feat(users): add google oauth login flow

2026-05-01 01:54:02 +03:30
parent 99eb4c2594
commit fb15a16204
10 changed files with 815 additions and 33 deletions
--- a/apps/users/api/serializers.py
+++ b/apps/users/api/serializers.py
@@ -1,23 +1,11 @@
-import logging
-import random
-import string
-
 from django.contrib.auth import get_user_model
-from django.db import transaction
-from django.utils import timezone
-from django_redis import get_redis_connection
 from drf_spectacular.utils import extend_schema_serializer
 from rest_framework import serializers

 from core.serializers.base import BaseModelSerializer

-from apps.users.tasks import send_verification_sms
-from apps.users.utils import record_login_attempt
-
 User = get_user_model()

-logger = logging.getLogger(__name__)
-

 class UserProfilePictureSerializer(BaseModelSerializer):
    class Meta:
@@ -51,10 +39,10 @@ class RegisterSerializer(serializers.Serializer):
        re_password = data.get("re_password", "")

        if not (mobile.isdigit() and len(mobile) == 11):
-            raise serializers.ValidationError({"mobile": "فرمت شماره موبایل نادرست است."})
+            raise serializers.ValidationError({"mobile": "ÙØ±Ù…Øª Ø´Ù…Ø§Ø±Ù‡ Ù…ÙˆØ¨Ø§ÛŒÙ„ Ù†Ø§Ø¯Ø±Ø³Øª Ø§Ø³Øª."})

        if password != re_password:
-            raise serializers.ValidationError({"password": "رمز عبور مطابقت ندارد."})
+            raise serializers.ValidationError({"password": "Ø±Ù…Ø² Ø¹Ø¨ÙˆØ± Ù…Ø·Ø§Ø¨Ù‚Øª Ù†Ø¯Ø§Ø±Ø¯."})

        return data

@@ -65,11 +53,8 @@ class SendOTPSerializer(serializers.Serializer):
    mode = serializers.ChoiceField(choices=["register", "login", "forget_password"])

    def validate_mobile(self, value):
-        """
-        Normalize and validate Iranian mobile numbers (example: 09XXXXXXXXX).
-        """
        if not value.isdigit() or len(value) != 11 or not value.startswith("09"):
-            raise serializers.ValidationError("شماره موبایل معتبر نیست.")
+            raise serializers.ValidationError("Ø´Ù…Ø§Ø±Ù‡ Ù…ÙˆØ¨Ø§ÛŒÙ„ Ù…Ø¹ØªØ¨Ø± Ù†ÛŒØ³Øª.")
        return value


@@ -80,7 +65,7 @@ class LoginOtpSerializer(serializers.Serializer):

    def validate_mobile(self, value):
        if not (value.isdigit() and len(value) == 11):
-            raise serializers.ValidationError("فرمت شماره موبایل نادرست است.")
+            raise serializers.ValidationError("ÙØ±Ù…Øª Ø´Ù…Ø§Ø±Ù‡ Ù…ÙˆØ¨Ø§ÛŒÙ„ Ù†Ø§Ø¯Ø±Ø³Øª Ø§Ø³Øª.")
        return value


@@ -90,10 +75,30 @@ class LoginSerializer(serializers.Serializer):

    def validate_mobile(self, value):
        if not (value.isdigit() and len(value) == 11):
-            raise serializers.ValidationError("فرمت شماره موبایل نادرست است.")
+            raise serializers.ValidationError("ÙØ±Ù…Øª Ø´Ù…Ø§Ø±Ù‡ Ù…ÙˆØ¨Ø§ÛŒÙ„ Ù†Ø§Ø¯Ø±Ø³Øª Ø§Ø³Øª.")
        return value


+class GoogleOAuthFlowSerializer(serializers.Serializer):
+    flow = serializers.CharField()
+
+
+class GoogleOAuthCompleteSerializer(serializers.Serializer):
+    flow = serializers.CharField()
+    mobile = serializers.CharField(max_length=11)
+
+    def validate_mobile(self, value):
+        normalized = "".join(ch for ch in value if ch.isdigit())
+        if len(normalized) != 11 or not normalized.startswith("09"):
+            raise serializers.ValidationError("ÙØ±Ù…Øª Ø´Ù…Ø§Ø±Ù‡ Ù…ÙˆØ¨Ø§ÛŒÙ„ Ù†Ø§Ø¯Ø±Ø³Øª Ø§Ø³Øª.")
+        return normalized
+
+
+class GoogleOAuthClaimVerifySerializer(serializers.Serializer):
+    flow = serializers.CharField()
+    code = serializers.CharField(max_length=6)
+
+
 class ResetPasswordSerializer(serializers.Serializer):
    mobile = serializers.CharField(max_length=11)
    code = serializers.CharField(max_length=6)
@@ -102,7 +107,7 @@ class ResetPasswordSerializer(serializers.Serializer):

    def validate(self, data):
        if data.get("password") != data.get("re_password"):
-            raise serializers.ValidationError({"password": "رمز عبور مطابقت ندارد."})
+            raise serializers.ValidationError({"password": "Ø±Ù…Ø² Ø¹Ø¨ÙˆØ± Ù…Ø·Ø§Ø¨Ù‚Øª Ù†Ø¯Ø§Ø±Ø¯."})
        return data


