Skip to content

1004: Add new endpoint for google token exchange #609

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

1004: Add new endpoint for google token exchange #609

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a3bed8f
1004: Add new endpoint for google token exchange
danhalson Nov 5, 2025
91f13ce
Merge branch 'main' into danhalson/1004-update-google-auth
danhalson Nov 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .env.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,3 +47,7 @@ ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=deterministic-key
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=derivation-salt

EDITOR_ENCRYPTION_KEY=a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0

# The sandbox creds can be found in 1password under "Google Cloud Console: CEfE Sandbox"
GOOGLE_CLIENT_ID=changeme.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=changeme
45 changes: 45 additions & 0 deletions app/controllers/api/google_auth_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
# frozen_string_literal: true

module Api
class GoogleAuthController < ApiController
TOKEN_EXCHANGE_URL = 'https://oauth2.googleapis.com/token'

before_action :authorize_user
authorize_resource :google_auth, class: false

def exchange_code
payload = google_token_params

request_body = {
code: payload[:code],
client_id: ENV.fetch('GOOGLE_CLIENT_ID'),
client_secret: ENV.fetch('GOOGLE_CLIENT_SECRET'),
redirect_uri: payload[:redirect_uri],
grant_type: 'authorization_code'
}

conn = Faraday.new do |f|
f.request :url_encoded
Copy link

Copilot AI Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] No timeout configuration for external API call. While Faraday has default timeouts, it's a best practice to explicitly configure timeouts for external API calls to prevent long-running requests from blocking server resources.

Consider adding explicit timeout configuration:

conn = Faraday.new do |f|
  f.request :url_encoded
  f.options.timeout = 10      # connection open timeout
  f.options.open_timeout = 5  # connection initialization timeout
end
Suggested change
f.request :url_encoded
f.request :url_encoded
f.options.timeout = 10 # connection open timeout
f.options.open_timeout = 5 # connection initialization timeout

Copilot uses AI. Check for mistakes.
end

response = conn.post(TOKEN_EXCHANGE_URL, request_body)
@token_response = JSON.parse(response.body)
Copy link

Copilot AI Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing error handling for JSON parsing. If Google returns an invalid or malformed JSON response, JSON.parse(response.body) will raise a JSON::ParserError which is not caught by the Faraday::Error rescue block. This could lead to an unhandled exception and a 500 Internal Server Error response to the client.

Consider wrapping the JSON parsing in a rescue block or rescuing JSON::ParserError separately to handle this case gracefully.

Suggested change
@token_response = JSON.parse(response.body)
begin
@token_response = JSON.parse(response.body)
rescue JSON::ParserError => e
render json: { error: "Invalid response from Google: #{e.message}" }, status: :bad_gateway
return
end

Copilot uses AI. Check for mistakes.

if response.success?
render :exchange_code, status: :ok
else
render json: { error: @token_response['error_description'] }, status: :unauthorized
Copy link

Copilot AI Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potential nil error message. If Google returns an error response without an error_description field, @token_response['error_description'] will be nil, resulting in { error: nil } being returned to the client. This could be confusing for API consumers.

Consider providing a fallback error message or using @token_response['error'] as a fallback if error_description is not present.

Suggested change
render json: { error: @token_response['error_description'] }, status: :unauthorized
error_message = @token_response['error_description'] || @token_response['error'] || 'Unknown error'
render json: { error: error_message }, status: :unauthorized

Copilot uses AI. Check for mistakes.
end
rescue Faraday::Error => e
render json: { error: e.message }, status: :service_unavailable
end

private

def google_token_params
params.require(:google_auth).require(:code)
params.require(:google_auth).require(:redirect_uri)
params.require(:google_auth).permit(:code, :redirect_uri)
end
end
end
4 changes: 0 additions & 4 deletions app/controllers/auth_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,6 @@
# frozen_string_literal: true

class AuthController < ApplicationController
# def index

# end

def callback
Rails.logger.debug { "callback: #{omniauth_params}" }
# Prevent session fixation. If the session has been initialized before
Expand Down
2 changes: 2 additions & 0 deletions app/models/ability.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ def define_school_owner_abilities(school:)
can(%i[read create create_batch update destroy], :school_student)
can(%i[create create_copy], Lesson, school_id: school.id)
can(%i[read update destroy], Lesson, school_id: school.id, visibility: %w[teachers students public])
can(%i[exchange_code], :google_auth)
end

def define_school_teacher_abilities(user:, school:)
Expand Down Expand Up @@ -98,6 +99,7 @@ def define_school_teacher_abilities(user:, school:)
can(%i[read], Project, remixed_from_id: teacher_project_ids)
can(%i[show_status unsubmit return complete], SchoolProject, project: { remixed_from_id: teacher_project_ids })
can(%i[read create], Feedback, school_project: { project: { remixed_from_id: teacher_project_ids } })
can(%i[exchange_code], :google_auth)
end

def define_school_student_abilities(user:, school:)
Expand Down
10 changes: 10 additions & 0 deletions app/views/api/google_auth/exchange_code.json.jbuilder
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
# frozen_string_literal: true

json.call(
@token_response,
'access_token',
'expires_in',
'token_type',
'scope',
'id_token'
Copy link

Copilot AI Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] The view does not include refresh_token in the response. Google's OAuth 2.0 token endpoint can return a refresh_token when certain conditions are met (e.g., access_type=offline is requested). If the classroom importer needs to maintain long-term access to Google APIs, the refresh token will be needed.

Consider whether refresh_token should be included in the response, or add a comment explaining why it's intentionally excluded if it's not needed for this use case.

Suggested change
'id_token'
'id_token',
'refresh_token'

Copilot uses AI. Check for mistakes.
)
2 changes: 2 additions & 0 deletions config/routes.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,8 @@
end

resources :user_jobs, only: %i[index show]

post '/google/auth/exchange-code', to: 'google_auth#exchange_code', defaults: { format: :json }
end

resource :github_webhooks, only: :create, defaults: { formats: :json }
Expand Down
47 changes: 47 additions & 0 deletions spec/models/ability_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -593,4 +593,51 @@
it { is_expected.not_to be_able_to(:destroy, other_school_class_saved) }
end
end

describe 'Google Auth' do
context 'with no user' do
let(:user) { nil }

it { is_expected.not_to be_able_to(:exchange_code, :google_auth) }
end

context 'with a standard user (no school)' do
let(:user) { build(:user) }

it { is_expected.not_to be_able_to(:exchange_code, :google_auth) }
end

context 'with a school teacher' do
let(:user) { create(:user) }
let(:school) { create(:school) }

before do
create(:teacher_role, user_id: user.id, school:)
end

it { is_expected.to be_able_to(:exchange_code, :google_auth) }
end

context 'with a school owner' do
let(:user) { create(:user) }
let(:school) { create(:school) }

before do
create(:owner_role, user_id: user.id, school:)
end

it { is_expected.to be_able_to(:exchange_code, :google_auth) }
end

context 'with a school student' do
let(:user) { create(:user) }
let(:school) { create(:school) }

before do
create(:student_role, user_id: user.id, school:)
end

it { is_expected.not_to be_able_to(:exchange_code, :google_auth) }
end
end
end
184 changes: 184 additions & 0 deletions spec/requests/api/google_auth_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,184 @@
# frozen_string_literal: true

require 'rails_helper'

