Skip to content

Google OAuth2 authentication for Quarto Hub#18

Open
shikokuchuo wants to merge 17 commits intomainfrom
feature/auth
Open

Google OAuth2 authentication for Quarto Hub#18
shikokuchuo wants to merge 17 commits intomainfrom
feature/auth

Conversation

@shikokuchuo
Copy link
Collaborator

@shikokuchuo shikokuchuo commented Feb 24, 2026

Summary

Adds optional Google Sign-In across the Hub server and and web client.
Auth is off by default and enabled by passing --google-client-id <ID> to the hub server.

Architecture

   Browser (Google Sign-In)                                                  
            │                                                            
       ID token (JWT)                                         
            │
            ▼                                                               
    ┌───────────────────────────────┐
    │       Hub Server (Axum)       │                                       
    │                               │                       
    │  ── auth boundary ──────────  │
    │                               │
    │  REST API    Automerge sync   │
    └───────────────────────────────┘

Auth is enforced at the transport layer (HTTP/WebSocket upgrade) before any request processing begins.
The sync protocol (samod/Automerge) is completely unaware of authentication — unauthenticated connections are rejected before they reach it. This keeps auth concerns out of the collaboration engine entirely.

Server (quarto-hub)

  • New auth module that validates Google ID tokens locally using cached public keys (no per-request call to Google).
  • All endpoints (/health, /api/*, and WebSocket sync) require a valid token when auth is enabled.
  • Operators can restrict access to specific email addresses or domains via --allowed-emails and --allowed-domains.
  • Env vars QUARTO_HUB_GOOGLE_CLIENT_ID, QUARTO_HUB_ALLOWED_EMAILS and QUARTO_HUB_ALLOWED_DOMAINS allowed in place of arguments.
  • Startup check ensures TLS is accounted for before accepting tokens.

Web client (hub-client)

  • When a Google client ID is configured, unauthenticated users see a login screen with Google's standard Sign-In
    button.
  • After sign-in, the ID token is stored in the browser and attached to all sync and API connections.
  • Token expiry is monitored automatically; silent refresh renews the session without interrupting the user when possible.
  • Sign-out button with Google avatar shown in the ProjectSelector header.

@shikokuchuo shikokuchuo force-pushed the feature/auth branch 3 times, most recently from e4f1478 to 41af226 Compare February 25, 2026 21:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant