merge dark mode and google OAuth (#35)

* feat(api): implement Google OAuth login and user management

- Added Google OpenID Connect login functionality, allowing users to authenticate using their Google accounts.
- Created new endpoints for Google login, including user registration and linking existing accounts.
- Introduced Google token verification logic and error handling for authentication failures.
- Updated environment configuration to include Google OAuth client IDs and verification settings.
- Enhanced user model to support OpenID and linked Google accounts.

This feature improves user experience by enabling seamless sign-in with Google, while maintaining security and integrity of user data.

* fix(auth): wire staging Google token verifier

* chore(deps): update expo to version 55.0.6 and adjust @expo/env dependency in pnpm-lock.yaml

* chore(deps): update Babel dependencies to version 7.29.7 in package-lock.json

* feat(auth): enhance phone login for China users

- Updated phone login functionality to support only mainland China (+86) mobile numbers.
- Added user prompts and descriptions for phone login, including confirmation and cancellation options.
- Adjusted translations for both English and Chinese to reflect the new phone login requirements.
- Updated Google OAuth client IDs in configuration files for production and staging environments.

* chore(deps): add peer flag to use-sync-external-store in package-lock.json

* chore(deps): add @emnapi/core and @emnapi/runtime to package-lock.json

* fix(app-expo): align Android native dependencies

* fix(app-expo): normalize lockfile for npm 10

* fix(config): update environment variable handling to use static access

- Introduced a static mapping for public environment variables to ensure proper access during the release bundle.
- Updated the `requirePublicEnv` and `optionalPublicEnv` functions to reference the new `PUBLIC_ENV` object instead of directly accessing `process.env`.
- Added comments to clarify the necessity of static access for certain environment variables.

* feat(app-expo): dark mode, FAQ i18n, eval ASR, and theme cleanup (#34)

* feat(app-expo): dark mode, FAQ i18n, version CI, and theme cleanup

Implement light/dark scene colors across chat, reading, and headers; remove
default/brand theme picker and ThemeVariablesProvider. Localize FAQ in-app,
fix dark-mode text visibility, and remove the unused /api/faqs endpoint.
Align About/version with Expo config and inject APP_VERSION in CI builds.

Also includes phone E164 auth/SMS updates, eval ASR page, and related API work.

* revert: remove phone E.164 changes from dark-mode branch

These auth/SMS internationalization updates were accidentally bundled into
the dark-mode commit; restore 11-digit CN phone flow and drop related API,
migration, and Expo UI work from this branch.

* fix: address PR review issues for dark mode and eval ASR

Use light foreground colors for sepia reading in dark mode, fix chat send
button contrast, stream-limit eval ASR uploads, restore LiveTester phone
validation, and remove unused AudioSegmenter code.

* fix(app-expo): improve chat send button contrast in light and dark mode

Add dedicated send button colors (accent fill in dark, primary fill in
light), use RNText to avoid NativeWind overrides, and restore dark labels
in light mode for readable composer actions.

---------

Co-authored-by: Kevin <kevin@brighteng.org>

---------

Co-authored-by: penghanyuan <penghanyuan@gmail.com>
Co-authored-by: Kevin <kevin@brighteng.org>

