Enable Google SSO account creation in Flutter app (#1164)

* Add Google SSO onboarding flow for Flutter mobile app

Previously, mobile users attempting Google SSO without a linked OIDC
identity received an error telling them to link from the web app first.
This adds the same account linking/creation flow that exists on the PWA.

Backend changes:
- sessions_controller: Cache pending OIDC auth with a linking code and
  redirect back to the app instead of returning an error
- api/v1/auth_controller: Add sso_link endpoint to link Google identity
  to an existing account via email/password, and sso_create_account
  endpoint to create a new SSO-only account (respects JIT config)
- routes: Add POST auth/sso_link and auth/sso_create_account

Flutter changes:
- auth_service: Detect account_not_linked callback status, add ssoLink
  and ssoCreateAccount API methods
- auth_provider: Track SSO onboarding state, expose linking/creation
  methods and cancelSsoOnboarding
- sso_onboarding_screen: New screen with tabs to link existing account
  or create new account, pre-filled with Google profile data
- main.dart: Show SsoOnboardingScreen when ssoOnboardingPending is true

https://claude.ai/code/session_011ag1qSfriUg6j7TqFgbS5c

* Fix broken SSO tests: use MemoryStore cache and correct redirect param

- Sessions test: check `status` param instead of `error` since
  handle_mobile_sso_onboarding sends linking info with status key
- API auth tests: swap null_store for MemoryStore so cache-based
  linking code validation works in test environment

https://claude.ai/code/session_011ag1qSfriUg6j7TqFgbS5c

* Delay linking-code consumption until SSO link/create succeeds

Split validate_and_consume_linking_code into validate_linking_code
(read-only) and consume_linking_code! (delete). The code is now only
consumed after password verification (sso_link) or successful user
save (sso_create_account), so recoverable errors no longer burn the
one-time code and force a full Google SSO roundtrip.

https://claude.ai/code/session_011ag1qSfriUg6j7TqFgbS5c

* Make linking-code consumption atomic to prevent race conditions

Move consume_linking_code! (backed by Rails.cache.delete) to after
recoverable checks (bad password, policy rejection) but before
side-effecting operations (identity/user creation). Only the first
caller to delete the cache key gets true, so concurrent requests
with the same code cannot both succeed.

- sso_link: consume after password auth, before OidcIdentity creation
- sso_create_account: consume after allow_account_creation check,
  before User creation
- Bad password still preserves the code for retry
- Add single-use regression tests for both endpoints

https://claude.ai/code/session_011ag1qSfriUg6j7TqFgbS5c

* Add missing sso_create_account test coverage for blank code and validation failure

- Test blank linking_code returns 400 (bad_request) with proper error
- Test duplicate email triggers user.save failure → 422 with validation errors

https://claude.ai/code/session_011ag1qSfriUg6j7TqFgbS5c

* Verify cache payload in mobile SSO onboarding test with MemoryStore

The test environment uses :null_store which silently discards cache
writes, so handle_mobile_sso_onboarding's Rails.cache.write was never
verified. Swap in a MemoryStore for this test and assert the full
cached payload (provider, uid, email, name, device_info,
allow_account_creation) at the linking_code key from the redirect URL.

https://claude.ai/code/session_011ag1qSfriUg6j7TqFgbS5c

* Add rswag/OpenAPI specs for sso_link and sso_create_account endpoints

POST /api/v1/auth/sso_link: documents linking_code + email/password
params, 200 (tokens), 400 (missing code), 401 (invalid creds/expired).

POST /api/v1/auth/sso_create_account: documents linking_code +
optional first_name/last_name params, 200 (tokens), 400 (missing code),
401 (expired code), 403 (creation disabled), 422 (validation errors).

Note: RAILS_ENV=test bundle exec rake rswag:specs:swaggerize should be
run to regenerate docs/api/openapi.yaml once the runtime environment
matches the Gemfile Ruby version.

https://claude.ai/code/session_011ag1qSfriUg6j7TqFgbS5c

* Preserve OIDC issuer through mobile SSO onboarding flow

handle_mobile_sso_onboarding now caches the issuer from
auth.extra.raw_info.iss so it survives the linking-code round trip.
build_omniauth_hash populates extra.raw_info.iss from the cached
issuer so OidcIdentity.create_from_omniauth stores it correctly.

