From 04ca9b6f9a5e0c969db84a8b6fa3c69995f8e022 Mon Sep 17 00:00:00 2001 From: MartinBraquet Date: Thu, 30 Oct 2025 22:39:10 +0100 Subject: [PATCH] Remove PKCE as using google client secret --- backend/api/src/auth-google.ts | 7 +++---- common/src/api/schema.ts | 1 - web/lib/firebase/users.ts | 20 -------------------- web/pages/_app.tsx | 17 ++++++----------- 4 files changed, 9 insertions(+), 36 deletions(-) diff --git a/backend/api/src/auth-google.ts b/backend/api/src/auth-google.ts index 4361d7d0..83f5ec6b 100644 --- a/backend/api/src/auth-google.ts +++ b/backend/api/src/auth-google.ts @@ -3,17 +3,16 @@ import {GOOGLE_CLIENT_ID} from "common/constants"; import {REDIRECT_URI} from "common/envs/constants"; export const authGoogle: APIHandler<'auth-google'> = async ( - {code, codeVerifier}, + {code}, _auth ) => { - console.log('Google Auth Codes:', code, codeVerifier) - if (!code || !codeVerifier) return {success: false, result: {}} + console.log('Google Auth Codes:', code) + if (!code) return {success: false, result: {}} const body = { client_id: GOOGLE_CLIENT_ID, client_secret: process.env.GOOGLE_CLIENT_SECRET!, code: code as string, - code_verifier: codeVerifier as string, grant_type: 'authorization_code', redirect_uri: REDIRECT_URI, }; diff --git a/common/src/api/schema.ts b/common/src/api/schema.ts index 46d534e1..56ee573c 100644 --- a/common/src/api/schema.ts +++ b/common/src/api/schema.ts @@ -740,7 +740,6 @@ export const API = (_apiTypeCheck = { returns: {} as any, props: z.object({ code: z.string(), - codeVerifier: z.string(), }), summary: 'Google Auth', tag: 'Authentication', diff --git a/web/lib/firebase/users.ts b/web/lib/firebase/users.ts index 45df47fd..cfba771b 100644 --- a/web/lib/firebase/users.ts +++ b/web/lib/firebase/users.ts 
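Review bot: Dropping `code_verifier` from the token-exchange body leaves `authGoogle` exchanging any authorization code it is handed, and the backend client secret is not a substitute: PKCE bound the code to the client session that started the flow, which matters here because (per the `webviewGoogleSignin` docs elsewhere in this patch) the code arrives via a redirect inside an Android WebView where it can be intercepted or injected, and the removed lines show that `code_verifier` and `client_secret` were already being sent together, so keeping both costs nothing. If PKCE really is to go, the flow should at least gain a client-generated `state` value that is checked before the code is exchanged. Separately, the new `console.log('Google Auth Codes:', code)` writes a live authorization code to backend logs; replace it with something like `console.log('Google Auth: authorization code received')`. `process.env.GOOGLE_CLIENT_SECRET!` also sends the literal string "undefined" to Google when the variable is unset, so a fail-fast check (`if (!process.env.GOOGLE_CLIENT_SECRET) throw new Error('GOOGLE_CLIENT_SECRET is not set')`) would give a clearer failure. The body of `authGoogle` continues past the end of the hunk.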
@@ -46,22 +46,6 @@ export function writeReferralInfo( } } -async function generatePKCE() { - const array = new Uint8Array(32); - crypto.getRandomValues(array); - const codeVerifier = btoa(String.fromCharCode(...array)) - .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''); - - const encoder = new TextEncoder(); - const hashBuffer = await crypto.subtle.digest('SHA-256', encoder.encode(codeVerifier)); - const hashArray = Array.from(new Uint8Array(hashBuffer)); - const codeChallenge = btoa(String.fromCharCode(...hashArray)) - .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''); - - console.log({codeVerifier, codeChallenge}) - return {codeVerifier, codeChallenge}; -} - /** * Authenticates a Firebase client running a webview APK on Android with Google OAuth. * @@ -73,16 +57,12 @@ async function generatePKCE() { * @public */ export async function webviewGoogleSignin() { - const {codeVerifier, codeChallenge} = await generatePKCE(); - localStorage.setItem('pkce_verifier', codeVerifier); const params = new URLSearchParams({ client_id: GOOGLE_CLIENT_ID, redirect_uri: REDIRECT_URI, response_type: 'code', scope: 'openid email profile', - code_challenge: codeChallenge, - code_challenge_method: 'S256', }); console.log('params', params) diff --git a/web/pages/_app.tsx b/web/pages/_app.tsx index b52a51a0..739f2c8d 100644 --- a/web/pages/_app.tsx +++ b/web/pages/_app.tsx 
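Review bot: With `code_challenge` removed, the authorization request built in `webviewGoogleSignin` carries nothing that ties the returned code to this session — there is no `state` parameter either — so the callback cannot reject an injected or replayed code. Generate a nonce before building the params, persist it the way the old verifier was persisted, and send it: `const state = Array.from(crypto.getRandomValues(new Uint8Array(16)), b => b.toString(16).padStart(2, '0')).join('')`, `localStorage.setItem('oauth_state', state)`, and `state,` added to the `URLSearchParams` object, then compare the value echoed back on the redirect before calling the backend. The `console.log('params', params)` line that remains prints the full request parameters; it is only client id and scope data here, but it should not ship. The rest of `webviewGoogleSignin` lies outside the hunk.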
@@ -16,13 +16,14 @@ import {unauthedApi} from "common/util/api"; import {GoogleAuthProvider, signInWithCredential} from "firebase/auth"; import {auth} from "web/lib/firebase/users"; import {isAndroidWebView} from "web/lib/util/webview"; -import { Capacitor } from '@capacitor/core'; -import { StatusBar, Style } from '@capacitor/status-bar'; +import {Capacitor} from '@capacitor/core'; +import {StatusBar, Style} from '@capacitor/status-bar'; if (Capacitor.isNativePlatform()) { // Only runs on iOS/Android native - StatusBar.setOverlaysWebView({ overlay: false }).catch(console.warn); - StatusBar.setStyle({ style: Style.Light }).catch(console.warn); + // Note sure it's doing anything, though, need to check + StatusBar.setOverlaysWebView({overlay: false}).catch(console.warn); + StatusBar.setStyle({style: Style.Light}).catch(console.warn); } @@ -94,14 +95,8 @@ function MyApp({Component, pageProps}: AppProps) { return; } - const codeVerifier = localStorage.getItem('pkce_verifier'); - if (!codeVerifier) { - console.error('No code verifier found in localStorage'); - return; - } - try { - const {result} = await unauthedApi('auth-google', {code, codeVerifier}) + const {result} = await unauthedApi('auth-google', {code}) const googleTokens = result.tokens console.log('/auth-google tokens', googleTokens); // Create a Firebase credential from the Google tokens
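Review bot: The comment added above the `StatusBar` calls reads `// Note sure it's doing anything, though, need to check`; "Note sure" is a typo for "Not sure", and an open question is clearer as a tracked TODO, e.g. `// TODO: verify these StatusBar calls actually take effect on native Android/iOS`. The remainder of this hunk is a whitespace-only reformat.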
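Review bot: Removing the `pkce_verifier` check means the callback now forwards whatever `code` it holds to `auth-google` with no evidence that this client started the flow; `code` is obtained outside the hunk, and if it is read from the callback URL, anything that can steer the WebView to that URL can inject a code and obtain a Firebase session. Re-add a guard before the `try`, comparing a `state` value read back from the callback against one stored when the authorization request was built, e.g. `const expectedState = localStorage.getItem('oauth_state'); if (!expectedState || expectedState !== returnedState) { console.error('OAuth state mismatch'); return; }` (with `localStorage.removeItem('oauth_state')` on both paths). The context line `console.log('/auth-google tokens', googleTokens)` prints Google id/access tokens to the device console and should be dropped or reduced to a presence check such as `console.log('/auth-google: tokens received')`. The enclosing function starts and ends outside the hunk.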