Login with Google OAuth
Authenticate a user using Google OAuth and receive an access token. This endpoint is only available for regular users (new-client-ui site).
Endpoint
POST /v1/accounts/login/google/
Authentication
Not required (public endpoint)
Request Body
The request should be sent as application/x-www-form-urlencoded or multipart/form-data:
Parameters
| Field | Type | Required | Description | Validation |
|---|---|---|---|---|
| code | string | Yes | Authorization code received from Google OAuth | Not empty |
| redirect_uri | string | Yes | Redirect URI that was used in the initial OAuth request | Must match one of the allowed redirect URIs configured on the backend |
Response
Success (200 OK)
{
  "access_token": "encrypted_token_string",
  "user": {
    "id": 1,
    "first_name": "John",
    "last_name": "Doe",
    "email": "john.doe@example.com",
    "phone": "",
    "profile_photo": "https://lh3.googleusercontent.com/...",
    "preferred_language": "AZERBAIJANI",
    "role": "1",
    "created": "2025-01-15T10:30:00Z"
  }
}
Error Responses
Missing Code (400)
Missing Redirect URI (400)
Invalid Redirect URI (400)
The redirect URI must match one of the allowed redirect URIs configured in the backend environment variable GOOGLE_ALLOWED_REDIRECT_URIS.
Invalid Grant (400)
This error occurs when:
- The authorization code has expired (codes expire quickly)
- The code has already been used (codes are single-use)
- The redirect URI doesn't match what was used in the initial OAuth request
Failed to Exchange Code (400)
Failed to Get User Info (500)
Example Request
Using cURL (Form Data)
curl -X POST "https://api.luxmart.site/v1/accounts/login/google/" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "code=4/0AeanS8X...&redirect_uri=http://localhost:3000/auth/google/callback"
Using JavaScript (FormData)
// Build the multipart/form-data body with the code returned by Google
// and the exact redirect_uri used when the OAuth flow was started.
const formData = new FormData();
formData.append("code", "4/0AeanS8X...");
formData.append("redirect_uri", "http://localhost:3000/auth/google/callback");

fetch("https://api.luxmart.site/v1/accounts/login/google/", {
  method: "POST",
  body: formData
})
  .then(response => response.json())
  .then(data => {
    // On success the response carries the access token and the user object
    console.log("Access token:", data.access_token);
    console.log("User:", data.user);
  });
OAuth Flow
- Frontend initiates OAuth: Redirect user to Google OAuth consent screen
- User authorizes: User grants permissions to your application
- Google redirects: Google redirects back to your frontend with a code parameter
- Frontend sends code: Frontend sends the code and redirect_uri to this endpoint
- Backend exchanges code: Backend exchanges code for access token with Google
- Backend gets user info: Backend fetches user information from Google
- Backend creates/finds user: Backend creates new user or finds existing user by email
- Backend returns token: Backend generates and returns access token
Notes
- Only for regular users: This endpoint only works for users with role "1" (User)
- Auto-activation: Google OAuth users are automatically activated (no OTP required)
- Profile photo: User's Google profile photo is automatically saved
- Name handling: Google name is split into first_name and last_name
- Existing users: If a user with the same email exists, their profile photo is updated
- Token expiration: Token expires after 30 days of inactivity
- Redirect URI validation: The redirect URI is validated against a whitelist for security
- Single-use codes: Authorization codes can only be used once and expire quickly
Security
- The redirect URI is validated against a whitelist configured in GOOGLE_ALLOWED_REDIRECT_URIS
- Google also validates the redirect URI during token exchange
- This provides double protection against redirect attacks
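The backend-side steps of the flow above (validate redirect_uri against the whitelist, then exchange the code) as an added illustration; this is example code, not the project's own implementation, and the helper names, the exact-match rule and the sample whitelist are assumptions. The token endpoint URL is Google's standard one.

```python
from urllib.parse import urlsplit

# Hypothetical helpers (not the project's code) showing a whitelist check that
# uses exact matching rather than prefix matching: a prefix rule would let
# "…/callback.evil.example" or "…/callback?x=1" slip past the whitelist.

def parse_allowed_redirect_uris(raw):
    """Parse the comma-separated GOOGLE_ALLOWED_REDIRECT_URIS value."""
    return frozenset(u.strip() for u in raw.split(",") if u.strip())


def is_allowed_redirect_uri(redirect_uri, allowed):
    """Return True only for a well-formed http(s) URI that is exactly whitelisted."""
    if not redirect_uri:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return redirect_uri in allowed  # exact match, no prefix/substring logic


def build_token_exchange_payload(code, redirect_uri, client_id, client_secret, allowed):
    """Form body for POST https://oauth2.googleapis.com/token.

    Mirrors the endpoint's 400 cases: missing code and non-whitelisted
    redirect_uri are rejected before anything is sent to Google. Google then
    re-checks redirect_uri itself (the 'double protection' noted above).
    """
    if not code:
        raise ValueError("missing code")
    if not is_allowed_redirect_uri(redirect_uri, allowed):
        raise ValueError("invalid redirect_uri")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }


if __name__ == "__main__":
    # Constructed sample whitelist in the same format as the env variable.
    allowed = parse_allowed_redirect_uris(
        "http://localhost:3000/auth/google/callback, https://app.example.com/auth/google/callback"
    )
    print(is_allowed_redirect_uri("http://localhost:3000/auth/google/callback", allowed))  # True
    print(is_allowed_redirect_uri("http://localhost:3000/auth/google/callback?x=1", allowed))  # False
```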
Environment Variables Required
Backend must have these environment variables configured:
GOOGLE_CLIENT_ID=<your_google_client_id>
GOOGLE_CLIENT_SECRET=<your_google_client_secret>
GOOGLE_ALLOWED_REDIRECT_URIS=<comma_separated_list_of_allowed_uris>
Example: