Shop It Docs
Developer Resourcesauth

Auth Module Backend Documentation

Internal auth architecture with split admin/customer controllers and Google OAuth customer-only behavior.

Auth - Backend Documentation

1. Module Scope

Shared AuthModule provides auth primitives used by two HTTP surfaces:

  • Admin controller: /api/auth/*
  • Mobile customer controller: /api/mobile/auth/*

Core responsibilities:

  • email/password auth
  • session/token issuance + refresh/logout
  • email/phone verification flows
  • password reset flows
  • customer Google OAuth login/linking/signup

2. Composition

2.1 Controllers

  • apps/api/src/modules/auth/auth.controller.ts
    • admin/backoffice auth routes
    • no Google OAuth endpoints
  • apps/api/src/modules/mobile/auth/auth.controller.ts
    • customer/mobile auth routes
    • owns Google OAuth endpoints (google, google/callback)

2.2 Strategies and guards

  • LocalStrategy + LocalAuthGuard for admin email login
  • JwtStrategy + JwtAuthGuard for protected routes
  • GoogleStrategy + GoogleAuthGuard for customer Google OAuth flow

2.3 Core services

  • AuthService
  • AuthSessionService
  • AuthUserQueryService
  • AuthTokenService
  • AuthEmailService
  • VerificationTokenService

3. Google OAuth Execution Path (Customer Only)

  1. GET /api/mobile/auth/google triggers GoogleAuthGuard redirect.
  2. Google calls GET /api/mobile/auth/google/callback.
  3. GoogleStrategy.validate() returns profile payload (id, email, displayName, photoUrl) and provider tokens.
  4. AuthService.handleGoogleOAuth() applies runtime rules:
    • reject missing email
    • reject if email belongs to admin user
    • find existing customer by email
    • upsert/link Google account row
    • auto-mark customer emailVerified=true when needed
    • auto-create customer + Google account when customer does not exist
  5. Service issues session + tokens via existing auth issuance path.
  6. Mobile controller returns ResponseDto("Google login successful.", { user, tokens }).

4. Data Model Effects

Tables touched in Google flow:

  • customers
  • admin_users (lookup check only)
  • account
  • customer_sessions

Write behavior:

  • Existing linked customer: updates account token columns.
  • Existing unlinked customer: creates Google provider link row in account.
  • Existing unverified customer: updates customers.email_verified = true.
  • New customer: inserts into customers and inserts provider link into account.

5. Behavior Clarifications

5.1 New user via Google

Customer is auto-signed-up (customer row created), then logged in immediately.

5.2 Existing customer with pending email verification

Successful Google login on same email upgrades account to verified and logs user in.

5.3 Admin account attempting Google login

Rejected with unauthorized response; admin must use email/password flow.

6. Configuration

Google config keys:

  • GOOGLE_CLIENT_ID
  • GOOGLE_CLIENT_SECRET
  • GOOGLE_CALLBACK_URL

Expected callback route:

  • http://<host>:<port>/api/mobile/auth/google/callback

7. Security and Operational Controls

  • DTO validation via global ValidationPipe
  • endpoint throttling via IpThrottlerGuard + @IpThrottle
  • banned-user protection via user-query checks
  • token/session rotation centralized in session service

This keeps Google flow aligned with the same session issuance policy as email login.

Auth Module API & Integration Guide

Endpoint reference for admin auth and customer mobile auth, including Google OAuth customer flow and edge-case behavior.

Auth Module Feature Guide

Functional behavior of admin auth, customer mobile auth, Google login/signup/linking, and verification edge cases.

On this page

Auth - Backend Documentation1. Module Scope2. Composition2.1 Controllers2.2 Strategies and guards2.3 Core services3. Google OAuth Execution Path (Customer Only)4. Data Model Effects5. Behavior Clarifications5.1 New user via Google5.2 Existing customer with pending email verification5.3 Admin account attempting Google login6. Configuration7. Security and Operational Controls