Add social auth to the backend api. (#103)

anybodys · Jul 7, 2024 · 6269bf3 · 6269bf3
1 parent 22210cc
commit 6269bf3
Show file tree

Hide file tree

Showing 11 changed files with 258 additions and 4 deletions.
diff --git a/api/Pipfile b/api/Pipfile
@@ -8,6 +8,7 @@ django = "*"
 psycopg2-binary = "*"
 google-cloud-storage = "*"
 django-cors-headers = "*"
+django-allauth = {extras = ["socialaccount"], version = "*"}
 
 [dev-packages]
 

diff --git a/api/Pipfile.lock b/api/Pipfile.lock
diff --git a/api/README.md b/api/README.md
@@ -44,3 +44,8 @@ Bump the version in (variables.tf)[../infra/app/variables.tf] and merge PR. The
 ## Learn More
 
 [Tech Spec](docs/tech_spec.md)
+
+
+## Social Auth
+
+http://localhost:8000/accounts/google/login/?process=login
diff --git a/api/api/admin.py b/api/api/admin.py
@@ -0,0 +1,6 @@
+from django.contrib import admin
+
+from api import models
+
+
+admin.site.register(models.Generation)
diff --git a/api/api/urls.py b/api/api/urls.py
@@ -5,4 +5,5 @@
 urlpatterns = [
     path("art", views.art, name="art"),
     path("health", views.health, name="health"),
+    path("me", views.me, name="me"),
 ]
diff --git a/api/api/views.py b/api/api/views.py
@@ -16,3 +16,14 @@ def art(request):
 
   # Return a list of all the requested generation's art metadata.
   return JsonResponse(art_storage.ArtStorage().get_art(gen))
+
+
+def me(request):
+  ret = {}
+  if request.user.is_authenticated:
+    ret.update({
+      'username': request.user.get_username(),
+      'name': request.user.first_name,
+      'email': request.user.email,
+    })
+  return JsonResponse(ret)
diff --git a/api/app/settings.py b/api/app/settings.py
@@ -46,6 +46,7 @@
   "http://localhost:3000",
   "http://127.0.0.1:3000",
 ]
+CORS_ALLOW_CREDENTIALS = True
 
 
 # Application definition
@@ -59,8 +60,12 @@
   'django.contrib.staticfiles',
 
   'corsheaders',
-
   'api',
+
+  'allauth',
+  'allauth.account',
+  'allauth.socialaccount',
+  'allauth.socialaccount.providers.google',
 ]
 
 MIDDLEWARE = [
@@ -71,6 +76,9 @@
   #'django.middleware.csrf.CsrfViewMiddleware',
   'django.contrib.auth.middleware.AuthenticationMiddleware',
   'django.contrib.messages.middleware.MessageMiddleware',
+
+  'allauth.account.middleware.AccountMiddleware',
+
   #'django.middleware.clickjacking.XFrameOptionsMiddleware',
 ]
 
@@ -147,3 +155,38 @@
 # https://docs.djangoproject.com/en/5.0/ref/settings/#default-auto-field
 
 DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
+
+
+# Social Auth with allauth
+
+AUTHENTICATION_BACKENDS = [
+    # Needed to login by username in Django admin, regardless of `allauth`
+    'django.contrib.auth.backends.ModelBackend',
+
+    # `allauth` specific authentication methods, such as login by email
+    'allauth.account.auth_backends.AuthenticationBackend',
+]
+
+# Provider specific settings
+SOCIALACCOUNT_PROVIDERS = {
+  'google': {
+    # For each OAuth based provider, either add a ``SocialApp``
+    # (``socialaccount`` app) containing the required client
+    # credentials, or list them here:
+    'APP': {
+      'client_id': os.environ['GOOGLE_OAUTH2_KEY'],
+      'secret': os.environ['GOOGLE_OAUTH2_SECRET'],
+      'key': '',
+    },
+    'SCOPE': [
+      'profile',
+      'email',
+    ],
+    'AUTH_PARAMS': {
+      'access_type': 'online',
+    },
+  },
+}
+
+SOCIALACCOUNT_ONLY = True
+ACCOUNT_EMAIL_VERIFICATION = 'none'
diff --git a/api/app/urls.py b/api/app/urls.py
@@ -20,6 +20,10 @@
 urlpatterns = [
   # Local endpoints.
   path("api/", include("api.urls")),
+
   # Django built-ins
   path("admin/", admin.site.urls),
+
+  # Social Auth
+  path('accounts/', include('allauth.urls')),
 ]
diff --git a/infra/app/app.tf b/infra/app/app.tf
@@ -111,6 +111,25 @@ resource "google_cloud_run_v2_service" "api" {
           }
         }
       }
+      env {
+        name = "GOOGLE_OAUTH2_KEY"
+        value_source {
+          secret_key_ref {
+            secret  = "google-oauth-key"
+            version = "latest"
+          }
+        }
+      }
+      env {
+        name = "GOOGLE_OAUTH2_SECRET"
+        value_source {
+          secret_key_ref {
+            secret  = "google-oauth-secret"
+            version = "latest"
+          }
+        }
+      }
+
       volume_mounts {
         name       = "cloudsql"
         mount_path = "/cloudsql"
@@ -131,14 +150,32 @@ resource "google_cloud_run_service_iam_binding" "api" {
   ]
 }
 
-## DB things.
+## Secrets and access.
 
 resource "google_secret_manager_secret_iam_member" "storage-db-api" {
   secret_id = google_secret_manager_secret.storageapi-db-pass.id
   role      = "roles/secretmanager.secretAccessor"
   member    = "serviceAccount:${google_service_account.api.email}"
 }
 
+resource "google_secret_manager_secret" "api-secrets" {
+  for_each  = toset(["google-oauth-key", "google-oauth-secret"])
+  secret_id = each.key
+
+  replication {
+    auto {}
+  }
+}
+
+resource "google_secret_manager_secret_iam_member" "api-secrets" {
+  for_each  = google_secret_manager_secret.api-secrets
+  secret_id = each.value.secret_id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.api.email}"
+}
+
+## DB things.
+
 resource "google_project_iam_member" "cloudsql" {
   project = var.project
   role    = "roles/cloudsql.client"

diff --git a/infra/app/networking.tf b/infra/app/networking.tf
@@ -196,6 +196,12 @@ resource "google_compute_url_map" "default" {
   path_matcher {
     name            = "api"
     default_service = google_compute_backend_service.api.id
+
+    path_rule {
+      paths   = ["/accounts/google/*"]
+      service = google_compute_backend_service.api.id
+    }
+
     path_rule {
       paths   = ["/*"]
       service = google_compute_backend_service.api.id
@@ -205,5 +211,6 @@ resource "google_compute_url_map" "default" {
         }
       }
     }
+
   }
 }