trezor-suite/packages/auth-server
karliatto 0a86a83a31 fix(auth-server): not released package
There is no need to have tsconfig.lib if it is not a package that we
want to release to npm.
2026-01-12 15:47:11 +01:00

@trezor/auth-server

Authorization endpoints for saving labels in Google Drive via OAuth 2.0.

Google requires an app-specific client_secret to grant a user long-term access via a refresh_token. This is a recommended OAuth flow for desktop apps. Exposing the client_secret could enable attackers to impersonate the app and gain access to the user's labels. Therefore, the Google authentication server is accessed through our backend, which stores the client_secret. Unlike in the Dropbox OAuth implementation, it is not possible to substitute the secret with PKCE.
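The sketch below illustrates the design described above: a backend step that adds the client_secret to a token request before it is forwarded to Google. It is an added example, not code from @trezor/auth-server. The function names, the allowlist and the optional PKCE field are assumptions; only Google's token endpoint URL and the standard OAuth parameter names are real.

```typescript
// Added example: not code from @trezor/auth-server. All names are hypothetical.
const GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';

type Form = Record<string, string>;

// Fields the desktop client must supply for each supported grant type.
// Everything else in the request is dropped before it goes upstream.
const REQUIRED: Record<string, string[]> = {
    authorization_code: ['client_id', 'code', 'redirect_uri'],
    refresh_token: ['client_id', 'refresh_token'],
};

function buildTokenForm(input: Record<string, unknown>, clientId: string, clientSecret: string): Form {
    const grant = input.grant_type;
    if (typeof grant !== 'string') throw new Error('missing grant_type');
    // hasOwnProperty guards against keys such as "constructor" resolving via the prototype.
    const required = Object.prototype.hasOwnProperty.call(REQUIRED, grant) ? REQUIRED[grant] : undefined;
    if (!required) throw new Error('unsupported grant_type');
    // The secret is lent only to our own app's client_id.
    if (input.client_id !== clientId) throw new Error('unknown client_id');

    const form: Form = { grant_type: grant };
    for (const key of required) {
        const value = input[key];
        if (typeof value !== 'string' || value === '') throw new Error(`missing ${key}`);
        form[key] = value;
    }
    // Assumption: the client may also send a PKCE verifier alongside the code.
    if (grant === 'authorization_code' && typeof input.code_verifier === 'string') {
        form.code_verifier = input.code_verifier;
    }
    form.client_secret = clientSecret; // server-side value, never taken from client input
    return form;
}

// Describes the POST the backend would send to Google; the caller passes it to its HTTP client.
function upstreamRequest(form: Form) {
    const body = Object.keys(form)
        .map(k => `${encodeURIComponent(k)}=${encodeURIComponent(String(form[k]))}`)
        .join('&');
    return {
        url: GOOGLE_TOKEN_URL,
        method: 'POST',
        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
        body,
    };
}
```

The returned body contains the client_secret, so it should be kept out of request logs.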

Development

Start by generating your own testing credentials for Suite Desktop.
Please note that instructions regarding Google Cloud configuration may not be up to date.

  1. Open Google Cloud Platform > Credentials and create a new "OAuth 2.0 Client ID" credential.
  2. If you are not in a "Project" already, you'll have to create one and assign it to an "Organization".
    ⚠️ You may have to use a personal Google profile, if your corporate account has insufficient rights to create/edit organizations!
  3. Select "Desktop app" and set any name.
  4. Navigate through "OAuth consent screen" to "Audience" and add yourself and/or any other emails as "Test users".
    Not to be confused with Service Accounts; those are unrelated.

Continue in Trezor Suite:

  1. Replace client_secret in index.ts and CLIENT_ID in @trezor/suite with generated credentials.
  2. Set OAuth API in Suite debug settings to http://localhost:3005 or override the authServerUrl here.
  3. Install dependencies via yarn workspace @trezor/auth-server install.
  4. Run the server locally via yarn workspace @trezor/auth-server dev.

Build

yarn workspace @trezor/auth-server build