👀 Peer Review Required
Hi @Ananya44444! This pull request does not yet have a peer review. Before this PR can be merged, please request a review from one of your peers:
Thank you for contributing! 🎉
| Cohort / File(s) | Summary |
|---|---|
| Settings / OAuth & security: web/settings.py | Imports ImproperlyConfigured; introduces EARLY_DEBUG/messages; changes MESSAGE_ENCRYPTION_KEY/SECURE_MESSAGE_KEY to default to "" and generate only for early/debug/collectstatic paths, otherwise raise ImproperlyConfigured; requires GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET when DEBUG=False; adds allauth.socialaccount and allauth.socialaccount.providers.google to INSTALLED_APPS; adds SOCIALACCOUNT_FORMS, SOCIALACCOUNT_AUTO_SIGNUP=False, SOCIALACCOUNT_PROVIDERS, SOCIALACCOUNT_EMAIL_VERIFICATION="mandatory", and SOCIALACCOUNT_EMAIL_REQUIRED=True. |
| Templates: authentication UI: web/templates/account/login.html, web/templates/account/signup.html | Loads {% load i18n socialaccount %} and inserts a translatable divider plus Google OAuth buttons using {% provider_login_url 'google' next=redirect_field_value %} with a static Google SVG icon; UI-only additions, no changes to existing form fields or submit logic. |
| Forms: social signup: web/forms.py | Adds SocialUserRegistrationForm (subclass of allauth's social signup) with fields: first_name, last_name, optional is_teacher, referral_code, how_did_you_hear_about_us, captcha, and required is_profile_public; implements clean_referral_code() and save(request) to populate user/profile and handle referral logic; exports form via __all__. |
| Dependencies: pyproject.toml | Adds runtime dependency pyjwt = "^2.12.1". |
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant User
    participant Browser
    participant App as "Django App\n(allauth)"
    participant Google as "Google OAuth"
    participant DB as "Database"
    User->>Browser: Click "Sign in with Google"
    Browser->>App: Request provider login URL / initiate OAuth
    App->>Google: Redirect with client_id, scope, redirect_uri
    Google->>User: Prompt for consent / credentials
    User->>Google: Authenticate and consent
    Google->>Browser: Redirect back with code
    Browser->>App: Return to callback URL with code
    App->>Google: Exchange code for token (client_id, client_secret)
    Google->>App: Return access token and user info
    App->>DB: Create or update user record (and profile)
    App->>Browser: Set session and redirect to next
```

Estimated code review effort
🎯 4 (Complex) | ⏱️ ~45 minutes
🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main objective of the changeset: implementing Google OAuth login functionality across the application. |
Pull request overview
Adds Google OAuth authentication entry points using django-allauth socialaccount integration so users can initiate “Sign in/up with Google” from the existing allauth login/signup pages.
Changes:
- Added Google provider + socialaccount apps and Google provider settings in web/settings.py.
- Added “Continue with Google” UI to login.html and “Sign up with Google” UI to signup.html.
- Adjusted environment variable loading behavior in web/settings.py.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| web/settings.py | Enables allauth socialaccount + Google provider and configures Google credentials via env vars; also changes .env loading logic. |
| web/templates/account/login.html | Adds a divider and “Sign in with Google” link/button. |
| web/templates/account/signup.html | Adds a divider and “Sign up with Google” link/button. |
Comments suppressed due to low confidence (1)
web/settings.py:26
environ.Env.read_env(env_file) is now called unconditionally, but the file is also conditionally loaded again a few lines later. This is redundant and can also change startup behavior if .env is missing (the later os.path.exists branch suggests missing .env is expected). Remove the unconditional call and keep a single, consistent .env loading path.

```python
env_file = os.path.join(os.path.dirname(os.path.dirname(os.path.abspath(__file__))), ".env")
environ.Env.read_env(env_file)
# Set encryption key for secure messaging; in production, this must come from the environment
MESSAGE_ENCRYPTION_KEY = env.str("MESSAGE_ENCRYPTION_KEY", default=Fernet.generate_key()).strip()
SECURE_MESSAGE_KEY = MESSAGE_ENCRYPTION_KEY
if os.path.exists(env_file):
    environ.Env.read_env(env_file)
else:
```

Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@web/settings.py`:
- Around line 134-136: The INSTALLED_APPS order is incorrect: move the
"allauth.socialaccount" and "allauth.socialaccount.providers.google" entries so
they come after the core allauth apps ("allauth" and "allauth.account") in the
INSTALLED_APPS list; locate the INSTALLED_APPS definition in web/settings.py and
reorder the entries so that "allauth" and "allauth.account" appear before
"allauth.socialaccount" and "allauth.socialaccount.providers.google".
- Line 18: Remove the unconditional call to environ.Env.read_env(env_file) and
keep only the conditional read that checks for the file's existence (the block
that uses os.path.exists(env_file) and then calls environ.Env.read_env(env_file)
or prints a message); specifically, delete the lone
environ.Env.read_env(env_file) invocation so the conditional branch around
environ.Env.read_env(env_file) is the single source of truth for loading the
.env file.
- Around line 550-551: SOCIALACCOUNT_EMAIL_REQUIRED is set to False which can
create accounts without emails while ACCOUNT_EMAIL_REQUIRED and
ACCOUNT_EMAIL_AUTHENTICATION are True; update SOCIALACCOUNT_EMAIL_REQUIRED to
True (and ensure SOCIALACCOUNT_EMAIL_VERIFICATION remains consistent with your
policy) so Google/social sign-ups always collect an email and align with
ACCOUNT_EMAIL_REQUIRED and ACCOUNT_EMAIL_AUTHENTICATION to prevent accounts
missing email-based authentication.
In `@web/templates/account/login.html`:
- Around line 90-108: The Google icon is loaded from an external CDN in the <a>
button's <img> (src="https://www.svgrepo.com/...") which can break if the CDN is
unavailable; download the SVG into your project's static assets (e.g.,
static/images/google-icon.svg) and update the <img> in the login template (the
anchor tag that uses provider_login_url 'google') to reference the local static
asset instead of the external URL, ensuring you load it via your framework's
static file helper so it works in production and during collectstatic.
In `@web/templates/account/signup.html`:
- Around line 252-270: The template currently loads the Google SVG from an
external URL in the img tag
("https://www.svgrepo.com/show/475656/google-color.svg"); to self-host it, save
that SVG into your static assets (e.g., static/images/google-color.svg) and
update the img src in the signup template to reference the local static file
(use your project's static/template helper, e.g., {% load static %} and {%
static 'images/google-color.svg' %}) so the button (the <a> with
provider_login_url 'google' and the img alt="Google") uses the local asset and
will work offline/if the external host is down; remember to add the SVG to
version control and run collectstatic if required.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: alphaonelabs/coderabbit/.coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 2f56c145-2289-457d-9d17-72118fb76f7e
📒 Files selected for processing (3)
- web/settings.py
- web/templates/account/login.html
- web/templates/account/signup.html
💬 Unresolved Review Conversations
Hi @Ananya44444! 👋 This pull request currently has 3 unresolved review conversations. Please address all review feedback and push a new commit to resolve them before this PR can be merged. Steps to resolve:
Once all conversations are resolved, this notice will be removed automatically. Thank you! 🙏
Actionable comments posted: 4
♻️ Duplicate comments (1)
web/templates/account/signup.html (1)
257-258: ⚠️ Potential issue | 🟡 Minor
Mirror the divider dark-mode fix here.
This label has the same missing dark:text-* variant as the login divider, so it drops contrast in dark mode too.
As per coding guidelines "Always include dark mode alternatives using dark: prefix for elements".
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@web/templates/account/signup.html` around lines 257 - 258, The divider label span containing the text "Or sign up with" currently has classes "bg-white dark:bg-gray-800 px-2 text-gray-500" and is missing a dark-mode text variant; update that span's class list to include the same dark:text utility used for the login divider (e.g., add dark:text-gray-400 or the project's chosen dark text class) so the label retains sufficient contrast in dark mode (refer to the span with text "Or sign up with" to locate the element).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@web/settings.py`:
- Around line 541-542: The raise in the settings conditional uses a hard-coded
message which triggers Ruff TRY003; refactor by extracting the message into a
named constant or by creating a small custom exception helper and using that
instead of inlining the string. Update the conditional that checks DEBUG and
(google_client_id or google_client_secret) to raise ImproperlyConfigured with
the constant (e.g., GOOGLE_CLIENT_CREDENTIALS_ERROR) or raise a thin helper
exception (e.g., raise_missing_google_credentials()) while keeping the symbols
DEBUG, google_client_id, google_client_secret, and ImproperlyConfigured
unchanged so the lint warning is resolved.
- Around line 544-553: The OAuth callback mismatch happens because your
accounts/allauth routes are inside i18n_patterns and produce locale-prefixed
callback URIs; move the accounts routes out of i18n_patterns so the callback is
locale-agnostic: locate the urls.py references to i18n_patterns and the
path/include that uses "accounts/" or "include('allauth.urls')" and relocate
that path to the top-level URL patterns (before or after i18n_patterns) so the
callback URI registered with Google is always used; after moving, verify
LOGIN_REDIRECT_URL/LOGIN_URL behavior and update any reverse() uses if
necessary.
- Around line 24-26: The current settings allow silent generation of a new
MESSAGE_ENCRYPTION_KEY which will break decryption in production; update
web/settings.py to require MESSAGE_ENCRYPTION_KEY when not DEBUG by checking
DEBUG and env("MESSAGE_ENCRYPTION_KEY", default=None) and raising
django.core.exceptions.ImproperlyConfigured if missing, while keeping the
development path to generate a key (use Fernet.generate_key().decode() to store
a string for MESSAGE_ENCRYPTION_KEY/SECURE_MESSAGE_KEY); also audit places that
instantiate Fernet (e.g., any Fernet(...) usage) and ensure they call .encode()
on SECURE_MESSAGE_KEY so Fernet receives bytes.
In `@web/templates/account/login.html`:
- Around line 95-96: The divider label span uses text-gray-500 which lacks a
dark-mode alternative; update the span's class (the element containing "Or
continue with") to include a dark:text-gray-300 variant (add
"dark:text-gray-300" alongside "text-gray-500") and make the same change to the
equivalent signup divider span so the label remains readable against
dark:bg-gray-800.
---
Duplicate comments:
In `@web/templates/account/signup.html`:
- Around line 257-258: The divider label span containing the text "Or sign up
with" currently has classes "bg-white dark:bg-gray-800 px-2 text-gray-500" and
is missing a dark-mode text variant; update that span's class list to include
the same dark:text utility used for the login divider (e.g., add
dark:text-gray-400 or the project's chosen dark text class) so the label retains
sufficient contrast in dark mode (refer to the span with text "Or sign up with"
to locate the element).
⛔ Files ignored due to path filters (2)
- poetry.lock is excluded by !**/*.lock, !**/*.lock
- web/static/images/google-icon.svg is excluded by !**/*.svg
📒 Files selected for processing (4)
- pyproject.toml
- web/settings.py
- web/templates/account/login.html
- web/templates/account/signup.html
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@web/settings.py`:
- Around line 17-21: EARLY_DEBUG (and any other env-derived fallbacks around
lines 28-34) is being computed before the .env is loaded and before test mode is
set, causing premature behavior; move the EARLY_DEBUG computation (the
env.bool("DEBUG", default=False) call) and any related fallback logic (e.g.,
MESSAGE_ENCRYPTION_KEY_REQUIRED_MSG / GOOGLE_OAUTH_CREDENTIALS_REQUIRED_MSG
usage) to after the env_file is loaded and after test-mode toggles so that DEBUG
is resolved from the same inputs (.env and test flags) as the rest of the
settings; update references to EARLY_DEBUG accordingly so the fallback decision
happens only after env.read_env (or equivalent) and test detection run.
In `@web/templates/account/login.html`:
- Line 5: The template currently only loads socialaccount and has hard-coded
English labels; add i18n support by adding `{% load i18n %}` alongside `{% load
socialaccount %}` and wrap the new Google-login divider and button text (the
strings introduced near the `{% load socialaccount %}` area and the block
covering lines ~96-107) in translation tags (`{% trans "Your label" %}` or `{%
blocktrans %}...{% endblocktrans %}`) so they are localized; make the identical
changes in signup.html to keep both auth pages translated.
📒 Files selected for processing (3)
- web/settings.py
- web/templates/account/login.html
- web/templates/account/signup.html
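
The fail-closed secret handling the reviews above ask for (require MESSAGE_ENCRYPTION_KEY and the Google credentials when DEBUG is False, and decide the fallback only after DEBUG has been resolved from the loaded environment), as an added example that is not code from this pull request. Assumptions: ImproperlyConfigured is a local stand-in for Django's exception, the development key is built with the standard library in the same format Fernet.generate_key() produces, and load_security_settings, is_fernet_key and the message texts are hypothetical.

```python
import base64
import os


class ImproperlyConfigured(Exception):
    """Local stand-in for django.core.exceptions.ImproperlyConfigured."""


# Constant names follow the review comments; the message texts are assumptions.
MESSAGE_ENCRYPTION_KEY_REQUIRED_MSG = "MESSAGE_ENCRYPTION_KEY must be set when DEBUG is False."
GOOGLE_OAUTH_CREDENTIALS_REQUIRED_MSG = (
    "GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET must be set when DEBUG is False."
)


def is_fernet_key(value: str) -> bool:
    """True if value decodes from URL-safe base64 to exactly 32 bytes (Fernet key format)."""
    try:
        raw = base64.urlsafe_b64decode(value.encode("ascii"))
    except ValueError:  # covers binascii.Error and non-ASCII input
        return False
    return len(raw) == 32


def load_security_settings(environ) -> dict:
    """Resolve DEBUG first, from the same mapping as every other value, then fail closed."""
    debug = environ.get("DEBUG", "False").strip().lower() in ("1", "true", "yes", "on")

    key = environ.get("MESSAGE_ENCRYPTION_KEY", "").strip()
    if key:
        if not is_fernet_key(key):
            raise ImproperlyConfigured("MESSAGE_ENCRYPTION_KEY is not a valid Fernet key.")
    elif debug:
        # Development only: a throwaway key. Anything encrypted with it becomes
        # unreadable after a restart, which is why production must never take this path.
        key = base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")
    else:
        raise ImproperlyConfigured(MESSAGE_ENCRYPTION_KEY_REQUIRED_MSG)

    client_id = environ.get("GOOGLE_CLIENT_ID", "").strip()
    client_secret = environ.get("GOOGLE_CLIENT_SECRET", "").strip()
    if not debug and not (client_id and client_secret):
        raise ImproperlyConfigured(GOOGLE_OAUTH_CREDENTIALS_REQUIRED_MSG)

    return {
        "DEBUG": debug,
        "MESSAGE_ENCRYPTION_KEY": key,  # str; call .encode() before passing it to Fernet
        "GOOGLE_CLIENT_ID": client_id,
        "GOOGLE_CLIENT_SECRET": client_secret,
    }


if __name__ == "__main__":
    # Constructed environments, not values from the project.
    sample_key = base64.urlsafe_b64encode(bytes(32)).decode("ascii")
    print("dev key generated:", is_fernet_key(load_security_settings({"DEBUG": "True"})["MESSAGE_ENCRYPTION_KEY"]))
    try:
        load_security_settings({"DEBUG": "False", "MESSAGE_ENCRYPTION_KEY": sample_key})
    except ImproperlyConfigured as exc:
        print("refused:", exc)
```
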
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@web/settings.py`:
- Around line 555-564: The Google provider config in SOCIALACCOUNT_PROVIDERS is
missing the provider-level EMAIL_AUTHENTICATION flag; update the "google"
dictionary inside SOCIALACCOUNT_PROVIDERS to include EMAIL_AUTHENTICATION: True
so django-allauth will trust verified Google emails and match existing local
users by email (modify the existing SOCIALACCOUNT_PROVIDERS -> "google" dict
where client_id/secret, SCOPE, and AUTH_PARAMS are defined).
- Around line 555-567: Add a SOCIALACCOUNT_FORMS entry in settings to route
social signups through your onboarding form (e.g. set
SOCIALACCOUNT_FORMS["signup"] to your UserRegistrationForm or a
SocialSignupForm) and either implement the same validation for referral code,
captcha, and profile visibility on that form (class name: UserRegistrationForm
or new SocialSignupForm) or disable SOCIALACCOUNT_AUTO_SIGNUP so users must
submit the form; update settings to include SOCIALACCOUNT_FORMS and adjust
SOCIALACCOUNT_AUTO_SIGNUP accordingly so Google signups cannot bypass
onboarding.
📒 Files selected for processing (3)
- web/settings.py
- web/templates/account/login.html
- web/templates/account/signup.html
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@web/forms.py`:
- Around line 313-350: Extract the duplicated field definitions into a single
reusable mixin or shared constants and have both forms inherit/use it: create a
RegistrationFieldsMixin (or similar) that declares first_name, last_name,
is_teacher, referral_code, how_did_you_hear_about_us, captcha, and
is_profile_public using the existing
TailwindInput/TailwindTextarea/TailwindCheckboxInput/CaptchaField setup, then
update UserRegistrationForm and the other form (the class containing these
fields) to inherit RegistrationFieldsMixin and remove the duplicated field
declarations; ensure the coerce lambda and widget choices are preserved exactly
when moving is_profile_public.
- Line 312: Add a descriptive docstring to the SocialUserRegistrationForm class
explaining its purpose and when it is used (e.g., registration via social auth)
and how it differs from the regular UserRegistrationForm; place the docstring
immediately under the class declaration in the SocialUserRegistrationForm class
definition and keep it concise, describing intent, expected behavior, and any
special fields or validation that differ from UserRegistrationForm.
- Around line 358-377: The save method lacks type annotations and doesn't guard
against exceptions from referral processing; add proper type hints to the method
signature (e.g., request: HttpRequest and return type -> User or the project's
User model) and wrap the call to handle_referral(user, referral_code) in a
try/except that catches broad referral-related errors (exceptions raised by
add_referral_earnings or send_referral_reward_email) and logs the failure (using
the module/class logger) without interrupting user creation; keep the existing
behavior when referral_code is falsy and still return user at the end.
- Around line 352-356: Extract the inline validation message in
UserRegistrationForm.clean_referral_code into a shared constant (e.g.,
REFERRAL_CODE_INVALID_MSG) at module scope and replace the string literal in
clean_referral_code with that constant; ensure any other occurrences (such as
other forms that use the same message) reference the same constant to keep
messages consistent and satisfy the linter (Ruff TRY003).
📒 Files selected for processing (2)
- web/forms.py
- web/settings.py
Google OAuth Login
Adds "Login with Google" and "Sign up with Google" buttons to the login and signup pages using django-allauth's social account module.
Changes
- allauth.socialaccount and allauth.socialaccount.providers.google to INSTALLED_APPS
- SOCIALACCOUNT_PROVIDERS in settings.py to read credentials from environment variables
- login.html and signup.html
Production Setup Required
Before deploying, please:
- .env:
  GOOGLE_CLIENT_ID=
  GOOGLE_CLIENT_SECRET=
- https://www.alphaonelabs.com/en/accounts/google/login/callback/
- https://www.alphaonelabs.com/es/accounts/google/login/callback/
- https://www.alphaonelabs.com/fr/accounts/google/login/callback/
- https://www.alphaonelabs.com/de/accounts/google/login/callback/
- https://www.alphaonelabs.com/zh-hans/accounts/google/login/callback/
- https://www.alphaonelabs.com
- settings.py
Purpose
Adds Google OAuth login and signup via django-allauth so users can authenticate with Google accounts.