# 08. OAuth & Social Login Integration

meta:
  id: android-production-08
  feature: android-production
  priority: P1
  depends_on: []
  tags: [auth, security, production]

objective:
- Implement Google Sign-In and other OAuth providers, replacing any stubbed auth with real backend integration

deliverables:
- Google Sign-In integration
- Backend OAuth token exchange
- AuthRepository wired to real API
- Token refresh handling

steps:
1. Implement Google Sign-In:
   - Configure Google Sign-In in Firebase Console
   - Add google-services.json to project
   - Integrate Google Sign-In SDK (com.google.android.gms:play-services-auth)
   - Handle ID token and send to backend
2. Update backend for OAuth:
   - Add OAuth endpoints to tRPC user router
   - Verify Google ID token with Google certs
   - Create/link user accounts from OAuth providers
   - Return session token after OAuth login
3. Update AuthRepository:
   - Modify AuthRepositoryImpl to use real API
   - Implement login, signup, forgotPassword with real endpoints
   - Handle OAuth token exchange
   - Wire into AuthViewModel
4. Add token refresh:
   - Implement refresh token rotation
   - Silent token refresh on expiry
   - Handle refresh failure (re-authenticate)
5. Add logout:
   - Revoke OAuth tokens where possible
   - Clear all local auth state
   - Notify backend of logout
6. Handle errors:
   - Map API errors to user-friendly messages
   - Handle network errors gracefully
   - Handle cancelled sign-in attempts
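Steps 1 and 2 hinge on the backend checking the Google ID token before it creates or links an account. The block below is an added example, not the project's own code: a TypeScript verifier (the kind of check the tRPC OAuth endpoint would call) that pins the algorithm to RS256, picks the signing key by `kid` from a JWKS, verifies the signature, and then checks `iss`, `aud`, `exp` and `email_verified`. The JWKS and signing key are a constructed local fixture standing in for Google's certs endpoint, and `TEST_AUD` is a placeholder client ID.

```typescript
import { createPublicKey, createSign, createVerify, generateKeyPairSync } from "crypto";
import type { JsonWebKey, KeyObject } from "crypto";

// One JWKS entry as served from a certs endpoint; kid selects the signing key.
type Jwk = JsonWebKey & { kid: string };
const GOOGLE_ISSUERS = ["https://accounts.google.com", "accounts.google.com"];
const b64url = (s: string) => Buffer.from(s).toString("base64url");

// Verifies a Google ID token against a JWKS: pinned alg, signature, iss, aud, exp, sub.
export function verifyGoogleIdToken(token: string, jwks: Jwk[], audience: string,
                                    now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
  if (header.alg !== "RS256") throw new Error("unexpected alg"); // never honour alg from the token
  const jwk = jwks.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error("unknown kid");
  const signatureOk = createVerify("RSA-SHA256")
    .update(`${parts[0]}.${parts[1]}`)
    .verify(createPublicKey({ key: jwk, format: "jwk" }), parts[2], "base64url");
  if (!signatureOk) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (!GOOGLE_ISSUERS.includes(claims.iss)) throw new Error("bad iss");
  if (claims.aud !== audience) throw new Error("bad aud"); // must be this app's client ID
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  if (claims.email_verified !== true) throw new Error("email not verified");
  if (typeof claims.sub !== "string") throw new Error("missing sub");
  return { sub: claims.sub as string, email: String(claims.email) };
}

// Returns null when the token is accepted, otherwise the rejection reason (useful for logging).
export function rejectionReason(token: string, jwks: Jwk[], audience: string): string | null {
  try { verifyGoogleIdToken(token, jwks, audience); return null; }
  catch (e) { return (e as Error).message; }
}

// Constructed fixture: a local RSA key plays Google's signing key so this runs offline.
const { privateKey, publicKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
export const TEST_KID = "test-key-1";
export const TEST_JWKS: Jwk[] = [{ ...publicKey.export({ format: "jwk" }), kid: TEST_KID }];
export const TEST_AUD = "PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"; // placeholder

// Mints an RS256 JWT with the fixture key, mirroring what Google does for real ID tokens.
export function mintToken(claims: Record<string, unknown>, kid = TEST_KID, signer: KeyObject = privateKey) {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT", kid }));
  const body = b64url(JSON.stringify(claims));
  const sig = createSign("RSA-SHA256").update(`${head}.${body}`).sign(signer, "base64url");
  return `${head}.${body}.${sig}`;
}
```

In production the JWKS comes from Google's certs endpoint (cache it according to the response's Cache-Control header), or use `verifyIdToken` from Google's `google-auth-library`, which performs the same checks.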

tests:
- Unit: Test OAuth token parsing
- Integration: Test Google Sign-In flow end-to-end
- Security: Verify token validation rejects invalid tokens (bad signature, wrong audience, expired)

acceptance_criteria:
- Google Sign-In working with Firebase
- OAuth tokens verified server-side
- User accounts created or linked correctly
- AuthRepository uses real API in production
- Token refresh working silently
- Logout clears all auth state and revokes tokens
- Error handling for all auth scenarios
- Unit tests use mock repository
- Production builds use real repository
- No stubbed auth in production code

validation:
- Tap Google Sign-In → Google flow → authenticate → logged in
- Check backend → user created with Google provider
- Wait for token expiry → automatic refresh
- Logout → all tokens cleared, login screen shown
- Check build variant → debug uses staging, release uses production

notes:
- Google Sign-In is the most common OAuth provider on Android
- Consider adding Apple Sign-In for cross-platform consistency
- Backend must verify the Google ID token (a JWT) against Google's public keys; never trust claims from an unverified token
- Use Credential Manager for modern Android auth (API 34+)