From e27db2ed63fd3c9c686c049a9b9049a907985ecc Mon Sep 17 00:00:00 2001
From: JoramWilander <jwawilander@gmail.com>
Date: Thu, 13 Aug 2015 12:03:47 -0400
Subject: initial server implementation for using google as a single-sign-on
 oauth service

---
 api/user.go        |  6 +++++
 config/config.json | 10 ++++++++
 model/gitlab.go    | 57 +++++++++++++++++++++++++++++++++++++++++++++
 model/google.go    | 54 +++++++++++++++++++++++++++++++++++++++++++
 model/user.go      | 68 ++++++++++--------------------------------------------
 utils/config.go    |  1 +
 web/web.go         |  9 +++++---
 7 files changed, 146 insertions(+), 59 deletions(-)
 create mode 100644 model/gitlab.go
 create mode 100644 model/google.go

diff --git a/api/user.go b/api/user.go
index a42f81cf1..79f2201da 100644
--- a/api/user.go
+++ b/api/user.go
@@ -1314,9 +1314,15 @@ func GetAuthorizationCode(c *Context, w http.ResponseWriter, r *http.Request, te
 
 	clientId := utils.Cfg.SSOSettings[service].Id
 	endpoint := utils.Cfg.SSOSettings[service].AuthEndpoint
+	scope := utils.Cfg.SSOSettings[service].Scope
 	state := model.HashPassword(clientId)
 
 	authUrl := endpoint + "?response_type=code&client_id=" + clientId + "&redirect_uri=" + url.QueryEscape(redirectUri+"?team="+teamName) + "&state=" + url.QueryEscape(state)
+
+	if len(scope) > 0 {
+		authUrl += "&scope=" + utils.UrlEncode(scope)
+	}
+
 	http.Redirect(w, r, authUrl, http.StatusFound)
 }
 
diff --git a/config/config.json b/config/config.json
index c446b517c..8405b9076 100644
--- a/config/config.json
+++ b/config/config.json
@@ -29,9 +29,19 @@
             "Allow": false,
             "Secret" : "",
             "Id": "",
+            "Scope": "",
             "AuthEndpoint": "",
             "TokenEndpoint": "",
             "UserApiEndpoint": ""
+        },
+        "google": {
+            "Allow": true,
+            "Secret": "hWN1kiPeyihN6nHr36j0oDqx",
+            "Id": "974585606220-ek5q66olpagb069pkg9ok0d7h8djeov6.apps.googleusercontent.com",
+            "Scope": "email profile",
+            "AuthEndpoint": "https://accounts.google.com/o/oauth2/auth",
+            "TokenEndpoint": "https://www.googleapis.com/oauth2/v3/token",
+            "UserApiEndpoint": "https://www.googleapis.com/plus/v1/people/me"
         }
     },
     "SqlSettings": {
diff --git a/model/gitlab.go b/model/gitlab.go
new file mode 100644
index 000000000..9adcac189
--- /dev/null
+++ b/model/gitlab.go
@@ -0,0 +1,57 @@
+// Copyright (c) 2015 Spinpunch, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package model
+
+import (
+	"encoding/json"
+	"io"
+	"strconv"
+	"strings"
+)
+
+const (
+	USER_AUTH_SERVICE_GITLAB = "gitlab"
+)
+
+type GitLabUser struct {
+	Id       int64  `json:"id"`
+	Username string `json:"username"`
+	Email    string `json:"email"`
+	Name     string `json:"name"`
+}
+
+func UserFromGitLabUser(glu *GitLabUser) *User {
+	user := &User{}
+	user.Username = glu.Username
+	splitName := strings.Split(glu.Name, " ")
+	if len(splitName) == 2 {
+		user.FirstName = splitName[0]
+		user.LastName = splitName[1]
+	} else if len(splitName) >= 2 {
+		user.FirstName = splitName[0]
+		user.LastName = strings.Join(splitName[1:], " ")
+	} else {
+		user.FirstName = glu.Name
+	}
+	user.Email = glu.Email
+	user.AuthData = strconv.FormatInt(glu.Id, 10)
+	user.AuthService = USER_AUTH_SERVICE_GITLAB
+
+	return user
+}
+
+func GitLabUserFromJson(data io.Reader) *GitLabUser {
+	decoder := json.NewDecoder(data)
+	var glu GitLabUser
+	err := decoder.Decode(&glu)
+	if err == nil {
+		return &glu
+	} else {
+		return nil
+	}
+}
+
+func (glu *GitLabUser) GetAuthData() string {
+	return strconv.FormatInt(glu.Id, 10)
+}
diff --git a/model/google.go b/model/google.go
new file mode 100644
index 000000000..bdb500704
--- /dev/null
+++ b/model/google.go
@@ -0,0 +1,54 @@
+// Copyright (c) 2015 Spinpunch, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package model
+
+import (
+	"encoding/json"
+	"io"
+)
+
+const (
+	USER_AUTH_SERVICE_GOOGLE = "google"
+)
+
+type GoogleUser struct {
+	Id       string              `json:"id"`
+	Nickname string              `json:"nickname"`
+	Emails   []map[string]string `json:"emails"`
+	Names    map[string]string   `json:"name"`
+}
+
+func UserFromGoogleUser(gu *GoogleUser) *User {
+	user := &User{}
+	user.Username = gu.Nickname
+	user.FirstName = gu.Names["givenName"]
+	user.LastName = gu.Names["familyName"]
+	user.Nickname = gu.Nickname
+
+	for _, e := range gu.Emails {
+		if e["type"] == "account" {
+			user.Email = e["value"]
+		}
+	}
+
+	user.AuthData = gu.Id
+	user.AuthService = USER_AUTH_SERVICE_GOOGLE
+
+	return user
+}
+
+func GoogleUserFromJson(data io.Reader) *GoogleUser {
+	decoder := json.NewDecoder(data)
+	var gu GoogleUser
+	err := decoder.Decode(&gu)
+	if err == nil {
+		return &gu
+	} else {
+		return nil
+	}
+}
+
+func (gu *GoogleUser) GetAuthData() string {
+	return gu.Id
+}
diff --git a/model/user.go b/model/user.go
index ed5161538..ebefa4762 100644
--- a/model/user.go
+++ b/model/user.go
@@ -8,24 +8,22 @@ import (
 	"encoding/json"
 	"io"
 	"regexp"
-	"strconv"
 	"strings"
 )
 
