mirror of
https://github.com/trezor/trezor-suite.git
synced 2026-03-05 15:05:23 +01:00
@trezor/auth-server
Authorization endpoints for saving labels in Google Drive via OAuth 2.0.
Google requires an app-specific client_secret to grant a user long-term access via a refresh_token. This is the recommended OAuth flow for desktop apps. Exposing the client_secret could enable attackers impersonating the app to gain access to the user's labels. Therefore, the Google authentication server is accessed via our backend, which stores the client_secret. Unlike in the Dropbox OAuth implementation, it is not possible to substitute the secret with PKCE.
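The secret-holding proxy pattern described above, as an added sketch that is not the code in index.ts: the backend rebuilds the token request from an allowlist and appends the secret itself. The function and constant names are hypothetical, and pinning client_id on the server is an assumption of this example.

```typescript
// Added example; names below are hypothetical, not taken from index.ts.
const GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';

// Fields a client may supply per grant type; the first one is mandatory.
const ALLOWED_FIELDS: { [grant: string]: string[] } = {
    authorization_code: ['code', 'redirect_uri', 'code_verifier'],
    refresh_token: ['refresh_token'],
};

interface UpstreamRequest {
    url: string;
    headers: { [name: string]: string };
    body: string;
}

// Build the request the backend forwards to Google. client_id and
// client_secret come only from server-side configuration (an assumption here).
function buildUpstreamRequest(
    clientParams: { [key: string]: unknown },
    clientId: string,
    clientSecret: string,
): UpstreamRequest {
    const grantType = clientParams['grant_type'];
    // hasOwnProperty keeps keys such as "constructor" from matching.
    if (typeof grantType !== 'string' ||
        !Object.prototype.hasOwnProperty.call(ALLOWED_FIELDS, grantType)) {
        throw new Error('unsupported grant_type');
    }
    const allowed = ALLOWED_FIELDS[grantType] || [];
    const pairs: [string, string][] = [['grant_type', grantType], ['client_id', clientId]];
    for (const field of allowed) {
        const value = clientParams[field];
        if (typeof value === 'string' && value.length > 0) pairs.push([field, value]);
        else if (field === allowed[0]) throw new Error('missing ' + field);
    }
    // A client_secret or any other extra field sent by the client was never copied.
    pairs.push(['client_secret', clientSecret]);
    return {
        url: GOOGLE_TOKEN_URL,
        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
        body: pairs.map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v)).join('&'),
    };
}
```

Because the body is rebuilt rather than passed through, the secret never has to appear in the desktop client, and a request cannot override it or smuggle in other grant types.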
Development
- Generate your own testing credentials for a Desktop App in Google Cloud Platform.
- In Google Cloud Platform, add your account as a test user of the app.
- Replace `client_secret` in index.ts and `client_id` in @trezor/suite with generated credentials.
- Set OAuth API in Suite debug settings to `http://localhost:3005` or override the `authServerUrl` here.
- Install dependencies via `yarn workspace @trezor/auth-server install`.
- Run the server locally via `yarn workspace @trezor/auth-server dev`.
Build
yarn workspace @trezor/auth-server build