update

SETUP.md

@@ -45,6 +45,24 @@
    export OPENAI_API_KEY=your_api_key_here
    ```
 
+   **Google Sign-In (optional)** — create an OAuth **Web application** client in [Google Cloud Console](https://console.cloud.google.com/apis/credentials) (APIs & Services → Credentials). Under **Authorized redirect URIs** add exactly:
+   - Local (Vite dev): `http://localhost:5173/api/auth/google/callback`
+   - Docker / Hugging Face / your public URL: `https://<your-host>/api/auth/google/callback`
+
+   Then set:
+   ```bash
+   export GOOGLE_CLIENT_ID=...
+   export GOOGLE_CLIENT_SECRET=...
+   # Must match the redirect URI above (recommended for dev):
+   export FRONTEND_ORIGIN=http://localhost:5173
+   # Or set the full callback explicitly:
+   # export GOOGLE_REDIRECT_URI=http://localhost:5173/api/auth/google/callback
+   # Strong random secret for signed session cookies (required in production):
+   export SESSION_SECRET=$(openssl rand -hex 32)
+   ```
+
+   For HTTPS deployments (e.g. Hugging Face Spaces), also set `HTTPS_ONLY_COOKIES=1` and add your public origin to `CORS_ORIGINS` if the browser origin differs from the API host.
+
 3. **Run Backend**:
    ```bash
    cd backend

backend/app/auth_routes.py

@@ -0,0 +1,146 @@
+"""
+Google OAuth2 (OpenID Connect) sign-in: authorization code flow with server-side session cookie.
+Configure GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, and either GOOGLE_REDIRECT_URI or FRONTEND_ORIGIN.
+"""
+
+from __future__ import annotations
+
+import os
+import secrets
+from urllib.parse import urlencode
+
+import httpx
+from fastapi import APIRouter, HTTPException, Request
+from fastapi.responses import RedirectResponse
+from google.auth.transport import requests as google_auth_requests
+from google.oauth2 import id_token
+
+router = APIRouter(prefix="/api/auth", tags=["auth"])
+
+GOOGLE_AUTH_URI = "https://accounts.google.com/o/oauth2/v2/auth"
+GOOGLE_TOKEN_URI = "https://oauth2.googleapis.com/token"
+
+
+def _client_configured() -> bool:
+    return bool(os.environ.get("GOOGLE_CLIENT_ID", "").strip() and os.environ.get("GOOGLE_CLIENT_SECRET", "").strip())
+
+
+def _redirect_uri(request: Request) -> str:
+    """Callback URL; must match an entry in Google Cloud Console → OAuth client."""
+    explicit = os.environ.get("GOOGLE_REDIRECT_URI", "").strip()
+    if explicit:
+        return explicit
+    fe = os.environ.get("FRONTEND_ORIGIN", "").strip()
+    if fe:
+        return fe.rstrip("/") + "/api/auth/google/callback"
+    return str(request.base_url).rstrip("/") + "/api/auth/google/callback"
+
+
+def _post_login_url(request: Request) -> str:
+    fe = os.environ.get("FRONTEND_ORIGIN", "").strip()
+    if fe:
+        return fe.rstrip("/") + "/"
+    return str(request.base_url).rstrip("/") + "/"
+
+
+@router.get("/status")
+async def auth_status():
+    return {"googleConfigured": _client_configured()}
+
+
+@router.get("/me")
+async def auth_me(request: Request):
+    user = request.session.get("user")
+    if not user:
+        raise HTTPException(status_code=401, detail="Not signed in")
+    return user
+
+
+@router.post("/logout")
+async def auth_logout(request: Request):
+    request.session.clear()
+    return {"ok": True}
+
+
+@router.get("/google")
+async def google_login(request: Request):
+    if not _client_configured():
+        raise HTTPException(
+            status_code=503,
+            detail="Google sign-in is not configured (set GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET).",
+        )
+    client_id = os.environ["GOOGLE_CLIENT_ID"].strip()
+    state = secrets.token_urlsafe(32)
+    redirect_uri = _redirect_uri(request)
+    request.session["google_oauth_state"] = state
+    request.session["google_oauth_redirect_uri"] = redirect_uri
+    params = {
+        "client_id": client_id,
+        "redirect_uri": redirect_uri,
+        "response_type": "code",
+        "scope": "openid email profile",
+        "state": state,
+        "access_type": "online",
+        "include_granted_scopes": "true",
+    }
+    return RedirectResponse(url=f"{GOOGLE_AUTH_URI}?{urlencode(params)}")
+
+
+@router.get("/google/callback")
+async def google_callback(
+    request: Request,
+    code: str | None = None,
+    state: str | None = None,
+    error: str | None = None,
+):
+    dest = _post_login_url(request)
+    if error:
+        return RedirectResponse(url=f"{dest}?auth_error={error}")
+    if not code or not state:
+        raise HTTPException(status_code=400, detail="Missing code or state")
+    expected = request.session.pop("google_oauth_state", None)
+    redirect_uri = request.session.pop("google_oauth_redirect_uri", None) or _redirect_uri(request)
+    if not expected or state != expected:
+        raise HTTPException(status_code=400, detail="Invalid OAuth state")
+    if not _client_configured():
+        raise HTTPException(status_code=503, detail="Google sign-in is not configured")
+
+    client_id = os.environ["GOOGLE_CLIENT_ID"].strip()
+    client_secret = os.environ["GOOGLE_CLIENT_SECRET"].strip()
+
+    async with httpx.AsyncClient() as client:
+        token_res = await client.post(
+            GOOGLE_TOKEN_URI,
+            data={
+                "code": code,
+                "client_id": client_id,
+                "client_secret": client_secret,
+                "redirect_uri": redirect_uri,
+                "grant_type": "authorization_code",
+            },
+            headers={"Content-Type": "application/x-www-form-urlencoded"},
+        )
+    if token_res.status_code != 200:
+        raise HTTPException(status_code=502, detail="Token exchange failed")
+    tokens = token_res.json()
+    id_tok = tokens.get("id_token")
+    if not id_tok:
+        raise HTTPException(status_code=502, detail="No id_token in response")
+
+    try:
+        id_info = id_token.verify_oauth2_token(
+            id_tok,
+            google_auth_requests.Request(),
+            client_id,
+        )
+    except ValueError as e:
+        raise HTTPException(status_code=400, detail=f"Invalid id token: {e}") from e
+
+    request.session["user"] = {
+        "sub": id_info.get("sub"),
+        "email": id_info.get("email"),
+        "name": id_info.get("name"),
+        "picture": id_info.get("picture"),
+        "email_verified": id_info.get("email_verified"),
+    }
+    return RedirectResponse(url=dest)

