Allow users to log in with their Google account.
- Create a project in Google Cloud Console
- Go to APIs & Services → Credentials
- Create OAuth 2.0 Client ID (Web application)
- Add authorized redirect URI:
http://localhost:3000/auth/google/callback - Copy the Client ID and Client Secret
GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=your-client-secret
GOOGLE_CALLBACK_URL=http://localhost:3000/auth/google/callbackcreateConfig({
login: {
allowGoogleOAuth: true,
},
});The google.clientId, google.clientSecret, and google.callbackUrl are automatically populated from the corresponding environment variables.
- User visits
GET /auth/google - Server generates PKCE (code_verifier + code_challenge) and state
- Server stores state + verifier in a short-lived httpOnly cookie
- Server redirects to Google's authorization page
- User consents → Google redirects to
/auth/google/callback - Server exchanges authorization code for tokens (with PKCE verifier)
- Server verifies the Google ID token
- Account resolution: find by
googleId→ find byemail→ create new - Session cookie is set → user is redirected to the app
- PKCE: Prevents authorization code interception attacks
- State parameter: Prevents CSRF attacks on the OAuth flow
- ID token verification: Validates signature, audience, and expiry
- No Passport.js: Direct HTTP calls for full transparency (see ADR-004)