torsten/stechuhr3
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Implement Google OAuth linking functionality. Update backend to handle linking existing accounts with Google, including state token management. Enhance frontend to support linking process, including new UI components for user input and feedback. Update mobile app to handle OAuth callbacks and integrate linking features. Refactor related services and controllers for improved error handling and user experience.

Browse Source
This commit is contained in:
Torsten Schulz (local)
2026-05-15 08:27:36 +02:00
parent 95b611fd04
commit c16d2a6e4d
20 changed files with 768 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
GOOGLE_OAUTH_MANUAL_STEPS.md Normal file
View File

@@ -0,0 +1,83 @@
# Google OAuth: manuelle Restarbeiten
Stand: 2026-05-15
## 1. Google Cloud Console vorbereiten
1. In der Google Cloud Console das passende Projekt öffnen oder ein neues Projekt anlegen.
2. Unter `APIs & Services > OAuth consent screen` den Consent Screen konfigurieren.
3. App-Name, Support-E-Mail und Entwicklerkontakt eintragen.
4. Scopes reichen für diese App:
- `profile`
- `email`
5. Unter `APIs & Services > Credentials` einen OAuth-Client vom Typ `Web application` anlegen.
6. Als Authorized redirect URI eintragen:
- Produktion: `https://stechuhr3.tsschulz.de/api/auth/google/callback`
- Lokal, falls benötigt: `http://localhost:3010/api/auth/google/callback`
7. `Client ID` und `Client Secret` notieren.
## 2. Server-Environment setzen
Auf dem Server in der produktiven Environment-Datei folgende Werte setzen:
```env
GOOGLE_CLIENT_ID=<client-id-aus-google-console>
GOOGLE_CLIENT_SECRET=<client-secret-aus-google-console>
GOOGLE_CALLBACK_URL=https://stechuhr3.tsschulz.de/api/auth/google/callback
API_PUBLIC_URL=https://stechuhr3.tsschulz.de/api
FRONTEND_URL=https://stechuhr3.tsschulz.de
SESSION_SECRET=<langer-zufallswert>
JWT_SECRET=<bestehender-oder-langer-zufallswert>
```
Wichtig: `GOOGLE_CALLBACK_URL` muss exakt mit der Redirect URI in der Google Console übereinstimmen.
## 3. Backend deployen und neu starten
1. Code auf den Server bringen.
2. Backend neu starten, z. B. über das vorhandene Deploy-Skript oder PM2.
3. Log prüfen. Erwartet:
```text
✅ Google OAuth konfiguriert
```
Wenn stattdessen `Google OAuth nicht konfiguriert` erscheint, fehlen `GOOGLE_CLIENT_ID` oder `GOOGLE_CLIENT_SECRET` im laufenden Prozess.
## 4. Web-Frontend deployen
1. Frontend neu bauen.
2. Neue `dist`-Dateien deployen.
3. Browser-Cache bei Bedarf leeren.
## 5. Android-App neu bauen/installieren
1. Debug/APK oder Release/AAB neu bauen.
2. App neu installieren.
3. Prüfen, dass Android den Deep Link `timeclock://oauth-callback` öffnet.
## 6. Testfälle
1. Google-Account ohne vorhandene TimeClock-E-Mail:
- `Mit Google anmelden`
- Erwartung: neuer Account wird erstellt und eingeloggt.
2. Google-Account bereits verknüpft:
- `Mit Google anmelden`
- Erwartung: direkter Login.
3. Google-Account mit E-Mail eines bestehenden Passwort-Accounts:
- `Mit Google anmelden`
- Erwartung: Verknüpfungsabfrage.
- Bestehende E-Mail + Passwort eingeben.
- Erwartung: Account wird verknüpft und eingeloggt.
4. Eingeloggt unter `Persönliche Daten`:
- `Mit Google-Konto verknüpfen`
- Erwartung: Google Flow startet, danach Rückkehr und Verknüpfung.
5. Danach ausloggen und erneut `Mit Google anmelden`.
- Erwartung: direkter Login in denselben bestehenden Account.
## 7. Falls etwas fehlschlägt
- Google meldet `redirect_uri_mismatch`: Redirect URI in Google Console und `GOOGLE_CALLBACK_URL` vergleichen.
- Backend zeigt OAuth nicht konfiguriert: PM2/Deploy lädt die neuen Env-Werte nicht. Prozess mit aktualisierter Environment neu starten.
- Android kehrt nicht in die App zurück: prüfen, ob der Browser auf `timeclock://oauth-callback?...` weiterleitet und die neu gebaute App installiert ist.
- Verknüpfung schlägt fehl: prüfen, ob der alte Account wirklich ein Passwort hat. OAuth-only Accounts können sich nicht per Passwort bestätigen.