@@ -113,7 +118,7 @@ class ChangePasswordSerializer(serializers.Serializer):

    def validate(self, data):
        if data.get("new_password") != data.get("re_password"):
-            raise serializers.ValidationError({"new_password": "رمز عبور جدید و تکرار آن مطابقت ندارند."})
+            raise serializers.ValidationError({"new_password": "Ø±Ù…Ø² Ø¹Ø¨ÙˆØ± Ø¬Ø¯ÛŒØ¯ Ùˆ ØªÚ©Ø±Ø§Ø± Ø¢Ù† Ù…Ø·Ø§Ø¨Ù‚Øª Ù†Ø¯Ø§Ø±Ù†Ø¯."})
        return data


@@ -138,9 +143,16 @@ class UserProfileSerializer(BaseModelSerializer):
    class Meta:
        model = User
        fields = BaseModelSerializer.Meta.fields + (
-            "mobile", "email", "first_name", "last_name", 
-            "description", "profile_picture", "birth_date", 
-            "is_verified", "full_name", "age"
+            "mobile",
+            "email",
+            "first_name",
+            "last_name",
+            "description",
+            "profile_picture",
+            "birth_date",
+            "is_verified",
+            "full_name",
+            "age",
        )
        read_only_fields = BaseModelSerializer.Meta.fields + ("mobile", "is_verified")

@@ -149,9 +161,9 @@ class UserSearchSerializer(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = (
-            'id', 
-            'first_name', 
-            'last_name', 
-            'mobile', 
-            'profile_picture',
+            "id",
+            "first_name",
+            "last_name",
+            "mobile",
+            "profile_picture",
        )
--- a/apps/users/api/throttles.py
+++ b/apps/users/api/throttles.py
@@ -83,6 +83,35 @@ class ScopedMobileThrottle(SimpleRateThrottle):
        return allowed


+class ScopedFlowMobileThrottle(ScopedMobileThrottle):
+    def get_mobile_identifier(self, request) -> str | None:
+        mobile = super().get_mobile_identifier(request)
+        if mobile:
+            return mobile
+
+        try:
+            flow = request.data.get("flow")
+        except Exception:
+            flow = None
+
+        if not isinstance(flow, str) or not flow:
+            return None
+
+        try:
+            from apps.users.services.google_oauth import get_google_flow
+
+            flow_payload = get_google_flow(flow)
+        except Exception:
+            return None
+
+        mobile = flow_payload.get("mobile")
+        if not isinstance(mobile, str):
+            return None
+
+        normalized = "".join(ch for ch in mobile if ch.isdigit())
+        return normalized or None
+
+
 class OTPSendBurstThrottle(ScopedMobileThrottle):
    scope = "otp_send_burst"

@@ -97,3 +126,15 @@ class PasswordLoginThrottle(ScopedMobileThrottle):

 class OTPLoginThrottle(ScopedMobileThrottle):
    scope = "login_otp"
+
+
+class GoogleClaimSendBurstThrottle(ScopedFlowMobileThrottle):
+    scope = "otp_send_burst"
+
+
+class GoogleClaimSendSustainedThrottle(ScopedFlowMobileThrottle):
+    scope = "otp_send_sustained"
+
+
+class GoogleClaimVerifyThrottle(ScopedFlowMobileThrottle):
+    scope = "login_otp"
--- a/apps/users/api/urls.py
+++ b/apps/users/api/urls.py
@@ -9,9 +9,16 @@ app_name = "users"