Previously the issuer was always nil for mobile SSO-created identities
because build_omniauth_hash passed an empty raw_info OpenStruct.

https://claude.ai/code/session_011ag1qSfriUg6j7TqFgbS5c

* Block MFA users from bypassing second factor via sso_link

sso_link authenticated with email/password but never checked
user.otp_required?, allowing MFA users to obtain tokens without
a second factor. The mobile SSO callback already rejects MFA users
with "mfa_not_supported"; apply the same guard in sso_link before
consuming the linking code or creating an identity.

Returns 401 with mfa_required: true, consistent with the login
action's MFA response shape.

https://claude.ai/code/session_011ag1qSfriUg6j7TqFgbS5c

* Fix NoMethodError in SSO link MFA test

Replace non-existent User.generate_otp_secret class method with
ROTP::Base32.random(32), matching the pattern used in User#setup_mfa!.

https://claude.ai/code/session_011ag1qSfriUg6j7TqFgbS5c

* Assert linking code survives rejected SSO create account

Add cache persistence assertion to "should reject SSO create account
when not allowed" test, verifying the linking code is not consumed on
the 403 path. This mirrors the pattern used in the invalid-password
sso_link test.

The other rejection tests (expired/missing linking code) don't have a
valid cached code to check, so no assertion is needed there.

https://claude.ai/code/session_011ag1qSfriUg6j7TqFgbS5c

---------

Co-authored-by: Claude <noreply@anthropic.com>

test/controllers/api/v1/auth_controller_test.rb

@@ -22,6 +22,14 @@ class Api::V1::AuthControllerTest < ActionDispatch::IntegrationTest
 
     # Clear the memoized class variable so it picks up the test record
     MobileDevice.instance_variable_set(:@shared_oauth_application, nil)
+
+    # Use a real cache store for SSO linking tests (test env uses :null_store by default)
+    @original_cache = Rails.cache
+    Rails.cache = ActiveSupport::Cache::MemoryStore.new
+  end
+
+  teardown do
+    Rails.cache = @original_cache if @original_cache
   end
 
   test "should signup new user and return OAuth tokens" do
@@ -488,6 +496,311 @@ class Api::V1::AuthControllerTest < ActionDispatch::IntegrationTest
     assert_response :unauthorized
   end
 
