google sign in

.gitignore

@@ -47,3 +47,7 @@ build/
 # Private keys (keep in repo but be careful)
 PRIVATE_KEY.pem
 client_secret.json
+test.jpg
+
+# Downloaded video files
+downloads/

app.py

@@ -12,7 +12,7 @@ from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import JSONResponse
 
 from core.database import init_db
-from routers import auth, blink, general
+from routers import auth, blink, general, gemini
 from services.drive_service import DriveService
 
 # Configure logging
@@ -46,8 +46,18 @@ async def lifespan(app: FastAPI):
     
     await init_db()
     logger.info("Database initialized successfully")
+    
+    # Start background job worker
+    from services.job_worker import start_worker, stop_worker
+    await start_worker()
+    logger.info("Background job worker started")
+    
     yield
     
+    # Stop background job worker
+    await stop_worker()
+    logger.info("Background job worker stopped")
+    
     # Shutdown: Upload DB to Drive
     logger.info("Shutdown: Uploading database to Google Drive...")
     drive_service.upload_db()
@@ -75,6 +85,7 @@ app.add_middleware(
 app.include_router(general.router)
 app.include_router(auth.router)
 app.include_router(blink.router)
+app.include_router(gemini.router)
 
 
 @app.exception_handler(Exception)

core/models.py

@@ -37,6 +37,7 @@ class BlinkData(Base):
 class User(Base):
     """
     User model for credit system.
+    Supports both legacy secret key and Google OAuth authentication.
     """
     __tablename__ = "users"
 
@@ -44,7 +45,16 @@ class User(Base):
     user_id = Column(String(50), unique=True, index=True, nullable=False)  # Backend generated UUID
     temp_user_id = Column(String(50), index=True, nullable=True)  # From frontend
     email = Column(String(255), unique=True, index=True, nullable=False)
-    secret_key_hash = Column(String(255), nullable=False)
+    
+    # Google OAuth fields
+    google_id = Column(String(255), unique=True, index=True, nullable=True)  # Google sub claim
+    name = Column(String(255), nullable=True)  # Display name from Google
+    profile_picture = Column(Text, nullable=True)  # Google profile picture URL
+    
+    # Legacy field (kept for migration, nullable now)
+    secret_key_hash = Column(String(255), nullable=True)
+    
+    # Credits and status
     credits = Column(Integer, default=100)
     created_at = Column(DateTime(timezone=True), server_default=func.now())
     updated_at = Column(DateTime(timezone=True), server_default=func.now(), onupdate=func.now())
@@ -55,6 +65,7 @@ class User(Base):
         return f"<User(id={self.id}, email={self.email})>"
 
 
+
 class RateLimit(Base):
     """
     Rate limit tracking table.
@@ -83,3 +94,26 @@ class AuditLog(Base):
     status = Column(String(20), nullable=False)
     error_message = Column(Text, nullable=True)
     timestamp = Column(DateTime(timezone=True), server_default=func.now())
+
+
+class GeminiJob(Base):
+    """
+    Generic job queue for Gemini operations (video, image, text).
+    """
+    __tablename__ = "gemini_jobs"
+
+    id = Column(Integer, primary_key=True, autoincrement=True, index=True)
+    job_id = Column(String(100), unique=True, index=True, nullable=False)  # Our ID for client
+    user_id = Column(String(50), index=True, nullable=False)  # User who requested
+    job_type = Column(String(20), index=True, nullable=False)  # video, image, text, analyze
+    third_party_id = Column(String(255), nullable=True)  # Gemini operation name (for video)
+    status = Column(String(20), default="queued", index=True)  # queued, processing, completed, failed
+    input_data = Column(JSON, nullable=True)  # Request details (prompt, settings, etc.)
+    output_data = Column(JSON, nullable=True)  # Result (filename, text, etc.)
+    error_message = Column(Text, nullable=True)
+    created_at = Column(DateTime(timezone=True), server_default=func.now())
+    started_at = Column(DateTime(timezone=True), nullable=True)
+    completed_at = Column(DateTime(timezone=True), nullable=True)
+
+    def __repr__(self):
+        return f"<GeminiJob(job_id={self.job_id}, type={self.job_type}, status={self.status})>"

core/schemas.py

@@ -1,12 +1,46 @@
 from pydantic import BaseModel, EmailStr, Field
+from typing import Optional
+
+# Pydantic Models for Google OAuth Authentication
 
-# Pydantic Models
 class CheckRegistrationRequest(BaseModel):
+    """Check if a user_id has completed registration."""
     user_id: str = Field(..., min_length=1, description="Temporary user ID from frontend")
 
-class RegisterRequest(BaseModel):
-    user_id: str = Field(..., min_length=1, description="Temporary user ID from frontend")
-    email: EmailStr = Field(..., description="User email address")
 
-class ResetRequest(BaseModel):
-    email: EmailStr = Field(..., description="User email address")
+class GoogleAuthRequest(BaseModel):
+    """Request with Google ID token from frontend Sign-In."""
+    id_token: str = Field(..., min_length=1, description="Google ID token from Sign-In")
+    temp_user_id: Optional[str] = Field(None, description="Optional temp user ID for linking")
+
+
+class AuthResponse(BaseModel):
+    """Response after successful Google authentication."""
+    success: bool
+    access_token: str
+    user_id: str
+    email: str
+    name: Optional[str] = None
+    credits: int
+    is_new_user: bool
+
+
+class UserInfoResponse(BaseModel):
+    """Response containing current user information."""
+    user_id: str
+    email: str
+    name: Optional[str] = None
+    credits: int
+    profile_picture: Optional[str] = None
+
+
+class TokenRefreshRequest(BaseModel):
+    """Request to refresh an access token."""
+    token: str = Field(..., description="Current access token to refresh")
+
+
+class TokenRefreshResponse(BaseModel):
+    """Response with refreshed access token."""
+    success: bool
+    access_token: str
+

core/security.py

@@ -1,25 +1,32 @@
-import secrets
+"""
+Core Security Utilities
+
+Note: Secret key authentication has been replaced with Google OAuth.
+The bcrypt functions below are kept for potential future use (e.g., admin passwords).
+"""
 import bcrypt
 
+
 def verify_password(plain_password: str, hashed_password: str) -> bool:
     """
-    Verify a password against a hash.
+    Verify a password against a bcrypt hash.
+    
+    Note: This is no longer used for user authentication (moved to Google OAuth).
+    Kept for potential admin/internal use cases.
     """
     if isinstance(hashed_password, str):
         hashed_password = hashed_password.encode('utf-8')
     return bcrypt.checkpw(plain_password.encode('utf-8'), hashed_password)
 
+
 def get_password_hash(password: str) -> str:
     """
     Hash a password using bcrypt.
+    
+    Note: This is no longer used for user authentication (moved to Google OAuth).
+    Kept for potential admin/internal use cases.
     """
-    # rounds=12 as per spec
     salt = bcrypt.gensalt(rounds=12)
     hashed = bcrypt.hashpw(password.encode('utf-8'), salt)
     return hashed.decode('utf-8')
 
-def generate_secret_key() -> str:
-    """
-    Generate a secure secret key starting with 'sk_'.
-    """
-    return "sk_" + secrets.token_urlsafe(32)

dependencies.py

@@ -9,7 +9,12 @@ from sqlalchemy.ext.asyncio import AsyncSession
 
 from core.database import get_db
 from core.models import User, RateLimit
-from core.security import verify_password
+from services.jwt_service import (
+    verify_access_token,
+    TokenExpiredError,
+    InvalidTokenError,
+    JWTError
+)
 
 logger = logging.getLogger(__name__)
 
@@ -63,57 +68,107 @@ async def check_rate_limit(
         await db.commit()
         return True
 
-async def verify_credits(
+
+async def get_current_user(
     req: Request,
     db: AsyncSession = Depends(get_db)
 ) -> User:
     """
-    Dependency to validate secret key and deduct credits.
+    Extract and verify JWT from Authorization header.
+    Returns the authenticated user.
+    
+    Usage:
+        @router.get("/protected")
+        async def protected_route(user: User = Depends(get_current_user)):
+            return {"user_id": user.user_id}
     """
-    secret_key = req.headers.get("X-Secret-Key")
-    if not secret_key:
+    auth_header = req.headers.get("Authorization")
+    
+    if not auth_header:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Missing X-Secret-Key header"
+            detail="Missing Authorization header",
+            headers={"WWW-Authenticate": "Bearer"}
         )
     
-    # Validate secret key format
-    if not secret_key.startswith("sk_"):
+    if not auth_header.startswith("Bearer "):
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Invalid secret key format"
+            detail="Invalid Authorization header format. Use: Bearer <token>",
+            headers={"WWW-Authenticate": "Bearer"}
         )
-        
-    # Find user
-    query = select(User).where(User.is_active == True)
+    
+    token = auth_header.split(" ", 1)[1]
+    
+    try:
+        payload = verify_access_token(token)
+    except TokenExpiredError:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Token has expired. Please sign in again.",
+            headers={"WWW-Authenticate": "Bearer"}
+        )
+    except InvalidTokenError as e:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=f"Invalid token: {str(e)}",
+            headers={"WWW-Authenticate": "Bearer"}
+        )
+    except JWTError as e:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=f"Authentication error: {str(e)}",
+            headers={"WWW-Authenticate": "Bearer"}
+        )
+    
+    # Get user from DB
+    query = select(User).where(
+        User.user_id == payload.user_id,
+        User.is_active == True
+    )
     result = await db.execute(query)
-    users = result.scalars().all()
-    
-    valid_user = None
-    for user in users:
-        if verify_password(secret_key, user.secret_key_hash):
-            valid_user = user
-            break
-            
-    if not valid_user:
+    user = result.scalar_one_or_none()
+    
+    if not user:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Invalid secret key"
+            detail="User not found or inactive"
         )
-        
-    # Check credits
-    if valid_user.credits <= 0:
+    
+    return user
+
+
+async def verify_credits(
+    user: User = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db)
+) -> User:
+    """
+    Verify user has credits and deduct one.
+    
+    This dependency first authenticates the user via JWT,
+    then checks and deducts credits.
+    
+    Usage:
+        @router.post("/api-endpoint")
+        async def api_endpoint(user: User = Depends(verify_credits)):
+            # User is authenticated and has 1 credit deducted
+            return {"credits_remaining": user.credits}
+    """
+    if user.credits <= 0:
         raise HTTPException(
             status_code=status.HTTP_402_PAYMENT_REQUIRED,
-            detail="Insufficient credits"
+            detail="Insufficient credits. Please purchase more credits."
         )
-        
+    
     # Deduct credit
-    valid_user.credits -= 1
-    valid_user.last_used_at = datetime.utcnow()
+    user.credits -= 1
+    user.last_used_at = datetime.utcnow()
     await db.commit()
     
-    return valid_user
+    logger.debug(f"Deducted 1 credit from user {user.user_id}. Remaining: {user.credits}")
+    
+    return user
+
 
 async def get_geolocation(ip_address: str) -> Tuple[Optional[str], Optional[str]]:
     """