4
backend/env.production.template
View File

@@ -56,7 +56,8 @@ EMAIL_FROM_NAME=TimeClock Zeiterfassung
# Erstelle OAuth Credentials unter: https://console.cloud.google.com/
GOOGLE_CLIENT_ID=your-google-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=your-google-client-secret
GOOGLE_CALLBACK_URL=https://stechuhr3.tsschulz.de/api/auth/oauth/google/callback
GOOGLE_CALLBACK_URL=https://stechuhr3.tsschulz.de/api/auth/google/callback
API_PUBLIC_URL=https://stechuhr3.tsschulz.de/api
# =============================================================================
# SECURITY & CORS
@@ -88,4 +89,3 @@ BACKUP_DIR=/var/backups/timeclock
# Backup-Retention in Tagen
BACKUP_RETENTION_DAYS=30

4
backend/src/config/passport.js
View File

@@ -17,8 +17,7 @@ class PassportConfig {
},
async (accessToken, refreshToken, profile, done) => {
try {
const result = await oauthService.authenticateWithProvider(profile, 'google');
return done(null, result);
return done(null, { profile, provider: 'google' });
} catch (error) {
return done(error, null);
}
@@ -45,4 +44,3 @@ class PassportConfig {
module.exports = PassportConfig;

91
backend/src/controllers/OAuthController.js
View File

@@ -1,4 +1,5 @@
const passport = require('passport');
const oauthService = require('../services/OAuthService');
/**
* OAuth Controller
@@ -10,12 +11,38 @@ class OAuthController {
* GET /api/auth/google
*/
googleAuth(req, res, next) {
const state = req.query.stateToken || oauthService.createStateToken({
platform: req.query.platform === 'android' ? 'android' : 'web'
});
passport.authenticate('google', {
scope: ['profile', 'email'],
session: false
session: false,
state
})(req, res, next);
}
/**
* Google OAuth-Verknüpfung für eingeloggte Benutzer starten
* POST /api/auth/google/link-url
*/
createGoogleLinkUrl(req, res) {
try {
const platform = req.body?.platform === 'android' ? 'android' : 'web';
const stateToken = oauthService.createStateToken({
mode: 'link',
platform,
userId: req.user.userId
});
const baseUrl = process.env.API_PUBLIC_URL || `${req.protocol}://${req.get('host')}/api`;
res.json({
success: true,
url: `${baseUrl}/auth/google?stateToken=${encodeURIComponent(stateToken)}`
});
} catch (error) {
res.status(500).json({ success: false, error: error.message });
}
}
/**
* Google OAuth Callback
* GET /api/auth/google/callback
@@ -24,18 +51,67 @@ class OAuthController {
passport.authenticate('google', {
session: false,
failureRedirect: `${process.env.FRONTEND_URL || 'http://localhost:5010'}/login?error=oauth_failed`
}, (err, result) => {
}, async (err, result) => {
if (err || !result) {
console.error('Google OAuth Fehler:', err);
return res.redirect(`${process.env.FRONTEND_URL || 'http://localhost:5010'}/login?error=oauth_failed`);
}
// Redirect zum Frontend mit Token
const frontendUrl = process.env.FRONTEND_URL || 'http://localhost:5010';
res.redirect(`${frontendUrl}/oauth-callback?token=${result.token}`);
try {
const state = oauthService.verifyStateToken(req.query.state);
const authResult = await oauthService.completeOAuthLogin(result.profile, result.provider, {
linkUserId: state.mode === 'link' ? state.userId : null
});
const target = state.platform === 'android'
? 'timeclock://oauth-callback'
: `${process.env.FRONTEND_URL || 'http://localhost:5010'}/oauth-callback`;
if (authResult.requiresLink) {
const params = new URLSearchParams({
pending: authResult.pendingToken,
email: authResult.email || '',
provider: result.provider
});
return res.redirect(`${target}?${params.toString()}`);
}
return res.redirect(`${target}?token=${encodeURIComponent(authResult.token)}`);
} catch (callbackError) {
console.error('Google OAuth Callback-Verarbeitung fehlgeschlagen:', callbackError);
return res.redirect(`${process.env.FRONTEND_URL || 'http://localhost:5010'}/login?error=oauth_failed`);
}
})(req, res, next);
}
async linkExistingAccount(req, res) {
try {
const { pendingToken, email, password } = req.body;
if (!pendingToken || !email || !password) {
return res.status(400).json({ success: false, error: 'pendingToken, E-Mail und Passwort sind erforderlich' });
}
const result = await oauthService.linkPendingToPasswordAccount(pendingToken, email, password);
res.json({ success: true, token: result.token, user: result.user });
} catch (error) {
console.error('OAuth-Verknüpfung mit bestehendem Account fehlgeschlagen:', error);
res.status(401).json({ success: false, error: error.message });
}
}
async linkPendingToCurrentUser(req, res) {
try {
const { pendingToken } = req.body;
if (!pendingToken) {
return res.status(400).json({ success: false, error: 'pendingToken ist erforderlich' });
}
const result = await oauthService.linkPendingToAuthenticatedUser(pendingToken, req.user.userId);
res.json({ success: true, token: result.token, user: result.user });
} catch (error) {
console.error('OAuth-Verknüpfung fehlgeschlagen:', error);
res.status(400).json({ success: false, error: error.message });
}
}
/**
* OAuth-Identities für Benutzer abrufen
* GET /api/auth/identities
@@ -43,8 +119,6 @@ class OAuthController {
async getIdentities(req, res) {
try {
const userId = req.user.userId;
const oauthService = require('../services/OAuthService');
const identities = await oauthService.getUserIdentities(userId);
res.json({
@@ -69,8 +143,6 @@ class OAuthController {
try {
const userId = req.user.userId;
const { provider } = req.params;
const oauthService = require('../services/OAuthService');
const unlinked = await oauthService.unlinkProvider(userId, provider);
if (unlinked) {
@@ -98,4 +170,3 @@ class OAuthController {
module.exports = new OAuthController();

