Sync general improvements from hypemarket #4 (#339)

- Fix duplicate trix/actiontext pins in importmap
- Add OAuth token auto-refresh (OauthTokenRefreshable concern)
- Add Google One-Tap authentication (jwt gem, verifier, controller, route)
- Add OG image fallback when prefilling organization from website
- Add sitemap.xml route and controller action
- Add badge-count meta tag for PWA/desktop app support
- Use daisyUI badge classes for notification badge
- Add RichTextHelper for Lexxy code language picker
- Improve after_sign_in_path_for with path_after_invitation helper

Author: yshmarov

Gemfile

@@ -88,6 +88,7 @@ gem "nondisposable"
 # oauth
 gem "omniauth-google-oauth2"
 gem "omniauth-github"
+gem "jwt"
 
 # authorization
 gem "pundit", "~> 2.3"

Gemfile.lock

@@ -689,6 +689,7 @@ DEPENDENCIES
   importmap-rails
   inline_svg (~> 1.9)
   jbuilder
+  jwt
   kamal
   letter_opener
   letter_opener_web

app/controllers/concerns/authentication.rb

@@ -14,18 +14,26 @@ def after_sign_in_path_for(resource)
     stored_location = stored_location_for(resource)
     return stored_location if stored_location
 
-    # Redirect users with pending invitations to their invitations page
-    return user_organizations_received_invitations_path if resource.received_invitations.pending.any?
+    invitation = resource.received_invitations.pending.first
+    return user_organizations_received_invitation_path(invitation) if invitation
 
-    if resource.organizations.any?
-      session.delete(:new_user) if session[:new_user]
-      organization_path(resource.organizations.first)
-    elsif session[:new_user]
+    if session[:new_user]
       session.delete(:new_user)
       # You can send new users to onboarding, billing, or somewhere else
       root_path
     else
-      stored_location_for(resource) || root_path
+      default_authenticated_path
     end
   end
+
+  def path_after_invitation(user)
+    next_invitation = user.received_invitations.pending.first
+    return user_organizations_received_invitation_path(next_invitation) if next_invitation
+
+    default_authenticated_path
+  end
+
+  def default_authenticated_path
+    organizations_path
+  end
 end

app/controllers/concerns/organization_prefill.rb

@@ -16,6 +16,7 @@ def prefill_organization_from_website(organization, url)
       name = metadata["site_name"] || metadata["title"]
       organization.name = name if name.present?
       attach_og_logo(organization, metadata["favicon_url"]) if metadata["favicon_url"].present?
+      attach_og_logo(organization, metadata["image_url"]) if !organization.logo.attached? && metadata["image_url"].present?
     end
   rescue Timeout::Error
     # Prefill timed out — user can still fill in details manually

app/controllers/static_controller.rb

@@ -5,6 +5,10 @@ class StaticController < ApplicationController
 
   def index; end
 
+  def sitemap
+    expires_in 12.hours, public: true
+  end
+
   def pricing; end
 
   def terms; end

app/controllers/users/omniauth_callbacks_controller.rb

@@ -1,11 +1,47 @@
 # frozen_string_literal: true
 
 class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  skip_before_action :verify_authenticity_token, only: :google_onetap
+
   def callback
     provider = params[:provider].to_sym
     handle_auth provider
   end
 
+  def google_onetap
+    unless g_csrf_token_valid?
+      redirect_to new_user_session_path, alert: I18n.t("devise.omniauth_callbacks.failure")
+      return
+    end
+
+    payload = GoogleIdTokenVerifier.verify(params[:credential])
+
+    unless payload["email_verified"]
+      redirect_to new_user_session_path, alert: I18n.t("devise.omniauth_callbacks.failure")
+      return
+    end
+
+    auth_hash = OmniAuth::AuthHash.new(
+      provider: "google_oauth2",
+      uid: payload["sub"],
+      info: { name: payload["name"], email: payload["email"], image: payload["picture"] }
+    )
+
+    user = User.from_omniauth(auth_hash)
+
+    if user.persisted?
+      if user.saved_change_to_id?
+        session[:new_user] = true
+        refer user
+      end
+      sign_in_and_redirect user, event: :authentication
+    else
+      redirect_to new_user_registration_url, alert: user.errors.full_messages.join("\n")
+    end
+  rescue JWT::DecodeError
+    redirect_to new_user_session_path, alert: I18n.t("devise.omniauth_callbacks.failure")
+  end
+
   def failure
     redirect_to new_user_registration_url, alert: I18n.t("devise.omniauth_callbacks.failure")
   end
@@ -16,15 +52,18 @@ def handle_auth(kind)
     auth_payload = request.env["omniauth.auth"]
 
     if user_signed_in?
-      # User is already logged in, add OAuth account to current user
       identity = Identity.create_or_update_from_omniauth(auth_payload, current_user)
-      flash[:alert] = I18n.t("users.identities.errors.failed_to_connect", provider: Identity::AUTH_PROVIDERS[kind][:name], errors: identity.errors.full_messages.join(", ")) unless identity.persisted?
+      unless identity.persisted?
+        flash[:alert] = I18n.t("users.identities.errors.failed_to_connect",
+                               provider: Identity::AUTH_PROVIDERS[kind][:name],
+                               errors: identity.errors.full_messages.join(", "))
+      end
       redirect_to user_identities_path
     else
       user = User.from_omniauth(auth_payload)
       if user.persisted?
         if user.saved_change_to_id?
-          session[:new_user] = true if user.saved_change_to_id?
+          session[:new_user] = true
           refer user
         end
         sign_in_and_redirect user, event: :authentication, remember: true
@@ -34,4 +73,9 @@ def handle_auth(kind)
       end
     end
   end
+
+  def g_csrf_token_valid?
+    token = cookies["g_csrf_token"]
+    token.present? && token == params["g_csrf_token"]
+  end
 end

app/helpers/rich_text_helper.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module RichTextHelper
+  def code_language_picker
+    content_tag "lexxy-code-language-picker"
+  end
+end

app/javascript/controllers/google_onetap_controller.js

@@ -0,0 +1,23 @@
+import { Controller } from '@hotwired/stimulus'
+
+const GSI_SRC = 'https://accounts.google.com/gsi/client'
+
+export default class extends Controller {
+  static values = {
+    clientId: String,
+    loginUri: String
+  }
+
+  connect() {
+    if (document.querySelector(`script[src="${GSI_SRC}"]`)) return
+
+    this.script = document.createElement('script')
+    this.script.src = GSI_SRC
+    this.script.async = true
+    document.head.appendChild(this.script)
+  }
+
+  disconnect() {
+    this.script?.remove()
+  }
+}

app/models/concerns/oauth_token_refreshable.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+# Shared concern for models that store OAuth2 tokens and need automatic refresh.
+#
+# Models including this concern must:
+# - Have columns: access_token, refresh_token, expires_at, refresh_token_invalidated_at
+# - Define REFRESHABLE_PROVIDERS constant (array of provider/platform strings)
+# - Implement #oauth_provider_identifier (returns the string used for OAuth config lookup)
+# - Implement #oauth_token_owner (returns the user to notify on token invalidation)
+module OauthTokenRefreshable
+  extend ActiveSupport::Concern
+
+  def token
+    if can_refresh? && expired?
+      with_lock do
+        reload
+        renew_token! if can_refresh? && expired?
+      end
+    end
+    access_token
+  end
+
+  def expired?
+    return false unless expires_at?
+
+    expires_at <= 10.minutes.from_now
+  end
+
+  def can_refresh?
+    self.class::REFRESHABLE_PROVIDERS.include?(oauth_provider_identifier) &&
+      refresh_token.present? &&
+      refresh_token_invalidated_at.nil?
+  end
+
+  def renew_token!
+    new_token = current_token.refresh!
+    update(
+      access_token: new_token.token,
+      refresh_token: new_token.refresh_token || refresh_token,
+      expires_at: new_token.expires_at ? Time.zone.at(new_token.expires_at) : nil,
+      refresh_token_invalidated_at: nil
+    )
+  rescue OAuth2::Error => e
+    if e.code == "invalid_grant" || e.description&.include?("expired") || e.description&.include?("revoked")
+      update(refresh_token_invalidated_at: Time.current)
+      return nil
+    end
+    raise e
+  end
+
+  private
+
+  def current_token
+    OAuth2::AccessToken.new(
+      oauth2_client,
+      access_token,
+      refresh_token: refresh_token
+    )
+  end
+
+  def oauth2_client
+    config = provider_oauth_config
+    OAuth2::Client.new(
+      config[:client_id],
+      config[:client_secret],
+      site: config[:site],
+      authorize_url: config[:authorize_url],
+      token_url: config[:token_url]
+    )
+  end
+
+  def provider_oauth_config
+    case oauth_provider_identifier
+    when "google_oauth2"
+      {
+        client_id: Rails.application.credentials.dig(:google_oauth2, :client_id),
+        client_secret: Rails.application.credentials.dig(:google_oauth2, :client_secret),
+        site: "https://accounts.google.com",
+        authorize_url: "/o/oauth2/auth",
+        token_url: "/o/oauth2/token"
+      }
+    else
+      raise NotImplementedError, "Token refresh not supported for provider: #{oauth_provider_identifier}"
+    end
+  end
+end

app/models/identity.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class Identity < ApplicationRecord
+  include OauthTokenRefreshable
+
   belongs_to :user
 
   validates :provider, presence: true
@@ -62,4 +64,14 @@ def self.create_or_update_from_omniauth(auth_payload, user)
   def self.auth_provider?(provider)
     AUTH_PROVIDERS.key?(provider.to_sym)
   end
+
+  # Required by OauthTokenRefreshable
+  def oauth_provider_identifier
+    provider
+  end
+
+  # Required by OauthTokenRefreshable
+  def oauth_token_owner
+    user
+  end
 end