 urlpatterns = [
    path("register/", views.RegisterWithOTPView.as_view(), name="register_verify"),
+    path("register/password/", views.RegisterWithPasswordView.as_view(), name="register_password"),
    path("otp/send/", views.SendOTPView.as_view(), name="send_otp"),
    path("otp/login/", views.LoginOTPView.as_view(), name="login_otp"),
    path("login/", views.LoginView.as_view(), name="login"),
+    path("oauth/google/start/", views.GoogleOAuthStartView.as_view(), name="google_oauth_start"),
+    path("oauth/google/callback/", views.GoogleOAuthCallbackView.as_view(), name="google_oauth_callback"),
+    path("oauth/google/flow/", views.GoogleOAuthFlowView.as_view(), name="google_oauth_flow"),
+    path("oauth/google/complete/", views.GoogleOAuthCompleteView.as_view(), name="google_oauth_complete"),
+    path("oauth/google/claim/send-otp/", views.GoogleOAuthClaimSendOtpView.as_view(), name="google_oauth_claim_send_otp"),
+    path("oauth/google/claim/verify/", views.GoogleOAuthClaimVerifyView.as_view(), name="google_oauth_claim_verify"),
    path("logout/", views.LogoutView.as_view(), name="logout"),
    path("password/set/", views.SetPasswordView.as_view(), name="set_password"),
    path("password/reset/", views.ResetPasswordView.as_view(), name="reset_password"),
--- a/apps/users/api/views.py
+++ b/apps/users/api/views.py
@@ -1,3 +1,4 @@
+from django.http import HttpResponseRedirect
 from django.contrib.auth import get_user_model
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import extend_schema, inline_serializer
@@ -19,6 +20,9 @@ from apps.users.api.serializers import (
    ChangePasswordSerializer,
    LoginOtpSerializer,
    LoginSerializer,
+    GoogleOAuthClaimVerifySerializer,
+    GoogleOAuthCompleteSerializer,
+    GoogleOAuthFlowSerializer,
    RegisterSerializer,
    ResetPasswordSerializer,
    SendOTPSerializer,
@@ -35,6 +39,9 @@ from apps.users.api.throttles import (
    OTPSendBurstThrottle,
    OTPSendSustainedThrottle,
    PasswordLoginThrottle,
+    GoogleClaimSendBurstThrottle,
+    GoogleClaimSendSustainedThrottle,
+    GoogleClaimVerifyThrottle,
 )
 from apps.users.services.auth import (
    register_user_with_password, 
@@ -46,6 +53,20 @@ from apps.users.services.auth import (
    change_password,
    logout_user
 )
+from apps.users.services.google_oauth import (
+    build_authenticated_flow_payload,
+    build_google_authorization_url,
+    build_google_callback_redirect_url,
+    build_pending_google_flow_payload,
+    complete_google_signup,
+    consume_google_state,
+    create_google_flow,
+    exchange_code_for_google_profile,
+    find_social_account_for_profile,
+    get_google_flow,
+    send_google_claim_otp,
+    verify_google_claim,
+)

 User = get_user_model()

@@ -146,6 +167,88 @@ class LoginOTPView(APIView):
        return Response(tokens, status=status.HTTP_200_OK)


+class GoogleOAuthStartView(APIView):
+    permission_classes = (AllowAny,)
+
+    @extend_schema(responses=None)
+    def get(self, request):
+        return HttpResponseRedirect(build_google_authorization_url())
+
+
+class GoogleOAuthCallbackView(APIView):
+    permission_classes = (AllowAny,)
+
+    @extend_schema(responses=None)
+    def get(self, request):
+        if request.query_params.get("error"):
+            raise serializers.ValidationError(
+                {"detail": request.query_params.get("error_description") or "Google sign-in was cancelled."}
+            )
+
+        consume_google_state(request.query_params.get("state"))
+        profile = exchange_code_for_google_profile(request.query_params.get("code"))
+        social_account = find_social_account_for_profile(profile)
+
+        if social_account:
+            flow_payload = build_authenticated_flow_payload(social_account.user)
+        else:
+            flow_payload = build_pending_google_flow_payload(profile)
+
+        flow = create_google_flow(flow_payload)
+        return HttpResponseRedirect(build_google_callback_redirect_url(flow))
+
+
+class GoogleOAuthFlowView(APIView):
+    permission_classes = (AllowAny,)
+
+    @extend_schema(responses=None)
+    def get(self, request):
+        serializer = GoogleOAuthFlowSerializer(data=request.query_params)
+        serializer.is_valid(raise_exception=True)
+        return Response(get_google_flow(serializer.validated_data["flow"]), status=status.HTTP_200_OK)
+
+
+class GoogleOAuthCompleteView(APIView):
+    permission_classes = (AllowAny,)
+
+    @extend_schema(request=GoogleOAuthCompleteSerializer, responses=None)
+    def post(self, request):
+        serializer = GoogleOAuthCompleteSerializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        payload = complete_google_signup(
+            flow=serializer.validated_data["flow"],
+            mobile=serializer.validated_data["mobile"],
+        )
+        return Response(payload, status=status.HTTP_200_OK)
+
+
+class GoogleOAuthClaimSendOtpView(APIView):
+    permission_classes = (AllowAny,)
+    throttle_classes = [GoogleClaimSendBurstThrottle, GoogleClaimSendSustainedThrottle]
+
+    @extend_schema(request=GoogleOAuthFlowSerializer, responses=None)
+    def post(self, request):
+        serializer = GoogleOAuthFlowSerializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        payload = send_google_claim_otp(serializer.validated_data["flow"])
+        return Response(payload, status=status.HTTP_200_OK)
+
+
+class GoogleOAuthClaimVerifyView(APIView):
+    permission_classes = (AllowAny,)
+    throttle_classes = [GoogleClaimVerifyThrottle]
+
+    @extend_schema(request=GoogleOAuthClaimVerifySerializer, responses=None)
+    def post(self, request):
+        serializer = GoogleOAuthClaimVerifySerializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        payload = verify_google_claim(
+            flow=serializer.validated_data["flow"],
+            code=serializer.validated_data["code"],
+        )
+        return Response(payload, status=status.HTTP_200_OK)
+
+
 class ResetPasswordView(APIView):
    permission_classes = (AllowAny,)
    serializer_class = ResetPasswordSerializer