4
backend/src/routes/auth.js
View File

@@ -13,14 +13,16 @@ router.post('/reset-password', authController.resetPassword.bind(authController)
// OAuth Routes (öffentlich)
router.get('/google', oauthController.googleAuth.bind(oauthController));
router.get('/google/callback', oauthController.googleCallback.bind(oauthController));
router.post('/oauth/link-existing', oauthController.linkExistingAccount.bind(oauthController));
// Geschützte Routes (Auth erforderlich)
router.post('/logout', authenticateToken, authController.logout.bind(authController));
router.get('/me', authenticateToken, authController.getCurrentUser.bind(authController));
router.post('/change-password', authenticateToken, authController.changePassword.bind(authController));
router.get('/validate', authenticateToken, authController.validateToken.bind(authController));
router.post('/google/link-url', authenticateToken, oauthController.createGoogleLinkUrl.bind(oauthController));
router.post('/oauth/link-current', authenticateToken, oauthController.linkPendingToCurrentUser.bind(oauthController));
router.get('/identities', authenticateToken, oauthController.getIdentities.bind(oauthController));
router.delete('/identity/:provider', authenticateToken, oauthController.unlinkProvider.bind(oauthController));
module.exports = router;

116
backend/src/services/OAuthService.js
View File

@@ -19,6 +19,10 @@ class OAuthService {
* @returns {Promise<Object>} Token und Benutzer-Info
*/
async authenticateWithProvider(profile, provider) {
return this.completeOAuthLogin(profile, provider);
}
async completeOAuthLogin(profile, provider, options = {}) {
const { User, AuthInfo, AuthIdentity, AuthToken } = database.getModels();
const providerId = profile.id;
@@ -51,8 +55,29 @@ class OAuthService {
// Bestehender OAuth-Benutzer
authInfo = authIdentity.authInfo;
user = authInfo.user;
if (options.linkUserId && Number(user.id) !== Number(options.linkUserId)) {
throw new Error('Dieser Google-Account ist bereits mit einem anderen Benutzer verknüpft');
}
} else {
// Neuer OAuth-Benutzer oder Verknüpfung mit bestehendem Account
if (options.linkUserId) {
authInfo = await AuthInfo.findOne({
where: { user_id: options.linkUserId },
include: [{ model: User, as: 'user' }]
});
if (!authInfo) {
throw new Error('Benutzer für Verknüpfung nicht gefunden');
}
authIdentity = await AuthIdentity.create({
auth_info_id: authInfo.id,
provider,
identity: providerId,
version: 0
});
user = authInfo.user;
} else {
// Neuer OAuth-Benutzer oder explizite Verknüpfung mit bestehendem Account
// Prüfen ob Benutzer mit dieser E-Mail bereits existiert
if (email) {
@@ -66,15 +91,12 @@ class OAuthService {
}
if (authInfo) {
// Verknüpfe OAuth mit bestehendem Account
user = authInfo.user;
authIdentity = await AuthIdentity.create({
auth_info_id: authInfo.id,
provider,
identity: providerId,
version: 0
});
return {
requiresLink: true,
pendingToken: this.createPendingToken(profile, provider),
email,
displayName
};
} else {
// Neuen Benutzer erstellen
user = await User.create({
@@ -112,6 +134,70 @@ class OAuthService {
});
}
}
}
return this.createLoginResult(user, authInfo, provider);
}
createPendingToken(profile, provider) {
return jwt.sign(
{
provider,
providerId: profile.id,
email: profile.emails && profile.emails[0] ? profile.emails[0].value : null,
displayName: profile.displayName || profile.name || null,
type: 'oauth-pending'
},
this.jwtSecret,
{ expiresIn: '15m' }
);
}
verifyPendingToken(pendingToken) {
const data = jwt.verify(pendingToken, this.jwtSecret);
if (data.type !== 'oauth-pending' || !data.provider || !data.providerId) {
throw new Error('Ungültiger OAuth-Verknüpfungstoken');
}
return data;
}
createStateToken(data) {
return jwt.sign({ ...data, type: 'oauth-state' }, this.jwtSecret, { expiresIn: '15m' });
}
verifyStateToken(stateToken) {
if (!stateToken) return {};
const data = jwt.verify(stateToken, this.jwtSecret);
if (data.type !== 'oauth-state') {
throw new Error('Ungültiger OAuth-State');
}
return data;
}
async linkPendingToPasswordAccount(pendingToken, email, password) {
const authService = require('./AuthService');
const pending = this.verifyPendingToken(pendingToken);
const loginResult = await authService.login(email, password, '0');
const profile = {
id: pending.providerId,
displayName: pending.displayName || loginResult.user.full_name,
emails: pending.email ? [{ value: pending.email }] : []
};
return this.completeOAuthLogin(profile, pending.provider, { linkUserId: loginResult.user.id });
}
async linkPendingToAuthenticatedUser(pendingToken, userId) {
const pending = this.verifyPendingToken(pendingToken);
const profile = {
id: pending.providerId,
displayName: pending.displayName || null,
emails: pending.email ? [{ value: pending.email }] : []
};
return this.completeOAuthLogin(profile, pending.provider, { linkUserId: userId });
}
createLoginResult(user, authInfo, provider) {
const { AuthToken } = database.getModels();
// JWT Token generieren
const token = jwt.sign(
@@ -129,14 +215,12 @@ class OAuthService {
const expiresAt = new Date();
expiresAt.setHours(expiresAt.getHours() + 24);
await AuthToken.create({
return AuthToken.create({
auth_info_id: authInfo.id,
value: crypto.createHash('sha256').update(token).digest('hex'),
expires: expiresAt,
version: 0
});
return {
}).then(() => ({
token,
user: {
id: user.id,
@@ -145,7 +229,7 @@ class OAuthService {
role: user.role,
provider
}
};
}));
}
/**
@@ -205,5 +289,3 @@ class OAuthService {
module.exports = new OAuthService();