api/tests/evaluation/test_asr_router.py

@@ -0,0 +1,100 @@
+"""内部评测 ASR 转写路由。"""
+
+import pytest
+from httpx import ASGITransport, AsyncClient
+
+from app.features.evaluation.internal_auth import get_internal_eval_principal
+
+
+@pytest.mark.asyncio
+async def test_eval_asr_transcribe_returns_text():
+    from fastapi import FastAPI
+
+    from tests.conftest import install_test_error_handlers
+
+    class _FakeAsr:
+        async def transcribe(self, audio: bytes, format: str = "m4a") -> str:
+            assert audio == b"fake-audio"
+            assert format == "wav"
+            return "你好世界"
+
+    from app.features.evaluation.asr_service import EvalAsrService
+    from app.features.evaluation.deps import get_eval_asr_service
+    from app.features.evaluation.router import router
+
+    app = install_test_error_handlers(FastAPI())
+    app.include_router(router, prefix="/internal/api/evaluation")
+
+    async def _override_auth():
+        from app.features.evaluation.internal_auth import InternalEvalPrincipal
+
+        return InternalEvalPrincipal()
+
+    app.dependency_overrides[get_internal_eval_principal] = _override_auth
+    app.dependency_overrides[get_eval_asr_service] = lambda: EvalAsrService(_FakeAsr())
+
+    transport = ASGITransport(app=app)
+    async with AsyncClient(transport=transport, base_url="http://t") as client:
+        r = await client.post(
+            "/internal/api/evaluation/asr/transcribe?format=wav",
+            files={"file": ("sample.wav", b"fake-audio", "audio/wav")},
+            headers={"X-Internal-Eval-Key": "secret"},
+        )
+    assert r.status_code == 200
+    body = r.json()
+    assert body["text"] == "你好世界"
+    assert body["format"] == "wav"
+    assert body["audio_bytes"] == len(b"fake-audio")
+
+
+@pytest.mark.asyncio
+async def test_eval_asr_transcribe_rejects_empty_file():
+    from fastapi import FastAPI
+
+    from tests.conftest import install_test_error_handlers
+
+    class _FakeAsr:
+        async def transcribe(self, audio: bytes, format: str = "m4a") -> str:
+            return "unused"
+
+    from app.features.evaluation.asr_service import EvalAsrService
+    from app.features.evaluation.deps import get_eval_asr_service
+    from app.features.evaluation.router import router
+
+    app = install_test_error_handlers(FastAPI())
+    app.include_router(router, prefix="/internal/api/evaluation")
+
+    async def _override_auth():
+        from app.features.evaluation.internal_auth import InternalEvalPrincipal
+
+        return InternalEvalPrincipal()
+
+    app.dependency_overrides[get_internal_eval_principal] = _override_auth
+    app.dependency_overrides[get_eval_asr_service] = lambda: EvalAsrService(_FakeAsr())
+
+    transport = ASGITransport(app=app)
+    async with AsyncClient(transport=transport, base_url="http://t") as client:
+        r = await client.post(
+            "/internal/api/evaluation/asr/transcribe?format=wav",
+            files={"file": ("empty.wav", b"", "audio/wav")},
+            headers={"X-Internal-Eval-Key": "secret"},
+        )
+    assert r.status_code == 400
+    assert r.json()["error_code"] == "BAD_REQUEST"
+
+
+@pytest.mark.asyncio
+async def test_read_limited_upload_rejects_oversized_body():
+    from io import BytesIO
+
+    from starlette.datastructures import UploadFile as StarletteUploadFile
+
+    from app.features.evaluation.asr_service import read_limited_upload
+    from app.features.evaluation.errors import EvaluationBadRequestError
+
+    upload = StarletteUploadFile(
+        file=BytesIO(b"x" * 11),
+        filename="tiny.wav",
+    )
+    with pytest.raises(EvaluationBadRequestError, match="音频过大"):
+        await read_limited_upload(upload, max_bytes=10)

api/tests/test_alembic_migration_policy.py

@@ -5,7 +5,6 @@ from __future__ import annotations
 import re
 from pathlib import Path
 
-import pytest
 from alembic.config import Config
 from alembic.script import ScriptDirectory
 
@@ -39,7 +38,7 @@ def _script_dir() -> ScriptDirectory:
 
 def test_single_alembic_head() -> None:
     heads = _script_dir().get_heads()
-    assert heads == ["0021_memory_source_segment_id"], f"unexpected heads: {heads}"
+    assert heads == ["0022_users_google_openid"], f"unexpected heads: {heads}"
 
 
 def test_no_withdrawn_revision_ids_in_tree() -> None:
@@ -78,11 +77,11 @@ def test_all_revisions_have_unique_ids() -> None:
     assert len(ids) == len(set(ids)), "duplicate revision ids"
 
 
-def test_revision_chain_reaches_0021_from_0020() -> None:
+def test_revision_chain_reaches_0022_from_0021() -> None:
     script = _script_dir()
-    rev = script.get_revision("0021_memory_source_segment_id")
+    rev = script.get_revision("0022_users_google_openid")
     assert rev is not None
-    assert rev.down_revision == "0020_refresh_rt_lineage"
+    assert rev.down_revision == "0021_memory_source_segment_id"
 
 
 def test_no_autogenerate_introspection_backfill_pattern() -> None:

api/tests/test_auth_flow_http.py

@@ -26,6 +26,12 @@ def auth_app(make_test_user) -> FastAPI:
     mock_service.login = AsyncMock(
         return_value={"access_token": "access-login", "refresh_token": "refresh-login"}
     )
+    mock_service.login_with_google = AsyncMock(
+        return_value={
+            "access_token": "access-google",
+            "refresh_token": "refresh-google",
+        }
+    )
     mock_service.refresh_tokens = AsyncMock(
         return_value={"access_token": "access-new", "refresh_token": "refresh-new"}
     )
@@ -65,6 +71,16 @@ async def test_register_login_refresh_me(auth_app: FastAPI, unique_phone: str) -
         assert login.status_code == 200
         assert login.json()["access_token"] == "access-login"
 
+        google = await ac.post(
+            "/api/auth/login/google",
+            json={
+                "id_token": "header.payload.signature",
+                "agreed_to_terms": True,
+            },
+        )
+        assert google.status_code == 200
+        assert google.json()["access_token"] == "access-google"
+
         ref = await ac.post(
             "/api/auth/refresh",
             json={"refresh_token": "refresh-login"},
@@ -82,6 +98,10 @@ async def test_register_login_refresh_me(auth_app: FastAPI, unique_phone: str) -
     svc: MagicMock = auth_app.state._mock_auth_service
     svc.register.assert_awaited_once()
     svc.login.assert_awaited_once()
+    svc.login_with_google.assert_awaited_once_with(
+        id_token="header.payload.signature",
+        language=None,
+    )
     svc.refresh_tokens.assert_awaited_once_with(refresh_token="refresh-login")
 
 

api/tests/test_auth_google_login.py

@@ -0,0 +1,103 @@
+from __future__ import annotations
+
+from unittest.mock import MagicMock
+
+import pytest
+
+from app.features.auth import repo
+from app.features.auth.google import GoogleIdentity
+from app.features.auth.service import AuthError, AuthService
+from app.features.user.models import User
+
+
+def _identity(
+    *,
+    subject: str = "google-sub-1",
+    email: str = "person@example.com",
+    name: str = "Google Person",
+) -> GoogleIdentity:
+    return GoogleIdentity(
+        subject=subject,
+        email=email,
+        email_verified=True,
+        name=name,
+        picture="https://example.com/avatar.jpg",
+    )
+
+
+@pytest.mark.asyncio
+async def test_google_login_creates_user(
+    auth_session_factory,
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    monkeypatch.setattr(
+        "app.features.auth.service.verify_google_id_token",
+        lambda _token: _identity(),
+    )
+
+    async with auth_session_factory() as db:
+        svc = AuthService(db=db, sms=MagicMock())
+        result = await svc.login_with_google("id-token", language="en")
+
+        assert result["access_token"]
+        assert result["refresh_token"]
+        assert result["is_new_user"] is True
+
+        user = await repo.get_user_by_openid("google:google-sub-1", db)
+        assert user is not None
+        assert user.phone == "google:google-sub-1"
+        assert user.email == "person@example.com"
+        assert user.nickname == "Google Person"
+        assert user.language_preference == "en"
+
+
+@pytest.mark.asyncio
+async def test_google_login_links_existing_verified_email_user(
+    auth_session_factory,
+    make_test_user,
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    monkeypatch.setattr(
+        "app.features.auth.service.verify_google_id_token",
+        lambda _token: _identity(email="linked@example.com"),
+    )
+
+    async with auth_session_factory() as db:
+        existing: User = make_test_user(nickname="Existing")
+        existing.email = "linked@example.com"
+        db.add(existing)
+        await db.commit()
+
+        svc = AuthService(db=db, sms=MagicMock())
+        result = await svc.login_with_google("id-token", language="en")
+
+        assert result["is_new_user"] is False
+        await db.refresh(existing)
+        assert existing.openid == "google:google-sub-1"
+        assert existing.nickname == "Existing"
+        assert existing.language_preference != "en"
+
+
+@pytest.mark.asyncio
+async def test_google_login_rejects_email_bound_to_other_openid(
+    auth_session_factory,
+    make_test_user,
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    monkeypatch.setattr(
+        "app.features.auth.service.verify_google_id_token",
+        lambda _token: _identity(email="taken@example.com"),
+    )
+
+    async with auth_session_factory() as db:
+        existing: User = make_test_user(nickname="Existing")
+        existing.email = "taken@example.com"
+        existing.openid = "google:another-sub"
+        db.add(existing)
+        await db.commit()
+
+        svc = AuthService(db=db, sms=MagicMock())
+        with pytest.raises(AuthError) as exc_info:
+            await svc.login_with_google("id-token")
+
+        assert exc_info.value.code == "EMAIL_EXISTS"