 const (
-	ROLE_ADMIN               = "admin"
-	ROLE_SYSTEM_ADMIN        = "system_admin"
-	ROLE_SYSTEM_SUPPORT      = "system_support"
-	USER_AWAY_TIMEOUT        = 5 * 60 * 1000 // 5 minutes
-	USER_OFFLINE_TIMEOUT     = 1 * 60 * 1000 // 1 minute
-	USER_OFFLINE             = "offline"
-	USER_AWAY                = "away"
-	USER_ONLINE              = "online"
-	USER_NOTIFY_ALL          = "all"
-	USER_NOTIFY_MENTION      = "mention"
-	USER_NOTIFY_NONE         = "none"
-	BOT_USERNAME             = "valet"
-	USER_AUTH_SERVICE_GITLAB = "gitlab"
+	ROLE_ADMIN           = "admin"
+	ROLE_SYSTEM_ADMIN    = "system_admin"
+	ROLE_SYSTEM_SUPPORT  = "system_support"
+	USER_AWAY_TIMEOUT    = 5 * 60 * 1000 // 5 minutes
+	USER_OFFLINE_TIMEOUT = 1 * 60 * 1000 // 1 minute
+	USER_OFFLINE         = "offline"
+	USER_AWAY            = "away"
+	USER_ONLINE          = "online"
+	USER_NOTIFY_ALL      = "all"
+	USER_NOTIFY_MENTION  = "mention"
+	USER_NOTIFY_NONE     = "none"
+	BOT_USERNAME         = "valet"
 )
 
 type User struct {
@@ -54,13 +52,6 @@ type User struct {
 	FailedAttempts     int       `json:"failed_attempts"`
 }
 
-type GitLabUser struct {
-	Id       int64  `json:"id"`
-	Username string `json:"username"`
-	Email    string `json:"email"`
-	Name     string `json:"name"`
-}
-
 // IsValid validates the user and returns an error if it isn't configured
 // correctly.
 func (u *User) IsValid() *AppError {
@@ -355,38 +346,3 @@ func IsUsernameValid(username string) bool {
 
 	return true
 }
-
-func UserFromGitLabUser(glu *GitLabUser) *User {
-	user := &User{}
-	user.Username = glu.Username
-	splitName := strings.Split(glu.Name, " ")
-	if len(splitName) == 2 {
-		user.FirstName = splitName[0]
-		user.LastName = splitName[1]
-	} else if len(splitName) >= 2 {
-		user.FirstName = splitName[0]
-		user.LastName = strings.Join(splitName[1:], " ")
-	} else {
-		user.FirstName = glu.Name
-	}
-	user.Email = glu.Email
-	user.AuthData = strconv.FormatInt(glu.Id, 10)
-	user.AuthService = USER_AUTH_SERVICE_GITLAB
-
-	return user
-}
-
-func GitLabUserFromJson(data io.Reader) *GitLabUser {
-	decoder := json.NewDecoder(data)
-	var glu GitLabUser
-	err := decoder.Decode(&glu)
-	if err == nil {
-		return &glu
-	} else {
-		return nil
-	}
-}
-
-func (glu *GitLabUser) GetAuthData() string {
-	return strconv.FormatInt(glu.Id, 10)
-}
diff --git a/utils/config.go b/utils/config.go
index 8d9dd11e0..a3944f670 100644
--- a/utils/config.go
+++ b/utils/config.go
@@ -37,6 +37,7 @@ type SSOSetting struct {
 	Allow           bool
 	Secret          string
 	Id              string
+	Scope           string
 	AuthEndpoint    string
 	TokenEndpoint   string
 	UserApiEndpoint string
diff --git a/web/web.go b/web/web.go
index 8b329c149..1acddb914 100644
--- a/web/web.go
+++ b/web/web.go
@@ -53,13 +53,13 @@ func InitWeb() {
 	mainrouter.Handle("/{team:[A-Za-z0-9-]+(__)?[A-Za-z0-9-]+}/", api.AppHandler(login)).Methods("GET")
 	mainrouter.Handle("/{team:[A-Za-z0-9-]+(__)?[A-Za-z0-9-]+}/login", api.AppHandler(login)).Methods("GET")
 
-	// Bug in gorilla.mux pervents us from using regex here.
+	// Bug in gorilla.mux prevents us from using regex here.
 	mainrouter.Handle("/{team}/login/{service}", api.AppHandler(loginWithOAuth)).Methods("GET")
 	mainrouter.Handle("/login/{service:[A-Za-z]+}/complete", api.AppHandlerIndependent(loginCompleteOAuth)).Methods("GET")
 
 	mainrouter.Handle("/{team:[A-Za-z0-9-]+(__)?[A-Za-z0-9-]+}/logout", api.AppHandler(logout)).Methods("GET")
 	mainrouter.Handle("/{team:[A-Za-z0-9-]+(__)?[A-Za-z0-9-]+}/reset_password", api.AppHandler(resetPassword)).Methods("GET")
-	// Bug in gorilla.mux pervents us from using regex here.
+	// Bug in gorilla.mux prevents us from using regex here.
 	mainrouter.Handle("/{team}/channels/{channelname}", api.UserRequired(getChannel)).Methods("GET")
 
 	// Anything added here must have an _ in it so it does not conflict with team names
@@ -67,7 +67,7 @@ func InitWeb() {
 	mainrouter.Handle("/signup_user_complete/", api.AppHandlerIndependent(signupUserComplete)).Methods("GET")
 	mainrouter.Handle("/signup_team_confirm/", api.AppHandlerIndependent(signupTeamConfirm)).Methods("GET")
 