112
frontend/src/views/OAuthCallback.vue
View File

@@ -1,6 +1,24 @@
<template>
<div class="oauth-callback">
<div class="loading-container">
<div v-if="pendingToken" class="link-container">
<h2>Google-Konto verknüpfen</h2>
<p>
Für {{ googleEmail }} existiert bereits ein Account. Melden Sie sich mit dem bestehenden Account an,
um ihn mit Google zu verknüpfen.
</p>
<form @submit.prevent="linkExistingAccount" class="link-form">
<label>E-Mail-Adresse</label>
<input v-model="email" type="email" required>
<label>Passwort</label>
<input v-model="password" type="password" required>
<button class="btn btn-primary" :disabled="linking">
{{ linking ? 'Wird verknüpft...' : 'Bestehenden Account verknüpfen' }}
</button>
<button type="button" class="btn" @click="router.push('/login')">Abbrechen</button>
</form>
<p v-if="errorMessage" class="error">{{ errorMessage }}</p>
</div>
<div v-else class="loading-container">
<h2>{{ status }}</h2>
<div class="spinner"></div>
</div>
@@ -11,16 +29,60 @@
import { ref, onMounted } from 'vue'
import { useRoute, useRouter } from 'vue-router'
import { useAuthStore } from '../stores/authStore'
import { API_BASE_URL } from '@/config/api'
const route = useRoute()
const router = useRouter()
const authStore = useAuthStore()
const API_URL = API_BASE_URL
const status = ref('Authentifizierung läuft...')
const pendingToken = ref('')
const googleEmail = ref('')
const email = ref('')
const password = ref('')
const linking = ref(false)
const errorMessage = ref('')
async function finishLogin(token) {
authStore.saveToken(token)
await authStore.fetchCurrentUser()
status.value = 'Login erfolgreich! Sie werden weitergeleitet...'
setTimeout(() => {
router.push('/')
}, 1000)
}
async function linkExistingAccount() {
try {
linking.value = true
errorMessage.value = ''
const response = await fetch(`${API_URL}/auth/oauth/link-existing`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
pendingToken: pendingToken.value,
email: email.value,
password: password.value
})
})
const result = await response.json()
if (!response.ok || !result.success || !result.token) {
throw new Error(result.error || 'Verknüpfung fehlgeschlagen')
}
pendingToken.value = ''
await finishLogin(result.token)
} catch (error) {
errorMessage.value = error.message || 'Verknüpfung fehlgeschlagen'
} finally {
linking.value = false
}
}
onMounted(async () => {
const token = route.query.token
const error = route.query.error
const pending = route.query.pending
if (error) {
status.value = 'OAuth-Login fehlgeschlagen'
@@ -30,19 +92,16 @@ onMounted(async () => {
return
}
if (pending) {
pendingToken.value = pending
googleEmail.value = route.query.email || ''
email.value = route.query.email || ''
return
}
if (token) {
try {
// Token speichern
authStore.saveToken(token)
// Benutzer-Daten laden
await authStore.fetchCurrentUser()
status.value = 'Login erfolgreich! Sie werden weitergeleitet...'
setTimeout(() => {
router.push('/')
}, 1000)
await finishLogin(token)
} catch (err) {
status.value = 'Fehler beim Login'
setTimeout(() => {
@@ -71,6 +130,34 @@ onMounted(async () => {
text-align: center;
}
.link-container {
background: #fafafa;
border: 1px solid #e0e0e0;
border-radius: 6px;
padding: 24px;
width: min(460px, calc(100vw - 32px));
}
.link-container h2 {
margin-top: 0;
}
.link-form {
display: flex;
flex-direction: column;
gap: 10px;
}
.link-form input {
padding: 8px 12px;
border: 1px solid #ddd;
border-radius: 4px;
}
.error {
color: #d9534f;
}
.loading-container h2 {
color: #333;
font-weight: 500;
@@ -94,4 +181,3 @@ onMounted(async () => {
</style>

