security: fix GoogleLoginView audience check + replace Clerk with direct GIS flow

- verify_oauth2_token now passes GOOGLE_CLIENT_ID as third arg (audience check) - fail-closed: returns 503 if GOOGLE_CLIENT_ID env var is not set - add GOOGLE_CLIENT_ID = os.environ.get('GOOGLE_CLIENT_ID', '') to settings - replace ClerkLoginViewTests with GoogleLoginViewTests (4 cases) - update requirements-docker.txt Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 01:31:18 +05:30
parent aa2846b884
commit e0a491e8cb
5 changed files with 131 additions and 3 deletions
--- a/mobile_api/views/user.py
+++ b/mobile_api/views/user.py
@@ -431,12 +431,22 @@ class GoogleLoginView(View):
            from google.oauth2 import id_token as google_id_token
            from google.auth.transport import requests as google_requests

+            from django.conf import settings
+
            data = json.loads(request.body)
            token = data.get('id_token')
            if not token:
                return JsonResponse({'error': 'id_token is required'}, status=400)

-            idinfo = google_id_token.verify_oauth2_token(token, google_requests.Request())
+            if not settings.GOOGLE_CLIENT_ID:
+                log("error", "GOOGLE_CLIENT_ID not configured", request=request)
+                return JsonResponse({'error': 'Google login temporarily unavailable'}, status=503)
+
+            idinfo = google_id_token.verify_oauth2_token(
+                token,
+                google_requests.Request(),
+                settings.GOOGLE_CLIENT_ID,
+            )
            email = idinfo.get('email')
            if not email:
                return JsonResponse({'error': 'Email not found in Google token'}, status=400)