feat: add Google OAuth login alongside GitHub

Create unified /login page with GitHub and Google sign-in options. Refactor auth callbacks into provider-specific routes (/api/auth/callback/{github,google}). Update all login redirects to use new /login page with return_to parameter. Add state validation and CSRF protection via auth_state cookie.

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>

Author: fullstackjam

src/routes/+page.svelte

@@ -251,12 +251,12 @@
 					<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><rect x="3" y="3" width="7" height="7" /><rect x="14" y="3" width="7" height="7" /><rect x="14" y="14" width="7" height="7" /><rect x="3" y="14" width="7" height="7" /></svg>
 					Dashboard
 				</a>
-			{:else}
-				<a href="/api/auth/login">
-					<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M12 20h9"/><path d="M16.5 3.5a2.121 2.121 0 0 1 3 3L7 19l-4 1 1-4L16.5 3.5z"/></svg>
-					Custom Configs
-				</a>
-			{/if}
+		{:else}
+			<a href="/login">
+				<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M12 20h9"/><path d="M16.5 3.5a2.121 2.121 0 0 1 3 3L7 19l-4 1 1-4L16.5 3.5z"/></svg>
+				Custom Configs
+			</a>
+		{/if}
 			<a href="/docs">
 				<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z"/><polyline points="14 2 14 8 20 8"/><line x1="16" y1="13" x2="8" y2="13"/><line x1="16" y1="17" x2="8" y2="17"/><polyline points="10 9 9 9 8 9"/></svg>
 				Docs

src/routes/[username]/[slug]/+page.svelte

@@ -57,7 +57,7 @@
 		try {
 			const authCheck = await fetch('/api/user');
 			if (!authCheck.ok) {
-				window.location.href = '/api/auth/login';
+				window.location.href = `/login?return_to=${encodeURIComponent(window.location.pathname)}`;
 				return;
 			}
 

src/routes/api/auth/callback/+server.ts …utes/api/auth/callback/github/+server.tssrc/routes/api/auth/callback/+server.ts renamed to src/routes/api/auth/callback/github/+server.ts src/routes/api/auth/callback/+server.ts renamed to src/routes/api/auth/callback/github/+server.ts

@@ -10,8 +10,15 @@ export const GET: RequestHandler = async ({ url, platform, cookies }) => {
 	if (!env) throw new Error('Platform env not available');
 
 	const code = url.searchParams.get('code');
+	const state = url.searchParams.get('state');
+	const savedState = cookies.get('auth_state');
+
 	if (!code) {
-		redirect(302, `${env.APP_URL}?error=no_code`);
+		redirect(302, '/login?error=no_code');
+	}
+
+	if (state !== savedState) {
+		redirect(302, '/login?error=invalid_state');
 	}
 
 	const tokenResponse = await fetch(GITHUB_TOKEN_URL, {
@@ -94,5 +101,9 @@ export const GET: RequestHandler = async ({ url, platform, cookies }) => {
 		maxAge: thirtyDays
 	});
 
-	redirect(302, '/dashboard');
+	const returnTo = cookies.get('auth_return_to') || '/dashboard';
+	cookies.delete('auth_state', { path: '/' });
+	cookies.delete('auth_return_to', { path: '/' });
+
+	redirect(302, returnTo);
 };

