We are now entering the deep-end phase of real integration with Google Calendar. In the previous phase, we successfully completed the TDD for our algorithm locally. Now, it's time to establish the connection.
The first domino to fall is user login authentication (Google OAuth). If you simply ask a standard large language model to "write Google OAuth login logic," it will likely spit out a seemingly complete code snippet within 30 seconds.
But don't celebrate too soon! That unconstrained, auto-generated code is almost certainly riddled with vulnerabilities:
It might not include the state parameter to protect against Cross-Site Request Forgery (CSRF).
The stored access_token will likely lack the httpOnly and Secure flags in the cookie.
It might even naively hardcode your local and production callback routes together.
1. From "Write It for Me" to "Execute According to a Security Checklist"
Under an Agentic Development workflow, you must prevent this kind of "unguarded generation." We need to transform the security experience we've accumulated in traditional full-stack development into a prerequisite checklist for the Agent.
We will update our previous task_plan.md and attach a mandatory requirement to the details of this step:
"When implementing the [Google OAuth Authentication Callback Layer], you are required to adhere to the strictest industry security audit baselines. After writing the code, you must pass the following internal self-audit checklist and provide me with a report before you can submit your work:
[ ]Is thestateparameter enabled for session validation?[ ]Are the obtained Access Token and Refresh Token strictly stored in anhttpOnlyand domain-restricted Cookie/Session? They must never be exposed to the client-sidewindowobject.[ ]In case of an API error, is the actual stack trace hidden from the frontend to prevent leaking backend configuration details?"
2. The Agent's Internal Adversarial Process
When the Agent receives such instructions, the low-quality code block it was about to write offhandedly will be sent back to the rewrite pool.
It will develop the Next.js server-side callback route app/api/auth/callback/route.ts while simultaneously using a browser or analyzer to self-verify these three checklist items.
When the system responds, it won't just be a flimsy "Done." Instead, it will be accompanied by a solid declaration like: "Security self-audit complete. Injected crypto random byte generation to intercept CSRF. Selected HTTPOnly Cookie for storage."
This is a quantum leap. At this point, the AI is no longer just a mindless Junior developer. It's starting to adopt the cautious, defensive security mindset of a Senior developer.
Getting the login to work and obtaining permissions is just the first step in a long journey. The next step is to tackle the age-old problem of calendar system development: which calendar serves as the source of truth?