sameer2210
diff --git a/‎backend/bun.lock‎
Lines changed: 31 additions & 0 deletions b/‎backend/bun.lock‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎backend/package.json‎
Lines changed: 1 addition & 0 deletions b/‎backend/package.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎backend/src/app.js‎
Lines changed: 13 additions & 1 deletion b/‎backend/src/app.js‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎backend/src/controllers/auth.controller.js‎
Lines changed: 176 additions & 29 deletions b/‎backend/src/controllers/auth.controller.js‎
Lines changed: 176 additions & 29 deletions
@@ -14,6 +14,7 @@
     "cors": "^2.8.5",
     "dotenv": "^17.3.1",
     "express": "^5.1.0",
+    "google-auth-library": "^10.6.2",
     "jsonwebtoken": "^9.0.2",
     "mongoose": "^9.2.3",
     "morgan": "^1.10.1",
 
@@ -16,10 +16,22 @@ app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
 app.use(cookieParser());
 
+const allowedOrigins = (process.env.FRONTEND_URL || "http://localhost:5173")
+  .split(",")
+  .map((origin) => origin.trim())
+  .filter(Boolean);
+
 app.use(
   cors({
-    origin: process.env.FRONTEND_URL || 'http://localhost:5173',
+    origin: (origin, callback) => {
+      if (!origin || allowedOrigins.includes(origin)) {
+        return callback(null, true);
+      }
+      return callback(new Error("Not allowed by CORS"));
+    },
     credentials: true,
+    methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
+    allowedHeaders: ["Content-Type", "Authorization"],
   })
 );
 
 
@@ -1,60 +1,207 @@
-// controllers/auth.controller.js
-import User from '../models/user.model.js';
-import generateToken from '../utils/generateToken.js';
+import { OAuth2Client } from "google-auth-library";
+import User from "../models/user.model.js";
+import { clearAuthCookie, setAuthCookie } from "../utils/authCookie.js";
+import generateToken from "../utils/generateToken.js";
 
-// REGISTER (only for normal users, admin comes from seed file)
 const allowedRoles = new Set(["developer", "client"]);
 
+const getSafeRole = (role) => (allowedRoles.has(role) ? role : "client");
+
+const serializeUser = (user) => ({
+  _id: user._id,
+  name: user.name,
+  email: user.email,
+  role: user.role,
+  profilePic: user.profilePic || user.avatar || "",
+  googleId: user.googleId || null,
+});
+
+const sendAuthResponse = (res, user, statusCode = 200) => {
+  const token = generateToken(user._id);
+  setAuthCookie(res, token);
+
+  res.status(statusCode).json({
+    ...serializeUser(user),
+    token,
+  });
+};
+
+const getGoogleAudienceList = () => {
+  const rawIds =
+    process.env.GOOGLE_CLIENT_IDS || process.env.GOOGLE_CLIENT_ID || "";
+  const audience = rawIds
+    .split(",")
+    .map((id) => id.trim())
+    .filter(Boolean);
+
+  if (!audience.length) {
+    const error = new Error(
+      "Google OAuth is not configured. Set GOOGLE_CLIENT_ID (or GOOGLE_CLIENT_IDS)."
+    );
+    error.statusCode = 500;
+    throw error;
+  }
+
+  return audience;
+};
+
+const getGoogleClient = () => {
+  return new OAuth2Client();
+};
+
 export const registerUser = async (req, res, next) => {
   try {
     const { name, email, password, role } = req.body;
 
-    const userExists = await User.findOne({ email });
-    if (userExists) {
+    if (!name || !email || !password) {
       res.status(400);
-      throw new Error('User already exists');
+      throw new Error("Name, email and password are required.");
     }
 
-    const safeRole = allowedRoles.has(role) ? role : "client";
+    const existingUser = await User.findOne({ email: email.toLowerCase() });
+    if (existingUser) {
+      res.status(400);
+      throw new Error("User already exists");
+    }
 
     const user = await User.create({
-      name,
-      email,
+      name: name.trim(),
+      email: email.toLowerCase(),
       password,
-      role: safeRole,
+      role: getSafeRole(role),
     });
 