+  # SSO Link tests
+  test "should link existing account via SSO and return tokens" do
+    user = users(:family_admin)
+
+    linking_code = SecureRandom.urlsafe_base64(32)
+    Rails.cache.write("mobile_sso_link:#{linking_code}", {
+      provider: "google_oauth2",
+      uid: "google-uid-123",
+      email: "google@example.com",
+      first_name: "Google",
+      last_name: "User",
+      name: "Google User",
+      device_info: @device_info.stringify_keys,
+      allow_account_creation: true
+    }, expires_in: 10.minutes)
+
+    assert_difference("OidcIdentity.count", 1) do
+      post "/api/v1/auth/sso_link", params: {
+        linking_code: linking_code,
+        email: user.email,
+        password: user_password_test
+      }
+    end
+
+    assert_response :success
+    response_data = JSON.parse(response.body)
+    assert response_data["access_token"].present?
+    assert response_data["refresh_token"].present?
+    assert_equal user.id.to_s, response_data["user"]["id"]
+
+    # Linking code should be consumed
+    assert_nil Rails.cache.read("mobile_sso_link:#{linking_code}")
+  end
+
+  test "should reject SSO link with invalid password" do
+    user = users(:family_admin)
+
+    linking_code = SecureRandom.urlsafe_base64(32)
+    Rails.cache.write("mobile_sso_link:#{linking_code}", {
+      provider: "google_oauth2",
+      uid: "google-uid-123",
+      email: "google@example.com",
+      device_info: @device_info.stringify_keys,
+      allow_account_creation: true
+    }, expires_in: 10.minutes)
+
+    assert_no_difference("OidcIdentity.count") do
+      post "/api/v1/auth/sso_link", params: {
+        linking_code: linking_code,
+        email: user.email,
+        password: "wrong_password"
+      }
+    end
+
+    assert_response :unauthorized
+    response_data = JSON.parse(response.body)
+    assert_equal "Invalid email or password", response_data["error"]
+
+    # Linking code should NOT be consumed on failed password
+    assert Rails.cache.read("mobile_sso_link:#{linking_code}").present?, "Expected linking code to survive a failed attempt"
+  end
+
+  test "should reject SSO link when user has MFA enabled" do
+    user = users(:family_admin)
+    user.update!(otp_required: true, otp_secret: ROTP::Base32.random(32))
+
+    linking_code = SecureRandom.urlsafe_base64(32)
+    Rails.cache.write("mobile_sso_link:#{linking_code}", {
+      provider: "google_oauth2",
+      uid: "google-uid-mfa",
+      email: "mfa@example.com",
+      first_name: "MFA",
+      last_name: "User",
+      name: "MFA User",
+      device_info: @device_info.stringify_keys,
+      allow_account_creation: true
+    }, expires_in: 10.minutes)
+
+    assert_no_difference("OidcIdentity.count") do
+      post "/api/v1/auth/sso_link", params: {
+        linking_code: linking_code,
+        email: user.email,
+        password: user_password_test
+      }
+    end
+
+    assert_response :unauthorized
+    response_data = JSON.parse(response.body)
+    assert_equal true, response_data["mfa_required"]
+    assert_match(/MFA/, response_data["error"])
+
+    # Linking code should NOT be consumed on MFA rejection
+    assert Rails.cache.read("mobile_sso_link:#{linking_code}").present?, "Expected linking code to survive MFA rejection"
+  end
+
+  test "should reject SSO link with expired linking code" do
+    post "/api/v1/auth/sso_link", params: {
+      linking_code: "expired-code",
+      email: "test@example.com",
+      password: "password"
+    }
+
+    assert_response :unauthorized
+    response_data = JSON.parse(response.body)
+    assert_equal "Linking code is invalid or expired", response_data["error"]
+  end
+
+  test "should reject SSO link without linking code" do
+    post "/api/v1/auth/sso_link", params: {
+      email: "test@example.com",
+      password: "password"
+    }
+
+    assert_response :bad_request
+    response_data = JSON.parse(response.body)
+    assert_equal "Linking code is required", response_data["error"]
+  end
+
+  test "linking_code is single-use under race" do
+    user = users(:family_admin)
+
+    linking_code = SecureRandom.urlsafe_base64(32)
+    Rails.cache.write("mobile_sso_link:#{linking_code}", {
+      provider: "google_oauth2",
+      uid: "google-uid-race-test",
+      email: "race@example.com",
+      first_name: "Race",
+      last_name: "Test",
+      name: "Race Test",
+      device_info: @device_info.stringify_keys,
+      allow_account_creation: true
+    }, expires_in: 10.minutes)
+
+    # First request succeeds
+    assert_difference("OidcIdentity.count", 1) do
+      post "/api/v1/auth/sso_link", params: {
+        linking_code: linking_code,
+        email: user.email,
+        password: user_password_test
+      }
+    end
+    assert_response :success
+
+    # Second request with the same code is rejected
+    assert_no_difference("OidcIdentity.count") do
+      post "/api/v1/auth/sso_link", params: {
+        linking_code: linking_code,
+        email: user.email,
+        password: user_password_test
+      }
+    end
+    assert_response :unauthorized
+    assert_equal "Linking code is invalid or expired", JSON.parse(response.body)["error"]
+    assert_nil Rails.cache.read("mobile_sso_link:#{linking_code}")
+  end
+
+  # SSO Create Account tests
+  test "should create new account via SSO and return tokens" do