-	// Bug in gorilla.mux pervents us from using regex here.
+	// Bug in gorilla.mux prevents us from using regex here.
 	mainrouter.Handle("/{team}/signup/{service}", api.AppHandler(signupWithOAuth)).Methods("GET")
 	mainrouter.Handle("/signup/{service:[A-Za-z]+}/complete", api.AppHandlerIndependent(signupCompleteOAuth)).Methods("GET")
 
@@ -532,6 +532,9 @@ func signupCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request)
 		if service == model.USER_AUTH_SERVICE_GITLAB {
 			glu := model.GitLabUserFromJson(body)
 			user = model.UserFromGitLabUser(glu)
+		} else if service == model.USER_AUTH_SERVICE_GOOGLE {
+			gu := model.GoogleUserFromJson(body)
+			user = model.UserFromGoogleUser(gu)
 		}
 
 		if user == nil {
-- 
cgit v1.2.3-1-g7c22


From b704e9489b21b3bec17f5c8b573a1724781ee6f7 Mon Sep 17 00:00:00 2001
From: JoramWilander <jwawilander@gmail.com>
Date: Fri, 14 Aug 2015 08:43:49 -0400
Subject: added google sign-in functionality to the client, with minor model
 modifications

---
 api/user.go                                   | 53 ++++++++++++++++++++-------
 model/google.go                               | 16 +++++---
 web/react/components/login.jsx                | 13 +++++--
 web/react/components/signup_user_complete.jsx | 28 +++++++++++---
 web/react/components/signup_user_oauth.jsx    |  5 ++-
 web/react/pages/channel.jsx                   |  9 +++--
 web/react/stores/user_store.jsx               | 14 ++++++-
 web/react/utils/async_client.jsx              | 14 +++----
 web/react/utils/client.jsx                    | 15 ++++++--
 web/react/utils/constants.jsx                 |  2 +
 web/web.go                                    | 48 +++++-------------------
 11 files changed, 136 insertions(+), 81 deletions(-)

diff --git a/api/user.go b/api/user.go
index 79f2201da..303ec2b0a 100644
--- a/api/user.go
+++ b/api/user.go
@@ -7,6 +7,7 @@ import (
 	"bytes"
 	"code.google.com/p/freetype-go/freetype"
 	l4g "code.google.com/p/log4go"
+	b64 "encoding/base64"
 	"fmt"
 	"github.com/gorilla/mux"
 	"github.com/mattermost/platform/model"
@@ -1304,7 +1305,7 @@ func getStatuses(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func GetAuthorizationCode(c *Context, w http.ResponseWriter, r *http.Request, teamName, service, redirectUri string) {
+func GetAuthorizationCode(c *Context, w http.ResponseWriter, r *http.Request, teamName, service, redirectUri, loginHint string) {
 
 	if s, ok := utils.Cfg.SSOSettings[service]; !ok || !s.Allow {
 		c.Err = model.NewAppError("GetAuthorizationCode", "Unsupported OAuth service provider", "service="+service)
@@ -1315,26 +1316,48 @@ func GetAuthorizationCode(c *Context, w http.ResponseWriter, r *http.Request, te
 	clientId := utils.Cfg.SSOSettings[service].Id
 	endpoint := utils.Cfg.SSOSettings[service].AuthEndpoint
 	scope := utils.Cfg.SSOSettings[service].Scope
-	state := model.HashPassword(clientId)
 
-	authUrl := endpoint + "?response_type=code&client_id=" + clientId + "&redirect_uri=" + url.QueryEscape(redirectUri+"?team="+teamName) + "&state=" + url.QueryEscape(state)
+	stateProps := map[string]string{"team": teamName, "hash": model.HashPassword(clientId)}
+	state := b64.StdEncoding.EncodeToString([]byte(model.MapToJson(stateProps)))
+
+	authUrl := endpoint + "?response_type=code&client_id=" + clientId + "&redirect_uri=" + url.QueryEscape(redirectUri) + "&state=" + url.QueryEscape(state)
 
 	if len(scope) > 0 {
 		authUrl += "&scope=" + utils.UrlEncode(scope)
 	}
 
+	if len(loginHint) > 0 {
+		authUrl += "&login_hint=" + utils.UrlEncode(loginHint)
+	}
+
 	http.Redirect(w, r, authUrl, http.StatusFound)
 }
 
-func AuthorizeOAuthUser(service, code, state, redirectUri string) (io.ReadCloser, *model.AppError) {
+func AuthorizeOAuthUser(service, code, state, redirectUri string) (io.ReadCloser, *model.Team, *model.AppError) {
 	if s, ok := utils.Cfg.SSOSettings[service]; !ok || !s.Allow {
-		return nil, model.NewAppError("AuthorizeOAuthUser", "Unsupported OAuth service provider", "service="+service)
+		return nil, nil, model.NewAppError("AuthorizeOAuthUser", "Unsupported OAuth service provider", "service="+service)
+	}
+
+	stateStr := ""
+	if b, err := b64.StdEncoding.DecodeString(state); err != nil {
+		return nil, nil, model.NewAppError("AuthorizeOAuthUser", "Invalid state", err.Error())
+	} else {
+		stateStr = string(b)
 	}
 
-	if !model.ComparePassword(state, utils.Cfg.SSOSettings[service].Id) {
-		return nil, model.NewAppError("AuthorizeOAuthUser", "Invalid state", "")
+	stateProps := model.MapFromJson(strings.NewReader(stateStr))
+
+	if !model.ComparePassword(stateProps["hash"], utils.Cfg.SSOSettings[service].Id) {
+		return nil, nil, model.NewAppError("AuthorizeOAuthUser", "Invalid state", "")
+	}
+
+	teamName := stateProps["team"]
+	if len(teamName) == 0 {
+		return nil, nil, model.NewAppError("AuthorizeOAuthUser", "Invalid state; missing team name", "")
 	}
 
