Google OAuth + JWT in Cookies + Passport JS

                ┌────────────────────────┐
                │   User (Frontend App)  │
                └──────────┬─────────────┘
                           │
     [1] Clicks "Login with Google"
                           │
                           ▼
           ┌──────────────────────────────────┐
           │   GET /api/auth/googleAuth       │
           │   passport.authenticate('google')│
           └──────────────────────────────────┘
                           │
                           ▼
        Redirects user to Google OAuth Consent Screen
                           │
                           ▼
            ┌──────────────────────────────┐
            │   Google Authentication Page │
            └──────────────────────────────┘
                           │
     [2] User logs in & grants permissions
                           │
                           ▼
        Google redirects user to callback URL:
        /api/auth/googleAuth/callback
                           │
                           ▼
┌────────────────────────────────────────────────────────────┐
│ passport.authenticate('google', { session: false })        │
│  ↳ GoogleStrategy verify callback runs                     │
│     - Looks up existing user by googleId                   │
│     - If not found → creates new user in MongoDB           │
│     - Returns user object to callbackHandler               │
└────────────────────────────────────────────────────────────┘
                           │
                           ▼
┌────────────────────────────────────────────────────────────┐
│ callbackHandler(req, res):                                 │
│   - Generates JWT from user data:                          │
│       { id, email, name, avatar } + exp (token lifetime)   │
│   - Signs with process.env.JWT_SECRET                      │
│   - Sets JWT in HTTP-only cookie "token"                   │
│       (should also set Secure and SameSite)                │
│   - Redirects user to FRONTEND_URL                         │
└────────────────────────────────────────────────────────────┘
                           │
                           ▼
                ┌─────────────────────────┐
                │   Frontend Redirected   │
                │   (Cookie is stored)    │
                └─────────────────────────┘
                           │
     [3] On next page load, frontend calls /api/auth/me
                           │
                           ▼
           ┌──────────────────────────────────┐
           │  GET /api/auth/me                │
           │  → userAuth middleware           │
           └──────────────────────────────────┘
                           │
                           ▼
┌────────────────────────────────────────────────────────────┐
│ userAuth middleware:                                       │
│   - Reads token from cookies                               │
│   - Verifies signature + exp with process.env.JWT_SECRET   │
│   - If valid → attaches decoded user to req.user           │
│   - Calls next()                                           │
│   - Else (missing, invalid, expired) → 401 Unauthorized    │
└────────────────────────────────────────────────────────────┘
                           │
                           ▼
┌─────────────────────────────────────┐
│ isAuthenticated controller:         │
│   - Returns { success: true, user } │
└─────────────────────────────────────┘
                           │
                           ▼
      ✅ Frontend now has authenticated user details

--------------------------------------------------------------

LOGOUT FLOW:

[4] Frontend calls POST /api/auth/logout
       │
       ▼
┌───────────────────────────────────────────────┐
│ logout controller:                            │
│   - res.clearCookie('token', {...options})    │
│       (same path/domain as when it was set)   │
│   - Returns success response                  │
└───────────────────────────────────────────────┘
       │
       ▼
   ❌ Cookie removed from the browser
      (the JWT itself is not revoked: it stays valid until
       its exp, so keep lifetimes short or add a denylist)