+    linking_code = SecureRandom.urlsafe_base64(32)
+    Rails.cache.write("mobile_sso_link:#{linking_code}", {
+      provider: "google_oauth2",
+      uid: "google-uid-456",
+      email: "newgoogleuser@example.com",
+      first_name: "New",
+      last_name: "GoogleUser",
+      name: "New GoogleUser",
+      device_info: @device_info.stringify_keys,
+      allow_account_creation: true
+    }, expires_in: 10.minutes)
+
+    assert_difference([ "User.count", "OidcIdentity.count" ], 1) do
+      post "/api/v1/auth/sso_create_account", params: {
+        linking_code: linking_code,
+        first_name: "New",
+        last_name: "GoogleUser"
+      }
+    end
+
+    assert_response :success
+    response_data = JSON.parse(response.body)
+    assert response_data["access_token"].present?
+    assert response_data["refresh_token"].present?
+    assert_equal "newgoogleuser@example.com", response_data["user"]["email"]
+    assert_equal "New", response_data["user"]["first_name"]
+    assert_equal "GoogleUser", response_data["user"]["last_name"]
+
+    # Linking code should be consumed
+    assert_nil Rails.cache.read("mobile_sso_link:#{linking_code}")
+  end
+
+  test "should reject SSO create account when not allowed" do
+    linking_code = SecureRandom.urlsafe_base64(32)
+    Rails.cache.write("mobile_sso_link:#{linking_code}", {
+      provider: "google_oauth2",
+      uid: "google-uid-789",
+      email: "blocked@example.com",
+      first_name: "Blocked",
+      last_name: "User",
+      device_info: @device_info.stringify_keys,
+      allow_account_creation: false
+    }, expires_in: 10.minutes)
+
+    assert_no_difference("User.count") do
+      post "/api/v1/auth/sso_create_account", params: {
+        linking_code: linking_code,
+        first_name: "Blocked",
+        last_name: "User"
+      }
+    end
+
+    assert_response :forbidden
+    response_data = JSON.parse(response.body)
+    assert_match(/disabled/, response_data["error"])
+
+    # Linking code should NOT be consumed on rejection
+    assert Rails.cache.read("mobile_sso_link:#{linking_code}").present?, "Expected linking code to survive a rejected create account attempt"
+  end
+
+  test "should reject SSO create account with expired linking code" do
+    post "/api/v1/auth/sso_create_account", params: {
+      linking_code: "expired-code",
+      first_name: "Test",
+      last_name: "User"
+    }
+
+    assert_response :unauthorized
+    response_data = JSON.parse(response.body)
+    assert_equal "Linking code is invalid or expired", response_data["error"]
+  end
+
+  test "should reject SSO create account without linking code" do
+    post "/api/v1/auth/sso_create_account", params: {
+      first_name: "Test",
+      last_name: "User"
+    }
+
+    assert_response :bad_request
+    response_data = JSON.parse(response.body)
+    assert_equal "Linking code is required", response_data["error"]
+  end
+
+  test "should return 422 when SSO create account fails user validation" do
+    existing_user = users(:family_admin)
+
+    linking_code = SecureRandom.urlsafe_base64(32)
+    Rails.cache.write("mobile_sso_link:#{linking_code}", {
+      provider: "google_oauth2",
+      uid: "google-uid-dup-email",
+      email: existing_user.email,
+      first_name: "Duplicate",
+      last_name: "Email",
+      name: "Duplicate Email",
+      device_info: @device_info.stringify_keys,
+      allow_account_creation: true
+    }, expires_in: 10.minutes)
+
+    assert_no_difference([ "User.count", "OidcIdentity.count" ]) do
+      post "/api/v1/auth/sso_create_account", params: {
+        linking_code: linking_code,
+        first_name: "Duplicate",
+        last_name: "Email"
+      }
+    end
+
+    assert_response :unprocessable_entity
+    response_data = JSON.parse(response.body)
+    assert response_data["errors"].any? { |e| e.match?(/email/i) }, "Expected email validation error in: #{response_data["errors"]}"
+  end
+
+  test "sso_create_account linking_code single-use under race" do
+    linking_code = SecureRandom.urlsafe_base64(32)
+    Rails.cache.write("mobile_sso_link:#{linking_code}", {
+      provider: "google_oauth2",
+      uid: "google-uid-race-create",
+      email: "raceuser@example.com",
+      first_name: "Race",
+      last_name: "CreateUser",
+      name: "Race CreateUser",
+      device_info: @device_info.stringify_keys,
+      allow_account_creation: true
+    }, expires_in: 10.minutes)
+
+    # First request succeeds
+    assert_difference([ "User.count", "OidcIdentity.count" ], 1) do
+      post "/api/v1/auth/sso_create_account", params: {
+        linking_code: linking_code,
+        first_name: "Race",
+        last_name: "CreateUser"
+      }
+    end
+    assert_response :success
+
+    # Second request with the same code is rejected
+    assert_no_difference([ "User.count", "OidcIdentity.count" ]) do
+      post "/api/v1/auth/sso_create_account", params: {
+        linking_code: linking_code,
+        first_name: "Race",
+        last_name: "CreateUser"
+      }
+    end
+    assert_response :unauthorized
+    assert_equal "Linking code is invalid or expired", JSON.parse(response.body)["error"]
+    assert_nil Rails.cache.read("mobile_sso_link:#{linking_code}")
+  end
+
   test "should return forbidden when ai is not available" do
     user = users(:family_admin)
     user.update!(ai_enabled: false)