api/tests/test_auth_google_remote_verifier.py

@@ -0,0 +1,130 @@
+from __future__ import annotations
+
+from typing import Any
+
+import httpx
+import pytest
+
+from app.core.app_config import get_app_config
+from app.core.config import settings
+from app.core.errors import ServiceUnavailableError
+from app.features.auth.google import verify_google_id_token
+from app.features.auth.service_errors import AuthError
+
+
+def _configure_remote_verifier(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr(
+        get_app_config().deploy,
+        "google_oauth_client_ids",
+        "web-client",
+    )
+    monkeypatch.setattr(
+        settings,
+        "google_token_verifier_url",
+        "https://verifier.example/api/verify-google-token",
+    )
+    monkeypatch.setattr(settings, "google_token_verifier_secret", "shared-secret")
+    monkeypatch.setattr(settings, "google_token_verifier_timeout_seconds", 3.0)
+
+
+def test_remote_google_verifier_success(monkeypatch: pytest.MonkeyPatch) -> None:
+    _configure_remote_verifier(monkeypatch)
+    calls: list[dict[str, Any]] = []
+
+    def fake_post(
+        url: str,
+        *,
+        json: dict[str, str],
+        headers: dict[str, str],
+        timeout: float,
+    ) -> httpx.Response:
+        calls.append(
+            {
+                "url": url,
+                "json": json,
+                "headers": headers,
+                "timeout": timeout,
+            }
+        )
+        return httpx.Response(
+            200,
+            json={
+                "subject": "google-sub",
+                "email": "Person@Example.com",
+                "email_verified": True,
+                "name": "Google Person",
+                "picture": "https://example.com/avatar.jpg",
+                "audience": "web-client",
+            },
+        )
+
+    monkeypatch.setattr("app.features.auth.google.httpx.post", fake_post)
+
+    identity = verify_google_id_token("id-token")
+
+    assert identity.subject == "google-sub"
+    assert identity.email == "person@example.com"
+    assert identity.audience == "web-client"
+    assert calls == [
+        {
+            "url": "https://verifier.example/api/verify-google-token",
+            "json": {"id_token": "id-token"},
+            "headers": {
+                "Accept": "application/json",
+                "Authorization": "Bearer shared-secret",
+            },
+            "timeout": 3.0,
+        }
+    ]
+
+
+def test_remote_google_verifier_rejects_invalid_token(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    _configure_remote_verifier(monkeypatch)
+
+    def fake_post(*_args: object, **_kwargs: object) -> httpx.Response:
+        return httpx.Response(401, json={"error": "INVALID_TOKEN"})
+
+    monkeypatch.setattr("app.features.auth.google.httpx.post", fake_post)
+
+    with pytest.raises(AuthError) as exc_info:
+        verify_google_id_token("bad-token")
+
+    assert exc_info.value.code == "INVALID_TOKEN"
+
+
+def test_remote_google_verifier_rejects_audience_mismatch(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    _configure_remote_verifier(monkeypatch)
+
+    def fake_post(*_args: object, **_kwargs: object) -> httpx.Response:
+        return httpx.Response(
+            200,
+            json={
+                "subject": "google-sub",
+                "email": "person@example.com",
+                "email_verified": True,
+                "name": "",
+                "picture": None,
+                "audience": "other-client",
+            },
+        )
+
+    monkeypatch.setattr("app.features.auth.google.httpx.post", fake_post)
+
+    with pytest.raises(AuthError) as exc_info:
+        verify_google_id_token("id-token")
+
+    assert exc_info.value.code == "INVALID_TOKEN"
+
+
+def test_remote_google_verifier_requires_shared_secret(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    _configure_remote_verifier(monkeypatch)
+    monkeypatch.setattr(settings, "google_token_verifier_secret", "")
+
+    with pytest.raises(ServiceUnavailableError):
+        verify_google_id_token("id-token")

api/tests/test_error_code_registry.py

@@ -2,7 +2,6 @@
 
 from __future__ import annotations
 
-import inspect
 import re
 from pathlib import Path
 
@@ -10,6 +9,7 @@ import pytest
 
 from app.core.error_codes import ALL_ERROR_CODES, ERROR_CODE_ENUM
 from app.core.errors import (
+    _STATUS_TO_ERROR_CODE,
     AppError,
     AuthenticationError,
     AuthorizationError,
@@ -22,9 +22,8 @@ from app.core.errors import (
     RateLimitedError,
     ServiceUnavailableError,
     ValidationError,
-    _STATUS_TO_ERROR_CODE,
 )
-from app.features.auth.service import _AUTH_CODE_MAP
+from app.features.auth.service_errors import _AUTH_CODE_MAP
 from app.features.payment.payment_exceptions import _PAYMENT_CODE_MAP
 
 _APP_FEATURES_ROOT = Path(__file__).resolve().parents[1] / "app" / "features"
@@ -46,8 +45,6 @@ def _app_error_subclass_codes() -> set[str]:
         QuotaExceededError,
         RateLimitedError,
     ):
-        sig = inspect.signature(cls.__init__)
-        default = sig.parameters.get("message")
         # Instantiate with defaults to read resolved error_code from AppError base.
         instance = cls()
         codes.add(instance.error_code)

api/tests/test_settings_allowlist.py

@@ -18,6 +18,7 @@ EXPECTED_PREFIXES = (
     "alipay_",
     "liblib_",
     "internal_eval_",
+    "google_token_verifier_",
 )