merge dark mode and google OAuth (#35)

* feat(api): implement Google OAuth login and user management - Added Google OpenID Connect login functionality, allowing users to authenticate using their Google accounts. - Created new endpoints for Google login, including user registration and linking existing accounts. - Introduced Google token verification logic and error handling for authentication failures. - Updated environment configuration to include Google OAuth client IDs and verification settings. - Enhanced user model to support OpenID and linked Google accounts. This feature improves user experience by enabling seamless sign-in with Google, while maintaining security and integrity of user data. * fix(auth): wire staging Google token verifier * chore(deps): update expo to version 55.0.6 and adjust @expo/env dependency in pnpm-lock.yaml * chore(deps): update Babel dependencies to version 7.29.7 in package-lock.json * feat(auth): enhance phone login for China users - Updated phone login functionality to support only mainland China (+86) mobile numbers. - Added user prompts and descriptions for phone login, including confirmation and cancellation options. - Adjusted translations for both English and Chinese to reflect the new phone login requirements. - Updated Google OAuth client IDs in configuration files for production and staging environments. * chore(deps): add peer flag to use-sync-external-store in package-lock.json * chore(deps): add @emnapi/core and @emnapi/runtime to package-lock.json * fix(app-expo): align Android native dependencies * fix(app-expo): normalize lockfile for npm 10 * fix(config): update environment variable handling to use static access - Introduced a static mapping for public environment variables to ensure proper access during the release bundle. - Updated the `requirePublicEnv` and `optionalPublicEnv` functions to reference the new `PUBLIC_ENV` object instead of directly accessing `process.env`. - Added comments to clarify the necessity of static access for certain environment variables. * feat(app-expo): dark mode, FAQ i18n, eval ASR, and theme cleanup (#34) * feat(app-expo): dark mode, FAQ i18n, version CI, and theme cleanup Implement light/dark scene colors across chat, reading, and headers; remove default/brand theme picker and ThemeVariablesProvider. Localize FAQ in-app, fix dark-mode text visibility, and remove the unused /api/faqs endpoint. Align About/version with Expo config and inject APP_VERSION in CI builds. Also includes phone E164 auth/SMS updates, eval ASR page, and related API work. * revert: remove phone E.164 changes from dark-mode branch These auth/SMS internationalization updates were accidentally bundled into the dark-mode commit; restore 11-digit CN phone flow and drop related API, migration, and Expo UI work from this branch. * fix: address PR review issues for dark mode and eval ASR Use light foreground colors for sepia reading in dark mode, fix chat send button contrast, stream-limit eval ASR uploads, restore LiveTester phone validation, and remove unused AudioSegmenter code. * fix(app-expo): improve chat send button contrast in light and dark mode Add dedicated send button colors (accent fill in dark, primary fill in light), use RNText to avoid NativeWind overrides, and restore dark labels in light mode for readable composer actions. --------- Co-authored-by: Kevin <kevin@brighteng.org> --------- Co-authored-by: penghanyuan <penghanyuan@gmail.com> Co-authored-by: Kevin <kevin@brighteng.org>
2026-06-09 11:14:36 +08:00
parent 10d9e13f14
commit 105b50a277
105 changed files with 22363 additions and 6105 deletions
--- a/api/app/features/auth/google.py
+++ b/api/app/features/auth/google.py
@@ -0,0 +1,191 @@
+"""Google OpenID Connect token verification."""
+
+from __future__ import annotations
+
+from collections.abc import Mapping
+from dataclasses import dataclass
+from typing import Any
+
+import httpx
+import jwt
+from jwt import PyJWKClient
+
+from app.core.config import settings
+from app.core.errors import ProviderError, ServiceUnavailableError
+from app.core.logging import get_logger
+from app.features.auth.service_errors import AuthError
+
+logger = get_logger(__name__)
+
+GOOGLE_JWKS_URL = "https://www.googleapis.com/oauth2/v3/certs"
+GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
+
+_jwks_client = PyJWKClient(GOOGLE_JWKS_URL)
+
+
+@dataclass(frozen=True)
+class GoogleIdentity:
+    subject: str
+    email: str
+    email_verified: bool
+    name: str
+    picture: str | None
+    audience: str = ""
+
+
+def _configured_client_ids() -> list[str]:
+    raw = (settings.google_oauth_client_ids or "").strip()
+    return [part.strip() for part in raw.split(",") if part.strip()]
+
+
+def verify_google_id_token(id_token: str) -> GoogleIdentity:
+    """Verify a Google ID token and return the minimal identity claims."""
+    client_ids = _configured_client_ids()
+    if not client_ids:
+        raise ServiceUnavailableError("Google 登录尚未配置")
+
+    verifier_url = (settings.google_token_verifier_url or "").strip()
+    if verifier_url:
+        return _verify_google_id_token_remotely(id_token, client_ids, verifier_url)
