Google authentication

app/config/config.exs

@@ -61,6 +61,9 @@ config :logger, :console,
 # Use Jason for JSON parsing in Phoenix
 config :phoenix, :json_library, Jason
 
+config :joken,
+  default_signer: "431265" # Replace with the same key used in Flask
+
 # Import environment specific config. This must remain at the bottom
 # of this file so it overrides the configuration defined above.
 import_config "#{config_env()}.exs"

app/google_auth/README.md

@@ -1,36 +1,22 @@
 # Google Authentication
 
-This module provides Google OAuth authentication specifically for IIITD domain users (@iiitd.ac.in).
+This module provides Google OAuth authentication specifically for IIITD domain users (@iiitd.ac.in) and integrates with a Phoenix (Elixir) frontend.
 
 ## Setup Instructions
 
-1. Install the required Python packages:
+1. **Install the required Python packages:**
    ```bash
    pip install -r requirements.txt
    ```
-
-2. Set up Google OAuth credentials:
-   - Go to the [Google Cloud Console](https://console.cloud.google.com/)
-   - Create a new project or select an existing one
-   - Enable the Google+ API
-   - Go to Credentials
-   - Create OAuth 2.0 Client ID
-   - Choose "Desktop app" as the application type
-   - Download the credentials file and save it as `credentials.json` in this directory
-
-3. Set up PostgreSQL Database:
-   ```bash
-   # Install PostgreSQL (if not already installed)
-   brew install postgresql@14
-
-   # Start PostgreSQL service
-   brew services start postgresql@14
-
-   # Create the database
-   createdb google_auth_db
-   ```
-
-4. Configure Database Connection:
+   This will install:
+   - Flask (for the Google Auth server)
+   - Flask-Session
+   - PyJWT
+   - google-auth, google-auth-oauthlib, google-api-python-client
+   - psycopg2-binary (for PostgreSQL)
+   - requests
+
+2. **Configure Database Connection:**
    - Open `google_auth.py`
    - Update the `DB_CONFIG` dictionary if needed:
      ```python
@@ -45,22 +31,25 @@ This module provides Google OAuth authentication specifically for IIITD domain u
 
 ## Usage
 
-To run on CLI:
-1. Run the authentication script:
+### To run the Flask Google Auth server:
+1. Start the server:
    ```bash
-   python google_auth.py
+   python3 google_auth_server.py
    ```
+   The server will run on http://127.0.0.1:5000
 
-2. Enter your IIITD email address when prompted
+2. The main endpoints are:
+   - `/login/google` — Initiates Google OAuth login
+   - `/auth/google/callback` — Handles the OAuth callback and issues a JWT
+   - `/api/session/validate?token=...` — Validates a JWT and returns user info
 
-3. A browser window will open asking you to sign in with your Google account
-
-4. After successful authentication, you'll see your user information displayed
-
-To run through phoenix:
-1. run python server using python3 google_auth_server.py
-
-2. run phoenix app using mix phx.server
+### To run with the Phoenix app:
+1. Start the Flask server as above.
+2. In a separate terminal, start the Phoenix app:
+   ```bash
+   mix phx.server
+   ```
+3. The Phoenix app will redirect users to Google login via the Flask server, and use the `/api/session/validate` endpoint to validate sessions.
 
 ## Viewing the Database
 
@@ -81,12 +70,6 @@ You can view the stored data in several ways:
    \q
    ```
 
-2. Using pgAdmin (GUI Tool):
-   - Download and install [pgAdmin](https://www.pgadmin.org/download/)
-   - Connect to your PostgreSQL server
-   - Navigate to google_auth_db > Schemas > public > Tables
-   - Right-click on 'users' table and select "View/Edit Data"
-
 ## Database Schema
 
 The `users` table contains the following columns:
@@ -100,6 +83,7 @@ The `users` table contains the following columns:
 - `locale` (VARCHAR): Language/location settings
 - `hd` (VARCHAR): Hosted domain (iiitd.ac.in)
 - `last_login` (TIMESTAMP): Last authentication time
+- `session_token` (TEXT): JWT session token for the user
 
 ## Google OAuth API Fields
 
@@ -117,7 +101,8 @@ The Google OAuth API returns the following user information fields:
 