backend/app/main.py

@@ -2,6 +2,7 @@ from fastapi import FastAPI, UploadFile, File, Depends, HTTPException, Query, Re
 from fastapi.responses import FileResponse, StreamingResponse
 from fastapi.staticfiles import StaticFiles
 from fastapi.middleware.cors import CORSMiddleware
+from starlette.middleware.sessions import SessionMiddleware
 from pathlib import Path
 from sqlalchemy.orm import Session
 from sqlalchemy import func, or_
@@ -45,17 +46,39 @@ from .models import (
 )
 from .gpt_service import generate_email_sequence, enrich_manual_contact_profile
 from .smartlead_client import SmartleadClient
+from .auth_routes import router as auth_router
 
 app = FastAPI()
 
+# Session cookie for Google OAuth (must be before CORS if using credentials across origins)
+_session_secret = os.environ.get("SESSION_SECRET", "dev-session-secret-change-in-production")
+_is_https = os.environ.get("HTTPS_ONLY_COOKIES", "").strip() in ("1", "true", "yes")
+app.add_middleware(
+    SessionMiddleware,
+    secret_key=_session_secret,
+    same_site="lax",
+    https_only=_is_https,
+    max_age=14 * 24 * 60 * 60,
+)
+
+_cors_raw = os.environ.get(
+    "CORS_ORIGINS",
+    "http://localhost:5173,http://127.0.0.1:5173,http://localhost:3000,http://127.0.0.1:3000",
+)
+_cors_origins = [o.strip() for o in _cors_raw.split(",") if o.strip()]
+if not _cors_origins:
+    _cors_origins = ["*"]
+
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=_cors_origins,
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],
 )
 
+app.include_router(auth_router)
+
 # Create uploads directory
 UPLOAD_DIR = Path("/data/uploads")
 UPLOAD_DIR.mkdir(parents=True, exist_ok=True)

backend/requirements.txt

@@ -7,4 +7,6 @@ aiofiles
 sqlalchemy
 requests
 duckduckgo-search>=6.3.0
-google-genai>=1.5.0
+google-genai>=1.5.0
+httpx
+google-auth

frontend/src/components/layout/AppShell.jsx

@@ -11,6 +11,7 @@ import {
 } from 'lucide-react';
 import { Button } from '@/components/ui/button';
 import { cn } from '@/lib/utils';
+import GoogleAuthBar from '@/components/layout/GoogleAuthBar';
 
