| | | 1 | | using Syki.Back.Google; |
| | | 2 | | using Syki.Back.Domain.Identity; |
| | | 3 | | using Syki.Back.Domain.Institutions; |
| | | 4 | | using Syki.Back.Features.Cross.SignIn; |
| | | 5 | | |
| | | 6 | | namespace Syki.Back.Features.Identity.GoogleOneTapLogin; |
| | | 7 | | |
| | 0 | 8 | | public class GoogleOneTapLoginService( |
| | 0 | 9 | | SykiDbContext ctx, |
| | 0 | 10 | | SignInService signInService, |
| | 0 | 11 | | IGoogleService googleService, |
| | 0 | 12 | | UserManager<SykiUser> userManager, |
| | 0 | 13 | | SocialLoginSettings socialLoginSettings) : ISykiService |
| | | 14 | | { |
| | | 15 | | private class Validator : AbstractValidator<GoogleOneTapLoginIn> |
| | | 16 | | { |
| | 0 | 17 | | public Validator() |
| | | 18 | | { |
| | 0 | 19 | | RuleFor(x => x.Credential).NotEmpty().WithError(GoogleOneTapLoginInvalidToken.I); |
| | 0 | 20 | | } |
| | | 21 | | } |
| | 0 | 22 | | private static readonly Validator V = new(); |
| | | 23 | | |
| | | 24 | | public async Task<OneOf<GoogleOneTapLoginOut, SykiError>> Login(GoogleOneTapLoginIn data) |
| | | 25 | | { |
| | 0 | 26 | | if (V.Run(data, out var error)) return error; |
| | | 27 | | |
| | 0 | 28 | | if (!socialLoginSettings.Google.Enabled) return GoogleOneTapLoginDisabled.I; |
| | | 29 | | |
| | 0 | 30 | | var payload = await googleService.ValidateIdTokenAsync(data.Credential, socialLoginSettings.Google.ClientId); |
| | 0 | 31 | | if (payload == null) return GoogleOneTapLoginInvalidToken.I; |
| | | 32 | | |
| | 0 | 33 | | if (!payload.EmailVerified) return SocialLoginEmailNotVerified.I; |
| | | 34 | | |
| | 0 | 35 | | var email = payload.Email.ToLowerInvariant(); |
| | 0 | 36 | | if (await ctx.EmailRequiresSsoAsync(email)) return SocialLoginSsoRequired.I; |
| | | 37 | | |
| | 0 | 38 | | var provider = SocialLoginProvider.Google; |
| | 0 | 39 | | var providerKey = payload.Subject; |
| | | 40 | | |
| | | 41 | | // 1. Look up existing social login link by (provider, providerKey) |
| | 0 | 42 | | var existingLink = await ctx.UserSocialLogins.FirstOrDefaultAsync(x => x.Provider == provider && x.ProviderKey = |
| | 0 | 43 | | if (existingLink != null) |
| | | 44 | | { |
| | 0 | 45 | | var jwt = await signInService.SignIn(existingLink.Email); |
| | 0 | 46 | | return jwt.ToGoogleOneTapLoginOut(); |
| | | 47 | | } |
| | | 48 | | |
| | | 49 | | // 2. Look up existing user by email |
| | 0 | 50 | | var existingUser = await ctx.Users.FirstOrDefaultAsync(u => u.Email == email); |
| | 0 | 51 | | if (existingUser != null) |
| | | 52 | | { |
| | 0 | 53 | | existingUser.ConfirmEmail(); |
| | 0 | 54 | | ctx.Add(new UserSocialLogin(existingUser.Id, provider, providerKey, email)); |
| | 0 | 55 | | await ctx.SaveChangesAsync(); |
| | 0 | 56 | | var jwt = await signInService.SignIn(email); |
| | 0 | 57 | | return jwt.ToGoogleOneTapLoginOut(); |
| | | 58 | | } |
| | | 59 | | |
| | | 60 | | // 3. Auto-provision new user on public and web schemes |
| | 0 | 61 | | var name = payload.Name; |
| | 0 | 62 | | if (name.IsEmpty()) name = email; |
| | | 63 | | |
| | 0 | 64 | | var directorRole = await ctx.GetDirectorRole(); |
| | | 65 | | |
| | 0 | 66 | | var institution = Institution.NewForUserRegister(); |
| | 0 | 67 | | var user = new SykiUser(institution, name, email); |
| | 0 | 68 | | var userRole = new SykiUserRole(institution, user, directorRole.Id); |
| | 0 | 69 | | var socialLogin = new UserSocialLogin(user.Id, provider, providerKey, email) { User = user }; |
| | | 70 | | |
| | 0 | 71 | | ctx.AddRange(institution, userRole, socialLogin); |
| | 0 | 72 | | await userManager.CreateAsync(user, $"Syki@{Guid.NewGuid()}"); |
| | | 73 | | |
| | 0 | 74 | | var jwtResult = await signInService.SignIn(email); |
| | 0 | 75 | | return jwtResult.ToGoogleOneTapLoginOut(); |
| | 0 | 76 | | } |
| | | 77 | | } |