Purpose
Configure the auth gate on manual.brandacare.com so only users with
@brandacare.com Google accounts can access. No recurring cost, no DNS migration,
no Netlify Pro.
Time: 30 min total · Who: Yami or IT (Quasar/Santi/Manuel)
Important limitation
This is a client-side gate.
Deters casual/public access but is NOT cryptographic security:
- Someone technical can view source with curl/wget (HTML is publicly hosted)
- JavaScript disabled in browser = no gate
- Contains NO PHI (PHI lives in Google Apps Script / Workspace — see TRN-IT-001)
Steps
1. Create project in Google Cloud Console
- Go to console.cloud.google.com
- Project selector at top → New Project
- Name: BrandaCare Manual Auth
- Organization: brandacare.com (should appear if your Workspace is set up correctly)
- Create
2. Enable Google Identity Services
- Sidebar → APIs & Services → Enabled APIs & services
- No extra enablement needed for basic OAuth — Google Identity is default
3. Configure OAuth consent screen
- Sidebar → APIs & Services → OAuth consent screen
- User Type: Internal (@brandacare.com users only)
- Create
- App information:
  - App name: BrandaCare Manual
  - User support email: hello@brandacare.com
  - App logo: upload BrandaCare logo (optional)
- App domain → Application home page: https://manual.brandacare.com
- Authorized domains: brandacare.com
- Developer contact: hello@brandacare.com
- Save and Continue → Scopes: leave default → Save and Continue → Summary → Back to Dashboard
4. Create Credentials (Client ID)
- Sidebar → APIs & Services → Credentials
- Click + Create Credentials → OAuth client ID
- Application type: Web application
- Name: BrandaCare Manual Web Client
- Authorized JavaScript origins → + Add URI: https://manual.brandacare.com
- Authorized redirect URIs → not needed (we use popup mode)
- Create
- COPY the Client ID shown (like 123456789-abcdef.apps.googleusercontent.com)
5. Paste Client ID into auth.js
In your local manual repo, open docs/brand/auth.js:
```js
const CLIENT_ID = 'REPLACE_WITH_YOUR_GOOGLE_OAUTH_CLIENT_ID.apps.googleusercontent.com';
```
Replace that line with your real Client ID:
```js
const CLIENT_ID = '123456789-abcdef.apps.googleusercontent.com';
```
6. Inject auth gate into all HTMLs
```sh
cd "api open dental stedi claims"
python docs/inject_auth.py
```
Expected output:
```
🔒 Injecting auth gate into N files...
✅ N files modified (0 already had auth gate)
```
This adds `<script src="brand/auth.js">` to each HTML's `<head>`. Idempotent — running twice doesn't duplicate.
7. Re-deploy to Netlify
Drag-and-drop the docs/ folder to Netlify, or if you have CI from Git, push and deploy.
8. Verify
- Open manual.brandacare.com in an incognito tab
- BrandaCare-branded login screen should appear
- Click "Continue with Google" → log in with @brandacare.com → should enter
- Try with personal Gmail (NOT @brandacare.com) → should reject with clear message
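As an added illustration, not the manual's own auth.js: a client-side check of the kind step 8 exercises, assuming the gate receives a Google Identity Services credential (an ID-token JWT) in popup mode and reads its email, email_verified, hd and exp claims. The decoding below never verifies the token signature, which is exactly why the page calls this a deterrent rather than security.

```javascript
// Added example (not the manual's auth.js). Assumes the gate's callback gets a
// Google Identity Services credential: a JWT whose payload carries email,
// email_verified, hd (Workspace hosted domain) and exp. No signature check
// happens in the browser, so this only deters; it is not access control.
const ALLOWED_DOMAIN = 'brandacare.com'; // no leading '@' (see Troubleshooting)
const SESSION_HOURS = 8;

// Decode the JWT payload (second segment, base64url) WITHOUT verifying it.
function decodeJwtPayload(token) {
  const seg = token.split('.')[1];
  if (!seg) throw new Error('not a JWT');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const json = typeof atob === 'function'
    ? atob(padded) : Buffer.from(padded, 'base64').toString('utf8');
  return JSON.parse(json);
}

// Decide whether the signed-in account may pass the gate. Workspace accounts
// carry an `hd` claim; personal Gmail accounts do not, so step 8's negative
// test is rejected by both the email-domain and the hd comparison.
function isAllowedAccount(payload, allowedDomain = ALLOWED_DOMAIN, nowSec = Date.now() / 1000) {
  const domain = allowedDomain.replace(/^@/, '').toLowerCase(); // tolerate a stray '@'
  if (typeof payload.exp === 'number' && payload.exp <= nowSec) return { ok: false, reason: 'token expired' };
  if (payload.email_verified !== true) return { ok: false, reason: 'email not verified' };
  const emailDomain = String(payload.email || '').split('@')[1];
  if (!emailDomain || emailDomain.toLowerCase() !== domain) {
    return { ok: false, reason: `only @${domain} accounts may sign in` };
  }
  if ((payload.hd || '').toLowerCase() !== domain) return { ok: false, reason: `not a Workspace account for ${domain}` };
  return { ok: true, reason: 'ok' };
}

// Session bookkeeping controlled by SESSION_HOURS: when does a gate pass lapse?
function sessionExpiresAt(startMs, hours = SESSION_HOURS) { return startMs + hours * 3600 * 1000; }
function sessionIsValid(expiresAtMs, nowMs) { return nowMs < expiresAtMs; }

// Constructed, unsigned sample tokens for offline testing (not real credentials).
function fakeToken(payload) {
  const enc = (o) => {
    const s = JSON.stringify(o);
    const b64 = typeof btoa === 'function' ? btoa(s) : Buffer.from(s).toString('base64');
    return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  };
  return `${enc({ alg: 'none' })}.${enc(payload)}.`;
}
```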
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| Orange "Auth gate not configured" banner | Client ID not replaced in auth.js | Edit brand/auth.js line 15 |
| "Error 400: redirect_uri_mismatch" | URI not in Authorized JS origins | Add https://manual.brandacare.com in Google Console → Credentials → your Client ID |
| "This app isn't verified" | OAuth consent screen User Type is External | Change to Internal in Google Console |
| Login works but rejects your @brandacare.com | ALLOWED_DOMAIN field is wrong | Check auth.js line 16: must be 'brandacare.com' (no @) |
| HTML changes not showing after edit | Browser cache | Cmd+Shift+R or incognito |
Maintenance
| When | What to do |
|---|---|
| New SOP/training added to manual | Re-run python docs/inject_auth.py → re-deploy |
| Client ID change | Edit brand/auth.js → re-deploy |
| Compromise suspected | Google Cloud → Credentials → regenerate or revoke tokens |
| Sessions last too long | Change SESSION_HOURS in auth.js (default: 8h) |