docs/CLIENT_INTEGRATION.md

@@ -0,0 +1,287 @@
+# Google Sign-In Client Integration Guide
+
+Quick guide for frontend developers to integrate Google Sign-In with the APIGateway.
+
+## Setup
+
+### 1. Get Your Google Client ID
+
+Use the same `GOOGLE_CLIENT_ID` that's configured on the backend.
+
+### 2. Add Google Identity Services Script
+
+```html
+<script src="https://accounts.google.com/gsi/client" async defer></script>
+```
+
+---
+
+## Option A: One-Tap / Button Sign-In (Recommended)
+
+```html
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="https://accounts.google.com/gsi/client" async defer></script>
+</head>
+<body>
+    <!-- Google One Tap prompt -->
+    <div id="g_id_onload"
+         data-client_id="YOUR_GOOGLE_CLIENT_ID.apps.googleusercontent.com"
+         data-callback="handleGoogleSignIn"
+         data-auto_prompt="false">
+    </div>
+    
+    <!-- Sign In Button -->
+    <div class="g_id_signin"
+         data-type="standard"
+         data-size="large"
+         data-theme="outline"
+         data-text="sign_in_with"
+         data-shape="rectangular"
+         data-logo_alignment="left">
+    </div>
+
+    <script>
+    const API_BASE = 'https://your-api-gateway.com';  // Change this
+    
+    async function handleGoogleSignIn(response) {
+        try {
+            // Send Google token to your backend
+            const res = await fetch(`${API_BASE}/auth/google`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    id_token: response.credential,
+                    temp_user_id: localStorage.getItem('temp_user_id') // optional
+                })
+            });
+            
+            const data = await res.json();
+            
+            if (data.success) {
+                // Store the access token
+                localStorage.setItem('access_token', data.access_token);
+                localStorage.setItem('user', JSON.stringify({
+                    user_id: data.user_id,
+                    email: data.email,
+                    name: data.name,
+                    credits: data.credits
+                }));
+                
+                console.log('Signed in!', data.is_new_user ? 'New user' : 'Existing user');
+                // Redirect or update UI
+                window.location.reload();
+            } else {
+                alert('Sign in failed: ' + (data.detail || 'Unknown error'));
+            }
+        } catch (error) {
+            console.error('Sign in error:', error);
+            alert('Sign in failed. Please try again.');
+        }
+    }
+    </script>
+</body>
+</html>
+```
+
+---
+
+## Option B: Programmatic Sign-In
+
+```javascript
+const API_BASE = 'https://your-api-gateway.com';
+
+// Initialize Google Sign-In
+function initGoogleSignIn(clientId) {
+    google.accounts.id.initialize({
+        client_id: clientId,
+        callback: handleGoogleSignIn
+    });
+    
+    // Render button in a container
+    google.accounts.id.renderButton(
+        document.getElementById('google-signin-btn'),
+        { theme: 'outline', size: 'large', text: 'signin_with' }
+    );
+}
+
+// Handle the response
+async function handleGoogleSignIn(response) {
+    const res = await fetch(`${API_BASE}/auth/google`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ id_token: response.credential })
+    });
+    
+    const data = await res.json();
+    if (data.success) {
+        localStorage.setItem('access_token', data.access_token);
+    }
+}
+
+// Call on page load
+window.onload = () => initGoogleSignIn('YOUR_CLIENT_ID.apps.googleusercontent.com');
+```
+
+---
+
+## Making API Calls
+
+After sign-in, use the access token for all API calls:
+
+```javascript
+const API_BASE = 'https://your-api-gateway.com';
+
+async function apiCall(endpoint, options = {}) {
+    const token = localStorage.getItem('access_token');
+    
+    if (!token) {
+        throw new Error('Not signed in');
+    }
+    
+    const response = await fetch(`${API_BASE}${endpoint}`, {
+        ...options,
+        headers: {
+            'Authorization': `Bearer ${token}`,
+            'Content-Type': 'application/json',
+            ...options.headers
+        }
+    });
+    
+    if (response.status === 401) {
+        // Token expired - need to sign in again
+        localStorage.removeItem('access_token');
+        window.location.href = '/login';
+        return;
+    }
+    
+    return response.json();
+}
+
+// Examples
+async function getCurrentUser() {
+    return apiCall('/auth/me');
+}
+
+async function generateText(prompt) {
+    return apiCall('/gemini/generate-text', {
+        method: 'POST',
+        body: JSON.stringify({ prompt })
+    });
+}
+
+async function checkJobStatus(jobId) {
+    return apiCall(`/gemini/job/${jobId}`);
+}
+```
+
+---
+
+## API Endpoints Reference
+
+| Endpoint | Method | Auth Required | Description |
+|----------|--------|---------------|-------------|
+| `/auth/google` | POST | ❌ | Sign in with Google token |
+| `/auth/me` | GET | ✅ | Get current user info |
+| `/auth/refresh` | POST | ❌ | Refresh access token |
+| `/gemini/generate-text` | POST | ✅ | Generate text (costs 1 credit) |
+| `/gemini/generate-video` | POST | ✅ | Generate video (costs 1 credit) |
+| `/gemini/job/{job_id}` | GET | ✅ | Check job status |
+
+---
+
+## Sign Out
+
+```javascript
+function signOut() {
+    localStorage.removeItem('access_token');
+    localStorage.removeItem('user');
+    
+    // Optionally call logout endpoint for audit
+    fetch(`${API_BASE}/auth/logout`, {
+        method: 'POST',
+        headers: { 'Authorization': `Bearer ${token}` }
+    });
+    
+    // Revoke Google session
+    google.accounts.id.disableAutoSelect();
+    
+    window.location.href = '/';
+}
+```
+
+---
+
+## Error Handling
+
+| Status | Meaning | Action |
+|--------|---------|--------|
+| 401 | Token expired/invalid | Redirect to sign-in |
+| 402 | Insufficient credits | Show "buy credits" prompt |
+| 429 | Rate limited | Wait and retry |
+
+```javascript
+async function apiCallWithErrorHandling(endpoint, options) {
+    const response = await apiCall(endpoint, options);
+    
+    if (response.status === 402) {
+        alert('You have run out of credits!');
+        return null;
+    }
+    
+    return response;
+}
+```
+
+---
+
+## React Example
+
+```jsx
+import { useEffect, useState } from 'react';
+
+function App() {
+    const [user, setUser] = useState(null);
+    
+    useEffect(() => {
+        // Check if already signed in
+        const token = localStorage.getItem('access_token');
+        if (token) {
+            fetch('/auth/me', {
+                headers: { 'Authorization': `Bearer ${token}` }
+            })
+            .then(r => r.json())
+            .then(setUser)
+            .catch(() => localStorage.removeItem('access_token'));
+        }
+        
+        // Initialize Google Sign-In
+        window.handleGoogleSignIn = async (response) => {
+            const res = await fetch('/auth/google', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ id_token: response.credential })
+            });
+            const data = await res.json();
+            if (data.success) {
+                localStorage.setItem('access_token', data.access_token);
+                setUser(data);
+            }
+        };
+    }, []);
+    
+    if (!user) {
+        return (
+            <div>
+                <div id="g_id_onload"
+                     data-client_id="YOUR_CLIENT_ID"
+                     data-callback="handleGoogleSignIn" />
+                <div className="g_id_signin" data-type="standard" />
+            </div>
+        );
+    }
+    
+    return <div>Welcome, {user.name}! Credits: {user.credits}</div>;
+}
+```

generate_jwt_secret.py

@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+"""
+Generate JWT Secret Key
+
+This script generates a cryptographically secure secret key for JWT signing.
+Run this locally and add the generated key to your .env file.
+
+Usage:
+    python generate_jwt_secret.py
+    
+    # Or with custom length
+    python generate_jwt_secret.py --length 128
+
+Output:
+    Prints the secret key and instructions for adding it to your environment.
+"""
+
+import argparse
+import secrets
+import sys
+
+
+def generate_secret(length: int = 64) -> str:
+    """
+    Generate a cryptographically secure URL-safe secret.
+    
+    Args:
+        length: Number of bytes for the secret (default: 64).
+                The actual string length will be ~1.3x this due to base64 encoding.
+    
+    Returns:
+        str: URL-safe base64 encoded secret.
+    """
+    return secrets.token_urlsafe(length)
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Generate a secure JWT secret key",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""
+Examples:
+    python generate_jwt_secret.py
+    python generate_jwt_secret.py --length 128
+    python generate_jwt_secret.py --format docker
+        """
+    )
+    parser.add_argument(
+        "--length", "-l",
+        type=int,
+        default=64,
+        help="Number of bytes for the secret (default: 64)"
+    )
+    parser.add_argument(
+        "--format", "-f",
+        choices=["env", "docker", "export", "raw"],
+        default="env",
+        help="Output format (default: env)"
+    )
+    
+    args = parser.parse_args()
+    
+    if args.length < 32:
+        print("Warning: Secret length should be at least 32 bytes for security.", file=sys.stderr)
+    
+    secret = generate_secret(args.length)
+    
+    print("\n" + "=" * 60)
+    print("🔐 Generated JWT Secret Key")
+    print("=" * 60)
+    
+    if args.format == "raw":
+        print(secret)
+    elif args.format == "env":
+        print(f"\nAdd this line to your .env file:\n")
+        print(f"JWT_SECRET={secret}")
+    elif args.format == "docker":
+        print(f"\nAdd this to your docker-compose.yml environment:\n")
+        print(f"  - JWT_SECRET={secret}")
+    elif args.format == "export":
+        print(f"\nRun this command to set the environment variable:\n")
+        print(f"export JWT_SECRET='{secret}'")
+    
+    print("\n" + "-" * 60)
+    print("⚠️  IMPORTANT SECURITY NOTES:")
+    print("-" * 60)
+    print("• Keep this secret confidential - never commit it to git")
+    print("• Use different secrets for development and production")
+    print("• If compromised, all existing tokens become invalid")
+    print("• Store securely (e.g., secrets manager, encrypted env)")
+    print("=" * 60 + "\n")
+
+
+if __name__ == "__main__":
+    main()

requirements.txt

@@ -13,3 +13,6 @@ python-dotenv>=1.0.0
 google-api-python-client>=2.0.0
 google-auth-oauthlib>=1.0.0
 google-auth-httplib2>=0.1.0
+google-genai>=1.0.0
+PyJWT>=2.8.0
+

routers/auth.py

@@ -1,21 +1,48 @@
-from fastapi import APIRouter, Depends, HTTPException, status, Request, BackgroundTasks, Header
+"""
+Authentication Router - Google OAuth
+
+Endpoints for Google Sign-In authentication flow.
+No more secret keys - users authenticate with their Google account.
+"""
+from fastapi import APIRouter, Depends, HTTPException, status, Request, BackgroundTasks
 from fastapi.responses import JSONResponse
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select
 from datetime import datetime
 import uuid
+import logging
 
 from core.database import get_db
 from core.models import User, AuditLog
-from core.schemas import CheckRegistrationRequest, RegisterRequest, ResetRequest
-from core.security import get_password_hash, verify_password, generate_secret_key
-from services.email_service import send_email
-from dependencies import check_rate_limit
+from core.schemas import (
+    CheckRegistrationRequest,
+    GoogleAuthRequest,
+    AuthResponse,
+    UserInfoResponse,
+    TokenRefreshRequest,
+    TokenRefreshResponse
+)
+from services.google_auth_service import (
+    GoogleAuthService,
+    InvalidTokenError as GoogleInvalidTokenError,
+    ConfigurationError as GoogleConfigError,
+    get_google_auth_service
+)
+from services.jwt_service import (
+    JWTService,
+    create_access_token,
+    get_jwt_service,
+    InvalidTokenError as JWTInvalidTokenError
+)
+from dependencies import check_rate_limit, get_current_user
 from services.drive_service import DriveService
 
+logger = logging.getLogger(__name__)
+
 router = APIRouter(prefix="/auth", tags=["auth"])
 drive_service = DriveService()
 
+
 @router.post("/check-registration")
 async def check_registration(
     request: CheckRegistrationRequest,
@@ -24,6 +51,7 @@ async def check_registration(
 ):
     """
     Check if a temporary user_id has completed registration.
+    Useful for frontend to check if user needs to sign in.
     """
     # Rate Limit: 10 requests per minute per IP
     ip = req.client.host
@@ -37,227 +65,209 @@ async def check_registration(
     return {"is_registered": user is not None}
 
 
-@router.post("/register")
-async def register(
-    request: RegisterRequest,
+@router.post("/google", response_model=AuthResponse)
+async def google_auth(
+    request: GoogleAuthRequest,
     req: Request,
     background_tasks: BackgroundTasks,
     db: AsyncSession = Depends(get_db)
 ):
     """
-    Register new user, generate secret key, send email.
+    Authenticate with Google ID token.
+    
+    Frontend flow:
+    1. User clicks "Sign in with Google" button
+    2. Google returns an ID token
+    3. Frontend sends that token to this endpoint
+    4. We verify it with Google and issue our own JWT
+    
+    Creates new user or returns existing user.
+    Existing users matched by email.
     """
-    # Rate Limit: 5 registrations per hour per IP
     ip = req.client.host
-    if not await check_rate_limit(db, ip, "/auth/register", 5, 60):
-        raise HTTPException(status_code=status.HTTP_429_TOO_MANY_REQUESTS, detail="Too many registration attempts")
-
-    # Check Email Already Registered
-    query = select(User).where(User.email == request.email)
-    result = await db.execute(query)
-    if result.scalar_one_or_none():
-        raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail="Email already registered")
-
-    # Check temp_user_id Already Registered
-    query = select(User).where(User.temp_user_id == request.user_id)
+    
+    # Rate Limit: 10 attempts per minute per IP
+    if not await check_rate_limit(db, ip, "/auth/google", 10, 1):
+        raise HTTPException(
+            status_code=status.HTTP_429_TOO_MANY_REQUESTS,
+            detail="Too many authentication attempts"
+        )
+    
+    # Verify Google token
+    try:
+        google_service = get_google_auth_service()
+        google_info = google_service.verify_token(request.id_token)
+    except GoogleConfigError as e:
+        logger.error(f"Google Auth not configured: {e}")
+        raise HTTPException(
+            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+            detail="Google authentication is not configured"
+        )
+    except GoogleInvalidTokenError as e:
+        logger.warning(f"Invalid Google token from {ip}: {e}")
+        
+        # Log failed attempt
+        audit_log = AuditLog(
+            user_id=None,
+            action="google_auth",
+            ip_address=ip,
+            status="failed",
+            error_message=str(e)
+        )
+        db.add(audit_log)
+        await db.commit()
+        
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid Google token. Please try signing in again."
+        )
+    
+    # Check for existing user by email (preserves credits for migrated users)
+    query = select(User).where(User.email == google_info.email)
     result = await db.execute(query)
-    if result.scalar_one_or_none():
-        raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail="User already registered")
-
-    # Generate Secret Key
-    secret_key = generate_secret_key()
-    secret_key_hash = get_password_hash(secret_key)
-    backend_user_id = "usr_" + str(uuid.uuid4())
-
-    # Create User
-    new_user = User(
-        user_id=backend_user_id,
-        temp_user_id=request.user_id,
-        email=request.email,
-        secret_key_hash=secret_key_hash,
-        credits=100
-    )
-    db.add(new_user)
+    user = result.scalar_one_or_none()
+    
+    is_new_user = False
     
