feat: Google OAuth sign-in + per-user Gemini API key

Users with Google accounts can now sign in without a password. Auth flow: - GET /auth/google → Google consent page (CSRF state cookie) - GET /auth/google/callback → exchange code, lookup user, set JWT - auth.json gains google_sub + google_email fields - set_password() no longer overwrites unrelated auth.json fields Admin setup: python manage_passwords.py google-add <username> <email> # add GOOGLE_CLIENT_ID + GOOGLE_CLIENT_SECRET to .env Per-user Gemini key: - get_user_gemini_key() reads gemini_api_key from auth.json - orchestrator_engine.run() accepts gemini_api_key param - orchestrator router passes user's key, falls back to server key login.html: "Sign in with Google" button above the password form. manage_passwords.py list: now shows auth method columns (pw / google). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-27 21:01:52 -04:00
parent 62fde62653
commit 8aec6aafcc
10 changed files with 376 additions and 21 deletions
--- a/cortex/routers/orchestrator.py
+++ b/cortex/routers/orchestrator.py
@@ -18,6 +18,7 @@ from datetime import datetime, timezone
 from fastapi import APIRouter
 from pydantic import BaseModel

+from auth_utils import get_user_gemini_key
 from config import settings
 from context_loader import load_context
 from persona import set_context, validate as validate_persona
@@ -161,6 +162,7 @@ async def _run_job(job_id: str, req: OrchestrateRequest) -> None:
            system_prompt=system_prompt,
            session_messages=session_messages,
            respond_with_claude=req.respond_with_claude,
+            gemini_api_key=get_user_gemini_key(user),
        )

        # Save the turn to the session store so it survives a page refresh