31
frontend/src/views/Profile.vue
View File

@@ -87,6 +87,13 @@
</select>
</div>
<div class="form-group">
<label>Google-Anmeldung</label>
<button type="button" class="btn" @click="linkGoogle" :disabled="loading">
Mit Google-Konto verknüpfen
</button>
</div>
<div class="form-actions">
<button type="submit" class="btn btn-primary" :disabled="loading">
{{ loading ? 'Wird gespeichert...' : 'Einstellungen speichern' }}
@@ -216,6 +223,29 @@ async function saveProfile() {
}
}
async function linkGoogle() {
try {
loading.value = true
const response = await fetch(`${API_URL}/auth/google/link-url`, {
method: 'POST',
headers: {
...authStore.getAuthHeaders(),
'Content-Type': 'application/json'
},
body: JSON.stringify({ platform: 'web' })
})
const result = await response.json()
if (!response.ok || !result.url) {
throw new Error(result.error || 'Google-Verknüpfung konnte nicht gestartet werden')
}
window.location.href = result.url
} catch (error) {
await alert(`Fehler: ${error.message}`, 'Fehler')
} finally {
loading.value = false
}
}
// Initiales Laden
onMounted(async () => {
await Promise.all([
@@ -325,4 +355,3 @@ onMounted(async () => {
box-shadow: 0 4px 8px rgba(76, 175, 80, 0.4);
}
</style>

BIN
mobile-app/composeApp/release/composeApp-release.aab
View File

Binary file not shown.

11
mobile-app/composeApp/src/main/AndroidManifest.xml
View File

@@ -11,11 +11,20 @@
android:theme="@style/Theme.TimeClock">
<activity
android:name=".MainActivity"
android:exported="true">
android:exported="true"
android:launchMode="singleTask">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data
android:scheme="timeclock"
android:host="oauth-callback" />
</intent-filter>
</activity>
</application>
</manifest>

41
mobile-app/composeApp/src/main/kotlin/de/tsschulz/timeclock/MainActivity.kt
View File

@@ -1,11 +1,14 @@
package de.tsschulz.timeclock
import android.graphics.Color
import android.content.Intent
import android.os.Bundle
import android.util.Log
import android.widget.TextView
import androidx.activity.ComponentActivity
import androidx.activity.compose.setContent
import androidx.compose.runtime.LaunchedEffect
import androidx.compose.runtime.mutableStateOf
import androidx.core.view.WindowCompat
import androidx.lifecycle.viewmodel.compose.viewModel
import de.tsschulz.timeclock.ui.TimeClockApp
@@ -17,9 +20,12 @@ import de.tsschulz.timeclock.ui.theme.TimeClockTheme
import de.tsschulz.timeclock.ui.time.TimeViewModel
class MainActivity : ComponentActivity() {
private val oauthCallback = mutableStateOf<OAuthCallback?>(null)
@Suppress("DEPRECATION")
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
oauthCallback.value = intent.toOAuthCallback()
Log.i(TAG, "MainActivity.onCreate")
window.statusBarColor = Color.rgb(240, 255, 236)
window.navigationBarColor = Color.WHITE
@@ -30,6 +36,20 @@ class MainActivity : ComponentActivity() {
val bookingViewModel: BookingViewModel = viewModel(factory = BookingViewModel.Factory(application))
val settingsViewModel: SettingsViewModel = viewModel(factory = SettingsViewModel.Factory(application))
val adminViewModel: AdminViewModel = viewModel(factory = AdminViewModel.Factory(application))
val callback = oauthCallback.value
LaunchedEffect(callback) {
when (callback) {
is OAuthCallback.Token -> {
authViewModel.completeOAuthToken(callback.token)
oauthCallback.value = null
}
is OAuthCallback.Pending -> {
authViewModel.requireOAuthLink(callback.pendingToken, callback.email)
oauthCallback.value = null
}
null -> Unit
}
}
TimeClockTheme {
TimeClockApp(
authViewModel = authViewModel,
@@ -58,7 +78,28 @@ class MainActivity : ComponentActivity() {
}
}
override fun onNewIntent(intent: Intent) {
super.onNewIntent(intent)
setIntent(intent)
oauthCallback.value = intent.toOAuthCallback()
}
private fun Intent?.toOAuthCallback(): OAuthCallback? {
val data = this?.data ?: return null
if (data.scheme != "timeclock" || data.host != "oauth-callback") return null
val token = data.getQueryParameter("token")
if (!token.isNullOrBlank()) return OAuthCallback.Token(token)
val pending = data.getQueryParameter("pending")
if (!pending.isNullOrBlank()) return OAuthCallback.Pending(pending, data.getQueryParameter("email"))
return null
}
private companion object {
const val TAG = "TimeClockStartup"
}
}
private sealed class OAuthCallback {
data class Token(val token: String) : OAuthCallback()
data class Pending(val pendingToken: String, val email: String?) : OAuthCallback()
}

19
mobile-app/composeApp/src/main/kotlin/de/tsschulz/timeclock/data/api/AuthDtos.kt
View File

