-platform consistency
  - Backend must verify Google JWT with Google's public key
  - Use Credential Manager for modern Android auth (API 34+)
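Step 2 and the notes require the backend to verify the Google ID token before creating or linking an account. The following is an added example, not code from this task or the project: the check order a tRPC router should apply (pinned RS256 signature, issuer, audience equal to our own OAuth client id, expiry, email_verified). Google's published certificates are replaced by a locally generated RSA key pair, and the client id and claim values are constructed, so it runs offline.

```typescript
// Added example (not project code): checks applied to a Google ID token before
// creating or linking a user. Google's signing key is stood in for by a locally
// generated RSA key pair (assumption) so this runs offline; the checks are the same.
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "node:crypto";

const GOOGLE_ISSUERS = ["https://accounts.google.com", "accounts.google.com"];

interface GoogleClaims {
  iss: string; aud: string; sub: string; exp: number;
  email?: string; email_verified?: boolean;
}

const b64url = (b: Buffer): string => b.toString("base64url");
const fromB64url = (s: string): Buffer => Buffer.from(s, "base64url");

// Mint an RS256 token for tests; stands in for Google's signer (constructed input).
function signIdToken(claims: GoogleClaims, privateKey: KeyObject): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" }), "utf8"));
  const payload = b64url(Buffer.from(JSON.stringify(claims), "utf8"));
  const sig = createSign("sha256").update(`${header}.${payload}`).sign(privateKey);
  return `${header}.${payload}.${b64url(sig)}`;
}

// Signature first, then iss, aud (must be OUR client id), exp and email_verified.
// Throws on any failure; the router maps the throw to an UNAUTHORIZED response.
function verifyGoogleIdToken(
  token: string, googleKey: KeyObject, ourClientId: string, nowMs: number = Date.now(),
): GoogleClaims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts as [string, string, string];
  const header = JSON.parse(fromB64url(h).toString("utf8"));
  // Pin the algorithm: the token must not get to choose "none" or an HMAC variant.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const ok = createVerify("sha256").update(`${h}.${p}`).verify(googleKey, fromB64url(s));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(fromB64url(p).toString("utf8")) as GoogleClaims;
  if (!GOOGLE_ISSUERS.includes(claims.iss)) throw new Error("bad issuer");
  if (claims.aud !== ourClientId) throw new Error("token issued for another client");
  if (claims.exp * 1000 <= nowMs) throw new Error("token expired");
  if (claims.email !== undefined && claims.email_verified !== true) {
    throw new Error("email not verified"); // never link accounts on an unverified email
  }
  return claims;
}

// Test key pair standing in for Google's certificate (constructed).
function makeTestKeys() {
  return generateKeyPairSync("rsa", { modulusLength: 2048 });
}
```

In production the verifying key is selected by the token header's kid from Google's published certificates (google-auth-library's verifyIdToken performs these same checks), and the aud check is what stops an ID token issued to some other app from logging into ours.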