 const NAV_ITEMS = [
     { label: 'Generator', href: '/', icon: LayoutDashboard },
@@ -81,7 +82,10 @@ export default function AppShell({ title, subtitle, rightContent, children }) {
                             <h2 className="text-xl font-bold text-slate-800">{title}</h2>
                             {subtitle && <p className="text-sm text-slate-500">{subtitle}</p>}
                         </div>
-                        <div className="flex shrink-0 items-center gap-2">{rightContent}</div>
+                        <div className="flex shrink-0 items-center gap-2">
+                            <GoogleAuthBar />
+                            {rightContent}
+                        </div>
                     </div>
                 </div>
                 <nav className="flex items-center gap-2 border-t border-slate-100 bg-white/90 px-4 py-2 md:hidden">

frontend/src/components/layout/GoogleAuthBar.jsx

@@ -0,0 +1,142 @@
+import React, { useCallback, useEffect, useState } from 'react';
+import { useSearchParams } from 'react-router-dom';
+import { LogOut } from 'lucide-react';
+import { Button } from '@/components/ui/button';
+import { cn } from '@/lib/utils';
+
+/**
+ * Header sign-in: session cookie set by GET /api/auth/google → Google → /api/auth/google/callback.
+ */
+export default function GoogleAuthBar() {
+    const [searchParams, setSearchParams] = useSearchParams();
+    const [phase, setPhase] = useState('loading'); // loading | ready | error
+    const [googleOn, setGoogleOn] = useState(false);
+    const [user, setUser] = useState(null);
+
+    const refresh = useCallback(async () => {
+        try {
+            const [st, me] = await Promise.all([
+                fetch('/api/auth/status').then((r) => r.json()),
+                fetch('/api/auth/me', { credentials: 'include' }).then((r) =>
+                    r.ok ? r.json() : null
+                ),
+            ]);
+            setGoogleOn(!!st.googleConfigured);
+            setUser(me);
+            setPhase('ready');
+        } catch {
+            setPhase('error');
+        }
+    }, []);
+
+    useEffect(() => {
+        refresh();
+    }, [refresh]);
+
+    useEffect(() => {
+        const err = searchParams.get('auth_error');
+        if (!err) return;
+        if (err === 'access_denied') {
+            console.info('Google sign-in was cancelled.');
+        } else {
+            console.warn('Google sign-in error:', err);
+        }
+        const next = new URLSearchParams(searchParams);
+        next.delete('auth_error');
+        setSearchParams(next, { replace: true });
+    }, [searchParams, setSearchParams]);
+
+    const logout = async () => {
+        try {
+            await fetch('/api/auth/logout', { method: 'POST', credentials: 'include' });
+            setUser(null);
+        } catch (e) {
+            console.error(e);
+        }
+    };
+
+    if (phase === 'loading' || (phase === 'ready' && !googleOn)) {
+        if (phase === 'loading') {
+            return (
+                <div
+                    className="h-9 w-24 shrink-0 rounded-md bg-slate-100/80 animate-pulse"
+                    aria-hidden
+                />
+            );
+        }
+        return null;
+    }
+
+    if (phase === 'error') {
+        return null;
+    }
+
+    if (user) {
+        return (
+            <div className="flex max-w-[min(100vw-8rem,20rem)] items-center gap-2">
+                {user.picture ? (
+                    <img
+                        src={user.picture}
+                        alt=""
+                        className="h-8 w-8 shrink-0 rounded-full border border-slate-200 object-cover"
+                        referrerPolicy="no-referrer"
+                    />
+                ) : null}
+                <span className="hidden min-w-0 truncate text-sm text-slate-600 sm:inline">
+                    {user.name || user.email || 'Signed in'}
+                </span>
+                <Button
+                    type="button"
+                    variant="outline"
+                    size="sm"
+                    className="shrink-0 gap-1"
+                    onClick={logout}
+                    title="Sign out"
+                >
+                    <LogOut className="h-3.5 w-3.5" />
+                    <span className="hidden sm:inline">Sign out</span>
+                </Button>
+            </div>
+        );
+    }
+
+    return (
+        <Button
+            asChild
+            variant="outline"
+            size="sm"
+            className={cn(
+                'shrink-0 gap-2 border-slate-200 bg-white text-slate-800 shadow-sm',
+                'hover:bg-slate-50'
+            )}
+        >
+            <a href="/api/auth/google" className="inline-flex items-center gap-2">
+                <GoogleMark className="h-4 w-4 shrink-0" />
+                <span className="whitespace-nowrap">Sign in with Google</span>
+            </a>
+        </Button>
+    );
+}
+
+function GoogleMark({ className }) {
+    return (
+        <svg className={className} viewBox="0 0 24 24" aria-hidden>
+            <path
+                fill="#4285F4"
+                d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z"
+            />
+            <path
+                fill="#34A853"
+                d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z"
+            />
+            <path
+                fill="#FBBC05"
+                d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z"
+            />
+            <path
+                fill="#EA4335"
+                d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z"
+            />
+        </svg>
+    );
+}