Description
Reasoning
Currently, a user enters their student ID and Monash Ninja code. This allows them to abuse the system by claiming other codes using other student IDs, and potentially ruining it for everyone else. So, to remedy this, I propose requiring users to log in with Google before entering their student ID and code.
Having users would also let us add other components to the challenge, like an online game for instance, or allow users to be part of a 'special club' for finding a code.
We can perform a lookup using their email to find their student ID, although this will have to be done manually. In the meantime, it will be easiest to record student ID and code, and have them log in with Google beforehand.
Method
Using the googleapis.
- Use One Time Code to request an access token from Google.
- Use Access Token to request user profile from Google.
- Create or log in user given profile information.
Authentication should work as follows:
```
                             ┌───┐
                             │ 1 │
                             └───┘
┌────────────────┐                            ┌────────────────┐
│                │          Requests          │                │
│     Client     │ ──────────token───────────▶│     Google     │◀────────────┐
│                │                            │                │             │
└────────────────┘                            └────────────────┘             │
         ▲                                            │                      │
         │                                            │                      │
         │                                            │                      │
         │                          ┌───┐ Sends One Time Code (OTC)          │
         │                          │ 2 │ via redirect URI for    Requests ┌───┐
         │                          └───┘ accessing Google User     user   │ 3 │
         │                                profile                 profile  └───┘
         │                                            │                      │
       ┌───┐ Redirects user to                        │                      │
       │ 4 │ frontend, passing                        │                      │
       └───┘ token in the process                     ▼                      │
         │                                    ┌────────────────┐             │
         │                                    │                │             │
         └────────────────────────────────────│      API       │─────────────┘
                                              │                │
                                              └────────────────┘
```
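
The three Method steps and steps 2 to 4 of the diagram, as an added JavaScript example that is not part of the original issue or the project's code. It calls Google's token and userinfo endpoints over plain HTTPS rather than through the googleapis client. The `http`, `users` and `issueSession` dependencies, the config values, the stubbed Google responses and the choice to pass the token in the URL fragment are all assumptions made for illustration.

```javascript
// Added example: the API's redirect-URI handler (steps 2-4 of the diagram).
// `http`, `users` and `issueSession` are hypothetical injected dependencies.
const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const USERINFO_URL = 'https://www.googleapis.com/oauth2/v3/userinfo';

async function handleGoogleCallback(query, cfg, { http, users, issueSession }) {
  if (!query.code) throw new Error('missing one-time code');
  // 1. Exchange the one-time code for an access token, server to server,
  //    so the client secret never reaches the browser.
  const token = await http(TOKEN_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      code: query.code, client_id: cfg.clientId, client_secret: cfg.clientSecret,
      redirect_uri: cfg.redirectUri, grant_type: 'authorization_code',
    }).toString(),
  });
  if (!token.access_token) throw new Error('code exchange failed');
  // 2. Use the access token to request the user's profile.
  const profile = await http(USERINFO_URL, {
    headers: { Authorization: `Bearer ${token.access_token}` },
  });
  if (!profile.sub || !profile.email_verified) throw new Error('unusable profile');
  // 3. Create or log in the user, keyed on Google's stable `sub` id.
  let user = users.get(profile.sub);
  if (!user) {
    user = { id: profile.sub, email: profile.email };
    users.set(profile.sub, user);
  }
  // Step 4 of the diagram: redirect to the frontend with the API's own token
  // (carried in the URL fragment here, which is an assumption of this example).
  return { user, redirectTo: `${cfg.frontendUrl}/#token=${issueSession(user)}` };
}

// Constructed stand-in for Google's two endpoints so the flow runs offline.
const fakeGoogle = async (url, opts) => {
  if (url !== TOKEN_URL) return { sub: '1001', email: 'student@example.edu', email_verified: true };
  return opts.body.includes('code=otc-123') ? { access_token: 'at-1' } : {};
};
const demoCfg = { clientId: 'id', clientSecret: 'secret',
  redirectUri: 'https://api.example/callback', frontendUrl: 'https://app.example' };
const demo = (code, users) => handleGoogleCallback({ code }, demoCfg,
  { http: fakeGoogle, users, issueSession: (u) => `session-for-${u.id}` });

demo('otc-123', new Map()).then((r) => console.log(r.redirectTo));
```

Because the user record is keyed on the profile's `sub`, a second login with the same Google account returns the existing user, which is what lets later student ID and code submissions be tied to one account.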