+	tchan := Srv.Store.Team().GetByName(teamName)
+
 	p := url.Values{}
 	p.Set("client_id", utils.Cfg.SSOSettings[service].Id)
 	p.Set("client_secret", utils.Cfg.SSOSettings[service].Secret)
@@ -1350,17 +1373,17 @@ func AuthorizeOAuthUser(service, code, state, redirectUri string) (io.ReadCloser
 
 	var ar *model.AccessResponse
 	if resp, err := client.Do(req); err != nil {
-		return nil, model.NewAppError("AuthorizeOAuthUser", "Token request failed", err.Error())
+		return nil, nil, model.NewAppError("AuthorizeOAuthUser", "Token request failed", err.Error())
 	} else {
 		ar = model.AccessResponseFromJson(resp.Body)
 	}
 
-	if ar.TokenType != model.ACCESS_TOKEN_TYPE {
-		return nil, model.NewAppError("AuthorizeOAuthUser", "Bad token type", "token_type="+ar.TokenType)
+	if strings.ToLower(ar.TokenType) != model.ACCESS_TOKEN_TYPE {
+		return nil, nil, model.NewAppError("AuthorizeOAuthUser", "Bad token type", "token_type="+ar.TokenType)
 	}
 
 	if len(ar.AccessToken) == 0 {
-		return nil, model.NewAppError("AuthorizeOAuthUser", "Missing access token", "")
+		return nil, nil, model.NewAppError("AuthorizeOAuthUser", "Missing access token", "")
 	}
 
 	p = url.Values{}
@@ -1372,9 +1395,13 @@ func AuthorizeOAuthUser(service, code, state, redirectUri string) (io.ReadCloser
 	req.Header.Set("Authorization", "Bearer "+ar.AccessToken)
 
 	if resp, err := client.Do(req); err != nil {
-		return nil, model.NewAppError("AuthorizeOAuthUser", "Token request to "+service+" failed", err.Error())
+		return nil, nil, model.NewAppError("AuthorizeOAuthUser", "Token request to "+service+" failed", err.Error())
 	} else {
-		return resp.Body, nil
+		if result := <-tchan; result.Err != nil {
+			return nil, nil, result.Err
+		} else {
+			return resp.Body, result.Data.(*model.Team), nil
+		}
 	}
 
 }
diff --git a/model/google.go b/model/google.go
index bdb500704..2a1eb3caa 100644
--- a/model/google.go
+++ b/model/google.go
@@ -6,6 +6,7 @@ package model
 import (
 	"encoding/json"
 	"io"
+	"strings"
 )
 
 const (
@@ -13,15 +14,20 @@ const (
 )
 
 type GoogleUser struct {
-	Id       string              `json:"id"`
-	Nickname string              `json:"nickname"`
-	Emails   []map[string]string `json:"emails"`
-	Names    map[string]string   `json:"name"`
+	Id          string              `json:"id"`
+	Nickname    string              `json:"nickname"`
+	DisplayName string              `json:"displayName"`
+	Emails      []map[string]string `json:"emails"`
+	Names       map[string]string   `json:"name"`
 }
 
 func UserFromGoogleUser(gu *GoogleUser) *User {
 	user := &User{}
-	user.Username = gu.Nickname
+	if len(gu.Nickname) > 0 {
+		user.Username = gu.Nickname
+	} else {
+		user.Username = strings.ToLower(strings.Replace(gu.DisplayName, " ", "", -1))
+	}
 	user.FirstName = gu.Names["givenName"]
 	user.LastName = gu.Names["familyName"]
 	user.Nickname = gu.Nickname
diff --git a/web/react/components/login.jsx b/web/react/components/login.jsx
index fe0a47777..5f396ac49 100644
--- a/web/react/components/login.jsx
+++ b/web/react/components/login.jsx
@@ -92,14 +92,21 @@ module.exports = React.createClass({
 
         var auth_services = JSON.parse(this.props.authServices);
 
-        var login_message;
-        if (auth_services.indexOf("gitlab") >= 0) {
-            login_message = (
+        var login_message = [];
+        if (auth_services.indexOf(Constants.GITLAB_SERVICE) >= 0) {
+            login_message.push(
                 <div className="form-group form-group--small">
                     <span><a href={"/"+teamName+"/login/gitlab"}>{"Log in with GitLab"}</a></span>
                 </div>
             );
         }
+        if (auth_services.indexOf(Constants.GOOGLE_SERVICE) >= 0) {
+            login_message.push(
+                <div className="form-group form-group--small">
+                    <span><a href={"/"+teamName+"/login/google"}>{"Log in with Google"}</a></span>
+                </div>
+            );
+        }
 
         return (
             <div className="signup-team__container">
diff --git a/web/react/components/signup_user_complete.jsx b/web/react/components/signup_user_complete.jsx
index b21553d8a..fd389e21f 100644
--- a/web/react/components/signup_user_complete.jsx
+++ b/web/react/components/signup_user_complete.jsx
@@ -5,6 +5,7 @@ var utils = require('../utils/utils.jsx');
 var client = require('../utils/client.jsx');
 var UserStore = require('../stores/user_store.jsx');
 var BrowserStore = require('../stores/browser_store.jsx');
+var Constants = require('../utils/constants.jsx');
 
 module.exports = React.createClass({
     handleSubmit: function(e) {
@@ -151,19 +152,34 @@ module.exports = React.createClass({
         // add options to log in using another service
         var authServices = JSON.parse(this.props.authServices);
 
-        var signupMessage = null;
-        if (authServices.indexOf('gitlab') >= 0) {
-            signupMessage = (
-                <div>
+        var signupMessage = [];
+        if (authServices.indexOf(Constants.GITLAB_SERVICE) >= 0) {
+            signupMessage.push(
                     <a className='btn btn-custom-login gitlab' href={'/' + this.props.teamName + '/signup/gitlab' + window.location.search}>
                         <span className='icon' />
                         <span>with GitLab</span>
                     </a>
+           );
+        }
+
+        if (authServices.indexOf(Constants.GOOGLE_SERVICE) >= 0) {
+            signupMessage.push(
+                    <a className='btn btn-custom-login gitlab' href={'/' + this.props.teamName + '/signup/google' + window.location.search}>
+                        <span className='icon' />
+                        <span>with Google</span>
+                    </a>
+           );
+        }
+
+        if (signupMessage.length > 0) {
+            signupMessage = (
+                <div>
+                    {signupMessage}
                     <div className='or__container'>
                         <span>or</span>
                     </div>
-               </div>
-           );
+                </div>
+            );
         }
 
