From 71c27b28a8b4e210e138cdfeb30e5524bd1a7b92 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 7 May 2026 19:04:55 +0000
Subject: [PATCH 1/3] fix(frontend): wire landing links to index, add privacy
 menu item, add google sign-in flow

Agent-Logs-Url: https://github.com/devXyi/prexus-intelligence/sessions/3b81347b-26ec-43c0-9ecb-c118a784ef0f

Co-authored-by: devXyi <265634822+devXyi@users.noreply.github.com>
---
 backend/backend/apps/api-gateway/auth.go | 115 +++++++++++++++++++++
 backend/backend/apps/api-gateway/main.go |   1 +
 frontend/index.html                      | 122 ++++++++++++++++++++++-
 frontend/landing.html                    |   9 +-
 4 files changed, 242 insertions(+), 5 deletions(-)

diff --git a/backend/backend/apps/api-gateway/auth.go b/backend/backend/apps/api-gateway/auth.go
index 8b75ee6..0e9b593 100644
--- a/backend/backend/apps/api-gateway/auth.go
+++ b/backend/backend/apps/api-gateway/auth.go
@@ -5,8 +5,12 @@ package main
 
 import (
 	"context"
+	"database/sql"
+	"encoding/json"
+	"errors"
 	"log"
 	"net/http"
+	"net/url"
 	"os"
 	"strings"
 	"time"
@@ -34,6 +38,10 @@ type LoginRequest struct {
 	Password string `json:"password" binding:"required"`
 }
 
+type GoogleLoginRequest struct {
+	Credential string `json:"credential" binding:"required"`
+}
+
 type AuthResponse struct {
 	Token string  `json:"token"`
 	User  UserDTO `json:"user"`
@@ -54,6 +62,14 @@ type Claims struct {
 	jwt.RegisteredClaims
 }
 
+type GoogleTokenInfo struct {
+	Audience      string `json:"aud"`
+	Email         string `json:"email"`
+	EmailVerified string `json:"email_verified"`
+	Name          string `json:"name"`
+	Subject       string `json:"sub"`
+}
+
 // ─────────────────────────────────────────────────────────────
 // Register
 // ─────────────────────────────────────────────────────────────
@@ -160,6 +176,105 @@ func handleLogin(c *gin.Context) {
 	})
 }
 
+func verifyGoogleIDToken(ctx context.Context, idToken string) (*GoogleTokenInfo, error) {
+	tokenInfoURL := "https://oauth2.googleapis.com/tokeninfo?id_token=" + url.QueryEscape(idToken)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, tokenInfoURL, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	res, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode != http.StatusOK {
+		return nil, errors.New("invalid Google credential")
+	}
+
+	var info GoogleTokenInfo
+	if err := json.NewDecoder(res.Body).Decode(&info); err != nil {
+		return nil, err
+	}
+
+	if info.Email == "" || info.Subject == "" || info.EmailVerified != "true" {
+		return nil, errors.New("Google account is not eligible for sign-in")
+	}
+
+	if expectedAud := strings.TrimSpace(os.Getenv("GOOGLE_CLIENT_ID")); expectedAud != "" && info.Audience != expectedAud {
+		return nil, errors.New("Google credential audience mismatch")
+	}
+
+	return &info, nil
+}
+
+func handleGoogleLogin(c *gin.Context) {
+	var req GoogleLoginRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(c.Request.Context(), authTimeout)
+	defer cancel()
+
+	tokenInfo, err := verifyGoogleIDToken(ctx, req.Credential)
+	if err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": err.Error()})
+		return
+	}
+
+	email := normalizeEmail(tokenInfo.Email)
+
+	var id int64
+	var fullName, orgName, role string
+	err = DB.QueryRowContext(ctx,
+		`SELECT id,COALESCE(full_name,''),COALESCE(org_name,''),role
+		 FROM users WHERE email=$1`,
+		email,
+	).Scan(&id, &fullName, &orgName, &role)
+
+	if errors.Is(err, sql.ErrNoRows) {
+		role = "user"
+		fullName = strings.TrimSpace(tokenInfo.Name)
+		seed := "google-oauth-" + tokenInfo.Subject + "-" + time.Now().UTC().Format(time.RFC3339Nano)
+		hash, hashErr := bcrypt.GenerateFromPassword([]byte(seed), bcrypt.DefaultCost)
+		if hashErr != nil {
+			log.Printf("google signup hash error: %v", hashErr)
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create account"})
+			return
+		}
+
+		insertErr := DB.QueryRowContext(ctx,
+			`INSERT INTO users (email,password_hash,full_name,org_name,role,created_at)
+			 VALUES ($1,$2,$3,$4,$5,$6) RETURNING id`,
+			email, string(hash), fullName, "", role, time.Now().UTC(),
+		).Scan(&id)
+		if insertErr != nil {
+			log.Printf("google signup DB error: %v", insertErr)
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create account"})
+			return
+		}
+	} else if err != nil {
+		log.Printf("google login DB error: %v", err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Login failed"})
+		return
+	}
+
+	token, err := issueToken(id, email, role)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Token generation failed"})
+		return
+	}
+
+	c.JSON(http.StatusOK, AuthResponse{
+		Token: token,
+		User:  UserDTO{ID: id, Email: email, FullName: fullName, OrgName: orgName, Role: role},
+	})
+}
+
 // ─────────────────────────────────────────────────────────────
 // Me
 // ─────────────────────────────────────────────────────────────
diff --git a/backend/backend/apps/api-gateway/main.go b/backend/backend/apps/api-gateway/main.go
index d62828e..636cade 100644
--- a/backend/backend/apps/api-gateway/main.go
+++ b/backend/backend/apps/api-gateway/main.go
@@ -167,6 +167,7 @@ func main() {
 	r.GET("/health", RateLimitMiddleware(), handleHealth)
 	r.POST("/register", RateLimitMiddleware(), handleRegister)
 	r.POST("/login", RateLimitMiddleware(), handleLogin)
+	r.POST("/login/google", RateLimitMiddleware(), handleGoogleLogin)
 