-    # Log Audit
+    if user:
+        # Existing user - update Google info
+        if not user.google_id:
+            user.google_id = google_info.google_id
+            logger.info(f"Linked Google account to existing user: {user.email}")
+        
+        user.name = google_info.name
+        user.profile_picture = google_info.picture
+        user.last_used_at = datetime.utcnow()
+        
+        # Link temp_user_id if provided and not already set
+        if request.temp_user_id and not user.temp_user_id:
+            user.temp_user_id = request.temp_user_id
+    else:
+        # New user - create account
+        is_new_user = True
+        user = User(
+            user_id="usr_" + str(uuid.uuid4()),
+            temp_user_id=request.temp_user_id,
+            email=google_info.email,
+            google_id=google_info.google_id,
+            name=google_info.name,
+            profile_picture=google_info.picture,
+            credits=100
+        )
+        db.add(user)
+        logger.info(f"New user created via Google: {google_info.email}")
+    
+    # Log successful auth
     audit_log = AuditLog(
-        user_id=backend_user_id,
-        action="register",
+        user_id=user.user_id,
+        action="google_auth",
         ip_address=ip,
         status="success"
     )
     db.add(audit_log)
-    
     await db.commit()
-
-    # Send Email (Async)
-    email_body = f"""Hello,
-
-Your secret key is: {secret_key}
-
-Please save this key securely.
-You'll need it to access your credits.
-
-If you lose this key, use the 'Forgot Key'
-option with this email address.
-
-Credits: 100
-Valid from: {datetime.now().strftime('%Y-%m-%d')}
-
-Do not share this key with anyone."""
-
-    background_tasks.add_task(
-        send_email,
-        request.email,
-        "Your Secret Key - Credit System",
-        email_body
-    )
+    
+    # Create our JWT access token
+    access_token = create_access_token(user.user_id, user.email)
     
     # Sync DB to Drive (Async)
     background_tasks.add_task(drive_service.upload_db)
+    
+    return AuthResponse(
+        success=True,
+        access_token=access_token,
+        user_id=user.user_id,
+        email=user.email,
+        name=user.name,
+        credits=user.credits,
+        is_new_user=is_new_user
+    )
 
-    return {"success": True, "message": "Registration successful. Check your email."}
 
+@router.get("/me", response_model=UserInfoResponse)
+async def get_current_user_info(
+    user: User = Depends(get_current_user)
+):
+    """
+    Get current authenticated user info.
+    
+    Requires Authorization: Bearer <token> header.
+    """
+    return UserInfoResponse(
+        user_id=user.user_id,
+        email=user.email,
+        name=user.name,
+        credits=user.credits,
+        profile_picture=user.profile_picture
+    )
 
-@router.post("/validate")
-async def validate_key(
+
+@router.post("/refresh", response_model=TokenRefreshResponse)
+async def refresh_token(
+    request: TokenRefreshRequest,
     req: Request,
-    background_tasks: BackgroundTasks,
-    x_secret_key: str = Header(..., alias="X-Secret-Key"),
     db: AsyncSession = Depends(get_db)
 ):
     """
-    Validate secret key and return user info.
+    Refresh an access token.
+    
+    Use this when the current token is about to expire
+    (or has recently expired) to get a new one without
+    requiring the user to sign in again.
     """
-    # Rate Limit: 20 validations per hour per IP
     ip = req.client.host
-    if not await check_rate_limit(db, ip, "/auth/validate", 20, 60):
-        raise HTTPException(status_code=status.HTTP_429_TOO_MANY_REQUESTS, detail="Too many validation attempts")
-
-    query = select(User).where(User.is_active == True)
-    result = await db.execute(query)
-    users = result.scalars().all()
-    
-    valid_user = None
-    for user in users:
-        if verify_password(x_secret_key, user.secret_key_hash):
-            valid_user = user
-            break
     
-    if valid_user:
-        # Update last_used_at
-        valid_user.last_used_at = datetime.utcnow()
-        
-        # Log Audit
-        audit_log = AuditLog(
-            user_id=valid_user.user_id,
-            action="validate",
-            ip_address=ip,
-            status="success"
+    # Rate Limit: 5 refreshes per minute per IP
+    if not await check_rate_limit(db, ip, "/auth/refresh", 5, 1):
+        raise HTTPException(
+            status_code=status.HTTP_429_TOO_MANY_REQUESTS,
+            detail="Too many refresh attempts"
         )
-        db.add(audit_log)
-        await db.commit()
-        
-        # Sync DB to Drive (Async) - Optional but good for audit logs
-        background_tasks.add_task(drive_service.upload_db)
+    
+    try:
+        jwt_service = get_jwt_service()
+        new_token = jwt_service.refresh_token(request.token)
         
-        return {
-            "valid": True,
-            "user_id": valid_user.user_id,
-            "credits": valid_user.credits,
-            "message": "Valid key"
-        }
-    else:
-        # Log Audit
-        audit_log = AuditLog(
-            user_id=None,
-            action="validate",
-            ip_address=ip,
-            status="failed",
-            error_message="Invalid key"
+        return TokenRefreshResponse(
+            success=True,
+            access_token=new_token
         )
-        db.add(audit_log)
-        await db.commit()
-        
-        return JSONResponse(
+    except JWTInvalidTokenError as e:
+        raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
-            content={"valid": False, "message": "Invalid secret key"}
+            detail=f"Cannot refresh token: {str(e)}"
         )
 
 
-@router.post("/reset")
-async def reset_key(
-    request: ResetRequest,
+@router.post("/logout")
+async def logout(
     req: Request,
     background_tasks: BackgroundTasks,
+    user: User = Depends(get_current_user),
     db: AsyncSession = Depends(get_db)
 ):
     """
-    Reset/recover secret key via email.
-    """
-    # Rate Limit: 3 reset attempts per hour per email
-    if not await check_rate_limit(db, request.email, "/auth/reset", 3, 60):
-        raise HTTPException(status_code=status.HTTP_429_TOO_MANY_REQUESTS, detail="Too many reset attempts")
-
-    query = select(User).where(User.email == request.email)
-    result = await db.execute(query)
-    user = result.scalar_one_or_none()
+    Logout current user.
+    
+    Note: JWT tokens are stateless, so this endpoint mainly
+    serves to log the action. Frontend should discard the token.
     
+    For full session invalidation, consider implementing
+    a token blacklist or reducing token expiry times.
+    """
     ip = req.client.host
-
-    if user:
-        # Generate New Secret Key
-        new_secret_key = generate_secret_key()
-        new_secret_key_hash = get_password_hash(new_secret_key)
-        
-        user.secret_key_hash = new_secret_key_hash
-        user.updated_at = datetime.utcnow()
-        
-        # Log Audit
-        audit_log = AuditLog(
-            user_id=user.user_id,
-            action="reset",
-            ip_address=ip,
-            status="success"
-        )
-        db.add(audit_log)
-        await db.commit()
-        
-        # Send Email
-        email_body = f"""Hello,
-
-You requested a secret key reset.
-
-Your NEW secret key is: {new_secret_key}
-
-Your old secret key is now invalid.
-
-If you didn't request this, please
-contact support immediately.
-
-Current Credits: {user.credits}"""
-
-        background_tasks.add_task(
-            send_email,
-            request.email,
-            "Your New Secret Key",
-            email_body
-        )
-        
-        # Sync DB to Drive (Async)
-        background_tasks.add_task(drive_service.upload_db)
-        
-    else:
-        # Log Audit (failed/not found)
-        audit_log = AuditLog(
-            user_id=None,
-            action="reset",
-            ip_address=ip,
-            status="failed",
-            error_message="Email not found"
-        )
-        db.add(audit_log)
-        await db.commit()
-
-    # Always return success
-    return {"success": True, "message": "If this email is registered, reset instructions have been sent."}
+    
+    # Log logout
+    audit_log = AuditLog(
+        user_id=user.user_id,
+        action="logout",
+        ip_address=ip,
+        status="success"
+    )
+    db.add(audit_log)
+    await db.commit()
+    
+    # Sync DB to Drive (Async)
+    background_tasks.add_task(drive_service.upload_db)
+    
+    return {"success": True, "message": "Logged out successfully"}

routers/gemini.py

@@ -0,0 +1,352 @@
+"""
+Gemini Router - API endpoints for Gemini AI services.
+Uses job queue pattern for async processing.
+Authentication via JWT (Authorization: Bearer <token>).
+"""
+import os
+import uuid
+from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi.responses import FileResponse
+from pydantic import BaseModel, Field
+from typing import Optional, Literal
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import select, func
+
+from core.database import get_db
+from core.models import User, GeminiJob
+from services.gemini_service import MODELS, DOWNLOADS_DIR
+from dependencies import verify_credits, get_current_user
+from datetime import datetime
+
+router = APIRouter(prefix="/gemini", tags=["gemini"])
+
+
+# Request/Response Models
+class GenerateAnimationPromptRequest(BaseModel):
+    base64_image: str = Field(..., description="Base64 encoded image data")
+    mime_type: str = Field(..., description="MIME type of the image (e.g., image/png)")
+    custom_prompt: Optional[str] = Field(None, description="Optional custom prompt for analysis")
+
+
+class EditImageRequest(BaseModel):
+    base64_image: str = Field(..., description="Base64 encoded image data")
+    mime_type: str = Field(..., description="MIME type of the image")
+    prompt: str = Field(..., description="Edit instructions")
+
+
+class GenerateVideoRequest(BaseModel):
+    base64_image: str = Field(..., description="Base64 encoded image data")
+    mime_type: str = Field(..., description="MIME type of the image")
+    prompt: str = Field(..., description="Video generation prompt")
+    aspect_ratio: Literal["16:9", "9:16"] = Field("16:9", description="Video aspect ratio")
+    resolution: Literal["720p", "1080p"] = Field("720p", description="Video resolution")
+    number_of_videos: int = Field(1, ge=1, le=4, description="Number of videos to generate")
+
+
+class GenerateTextRequest(BaseModel):
+    prompt: str = Field(..., description="Text prompt")
+    model: Optional[str] = Field(None, description="Model to use (defaults to gemini-2.5-flash)")
+
+
+class AnalyzeImageRequest(BaseModel):
+    base64_image: str = Field(..., description="Base64 encoded image data")
+    mime_type: str = Field(..., description="MIME type of the image")
+    prompt: str = Field(..., description="Analysis prompt")
+
+
+# Authentication is handled by dependencies.verify_credits
+# which uses JWT tokens from Authorization: Bearer <token> header
+
+
+async def get_queue_position(db: AsyncSession, job_id: str) -> int:
+    """Get the position of a job in the queue."""
+    query = select(func.count()).where(
+        GeminiJob.status == "queued",
+        GeminiJob.created_at < select(GeminiJob.created_at).where(GeminiJob.job_id == job_id).scalar_subquery()
+    )
+    result = await db.execute(query)
+    return result.scalar() + 1
+
+
+async def create_job(
+    db: AsyncSession,
+    user: User,
+    job_type: str,
+    input_data: dict
+) -> GeminiJob:
+    """Create a new job in the queue."""
+    job_id = f"job_{uuid.uuid4().hex[:16]}"
+    
+    job = GeminiJob(
+        job_id=job_id,
+        user_id=user.user_id,
+        job_type=job_type,
+        status="queued",
+        input_data=input_data
+    )
+    db.add(job)
+    await db.commit()
+    await db.refresh(job)
+    
+    return job
+
+
+@router.post("/generate-animation-prompt")
+async def generate_animation_prompt(
+    request: GenerateAnimationPromptRequest,
+    user: User = Depends(verify_credits),
+    db: AsyncSession = Depends(get_db)
+):
+    """
+    Queue an animation prompt generation job.
+    """
+    job = await create_job(
+        db=db,
+        user=user,
+        job_type="animation_prompt",
+        input_data={
+            "base64_image": request.base64_image,
+            "mime_type": request.mime_type,
+            "custom_prompt": request.custom_prompt
+        }
+    )
+    
+    position = await get_queue_position(db, job.job_id)
+    
+    return {
+        "success": True,
+        "job_id": job.job_id,
+        "status": "queued",
+        "position": position,
+        "credits_remaining": user.credits
+    }
+
+
+@router.post("/edit-image")
+async def edit_image(
+    request: EditImageRequest,
+    user: User = Depends(verify_credits),
+    db: AsyncSession = Depends(get_db)
+):
+    """
+    Queue an image edit job.
+    """
+    job = await create_job(
+        db=db,
+        user=user,
+        job_type="image",
+        input_data={
+            "base64_image": request.base64_image,
+            "mime_type": request.mime_type,
+            "prompt": request.prompt
+        }
+    )
+    
+    position = await get_queue_position(db, job.job_id)
+    
+    return {
+        "success": True,
+        "job_id": job.job_id,
+        "status": "queued",
+        "position": position,
+        "credits_remaining": user.credits
+    }
+
+
+@router.post("/generate-video")
+async def generate_video(
+    request: GenerateVideoRequest,
+    user: User = Depends(verify_credits),
+    db: AsyncSession = Depends(get_db)
+):
+    """
+    Queue a video generation job.
+    """
+    job = await create_job(
+        db=db,
+        user=user,
+        job_type="video",
+        input_data={
+            "base64_image": request.base64_image,
+            "mime_type": request.mime_type,
+            "prompt": request.prompt,
+            "aspect_ratio": request.aspect_ratio,
+            "resolution": request.resolution,
+            "number_of_videos": request.number_of_videos
+        }
+    )
+    
+    position = await get_queue_position(db, job.job_id)
+    
+    return {
+        "success": True,
+        "job_id": job.job_id,
+        "status": "queued",
+        "position": position,
+        "credits_remaining": user.credits
+    }
+
+
+@router.post("/generate-text")
+async def generate_text(
+    request: GenerateTextRequest,
+    user: User = Depends(verify_credits),
+    db: AsyncSession = Depends(get_db)
+):
+    """
+    Queue a text generation job.
+    """
+    job = await create_job(
+        db=db,
+        user=user,
+        job_type="text",
+        input_data={
+            "prompt": request.prompt,
+            "model": request.model
+        }
+    )
+    
+    position = await get_queue_position(db, job.job_id)
+    
+    return {
+        "success": True,
+        "job_id": job.job_id,
+        "status": "queued",
+        "position": position,
+        "credits_remaining": user.credits
+    }
+
+
+@router.post("/analyze-image")
+async def analyze_image(
+    request: AnalyzeImageRequest,
+    user: User = Depends(verify_credits),
+    db: AsyncSession = Depends(get_db)
+):
+    """
+    Queue an image analysis job.
+    """
+    job = await create_job(
+        db=db,
+        user=user,
+        job_type="analyze",
+        input_data={
+            "base64_image": request.base64_image,
+            "mime_type": request.mime_type,
+            "prompt": request.prompt
+        }
+    )
+    
+    position = await get_queue_position(db, job.job_id)
+    
+    return {
+        "success": True,
+        "job_id": job.job_id,
+        "status": "queued",
+        "position": position,
+        "credits_remaining": user.credits
+    }
+
+
+@router.get("/job/{job_id}")
+async def get_job_status(
+    job_id: str,
+    user: User = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db)
+):
+    """
+    Get the status of a job.
+    Poll this endpoint until status is 'completed' or 'failed'.
+    """
+    query = select(GeminiJob).where(
+        GeminiJob.job_id == job_id,
+        GeminiJob.user_id == user.user_id
+    )
+    result = await db.execute(query)
+    job = result.scalar_one_or_none()
+    
+    if not job:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Job not found"
+        )
+    
+    response = {
+        "success": True,
+        "job_id": job.job_id,
+        "job_type": job.job_type,
+        "status": job.status,
+        "created_at": job.created_at.isoformat() if job.created_at else None,
+        "credits_remaining": user.credits
+    }
+    
+    if job.status == "queued":
+        response["position"] = await get_queue_position(db, job.job_id)
+    
+    if job.status == "processing":
+        response["started_at"] = job.started_at.isoformat() if job.started_at else None
+    
+    if job.status == "completed":
+        response["completed_at"] = job.completed_at.isoformat() if job.completed_at else None
+        response["output"] = job.output_data
+        
+        # For video jobs, add download URL
+        if job.job_type == "video" and job.output_data and job.output_data.get("filename"):
+            response["download_url"] = f"/gemini/download/{job.job_id}"
+    
+    if job.status == "failed":
+        response["error"] = job.error_message
+        response["completed_at"] = job.completed_at.isoformat() if job.completed_at else None
+    
+    return response
+
+
+@router.get("/download/{job_id}")
+async def download_video(
+    job_id: str,
+    user: User = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db)
+):
+    """
+    Download a generated video.
+    """
+    query = select(GeminiJob).where(
+        GeminiJob.job_id == job_id,
+        GeminiJob.user_id == user.user_id,
+        GeminiJob.job_type == "video"
+    )
+    result = await db.execute(query)
+    job = result.scalar_one_or_none()
+    
+    if not job:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Job not found"
+        )
+    
+    if job.status != "completed" or not job.output_data or not job.output_data.get("filename"):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Video not ready for download"
+        )
+    
+    filepath = os.path.join(DOWNLOADS_DIR, job.output_data["filename"])
+    if not os.path.exists(filepath):
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Video file not found"
+        )
+    
+    return FileResponse(
+        path=filepath,
+        media_type="video/mp4",
+        filename=f"video_{job_id}.mp4"
+    )
+
+
+@router.get("/models")
+async def get_models():
+    """
+    Get available model names.
+    """
+    return {"models": MODELS}

services/drive_service.py

@@ -24,9 +24,10 @@ class DriveService:
     def __init__(self):
         self.creds = None
         self.service = None
-        self.client_id = os.getenv('GOOGLE_CLIENT_ID')
-        self.client_secret = os.getenv('GOOGLE_CLIENT_SECRET')
-        self.refresh_token = os.getenv('GOOGLE_REFRESH_TOKEN')
+        # Server-side credentials for Drive API
+        self.client_id = os.getenv('SERVER_GOOGLE_CLIENT_ID') or os.getenv('GOOGLE_CLIENT_ID')
+        self.client_secret = os.getenv('SERVER_GOOGLE_CLIENT_SECRET') or os.getenv('GOOGLE_CLIENT_SECRET')
+        self.refresh_token = os.getenv('SERVER_GOOGLE_REFRESH_TOKEN') or os.getenv('GOOGLE_REFRESH_TOKEN')
 
     def authenticate(self):
         """Authenticate using the refresh token."""

services/email_service.py

@@ -32,9 +32,10 @@ class GmailService:
     def __init__(self):
         self.creds = None
         self.service = None
-        self.client_id = os.getenv('GOOGLE_CLIENT_ID')
-        self.client_secret = os.getenv('GOOGLE_CLIENT_SECRET')
-        self.refresh_token = os.getenv('GOOGLE_REFRESH_TOKEN')
+        # Server-side credentials for Gmail API
+        self.client_id = os.getenv('SERVER_GOOGLE_CLIENT_ID') or os.getenv('GOOGLE_CLIENT_ID')
+        self.client_secret = os.getenv('SERVER_GOOGLE_CLIENT_SECRET') or os.getenv('GOOGLE_CLIENT_SECRET')
+        self.refresh_token = os.getenv('SERVER_GOOGLE_REFRESH_TOKEN') or os.getenv('GOOGLE_REFRESH_TOKEN')
         self.sender_email = os.getenv('SMTP_SENDER') or os.getenv('EMAIL_ID')
 
     def authenticate(self):

services/gemini_service.py

@@ -0,0 +1,344 @@
+"""
+Gemini AI Service for image and video generation.
+Python port of the TypeScript geminiService.ts
+Uses server-side API key from environment.
+"""
+import asyncio
+import logging
+import os
+import uuid
+import httpx
+from typing import Optional, Literal
+from google import genai
+from google.genai import types
+
+logger = logging.getLogger(__name__)
+
+# Model names - easily configurable
+MODELS = {
+    "text_generation": "gemini-2.5-flash",
+    "image_edit": "gemini-2.5-flash-image",
+    "video_generation": "veo-3.1-fast-generate-preview"
+}
+
+# Type aliases
+AspectRatio = Literal["16:9", "9:16"]
+Resolution = Literal["720p", "1080p"]
+
+# Video downloads directory
+DOWNLOADS_DIR = os.path.join(os.path.dirname(os.path.dirname(__file__)), "downloads")
+
+# Ensure downloads directory exists
+os.makedirs(DOWNLOADS_DIR, exist_ok=True)
+
+# Concurrency limits from environment (defaults)
+MAX_CONCURRENT_VIDEOS = int(os.getenv("MAX_CONCURRENT_VIDEOS", "2"))
+MAX_CONCURRENT_IMAGES = int(os.getenv("MAX_CONCURRENT_IMAGES", "5"))
+MAX_CONCURRENT_TEXT = int(os.getenv("MAX_CONCURRENT_TEXT", "10"))
+
+# Semaphores for concurrency control
+_video_semaphore: Optional[asyncio.Semaphore] = None
+_image_semaphore: Optional[asyncio.Semaphore] = None
+_text_semaphore: Optional[asyncio.Semaphore] = None
+
+
+def get_video_semaphore() -> asyncio.Semaphore:
+    """Get or create video semaphore."""
+    global _video_semaphore
+    if _video_semaphore is None:
+        _video_semaphore = asyncio.Semaphore(MAX_CONCURRENT_VIDEOS)
+        logger.info(f"Video semaphore initialized with limit: {MAX_CONCURRENT_VIDEOS}")
+    return _video_semaphore
+
+
+def get_image_semaphore() -> asyncio.Semaphore:
+    """Get or create image semaphore."""
+    global _image_semaphore
+    if _image_semaphore is None:
+        _image_semaphore = asyncio.Semaphore(MAX_CONCURRENT_IMAGES)
+        logger.info(f"Image semaphore initialized with limit: {MAX_CONCURRENT_IMAGES}")
+    return _image_semaphore
+
+
+def get_text_semaphore() -> asyncio.Semaphore:
+    """Get or create text semaphore."""
+    global _text_semaphore
+    if _text_semaphore is None:
+        _text_semaphore = asyncio.Semaphore(MAX_CONCURRENT_TEXT)
+        logger.info(f"Text semaphore initialized with limit: {MAX_CONCURRENT_TEXT}")
+    return _text_semaphore
+
+
+def get_gemini_api_key() -> str:
+    """Get Gemini API key from environment."""
+    api_key = os.getenv("GEMINI_API_KEY")
+    if not api_key:
+        raise ValueError("GEMINI_API_KEY environment variable not set")
+    return api_key
+
+
+class GeminiService:
+    """
+    Gemini AI Service for text, image, and video generation.
+    Uses server-side API key from environment.
+    """
+
+    def __init__(self, api_key: Optional[str] = None):
+        """Initialize the Gemini client with API key from env or provided."""
+        self.api_key = api_key or get_gemini_api_key()
+        self.client = genai.Client(api_key=self.api_key)
+
+    def _handle_api_error(self, error: Exception, context: str):
+        """Handle API errors with descriptive messages."""
+        msg = str(error)
+        if "404" in msg or "NOT_FOUND" in msg or "Requested entity was not found" in msg or "[5," in msg:
+            raise ValueError(
+                f"Model not found ({context}). Ensure your API key project has access to this model. "
+                "Veo requires a paid account."
+            )
+        raise error
+
+    async def generate_animation_prompt(
+        self,
+        base64_image: str,
+        mime_type: str,
+        custom_prompt: Optional[str] = None
+    ) -> str:
+        """
+        Analyzes the image to generate a suitable animation prompt.
+        """
+        default_prompt = custom_prompt or "Describe how this image could be subtly animated with cinematic movement."
+        async with get_text_semaphore():
+            try:
+                response = await asyncio.to_thread(
+                    self.client.models.generate_content,
+                    model=MODELS["text_generation"],
+                    contents=types.Content(
+                        parts=[
+                            types.Part.from_bytes(
+                                data=base64_image,
+                                mime_type=mime_type
+                            ),
+                            types.Part.from_text(text=default_prompt)
+                        ]
+                    )
+                )
+                return response.text or "Cinematic subtle movement"
+            except Exception as error:
+                self._handle_api_error(error, MODELS["text_generation"])
+
+    async def edit_image(
+        self,
+        base64_image: str,
+        mime_type: str,
+        prompt: str
+    ) -> str:
+        """
+        Edit an image using Gemini image model.
+        Returns base64 data URI of the edited image.
+        """
+        async with get_image_semaphore():
+            try:
+                response = await asyncio.to_thread(
+                    self.client.models.generate_content,
+                    model=MODELS["image_edit"],
+                    contents=types.Content(
+                        parts=[
+                            types.Part.from_bytes(
+                                data=base64_image,
+                                mime_type=mime_type
+                            ),
+                            types.Part.from_text(text=prompt or "Enhance this image")
+                        ]
+                    )
+                )
+
+                candidates = response.candidates
+                if not candidates:
+                    raise ValueError("No candidates returned from Gemini.")
+
+                for part in candidates[0].content.parts:
+                    if hasattr(part, 'inline_data') and part.inline_data and part.inline_data.data:
+                        result_mime = part.inline_data.mime_type or 'image/png'
+                        return f"data:{result_mime};base64,{part.inline_data.data}"
+
+                raise ValueError("No image data found in the response.")
+            except Exception as error:
+                self._handle_api_error(error, MODELS["image_edit"])
+
+    async def start_video_generation(
+        self,
+        base64_image: str,
+        mime_type: str,
+        prompt: str,
+        aspect_ratio: AspectRatio = "16:9",
+        resolution: Resolution = "720p",
+        number_of_videos: int = 1
+    ) -> dict:
+        """
+        Start video generation using Veo model.
+        Returns operation details for polling.
+        """
+        async with get_video_semaphore():
+            try:
+                # Start video generation
+                operation = await asyncio.to_thread(
+                    self.client.models.generate_videos,
+                    model=MODELS["video_generation"],
+                    prompt=prompt,
+                    image=types.Image(
+                        image_bytes=base64_image,
+                        mime_type=mime_type
+                    ),
+                    config=types.GenerateVideosConfig(
+                        number_of_videos=number_of_videos,
+                        resolution=resolution,
+                        aspect_ratio=aspect_ratio
+                    )
+                )
+                
+                # Return operation details
+                return {
+                    "gemini_operation_name": operation.name,
+                    "done": operation.done,
+                    "status": "completed" if operation.done else "pending"
+                }
+            except Exception as error:
+                self._handle_api_error(error, MODELS["video_generation"])
+
+    async def check_video_status(self, gemini_operation_name: str) -> dict:
+        """
+        Check the status of a video generation operation.
+        Returns status and video URL if complete.
+        """
+        try:
+            # Get operation status
+            operation = await asyncio.to_thread(
+                self.client.operations.get,
+                name=gemini_operation_name
+            )
+            
+            if not operation.done:
+                return {
+                    "gemini_operation_name": gemini_operation_name,
+                    "done": False,
+                    "status": "pending"
+                }
+            
+            if operation.error:
+                return {
+                    "gemini_operation_name": gemini_operation_name,
+                    "done": True,
+                    "status": "failed",
+                    "error": operation.error.message or "Unknown error"
+                }
+            
+            # Extract video URI
+            generated_videos = getattr(operation.response, 'generated_videos', None)
+            if not generated_videos:
+                return {
+                    "gemini_operation_name": gemini_operation_name,
+                    "done": True,
+                    "status": "failed",
+                    "error": "No video URI returned. May be due to safety filters."
+                }
+            
+            video_uri = generated_videos[0].video.uri if generated_videos[0].video else None
+            if not video_uri:
+                return {
+                    "gemini_operation_name": gemini_operation_name,
+                    "done": True,
+                    "status": "failed",
+                    "error": "No video URI in response."
+                }
+            
+            # Return success with video URL (internal - will be downloaded by router)
+            return {
+                "gemini_operation_name": gemini_operation_name,
+                "done": True,
+                "status": "completed",
+                "video_url": f"{video_uri}&key={self.api_key}"
+            }
+            
+        except Exception as error:
+            msg = str(error)
+            if "404" in msg or "NOT_FOUND" in msg or "Requested entity was not found" in msg:
+                return {
+                    "gemini_operation_name": gemini_operation_name,
+                    "done": True,
+                    "status": "failed",
+                    "error": "Operation not found (404). It may have expired."
+                }
+            raise error
+
+    async def download_video(self, video_url: str, operation_id: str) -> str:
+        """
+        Download video from Gemini to local storage.
+        Returns the local filename.
+        """
+        filename = f"{operation_id}.mp4"
+        filepath = os.path.join(DOWNLOADS_DIR, filename)
+        
+        try:
+            async with httpx.AsyncClient(timeout=120.0) as client:
+                response = await client.get(video_url)
+                response.raise_for_status()
+                
+                with open(filepath, 'wb') as f:
+                    f.write(response.content)
+                
+                logger.info(f"Downloaded video to {filepath}")
+                return filename
+        except Exception as e:
+            logger.error(f"Failed to download video: {e}")
+            raise ValueError(f"Failed to download video: {e}")
+
+    async def generate_text(
+        self,
+        prompt: str,
+        model: Optional[str] = None
+    ) -> str:
+        """
+        Simple text generation with Gemini.
+        """
+        model_name = model or MODELS["text_generation"]
+        async with get_text_semaphore():
+            try:
+                response = await asyncio.to_thread(
+                    self.client.models.generate_content,
+                    model=model_name,
+                    contents=types.Content(
+                        parts=[types.Part.from_text(text=prompt)]
+                    )
+                )
+                return response.text or ""
+            except Exception as error:
+                self._handle_api_error(error, model_name)
+
+    async def analyze_image(
+        self,
+        base64_image: str,
+        mime_type: str,
+        prompt: str
+    ) -> str:
+        """
+        Analyze image with custom prompt.
+        """
+        async with get_text_semaphore():
+            try:
+                response = await asyncio.to_thread(
+                    self.client.models.generate_content,
+                    model=MODELS["text_generation"],
+                    contents=types.Content(
+                        parts=[
+                            types.Part.from_bytes(
+                                data=base64_image,
+                                mime_type=mime_type
+                            ),
+                            types.Part.from_text(text=prompt)
+                        ]
+                    )
+                )
+                return response.text or ""
+            except Exception as error:
+                self._handle_api_error(error, MODELS["text_generation"])

services/google_auth_service.py

@@ -0,0 +1,232 @@
+"""
+Modular Google OAuth Service
+
+A self-contained, plug-and-play service for verifying Google ID tokens.
+Can be used in any Python application with minimal configuration.
+
+Usage:
+    from services.google_auth_service import GoogleAuthService, GoogleUserInfo
+    
+    # Initialize with client ID
+    auth_service = GoogleAuthService(client_id="your-google-client-id")
+    
+    # Or use environment variable GOOGLE_CLIENT_ID
+    auth_service = GoogleAuthService()
+    
+    # Verify a Google ID token
+    user_info = auth_service.verify_token(id_token)
+    print(user_info.email, user_info.google_id, user_info.name)
+
+Environment Variables:
+    GOOGLE_CLIENT_ID: Your Google OAuth 2.0 Client ID
+
+Dependencies:
+    google-auth>=2.0.0
+    google-auth-oauthlib>=1.0.0
+"""
+
+import os
+import logging
+from dataclasses import dataclass
+from typing import Optional
+from google.oauth2 import id_token as google_id_token
+from google.auth.transport import requests as google_requests
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class GoogleUserInfo:
+    """
+    User information extracted from a verified Google ID token.
+    
+    Attributes:
+        google_id: Unique Google user identifier (sub claim)
+        email: User's email address
+        email_verified: Whether Google has verified the email
+        name: User's display name (may be None)
+        picture: URL to user's profile picture (may be None)
+        given_name: User's first name (may be None)
+        family_name: User's last name (may be None)
+        locale: User's locale preference (may be None)
+    """
+    google_id: str
+    email: str
+    email_verified: bool = True
+    name: Optional[str] = None
+    picture: Optional[str] = None
+    given_name: Optional[str] = None
+    family_name: Optional[str] = None
+    locale: Optional[str] = None
+
+
+class GoogleAuthError(Exception):
+    """Base exception for Google Auth errors."""
+    pass
+
+
+class InvalidTokenError(GoogleAuthError):
+    """Raised when the token is invalid or expired."""
+    pass
+
+
+class ConfigurationError(GoogleAuthError):
+    """Raised when the service is not properly configured."""
+    pass
+
+
+class GoogleAuthService:
+    """
+    Service for verifying Google OAuth ID tokens.
+    
+    This service validates ID tokens issued by Google Sign-In and extracts
+    user information. It's designed to be modular and reusable across
+    different applications.
+    
+    Example:
+        service = GoogleAuthService()
+        try:
+            user_info = service.verify_token(token_from_frontend)
+            print(f"Welcome {user_info.name}!")
+        except InvalidTokenError:
+            print("Invalid or expired token")
+    """
+    
+    def __init__(
+        self,
+        client_id: Optional[str] = None,
+        clock_skew_seconds: int = 0
+    ):
+        """
+        Initialize the Google Auth Service.
+        
+        Args:
+            client_id: Google OAuth 2.0 Client ID. If not provided,
+                      falls back to GOOGLE_CLIENT_ID environment variable.
+            clock_skew_seconds: Allowed clock skew in seconds for token
+                               validation (default: 0).
+        
+        Raises:
+            ConfigurationError: If no client_id is provided or found.
+        """
+        self.client_id = client_id or os.getenv("AUTH_SIGN_IN_GOOGLE_CLIENT_ID")
+        self.clock_skew_seconds = clock_skew_seconds
+        
+        if not self.client_id:
+            raise ConfigurationError(
+                "Google Client ID is required. Either pass client_id parameter "
+                "or set GOOGLE_CLIENT_ID environment variable."
+            )
+        
+        logger.info(f"GoogleAuthService initialized with client_id: {self.client_id[:20]}...")
+    
+    def verify_token(self, id_token: str) -> GoogleUserInfo:
+        """
+        Verify a Google ID token and extract user information.
+        
+        Args:
+            id_token: The ID token received from the frontend after
+                     Google Sign-In.
+        
+        Returns:
+            GoogleUserInfo: Dataclass containing user's Google profile info.
+        
+        Raises:
+            InvalidTokenError: If the token is invalid, expired, or
+                              doesn't match the expected client ID.
+        """
+        if not id_token:
+            raise InvalidTokenError("Token cannot be empty")
+        
+        try:
+            # Verify the token with Google
+            idinfo = google_id_token.verify_oauth2_token(
+                id_token,
+                google_requests.Request(),
+                self.client_id,
+                clock_skew_in_seconds=self.clock_skew_seconds
+            )
+            
+            # Validate issuer
+            if idinfo.get("iss") not in ["accounts.google.com", "https://accounts.google.com"]:
+                raise InvalidTokenError("Invalid token issuer")
+            
+            # Validate audience
+            if idinfo.get("aud") != self.client_id:
+                raise InvalidTokenError("Token was not issued for this application")
+            
+            # Extract user info
+            return GoogleUserInfo(
+                google_id=idinfo["sub"],
+                email=idinfo["email"],
+                email_verified=idinfo.get("email_verified", False),
+                name=idinfo.get("name"),
+                picture=idinfo.get("picture"),
+                given_name=idinfo.get("given_name"),
+                family_name=idinfo.get("family_name"),
+                locale=idinfo.get("locale")
+            )
+            
+        except ValueError as e:
+            logger.warning(f"Token verification failed: {e}")
+            raise InvalidTokenError(f"Token verification failed: {str(e)}")
+        except Exception as e:
+            logger.error(f"Unexpected error during token verification: {e}")
+            raise InvalidTokenError(f"Token verification error: {str(e)}")
+    
+    def verify_token_safe(self, id_token: str) -> Optional[GoogleUserInfo]:
+        """
+        Verify a Google ID token without raising exceptions.
+        
+        Useful for cases where you want to check validity without
+        exception handling.
+        
+        Args:
+            id_token: The ID token to verify.
+        
+        Returns:
+            GoogleUserInfo if valid, None if invalid.
+        """
+        try:
+            return self.verify_token(id_token)
+        except GoogleAuthError:
+            return None
+
+
+# Singleton instance for convenience (initialized on first use)
+_default_service: Optional[GoogleAuthService] = None
+
+
+def get_google_auth_service() -> GoogleAuthService:
+    """
+    Get the default GoogleAuthService instance.
+    
+    Creates a singleton instance using environment variables.
+    
+    Returns:
+        GoogleAuthService: The default service instance.
+    
+    Raises:
+        ConfigurationError: If GOOGLE_CLIENT_ID is not set.
+    """
+    global _default_service
+    if _default_service is None:
+        _default_service = GoogleAuthService()
+    return _default_service
+
+
+def verify_google_token(id_token: str) -> GoogleUserInfo:
+    """
+    Convenience function to verify a token using the default service.
+    
+    Args:
+        id_token: The Google ID token to verify.
+    
+    Returns:
+        GoogleUserInfo: Verified user information.
+    
+    Raises:
+        InvalidTokenError: If verification fails.
+        ConfigurationError: If service is not configured.
+    """
+    return get_google_auth_service().verify_token(id_token)

services/job_worker.py

@@ -0,0 +1,278 @@
+"""
+Background worker for processing Gemini jobs.
+Runs continuously, picks up queued jobs, processes them.
+"""
+import asyncio
+import logging
+import os
+from datetime import datetime
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import create_async_engine, async_sessionmaker, AsyncSession
+
+from core.database import DATABASE_URL
+from core.models import GeminiJob
+from services.gemini_service import GeminiService, DOWNLOADS_DIR
+
+logger = logging.getLogger(__name__)
+
+# Worker configuration
+WORKER_POLL_INTERVAL = int(os.getenv("WORKER_POLL_INTERVAL", "5"))  # seconds
+MAX_CONCURRENT_VIDEO_JOBS = int(os.getenv("MAX_CONCURRENT_VIDEO_JOBS", "2"))
+MAX_CONCURRENT_IMAGE_JOBS = int(os.getenv("MAX_CONCURRENT_IMAGE_JOBS", "3"))
+MAX_CONCURRENT_TEXT_JOBS = int(os.getenv("MAX_CONCURRENT_TEXT_JOBS", "5"))
+
+# Track running jobs
+_running_jobs = {
+    "video": 0,
+    "image": 0,
+    "text": 0,
+    "analyze": 0,
+    "animation_prompt": 0
+}
+_lock = asyncio.Lock()
+
+
+class JobWorker:
+    """Background worker for processing Gemini jobs."""
+    
+    def __init__(self):
+        self.engine = create_async_engine(DATABASE_URL, echo=False)
+        self.async_session = async_sessionmaker(
+            self.engine,
+            class_=AsyncSession,
+            expire_on_commit=False
+        )
+        self._running = False
+        self._tasks = []
+    
+    async def start(self):
+        """Start the worker."""
+        self._running = True
+        logger.info("Job worker started")
+        asyncio.create_task(self._poll_loop())
+    
+    async def stop(self):
+        """Stop the worker."""
+        self._running = False
+        # Wait for running tasks to complete
+        if self._tasks:
+            await asyncio.gather(*self._tasks, return_exceptions=True)
+        logger.info("Job worker stopped")
+    
+    async def _poll_loop(self):
+        """Main polling loop."""
+        while self._running:
+            try:
+                await self._process_queued_jobs()
+            except Exception as e:
+                logger.error(f"Error in worker poll loop: {e}")
+            await asyncio.sleep(WORKER_POLL_INTERVAL)
+    
+    async def _process_queued_jobs(self):
+        """Find and process queued jobs."""
+        async with self.async_session() as session:
+            # Get queued jobs
+            query = select(GeminiJob).where(
+                GeminiJob.status == "queued"
+            ).order_by(GeminiJob.created_at)
+            
+            result = await session.execute(query)
+            jobs = result.scalars().all()
+            
+            for job in jobs:
+                # Check if we can process this job type
+                if not await self._can_process(job.job_type):
+                    continue
+                
+                # Mark as processing
+                async with _lock:
+                    _running_jobs[job.job_type] = _running_jobs.get(job.job_type, 0) + 1
+                
+                try:
+                    job.status = "processing"
+                    job.started_at = datetime.utcnow()
+                    await session.commit()
+                    
+                    # Process job in background
+                    task = asyncio.create_task(self._process_job(job.job_id))
+                    self._tasks.append(task)
+                    task.add_done_callback(lambda t: self._tasks.remove(t) if t in self._tasks else None)
+                except Exception as e:
+                    logger.error(f"Error starting job {job.job_id}: {e}")
+                    async with _lock:
+                        _running_jobs[job.job_type] = max(0, _running_jobs.get(job.job_type, 0) - 1)
+    
+    async def _can_process(self, job_type: str) -> bool:
+        """Check if we can process another job of this type."""
+        async with _lock:
+            current = _running_jobs.get(job_type, 0)
+            if job_type == "video":
+                return current < MAX_CONCURRENT_VIDEO_JOBS
+            elif job_type in ("image", "edit_image"):
+                return current < MAX_CONCURRENT_IMAGE_JOBS
+            else:  # text, analyze, animation_prompt
+                return current < MAX_CONCURRENT_TEXT_JOBS
+    
+    async def _process_job(self, job_id: str):
+        """Process a single job."""
+        async with self.async_session() as session:
+            try:
+                # Get the job
+                query = select(GeminiJob).where(GeminiJob.job_id == job_id)
+                result = await session.execute(query)
+                job = result.scalar_one_or_none()
+                
+                if not job:
+                    logger.error(f"Job {job_id} not found")
+                    return
+                
+                logger.info(f"Processing job {job_id} (type: {job.job_type})")
+                
+                service = GeminiService()
+                input_data = job.input_data or {}
+                
+                if job.job_type == "video":
+                    await self._process_video_job(session, job, service, input_data)
+                elif job.job_type == "image":
+                    await self._process_image_job(session, job, service, input_data)
+                elif job.job_type == "text":
+                    await self._process_text_job(session, job, service, input_data)
+                elif job.job_type == "analyze":
+                    await self._process_analyze_job(session, job, service, input_data)
+                elif job.job_type == "animation_prompt":
+                    await self._process_animation_prompt_job(session, job, service, input_data)
+                else:
+                    job.status = "failed"
+                    job.error_message = f"Unknown job type: {job.job_type}"
+                    job.completed_at = datetime.utcnow()
+                    await session.commit()
+                
+            except Exception as e:
+                logger.error(f"Error processing job {job_id}: {e}")
+                try:
+                    job.status = "failed"
+                    job.error_message = str(e)
+                    job.completed_at = datetime.utcnow()
+                    await session.commit()
+                except:
+                    pass
+            finally:
+                async with _lock:
+                    job_type = job.job_type if job else "unknown"
+                    _running_jobs[job_type] = max(0, _running_jobs.get(job_type, 0) - 1)
+    
+    async def _process_video_job(self, session: AsyncSession, job: GeminiJob, service: GeminiService, input_data: dict):
+        """Process a video generation job."""
+        # Start video generation
+        result = await service.start_video_generation(
+            base64_image=input_data.get("base64_image", ""),
+            mime_type=input_data.get("mime_type", "image/jpeg"),
+            prompt=input_data.get("prompt", ""),
+            aspect_ratio=input_data.get("aspect_ratio", "16:9"),
+            resolution=input_data.get("resolution", "720p"),
+            number_of_videos=input_data.get("number_of_videos", 1)
+        )
+        
+        # Save third party ID
+        job.third_party_id = result.get("gemini_operation_name")
+        await session.commit()
+        
+        # Poll until done
+        while True:
+            status_result = await service.check_video_status(job.third_party_id)
+            
+            if status_result.get("done"):
+                if status_result.get("status") == "completed":
+                    # Download video
+                    video_url = status_result.get("video_url")
+                    if video_url:
+                        filename = await service.download_video(video_url, job.job_id)
+                        job.status = "completed"
+                        job.output_data = {"filename": filename}
+                    else:
+                        job.status = "failed"
+                        job.error_message = "No video URL returned"
+                else:
+                    job.status = "failed"
+                    job.error_message = status_result.get("error", "Unknown error")
+                
+                job.completed_at = datetime.utcnow()
+                await session.commit()
+                break
+            
+            await asyncio.sleep(10)  # Poll every 10 seconds
+    
+    async def _process_image_job(self, session: AsyncSession, job: GeminiJob, service: GeminiService, input_data: dict):
+        """Process an image edit job."""
+        result = await service.edit_image(
+            base64_image=input_data.get("base64_image", ""),
+            mime_type=input_data.get("mime_type", "image/jpeg"),
+            prompt=input_data.get("prompt", "")
+        )
+        
+        job.status = "completed"
+        job.output_data = {"image": result}
+        job.completed_at = datetime.utcnow()
+        await session.commit()
+    
+    async def _process_text_job(self, session: AsyncSession, job: GeminiJob, service: GeminiService, input_data: dict):
+        """Process a text generation job."""
+        result = await service.generate_text(
+            prompt=input_data.get("prompt", ""),
+            model=input_data.get("model")
+        )
+        
+        job.status = "completed"
+        job.output_data = {"text": result}
+        job.completed_at = datetime.utcnow()
+        await session.commit()
+    
+    async def _process_analyze_job(self, session: AsyncSession, job: GeminiJob, service: GeminiService, input_data: dict):
+        """Process an image analysis job."""
+        result = await service.analyze_image(
+            base64_image=input_data.get("base64_image", ""),
+            mime_type=input_data.get("mime_type", "image/jpeg"),
+            prompt=input_data.get("prompt", "")
+        )
+        
+        job.status = "completed"
+        job.output_data = {"analysis": result}
+        job.completed_at = datetime.utcnow()
+        await session.commit()
+    
+    async def _process_animation_prompt_job(self, session: AsyncSession, job: GeminiJob, service: GeminiService, input_data: dict):
+        """Process an animation prompt generation job."""
+        result = await service.generate_animation_prompt(
+            base64_image=input_data.get("base64_image", ""),
+            mime_type=input_data.get("mime_type", "image/jpeg"),
+            custom_prompt=input_data.get("custom_prompt")
+        )
+        
+        job.status = "completed"
+        job.output_data = {"prompt": result}
+        job.completed_at = datetime.utcnow()
+        await session.commit()
+
+
+# Singleton worker instance
+_worker: JobWorker = None
+
+
+def get_worker() -> JobWorker:
+    """Get the global worker instance."""
+    global _worker
+    if _worker is None:
+        _worker = JobWorker()
+    return _worker
+
+
+async def start_worker():
+    """Start the background worker."""
+    worker = get_worker()
+    await worker.start()
+
+
+async def stop_worker():
+    """Stop the background worker."""
+    worker = get_worker()
+    await worker.stop()

services/jwt_service.py

@@ -0,0 +1,378 @@
+"""
+Modular JWT Service
+
+A self-contained, plug-and-play service for creating and verifying JWT tokens.
+Can be used in any Python application with minimal configuration.
+
+Usage:
+    from services.jwt_service import JWTService, TokenPayload
+    
+    # Initialize with secret key
+    jwt_service = JWTService(secret_key="your-secret-key")
+    
+    # Or use environment variable JWT_SECRET
+    jwt_service = JWTService()
+    
+    # Create a token
+    token = jwt_service.create_token(user_id="user123", email="[email protected]")
+    
+    # Verify a token
+    payload = jwt_service.verify_token(token)
+    print(payload.user_id, payload.email)
+
+Environment Variables:
+    JWT_SECRET: Your secret key for signing tokens (required)
+    JWT_EXPIRY_HOURS: Token expiry in hours (default: 168 = 7 days)
+    JWT_ALGORITHM: Algorithm to use (default: HS256)
+
+Dependencies:
+    PyJWT>=2.8.0
+
+Generate a secure secret:
+    python -c "import secrets; print(secrets.token_urlsafe(64))"
+"""
+
+import os
+import logging
+from dataclasses import dataclass
+from datetime import datetime, timedelta
+from typing import Optional, Dict, Any
+import jwt
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class TokenPayload:
+    """
+    Payload extracted from a verified JWT token.
+    
+    Attributes:
+        user_id: The user's unique identifier (sub claim)
+        email: The user's email address
+        issued_at: When the token was issued
+        expires_at: When the token expires
+        extra: Any additional claims in the token
+    """
+    user_id: str
+    email: str
+    issued_at: datetime
+    expires_at: datetime
+    extra: Dict[str, Any] = None
+    
+    def __post_init__(self):
+        if self.extra is None:
+            self.extra = {}
+    
+    @property
+    def is_expired(self) -> bool:
+        """Check if the token has expired."""
+        return datetime.utcnow() > self.expires_at
+    
+    @property
+    def time_until_expiry(self) -> timedelta:
+        """Get time remaining until expiry."""
+        return self.expires_at - datetime.utcnow()
+
+
+class JWTError(Exception):
+    """Base exception for JWT errors."""
+    pass
+
+
+class TokenExpiredError(JWTError):
+    """Raised when the token has expired."""
+    pass
+
+
+class InvalidTokenError(JWTError):
+    """Raised when the token is invalid."""
+    pass
+
+
+class ConfigurationError(JWTError):
+    """Raised when the service is not properly configured."""
+    pass
+
+
+class JWTService:
+    """
+    Service for creating and verifying JWT tokens.
+    
+    This service handles JWT token lifecycle for authentication.
+    It's designed to be modular and reusable across different applications.
+    
+    Example:
+        service = JWTService(secret_key="my-secret")
+        
+        # Create token
+        token = service.create_token(user_id="u123", email="[email protected]")
+        
+        # Verify token
+        try:
+            payload = service.verify_token(token)
+            print(f"User: {payload.user_id}")
+        except TokenExpiredError:
+            print("Token expired, please login again")
+        except InvalidTokenError:
+            print("Invalid token")
+    """
+    
+    # Default configuration
+    DEFAULT_ALGORITHM = "HS256"
+    DEFAULT_EXPIRY_HOURS = 168  # 7 days
+    
+    def __init__(
+        self,
+        secret_key: Optional[str] = None,
+        algorithm: Optional[str] = None,
+        expiry_hours: Optional[int] = None
+    ):
+        """
+        Initialize the JWT Service.
+        
+        Args:
+            secret_key: Secret key for signing tokens. If not provided,
+                       falls back to JWT_SECRET environment variable.
+            algorithm: JWT algorithm (default: HS256).
+            expiry_hours: Token expiry in hours (default: 168 = 7 days).
+        
+        Raises:
+            ConfigurationError: If no secret_key is provided or found.
+        """
+        self.secret_key = secret_key or os.getenv("JWT_SECRET")
+        self.algorithm = algorithm or os.getenv("JWT_ALGORITHM", self.DEFAULT_ALGORITHM)
+        self.expiry_hours = expiry_hours or int(
+            os.getenv("JWT_EXPIRY_HOURS", str(self.DEFAULT_EXPIRY_HOURS))
+        )
+        
+        if not self.secret_key:
+            raise ConfigurationError(
+                "JWT secret key is required. Either pass secret_key parameter "
+                "or set JWT_SECRET environment variable. "
+                "Generate one with: python -c \"import secrets; print(secrets.token_urlsafe(64))\""
+            )
+        
+        # Warn if secret is too short
+        if len(self.secret_key) < 32:
+            logger.warning(
+                "JWT secret key is short (< 32 chars). "
+                "Consider using a longer secret for better security."
+            )
+        
+        logger.info(
+            f"JWTService initialized (algorithm={self.algorithm}, "
+            f"expiry={self.expiry_hours}h)"
+        )
+    
+    def create_token(
+        self,
+        user_id: str,
+        email: str,
+        extra_claims: Optional[Dict[str, Any]] = None,
+        expiry_hours: Optional[int] = None
+    ) -> str:
+        """
+        Create a JWT token for a user.
+        
+        Args:
+            user_id: The user's unique identifier.
+            email: The user's email address.
+            extra_claims: Additional claims to include in the token.
+            expiry_hours: Custom expiry for this token (overrides default).
+        
+        Returns:
+            str: The encoded JWT token.
+        """
+        now = datetime.utcnow()
+        expiry = expiry_hours or self.expiry_hours
+        
+        payload = {
+            "sub": user_id,
+            "email": email,
+            "iat": now,
+            "exp": now + timedelta(hours=expiry),
+        }
+        
+        if extra_claims:
+            payload.update(extra_claims)
+        
+        token = jwt.encode(payload, self.secret_key, algorithm=self.algorithm)
+        
+        logger.debug(f"Created token for user_id={user_id}")
+        return token
+    
+    def verify_token(self, token: str) -> TokenPayload:
+        """
+        Verify a JWT token and extract the payload.
+        
+        Args:
+            token: The JWT token to verify.
+        
+        Returns:
+            TokenPayload: Dataclass containing the verified payload.
+        
+        Raises:
+            TokenExpiredError: If the token has expired.
+            InvalidTokenError: If the token is invalid or malformed.
+        """
+        if not token:
+            raise InvalidTokenError("Token cannot be empty")
+        
+        try:
+            payload = jwt.decode(
+                token,
+                self.secret_key,
+                algorithms=[self.algorithm]
+            )
+            
+            # Extract standard claims
+            user_id = payload.get("sub")
+            email = payload.get("email")
+            iat = payload.get("iat")
+            exp = payload.get("exp")
+            
+            if not user_id or not email:
+                raise InvalidTokenError("Token missing required claims (sub, email)")
+            
+            # Convert timestamps to datetime
+            issued_at = datetime.utcfromtimestamp(iat) if isinstance(iat, (int, float)) else iat
+            expires_at = datetime.utcfromtimestamp(exp) if isinstance(exp, (int, float)) else exp
+            
+            # Extract extra claims
+            standard_claims = {"sub", "email", "iat", "exp"}
+            extra = {k: v for k, v in payload.items() if k not in standard_claims}
+            
+            return TokenPayload(
+                user_id=user_id,
+                email=email,
+                issued_at=issued_at,
+                expires_at=expires_at,
+                extra=extra
+            )
+            
+        except jwt.ExpiredSignatureError:
+            logger.debug("Token verification failed: expired")
+            raise TokenExpiredError("Token has expired")
+        except jwt.InvalidTokenError as e:
+            logger.debug(f"Token verification failed: {e}")
+            raise InvalidTokenError(f"Invalid token: {str(e)}")
+        except Exception as e:
+            logger.error(f"Unexpected error during token verification: {e}")
+            raise InvalidTokenError(f"Token verification error: {str(e)}")
+    
+    def verify_token_safe(self, token: str) -> Optional[TokenPayload]:
+        """
+        Verify a JWT token without raising exceptions.
+        
+        Args:
+            token: The JWT token to verify.
+        
+        Returns:
+            TokenPayload if valid, None if invalid or expired.
+        """
+        try:
+            return self.verify_token(token)
+        except JWTError:
+            return None
+    
+    def refresh_token(
+        self,
+        token: str,
+        expiry_hours: Optional[int] = None
+    ) -> str:
+        """
+        Refresh a token by creating a new one with the same claims.
+        
+        Args:
+            token: The current (possibly expired) token.
+            expiry_hours: Custom expiry for the new token.
+        
+        Returns:
+            str: A new JWT token with updated expiry.
+        
+        Raises:
+            InvalidTokenError: If the token is malformed.
+        """
+        try:
+            # Decode without verifying expiry
+            payload = jwt.decode(
+                token,
+                self.secret_key,
+                algorithms=[self.algorithm],
+                options={"verify_exp": False}
+            )
+            
+            user_id = payload.get("sub")
+            email = payload.get("email")
+            
+            if not user_id or not email:
+                raise InvalidTokenError("Token missing required claims")
+            
+            # Preserve extra claims
+            standard_claims = {"sub", "email", "iat", "exp"}
+            extra = {k: v for k, v in payload.items() if k not in standard_claims}
+            
+            return self.create_token(
+                user_id=user_id,
+                email=email,
+                extra_claims=extra,
+                expiry_hours=expiry_hours
+            )
+            
+        except jwt.InvalidTokenError as e:
+            raise InvalidTokenError(f"Cannot refresh invalid token: {str(e)}")
+
+
+# Singleton instance for convenience
+_default_service: Optional[JWTService] = None
+
+
+def get_jwt_service() -> JWTService:
+    """
+    Get the default JWTService instance.
+    
+    Creates a singleton instance using environment variables.
+    
+    Returns:
+        JWTService: The default service instance.
+    
+    Raises:
+        ConfigurationError: If JWT_SECRET is not set.
+    """
+    global _default_service
+    if _default_service is None:
+        _default_service = JWTService()
+    return _default_service
+
+
+def create_access_token(user_id: str, email: str, **kwargs) -> str:
+    """
+    Convenience function to create a token using the default service.
+    
+    Args:
+        user_id: The user's unique identifier.
+        email: The user's email address.
+        **kwargs: Additional arguments passed to create_token.
+    
+    Returns:
+        str: The encoded JWT token.
+    """
+    return get_jwt_service().create_token(user_id, email, **kwargs)
+
+
+def verify_access_token(token: str) -> TokenPayload:
+    """
+    Convenience function to verify a token using the default service.
+    
+    Args:
+        token: The JWT token to verify.
+    
+    Returns:
+        TokenPayload: Verified token payload.
+    
+    Raises:
+        TokenExpiredError: If the token has expired.
+        InvalidTokenError: If the token is invalid.
+    """
+    return get_jwt_service().verify_token(token)

tests/conftest.py

@@ -1,14 +1,27 @@
 import pytest
 import os
 import sys
+from unittest.mock import patch, MagicMock
 from fastapi.testclient import TestClient
 from sqlalchemy.ext.asyncio import create_async_engine, async_sessionmaker, AsyncSession
 
+# Set test environment variables BEFORE importing app
+os.environ["JWT_SECRET"] = "test-secret-key-that-is-long-enough-for-security-purposes"
+os.environ["GOOGLE_CLIENT_ID"] = "test-google-client-id.apps.googleusercontent.com"
+os.environ["RESET_DB"] = "true"  # Prevent Drive download during tests
+
 # Add parent directory to path to allow importing app
 sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), "..")))
 
-from app import app
-from core.database import get_db, Base
+# Mock the drive service before importing app
+with patch("services.drive_service.DriveService") as mock_drive:
+    mock_instance = MagicMock()
+    mock_instance.download_db.return_value = False
+    mock_instance.upload_db.return_value = True
+    mock_drive.return_value = mock_instance
+    
+    from app import app
+    from core.database import get_db, Base
 
 # Use a file-based SQLite database for testing to ensure persistence
 TEST_DATABASE_URL = "sqlite+aiosqlite:///./test_blink_data.db"
@@ -34,16 +47,6 @@ async def db_session(test_engine):
     
     async with async_session() as session:
         yield session
-        
-    # We don't drop tables here to allow persistence if needed, 
-    # but for isolation we usually want to. 
-    # However, the previous test relied on persistence for rate limiting.
-    # Let's keep it simple: we clear data manually if needed or rely on fresh DB per run (session scope engine).
-    # Actually, for rate limiting test to work across requests, we need persistence.
-    # But for isolation between tests, we want cleanup.
-    # The previous test_app.py had cleanup_db fixture. Let's replicate that logic in the test file or here.
-    
-    # Let's just yield session here.
 
 @pytest.fixture(scope="function")
 def client(test_engine):
@@ -57,6 +60,12 @@ def client(test_engine):
             yield session
 
     app.dependency_overrides[get_db] = override_get_db
-    with TestClient(app) as c:
-        yield c
+    
+    # Mock drive service for the test client
+    with patch("routers.auth.drive_service") as mock_auth_drive:
+        mock_auth_drive.upload_db.return_value = True
+        with TestClient(app) as c:
+            yield c
+    
     app.dependency_overrides.clear()
+

tests/debug_gemini_service.py

@@ -0,0 +1,165 @@
+"""
+Debug script to test Gemini service with API keys from environment.
+Keys should be in GEMINI_KEYS environment variable, comma-separated.
+
+Usage:
+    GEMINI_KEYS="key1,key2,key3" python tests/debug_gemini_service.py
+"""
+import os
+import sys
+import asyncio
+import logging
+import base64
+from dotenv import load_dotenv
+
+# Load environment variables
+load_dotenv()
+
+# Add parent directory to path
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), "..")))
+
+from services.gemini_service import GeminiService, MODELS
+
+# Configure logging
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger(__name__)
+
+# Test image path
+TEST_IMAGE_PATH = os.path.join(os.path.dirname(os.path.dirname(__file__)), "test.jpg")
+
+
+def load_test_image():
+    """Load test image and return base64 + mime type."""
+    if not os.path.exists(TEST_IMAGE_PATH):
+        logger.error(f"Test image not found: {TEST_IMAGE_PATH}")
+        return None, None
+    
+    with open(TEST_IMAGE_PATH, "rb") as f:
+        image_data = f.read()
+    
+    base64_image = base64.b64encode(image_data).decode("utf-8")
+    mime_type = "image/jpeg"
+    
+    logger.info(f"Loaded test image: {TEST_IMAGE_PATH} ({len(image_data)} bytes)")
+    return base64_image, mime_type
+
+
+async def test_generate_text(service: GeminiService, key_index: int):
+    """Test simple text generation."""
+    logger.info(f"[Key {key_index}] Testing text generation...")
+    try:
+        result = await service.generate_text("Say hello in one word.")
+        logger.info(f"[Key {key_index}] Text generation result: {result[:100]}...")
+        return True
+    except Exception as e:
+        logger.error(f"[Key {key_index}] Text generation failed: {e}")
+        return False
+
+
+async def test_analyze_image(service: GeminiService, key_index: int, base64_image: str, mime_type: str):
+    """Test image analysis."""
+    logger.info(f"[Key {key_index}] Testing image analysis...")
+    try:
+        result = await service.analyze_image(
+            base64_image=base64_image,
+            mime_type=mime_type,
+            prompt="Describe this image in one sentence."
+        )
+        logger.info(f"[Key {key_index}] Image analysis result: {result[:100]}...")
+        return True
+    except Exception as e:
+        logger.error(f"[Key {key_index}] Image analysis failed: {e}")
+        return False
+
+
+async def test_generate_animation_prompt(service: GeminiService, key_index: int, base64_image: str, mime_type: str):
+    """Test animation prompt generation."""
+    logger.info(f"[Key {key_index}] Testing animation prompt generation...")
+    try:
+        result = await service.generate_animation_prompt(
+            base64_image=base64_image,
+            mime_type=mime_type
+        )
+        logger.info(f"[Key {key_index}] Animation prompt result: {result[:100]}...")
+        return True
+    except Exception as e:
+        logger.error(f"[Key {key_index}] Animation prompt generation failed: {e}")
+        return False
+
+
+async def test_key(api_key: str, key_index: int, base64_image: str, mime_type: str):
+    """Test all basic operations with a single API key."""
+    logger.info(f"\n{'='*50}")
+    logger.info(f"Testing Key {key_index}: {api_key[:10]}...{api_key[-4:]}")
+    logger.info(f"{'='*50}")
+    
+    try:
+        service = GeminiService(api_key)
+    except Exception as e:
+        logger.error(f"[Key {key_index}] Failed to initialize service: {e}")
+        return {"key_index": key_index, "valid": False, "error": str(e)}
+    
+    results = {
+        "key_index": key_index,
+        "key_preview": f"{api_key[:10]}...{api_key[-4:]}",
+        "text_generation": await test_generate_text(service, key_index),
+        "image_analysis": await test_analyze_image(service, key_index, base64_image, mime_type),
+        "animation_prompt": await test_generate_animation_prompt(service, key_index, base64_image, mime_type),
+    }
+    
+    results["valid"] = all([
+        results["text_generation"],
+        results["image_analysis"],
+        results["animation_prompt"]
+    ])
+    
+    return results
+
+
+async def main():
+    # Load test image
+    base64_image, mime_type = load_test_image()
+    if not base64_image:
+        logger.error("Cannot run tests without test image. Please add test.jpg to project root.")
+        return
+    
+    gemini_keys_str = os.getenv("GEMINI_KEYS", "")
+    
+    if not gemini_keys_str:
+        logger.error("GEMINI_KEYS environment variable not set.")
+        logger.info("Usage: GEMINI_KEYS='key1,key2,key3' python tests/debug_gemini_service.py")
+        return
+    
+    keys = [k.strip() for k in gemini_keys_str.split(",") if k.strip()]
+    
+    if not keys:
+        logger.error("No valid keys found in GEMINI_KEYS.")
+        return
+    
+    logger.info(f"Found {len(keys)} API key(s) to test.")
+    logger.info(f"Available models: {MODELS}")
+    
+    all_results = []
+    for i, key in enumerate(keys):
+        result = await test_key(key, i + 1, base64_image, mime_type)
+        all_results.append(result)
+    
+    # Summary
+    logger.info(f"\n{'='*50}")
+    logger.info("SUMMARY")
+    logger.info(f"{'='*50}")
+    
+    valid_count = sum(1 for r in all_results if r.get("valid", False))
+    logger.info(f"Valid keys: {valid_count}/{len(keys)}")
+    
+    for result in all_results:
+        status = "✓ VALID" if result.get("valid") else "✗ INVALID"
+        logger.info(f"  Key {result['key_index']}: {status}")
+        if not result.get("valid"):
+            for test_name in ["text_generation", "image_analysis", "animation_prompt"]:
+                if test_name in result and not result[test_name]:
+                    logger.info(f"    - {test_name}: FAILED")
+
+
+if __name__ == "__main__":
+    asyncio.run(main())

tests/test_integration.py

@@ -1,25 +1,28 @@
+"""
+Integration Tests for Google OAuth Authentication
+
+Tests the new Google Sign-In flow, JWT token handling, and API access.
+"""
 import pytest
-from unittest.mock import patch
+from unittest.mock import patch, MagicMock
 import os
 from sqlalchemy import text
 
+from services.google_auth_service import GoogleUserInfo
+from services.jwt_service import JWTService
+
+
 # Cleanup fixture
 @pytest.fixture(autouse=True)
 def cleanup_db():
     if os.path.exists("./test_blink_data.db"):
-        # We can't easily delete the file if it's open by the engine in conftest.
-        # Instead, we should probably truncate tables.
         pass
     yield
-    # Cleanup logic if needed
 
-# We need a way to clear data between tests if we want isolation.
-# Since we are using a file-based DB shared across the session (engine),
-# we should truncate tables.
 
 @pytest.fixture(autouse=True)
 async def clear_tables(db_session):
-    # Truncate all tables
+    """Truncate all tables between tests."""
     async with db_session.begin():
         await db_session.execute(text("DELETE FROM users"))
         await db_session.execute(text("DELETE FROM rate_limits"))
@@ -27,65 +30,179 @@ async def clear_tables(db_session):
         await db_session.execute(text("DELETE FROM blink_data"))
     await db_session.commit()
 
-@patch("services.email_service.send_email")
-def test_credit_system_flow(mock_send_email, client):
-    mock_send_email.return_value = True
-    
-    # 1. Register
-    response = client.post("/auth/register", json={
-        "user_id": "test-user-1",
-        "email": "test@example.com"
-    })
-    assert response.status_code == 200
-    assert response.json()["success"] == True
+
+@pytest.fixture
+def jwt_service():
+    """Create a JWT service for testing."""
+    return JWTService(secret_key="test-secret-key-for-testing-only")
+
+
+@pytest.fixture
+def mock_google_user():
+    """Mock Google user info."""
+    return GoogleUserInfo(
+        google_id="google_123456789",
+        email="[email protected]",
+        email_verified=True,
+        name="Test User",
+        picture="https://example.com/photo.jpg"
+    )
+
+
+class TestGoogleAuth:
+    """Test Google OAuth authentication flow."""
     
-    # 2. Check registration
-    response = client.post("/auth/check-registration", json={"user_id": "test-user-1"})
-    assert response.status_code == 200
-    assert response.json()["is_registered"] == True
-
-    # 3. Validate with mocked key (we need to know the key)
-    # Since we can't easily get the key from the hashed DB, let's mock generate_secret_key
-    with patch("routers.auth.generate_secret_key", return_value="sk_test_key_1234567890123456789012345"):
-        # Register user 2
-        client.post("/auth/register", json={
-            "user_id": "test-user-2",
-            "email": "[email protected]"
+    @patch("routers.auth.get_google_auth_service")
+    def test_google_auth_new_user(self, mock_get_service, client, mock_google_user):
+        """Test new user registration via Google."""
+        mock_service = MagicMock()
+        mock_service.verify_token.return_value = mock_google_user
+        mock_get_service.return_value = mock_service
+        
+        response = client.post("/auth/google", json={
+            "id_token": "fake-google-token-12345",
+            "temp_user_id": "temp-user-abc"
         })
         
-        # Validate
-        response = client.post("/auth/validate", headers={"X-Secret-Key": "sk_test_key_1234567890123456789012345"})
         assert response.status_code == 200
-        assert response.json()["valid"] == True
-        assert response.json()["credits"] == 100
-
-def test_blink_flow(client):
-    # Test Blink Endpoint
-    # We need a valid userid format: 20 chars + encrypted data
-    user_id = "12345678901234567890"
-    encrypted_data = "some_encrypted_data_base64"
-    userid_param = user_id + encrypted_data
+        data = response.json()
+        assert data["success"] == True
+        assert data["is_new_user"] == True
+        assert data["email"] == "[email protected]"
+        assert data["name"] == "Test User"
+        assert data["credits"] == 100
+        assert "access_token" in data
+        assert data["access_token"] != ""
     
-    response = client.get(f"/blink?userid={userid_param}")
-    assert response.status_code == 200
-    data = response.json()
-    assert data["status"] == "success"
-    assert data["user_id"] == user_id
+    @patch("routers.auth.get_google_auth_service")
+    def test_google_auth_existing_user(self, mock_get_service, client, mock_google_user):
+        """Test existing user login via Google."""
+        mock_service = MagicMock()
+        mock_service.verify_token.return_value = mock_google_user
+        mock_get_service.return_value = mock_service
+        
+        # First login - creates user
+        response1 = client.post("/auth/google", json={"id_token": "token1"})
+        assert response1.status_code == 200
+        assert response1.json()["is_new_user"] == True
+        
+        # Second login - same user
+        response2 = client.post("/auth/google", json={"id_token": "token2"})
+        assert response2.status_code == 200
+        data = response2.json()
+        assert data["is_new_user"] == False
+        assert data["email"] == "[email protected]"
+        assert data["credits"] == 100  # Credits preserved
     
-    # Verify data stored (via API)
-    response = client.get("/api/data")
-    assert response.status_code == 200
-    items = response.json()["items"]
-    assert len(items) > 0
-    assert items[0]["user_id"] == user_id
-
-@patch("services.email_service.send_email")
-def test_rate_limiting(mock_send_email, client):
-    # 10 requests should succeed
-    for _ in range(10):
-        response = client.post("/auth/check-registration", json={"user_id": "rate-limit-test"})
+    @patch("routers.auth.get_google_auth_service")
+    def test_google_auth_invalid_token(self, mock_get_service, client):
+        """Test handling of invalid Google token."""
+        from services.google_auth_service import InvalidTokenError
+        
+        mock_service = MagicMock()
+        mock_service.verify_token.side_effect = InvalidTokenError("Invalid token")
+        mock_get_service.return_value = mock_service
+        
+        response = client.post("/auth/google", json={"id_token": "invalid-token"})
+        
+        assert response.status_code == 401
+        assert "Invalid Google token" in response.json()["detail"]
+
+
+class TestJWTAuth:
+    """Test JWT token authentication."""
+    
+    @patch("routers.auth.get_google_auth_service")
+    def test_get_current_user(self, mock_get_service, client, mock_google_user):
+        """Test getting current user with JWT."""
+        mock_service = MagicMock()
+        mock_service.verify_token.return_value = mock_google_user
+        mock_get_service.return_value = mock_service
+        
+        # Login to get token
+        login_response = client.post("/auth/google", json={"id_token": "token"})
+        token = login_response.json()["access_token"]
+        
+        # Get user info
+        response = client.get("/auth/me", headers={"Authorization": f"Bearer {token}"})
+        
+        assert response.status_code == 200
+        data = response.json()
+        assert data["email"] == "[email protected]"
+        assert data["credits"] == 100
+    
+    def test_missing_auth_header(self, client):
+        """Test request without Authorization header."""
+        response = client.get("/auth/me")
+        assert response.status_code == 401
+        assert "Missing Authorization header" in response.json()["detail"]
+    
+    def test_invalid_token_format(self, client):
+        """Test request with invalid token format."""
+        response = client.get("/auth/me", headers={"Authorization": "InvalidFormat"})
+        assert response.status_code == 401
+        assert "Invalid Authorization header format" in response.json()["detail"]
+    
+    def test_invalid_token(self, client):
+        """Test request with invalid JWT token."""
+        response = client.get("/auth/me", headers={"Authorization": "Bearer invalid.jwt.token"})
+        assert response.status_code == 401
+
+
+class TestCreditSystem:
+    """Test credit deduction system."""
+    
+    @patch("routers.auth.get_google_auth_service")
+    def test_credit_deduction(self, mock_get_service, client, mock_google_user):
+        """Test that credits are deducted when using API."""
+        mock_service = MagicMock()
+        mock_service.verify_token.return_value = mock_google_user
+        mock_get_service.return_value = mock_service
+        
+        # Login
+        login_response = client.post("/auth/google", json={"id_token": "token"})
+        token = login_response.json()["access_token"]
+        initial_credits = login_response.json()["credits"]
+        
+        # Make an API call that deducts credits (would need gemini endpoint mock)
+        # For now, just verify user info doesn't deduct credits
+        response = client.get("/auth/me", headers={"Authorization": f"Bearer {token}"})
+        assert response.json()["credits"] == initial_credits  # No deduction for info endpoint
+
+
+class TestBlinkFlow:
+    """Test blink data collection."""
+    
+    def test_blink_flow(self, client):
+        """Test Blink endpoint still works."""
+        user_id = "12345678901234567890"
+        encrypted_data = "some_encrypted_data_base64"
+        userid_param = user_id + encrypted_data
+        
+        response = client.get(f"/blink?userid={userid_param}")
+        assert response.status_code == 200
+        data = response.json()
+        assert data["status"] == "success"
+        assert data["user_id"] == user_id
+        
+        # Verify data stored
+        response = client.get("/api/data")
         assert response.status_code == 200
+        items = response.json()["items"]
+        assert len(items) > 0
+        assert items[0]["user_id"] == user_id
+
+
+class TestRateLimiting:
+    """Test rate limiting."""
+    
+    def test_rate_limiting(self, client):
+        """Test rate limiting on auth endpoints."""
+        # 10 requests should succeed
+        for _ in range(10):
+            response = client.post("/auth/check-registration", json={"user_id": "rate-limit-test"})
+            assert response.status_code == 200
         
-    # 11th request should fail
-    response = client.post("/auth/check-registration", json={"user_id": "rate-limit-test"})
-    assert response.status_code == 429
+        # 11th request should fail
+        response = client.post("/auth/check-registration", json={"user_id": "rate-limit-test"})
+        assert response.status_code == 429