[1b] Google OAuth sign-in + JWT session

[andrmaz]

What to build

Implement the Google OAuth sign-in flow under /auth/google/*. On successful callback, issue a JWT (or server-side session token) that encodes user identity and org membership. Add a validation middleware that rejects missing/expired tokens with a clear error. Expose /api/me to verify session state.

Acceptance criteria

• A user can complete Google SSO and land on a success state.
• A valid JWT/session token is issued and verifiable by the middleware.
• /api/me returns authenticated user identity.
• Invalid or expired tokens are rejected with a structured error response.
• Unit tests cover token issuance and validation paths.

Blocked by

• [1a] Project scaffolding + core schema #2 [1a] Project scaffolding + core schema

[andrmaz]

@cursoragent Implement this issue

[cursor]

All tasks are complete. Here's a summary of what was implemented:

Google OAuth + JWT session is now fully implemented in apps/api. The key pieces:

• GET /auth/google — redirects users to Google's OAuth consent screen via passport-google-oauth20
• GET /auth/google/callback — receives the OAuth callback, upserts the user in the DB (using UserService + PrismaService), and returns { accessToken: <JWT> }
• GET /api/me — protected by JwtAuthGuard; returns the authenticated user's id, email, organizationId, and role
• JwtAuthGuard — rejects missing or expired tokens with a structured UnauthorizedException
• AuthService — issueToken / verifyToken / decodeToken backed by @nestjs/jwt; tokens encode sub, email, organizationId, role and expire after 8 hours

14 new unit tests cover: token issuance (payload claims, iat/exp), token verification (valid, tampered, wrong-secret, malformed, expired), decode, and JWT strategy payload validation. All 43 tests (new + pre-existing) pass with pnpm check-types and pnpm lint also green.

The four required environment variables (GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GOOGLE_CALLBACK_URL, JWT_SECRET) are documented in .env.example and declared in turbo.json.