+
+    return _verify_google_id_token_locally(id_token, client_ids)
+
+
+def _verify_google_id_token_locally(
+    id_token: str,
+    client_ids: list[str],
+) -> GoogleIdentity:
+    try:
+        signing_key = _jwks_client.get_signing_key_from_jwt(id_token)
+        payload = jwt.decode(
+            id_token,
+            signing_key.key,
+            algorithms=["RS256"],
+            audience=client_ids,
+            options={"verify_iss": False},
+        )
+    except jwt.InvalidAudienceError as exc:
+        raise AuthError("Google 登录客户端不匹配", "INVALID_TOKEN") from exc
+    except jwt.ExpiredSignatureError as exc:
+        raise AuthError("Google 登录凭证已过期，请重试", "INVALID_TOKEN") from exc
+    except jwt.InvalidTokenError as exc:
+        raise AuthError("Google 登录凭证无效", "INVALID_TOKEN") from exc
+    except Exception as exc:
+        logger.exception("Google JWKS/token verification failed: {}", exc)
+        raise ProviderError("Google 登录校验暂时不可用，请稍后重试") from exc
+
+    issuer = str(payload.get("iss") or "")
+    if issuer not in GOOGLE_ISSUERS:
+        raise AuthError("Google 登录凭证来源无效", "INVALID_TOKEN")
+
+    audience = _matched_audience(payload, client_ids)
+    return _identity_from_claims(payload, audience=audience)
+
+
+def _verify_google_id_token_remotely(
+    id_token: str,
+    client_ids: list[str],
+    verifier_url: str,
+) -> GoogleIdentity:
+    secret = (settings.google_token_verifier_secret or "").strip()
+    if not secret:
+        raise ServiceUnavailableError("Google 登录校验代理未配置")
+
+    try:
+        response = httpx.post(
+            verifier_url,
+            json={"id_token": id_token},
+            headers={
+                "Accept": "application/json",
+                "Authorization": f"Bearer {secret}",
+            },
+            timeout=settings.google_token_verifier_timeout_seconds or 5.0,
+        )
+    except (httpx.TimeoutException, httpx.RequestError) as exc:
+        logger.warning("Google token verifier request failed: {}", exc)
+        raise ProviderError("Google 登录校验暂时不可用，请稍后重试") from exc
+
+    try:
+        data = response.json()
+    except ValueError as exc:
+        logger.warning(
+            "Google token verifier returned non-JSON response: status={}",
+            response.status_code,
+        )
+        raise ProviderError("Google 登录校验暂时不可用，请稍后重试") from exc
+
+    if not isinstance(data, dict):
+        logger.warning(
+            "Google token verifier returned invalid JSON shape: status={}",
+            response.status_code,
+        )
+        raise ProviderError("Google 登录校验暂时不可用，请稍后重试")
+
+    if response.status_code != 200:
+        _raise_remote_verifier_error(response.status_code, data)
+
+    audience = str(data.get("audience") or "").strip()
+    if audience not in client_ids:
+        raise AuthError("Google 登录客户端不匹配", "INVALID_TOKEN")
+
+    return _identity_from_claims(data, audience=audience)
+
+
+def _raise_remote_verifier_error(
+    status_code: int,
+    data: Mapping[str, Any],
+) -> None:
+    code = str(data.get("error") or "")
+    if code == "INVALID_TOKEN" or (status_code in (400, 401) and not code):
+        raise AuthError("Google 登录凭证无效", "INVALID_TOKEN")
+    if code == "INVALID_REQUEST":
+        raise AuthError("Google 登录凭证无效", "INVALID_TOKEN")
+    if code in {"CONFIGURATION_ERROR", "UNAUTHORIZED"}:
+        raise ServiceUnavailableError("Google 登录校验代理配置错误")
+
+    logger.warning(
+        "Google token verifier returned error: status={} code={}",
+        status_code,
+        code or "<empty>",
+    )
+    raise ProviderError("Google 登录校验暂时不可用，请稍后重试")
+
+
+def _matched_audience(payload: Mapping[str, Any], client_ids: list[str]) -> str:
+    raw_audience = payload.get("aud")
+    audiences = (
+        raw_audience
+        if isinstance(raw_audience, list)
+        else [raw_audience]
+        if raw_audience is not None
+        else []
+    )
+    for audience in audiences:
+        audience_str = str(audience or "").strip()
+        if audience_str in client_ids:
+            return audience_str
+    raise AuthError("Google 登录客户端不匹配", "INVALID_TOKEN")
+
+
+def _identity_from_claims(
+    payload: Mapping[str, Any],
+    *,
+    audience: str,
+) -> GoogleIdentity:
+    subject = str(payload.get("sub") or payload.get("subject") or "").strip()
+    email = str(payload.get("email") or "").strip().lower()
+    email_verified = (
+        payload.get("email_verified") is True
+        or str(payload.get("email_verified")).lower() == "true"
+    )
+    if not subject or not email or not email_verified:
+        raise AuthError("Google 账号邮箱未验证，无法登录", "INVALID_TOKEN")
+
+    return GoogleIdentity(
+        subject=subject,
+        email=email,
+        email_verified=email_verified,
+        name=str(payload.get("name") or "").strip(),
+        picture=str(payload.get("picture") or "").strip() or None,
+        audience=audience,
+    )
--- a/api/app/features/auth/repo.py
+++ b/api/app/features/auth/repo.py
@@ -24,6 +24,12 @@ async def get_user_by_email(email: str, db: AsyncSession) -> User | None:
    return result.scalar_one_or_none()