@@ -50,3 +50,22 @@ data class LogoutResponse(
val success: Boolean = true,
val message: String? = null,
)
@Serializable
data class OAuthLinkUrlRequest(
val platform: String = "android",
)
@Serializable
data class OAuthLinkUrlResponse(
val success: Boolean = false,
val url: String? = null,
val error: String? = null,
)
@Serializable
data class OAuthLinkExistingRequest(
val pendingToken: String,
val email: String,
val password: String,
)

26
mobile-app/composeApp/src/main/kotlin/de/tsschulz/timeclock/data/api/TimeClockApiClient.kt
View File

@@ -69,6 +69,32 @@ class TimeClockApiClient(
return decode(LogoutResponse.serializer(), raw.ifBlank { "{}" })
}
fun googleLoginUrl(): String = endpoint("auth/google?platform=android")
suspend fun createGoogleLinkUrl(): OAuthLinkUrlResponse {
val raw = execute(
authorized("auth/google/link-url")
.post(json.encodeToString(OAuthLinkUrlRequest.serializer(), OAuthLinkUrlRequest()).toRequestBody(JsonMedia))
.build(),
)
return decode(OAuthLinkUrlResponse.serializer(), raw)
}
suspend fun linkExistingOAuthAccount(pendingToken: String, email: String, password: String): LoginResponse {
val raw = execute(
Request.Builder()
.url(endpoint("auth/oauth/link-existing"))
.post(
json.encodeToString(
OAuthLinkExistingRequest.serializer(),
OAuthLinkExistingRequest(pendingToken, email, password),
).toRequestBody(JsonMedia),
)
.build(),
)
return decode(LoginResponse.serializer(), raw)
}
suspend fun getCurrentState(): CurrentStateResponse {
val raw = execute(authorized("time-entries/current-state").get().build())
return decode(CurrentStateResponse.serializer(), raw)

33
mobile-app/composeApp/src/main/kotlin/de/tsschulz/timeclock/data/auth/AuthRepository.kt
View File

@@ -63,6 +63,39 @@ class AuthRepository(
}
}
fun googleLoginUrl(): String = api.googleLoginUrl()
suspend fun createGoogleLinkUrl(): Result<String> =
try {
val res = api.createGoogleLinkUrl()
if (res.success && !res.url.isNullOrBlank()) {
Result.success(res.url)
} else {
Result.failure(Exception(res.error ?: "Google-Verknüpfung konnte nicht gestartet werden"))
}
} catch (e: Exception) {
Result.failure(e)
}
suspend fun completeOAuthLogin(token: String): Result<UserProfile> {
tokenStore.saveToken(token)
val user = restoreSession()
return if (user != null) Result.success(user) else Result.failure(Exception("Google-Login konnte nicht abgeschlossen werden"))
}
suspend fun linkExistingOAuthAccount(pendingToken: String, email: String, password: String): Result<UserProfile> =
try {
val res = api.linkExistingOAuthAccount(pendingToken, email.trim(), password)
if (res.success && !res.token.isNullOrBlank() && res.user != null) {
tokenStore.saveToken(res.token)
Result.success(res.user.toProfile())
} else {
Result.failure(Exception(res.error ?: "Google-Verknüpfung fehlgeschlagen"))
}
} catch (e: Exception) {
Result.failure(e)
}
suspend fun logout() {
try {
api.postLogout()

8
mobile-app/composeApp/src/main/kotlin/de/tsschulz/timeclock/data/settings/SettingsRepository.kt
View File

@@ -20,6 +20,14 @@ class SettingsRepository(
suspend fun updateProfile(fullName: String, stateId: String?, weekWorkdays: Int, dailyHours: Double, preferredTitleType: Int) =
api.updateProfile(ProfileUpdateRequest(fullName, stateId, weekWorkdays, dailyHours, preferredTitleType))
suspend fun createGoogleLinkUrl(): String {
val response = api.createGoogleLinkUrl()
if (!response.success || response.url.isNullOrBlank()) {
throw IllegalStateException(response.error ?: "Google-Verknüpfung konnte nicht gestartet werden")
}
return response.url
}
suspend fun changePassword(oldPassword: String, newPassword: String, confirmPassword: String) =
api.changePassword(PasswordChangeRequest(oldPassword, newPassword, confirmPassword))

18
mobile-app/composeApp/src/main/kotlin/de/tsschulz/timeclock/ui/TimeClockApp.kt
View File

