2.5 KiB
2.5 KiB
08. OAuth & Social Login Integration
meta: id: android-production-08 feature: android-production priority: P1 depends_on: [] tags: [auth, security, production]
objective:
- Implement Google Sign-In and other OAuth providers, replacing any stubbed auth with real backend integration
deliverables:
- Google Sign-In integration
- Backend OAuth token exchange
- AuthRepository wired to real API
- Token refresh handling
steps:
- Implement Google Sign-In:
- Configure Google Sign-In in Firebase Console
- Add google-services.json to project
- Integrate Google Sign-In SDK (com.google.android.gms:play-services-auth)
- Handle ID token and send to backend
- Update backend for OAuth:
- Add OAuth endpoints to tRPC user router
- Verify Google ID token with Google certs
- Create/link user accounts from OAuth providers
- Return session token after OAuth login
- Update AuthRepository:
- Modify AuthRepositoryImpl to use real API
- Implement login, signup, forgotPassword with real endpoints
- Handle OAuth token exchange
- Wire into AuthViewModel
- Add token refresh:
- Implement refresh token rotation
- Silent token refresh on expiry
- Handle refresh failure (re-authenticate)
- Add logout:
- Revoke OAuth tokens where possible
- Clear all local auth state
- Notify backend of logout
- Handle errors:
- Map API errors to user-friendly messages
- Handle network errors gracefully
- Handle cancelled sign-in attempts
tests:
- Unit: Test OAuth token parsing
- Integration: Test Google Sign-In flow end-to-end
- Security: Verify token validation rejects invalid tokens
acceptance_criteria:
- Google Sign-In working with Firebase
- OAuth tokens verified server-side
- User accounts created or linked correctly
- AuthRepository uses real API in production
- Token refresh working silently
- Logout clears all auth state and revokes tokens
- Error handling for all auth scenarios
- Unit tests use mock repository
- Production builds use real repository
- No stubbed auth in production code
validation:
- Tap Google Sign-In → Google flow → authenticate → logged in
- Check backend → user created with Google provider
- Wait for token expiry → automatic refresh
- Logout → all tokens cleared, login screen shown
- Check build variant → debug uses staging, release uses production
notes:
- Google Sign-In is the most common OAuth on Android
- Consider adding Apple Sign-In for cross-platform consistency
- Backend must verify Google JWT with Google's public key
- Use Credential Manager for modern Android auth (API 34+)