Sentiaus opened a new pull request, #5250:
URL: https://github.com/apache/texera/pull/5250
### What changes were proposed in this PR?

Adds the backend required for Google Drive OAuth integration.

**Schema changes:** Adds a new `user_oauth_token` table
(`sql/updates/23.sql`) to store encrypted OAuth tokens per provider. The
`provider` column (`google_drive`, etc.) is intentionally generic so future
integrations (AWS, Microsoft) can reuse the same table without a schema change.
The auth blob is stored as a JWE-encrypted JSON string rather than a raw token.

**Token encryption:** Adds `TokenEncryptionService` using jose4j AES-256-GCM
(`DIRECT` key management) to encrypt auth blobs at rest. The encryption key is
read from `auth.encryption.256-bit-secret` in `auth.conf`, with
`AUTH_ENCRYPTION_SECRET` as the env-var override. This follows the same pattern
as the existing JWT secret key.

**New endpoints — `GoogleDriveAuthResource`:**

- `GET /api/auth/google/drive/connect` — Returns a Google OAuth authorization
  URL for the frontend to open in a popup. Accepts a `reauth` query param; when
  `true`, sets `prompt=consent` to force Google to re-issue a refresh token (used
  when a previous token has returned `invalid_grant`). Requires `REGULAR` or
  `ADMIN` role.
- `GET /api/auth/google/drive/callback` — Called by Google's OAuth redirect.
  Not role-gated (no `Authorization` header is present on a browser redirect).
  Authenticates the user via a short-lived JWT in the `state` query parameter,
  exchanges the `code` for tokens, encrypts the auth blob, and upserts into
  `user_oauth_token`.
- `GET /api/auth/google/drive/token` — Decrypts the stored auth blob, uses the
  refresh token to fetch a short-lived access token from Google, and returns it
  to the frontend. Returns `no_refresh_token` if no record exists, or
  `invalid_grant` if Google rejects the refresh token. Requires `REGULAR` or
  `ADMIN` role.
- `GET /api/auth/google/config` — Exposes `clientId` and `redirectUri` to the
  frontend so the Drive service doesn't need to hardcode them.

**Config:** Adds `google.client-id`, `google.client-secret`, and
`app-domain` to `UserSystemConfig` and `user-system.conf`. **These must be
configured on the Texera GCP project before Drive integration will work.**
### Any related issues, documentation, discussions?
Closes #4240 (partial — frontend in follow-up PRs)
Google Documentation to enable Google Picker:
https://developers.google.com/workspace/drive/picker/guides/overview
### How was this PR tested?
- `sbt "Auth/testOnly org.apache.texera.auth.TokenEncryptionServiceSpec"` —
2 unit tests covering encrypt/decrypt round-trip and invalid-input error case
- Backend compiles cleanly: `sbt amber/compile`
- The `/callback` endpoint was tested manually via the full OAuth flow in a
local dev environment
### Was this PR authored or co-authored using generative AI tooling?
Commit messages and some implementation co-authored with Claude Sonnet 4.6
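The PR description says the `/callback` endpoint is not role-gated and instead authenticates the user from a short-lived JWT in the `state` parameter. The following is an added example of that check, not code from the PR or from Texera: a signed, expiring state token is minted for the logged-in user and verified before the `code` would be exchanged. The key, the 300-second lifetime, the `purpose` claim and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

STATE_KEY = b"constructed-demo-key"     # constructed; load a real secret from config
STATE_TTL_SECONDS = 300                 # assumed meaning of "short-lived"
STATE_PURPOSE = "google_drive_oauth"    # hypothetical claim separating state from login JWTs

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return b64url(hmac.new(STATE_KEY, signing_input.encode(), hashlib.sha256).digest())

def mint_state(uid, now=None, purpose=STATE_PURPOSE):
    """Assumed to run in the connect step, for the already-authenticated user."""
    now = time.time() if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": str(uid), "purpose": purpose, "exp": int(now) + STATE_TTL_SECONDS}
    body = b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{sign(header + '.' + body)}"

def verify_state(state, now=None):
    """Run in the callback step; returns the uid or raises ValueError."""
    now = time.time() if now is None else now
    try:
        header, body, sig = state.split(".")
        # Verify the MAC before parsing anything the caller controls.
        if not hmac.compare_digest(sig, sign(header + "." + body)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(body))
        # A token signed with the same key for another purpose must not pass as state.
        if claims["purpose"] != STATE_PURPOSE:
            raise ValueError("token was not issued as OAuth state")
        if now >= claims["exp"]:
            raise ValueError("state expired")
        return int(claims["sub"])
    except (KeyError, TypeError, AttributeError) as exc:
        raise ValueError("malformed state") from exc
```

The token storage in `user_oauth_token` should be keyed on the uid returned by the verifier, never on a user id supplied elsewhere in the callback request.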