@@ -1,5 +1,7 @@
package de.tsschulz.timeclock.ui
import android.content.Intent
import android.net.Uri
import androidx.compose.foundation.background
import androidx.compose.foundation.border
import androidx.compose.foundation.layout.Arrangement
@@ -19,6 +21,7 @@ import androidx.compose.runtime.remember
import androidx.compose.runtime.setValue
import androidx.compose.ui.Alignment
import androidx.compose.ui.Modifier
import androidx.compose.ui.platform.LocalContext
import androidx.compose.ui.text.font.FontWeight
import androidx.compose.ui.unit.dp
import androidx.compose.ui.unit.sp
@@ -77,12 +80,24 @@ fun TimeClockApp(
val bookingState by bookingViewModel.uiState.collectAsStateWithLifecycle()
val settingsState by settingsViewModel.uiState.collectAsStateWithLifecycle()
val adminState by adminViewModel.uiState.collectAsStateWithLifecycle()
val context = LocalContext.current
val openUrl: (String) -> Unit = { url ->
context.startActivity(Intent(Intent.ACTION_VIEW, Uri.parse(url)))
}
LaunchedEffect(settingsState.googleLinkUrl) {
settingsState.googleLinkUrl?.let {
openUrl(it)
settingsViewModel.consumeGoogleLinkUrl()
}
}
if (!authState.isAuthenticated) {
LaunchedEffect(Unit) { timeViewModel.stop() }
LoginScreen(
state = authState,
onLogin = { e, p, action -> authViewModel.login(e, p, action) },
onGoogleLogin = { openUrl(authViewModel.googleLoginUrl()) },
onLinkExistingGoogleAccount = { e, p -> authViewModel.linkExistingOAuthAccount(e, p) },
onRetryBootstrap = { authViewModel.retryBootstrap() },
)
return
@@ -93,6 +108,8 @@ fun TimeClockApp(
LoginScreen(
state = authState,
onLogin = { e, p, action -> authViewModel.login(e, p, action) },
onGoogleLogin = { openUrl(authViewModel.googleLoginUrl()) },
onLinkExistingGoogleAccount = { e, p -> authViewModel.linkExistingOAuthAccount(e, p) },
onRetryBootstrap = { authViewModel.retryBootstrap() },
)
return
@@ -238,6 +255,7 @@ private fun DemoScreen(
onSave = { name, stateId, weekWorkdays, dailyHours, titleType ->
settingsViewModel.updateProfile(name, stateId, weekWorkdays, dailyHours, titleType)
},
onLinkGoogle = { settingsViewModel.startGoogleLink() },
)
}
AppRoute.Password -> PasswordScreen(

68
mobile-app/composeApp/src/main/kotlin/de/tsschulz/timeclock/ui/auth/AuthViewModel.kt
View File

@@ -20,6 +20,9 @@ data class AuthUiState(
val user: UserProfile? = null,
val loginInProgress: Boolean = false,
val error: String? = null,
val googleLoginUrl: String? = null,
val oauthPendingToken: String? = null,
val oauthPendingEmail: String? = null,
/** Gespeicherter Token, aber `/auth/me` ist fehlgeschlagen (z. B. offline). */
val bootstrapWarn: String? = null,
)
@@ -35,6 +38,8 @@ class AuthViewModel(
viewModelScope.launch { runBootstrap() }
}
fun googleLoginUrl(): String = repository.googleLoginUrl()
private suspend fun runBootstrap() {
val user = repository.restoreSession()
val warn = if (user == null && repository.hasStoredToken()) {
@@ -88,6 +93,69 @@ class AuthViewModel(
}
}
fun completeOAuthToken(token: String) {
viewModelScope.launch {
_uiState.update { it.copy(loginInProgress = true, error = null) }
repository.completeOAuthLogin(token).fold(
onSuccess = { user ->
_uiState.update {
it.copy(
loginInProgress = false,
isAuthenticated = true,
user = user,
error = null,
oauthPendingToken = null,
oauthPendingEmail = null,
bootstrapWarn = null,
)
}
},
onFailure = { e ->
_uiState.update { it.copy(loginInProgress = false, error = e.message ?: "Google-Login fehlgeschlagen") }
},
)
}
}
fun requireOAuthLink(pendingToken: String, email: String?) {
_uiState.update {
it.copy(
bootstrapping = false,
loginInProgress = false,
oauthPendingToken = pendingToken,
oauthPendingEmail = email,
error = null,
)
}
}
fun linkExistingOAuthAccount(email: String, password: String) {
val pendingToken = _uiState.value.oauthPendingToken
if (pendingToken.isNullOrBlank()) {
_uiState.update { it.copy(error = "Keine Google-Verknüpfung offen") }
return
}
viewModelScope.launch {
_uiState.update { it.copy(loginInProgress = true, error = null) }
repository.linkExistingOAuthAccount(pendingToken, email, password).fold(
onSuccess = { user ->
_uiState.update {
it.copy(
loginInProgress = false,
isAuthenticated = true,
user = user,
oauthPendingToken = null,
oauthPendingEmail = null,
)
}
},
onFailure = { e ->
_uiState.update { it.copy(loginInProgress = false, error = e.message ?: "Google-Verknüpfung fehlgeschlagen") }
},
)
}
}
fun retryBootstrap() {
viewModelScope.launch {
_uiState.update { it.copy(bootstrapping = true, bootstrapWarn = null) }

51
mobile-app/composeApp/src/main/kotlin/de/tsschulz/timeclock/ui/auth/LoginScreen.kt
View File

