The Prismo backend now supports Google OAuth authentication, allowing users to sign in with their Google accounts.
Add these to your `.env` file:

```env
# Google OAuth Configuration
GOOGLE_CLIENT_SECRET=your_google_client_secret_here
GOOGLE_REDIRECT_URI=http://localhost:5000/oauth/google/callback
```

To obtain the credentials in Google Cloud Console:

- Go to Google Cloud Console
- Create a new project or select an existing one
- Enable Google+ API
- Go to "Credentials" → "Create Credentials" → "OAuth 2.0 Client IDs"
- Set application type to "Web application"
- Add authorized redirect URIs:
  - `http://localhost:5000/oauth/google/callback` (development)
  - `https://yourdomain.com/oauth/google/callback` (production)
Available endpoints:

```http
GET /oauth/status
```
Returns OAuth configuration status and available endpoints.

```http
GET /oauth/google/login
```
Returns the Google OAuth URL and state parameter for login initiation.

```http
GET /oauth/google/callback?code=...&state=...
```
Handles the Google OAuth callback and creates or logs in the user.

```http
GET /oauth/google/userinfo
Authorization: Bearer <access_token>
```
Returns user information from the Google access token.

```http
POST /oauth/google/revoke
Authorization: Bearer <access_token>
```
Revokes the Google access token.

```http
POST /oauth/google/refresh
Content-Type: application/json

{
  "refresh_token": "your_refresh_token"
}
```
Refreshes the Google access token.
Start the login flow:

```bash
curl http://localhost:5000/oauth/google/login
```

Response:

```json
{
  "auth_url": "https://accounts.google.com/o/oauth2/v2/auth?...",
  "state": "random_state_string"
}
```

- User visits the `auth_url` in their browser
- User completes Google authentication
- Google redirects to the callback URL with an authorization code
The callback endpoint automatically:
- Exchanges code for access token
- Gets user info from Google
- Creates new user or logs in existing user
- Returns user data and access token
Use the returned access token for authenticated requests:

```bash
curl -H "Authorization: Bearer <access_token>" \
  http://localhost:5000/oauth/google/userinfo
```

When a user signs in with Google, the following data is stored:

```json
{
  "id": "generated_uuid",
  "cognito_user_id": "google_user_id",
  "email": "user@example.com",
  "username": "user",
  "profile": {
    "name": "User Name",
    "picture": "https://...",
    "provider": "google"
  },
  "preferences": {
    "theme": "light",
    "notifications": true
  },
  "is_active": true,
  "created_at": "2024-01-01T00:00:00Z",
  "updated_at": "2024-01-01T00:00:00Z"
}
```

Security features:

- State Parameter: Prevents CSRF attacks
- Email Verification: Only verified Google emails are accepted
- Token Validation: Access tokens are validated with Google
- Secure Sessions: Flask sessions are used for state management
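The state check and the verified-email rule listed above, together with the callback steps, as an added Python example (not Prismo's own code): the function names, the mapping of Google's `sub` field onto `cognito_user_id`, and the sample callback URL and userinfo payload are constructed for illustration.

```python
# Added example, not Prismo's own code: the state (CSRF) check and the
# verified-email check the callback performs, run on constructed sample data.
import secrets
from urllib.parse import urlparse, parse_qs

def new_state() -> str:
    """Unpredictable state value handed out by /oauth/google/login and kept
    in the server-side session until Google echoes it back."""
    return secrets.token_urlsafe(32)

def validate_callback(callback_url: str, session_state) -> str:
    """Return the authorization code only if the callback's state matches
    the one stored for this browser session; raise otherwise."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if not session_state or state is None:
        raise ValueError("missing state: session expired or callback forged")
    # constant-time comparison so the check reveals nothing about the secret
    if not secrets.compare_digest(state, session_state):
        raise ValueError("state mismatch: possible CSRF, login rejected")
    if not code:
        raise ValueError("callback carried no authorization code")
    return code

def user_from_google_profile(profile: dict) -> dict:
    """Map Google's userinfo response onto the stored user record shape,
    accepting only accounts whose e-mail Google has verified."""
    if not profile.get("email_verified"):
        raise ValueError("email not verified by Google; user not created")
    return {
        "cognito_user_id": profile["sub"],  # Google's stable account id
        "email": profile["email"],
        "username": profile["email"].split("@", 1)[0],
        "profile": {"name": profile.get("name"),
                    "picture": profile.get("picture"),
                    "provider": "google"},
    }

# Constructed sample data: callback carrying the session's state, verified userinfo.
SESSION_STATE = new_state()
SAMPLE_CALLBACK = ("http://localhost:5000/oauth/google/callback"
                   f"?code=4/0AbCdEf&state={SESSION_STATE}")
SAMPLE_PROFILE = {"sub": "1234567890", "email": "user@example.com",
                  "email_verified": True, "name": "User Name",
                  "picture": "https://example.invalid/photo.jpg"}

if __name__ == "__main__":
    print("code:", validate_callback(SAMPLE_CALLBACK, SESSION_STATE))
    print(user_from_google_profile(SAMPLE_PROFILE))
```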
Run the OAuth test script:

```bash
cd backend
uv run test_oauth.py
```

This will test:

- OAuth configuration status
- Google login initiation
- Endpoint availability

Production considerations:

- HTTPS: Use HTTPS in production
- Domain: Update redirect URIs for production domain
- Secrets: Store client secret securely
- Rate Limiting: Implement rate limiting for OAuth endpoints
- Logging: Add comprehensive logging for OAuth flows
- Error Handling: Implement proper error handling and user feedback
Common issues:

- Invalid Redirect URI: Ensure the redirect URI matches the Google Console configuration
- Client Secret Missing: Set `GOOGLE_CLIENT_SECRET` in environment variables
- State Mismatch: Ensure the state parameter is properly handled
- Email Not Verified: Only verified Google emails are accepted
Enable Flask debug mode to see detailed error messages:

```python
app.config['DEBUG'] = True
```

The OAuth system integrates with the existing authentication system:

- Users created via OAuth are stored in the same `users` table
- OAuth users can access all the same features as regular users
- The system supports both OAuth and traditional authentication
Next steps:

- Set up Google Cloud Console project
- Add client secret to environment variables
- Test OAuth flow with the test script
- Integrate OAuth login into your frontend
- Implement proper session management
- Add OAuth logout functionality