Google Login (No Email Verification)
Flow Summary
- Start: user chooses "Login with Google".
- Redirect to Google OAuth consent; upon success, Google returns an ID token whose claims include `{ email, email_verified, sub }`.
- Normalize email and deduplicate: link to existing `users` by `normalized_email` (only when `email_verified` is true) or create new.
- Upsert an `identities` record with `provider='google'` and `provider_sub=sub`.
- Issue a session (JWT or DB token) and return to the client.
Endpoint Design
- `GET /auth/oauth/google/start`: redirect to Google OAuth.
- `GET /auth/oauth/google/callback`: handle Google response.
Callback Handler (Pseudocode)
```javascript
const callback = async (req, res) => {
  // Check the OAuth `state` against the value stored at /start (CSRF), exchange
  // the code for tokens, and verify the ID token (signature, iss, aud, exp,
  // nonce) before trusting any claim in it. getGoogleProfile is assumed to
  // return only verified claims, including email_verified.
  const { email, sub, email_verified: emailVerified } = await getGoogleProfile(req)
  // Match an existing account by email only when Google reports the address
  // as verified; linking on an unverified address lets a stranger claim it.
  // A null key tells the upsert not to match by email (create, or fall back
  // to the missing-email path below).
  const normalized = email && emailVerified ? normalizeEmail(email) : null
  // Create or fetch user (dedup by normalized email; see Dedup Rules for the
  // provider/sub lookup that must run first)
  const user = await upsertUserByNormalizedEmail({ email, normalized })
  // Link identity (idempotent on provider + provider_sub)
  await upsertIdentity({
    userId: user.id,
    provider: 'google',
    providerSub: sub,
  })
  // Issue session
  const token = await issueSession(user)
  return res.json({ token, user })
}
```
Dedup Rules
- Look up by (`provider`, `provider_sub`) first: if an identity exists for this Google `sub`, reuse the linked user even if the email on the Google account has changed.
- Otherwise match by `normalized_email = lower(trim(email))`, but only when Google reports `email_verified: true`; an unverified address must never be used to attach to an existing user.
- If a user with that email exists but no identity, link the new identity to that user.
- If neither exists, create the user, then the identity.
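The four rules above applied end to end, as an added example that is not the page's own code. It runs against an in-memory store whose column names follow the design (`users.normalized_email`, `identities.provider` / `provider_sub`); the store layout, the `action` labels and the constructed sample claims are assumptions made for this example.

```javascript
// Added example, not the page's own code: the dedup rules applied to an
// in-memory store. Column names follow the design (users.normalized_email,
// identities.provider / provider_sub); the store layout and the action labels
// are assumptions made for this example.

function normalizeEmail(email) {
  // Dedup key as defined in the page: lower(trim(email)).
  return String(email).trim().toLowerCase();
}

function makeStore() {
  // users: id -> user row; identities: "provider:provider_sub" -> identity row
  return { users: new Map(), identities: new Map(), nextId: 1 };
}

function findUserByEmail(store, normalized) {
  for (const u of store.users.values()) {
    if (u.normalized_email === normalized) return u;
  }
  return null;
}

// `claims` is the payload of a Google ID token whose signature and standard
// claims (iss, aud, exp, nonce) have already been verified upstream.
function resolveGoogleUser(store, claims) {
  const { sub, email, email_verified: emailVerified } = claims;
  if (typeof sub !== 'string' || sub === '') throw new Error('ID token has no sub');
  const identityKey = `google:${sub}`;

  // Rule 1: an identity already linked for this provider/sub wins, even if the
  // email on the Google account has since changed.
  const existing = store.identities.get(identityKey);
  if (existing) return { action: 'existing', user: store.users.get(existing.userId) };

  // Rule 2: matching by email needs an email, and linking to someone else's
  // account needs Google to vouch for it (email_verified === true).
  if (typeof email !== 'string' || email.trim() === '') {
    return { action: 'needs_email', user: null };
  }
  const normalized = normalizeEmail(email);
  let user = findUserByEmail(store, normalized);
  if (user && emailVerified !== true) {
    // Refuse to link: an unverified address must not attach to an existing user.
    return { action: 'needs_verification', user: null };
  }

  // Rule 3: create the user when nothing matched.
  let action = 'linked';
  if (!user) {
    user = {
      id: `u${store.nextId++}`,
      email: email.trim(),
      normalized_email: normalized,
      email_verified: emailVerified === true,
    };
    store.users.set(user.id, user);
    action = 'created';
  }

  // Rule 4: link the identity (idempotent: keyed on provider + provider_sub).
  store.identities.set(identityKey, { userId: user.id, provider: 'google', provider_sub: sub });
  return { action, user };
}
```

The `needs_verification` branch is the one that matters for safety: with it removed, anyone whose Google account carries an unverified copy of a victim's address would be logged straight into the victim's user. In a real store the two lookups map to unique indexes on `normalized_email` and on (`provider`, `provider_sub`).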
Security & UX
- Skip a separate email-verification step for Google login and rely on Google as the identity provider, but only for addresses Google itself reports as verified (`email_verified: true` in the ID token). "Relying on Google" also means verifying what Google sent: check the ID token signature against Google's JWKS and its `iss`, `aud`, `exp` and `nonce` claims, and compare the callback's `state` with the value issued at `/start`, before using any claim.
- Rate-limit OAuth callback to prevent abuse.
- Clearly show the final signed-in account to avoid confusion.
Error Handling
- Missing email from provider: prompt the user to enter an email, but treat it as unverified: send a verification link and only normalize and dedup against existing users once the address is confirmed. Linking a user-typed, unverified address to an existing account would let anyone claim that account.
- Conflicting data (for example, the Google `sub` is already linked to a different user than the one matched by email): log and alert; retain a single account by enforcing uniqueness on `normalized_email` and on (`provider`, `provider_sub`).