feat: Firebase Auth integration with Google SSO login flow #1
Merged
Implement server-mediated Google OAuth flow for Tauri desktop app:
- API: complete auth middleware with Firebase token verification (production via Admin SDK, emulator via REST), add auth routes (Google OAuth start/callback/poll, dev signin, user profile)
- Desktop: add auth module with token management, localStorage persistence, and automatic refresh. Gate app behind login screen with Google SSO button (production) or email input (emulator). Add UserMenu component with avatar and sign-out dropdown.
- Spec: add specs/r1a/02.firebase-auth-google-sso.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Remove unused Postgres/Redis references from requirements.txt, service.yaml, deploy.sh, and secrets.example
- Add Secret Manager resources for google-client-id and google-client-secret (per-environment) with IAM bindings
- Inject OAuth secrets + API_BASE_URL into Cloud Run via Terraform
- Add api_base_url variable to each environment config
- Enable secretmanager.googleapis.com API in Terraform

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Cloud Run fails to deploy when referencing a secret that has no versions. Add initial placeholder versions with ignore_changes so Terraform won't revert after real values are set via gcloud CLI.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The desktop app checks this env var to show the dev sign-in form instead of triggering Google OAuth. Without it, local dev hits the Google OAuth start endpoint which fails because no client ID is configured.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replace the server-mediated start/callback/poll OAuth flow with a loopback redirect approach: the Tauri app binds a one-shot local HTTP listener, Google redirects the auth code to it, and the desktop exchanges the code for Firebase tokens via a single API endpoint. This eliminates server-side session state, polling, and the emulator sign-in path.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
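
An added example, not code from this pull request, of the one-shot loopback listener the last commit message describes: it binds to 127.0.0.1 on an OS-chosen port and releases the auth code only when the callback carries the state value this login attempt issued. The `/callback` path, the state check, and all function and type names are assumptions; the caller supplies a state generated by a CSPRNG.

```rust
use std::io::{BufRead, BufReader, Write};
use std::net::TcpListener;

#[derive(Debug, PartialEq)]
pub enum CallbackError { Malformed, WrongPath, StateMismatch, MissingCode, Provider(String) }

/// Constant-time comparison, so the state check does not reveal a partial match.
fn ct_eq(a: &str, b: &str) -> bool {
    a.len() == b.len() && a.bytes().zip(b.bytes()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Return the code only when path and state match this login attempt. Assumed: /callback path; values stay percent-encoded.
pub fn parse_callback(request_line: &str, expected_state: &str) -> Result<String, CallbackError> {
    let mut parts = request_line.split_whitespace();
    let (Some("GET"), Some(target)) = (parts.next(), parts.next()) else { return Err(CallbackError::Malformed) };
    let (path, query) = target.split_once('?').unwrap_or((target, ""));
    if path != "/callback" { return Err(CallbackError::WrongPath); }
    let (mut code, mut state, mut error) = (None, None, None);
    for pair in query.split('&') {
        match pair.split_once('=') {
            Some(("code", v)) => code = Some(v),
            Some(("state", v)) => state = Some(v),
            Some(("error", v)) => error = Some(v),
            _ => {}
        }
    }
    // State first: a request without the expected state did not come from our flow.
    if !state.map_or(false, |s| ct_eq(s, expected_state)) { return Err(CallbackError::StateMismatch); }
    if let Some(e) = error { return Err(CallbackError::Provider(e.to_string())); }
    code.filter(|c| !c.is_empty()).map(str::to_string).ok_or(CallbackError::MissingCode)
}

/// One-shot: accept a single connection, answer it, then drop the listener.
pub fn serve_once(listener: TcpListener, expected_state: &str) -> Result<String, CallbackError> {
    let (mut stream, _) = listener.accept().map_err(|_| CallbackError::Malformed)?;
    let mut line = String::new();
    BufReader::new(&stream).read_line(&mut line).map_err(|_| CallbackError::Malformed)?;
    let result = parse_callback(&line, expected_state);
    let body = if result.is_ok() { "Signed in. You can close this tab." } else { "Sign-in failed." };
    let _ = write!(stream, "HTTP/1.1 200 OK\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}", body.len(), body);
    result
}

fn main() {
    let listener = TcpListener::bind("127.0.0.1:0").expect("bind loopback"); // loopback only, OS-chosen port
    println!("redirect_uri: http://127.0.0.1:{}/callback", listener.local_addr().unwrap().port());
    let state = std::env::args().nth(1).expect("usage: <state from a CSPRNG>");
    println!("{:?}", serve_once(listener, &state));
}
```

The returned code is still percent-encoded and must be decoded before it is sent to the token-exchange endpoint.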
Summary
Architecture
Uses a server-mediated OAuth flow since Tauri v2's webview doesn't support signInWithPopup():
- POST /api/auth/google/start to get a session ID and Google OAuth URL
- tauri-plugin-shell
- GET /api/auth/google/callback
- GET /api/auth/google/poll until complete, stores tokens locally

Test plan
- make lint and make typecheck pass (verified)
- pnpm --filter desktop test passes (verified)
- make dev — app shows login screen on launch

🤖 Generated with Claude Code