Add Google Sign-In (SSO) support to Flutter mobile app (#860)

* Add mobile SSO support to sessions controller Add /auth/mobile/:provider route and mobile_sso_start action that captures device params in session and renders an auto-submitting POST form to OmniAuth (required by omniauth-rails_csrf_protection). Modify openid_connect callback to detect mobile_sso session, issue Doorkeeper tokens via MobileDevice, and redirect to sureapp://oauth/callback with tokens. Handles MFA users and unlinked accounts with error redirects. Validates provider name against configured SSO providers and device info before proceeding. * Add SSO auth flow to Flutter service and provider Add buildSsoUrl() and handleSsoCallback() to AuthService for constructing the mobile SSO URL and parsing tokens from the deep link callback. Add startSsoLogin() and handleSsoCallback() to AuthProvider for launching browser-based SSO and processing the redirect. * Register deep link listener for SSO callback Listen for sureapp://oauth/* deep links via app_links package, handling both cold start (getInitialLink) and warm (uriLinkStream) scenarios. Routes callbacks to AuthProvider.handleSsoCallback(). * Add Google Sign-In button to Flutter login screen Add "or" divider and outlined Google Sign-In button that triggers browser-based SSO via startSsoLogin('google_oauth2'). Add app_links and url_launcher dependencies to pubspec.yaml. * Fix mobile SSO failure handling to redirect back to app When OmniAuth fails during mobile SSO flow, redirect to sureapp://oauth/callback with the error instead of the web login page. Cleans up mobile_sso session data on failure. * Address PR review feedback for mobile SSO flow - Use strong params for device info in mobile_sso_start - Guard against nil session data in handle_mobile_sso_callback - Add error handling for AppLinks initialization and stream - Handle launchUrl false return value in SSO login - Use user-friendly error messages instead of exposing exceptions - Reject empty token strings in SSO callback validation * Consolidate mobile device token logic into MobileDevice model Extract duplicated device upsert and token issuance code from AuthController and SessionsController into MobileDevice. Add CALLBACK_URL constant and URL builder helpers to eliminate repeated deep-link strings. Add mobile SSO integration tests covering the full flow, MFA rejection, unlinked accounts, and failure handling. * Fix CI: resolve Brakeman redirect warnings and rubocop empty line Move mobile SSO redirect into a private controller method with an inline string literal so Brakeman can statically verify the target. Remove unused URL builder helpers from MobileDevice. Fix extra empty line at end of AuthController class body. * Use authorization code exchange for mobile SSO and add signup error handling Replace passing plaintext tokens in mobile SSO redirect URLs with a one-time authorization code pattern. Tokens are now stored server-side in Rails.cache (5min TTL) and exchanged via a secure POST to /api/v1/auth/sso_exchange. Also wraps device/token creation in the signup action with error handling and sanitizes device error messages. * Add error handling for login device registration and blank SSO code guard * Address PR #860 review: fix SSO race condition, add OpenAPI spec, and cleanup - Fix race condition in sso_exchange by checking Rails.cache.delete return value to ensure only one request can consume an authorization code - Use strong parameters (params.require) for sso_exchange code param - Move inline HTML from mobile_sso_start to a proper view template - Clear stale session[:mobile_sso] flag on web login paths to prevent abandoned mobile flows from hijacking subsequent web SSO logins - Add OpenAPI/rswag spec for all auth API endpoints Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * Fix mobile SSO test to match authorization code exchange pattern The test was asserting tokens directly in the callback URL, but the code uses an authorization code exchange pattern. Updated to exchange the code via the sso_exchange API endpoint. Also swaps in a MemoryStore for this test since the test environment uses null_store which discards writes. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * Refactor mobile OAuth to use single shared application Replace per-device Doorkeeper::Application creation with a shared "Sure Mobile" OAuth app. Device tracking uses mobile_device_id on access tokens instead of oauth_application_id on mobile_devices. --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-04-07 22:34:47 +00:00 · 2026-02-05 18:45:11 -05:00
parent 4938c44a68
commit ca3abd5d8b
16 changed files with 1100 additions and 69 deletions
--- a/app/controllers/api/v1/auth_controller.rb
+++ b/app/controllers/api/v1/auth_controller.rb
@@ -46,8 +46,13 @@ module Api
          InviteCode.claim!(params[:invite_code]) if params[:invite_code].present?

          # Create device and OAuth token
-          device = create_or_update_device(user)
-          token_response = create_oauth_token_for_device(user, device)
+          begin
+            device = MobileDevice.upsert_device!(user, device_params)
+            token_response = device.issue_token!
+          rescue ActiveRecord::RecordInvalid => e
+            render json: { error: "Failed to register device: #{e.message}" }, status: :unprocessable_entity
+            return
+          end

          render json: token_response.merge(
            user: {
@@ -84,8 +89,13 @@ module Api
          end

          # Create device and OAuth token
-          device = create_or_update_device(user)
-          token_response = create_oauth_token_for_device(user, device)
+          begin
+            device = MobileDevice.upsert_device!(user, device_params)
+            token_response = device.issue_token!
+          rescue ActiveRecord::RecordInvalid => e
+            render json: { error: "Failed to register device: #{e.message}" }, status: :unprocessable_entity
+            return
+          end

          render json: token_response.merge(
            user: {
@@ -100,6 +110,44 @@ module Api
        end
      end

+      def sso_exchange
+        code = sso_exchange_params
+
+        if code.blank?
+          render json: { error: "invalid_or_expired_code", message: "Authorization code is required" }, status: :unauthorized
+          return
+        end
+
+        cache_key = "mobile_sso:#{code}"
+        cached = Rails.cache.read(cache_key)
+
+        unless cached.present?
+          render json: { error: "invalid_or_expired_code", message: "Authorization code is invalid or expired" }, status: :unauthorized
+          return
+        end
+
+        # Atomic delete — only the request that successfully deletes the key may proceed.
+        # This prevents a race where two concurrent requests both read the same code.
+        unless Rails.cache.delete(cache_key)
+          render json: { error: "invalid_or_expired_code", message: "Authorization code is invalid or expired" }, status: :unauthorized
+          return
+        end
+
+        render json: {
+          access_token: cached[:access_token],
+          refresh_token: cached[:refresh_token],
+          token_type: cached[:token_type],
+          expires_in: cached[:expires_in],
+          created_at: cached[:created_at],
+          user: {
+            id: cached[:user_id],
+            email: cached[:user_email],
+            first_name: cached[:user_first_name],
+            last_name: cached[:user_last_name]
+          }
+        }
+      end
+
      def refresh
        # Find the refresh token
        refresh_token = params[:refresh_token]
@@ -121,6 +169,7 @@ module Api
        new_token = Doorkeeper::AccessToken.create!(
          application: access_token.application,
          resource_owner_id: access_token.resource_owner_id,
+          mobile_device_id: access_token.mobile_device_id,
          expires_in: 30.days.to_i,
          scopes: access_token.scopes,
          use_refresh_token: true
@@ -173,38 +222,12 @@ module Api
          required_fields.all? { |field| device[field].present? }
        end

-        def create_or_update_device(user)
-          # Handle both string and symbol keys
-          device_data = params[:device].permit(:device_id, :device_name, :device_type, :os_version, :app_version)
-
-          device = user.mobile_devices.find_or_initialize_by(device_id: device_data[:device_id])
-          device.update!(device_data.merge(last_seen_at: Time.current))
-          device
+        def device_params
+          params.require(:device).permit(:device_id, :device_name, :device_type, :os_version, :app_version)
        end

-        def create_oauth_token_for_device(user, device)
-          # Create OAuth application for this device if needed
-          oauth_app = device.create_oauth_application!
-
-          # Revoke any existing tokens for this device
-          device.revoke_all_tokens!
-
-          # Create new access token with 30-day expiration
-          access_token = Doorkeeper::AccessToken.create!(
-            application: oauth_app,
-            resource_owner_id: user.id,
-            expires_in: 30.days.to_i,
-            scopes: "read_write",
-            use_refresh_token: true
-          )
-
-          {
-            access_token: access_token.plaintext_token,
-            refresh_token: access_token.plaintext_refresh_token,
-            token_type: "Bearer",
-            expires_in: access_token.expires_in,
-            created_at: access_token.created_at.to_i
-          }
+        def sso_exchange_params
+          params.require(:code)
        end
    end
  end