 	// ── Protected Routes (Auth + RBAC) ────────────────────
 	auth := r.Group("/", AuthMiddleware())
diff --git a/frontend/index.html b/frontend/index.html
index 3041593..c6192f9 100644
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -74,6 +74,12 @@
 .btn-auth{width:100%;padding:14px;background:var(--cobalt);color:white;border:none;border-radius:8px;cursor:pointer;font-family:var(--font-data);font-size:11px;font-weight:600;letter-spacing:.14em;text-transform:uppercase;transition:var(--transition);box-shadow:0 0 20px rgba(14,165,233,.3)}
 .btn-auth:hover:not(:disabled){filter:brightness(1.12);box-shadow:0 0 32px rgba(14,165,233,.5)}
 .btn-auth:disabled{opacity:.5;cursor:not-allowed}
+.auth-divider{display:flex;align-items:center;gap:10px;margin:4px 0}
+.auth-divider::before,.auth-divider::after{content:'';flex:1;height:1px;background:rgba(255,255,255,.08)}
+.auth-divider span{font-family:var(--font-data);font-size:9px;letter-spacing:.12em;color:var(--ghost);text-transform:uppercase}
+.btn-google{width:100%;padding:12px 14px;background:rgba(255,255,255,.02);color:var(--ice);border:1px solid rgba(255,255,255,.14);border-radius:8px;cursor:pointer;font-family:var(--font-data);font-size:10px;letter-spacing:.1em;text-transform:uppercase;transition:var(--transition);display:flex;align-items:center;justify-content:center;gap:8px}
+.btn-google:hover:not(:disabled){border-color:rgba(14,165,233,.4);background:rgba(14,165,233,.08)}
+.btn-google:disabled{opacity:.5;cursor:not-allowed}
 .btn-ghost{background:transparent;border:1px solid var(--border);color:var(--steel);padding:8px 18px;border-radius:10px;cursor:pointer;font-family:var(--font-data);font-size:10px;letter-spacing:.12em;text-transform:uppercase;transition:var(--transition)}
 .btn-ghost:hover{border-color:rgba(14,165,233,.3);color:var(--ice)}
 
@@ -263,6 +269,11 @@
             <input type="password" id="authPassword" placeholder="PASSWORD" required minlength="6" class="inp" style="letter-spacing:.3em"/>
             <div id="authError" class="error-box"></div>
             <button type="submit" id="authBtn" class="btn-auth">Sign In</button>
+            <div class="auth-divider"><span>or</span></div>
+            <button type="button" id="googleSignInBtn" class="btn-google" onclick="startGoogleSignIn()">
+              <i class="fa-brands fa-google" style="font-size:12px"></i>Continue with Google
+            </button>
+            <p id="googleSignInHint" style="display:none;font-family:var(--font-data);font-size:8.5px;letter-spacing:.08em;color:var(--ghost);text-transform:uppercase;text-align:center;margin-top:2px"></p>
           </form>
         </div>
 
@@ -584,8 +595,10 @@ <h2 style="font-family:var(--font-display);font-size:20px;font-weight:700;letter
 
 
 <!-- ═══ SCRIPTS ═══ -->
+<script src="https://accounts.google.com/gsi/client" async defer></script>
 <script>
 const API = 'https://prexus-intelligence.onrender.com';
+const GOOGLE_CLIENT_ID = window.PRX_GOOGLE_CLIENT_ID || '';
 let currentPage = 'auth';
 let authMode = 'login';
 let sessionUser = null;
@@ -642,6 +655,107 @@ <h2 style="font-family:var(--font-display);font-size:20px;font-weight:700;letter
   document.getElementById('authError').className = 'error-box';
 }
 
+function setGoogleHint(message) {
+  const hint = document.getElementById('googleSignInHint');
+  if (!hint) return;
+  hint.textContent = message || '';
+  hint.style.display = message ? 'block' : 'none';
+}
+
+function parseJwtPayload(token) {
+  const payload = token.split('.')[1];
+  const normalized = payload.replace(/-/g, '+').replace(/_/g, '/');
+  const decoded = atob(normalized + '='.repeat((4 - normalized.length % 4) % 4));
+  return JSON.parse(decoded);
+}
+
+async function completeGoogleSignIn(idToken) {
+  const errEl = document.getElementById('authError');
+  const btn = document.getElementById('googleSignInBtn');
+  errEl.className = 'error-box';
+  btn.disabled = true;
+  btn.innerHTML = '<i class="fa-brands fa-google" style="font-size:12px"></i>Authenticating…';
+
+  try {
+    let userData = null;
+
+    if (apiOnline) {
+      const res = await fetch(API + '/login/google', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ credential: idToken }),
+        signal: AbortSignal.timeout(10000),
+      });
+      if (res.ok) {
+        userData = await res.json();
+      } else {
+        const fallbackErr = await res.json().catch(() => ({}));
+        throw new Error(fallbackErr.error || 'Google sign-in failed');
+      }
+    } else {
+      const payload = parseJwtPayload(idToken);
+      userData = {
+        token: 'sim_google_' + Date.now(),
+        user: {
+          id: 'usr_google_sim',
+          email: payload.email || '',
+          full_name: payload.name || payload.given_name || '',
+          org_name: '',
+          role: 'user',
+        },
+      };
+    }
+
+    if (!userData?.token || !userData?.user?.email) {
+      throw new Error('Invalid sign-in response');
+    }
+
+    localStorage.setItem('prx_token', userData.token);
+    localStorage.setItem('prx_user', JSON.stringify(userData.user));
+    sessionUser = userData.user;
+
+    const org = localStorage.getItem(`prexus_org_${sessionUser.email}`);
+    if (org) {
+      document.getElementById('hubOrgName').textContent = JSON.parse(org).orgName;
+      navigate('hub');
+    } else {
+      if (sessionUser.full_name) {
+        const fn = document.getElementById('orgFullName');
+        if (fn) fn.value = sessionUser.full_name;
+      }
+      navigate('org');
+    }
+  } catch (err) {
+    errEl.textContent = '✕ ' + (err.message || 'Google sign-in failed. Please try again.');
+    errEl.className = 'error-box show';
+  } finally {
+    btn.disabled = false;
+    btn.innerHTML = '<i class="fa-brands fa-google" style="font-size:12px"></i>Continue with Google';
+  }
+}
+
+function startGoogleSignIn() {
+  if (!window.google?.accounts?.id) {
+    setGoogleHint('Google services not loaded. Refresh and try again.');
+    return;
+  }
+  if (!GOOGLE_CLIENT_ID) {
+    setGoogleHint('Google sign-in is temporarily unavailable.');
+    return;
+  }
+  setGoogleHint('');
+  window.google.accounts.id.initialize({
+    client_id: GOOGLE_CLIENT_ID,
+    callback: (response) => {
+      if (!response?.credential) return;
+      completeGoogleSignIn(response.credential);
+    },
+    ux_mode: 'popup',
+    auto_select: false,
+  });
+  window.google.accounts.id.prompt();
+}
+
 /* ─── AUTH SUBMIT ─── */
 async function handleAuthSubmit(e) {
   e.preventDefault();
@@ -794,8 +908,13 @@ <h2 style="font-family:var(--font-display);font-size:20px;font-weight:700;letter
   initCookies();
   checkApi(); // non-blocking
 
+  if (!GOOGLE_CLIENT_ID) {
+    setGoogleHint('Set PRX_GOOGLE_CLIENT_ID to enable Google sign-in.');
+  }
+
   const token = localStorage.getItem('prx_token');
   const user  = localStorage.getItem('prx_user');
+  const hash  = (window.location.hash || '').toLowerCase();
 
   if (token && user) {
     try { sessionUser = JSON.parse(user); } catch(_) {}
@@ -815,8 +934,9 @@ <h2 style="font-family:var(--font-display);font-size:20px;font-weight:700;letter
     }
   }
   navigate('auth');
+  if (hash === '#register') setAuthMode('register');
+  if (hash === '#signin') setAuthMode('login');
 });
 </script>
 </body>
 </html>
-
diff --git a/frontend/landing.html b/frontend/landing.html
index 540fb6c..fd112ef 100644
--- a/frontend/landing.html
+++ b/frontend/landing.html
@@ -780,9 +780,10 @@
 
 <!-- Dropdown -->
 <nav class="menu-dropdown" id="menu-dropdown" aria-hidden="true">
-  <a href="auth.html"          class="menu-item">Registration <span class="arr">→</span></a>
-  <a href="auth.html#signin"   class="menu-item">Sign In      <span class="arr">→</span></a>
+  <a href="index.html#register" class="menu-item">Registration <span class="arr">→</span></a>
+  <a href="index.html#signin"   class="menu-item">Sign In      <span class="arr">→</span></a>
   <a href="demo.html"          class="menu-item">Book Demo    <span class="arr">→</span></a>
+  <a href="privacy-policy.html" class="menu-item">Privacy Policy <span class="arr">→</span></a>
   <div class="menu-divider"></div>
   <div class="menu-section-label">Be Prexisian</div>
   <a href="pricing.html"  class="menu-item sub">Plans &amp; Pricing <span class="arr">→</span></a>
@@ -826,7 +827,7 @@ <h1 class="hero-h1">
 
     <div class="hero-actions">
       <a href="demo.html"  class="btn-primary">Book a Demo →</a>
-      <a href="auth.html"  class="btn-secondary">Request Access</a>
+      <a href="index.html#register"  class="btn-secondary">Request Access</a>
     </div>
 
     <p class="hero-tagline">Climate Intelligence · Health Risk · Strategic Intelligence · Economic Signals</p>
@@ -1002,7 +1003,7 @@ <h2 class="cta-h2 reveal">Join the<br/>Intelligence Network</h2>
   <p class="cta-body reveal">Prexus is available to verified government departments, research institutions, and regulated enterprises. Register for access or book a guided demonstration.</p>
   <div class="cta-actions reveal">
     <a href="demo.html"  class="btn-primary"  style="font-size:11px;padding:14px 30px">Book a Demo →</a>
-    <a href="auth.html"  class="btn-secondary" style="font-size:11px;padding:13px 22px">Request Access</a>
+    <a href="index.html#register"  class="btn-secondary" style="font-size:11px;padding:13px 22px">Request Access</a>
   </div>
   <p class="cta-note reveal">TLS 1.3 · AES-256 · SOC 2 Type II · ISO 27001 · Zero-Trust Architecture</p>
 </section>

From f04c56deb822d9341b286a682173cac50172313f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 7 May 2026 19:07:23 +0000
Subject: [PATCH 2/3] feat(auth): add google token login endpoint and wire
 frontend google sign-in config

Agent-Logs-Url: https://github.com/devXyi/prexus-intelligence/sessions/3b81347b-26ec-43c0-9ecb-c118a784ef0f

Co-authored-by: devXyi <265634822+devXyi@users.noreply.github.com>
---
 .env.example                             |   1 +
 backend/backend/apps/api-gateway/auth.go |   8 ++
 backend/backend/apps/api-gateway/main.go |  17 ++--
 backend/backend/go.mod                   |  42 +++++++--
 backend/backend/go.sum                   | 107 +++++++++++++++++++++++
 frontend/index.html                      |  27 ++++--
 6 files changed, 181 insertions(+), 21 deletions(-)
 create mode 100644 backend/backend/go.sum

diff --git a/.env.example b/.env.example
index fa5934b..fcd4caf 100644
--- a/.env.example
+++ b/.env.example
@@ -7,6 +7,7 @@
 ENV=development
 PORT=8080
 JWT_SECRET=change-this-to-a-long-random-string-in-production
+GOOGLE_CLIENT_ID=                 # Optional: enables Google sign-in validation
 
 # Points Go gateway to local Python engine during development
 DATA_ENGINE_URL=http://localhost:8001
diff --git a/backend/backend/apps/api-gateway/auth.go b/backend/backend/apps/api-gateway/auth.go
index 0e9b593..b03d53a 100644
--- a/backend/backend/apps/api-gateway/auth.go
+++ b/backend/backend/apps/api-gateway/auth.go
@@ -176,6 +176,14 @@ func handleLogin(c *gin.Context) {
 	})
 }
 
+func handleGoogleConfig(c *gin.Context) {
+	clientID := strings.TrimSpace(os.Getenv("GOOGLE_CLIENT_ID"))
+	c.JSON(http.StatusOK, gin.H{
+		"enabled":   clientID != "",
+		"client_id": clientID,
+	})
+}
+
 func verifyGoogleIDToken(ctx context.Context, idToken string) (*GoogleTokenInfo, error) {
 	tokenInfoURL := "https://oauth2.googleapis.com/tokeninfo?id_token=" + url.QueryEscape(idToken)
 
diff --git a/backend/backend/apps/api-gateway/main.go b/backend/backend/apps/api-gateway/main.go
index 636cade..03e26df 100644
--- a/backend/backend/apps/api-gateway/main.go
+++ b/backend/backend/apps/api-gateway/main.go
@@ -165,6 +165,7 @@ func main() {
 
 	// ── Public Routes ─────────────────────────────────────
 	r.GET("/health", RateLimitMiddleware(), handleHealth)
+	r.GET("/auth/google/config", RateLimitMiddleware(), handleGoogleConfig)
 	r.POST("/register", RateLimitMiddleware(), handleRegister)
 	r.POST("/login", RateLimitMiddleware(), handleLogin)
 	r.POST("/login/google", RateLimitMiddleware(), handleGoogleLogin)
@@ -173,25 +174,25 @@ func main() {
 	auth := r.Group("/", AuthMiddleware())
 	{
 		// Assets
-		auth.GET("/assets",     RequirePermission("assets:read"),   handleGetAssets)
-		auth.POST("/assets",    RequirePermission("assets:create"), handleCreateAsset)
+		auth.GET("/assets", RequirePermission("assets:read"), handleGetAssets)
+		auth.POST("/assets", RequirePermission("assets:create"), handleCreateAsset)
 		auth.PUT("/assets/:id", RequirePermission("assets:update"), handleUpdateAsset)
 		auth.DELETE("/assets/:id", RequirePermission("assets:delete"), handleDeleteAsset)
 
 		// Risk Engine
-		auth.POST("/risk/asset",       RequirePermission("risk:run"), proxyToDataEngine("/risk/asset"))
-		auth.POST("/risk/portfolio",   RequirePermission("risk:run"), proxyToDataEngine("/risk/portfolio"))
+		auth.POST("/risk/asset", RequirePermission("risk:run"), proxyToDataEngine("/risk/asset"))
+		auth.POST("/risk/portfolio", RequirePermission("risk:run"), proxyToDataEngine("/risk/portfolio"))
 		auth.POST("/risk/stress-test", RequirePermission("risk:run"), proxyToDataEngine("/risk/stress-test"))
-		auth.GET("/risk/health",       RequirePermission("risk:run"), proxyToDataEngineGET("/risk/health"))
+		auth.GET("/risk/health", RequirePermission("risk:run"), proxyToDataEngineGET("/risk/health"))
 
 		// Data Engine — GET proxies
-		auth.GET("/sources",    RequirePermission("risk:run"), proxyToDataEngineGET("/sources"))
+		auth.GET("/sources", RequirePermission("risk:run"), proxyToDataEngineGET("/sources"))
 		auth.GET("/lake/stats", RequirePermission("risk:run"), proxyToDataEngineGET("/lake/stats"))
 		auth.GET("/lake/files", RequirePermission("risk:run"), proxyToDataEngineGET("/lake/files"))
 
 		// AI
-		auth.POST("/chat",    RateLimitMiddleware(), RequirePermission("risk:run"), proxyToDataEngine("/chat"))
-		auth.POST("/claude",  RateLimitMiddleware(), RequirePermission("risk:run"), handleClaude)
+		auth.POST("/chat", RateLimitMiddleware(), RequirePermission("risk:run"), proxyToDataEngine("/chat"))
+		auth.POST("/claude", RateLimitMiddleware(), RequirePermission("risk:run"), handleClaude)
 		auth.POST("/analyze", RateLimitMiddleware(), RequirePermission("risk:run"), proxyToDataEngine("/analyze"))
 
 		// User
diff --git a/backend/backend/go.mod b/backend/backend/go.mod
index 2c913f6..f0503d1 100644
--- a/backend/backend/go.mod
+++ b/backend/backend/go.mod
@@ -3,10 +3,40 @@ module github.com/devXyi/prexus-intelligence/backend
 go 1.22
 
 require (
-	github.com/gin-contrib/cors    v1.7.2
-	github.com/gin-gonic/gin       v1.10.0
-	github.com/golang-jwt/jwt/v5   v5.2.1
-	github.com/joho/godotenv       v1.5.1
-	github.com/lib/pq              v1.10.9
-	golang.org/x/crypto            v0.24.0
+	github.com/gin-contrib/cors v1.7.2
+	github.com/gin-gonic/gin v1.10.0
+	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/joho/godotenv v1.5.1
+	github.com/lib/pq v1.10.9
+	golang.org/x/crypto v0.24.0
+	golang.org/x/time v0.10.0
+)
+
+require (
+	github.com/bytedance/sonic v1.11.6 // indirect
+	github.com/bytedance/sonic/loader v0.1.1 // indirect
+	github.com/cloudwego/base64x v0.1.4 // indirect
+	github.com/cloudwego/iasm v0.2.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
+	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.20.0 // indirect
+	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.2.12 // indirect
+	golang.org/x/arch v0.8.0 // indirect
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	google.golang.org/protobuf v1.34.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/backend/backend/go.sum b/backend/backend/go.sum
new file mode 100644
index 0000000..73c17cc
--- /dev/null
+++ b/backend/backend/go.sum
@@ -0,0 +1,107 @@
+github.com/bytedance/sonic v1.11.6 h1:oUp34TzMlL+OY1OUWxHqsdkgC/Zfc85zGqw9siXjrc0=
+github.com/bytedance/sonic v1.11.6/go.mod h1:LysEHSvpvDySVdC2f87zGWf6CIKJcAvqab1ZaiQtds4=
+github.com/bytedance/sonic/loader v0.1.1 h1:c+e5Pt1k/cy5wMveRDyk2X4B9hF4g7an8N3zCYjJFNM=
+github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
+github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
+github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
+github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg=
+github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
+github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
+github.com/gin-contrib/cors v1.7.2 h1:oLDHxdg8W/XDoN/8zamqk/Drgt4oVZDvaV0YmvVICQw=
+github.com/gin-contrib/cors v1.7.2/go.mod h1:SUJVARKgQ40dmrzgXEVxj2m7Ig1v1qIboQkPDTQ9t2E=
+github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
+github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
+github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU=
+github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
+github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
+github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
+github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
+github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
+github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
+github.com/go-playground/validator/v10 v10.20.0 h1:K9ISHbSaI0lyB2eWMPJo+kOS/FBExVwjEviJTixqxL8=
+github.com/go-playground/validator/v10 v10.20.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
+github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
+github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
+github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM=
+github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
+github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
+github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
+github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
+github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
+github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8=
+github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
+github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
+github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
+github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+golang.org/x/arch v0.0.0-20210923205945-b76863e36670/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
+golang.org/x/arch v0.8.0 h1:3wRIsP3pM4yUptoR96otTUOXI367OS0+c9eeRi9doIc=
+golang.org/x/arch v0.8.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
+golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/time v0.10.0 h1:3usCWA8tQn0L8+hFJQNgzpWbd89begxN66o1Ojdn5L4=
+golang.org/x/time v0.10.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
+google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=
+rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
diff --git a/frontend/index.html b/frontend/index.html
index c6192f9..7b38520 100644
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -598,11 +598,11 @@ <h2 style="font-family:var(--font-display);font-size:20px;font-weight:700;letter
 <script src="https://accounts.google.com/gsi/client" async defer></script>
 <script>
 const API = 'https://prexus-intelligence.onrender.com';
-const GOOGLE_CLIENT_ID = window.PRX_GOOGLE_CLIENT_ID || '';
 let currentPage = 'auth';
 let authMode = 'login';
 let sessionUser = null;
 let apiOnline = false;
+let googleClientId = '';
 
 /* ─── NAVIGATE ─── */
 function navigate(page) {
@@ -739,13 +739,13 @@ <h2 style="font-family:var(--font-display);font-size:20px;font-weight:700;letter
     setGoogleHint('Google services not loaded. Refresh and try again.');
     return;
   }
-  if (!GOOGLE_CLIENT_ID) {
+  if (!googleClientId) {
     setGoogleHint('Google sign-in is temporarily unavailable.');
     return;
   }
   setGoogleHint('');
   window.google.accounts.id.initialize({
-    client_id: GOOGLE_CLIENT_ID,
+    client_id: googleClientId,
     callback: (response) => {
       if (!response?.credential) return;
       completeGoogleSignIn(response.credential);
@@ -756,6 +756,22 @@ <h2 style="font-family:var(--font-display);font-size:20px;font-weight:700;letter
   window.google.accounts.id.prompt();
 }
 
+async function initGoogleSignIn() {
+  try {
+    const res = await fetch(API + '/auth/google/config', { signal: AbortSignal.timeout(5000) });
+    if (!res.ok) throw new Error('config unavailable');
+    const cfg = await res.json();
+    if (cfg?.enabled && cfg?.client_id) {
+      googleClientId = String(cfg.client_id);
+      setGoogleHint('');
+    } else {
+      setGoogleHint('Google sign-in is temporarily unavailable.');
+    }
+  } catch (_) {
+    setGoogleHint('Google sign-in is temporarily unavailable.');
+  }
+}
+
 /* ─── AUTH SUBMIT ─── */
 async function handleAuthSubmit(e) {
   e.preventDefault();
@@ -907,10 +923,7 @@ <h2 style="font-family:var(--font-display);font-size:20px;font-weight:700;letter
 document.addEventListener('DOMContentLoaded', async () => {
   initCookies();
   checkApi(); // non-blocking
-
-  if (!GOOGLE_CLIENT_ID) {
-    setGoogleHint('Set PRX_GOOGLE_CLIENT_ID to enable Google sign-in.');
-  }
+  initGoogleSignIn(); // non-blocking
 
   const token = localStorage.getItem('prx_token');
   const user  = localStorage.getItem('prx_user');

From d448dcdfb772a2e9f197d843872c2b7a18a358b7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 7 May 2026 19:11:27 +0000
Subject: [PATCH 3/3] chore(auth): harden google token parsing and verification
 edge cases

Agent-Logs-Url: https://github.com/devXyi/prexus-intelligence/sessions/3b81347b-26ec-43c0-9ecb-c118a784ef0f

Co-authored-by: devXyi <265634822+devXyi@users.noreply.github.com>
---
 backend/backend/apps/api-gateway/auth.go | 31 +++++++++++++++++++-----
 frontend/index.html                      | 30 +++++++++++++++++++----
 2 files changed, 50 insertions(+), 11 deletions(-)

diff --git a/backend/backend/apps/api-gateway/auth.go b/backend/backend/apps/api-gateway/auth.go
index b03d53a..70a2e7c 100644
--- a/backend/backend/apps/api-gateway/auth.go
+++ b/backend/backend/apps/api-gateway/auth.go
@@ -5,7 +5,9 @@ package main
 
 import (
 	"context"
+	"crypto/rand"
 	"database/sql"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"log"
@@ -65,7 +67,7 @@ type Claims struct {
 type GoogleTokenInfo struct {
 	Audience      string `json:"aud"`
 	Email         string `json:"email"`
-	EmailVerified string `json:"email_verified"`
+	EmailVerified any    `json:"email_verified"`
 	Name          string `json:"name"`
 	Subject       string `json:"sub"`
 }
@@ -192,7 +194,8 @@ func verifyGoogleIDToken(ctx context.Context, idToken string) (*GoogleTokenInfo,
 		return nil, err
 	}
 
-	res, err := http.DefaultClient.Do(req)
+	client := &http.Client{Timeout: authTimeout}
+	res, err := client.Do(req)
 	if err != nil {
 		return nil, err
 	}
@@ -207,8 +210,8 @@ func verifyGoogleIDToken(ctx context.Context, idToken string) (*GoogleTokenInfo,
 		return nil, err
 	}
 
-	if info.Email == "" || info.Subject == "" || info.EmailVerified != "true" {
-		return nil, errors.New("Google account is not eligible for sign-in")
+	if info.Email == "" || info.Subject == "" || !isGoogleEmailVerified(info.EmailVerified) {
+		return nil, errors.New("Google account must have a verified email address")
 	}
 
 	if expectedAud := strings.TrimSpace(os.Getenv("GOOGLE_CLIENT_ID")); expectedAud != "" && info.Audience != expectedAud {
@@ -218,6 +221,17 @@ func verifyGoogleIDToken(ctx context.Context, idToken string) (*GoogleTokenInfo,
 	return &info, nil
 }
 
+func isGoogleEmailVerified(value any) bool {
+	switch v := value.(type) {
+	case bool:
+		return v
+	case string:
+		return strings.EqualFold(v, "true")
+	default:
+		return false
+	}
+}
+
 func handleGoogleLogin(c *gin.Context) {
 	var req GoogleLoginRequest
 	if err := c.ShouldBindJSON(&req); err != nil {
@@ -247,8 +261,13 @@ func handleGoogleLogin(c *gin.Context) {
 	if errors.Is(err, sql.ErrNoRows) {
 		role = "user"
 		fullName = strings.TrimSpace(tokenInfo.Name)
-		seed := "google-oauth-" + tokenInfo.Subject + "-" + time.Now().UTC().Format(time.RFC3339Nano)
-		hash, hashErr := bcrypt.GenerateFromPassword([]byte(seed), bcrypt.DefaultCost)
+		randomPassword := make([]byte, 32)
+		if _, randErr := rand.Read(randomPassword); randErr != nil {
+			log.Printf("google signup random generation error: %v", randErr)
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create account"})
+			return
+		}
+		hash, hashErr := bcrypt.GenerateFromPassword([]byte(base64.RawURLEncoding.EncodeToString(randomPassword)), bcrypt.DefaultCost)
 		if hashErr != nil {
 			log.Printf("google signup hash error: %v", hashErr)
 			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create account"})
diff --git a/frontend/index.html b/frontend/index.html
index 7b38520..59bbe58 100644
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -662,11 +662,26 @@ <h2 style="font-family:var(--font-display);font-size:20px;font-weight:700;letter
   hint.style.display = message ? 'block' : 'none';
 }
 
+function decodeBase64URL(value) {
+  if (!value || typeof value !== 'string') {
+    throw new Error('Invalid Base64URL value');
+  }
+  const normalized = value.replace(/-/g, '+').replace(/_/g, '/');
+  const paddingLength = (4 - (normalized.length % 4)) % 4;
+  return atob(normalized + '='.repeat(paddingLength));
+}
+
 function parseJwtPayload(token) {
-  const payload = token.split('.')[1];
-  const normalized = payload.replace(/-/g, '+').replace(/_/g, '/');
-  const decoded = atob(normalized + '='.repeat((4 - normalized.length % 4) % 4));
-  return JSON.parse(decoded);
+  const parts = String(token || '').split('.');
+  if (parts.length !== 3 || !parts[1]) {
+    throw new Error('Invalid Google token format');
+  }
+  const decoded = decodeBase64URL(parts[1]);
+  try {
+    return JSON.parse(decoded);
+  } catch {
+    throw new Error('Invalid Google token payload');
+  }
 }
 
 async function completeGoogleSignIn(idToken) {
@@ -693,7 +708,12 @@ <h2 style="font-family:var(--font-display);font-size:20px;font-weight:700;letter
         throw new Error(fallbackErr.error || 'Google sign-in failed');
       }
     } else {
-      const payload = parseJwtPayload(idToken);
+      let payload;
+      try {
+        payload = parseJwtPayload(idToken);
+      } catch (_) {
+        throw new Error('Google token format is invalid (offline mode)');
+      }
       userData = {
         token: 'sim_google_' + Date.now(),
         user: {