Skip to content

fix(api): fail fast when Google OAuth is not configured#70

Merged
Kingvic300 merged 1 commit into
mainfrom
fix/51-oauth-failfast
Jun 7, 2026
Merged

fix(api): fail fast when Google OAuth is not configured#70
Kingvic300 merged 1 commit into
mainfrom
fix/51-oauth-failfast

Conversation

@Kingvic300

@Kingvic300 Kingvic300 commented Jun 7, 2026

Copy link
Copy Markdown
Owner

Summary

google_login and google_callback read GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET with unwrap_or_default(). When unset (the default — these aren't in .env.example/compose), /auth/google/login redirected users to ...?client_id=&... (a Google error page) and the callback attempted a token exchange with empty credentials, instead of signalling a clear configuration error.

Changes

  • auth_handler.rs: return a clear Google OAuth is not configured error from both handlers when the client id/secret are missing.
  • .env.example: document GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GOOGLE_REDIRECT_URL.

Testing

  • cargo check -p txio-api passes.

Closes #51

Summary by CodeRabbit

  • New Features
    • Added Google OAuth authentication support with configurable environment variables
    • Implemented validation to ensure all required OAuth credentials are properly configured before use

google_login/google_callback read GOOGLE_CLIENT_ID/SECRET with
unwrap_or_default(), so an unconfigured deployment redirected users to
Google with an empty client_id (a confusing Google error page) and the
callback attempted a token exchange with empty credentials. Return a
clear error when the credentials are missing, and document the vars in
.env.example.

Closes #51
@vercel

vercel Bot commented Jun 7, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
txio Ready Ready Preview, Comment Jun 7, 2026 11:51am

@coderabbitai

coderabbitai Bot commented Jun 7, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Configuration documentation and early validation guards are added to the Google OAuth flow. .env.example now documents required Google OAuth credentials, and both login and callback handlers validate that these variables are present before proceeding, returning clear BadRequest errors if unconfigured.

Changes

Google OAuth Configuration and Validation

Layer / File(s) Summary
Configuration Documentation
.env.example
Google OAuth configuration block added with placeholders for GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, and GOOGLE_REDIRECT_URL.
Handler Validation Guards
backend/api/src/api/handlers/auth_handler.rs
google_login and google_callback now validate that required credentials are non-empty after trimming, returning BadRequest with a clear "not configured" message if either is missing.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A rabbit hops through OAuth's door,
No longer sneaking past before—
With config docs and guards so bright,
Google keys now fail upright! 🐰✨
No silent breaks, just truth displayed,
When credentials forget the trade.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change—adding validation to fail fast when Google OAuth credentials are missing—which aligns with the primary objective of the PR.
Linked Issues check ✅ Passed The PR successfully addresses all coding requirements from issue #51: environment variables are validated in auth handlers with clear error returns, and .env.example documents the required OAuth configuration parameters.
Out of Scope Changes check ✅ Passed All changes are directly scoped to issue #51—adding validation to auth handlers and documenting environment variables in .env.example with no unrelated modifications.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/51-oauth-failfast

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
backend/api/src/api/handlers/auth_handler.rs (1)

206-210: 💤 Low value

Consider a more semantically accurate HTTP status code.

The validation correctly fails fast when Google OAuth is unconfigured. However, HTTP 400 Bad Request typically indicates a client error in the request payload. Server misconfiguration might be better represented by 503 Service Unavailable or 501 Not Implemented, which the PR objectives mentioned.

Looking at the AppError enum, these variants aren't available. You could consider:

  • Using AppError::InternalError (maps to 500), though that's less descriptive
  • Adding a new ServiceUnavailable variant to AppError for features disabled by missing configuration

That said, BadRequest with a clear message is acceptable and meets the fail-fast requirement.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/api/src/api/handlers/auth_handler.rs` around lines 206 - 210, The
current check returns AppError::BadRequest when client_id is empty; change this
to a more semantically accurate error: either return AppError::InternalError (to
map to 500) or add a new AppError::ServiceUnavailable (or ServiceDisabled)
variant and return that here to represent missing server configuration; update
the AppError enum and its HTTP mapping accordingly and replace the return in
auth_handler.rs (the client_id validation block) to use the chosen variant so
the response code reflects server misconfiguration rather than a client payload
error.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@backend/api/src/api/handlers/auth_handler.rs`:
- Around line 206-210: The current check returns AppError::BadRequest when
client_id is empty; change this to a more semantically accurate error: either
return AppError::InternalError (to map to 500) or add a new
AppError::ServiceUnavailable (or ServiceDisabled) variant and return that here
to represent missing server configuration; update the AppError enum and its HTTP
mapping accordingly and replace the return in auth_handler.rs (the client_id
validation block) to use the chosen variant so the response code reflects server
misconfiguration rather than a client payload error.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 24147bcc-4e57-4f33-8eb9-3f937186edc1

📥 Commits

Reviewing files that changed from the base of the PR and between a452e2f and bd54461.

📒 Files selected for processing (2)
  • .env.example
  • backend/api/src/api/handlers/auth_handler.rs

@Kingvic300 Kingvic300 merged commit 83b54fc into main Jun 7, 2026
4 of 5 checks passed
Kingvic300 added a commit that referenced this pull request Jun 18, 2026
fix(api): fail fast when Google OAuth is not configured
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Medium] Google OAuth silently misbehaves when unconfigured (empty client_id)

1 participant