src/routes/api/auth/callback/google/+server.ts

@@ -0,0 +1,105 @@
+import { redirect } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { signToken, generateId, slugify } from '$lib/server/auth';
+
+const GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';
+const GOOGLE_USERINFO_URL = 'https://www.googleapis.com/oauth2/v2/userinfo';
+
+export const GET: RequestHandler = async ({ url, platform, cookies }) => {
+	const env = platform?.env;
+	if (!env) throw new Error('Platform env not available');
+
+	const code = url.searchParams.get('code');
+	const state = url.searchParams.get('state');
+	const savedState = cookies.get('auth_state');
+
+	if (!code) {
+		redirect(302, '/login?error=no_code');
+	}
+
+	if (state !== savedState) {
+		redirect(302, '/login?error=invalid_state');
+	}
+
+	const tokenResponse = await fetch(GOOGLE_TOKEN_URL, {
+		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		body: JSON.stringify({
+			client_id: env.GOOGLE_CLIENT_ID,
+			client_secret: env.GOOGLE_CLIENT_SECRET,
+			code,
+			redirect_uri: `${env.APP_URL}/api/auth/callback/google`,
+			grant_type: 'authorization_code'
+		})
+	});
+
+	const tokenData = await tokenResponse.json();
+	if (tokenData.error || !tokenData.access_token) {
+		redirect(302, '/login?error=token_failed');
+	}
+
+	const userResponse = await fetch(GOOGLE_USERINFO_URL, {
+		headers: { Authorization: `Bearer ${tokenData.access_token}` }
+	});
+
+	const googleUser = await userResponse.json();
+	if (!googleUser.id || !googleUser.email) {
+		redirect(302, '/login?error=user_failed');
+	}
+
+	const userId = `google_${googleUser.id}`;
+	const reservedUsernames = ['openboot', 'admin', 'api', 'dashboard', 'install', 'login', 'logout', 'settings', 'help', 'support', 'docs', 'blog'];
+	
+	let username = slugify(googleUser.email.split('@')[0]);
+	if (reservedUsernames.includes(username.toLowerCase()) || username.length < 3) {
+		username = `user-${googleUser.id.slice(-8)}`;
+	}
+
+	const existingUser = await env.DB.prepare('SELECT username FROM users WHERE id = ?').bind(userId).first();
+	if (existingUser) {
+		username = (existingUser as { username: string }).username;
+	}
+
+	await env.DB.prepare(
+		`
+		INSERT INTO users (id, username, email, avatar_url, updated_at)
+		VALUES (?, ?, ?, ?, datetime('now'))
+		ON CONFLICT(id) DO UPDATE SET
+			email = excluded.email,
+			avatar_url = excluded.avatar_url,
+			updated_at = datetime('now')
+	`
+	)
+		.bind(userId, username, googleUser.email, googleUser.picture || '')
+		.run();
+
+	const existingConfig = await env.DB.prepare('SELECT id FROM configs WHERE user_id = ? AND slug = ?').bind(userId, 'default').first();
+
+	if (!existingConfig) {
+		await env.DB.prepare(
+			`
+			INSERT INTO configs (id, user_id, slug, name, description, base_preset, packages)
+			VALUES (?, ?, 'default', 'Default', 'My default configuration', 'developer', '[]')
+		`
+		)
+			.bind(generateId(), userId)
+			.run();
+	}
+
+	const thirtyDays = 30 * 24 * 60 * 60;
+	const token = await signToken({ userId, username, exp: Date.now() + thirtyDays * 1000 }, env.JWT_SECRET);
+
+	cookies.set('session', token, {
+		path: '/',
+		httpOnly: true,
+		secure: true,
+		sameSite: 'lax',
+		maxAge: thirtyDays
+	});
+
+	const returnTo = cookies.get('auth_return_to') || '/dashboard';
+	cookies.delete('auth_state', { path: '/' });
+	cookies.delete('auth_return_to', { path: '/' });
+
+	redirect(302, returnTo);
+};

src/routes/api/auth/login/+server.ts

@@ -2,16 +2,45 @@ import { redirect } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
 
 const GITHUB_AUTHORIZE_URL = 'https://github.com/login/oauth/authorize';
+const GOOGLE_AUTHORIZE_URL = 'https://accounts.google.com/o/oauth2/v2/auth';
 
-export const GET: RequestHandler = async ({ platform }) => {
+export const GET: RequestHandler = async ({ url, platform, cookies }) => {
 	const env = platform?.env;
 	if (!env) throw new Error('Platform env not available');
 
+	const provider = url.searchParams.get('provider') || 'github';
+	const returnTo = url.searchParams.get('return_to') || '/dashboard';
+	const state = crypto.randomUUID();
+
+	const cookieOptions = {
+		path: '/',
+		httpOnly: true,
+		secure: true,
+		sameSite: 'lax' as const,
+		maxAge: 600
+	};
+
+	cookies.set('auth_return_to', returnTo, cookieOptions);
+	cookies.set('auth_state', state, cookieOptions);
+
+	if (provider === 'google') {
+		const params = new URLSearchParams({
+			client_id: env.GOOGLE_CLIENT_ID,
+			redirect_uri: `${env.APP_URL}/api/auth/callback/google`,
+			response_type: 'code',
+			scope: 'openid email profile',
+			state,
+			access_type: 'online',
+			prompt: 'select_account'
+		});
+		redirect(302, `${GOOGLE_AUTHORIZE_URL}?${params}`);
+	}
+
 	const params = new URLSearchParams({
 		client_id: env.GITHUB_CLIENT_ID,
-		redirect_uri: `${env.APP_URL}/api/auth/callback`,
+		redirect_uri: `${env.APP_URL}/api/auth/callback/github`,
 		scope: 'read:user user:email',
-		state: crypto.randomUUID()
+		state
 	});
 
 	redirect(302, `${GITHUB_AUTHORIZE_URL}?${params}`);

src/routes/cli-auth/+page.svelte

@@ -24,7 +24,7 @@
 
 		if (!$auth.user && !$auth.loading) {
 			const returnTo = encodeURIComponent(`/cli-auth?code=${urlCode}`);
-			window.location.href = `/api/auth/login?return_to=${returnTo}`;
+			window.location.href = `/login?return_to=${returnTo}`;
 			return;
 		}
 

src/routes/dashboard/+page.svelte

@@ -210,7 +210,7 @@
 	onMount(async () => {
 		await auth.check();
 		if (!$auth.user && !$auth.loading) {
-			goto('/api/auth/login');
+			goto('/login?return_to=/dashboard');
 			return;
 		}
 		await loadConfigs();

src/routes/docs/+page.svelte

@@ -97,7 +97,7 @@
 					Dashboard
 				</Button>
 			{:else}
-				<Button href="/api/auth/login" variant="secondary">
+				<Button href="/login" variant="secondary">
 					<svg width="18" height="18" viewBox="0 0 24 24" fill="currentColor">
 						<path
 							d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23.957-.266 1.983-.399 3.003-.404 1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576 4.765-1.589 8.199-6.086 8.199-11.386 0-6.627-5.373-12-12-12z"