Login
POST /auth/login

OAuth 2.0 · Authorization Code Flow
Google Sign-In
Authenticate users via Google. Backend exchanges the code server-side, sets an HttpOnly cookie on .thesqua.re — shared across all subdomains.
POST /auth/google/token
Architecture
How the code flows between services
1. redirect to Google: Browser (dev.thesqua.re) → Google (accounts.google.com)
2. redirect + code: Google (accounts.google.com) → React App (/auth/callback)
3. POST code: React App (/auth/callback) → Auth Service (auth.thesqua.re)
4. exchange code: Auth Service (auth.thesqua.re) → Google API (oauth2.googleapis.com)
Step-by-Step Flow

1. User clicks Sign in with Google (Browser)
Browser builds the Google OAuth URL with redirect_uri pointing to the React callback route and redirects the user to Google.
GET accounts.google.com/o/oauth2/v2/auth?client_id=219724…&redirect_uri=https://dev.thesqua.re/login&scope=openid email profile&response_type=code

2. Google authenticates & issues code (Google)
User logs in on Google. Google validates credentials and generates a one-time authorization code — single-use, expires in ~10 minutes.

3. Google redirects back to React (React App)
Browser lands on https://dev.thesqua.re/login?code=…. React extracts the code from URL query params.
GET https://dev.thesqua.re/login?code=4%2F0AX4…&scope=openid+email+profile&authuser=0

4. React POSTs code to Auth Service (Auth Service)
React sends { code, redirect_uri } to POST /auth/google/token with withCredentials: true. Backend exchanges the code with Google server-side and fetches the user profile.
POST https://auth.thesqua.re/auth/google/token → { "code": "4/0AX4…", "redirect_uri": "https://dev.thesqua.re/login" }

5. Cookie set — user authenticated (Cookie)
Backend finds user by email, issues JWT, sets auth_jwt HttpOnly cookie on .thesqua.re — shared across all subdomains automatically.
Set-Cookie: auth_jwt=eyJhbGciOiJIUzI1NiJ9…; Domain=.thesqua.re; Secure; HttpOnly; SameSite=None; Max-Age=86400

6. Done — fully authenticated (Authenticated)
All subsequent requests to *.thesqua.re automatically include the auth_jwt cookie. Call GET /auth/me to verify the session.

Authorized Redirect URIs
Google Cloud Console — OAuth Client
URI                                    Purpose                         Status
https://auth.thesqua.re/               Test panel (this page)          ACTIVE
https://dev.thesqua.re/login           React dev app callback route    ACTIVE
https://www.thesqua.re/auth/callback   Production, add when ready      PENDING
OAuth 2.0 · Authorization Code Flow
LinkedIn Sign-In
Authenticate users via LinkedIn. Backend exchanges the code server-side, sets an HttpOnly cookie on .thesqua.re — shared across all subdomains.
POST /auth/linkedin/token
How it works
Redirect flow
1. redirect to LinkedIn: Browser (auth.thesqua.re) → LinkedIn (linkedin.com)
2. redirect + code: LinkedIn (linkedin.com) → Auth Service (/auth/linkedin/call)
3. exchange code: Auth Service (/auth/linkedin/call) → LinkedIn API (api.linkedin.com)
Manual Exchange
POST /auth/linkedin/token
After clicking "Sign in with LinkedIn" above, the callback auto-exchanges the code. Use this form to manually exchange a code if needed.
Register — User
POST /auth/register · is_supplier: false
Register — Supplier
POST /auth/register · is_supplier: true
Logout
GET /auth/logout
Clears auth_jwt cookies immediately.
Me — Current Profile
GET /auth/me
Reads access_token cookie automatically. No input needed.
Refresh Token
POST /auth/refresh
Uses refresh_token cookie to issue a new access_token.
Cookie Viewer
Browser JS readable cookies only
access_token and refresh_token are HttpOnly — invisible here but sent automatically with every request.
Forgot Password
POST /auth/forgot-password
Always returns 200 — prevents email enumeration.
Reset Password
POST /auth/reset-password