[Draft] Implement onboarding wizard and allow google SSO login configuration

[ATechAdventurer]

• Introduced a comprehensive onboarding API with multiple endpoints for managing onboarding steps, including authentication, data sources, and user configurations.
• Added middleware to check onboarding status and cache results to optimize API calls.
• Implemented Google OAuth integration with validation and configuration management.
• Enhanced user experience by redirecting users based on onboarding status.
• Created new components for onboarding UI and improved data handling in the onboarding process.
• Updated database schema to support onboarding progress tracking.

This commit lays the groundwork for a streamlined onboarding experience, ensuring users can efficiently set up their applications.

📋 Pull Request Summary

🔗 Related Issues

• Fixes #
• Relates to #

📝 Changes Made

🧪 Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• All existing tests pass

Testing Details:

📚 Documentation

• Code is self-documenting with clear variable/function names
• Added/updated JSDoc comments for public APIs
• Updated README.md if needed
• Updated other documentation files
• No documentation changes needed

🔄 Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✨ New feature (non-breaking change that adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
• 📝 Documentation update
• 🔧 Refactoring (no functional changes)
• ⚡ Performance improvement
• 🧪 Test improvements

🚨 Breaking Changes

• This PR introduces breaking changes
• Migration guide provided
• Deprecation warnings added

Breaking Change Details:

📸 Screenshots/Videos

📋 Additional Notes

[gemini-code-assist]

Summary of Changes

Hello @ATechAdventurer, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request delivers a foundational onboarding wizard designed to simplify the initial setup experience for new users. It provides a guided, step-by-step process for configuring essential application settings, with a particular focus on authentication. The wizard now supports Google SSO integration, allowing for dynamic credential management and streamlined admin user creation. Supporting this, a new set of API endpoints and database schema have been introduced to manage onboarding state, alongside middleware to ensure a seamless flow between setup and application usage.

Highlights

• Comprehensive Onboarding Wizard: Introduced a multi-step onboarding process for initial application setup, guiding users through authentication, data source configuration, and user management.
• Google SSO Integration: Implemented Google OAuth as a primary authentication option, allowing dynamic configuration and validation of credentials, and enabling admin users to sign in with their Google accounts.
• Dynamic Authentication Configuration: Refactored the authentication system to dynamically load and apply configurations for Google OAuth and OIDC SSO based on environment variables or settings saved during onboarding, enhancing flexibility.
• Dedicated Onboarding API: Added a suite of new API endpoints (/api/onboarding/*) to manage the state, progress, and configuration details for each step of the onboarding wizard.
• Onboarding Flow Middleware: Implemented middleware to intelligently redirect users to the onboarding wizard if the application is not yet set up, and conversely, redirect them away from the onboarding page once the setup is complete.
• Database Schema for Onboarding Progress: Introduced a new OnboardingProgress table in the database to persistently track the status and configuration data throughout the onboarding process.
• Updated Documentation: Added new and updated existing documentation, including a detailed SSO Setup Guide, to assist users with configuring authentication methods.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive onboarding wizard and dynamic Google SSO configuration. The changes are extensive, adding numerous API endpoints, UI components, middleware for routing, and database schema updates. My review has identified a critical security vulnerability concerning the exposure of a client secret, which must be addressed immediately. Additionally, I've noted several opportunities for significant refactoring to improve maintainability, particularly in a large UI component. Other comments focus on improving code quality by reducing duplication, ensuring type safety, and adopting more efficient database practices. Overall, this is a substantial feature addition that will greatly enhance the initial user experience once these issues are resolved.

[gemini-code-assist]

Exposing the clientSecret to the frontend is a critical security vulnerability. The client secret must be kept confidential on the server and should never be sent to the client-side. The frontend only requires the clientId to initiate the OAuth flow. All operations requiring the clientSecret, such as exchanging the authorization code for a token, must be handled exclusively by the backend.

      response.credentials = {
        clientId: config.clientId,
      };

[gemini-code-assist]

Accepting the clientSecret from the request body is a critical security vulnerability. The client secret should never be exposed on the client-side or transmitted from it. The backend should securely retrieve the clientId and clientSecret from a secure source, such as environment variables or the database (via GoogleAuthService), after the user has configured them during the onboarding process.

[gemini-code-assist]

The logic here assumes there will only ever be one onboarding progress record with userId: null. If it's possible for multiple incomplete onboarding sessions to exist (e.g., multiple users attempting to set up the app simultaneously), findFirst without a more specific ordering or filter could lead to updating the wrong record, creating a race condition. Consider adding a unique token for each onboarding session to reliably identify and update the correct progress record.

[gemini-code-assist]

This component has grown to over 1400 lines, managing the state, logic, and rendering for the entire multi-step onboarding flow. Such large "god components" are difficult to understand, maintain, and test. This significantly increases the risk of introducing bugs in the future.

It is highly recommended to refactor this into smaller, more focused components. For example, you could have:

• A main AdminOnboarding component that manages the current step and state transitions.
• Separate components for each step, such as WelcomeStep, AuthStep, and AuthConfigStep.

This will improve code organization, readability, and reusability.

[gemini-code-assist]

The validation logic within handleCompleteSetup is largely a duplication of the logic found in the handleNext function (specifically for the auth-config step). This duplication can easily lead to inconsistencies and bugs if one is updated and the other is not. This logic should be extracted into a single, reusable validation function that can be called from both places to ensure consistency and improve maintainability.

[gemini-code-assist]

The logic for creating a user is duplicated in the if (authMethod === 'password') block and the else block. Since the prisma.user.create call is identical in both branches, you can remove the conditional logic and have a single user creation step. This will make the code more concise and easier to maintain.

    adminUser = await prisma.user.create({
      data: {
        name: adminData.name,
        email: adminData.email,
        emailVerified: true,
        isAnonymous: false,
        telemetryEnabled: telemetryConsent,
        createdAt: new Date(),
        updatedAt: new Date(),
      },
    });

[gemini-code-assist]

This file is a server-side route handler. The dynamic import await import('~/lib/prisma') is unnecessary here. It can be replaced with a static import at the top of the file for better performance, readability, and to allow static analysis tools to work correctly.

[gemini-code-assist]

The as any cast for adminData and progress.adminData bypasses TypeScript's type safety. This can lead to runtime errors if the shape of the data is not what you expect. It's better to ensure the googleUserData object is correctly typed and merged safely with the existing adminData. Using a Zod schema to parse progress.adminData before merging would be a much safer approach.

[gemini-code-assist]

The introduction of an async function createAuthConfig to dynamically configure betterAuth is a great improvement. However, there's some duplicated logic between the provisionUser callback for SSO and the global hooks.after callback. Both contain logic for granting admin access and accepting invites. This could be consolidated into a single, reusable function to handle post-authentication actions for new users, regardless of the authentication method.

[gemini-code-assist]

Using a module-level variable onboardingStatusCache for caching in the middleware can lead to issues in serverless environments, where the middleware function might be instantiated multiple times. While this works in a single-process server, it's not a reliable caching strategy for edge or serverless functions. Consider using a more robust caching solution like @upstash/redis or Next.js's own data caching mechanisms if this is intended for a scalable environment.