+async def get_user_by_openid(openid: str, db: AsyncSession) -> User | None:
+    stmt = select(User).where(User.openid == openid)
+    result = await db.execute(stmt)
+    return result.scalar_one_or_none()
+
+
 async def get_refresh_token_by_token(
    token_str: str, db: AsyncSession
 ) -> RefreshToken | None:
--- a/api/app/features/auth/router.py
+++ b/api/app/features/auth/router.py
@@ -25,6 +25,7 @@ from app.features.auth.schemas import (
    AvatarPresetItem,
    ChangePasswordRequest,
    ChangePhoneRequest,
+    GoogleLoginRequest,
    LoginRequest,
    MockSmsLoginRequest,
    RefreshTokenRequest,
@@ -53,6 +54,7 @@ AVATAR_DIR = Path("uploads/avatars")

 # ── helpers ──────────────────────────────────────────────────

+
 def _user_response(user: User) -> UserResponse:
    raw_lang = getattr(user, "language_preference", "zh")
    lang = str(raw_lang).strip().lower() if isinstance(raw_lang, str) else "zh"
@@ -366,6 +368,36 @@ async def login_with_sms(
    )


+@router.post(
+    "/login/google",
+    response_model=TokenResponse,
+    summary="Google 账号登录（新用户自动注册）",
+    responses=error_responses(
+        400,
+        401,
+        503,
+        descriptions={
+            400: "未同意协议或参数错误",
+            401: "Google 登录凭证无效",
+            503: "Google 登录尚未配置",
+        },
+    ),
+)
+async def login_with_google(
+    request: GoogleLoginRequest,
+    service: AuthService = Depends(get_auth_service),
+):
+    _check_terms(request.agreed_to_terms)
+    result = await service.login_with_google(
+        id_token=request.id_token,
+        language=request.language,
+    )
+    return TokenResponse(
+        access_token=result["access_token"],
+        refresh_token=result["refresh_token"],
+    )
+
+
@router.post(
    "/mock/sms-login",
    response_model=TokenResponse,
--- a/api/app/features/auth/schemas.py
+++ b/api/app/features/auth/schemas.py
@@ -70,6 +70,15 @@ class SmsLoginRequest(BaseModel):
    )