         var termsDisclaimer = null;
diff --git a/web/react/components/signup_user_oauth.jsx b/web/react/components/signup_user_oauth.jsx
index 6322aedee..8b2800bde 100644
--- a/web/react/components/signup_user_oauth.jsx
+++ b/web/react/components/signup_user_oauth.jsx
@@ -33,7 +33,10 @@ module.exports = React.createClass({
         client.createUser(user, "", "",
             function(data) {
                 client.track('signup', 'signup_user_oauth_02');
-                window.location.href = '/' + this.props.teamName + '/login/'+user.auth_service;
+                UserStore.setCurrentUser(data);
+                UserStore.setLastEmail(data.email);
+
+                window.location.href = '/' + this.props.teamName + '/login/' + user.auth_service + '?login_hint=' + user.email;
             }.bind(this),
             function(err) {
                 this.state.server_error = err.message;
diff --git a/web/react/pages/channel.jsx b/web/react/pages/channel.jsx
index 929499715..52d537f27 100644
--- a/web/react/pages/channel.jsx
+++ b/web/react/pages/channel.jsx
@@ -54,14 +54,15 @@ global.window.setup_channel_page = function(team_name, team_type, team_id, chann
         id: team_id
     });
 
+    // ChannelLoader must be rendered first
     React.render(
-        <ErrorBar/>,
-        document.getElementById('error_bar')
+        <ChannelLoader/>,
+        document.getElementById('channel_loader')
     );
 
     React.render(
-        <ChannelLoader/>,
-        document.getElementById('channel_loader')
+        <ErrorBar/>,
+        document.getElementById('error_bar')
     );
 
     React.render(
diff --git a/web/react/stores/user_store.jsx b/web/react/stores/user_store.jsx
index f8616c6ab..248495dac 100644
--- a/web/react/stores/user_store.jsx
+++ b/web/react/stores/user_store.jsx
@@ -4,6 +4,7 @@
 var AppDispatcher = require('../dispatcher/app_dispatcher.jsx');
 var EventEmitter = require('events').EventEmitter;
 var assign = require('object-assign');
+var client = require('../utils/client.jsx');
 
 var Constants = require('../utils/constants.jsx');
 var ActionTypes = Constants.ActionTypes;
@@ -72,7 +73,7 @@ var UserStore = assign({}, EventEmitter.prototype, {
             BrowserStore.setGlobalItem('current_user_id', id);
         }
     },
-    getCurrentId: function() {
+    getCurrentId: function(skipFetch) {
         var currentId = this.gCurrentId;
 
         if (currentId == null) {
@@ -80,6 +81,17 @@ var UserStore = assign({}, EventEmitter.prototype, {
             this.gCurrentId = currentId;
         }
 
+        // this is a special case to force fetch the
+        // current user if it's missing
+        // it's synchronous to block rendering
+        if (currentId == null && !skipFetch) {
+            var me = client.getMeSynchronous();
+            if (me != null) {
+                this.setCurrentUser(me);
+                currentId = me.id;
+            }
+        }
+
         return currentId;
     },
     getCurrentUser: function() {
diff --git a/web/react/utils/async_client.jsx b/web/react/utils/async_client.jsx
index 0b87bbd7b..09710ddf0 100644
--- a/web/react/utils/async_client.jsx
+++ b/web/react/utils/async_client.jsx
@@ -390,15 +390,15 @@ module.exports.getPosts = function(force, id, maxPosts) {
     }
 }
 
-function getMe() {
-    if (isCallInProgress('getMe')) {
+function getMeSynchronous() {
+    if (isCallInProgress('getMeSynchronous')) {
         return;
     }
 
-    callTracker.getMe = utils.getTimestamp();
-    client.getMe(
+    callTracker.getMeSynchronous = utils.getTimestamp();
+    client.getMeSynchronous(
         function(data, textStatus, xhr) {
-            callTracker.getMe = 0;
+            callTracker.getMeSynchronous = 0;
 
             if (xhr.status === 304 || !data) return;
 
@@ -409,11 +409,11 @@ function getMe() {
         },
         function(err) {
             callTracker.getMe = 0;
-            dispatchError(err, 'getMe');
+            dispatchError(err, 'getMeSynchronous');
         }
     );
 }
-module.exports.getMe = getMe;
+module.exports.getMeSynchronous = getMeSynchronous;
 
 module.exports.getStatuses = function() {
     if (isCallInProgress('getStatuses')) return;
diff --git a/web/react/utils/client.jsx b/web/react/utils/client.jsx
index 5aab80d01..ce044457a 100644
--- a/web/react/utils/client.jsx
+++ b/web/react/utils/client.jsx
@@ -279,24 +279,33 @@ module.exports.getAudits = function(userId, success, error) {
     });
 };
 
-module.exports.getMe = function(success, error) {
+module.exports.getMeSynchronous = function(success, error) {
+    var currentUser = null;
 
     $.ajax({
+        async: false,
         url: "/api/v1/users/me",
         dataType: 'json',
         contentType: 'application/json',
         type: 'GET',
-        success: success,
+        success: function gotUser(data, textStatus, xhr) {
+            currentUser = data;
+            if (success) {
+                success(data, textStatus, xhr);
+            }
+        },
         error: function(xhr, status, err) {
             var ieChecker = window.navigator.userAgent; // This and the condition below is used to check specifically for browsers IE10 & 11 to suppress a 200 'OK' error from appearing on login
             if (xhr.status != 200 || !(ieChecker.indexOf("Trident/7.0") > 0 || ieChecker.indexOf("Trident/6.0") > 0)) {
                 if (error) {
-                    e = handleError("getMe", xhr, status, err);
+                    e = handleError('getMeSynchronous', xhr, status, err);
                     error(e);
                 };
             };
         }
     });
+
+    return currentUser;
 };
 