 ## Security Notes
 
-- The script stores authentication tokens in `token.pickle`
+- The script stores authentication tokens in `token.pickle` (for CLI usage)
 - Only @iiitd.ac.in email addresses are allowed
 - The credentials are verified to match the provided email address
 - Database passwords should be properly secured in production environments
+- JWT tokens are used for session management and are validated by the Phoenix app via the Flask server

app/google_auth/google_auth.py

@@ -48,21 +48,20 @@ def init_db():
             verified_email BOOLEAN DEFAULT FALSE,
             locale VARCHAR(10),
             hd VARCHAR(255),
-            last_login TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+            last_login TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+            session_token TEXT
         )
     ''')
 
     conn.commit()
     cur.close()
     conn.close()
 
-def store_user_data(user_info):
-    """Store user information in the database."""
+def store_user_data(user_info, session_token=None):
+    """Store user information in the database, including session token if provided."""
     conn = get_db_connection()
     cur = conn.cursor()
-
     try:
-        # Prepare data for insertion
         data = (
             user_info.get('id'),
             user_info.get('email'),
@@ -73,15 +72,14 @@ def store_user_data(user_info):
             user_info.get('verified_email', False),
             user_info.get('locale'),
             user_info.get('hd'),
-            datetime.now()
+            datetime.now(),
+            session_token
         )
-
-        # Insert or update user data
         cur.execute('''
             INSERT INTO users 
                 (id, email, name, given_name, family_name, picture, 
-                 verified_email, locale, hd, last_login)
-            VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s)
+                 verified_email, locale, hd, last_login, session_token)
+            VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)
             ON CONFLICT (id) DO UPDATE SET
                 email = EXCLUDED.email,
                 name = EXCLUDED.name,
@@ -91,9 +89,9 @@ def store_user_data(user_info):
                 verified_email = EXCLUDED.verified_email,
                 locale = EXCLUDED.locale,
                 hd = EXCLUDED.hd,
-                last_login = EXCLUDED.last_login
+                last_login = EXCLUDED.last_login,
+                session_token = EXCLUDED.session_token
         ''', data)
-
         conn.commit()
     except Exception as e:
         print(f"Error storing user data: {str(e)}")
@@ -103,6 +101,23 @@ def store_user_data(user_info):
         cur.close()
         conn.close()
 
+def store_user_token(user_id, session_token):
+    """Update the session token for a user."""
+    conn = get_db_connection()
+    cur = conn.cursor()
+    try:
+        cur.execute('''
+            UPDATE users SET session_token = %s, last_login = %s WHERE id = %s
+        ''', (session_token, datetime.now(), user_id))
+        conn.commit()
+    except Exception as e:
+        print(f"Error updating user token: {str(e)}")
+        conn.rollback()
+        raise
+    finally:
+        cur.close()
+        conn.close()
+
 def get_credentials():
     """Gets valid user credentials from storage."""
     creds = None

app/google_auth/google_auth_server.py

@@ -2,7 +2,10 @@
 from google_auth_oauthlib.flow import Flow
 import os
 import secrets
-from google_auth import init_db, store_user_data, verify_iiitd_domain
+from google_auth import init_db, store_user_data, verify_iiitd_domain, get_db_connection
+import jwt  # Add this import
+from datetime import datetime, timedelta
+import uuid
 
 app = Flask(__name__)
 app.secret_key = secrets.token_hex(16)
@@ -15,6 +18,7 @@
     'https://www.googleapis.com/auth/userinfo.profile'
 ]
 REDIRECT_URI = "http://127.0.0.1:5000/auth/google/callback"
+SECRET_KEY = "431265"  # Use a secure key and store it in an environment variable
 
 @app.route("/login/google")
 def login():
@@ -47,18 +51,56 @@ def callback():
     if not verify_iiitd_domain(user_info.get('email', '')):
         return "Error: Only @iiitd.ac.in email addresses are allowed.", 403
 
-    # Initialize DB and store user
+    # Generate a signed JWT token with standard claims
+    now = datetime.utcnow()
+    payload = {
+        "sub": user_info["id"],
+        "email": user_info["email"],
+        "name": user_info["name"],
+        "exp": now + timedelta(hours=1),  # Token expires in 1 hour
+        "iat": now,
+        "nbf": now,
+        "jti": str(uuid.uuid4()),
+        "iss": "google_auth_server",
+        "aud": "evalio_app"
+    }
+    token = jwt.encode(payload, SECRET_KEY, algorithm="HS256")
+
+    # Initialize DB and store user with session token
     try:
         init_db()
-        store_user_data(user_info)
+        store_user_data(user_info, session_token=token)
     except Exception as e:
         return f"Error storing user data: {str(e)}", 500
 
