1004: Add new endpoint for google token exchange #609
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR adds a new Google OAuth token exchange endpoint (/api/google/auth/exchange-code) to support the classroom importer feature. The endpoint accepts an authorization code from Google's OAuth flow and exchanges it for access tokens.
Key changes:
- New controller endpoint for exchanging Google OAuth authorization codes for access tokens
- Authorization restricted to school teachers and owners (students cannot access)
- Comprehensive test coverage for success, error, and authorization scenarios
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| app/controllers/api/google_auth_controller.rb | New controller implementing the token exchange endpoint with parameter validation and error handling |
| app/views/api/google_auth/exchange_code.json.jbuilder | View template that returns Google's token response fields (access_token, expires_in, token_type, scope, id_token) |
| config/routes.rb | Adds POST route /api/google/auth/exchange-code mapped to the new controller action |
| app/models/ability.rb | Grants exchange_code permission to school teachers and owners for the :google_auth resource |
| spec/requests/api/google_auth_controller_spec.rb | Comprehensive request specs covering successful exchanges, Google API errors, network failures, parameter validation, and authorization |
| spec/models/ability_spec.rb | Tests verifying authorization rules for different user roles (owners, teachers, students, unauthenticated users) |
| .env.example | Adds GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET environment variable examples with documentation reference |
| app/controllers/auth_controller.rb | Removes commented-out code (cleanup, no functional changes) |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
| before_action :authorize_user | ||
| authorize_resource :google_auth, class: false | ||
|
|
||
| def exchange_code |
There was a problem hiding this comment.
My only thought is that this method is quite long and whether all this needs to be in the controller, or if some of this (like sending the actual request) could be factored out into another file?
There was a problem hiding this comment.
I'd rather avoid the boiler plate and added complexity of factoring it into a poro via a service or something, but have split the code into smaller methods, is that ok?
Status
What's changed?
Adds a new endpoint to support google token exchange for the classroom importer
Steps to perform after deploying to production
N/A