 module.exports.inviteMembers = function(data, success, error) {
diff --git a/web/react/utils/constants.jsx b/web/react/utils/constants.jsx
index 508de9185..1fe0faccf 100644
--- a/web/react/utils/constants.jsx
+++ b/web/react/utils/constants.jsx
@@ -58,6 +58,8 @@ module.exports = {
   THUMBNAIL_HEIGHT: 100,
   DEFAULT_CHANNEL: 'town-square',
   OFFTOPIC_CHANNEL: 'off-topic',
+  GITLAB_SERVICE: 'gitlab',
+  GOOGLE_SERVICE: 'google',
   POST_CHUNK_SIZE: 60,
   MAX_POST_CHUNKS: 3,
   RESERVED_TEAM_NAMES: [
diff --git a/web/web.go b/web/web.go
index 1acddb914..d6f8d553b 100644
--- a/web/web.go
+++ b/web/web.go
@@ -496,7 +496,7 @@ func signupWithOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) {
 
 	redirectUri := c.GetSiteURL() + "/signup/" + service + "/complete"
 
-	api.GetAuthorizationCode(c, w, r, teamName, service, redirectUri)
+	api.GetAuthorizationCode(c, w, r, teamName, service, redirectUri, "")
 }
 
 func signupCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) {
@@ -505,26 +505,10 @@ func signupCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request)
 
 	code := r.URL.Query().Get("code")
 	state := r.URL.Query().Get("state")
-	teamName := r.FormValue("team")
 
-	uri := c.GetSiteURL() + "/signup/" + service + "/complete?team=" + teamName
+	uri := c.GetSiteURL() + "/signup/" + service + "/complete"
 
-	if len(teamName) == 0 {
-		c.Err = model.NewAppError("signupCompleteOAuth", "Invalid team name", "team_name="+teamName)
-		c.Err.StatusCode = http.StatusBadRequest
-		return
-	}
-
-	// Make sure team exists
-	var team *model.Team
-	if result := <-api.Srv.Store.Team().GetByName(teamName); result.Err != nil {
-		c.Err = result.Err
-		return
-	} else {
-		team = result.Data.(*model.Team)
-	}
-
-	if body, err := api.AuthorizeOAuthUser(service, code, state, uri); err != nil {
+	if body, team, err := api.AuthorizeOAuthUser(service, code, state, uri); err != nil {
 		c.Err = err
 		return
 	} else {
@@ -566,6 +550,7 @@ func loginWithOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) {
 	params := mux.Vars(r)
 	service := params["service"]
 	teamName := params["team"]
+	loginHint := r.URL.Query().Get("login_hint")
 
 	if len(teamName) == 0 {
 		c.Err = model.NewAppError("loginWithOAuth", "Invalid team name", "team_name="+teamName)
@@ -581,7 +566,7 @@ func loginWithOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) {
 
 	redirectUri := c.GetSiteURL() + "/login/" + service + "/complete"
 
-	api.GetAuthorizationCode(c, w, r, teamName, service, redirectUri)
+	api.GetAuthorizationCode(c, w, r, teamName, service, redirectUri, loginHint)
 }
 
 func loginCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) {
@@ -590,26 +575,10 @@ func loginCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request)
 
 	code := r.URL.Query().Get("code")
 	state := r.URL.Query().Get("state")
-	teamName := r.FormValue("team")
-
-	uri := c.GetSiteURL() + "/login/" + service + "/complete?team=" + teamName
 
-	if len(teamName) == 0 {
-		c.Err = model.NewAppError("loginCompleteOAuth", "Invalid team name", "team_name="+teamName)
-		c.Err.StatusCode = http.StatusBadRequest
-		return
-	}
+	uri := c.GetSiteURL() + "/login/" + service + "/complete"
 
-	// Make sure team exists
-	var team *model.Team
-	if result := <-api.Srv.Store.Team().GetByName(teamName); result.Err != nil {
-		c.Err = result.Err
-		return
-	} else {
-		team = result.Data.(*model.Team)
-	}
-
-	if body, err := api.AuthorizeOAuthUser(service, code, state, uri); err != nil {
+	if body, team, err := api.AuthorizeOAuthUser(service, code, state, uri); err != nil {
 		c.Err = err
 		return
 	} else {
@@ -617,6 +586,9 @@ func loginCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request)
 		if service == model.USER_AUTH_SERVICE_GITLAB {
 			glu := model.GitLabUserFromJson(body)
 			authData = glu.GetAuthData()
+		} else if service == model.USER_AUTH_SERVICE_GOOGLE {
+			gu := model.GoogleUserFromJson(body)
+			authData = gu.GetAuthData()
 		}
 
 		if len(authData) == 0 {
-- 
cgit v1.2.3-1-g7c22


From 8feec04929f17eb99e2f121530b8596966161528 Mon Sep 17 00:00:00 2001
From: JoramWilander <jwawilander@gmail.com>
Date: Fri, 14 Aug 2015 11:57:13 -0400
Subject: incorporate asaad's UI updates for google sign-up

---
 web/react/components/signup_user_complete.jsx |   2 +-
 web/sass-files/sass/partials/_signup.scss     |  17 +++++++++++++++++
 web/static/images/googleLogo.png              | Bin 0 -> 3519 bytes
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 web/static/images/googleLogo.png

diff --git a/web/react/components/signup_user_complete.jsx b/web/react/components/signup_user_complete.jsx
index fd389e21f..0393e0413 100644
--- a/web/react/components/signup_user_complete.jsx
+++ b/web/react/components/signup_user_complete.jsx
@@ -164,7 +164,7 @@ module.exports = React.createClass({
 