@@ -49,11 +49,15 @@ import de.tsschulz.timeclock.ui.theme.TcSpacing
fun LoginScreen(
state: AuthUiState,
onLogin: (email: String, password: String, action: String) -> Unit,
onGoogleLogin: () -> Unit,
onLinkExistingGoogleAccount: (email: String, password: String) -> Unit,
onRetryBootstrap: () -> Unit,
modifier: Modifier = Modifier,
) {
var email by rememberSaveable { mutableStateOf("") }
var password by rememberSaveable { mutableStateOf("") }
var linkEmail by rememberSaveable { mutableStateOf("") }
var linkPassword by rememberSaveable { mutableStateOf("") }
BoxWithConstraints(
modifier = modifier
@@ -139,6 +143,27 @@ fun LoginScreen(
state.error?.let { AuthErrorBanner(message = it) }
if (!state.oauthPendingToken.isNullOrBlank()) {
if (linkEmail.isBlank()) linkEmail = state.oauthPendingEmail.orEmpty()
Text(
text = "Für ${state.oauthPendingEmail ?: "dieses Google-Konto"} existiert bereits ein Account. Melden Sie sich mit dem bestehenden Account an, um ihn zu verknüpfen.",
color = TcColors.Text,
fontSize = 14.sp,
)
AuthFormRow(label = "E-Mail-Adresse", horizontal = useWideFormRows) {
TcTextField(label = "", value = linkEmail, onValueChange = { linkEmail = it }, showLabel = false)
}
AuthFormRow(label = "Passwort", horizontal = useWideFormRows) {
TcTextField(label = "", value = linkPassword, onValueChange = { linkPassword = it }, isPassword = true, showLabel = false)
}
Row(modifier = Modifier.fillMaxWidth(), horizontalArrangement = Arrangement.Center) {
TcButton(
text = if (state.loginInProgress) "Wird verknüpft…" else "Bestehenden Account verknüpfen",
variant = ButtonVariant.Primary,
onClick = { onLinkExistingGoogleAccount(linkEmail, linkPassword) },
)
}
} else {
AuthFormRow(
label = "E-Mail-Adresse",
horizontal = useWideFormRows,
@@ -179,6 +204,17 @@ fun LoginScreen(
contentPadding = PaddingValues(horizontal = 24.dp, vertical = 10.dp),
)
}
OAuthDivider()
Row(modifier = Modifier.fillMaxWidth(), horizontalArrangement = Arrangement.Center) {
TcButton(
text = "Mit Google anmelden",
variant = ButtonVariant.Default,
onClick = onGoogleLogin,
modifier = Modifier.defaultMinSize(minWidth = 220.dp),
contentPadding = PaddingValues(horizontal = 24.dp, vertical = 10.dp),
)
}
}
}
@@ -187,6 +223,21 @@ fun LoginScreen(
}
}
}
}
}
@Composable
private fun OAuthDivider() {
Row(
modifier = Modifier.fillMaxWidth(),
verticalAlignment = Alignment.CenterVertically,
horizontalArrangement = Arrangement.spacedBy(TcSpacing.Md),
) {
HorizontalDivider(modifier = Modifier.weight(1f), color = TcColors.Border)
Text("oder", color = TcColors.DividerText, fontSize = 14.sp)
HorizontalDivider(modifier = Modifier.weight(1f), color = TcColors.Border)
}
}
@Composable
private fun LoginTopBar() {

3
mobile-app/composeApp/src/main/kotlin/de/tsschulz/timeclock/ui/settings/SettingsScreens.kt
View File

@@ -49,6 +49,7 @@ fun ProfileScreen(
state: SettingsUiState,
isTablet: Boolean,
onSave: (String, String?, Int, Double, Int) -> Unit,
onLinkGoogle: () -> Unit,
) {
val profile = state.profile
var fullName by rememberSaveable { mutableStateOf("") }
@@ -80,6 +81,8 @@ fun ProfileScreen(
TcTextField("Arbeitstage pro Woche", weekWorkdays, { weekWorkdays = it }, placeholder = "5")
TcTextField("Stunden pro Tag", dailyHours, { dailyHours = it }, placeholder = "8.0")
TitleTypeDropdown(preferredTitleType, { preferredTitleType = it })
FieldLabel("Google-Anmeldung")
TcButton("Mit Google-Konto verknüpfen", variant = ButtonVariant.Default, onClick = onLinkGoogle)
TcButton("Speichern", variant = ButtonVariant.Primary, onClick = {
onSave(
fullName,

14
mobile-app/composeApp/src/main/kotlin/de/tsschulz/timeclock/ui/settings/SettingsViewModel.kt
View File

@@ -27,6 +27,7 @@ data class SettingsUiState(
val timewishes: List<TimewishDto> = emptyList(),
val invites: List<InvitationDto> = emptyList(),
val watchers: List<WatcherDto> = emptyList(),
val googleLinkUrl: String? = null,
)
class SettingsViewModel(
@@ -48,6 +49,19 @@ class SettingsViewModel(
loadProfile()
}
fun startGoogleLink() {
viewModelScope.launch {
_uiState.update { it.copy(loading = true, error = null, googleLinkUrl = null) }
runCatching { repository.createGoogleLinkUrl() }
.onSuccess { url -> _uiState.update { it.copy(loading = false, googleLinkUrl = url) } }
.onFailure { e -> _uiState.update { it.copy(loading = false, error = e.message ?: "Google-Verknüpfung konnte nicht gestartet werden") } }
}
}
fun consumeGoogleLinkUrl() {
_uiState.update { it.copy(googleLinkUrl = null) }
}
fun changePassword(oldPassword: String, newPassword: String, confirmPassword: String) = launchMutation("Passwort geändert") {
repository.changePassword(oldPassword, newPassword, confirmPassword)
}