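def test_GoogleOauth2Verifier_verify_token_invalid_iss(_verify_token_payload):
    """A token whose ``iss`` claim is not a Google issuer must be rejected.

    ``_verify_token_payload`` is presumably a patched stand-in for the
    verifier's payload decoding (its definition is not visible here), so the
    test supplies the claims directly and exercises only the issuer check.
    """
    _verify_token_payload.return_value = {"iss": "invalid", "key": "value"}

    verifier = verifiers.GoogleOauth2Verifier(
        client_ids=[mock.sentinel.audience])

    # The call is expected to raise, so its return value is never bound.
    with pytest.raises(exceptions.GoogleVerificationError):
        verifier.verify_token(mock.sentinel.token)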
def test_GoogleOauth2Verifier_verify_token_valid_iss(_verify_token_payload):
    """A payload issued by ``accounts.google.com`` is accepted and returned.

    ``_verify_token_payload`` is presumably a patched stand-in for the
    verifier's payload decoding (its definition is not visible here).

    NOTE(review): only the bare ``accounts.google.com`` issuer is covered
    here. Google also issues ID tokens with ``https://accounts.google.com``;
    confirm that form is tested elsewhere.
    """
    claims = {"iss": "accounts.google.com", "key": "value"}
    _verify_token_payload.return_value = claims

    accepted_audiences = [mock.sentinel.audience]
    verifier = verifiers.GoogleOauth2Verifier(client_ids=accepted_audiences)

    # Non-issuer claims must pass through verification untouched.
    verified = verifier.verify_token(mock.sentinel.token)
    assert verified["key"] == "value"
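def test_GoogleOauth2Verifier_verify_token_invalid_hd(_verify_token_payload):
    """A token from a different hosted domain must be rejected.

    The verifier is built with ``g_suite_hosted_domain="domain"`` while the
    payload carries ``hd == "invalid"``, so verification has to fail even
    though the issuer is valid.

    NOTE(review): this covers a *mismatching* ``hd`` only. A payload with no
    ``hd`` claim at all is not exercised by the tests visible here. Confirm
    that case is rejected too when a hosted domain is required.
    """
    _verify_token_payload.return_value = {
        "iss": "accounts.google.com",
        "key": "value",
        "hd": "invalid"
    }

    verifier = verifiers.GoogleOauth2Verifier(
        client_ids=[mock.sentinel.audience], g_suite_hosted_domain="domain")

    # The call is expected to raise, so its return value is never bound.
    with pytest.raises(exceptions.GoogleVerificationError):
        verifier.verify_token(mock.sentinel.token)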
def test_GoogleOauth2Verifier_verify_token_valid_hd(_verify_token_payload):
    """A token whose ``hd`` claim equals the required hosted domain is accepted.

    ``_verify_token_payload`` is presumably a patched stand-in for the
    verifier's payload decoding (its definition is not visible here).
    """
    required_domain = "domain"
    claims = {
        "iss": "accounts.google.com",
        "key": "value",
        "hd": "domain",
    }
    _verify_token_payload.return_value = claims

    verifier = verifiers.GoogleOauth2Verifier(
        client_ids=[mock.sentinel.audience],
        g_suite_hosted_domain=required_domain,
    )

    # With issuer and hosted domain both matching, the payload is returned.
    verified = verifier.verify_token(mock.sentinel.token)
    assert verified["key"] == "value"
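def handle_google_sign_in():
    """Handle signing in when Google sends the token to our server directly.

    Steps, in order:
      1. Check the double-submit CSRF token: the ``g_csrf_token`` cookie must
         be present and equal to the ``g_csrf_token`` request value.
      2. Verify the ``credential`` ID token against the accepted client IDs.
      3. Route on the account state for the token's email address:
         registered and federated -> success page; registered but not
         federated -> account-linking page; unregistered -> registration page.

    Returns:
        The rendered template for the outcome. Every failure path renders
        ``home.html`` with an ``error`` message.
    """
    print('Handling User Request from Google Button or OneTap')

    # Verify CSRF double submit cookie: both copies must exist and match.
    # NOTE(review): assuming this is Flask's ``request``, ``request.values``
    # merges query-string and form data, so the token and the credential are
    # also accepted from the URL. If this route only serves the form post,
    # ``request.form`` would be stricter. Confirm against the route definition.
    csrf_token_cookie = request.cookies.get('g_csrf_token')
    if not csrf_token_cookie:
        return render_template('home.html', error="Google Sign In failed. No CSRF token in provided cookie.")

    csrf_token_body = request.values.get('g_csrf_token')
    if not csrf_token_body:
        return render_template('home.html', error="Google Sign In failed. No CSRF token in post body.")

    if csrf_token_body != csrf_token_cookie:
        return render_template('home.html', error="Google Sign In failed. Failed to verify double submit cookie.")

    id_token = request.values.get('credential')
    if not id_token:
        # Fail closed on a missing credential instead of handing None to the
        # verifier, whose behaviour for a non-string token is not visible here
        # and may raise something the except clause below does not catch.
        return render_template('home.html', error="Google Sign In failed. The ID Token was invalid.")

    CLIENT_APP_IDS = ["443130310905-s9hq5vg9nbjctal1dlm2pf8ljb9vlbm3.apps.googleusercontent.com"] #CLIENT IDs of apps using this backend
    verifier = verifiers.GoogleOauth2Verifier(client_ids=CLIENT_APP_IDS)

    try:
        decoded_token = verifier.verify_token(id_token) #use decoded_token to complete user sign in

        # NOTE(review): the email address is the account key from here on.
        # Confirm that the verifier (or a check elsewhere) requires the
        # token's ``email_verified`` claim, and consider keying federated
        # accounts on the stable ``sub`` claim rather than on the email.
        email = decoded_token.get_email().lower()
        given_name = decoded_token.get_given_name()

        create_user_table()
        registered = is_email_registered(email)
        federated = is_account_federated(email)

        if registered:

            if federated:
                return render_template('account_success.html', name=given_name, login=str(True))

            else: #legacy user - link accounts
                # NOTE(review): linking should only complete after the user
                # proves ownership of the existing account. That step is not
                # visible in this function; confirm it happens in the link flow.
                session['decoded_token'] = decoded_token.to_json()
                error_message = ("The email associated with this Google account is already registered. "
                                 "Please link this existing account to your Google account.")
                return render_template('link_existing_account.html', link_error=error_message, google_email=email)

        else: #unregistered user
            session['decoded_token'] = decoded_token.to_json() #session value must be serializable
            return render_template('register_googler.html')

    except (ValueError, exceptions.GoogleVerificationError):
        # Invalid token, prompt user to try again. This clause wraps the whole
        # block, so a ValueError from the account helpers above is also
        # reported as an invalid token.
        return render_template('home.html', error="Google Sign In failed. The ID Token was invalid.")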