RSpec.describe 'Google Auth requests' do
let(:headers) { { Authorization: UserProfileMock::TOKEN } }
let(:school) { create(:school) }
let(:owner) { create(:owner, school:) }

before do
authenticated_in_hydra_as(owner)
end

describe 'POST /api/google_auth/exchange_code' do
let(:params) do
{
google_auth: {
code: 'test-authorization-code',
redirect_uri: 'https://example.com/callback'
}
}
end

let(:google_token_response) do
{
'access_token' => 'test-access-token',
'expires_in' => 3599,
'token_type' => 'Bearer',
'scope' => 'openid email profile',
'id_token' => 'test-id-token'
}
end

around do |example|
ClimateControl.modify(
GOOGLE_CLIENT_ID: 'test-client-id',
GOOGLE_CLIENT_SECRET: 'test-client-secret'
) do
example.run
end
end

context 'when token exchange is successful' do
before do
stub_request(:post, Api::GoogleAuthController::TOKEN_EXCHANGE_URL)
.with(
body: {
code: 'test-authorization-code',
client_id: 'test-client-id',
client_secret: 'test-client-secret',
redirect_uri: 'https://example.com/callback',
grant_type: 'authorization_code'
}
)
.to_return(
status: 200,
body: google_token_response.to_json,
headers: { 'Content-Type' => 'application/json' }
)
end

it 'returns success response' do
post('/api/google/auth/exchange-code', params:, headers:)
expect(response).to have_http_status(:ok)
end

it 'returns token response from Google' do
post('/api/google/auth/exchange-code', params:, headers:)
expect(response.parsed_body).to eq(google_token_response)
end

it 'includes access_token in response' do
post('/api/google/auth/exchange-code', params:, headers:)
expect(response.parsed_body['access_token']).to eq('test-access-token')
end
end

context 'when token exchange fails with error from Google' do
let(:error_response) do
{
'error' => 'invalid_grant',
'error_description' => 'Bad Request'
}
end

before do
stub_request(:post, Api::GoogleAuthController::TOKEN_EXCHANGE_URL)
.to_return(
status: 400,
body: error_response.to_json,
headers: { 'Content-Type' => 'application/json' }
)
end

it 'returns unauthorized response' do
post('/api/google/auth/exchange-code', params:, headers:)
expect(response).to have_http_status(:unauthorized)
end

it 'returns error message' do
post('/api/google/auth/exchange-code', params:, headers:)
expect(response.parsed_body['error']).to eq('Bad Request')
end
end

context 'when network error occurs' do
before do
stub_request(:post, Api::GoogleAuthController::TOKEN_EXCHANGE_URL)
.to_raise(Faraday::ConnectionFailed.new('Connection failed'))
end

it 'returns service unavailable response' do
post('/api/google/auth/exchange-code', params:, headers:)
expect(response).to have_http_status(:service_unavailable)
end

it 'returns error message' do
post('/api/google/auth/exchange-code', params:, headers:)
expect(response.parsed_body['error']).to eq('Connection failed')
end
end

context 'when code parameter is missing' do
let(:params) do
{
google_auth: {
redirect_uri: 'https://example.com/callback'
}
}
end

it 'returns bad request response' do
post('/api/google/auth/exchange-code', params:, headers:)
expect(response).to have_http_status(:bad_request)
end
end

context 'when redirect_uri parameter is missing' do
let(:params) do
{
google_auth: {
code: 'test-authorization-code'
}
}
end

it 'returns bad request response' do
post('/api/google/auth/exchange-code', params:, headers:)
expect(response).to have_http_status(:bad_request)
end
end

context 'when google_auth params are missing' do
it 'returns bad request response' do
post('/api/google/auth/exchange-code', headers:)
expect(response).to have_http_status(:bad_request)
end
end

context 'when user is not authenticated' do
before do
unauthenticated_in_hydra
end

it 'returns unauthorized response' do
post('/api/google/auth/exchange-code', params:, headers:)
expect(response).to have_http_status(:unauthorized)
end
end

context 'when user is not authorized' do
let(:student) { create(:student, school:) }

before do
authenticated_in_hydra_as(student)
end

it 'returns forbidden response' do
post('/api/google/auth/exchange-code', params:, headers:)
expect(response).to have_http_status(:forbidden)
end
end
end
end
Loading