@aaronaco aaronaco commented Dec 10, 2025

Description

Implement backend authentication system with Google OAuth, JWT tokens, and secure session management. This provides the foundation for user authentication across the application.

Related Issue

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Refactor (code change that neither fixes a bug nor adds a feature)
  • Documentation update
  • Test update

Changes Made

Database

  • Added Drizzle ORM with Neon PostgreSQL connection
  • Created users table with email, name, auth provider, and verification status
  • Created oauth_accounts table for OAuth provider linking
  • Created refresh_tokens table for secure session management
  • Added database seed script for development (npm run db:seed)

Authentication

  • Implemented Google OAuth 2.0 flow with google-auth-library
  • JWT access tokens (15 min expiry) + refresh tokens (7 days expiry)
  • Secure httpOnly cookies with sameSite strict
  • Refresh token rotation with reuse detection (revokes all sessions on reuse)
  • Token hashing with SHA-256 for database storage

API Endpoints

  • GET /api/auth/google - Initiates Google OAuth flow
  • GET /api/auth/google/callback - Handles OAuth callback
  • GET /api/auth/me - Returns current authenticated user
  • POST /api/auth/refresh - Rotates tokens and issues new pair
  • POST /api/auth/logout - Logs out current session
  • POST /api/auth/logout-all - Revokes all user sessions

Middleware

  • requireAuth - Protects routes, requires valid access token
  • optionalAuth - Attaches user if authenticated, doesn't block
  • Auth bypass for development environment (AUTH_BYPASS=true)

Configuration

  • Added DEV_BYPASS_USER_ID to environment config
  • Updated .env.example with all auth-related variables

Testing

  • Added Jest + Supertest for API testing
  • Configured Jest for ESM module transformation
  • Created test helpers and setup files
  • 12 tests covering all auth endpoints

Testing

  • Unit tests pass (npm test)
  • Manual testing performed
  • New tests added for new functionality

Test commands run:

npm test
npm run test:coverage

Test results:

PASS src/__tests__/auth.test.ts
  Auth API
    GET /api/auth/me (3 tests)
    POST /api/auth/refresh (4 tests)
    POST /api/auth/logout (2 tests)
    POST /api/auth/logout-all (2 tests)
    GET /api/auth/google (1 test)

Tests: 12 passed, 12 total

Manual testing:

  • Google OAuth flow tested in browser
  • Auth bypass verified with curl http://localhost:8000/api/auth/me
  • Cookie setting verified in browser DevTools

Screenshots / Recordings

N/A - Backend API changes only

Checklist

  • My code follows the project's coding style
  • I have performed a self-review of my code
  • I have commented my code where necessary
  • My changes generate no new warnings or errors
  • I have added tests that prove my fix/feature works
  • All existing tests pass locally

Additional Notes

New Dependencies Added

Production:

  • drizzle-orm - Database ORM
  • @neondatabase/serverless - Neon PostgreSQL driver
  • google-auth-library - Google OAuth
  • jsonwebtoken - JWT handling
  • cookie-parser - Cookie parsing middleware

Development:

  • drizzle-kit - Database migrations
  • jest, ts-jest, supertest - Testing

Developer Setup

New developers need to:

  1. Copy .env.example to .env and fill in credentials
  2. Run npx drizzle-kit push to set up database schema
  3. Run npm run db:seed to create dev user for auth bypass
  4. Set AUTH_BYPASS=true in .env for local development without Google OAuth

Security Considerations

  • Refresh tokens are hashed before database storage
  • Token reuse detection revokes all sessions (prevents token theft)
  • httpOnly cookies prevent XSS token theft
  • sameSite strict prevents CSRF attacks
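
The refresh-token rotation, SHA-256 hashing and reuse detection listed above, as an added TypeScript example that is not the PR's code: an in-memory array stands in for the refresh_tokens table, and the row shape and function names are assumptions.

```typescript
import { createHash, randomBytes } from "node:crypto";

// In-memory stand-in for the refresh_tokens table (assumed row shape).
interface RefreshTokenRow {
  tokenHash: string; // SHA-256 hex of the raw token; the raw value is never stored
  userId: string;
  revoked: boolean;  // set on rotation, logout, or reuse detection
}

const refreshTokens: RefreshTokenRow[] = [];

function sha256(raw: string): string {
  return createHash("sha256").update(raw).digest("hex");
}

/** Mint a raw refresh token for userId; only its hash is persisted. */
export function issueRefreshToken(userId: string): string {
  const raw = randomBytes(32).toString("hex");
  refreshTokens.push({ tokenHash: sha256(raw), userId, revoked: false });
  return raw;
}

/** Revoke every live token of a user (logout-all); returns how many were revoked. */
export function revokeAllForUser(userId: string): number {
  const live = refreshTokens.filter((r) => r.userId === userId && !r.revoked);
  live.forEach((r) => { r.revoked = true; });
  return live.length;
}

/**
 * Rotate a presented refresh token: retire it and return a fresh one.
 * An already-rotated token being presented again means two parties hold
 * the same token, so every session of that user is revoked and null is
 * returned. Unknown tokens also return null without touching the store.
 */
export function rotateRefreshToken(raw: string): string | null {
  const row = refreshTokens.find((r) => r.tokenHash === sha256(raw));
  if (!row) return null;
  if (row.revoked) {
    revokeAllForUser(row.userId); // reuse detected: revoke all sessions
    return null;
  }
  row.revoked = true; // retire the presented token
  return issueRefreshToken(row.userId);
}

/** Number of live (unrevoked) tokens for a user. */
export function activeTokenCount(userId: string): number {
  return refreshTokens.filter((r) => r.userId === userId && !r.revoked).length;
}
```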

@aaronaco aaronaco marked this pull request as ready for review December 10, 2025 07:54