+class GoogleLoginRequest(BaseModel):
+    id_token: str = Field(min_length=20, description="Google OpenID Connect ID token")
+    agreed_to_terms: bool = Field(description="是否同意用户协议和隐私政策")
+    language: Optional[LanguagePreference] = Field(
+        None,
+        description="device language at signup; only used when creating a new user",
+    )
+
+
 class MockSmsLoginRequest(BaseModel):
    """开发/评测专用：与 MOCK_SMS_LOGIN_ENABLED 联用，跳过短信校验。"""

--- a/api/app/features/auth/service.py
+++ b/api/app/features/auth/service.py
@@ -16,7 +16,6 @@ from app.core.cos_url_keys import (
 )
 from app.core.db import transactional, transactional_nested, utc_now
 from app.core.errors import (
-    AppError,
    BadRequestError,
    ProviderError,
    RateLimitedError,
@@ -33,8 +32,13 @@ from app.core.security import (
    create_refresh_token as generate_refresh_token_str,
 )
 from app.features.auth import repo
-from app.features.auth.integrity import is_user_phone_unique_violation, user_integrity_auth_code
+from app.features.auth.google import GoogleIdentity, verify_google_id_token
+from app.features.auth.integrity import (
+    is_user_phone_unique_violation,
+    user_integrity_auth_code,
+)
 from app.features.auth.models import RefreshToken, SmsVerificationCode
+from app.features.auth.service_errors import AuthError
 from app.features.user.models import User
 from app.ports.sms import SmsSender
 from app.ports.storage import ObjectStorage
@@ -75,29 +79,6 @@ def _as_utc(dt: datetime) -> datetime:
    return dt.astimezone(timezone.utc)


-_AUTH_CODE_MAP: dict[str, tuple[int, str]] = {
-    "INVALID_CREDENTIALS": (401, "AUTHENTICATION_FAILED"),
-    "INVALID_TOKEN": (401, "AUTHENTICATION_FAILED"),
-    "TOKEN_REVOKED": (401, "AUTHENTICATION_FAILED"),
-    "TOKEN_EXPIRED": (401, "AUTHENTICATION_FAILED"),
-    "REFRESH_TOKEN_REUSE": (401, "REFRESH_TOKEN_REUSE"),
-    "USER_NOT_FOUND": (404, "NOT_FOUND"),
-    "PHONE_EXISTS": (400, "PHONE_EXISTS"),
-    "EMAIL_EXISTS": (400, "EMAIL_EXISTS"),
-    "PHONE_TAKEN": (409, "PHONE_TAKEN"),
-    "INVALID_SMS_CODE": (400, "INVALID_SMS_CODE"),
-    "WRONG_PASSWORD": (400, "WRONG_PASSWORD"),
-    "AUTH_ERROR": (400, "BAD_REQUEST"),
-}
-
-
-class AuthError(AppError):
-    def __init__(self, message: str, code: str = "AUTH_ERROR"):
-        status_code, error_code = _AUTH_CODE_MAP.get(code, (400, code))
-        super().__init__(message, status_code=status_code, error_code=error_code)
-        self.code = code
-
-
 def _raise_auth_error_from_user_integrity(
    exc: IntegrityError,
    *,
@@ -134,6 +115,22 @@ def _public_tokens(issued: dict) -> dict:
    }


+def _google_openid(subject: str) -> str:
+    return f"google:{subject}"
+
+
+def _google_internal_phone(subject: str) -> str:
+    return f"google:{subject}"
+
+
+def _nickname_from_google_identity(identity: GoogleIdentity) -> str:
+    name = identity.name.strip()
+    if name:
+        return name[:50]
+    local_part = identity.email.split("@", 1)[0].strip()
+    return (local_part or "Google User")[:50]
+
+
 class AuthService:
    def __init__(
        self,
@@ -369,6 +366,54 @@ class AuthService:
            tokens = await self._issue_tokens(user.id, device_info)
        return {"user": user, **_public_tokens(tokens)}