-    # For demo: create a simple token (in production, use JWT or similar)
-    token = user_info["id"]  # Or sign a JWT with user_info
-
     # Redirect back to Phoenix with the token
-    return redirect("http://127.0.0.1:4000/auth/google/callback?token={token}")
+    return redirect(f"http://127.0.0.1:4000/auth/google/callback?token={token}")
+
+from google_auth import get_db_connection
+@app.route("/api/session/validate")
+def validate_session():
+    token = request.args.get("token")
+    if not token:
+        return {"error": "Token required"}, 400
+    conn = get_db_connection()
+    cur = conn.cursor()
+    try:
+        cur.execute("SELECT id, email, name, given_name, family_name, picture FROM users WHERE session_token = %s", (token,))
+        user = cur.fetchone()
+        if not user:
+            return {"error": "Invalid token"}, 401
+        user_info = {
+            "id": user[0],
+            "email": user[1],
+            "name": user[2],
+            "given_name": user[3],
+            "family_name": user[4],
+            "picture": user[5]
+        }
+        return user_info, 200
+    finally:
+        cur.close()
+        conn.close()
 
 if __name__ == "__main__":
     app.run(port=5000, debug=True)

app/google_auth/requirements.txt

@@ -2,4 +2,7 @@ google-auth-oauthlib==1.0.0
 google-auth==2.17.3
 google-api-python-client==2.86.0
 psycopg2-binary==2.9.9
-requests==2.31.0 
+requests==2.31.0
+Flask==2.3.2
+Flask-Session==0.5.0
+PyJWT==2.7.0 

app/lib/evalio_app/token_verifier.ex

@@ -0,0 +1,17 @@
+defmodule EvalioApp.TokenVerifier do
+  use Joken.Config
+
+  @impl true
+  def token_config do
+    default_claims(aud: "evalio_app")
+    |> add_claim("iss", fn -> "google_auth_server" end, &(&1 == "google_auth_server"))
+  end
+
+  def verify_token(token) do
+    signer = Joken.Signer.create("HS256", Application.get_env(:joken, :default_signer))
+    case __MODULE__.verify_and_validate(token, signer) do
+      {:ok, claims} -> {:ok, claims}
+      {:error, reason} -> {:error, reason}
+    end
+  end
+end

app/lib/evalio_app_web/controllers/auth_controller.ex

@@ -1,14 +1,33 @@
 defmodule EvalioAppWeb.AuthController do
   use EvalioAppWeb, :controller
+  alias EvalioApp.TokenVerifier
 
   def python_callback(conn, %{"token" => token}) do
-    # In production, verify the token (e.g., call Python service or decode JWT)
-    # For demo, just use the token as user_id
-    user = %{id: token}
+    case TokenVerifier.verify_token(token) do
+      {:ok, claims} ->
+        # Extract user information from claims
+        user = %{
+          id: claims["sub"],
+          email: claims["email"],
+          name: claims["name"]
+        }
 
+        conn
+        |> put_session(:user, user)
+        |> put_flash(:info, "Logged in with Google!")
+        |> redirect(to: "/notes")
+
+      {:error, reason} ->
+        conn
+        |> put_flash(:error, "Invalid token: #{inspect(reason)}")
+        |> redirect(to: "/login")
+    end
+  end
+
+  def logout(conn, _params) do
     conn
-    |> put_session(:user, user)
-    |> put_flash(:info, "Logged in with Google!")
-    |> redirect(to: "/notes")
+    |> configure_session(drop: true)
+    |> put_flash(:info, "Logged out successfully.")
+    |> redirect(to: "/login")
   end
 end

app/lib/evalio_app_web/live/note/notes_live.ex

@@ -277,7 +277,7 @@ defmodule EvalioAppWeb.NotesLive do
 
   @impl true
   def handle_event("logout", _params, socket) do
-    {:noreply, push_navigate(socket, to: ~p"/login")}
+    {:noreply, push_redirect(socket, to: "/logout")}
   end
 
   @impl true

app/lib/evalio_app_web/plugs/require_authenticated_user.ex

@@ -5,17 +5,8 @@ defmodule EvalioAppWeb.Plugs.RequireAuthenticatedUser do
   def init(opts), do: opts
 
   def call(conn, _opts) do
-    if user_token = get_session(conn, :user_token) do
-      # In a real app, you would fetch the user from the database
-      # For now, we'll just check if the token matches our allowed user
-      if user_token == "admin@evalio.com" do
-        conn
-      else
-        conn
-        |> put_flash(:error, "You must log in to access this page.")
-        |> redirect(to: "/login")
-        |> halt()
-      end
+    if get_session(conn, :user) do
+      conn
     else
       conn
       |> put_flash(:error, "You must log in to access this page.")