One Click Instead of Six Digits
Fifth time today I open Planq. Type my email. Wait for the code. Copy six digits. Sign in. An hour later, again. Email, code, six digits. OTP works. But thirty digits a day isn’t a sign-in flow - it’s a ritual.

Why bother
Google OAuth sounds like half a day of integration work. Firebase SDK, authlib, new tables, migrations. But if you stop and think about what you actually need - you need the user’s email. Google provides it. The email already exists in the system. OTP and Google are just two different ways to prove you own that email. Same function, different entrance.
Two routes on the backend. The first generates a state, drops it in a cookie, and redirects to Google. The second handles the callback, gets the email, and calls the same _authenticate_user() as OTP does. No new dependencies. httpx was already installed. Three HTTP requests instead of a twelve-thousand-line library.
On the frontend, one link. <a href="/auth/google">. No JS SDK. A divider “or” between the button and the OTP form. Click, pick an account, you’re in.

Mobile
On the web it’s straightforward - cookies. On Android, cookies from the browser won’t make it back to the app. You need a different mechanism.
One parameter: ?platform=mobile in the request. The backend stores it in the state. After authorization, instead of cookies and a frontend redirect, it sends a deep link: planq://auth/callback with tokens in the query string. The app intercepts it, saves the tokens, lets you in. Same backend, same flow, one branch at the end.
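A sketch of the state handling behind the two routes and the ?platform=mobile branch, added here as an example and not taken from Planq's code. The HMAC signing, the key, the redirect URI, the client id placeholder and all function names are assumptions; the post only says the state goes in a cookie and carries the platform.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode

SECRET = b"constructed-demo-key"         # assumption: server-side signing key
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"      # placeholder, not a real client id
REDIRECT_URI = "https://example.invalid/auth/google/callback"  # assumed route
PLATFORMS = {"web", "mobile"}

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def make_state(platform: str = "web") -> str:
    """First route: random nonce plus platform, signed so the client cannot edit it."""
    if platform not in PLATFORMS:
        platform = "web"                 # unknown values fall back to the cookie flow
    body = json.dumps({"n": secrets.token_urlsafe(16), "p": platform}).encode()
    payload = base64.urlsafe_b64encode(body)
    return payload.decode() + "." + _sign(payload).decode()

def authorize_url(state: str) -> str:
    """URL the first route redirects to; the same state value also goes in the cookie."""
    query = urlencode({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                       "response_type": "code", "scope": "openid email",
                       "state": state})
    return "https://accounts.google.com/o/oauth2/v2/auth?" + query

def check_state(query_state: str, cookie_state: str) -> str:
    """Second route: run before the code exchange. Returns the platform or raises."""
    if not cookie_state or not hmac.compare_digest(
            query_state.encode(), cookie_state.encode()):
        raise ValueError("state does not match the cookie")  # login CSRF guard
    payload, _, sig = query_state.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(payload.encode())):
        raise ValueError("state signature invalid")
    platform = json.loads(base64.urlsafe_b64decode(payload))["p"]
    if platform not in PLATFORMS:
        raise ValueError("unknown platform")
    return platform                      # "mobile" -> deep link, "web" -> cookies
```

Only after check_state() returns does the callback exchange the code and call the shared authentication function; the returned platform decides between setting cookies and issuing the deep link.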
The build broke. New AndroidX dependencies required a newer Gradle version. Bumped it, built fine.

What I didn’t do
I didn’t install a library for a single provider. I didn’t parse the ID Token - why bother when you can just hit the userinfo API after the server-side exchange. I didn’t touch the database schema. I didn’t build a UI for linking accounts. One email, one user, two ways to sign in.
OTP stays. For people whose corporate Google has restrictions. For mobile without Play Services. As a fallback.
But the main path is now one click. Thirty digits a day turned into zero.


