feat: Google Sign-In (replaces Magic) — data-preserving #2
Merged
The old GoogleCloudPlatform/github-actions/setup-gcloud@master action was retired by Google and no longer resolves, breaking the deploy job at setup. Switch to google-github-actions/auth@v2 + setup-gcloud@v2 (auth is now a separate step using credentials_json), and bump checkout/setup-go versions.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Magic (magic.link) is being retired; switch authentication to Google ID tokens. User content is keyed on user.id, so no data moves — only how a returning user is identified changes.
- middleware/auth.go: verify Google ID tokens via google.golang.org/api/idtoken (checks signature, audience=GOOGLE_CLIENT_ID, issuer, expiry); store the Google subject (in user.iss) + verified email on the context
- AuthUser (user + list): resolve by Google subject, then fall back to a verified-email match that re-links a legacy Magic account to the Google identity (UpdateIss) — preserves all lists/items/favs/profile
- Create: derive email from the verified token, not the request body
- Login: identity comes entirely from the token; 401 lets the client create
- config: add GOOGLE_CLIENT_ID; thread it into the auth middleware
- go.mod: bump to go 1.22, drop go-magic, add google.golang.org/api
- Dockerfile: golang:1.12 -> golang:1.22-alpine
Verified: go build, go test ./..., and the production docker build are green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Prevents an in-progress PR (e.g. one that still needs a new env var) from deploying to the production Cloud Run service. See backend-deploys-on-pr note.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Replaces Magic auth with Google ID-token verification.

⚠️ Do not merge until the OAuth Client ID + GOOGLE_CLIENT_ID env are configured (see below) — otherwise the deployed backend rejects all tokens.

What
- middleware/auth.go: verify Google ID tokens via google.golang.org/api/idtoken (signature, aud=GOOGLE_CLIENT_ID, iss, expiry); set Google subject (user.iss) + verified email on context
- AuthUser (user + list): resolve by Google subject; fallback: match verified email → re-link the existing (Magic) account to the Google identity so all lists/items/favs/profile carry over
- Create: email taken from the verified token (not the body)
- config: GOOGLE_CLIENT_ID; go.mod: go 1.22 + drop go-magic; Dockerfile: golang:1.22-alpine

Deploy prerequisite
Set the env var on Cloud Run (and ideally in CI):
Verification
go build, go test ./..., and the production docker build are all green locally.

🤖 Generated with Claude Code
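The subject-first lookup with verified-email re-link described above, as an added example that is not code from this PR. The `Claims` and `User` types, `ResolveUser`, the error names and the in-memory slice standing in for the database are hypothetical, and the `did:ethr:` legacy-issuer prefix is an assumption. The example goes one step beyond the description by refusing to re-link an account whose `Iss` already holds a non-legacy identity.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Claims come from a token that already passed signature/aud/iss/exp checks.
type Claims struct {
	Subject, Email string
	EmailVerified  bool
}

type User struct{ ID, Iss, Email string } // ID keys all content; Iss is the identity

var ErrNoAccount = errors.New("no account for this identity") // caller answers 401
var ErrConflict = errors.New("email already bound to another Google subject")

const legacyPrefix = "did:ethr:" // assumption: legacy Magic issuer format

// ResolveUser looks up by Google subject, then re-links a legacy account on a
// verified-email match. It refuses to overwrite a non-legacy Iss.
func ResolveUser(users []*User, c Claims) (*User, error) {
	for _, u := range users {
		if u.Iss == c.Subject {
			return u, nil
		}
	}
	if !c.EmailVerified || c.Email == "" {
		return nil, ErrNoAccount // an unverified email proves nothing
	}
	for _, u := range users {
		if u.Email != c.Email {
			continue
		}
		if !strings.HasPrefix(u.Iss, legacyPrefix) {
			return nil, ErrConflict
		}
		u.Iss = c.Subject // the page's UpdateIss step; u.ID is unchanged
		return u, nil
	}
	return nil, ErrNoAccount
}

func main() {
	users := []*User{{"u1", "did:ethr:0xabc", "a@example.com"}} // constructed
	u, err := ResolveUser(users, Claims{"g-123", "a@example.com", true})
	fmt.Println(u.ID, u.Iss, err) // u1 g-123 <nil>
}
```
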