         if (authServices.indexOf(Constants.GOOGLE_SERVICE) >= 0) {
             signupMessage.push(
-                    <a className='btn btn-custom-login gitlab' href={'/' + this.props.teamName + '/signup/google' + window.location.search}>
+                    <a className='btn btn-custom-login google' href={'/' + this.props.teamName + '/signup/google' + window.location.search}>
                         <span className='icon' />
                         <span>with Google</span>
                     </a>
diff --git a/web/sass-files/sass/partials/_signup.scss b/web/sass-files/sass/partials/_signup.scss
index 3a6f73316..ddf2aab88 100644
--- a/web/sass-files/sass/partials/_signup.scss
+++ b/web/sass-files/sass/partials/_signup.scss
@@ -186,6 +186,23 @@
                     display: inline-block;
                 }
             }
+            &.google {
+                background: #dd4b39;
+                &:hover {
+                    background: darken(#dd4b39, 10%);
+                }
+                span {
+                    vertical-align: middle;
+                }
+                .icon {
+                    background: url("../images/googleLogo.png");
+                    width: 18px;
+                    height: 18px;
+                    margin-right: 8px;
+                    @include background-size(100% 100%);
+                    display: inline-block;
+                }
+            }
         }
         &.btn-default {
             color: #444;
diff --git a/web/static/images/googleLogo.png b/web/static/images/googleLogo.png
new file mode 100644
index 000000000..932d755db
Binary files /dev/null and b/web/static/images/googleLogo.png differ
-- 
cgit v1.2.3-1-g7c22


From 07704d3299d6c85c531c98d7ff61251dc8e1f277 Mon Sep 17 00:00:00 2001
From: JoramWilander <jwawilander@gmail.com>
Date: Fri, 14 Aug 2015 11:57:46 -0400
Subject: turn off google SSO by default and remove test google oauth
 credentials

---
 config/config.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/config.json b/config/config.json
index 8405b9076..e7134cba5 100644
--- a/config/config.json
+++ b/config/config.json
@@ -35,9 +35,9 @@
             "UserApiEndpoint": ""
         },
         "google": {
-            "Allow": true,
-            "Secret": "hWN1kiPeyihN6nHr36j0oDqx",
-            "Id": "974585606220-ek5q66olpagb069pkg9ok0d7h8djeov6.apps.googleusercontent.com",
+            "Allow": false,
+            "Secret": "",
+            "Id": "",
             "Scope": "email profile",
             "AuthEndpoint": "https://accounts.google.com/o/oauth2/auth",
             "TokenEndpoint": "https://www.googleapis.com/oauth2/v3/token",
-- 
cgit v1.2.3-1-g7c22


From 3faa09c641cc6cb7f2a5e88d080b6a90339972d9 Mon Sep 17 00:00:00 2001
From: JoramWilander <jwawilander@gmail.com>
Date: Fri, 14 Aug 2015 12:35:43 -0400
Subject: reformat login.jsx to meet style guide

---
 web/react/components/login.jsx | 102 ++++++++++++++++++++++-------------------
 1 file changed, 54 insertions(+), 48 deletions(-)

diff --git a/web/react/components/login.jsx b/web/react/components/login.jsx
index 5f396ac49..c395bb500 100644
--- a/web/react/components/login.jsx
+++ b/web/react/components/login.jsx
@@ -4,64 +4,62 @@
 var utils = require('../utils/utils.jsx');
 var client = require('../utils/client.jsx');
 var UserStore = require('../stores/user_store.jsx');
-var TeamStore = require('../stores/team_store.jsx');
 var BrowserStore = require('../stores/browser_store.jsx');
 var Constants = require('../utils/constants.jsx');
 
 module.exports = React.createClass({
     handleSubmit: function(e) {
         e.preventDefault();
-        var state = { }
+        var state = {};
 
-        var name = this.props.teamName
+        var name = this.props.teamName;
         if (!name) {
-            state.server_error = "Bad team name"
+            state.serverError = 'Bad team name';
             this.setState(state);
             return;
         }
 
         var email = this.refs.email.getDOMNode().value.trim();
         if (!email) {
-            state.server_error = "An email is required"
+            state.serverError = 'An email is required';
             this.setState(state);
             return;
         }
 
         var password = this.refs.password.getDOMNode().value.trim();
         if (!password) {
-            state.server_error = "A password is required"
+            state.serverError = 'A password is required';
             this.setState(state);
             return;
         }
 
         if (!BrowserStore.isLocalStorageSupported()) {
-            state.server_error = "This service requires local storage to be enabled. Please enable it or exit private browsing.";
+            state.serverError = 'This service requires local storage to be enabled. Please enable it or exit private browsing.';
             this.setState(state);
             return;
         }
 
-        state.server_error = "";
+        state.serverError = '';
         this.setState(state);
 
         client.loginByEmail(name, email, password,
-            function(data) {
+            function loggedIn(data) {
                 UserStore.setCurrentUser(data);
                 UserStore.setLastEmail(email);
 
-                var redirect = utils.getUrlParameter("redirect");
+                var redirect = utils.getUrlParameter('redirect');
                 if (redirect) {
                     window.location.pathname = decodeURI(redirect);
                 } else {
                     window.location.pathname = '/' + name + '/channels/town-square';
                 }
-
-            }.bind(this),
-            function(err) {
-                if (err.message == "Login failed because email address has not been verified") {
+            },
+            function loginFailed(err) {
+                if (err.message === 'Login failed because email address has not been verified') {
                     window.location.href = '/verify_email?name=' + encodeURIComponent(name) + '&email=' + encodeURIComponent(email);
                     return;
                 }
-                state.server_error = err.message;
+                state.serverError = err.message;
                 this.valid = false;
                 this.setState(state);
             }.bind(this)
@@ -71,10 +69,13 @@ module.exports = React.createClass({
         return { };
     },
     render: function() {
-        var server_error = this.state.server_error ? <label className="control-label">{this.state.server_error}</label> : null;
-        var priorEmail = UserStore.getLastEmail() !== "undefined" ? UserStore.getLastEmail() : ""
+        var serverError;
+        if (this.state.serverError) {
+            serverError = <label className='control-label'>{this.state.serverError}</label>;
+        }
+        var priorEmail = UserStore.getLastEmail();
 
-        var emailParam = utils.getUrlParameter("email");
+        var emailParam = utils.getUrlParameter('email');
         if (emailParam) {
             priorEmail = decodeURIComponent(emailParam);
         }
@@ -84,57 +85,62 @@ module.exports = React.createClass({
 
         var focusEmail = false;
         var focusPassword = false;
-        if (priorEmail != "") {
+        if (priorEmail !== '') {
             focusPassword = true;
         } else {
             focusEmail = true;
         }
 