-    res.status(201).json({
-      _id: user._id,
-      name: user.name,
-      email: user.email,
-      role: user.role,
-      token: generateToken(user._id),
-    });
+    sendAuthResponse(res, user, 201);
   } catch (error) {
     next(error);
   }
 };
 
-// LOGIN (works for both user & admin)
 export const loginUser = async (req, res, next) => {
   try {
     const { email, password } = req.body;
 
-    const user = await User.findOne({ email });
-    if (user && (await user.matchPassword(password))) {
-      res.json({
-        _id: user._id,
-        name: user.name,
-        email: user.email,
-        role: user.role, // tells frontend if this is "admin" or "user"
-        token: generateToken(user._id),
+    if (!email || !password) {
+      res.status(400);
+      throw new Error("Email and password are required.");
+    }
+
+    const user = await User.findOne({ email: email.toLowerCase() });
+    if (!user) {
+      res.status(401);
+      throw new Error("Invalid email or password");
+    }
+
+    if (!user.password) {
+      res.status(400);
+      throw new Error(
+        "This account uses Google sign-in. Continue with Google to log in."
+      );
+    }
+
+    const isPasswordValid = await user.matchPassword(password);
+    if (!isPasswordValid) {
+      res.status(401);
+      throw new Error("Invalid email or password");
+    }
+
+    sendAuthResponse(res, user);
+  } catch (error) {
+    next(error);
+  }
+};
+
+export const googleAuth = async (req, res, next) => {
+  try {
+    const { token: googleIdToken, role } = req.body;
+
+    if (!googleIdToken) {
+      res.status(400);
+      throw new Error("Google ID token is required.");
+    }
+
+    const audience = getGoogleAudienceList();
+    const oauthClient = getGoogleClient();
+
+    const ticket = await oauthClient.verifyIdToken({
+      idToken: googleIdToken,
+      audience,
+    });
+
+    const payload = ticket.getPayload();
+    if (!payload) {
+      res.status(401);
+      throw new Error("Invalid Google token payload.");
+    }
+
+    const googleId = payload.sub;
+    const email = payload.email?.toLowerCase();
+    const name = payload.name?.trim();
+    const profilePic = payload.picture || "";
+    const isEmailVerified = Boolean(payload.email_verified);
+
+    if (!googleId || !email || !isEmailVerified) {
+      res.status(401);
+      throw new Error("Google account must have a verified email.");
+    }
+
+    if (!allowedRoles.has(role)) {
+      res.status(400);
+      throw new Error("Account type must be either client or developer.");
+    }
+
+    const selectedRole = role;
+    let user = await User.findOne({ email });
+    let isNewUser = false;
+
+    if (!user) {
+      user = await User.create({
+        name: name || email.split("@")[0],
+        email,
+        googleId,
+        profilePic,
+        avatar: profilePic,
+        role: selectedRole,
+        isVerified: true,
       });
+      isNewUser = true;
     } else {
-      res.status(401);
-      throw new Error('Invalid email or password');
+      if (user.googleId && user.googleId !== googleId) {
+        res.status(409);
+        throw new Error("This email is linked to a different Google account.");
+      }
+
+      if (!user.googleId) user.googleId = googleId;
+      if (name && !user.name) user.name = name;
+      if (profilePic) user.profilePic = profilePic;
+      if (profilePic && !user.avatar) user.avatar = profilePic;
+      if (!user.isVerified && isEmailVerified) user.isVerified = true;
+
+      await user.save();
     }
+
+    const token = generateToken(user._id);
+    setAuthCookie(res, token);
+
+    res.status(200).json({
+      ...serializeUser(user),
+      token,
+      isNewUser,
+    });
   } catch (error) {
+    if (error?.message?.includes("Wrong recipient")) {
+      error.message =
+        "Google verification failed: client ID mismatch. Ensure frontend VITE_GOOGLE_CLIENT_ID and backend GOOGLE_CLIENT_ID/GOOGLE_CLIENT_IDS are aligned.";
+    }
+
+    if (!res.statusCode || res.statusCode === 200) {
+      res.status(error.statusCode || 401);
+    }
     next(error);
   }
 };
+
+export const logoutUser = async (req, res) => {
+  clearAuthCookie(res);
+  res.status(200).json({ message: "Logged out successfully." });
+};