Google OAuth2 authentication for Quarto Hub#18

Merged
cscheid merged 29 commits into main from feature/auth
Feb 27, 2026

@shikokuchuo (Collaborator) commented Feb 24, 2026

Summary

Adds optional Google Sign-In across the Hub server and web client.
Auth is off by default and enabled by passing --google-client-id <ID> to the hub server.

Architecture

   Browser (Google Sign-In)                                                  
            │                                                            
       ID token (JWT)                                         
            │
            ▼                                                               
    ┌───────────────────────────────┐
    │       Hub Server (Axum)       │                                       
    │                               │                       
    │  ── auth boundary ──────────  │
    │                               │
    │  REST API    Automerge sync   │
    └───────────────────────────────┘

Auth is enforced at the transport layer (HTTP/WebSocket upgrade) before any request processing begins.
The sync protocol (samod/Automerge) is completely unaware of authentication — unauthenticated connections are rejected before they reach it. This keeps auth concerns out of the collaboration engine entirely.

Server (quarto-hub)

  • New auth module that validates Google ID tokens locally using cached public keys (no per-request call to Google).
  • All endpoints (/health, /api/*, and WebSocket sync) require a valid token when auth is enabled.
  • Operators can restrict access to specific email addresses or domains via --allowed-emails and --allowed-domains.
  • Env vars QUARTO_HUB_GOOGLE_CLIENT_ID, QUARTO_HUB_ALLOWED_EMAILS and QUARTO_HUB_ALLOWED_DOMAINS allowed in place of arguments.
  • Startup check ensures TLS is accounted for before accepting tokens.

Web client (hub-client)

  • When a Google client ID is configured, unauthenticated users see a login screen with Google's standard Sign-In button.
  • After sign-in, the ID token is stored as an HttpOnly cookie, which is included by the browser as a header for all sync and API connections.
  • Token expiry is monitored automatically; silent refresh renews the session without interrupting the user when possible.
  • Sign-out button with Google avatar shown in the ProjectSelector header.

@shikokuchuo shikokuchuo force-pushed the feature/auth branch 5 times, most recently from 384985a to 205c0ec, February 26, 2026 16:41
@shikokuchuo shikokuchuo requested a review from cscheid February 27, 2026 17:18
@cscheid cscheid merged commit aca66fb into main Feb 27, 2026
4 checks passed
@shikokuchuo shikokuchuo deleted the feature/auth branch February 27, 2026 18:19
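
The claim checks implied by local ID-token validation and the --allowed-emails / --allowed-domains restriction described in the PR summary, as an added example that is not code from this PR. It assumes the JWT signature was already verified against the cached Google keys; `Claims`, `Policy`, `Deny` and `authorize` are hypothetical names, and the list semantics (a match in either list grants access, two empty lists admit any signed-in Google account) are assumptions.

```rust
// Added example; names are hypothetical, not quarto-hub's own types.
pub struct Claims<'a> {
    pub iss: &'a str,
    pub aud: &'a str,
    pub exp: u64, // seconds since the Unix epoch
    pub email: &'a str,
    pub email_verified: bool,
}

pub struct Policy<'a> {
    pub client_id: &'a str,
    pub allowed_emails: &'a [&'a str],
    pub allowed_domains: &'a [&'a str],
}

#[derive(Debug, PartialEq)]
pub enum Deny { Issuer, Audience, Expired, UnverifiedEmail, NotAllowed }

pub fn authorize(c: &Claims, p: &Policy, now: u64) -> Result<(), Deny> {
    // Google documents both issuer spellings for ID tokens.
    if c.iss != "https://accounts.google.com" && c.iss != "accounts.google.com" {
        return Err(Deny::Issuer);
    }
    // A token minted for another OAuth client must not be accepted here.
    if c.aud != p.client_id { return Err(Deny::Audience); }
    if c.exp <= now { return Err(Deny::Expired); }
    // An unverified address proves nothing about mailbox ownership.
    if !c.email_verified { return Err(Deny::UnverifiedEmail); }
    // Assumed semantics: both lists empty means any Google account passes.
    if p.allowed_emails.is_empty() && p.allowed_domains.is_empty() { return Ok(()); }
    let email = c.email.to_ascii_lowercase();
    // Compare the part after the last '@' exactly, so that
    // "example.com.other.test" never matches an allowed "example.com".
    let domain = email.rsplit_once('@').map(|(_, d)| d).unwrap_or("");
    let listed = p.allowed_emails.iter().any(|e| e.eq_ignore_ascii_case(&email))
        || (!domain.is_empty()
            && p.allowed_domains.iter().any(|d| d.eq_ignore_ascii_case(domain)));
    if listed { Ok(()) } else { Err(Deny::NotAllowed) }
}

fn main() {
    // Constructed sample values; the client ID is a placeholder.
    let p = Policy { client_id: "CLIENT_ID.apps.googleusercontent.com",
        allowed_emails: &["alice@example.org"], allowed_domains: &["example.com"] };
    let c = Claims { iss: "https://accounts.google.com", aud: p.client_id,
        exp: 2_000, email: "bob@example.com", email_verified: true };
    println!("{:?}", authorize(&c, &p, 1_000));
}
```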