-        var auth_services = JSON.parse(this.props.authServices);
+        var authServices = JSON.parse(this.props.authServices);
 
-        var login_message = [];
-        if (auth_services.indexOf(Constants.GITLAB_SERVICE) >= 0) {
-            login_message.push(
-                <div className="form-group form-group--small">
-                    <span><a href={"/"+teamName+"/login/gitlab"}>{"Log in with GitLab"}</a></span>
+        var loginMessage = [];
+        if (authServices.indexOf(Constants.GITLAB_SERVICE) >= 0) {
+            loginMessage.push(
+                <div className='form-group form-group--small'>
+                    <span><a href={'/' + teamName + '/login/gitlab'}>{'Log in with GitLab'}</a></span>
                 </div>
             );
         }
-        if (auth_services.indexOf(Constants.GOOGLE_SERVICE) >= 0) {
-            login_message.push(
-                <div className="form-group form-group--small">
-                    <span><a href={"/"+teamName+"/login/google"}>{"Log in with Google"}</a></span>
+        if (authServices.indexOf(Constants.GOOGLE_SERVICE) >= 0) {
+            loginMessage.push(
+                <div className='form-group form-group--small'>
+                    <span><a href={'/' + teamName + '/login/google'}>{'Log in with Google'}</a></span>
                 </div>
             );
         }
 
+        var errorClass = '';
+        if (serverError) {
+            errorClass = ' has-error';
+        }
+
         return (
-            <div className="signup-team__container">
-                <h5 className="margin--less">Sign in to:</h5>
-                <h2 className="signup-team__name">{ teamDisplayName }</h2>
-                <h2 className="signup-team__subdomain">on { config.SiteName }</h2>
+            <div className='signup-team__container'>
+                <h5 className='margin--less'>Sign in to:</h5>
+                <h2 className='signup-team__name'>{teamDisplayName}</h2>
+                <h2 className='signup-team__subdomain'>on {config.SiteName}</h2>
                 <form onSubmit={this.handleSubmit}>
-                    <div className={server_error ? 'form-group has-error' : 'form-group'}>
-                        { server_error }
+                    <div className={'form-group' + errorClass}>
+                        {serverError}
                     </div>
-                    <div className={server_error ? 'form-group has-error' : 'form-group'}>
-                        <input autoFocus={focusEmail} type="email" className="form-control" name="email" defaultValue={priorEmail}  ref="email" placeholder="Email" />
+                    <div className={'form-group' + errorClass}>
+                        <input autoFocus={focusEmail} type='email' className='form-control' name='email' defaultValue={priorEmail} ref='email' placeholder='Email' />
                     </div>
-                    <div className={server_error ? 'form-group has-error' : 'form-group'}>
-                        <input autoFocus={focusPassword} type="password" className="form-control" name="password" ref="password" placeholder="Password" />
+                    <div className={'form-group' + errorClass}>
+                        <input autoFocus={focusPassword} type='password' className='form-control' name='password' ref='password' placeholder='Password' />
                     </div>
-                    <div className="form-group">
-                        <button type="submit" className="btn btn-primary">Sign in</button>
+                    <div className='form-group'>
+                        <button type='submit' className='btn btn-primary'>Sign in</button>
                     </div>
-                    { login_message }
-                    <div className="form-group margin--extra form-group--small">
-                        <span><a href="/find_team">{"Find other " + strings.TeamPlural}</a></span>
+                    {loginMessage}
+                    <div className='form-group margin--extra form-group--small'>
+                        <span><a href='/find_team'>{'Find other ' + strings.TeamPlural}</a></span>
                     </div>
-                    <div className="form-group">
-                        <a href={"/" + teamName + "/reset_password"}>I forgot my password</a>
+                    <div className='form-group'>
+                        <a href={'/' + teamName + '/reset_password'}>I forgot my password</a>
                     </div>
-                    <div className="margin--extra">
-                        <span>{"Want to create your own " + strings.Team + "?"} <a href="/" className="signup-team-login">Sign up now</a></span>
+                    <div className='margin--extra'>
+                        <span>{'Want to create your own ' + strings.Team + '?'} <a href='/' className='signup-team-login'>Sign up now</a></span>
                     </div>
                 </form>
             </div>
-- 
cgit v1.2.3-1-g7c22


From a7f09be9783f3354ab38d4fb4fb82085241d018f Mon Sep 17 00:00:00 2001
From: JoramWilander <jwawilander@gmail.com>
Date: Fri, 14 Aug 2015 12:39:38 -0400
Subject: merge async_client getMe changes

---
 web/react/utils/async_client.jsx | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/web/react/utils/async_client.jsx b/web/react/utils/async_client.jsx
index 09710ddf0..8b6d821d6 100644
--- a/web/react/utils/async_client.jsx
+++ b/web/react/utils/async_client.jsx
@@ -390,15 +390,15 @@ module.exports.getPosts = function(force, id, maxPosts) {
     }
 }
 
-function getMeSynchronous() {
-    if (isCallInProgress('getMeSynchronous')) {
+function getMe() {
+    if (isCallInProgress('getMe')) {
         return;
     }
 
-    callTracker.getMeSynchronous = utils.getTimestamp();
+    callTracker.getMe = utils.getTimestamp();
     client.getMeSynchronous(
         function(data, textStatus, xhr) {
-            callTracker.getMeSynchronous = 0;
+            callTracker.getMe = 0;
 
             if (xhr.status === 304 || !data) return;
 
@@ -409,11 +409,11 @@ function getMeSynchronous() {
         },
         function(err) {
             callTracker.getMe = 0;
-            dispatchError(err, 'getMeSynchronous');
+            dispatchError(err, 'getMe');
         }
     );
 }
-module.exports.getMeSynchronous = getMeSynchronous;
+module.exports.getMe = getMe;
 
 module.exports.getStatuses = function() {
     if (isCallInProgress('getStatuses')) return;
-- 
cgit v1.2.3-1-g7c22