+    async def login_with_google(
+        self,
+        id_token: str,
+        device_info: str = "",
+        language: str | None = None,
+    ) -> dict:
+        """Google OpenID Connect login. Auto-registers a user on first sign-in."""
+        identity = await asyncio.to_thread(verify_google_id_token, id_token)
+        openid = _google_openid(identity.subject)
+
+        user = await repo.get_user_by_openid(openid, self._db)
+        is_new_user = False
+
+        async with transactional(self._db):
+            if user is None:
+                user = await repo.get_user_by_email(identity.email, self._db)
+                if user is not None:
+                    if user.openid and user.openid != openid:
+                        raise AuthError("该邮箱已绑定其他第三方账号", "EMAIL_EXISTS")
+                    user.openid = openid
+                    if not user.email:
+                        user.email = identity.email
+                    if identity.picture and not user.avatar_url:
+                        user.avatar_url = identity.picture
+                else:
+                    is_new_user = True
+                    user = User(
+                        id=str(uuid.uuid4()),
+                        phone=_google_internal_phone(identity.subject),
+                        password_hash=hash_password(secrets.token_urlsafe(32)),
+                        email=identity.email,
+                        openid=openid,
+                        nickname=_nickname_from_google_identity(identity),
+                        avatar_url=identity.picture,
+                        subscription_type="free",
+                        created_at=datetime.now(timezone.utc),
+                        language_preference=_normalize_language(language),
+                    )
+                    await _create_user_with_integrity_check(
+                        self._db, user, phone_conflict="PHONE_EXISTS"
+                    )
+
+            tokens = await self._issue_tokens(user.id, device_info)
+
+        if is_new_user:
+            await self._db.refresh(user)
+        return {"user": user, "is_new_user": is_new_user, **_public_tokens(tokens)}
+
    async def _revoke_all_active_tokens_in_session(self, user_id: str) -> int:
        """Revoke all active refresh tokens on the current session (no commit)."""
        tokens = await repo.get_active_tokens_for_user(user_id, self._db)
@@ -413,9 +458,7 @@ class AuthService:
                if idempotent is None and not token_record.replaced_by_token_id:
                    # Concurrent refresh may observe revoke before lineage commits.
                    token_record = (
-                        await repo.get_refresh_token_by_token(
-                            refresh_token, self._db
-                        )
+                        await repo.get_refresh_token_by_token(refresh_token, self._db)
                        or token_record
                    )
                    idempotent = await self._try_idempotent_refresh_within_grace(
@@ -733,7 +776,9 @@ class AuthService:

        jpeg_bytes = await _process_avatar_jpeg_async(file_content)
        cos_key = f"avatars/{user_id}.jpg"
-        old_key = extract_cos_object_key_if_owned(old_avatar_url) if old_avatar_url else None
+        old_key = (
+            extract_cos_object_key_if_owned(old_avatar_url) if old_avatar_url else None
+        )

        if not self._object_storage:
            raise ServiceUnavailableError("头像存储服务未配置，请稍后再试")
--- a/api/app/features/auth/service_errors.py
+++ b/api/app/features/auth/service_errors.py
@@ -0,0 +1,25 @@
+"""Shared auth-specific exceptions."""
+
+from app.core.errors import AppError
+
+_AUTH_CODE_MAP: dict[str, tuple[int, str]] = {
+    "INVALID_CREDENTIALS": (401, "AUTHENTICATION_FAILED"),
+    "INVALID_TOKEN": (401, "AUTHENTICATION_FAILED"),
+    "TOKEN_REVOKED": (401, "AUTHENTICATION_FAILED"),
+    "TOKEN_EXPIRED": (401, "AUTHENTICATION_FAILED"),
+    "REFRESH_TOKEN_REUSE": (401, "REFRESH_TOKEN_REUSE"),
+    "USER_NOT_FOUND": (404, "NOT_FOUND"),
+    "PHONE_EXISTS": (400, "PHONE_EXISTS"),
+    "EMAIL_EXISTS": (400, "EMAIL_EXISTS"),
+    "PHONE_TAKEN": (409, "PHONE_TAKEN"),
+    "INVALID_SMS_CODE": (400, "INVALID_SMS_CODE"),
+    "WRONG_PASSWORD": (400, "WRONG_PASSWORD"),
+    "AUTH_ERROR": (400, "BAD_REQUEST"),
+}
+
+
+class AuthError(AppError):
+    def __init__(self, message: str, code: str = "AUTH_ERROR"):
+        status_code, error_code = _AUTH_CODE_MAP.get(code, (400, code))
+        super().__init__(message, status_code=status_code, error_code=error_code)
+        self.code = code