DEV Community: Tech In Vernacular The latest articles on DEV Community by Tech In Vernacular (@technvernacular). https://dev.to/technvernacular https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3934412%2Ff8757f8f-df80-434f-8ce9-54730a178467.png DEV Community: Tech In Vernacular https://dev.to/technvernacular en Setting Up Gmail OAuth2 With Nodemailer and Google Cloud Platform (GCP) Tech In Vernacular Sat, 06 Jun 2026 11:00:00 +0000 https://dev.to/technvernacular/setting-up-gmail-oauth2-with-nodemailer-and-google-cloud-platform-gcp-223p https://dev.to/technvernacular/setting-up-gmail-oauth2-with-nodemailer-and-google-cloud-platform-gcp-223p <p>Sending emails from applications now don evolve significantly from how e take dey be over the years. The normal way wey be username and password authentication for Gmail SMTP wey we been dey use before no really dey market again because of some kind security matters and Google's own restriction for apps wey dey considered "less secure".</p> <p>The latest way now wey secure pass na to use Gmail OAuth2 authentication, with another external emailing padi like Nodemailer. I been just run am for my portfolio na why e sweet me to write like this, make another person for fit find am helpful.</p> <p>For this guide, you go sabi how to:</p> <ul> <li>Configure a Google Cloud Platform (GCP) project</li> <li>Enable the Gmail API</li> <li>Configure the OAuth Consent Screen</li> <li>Generate OAuth credentials</li> <li>Generate a refresh token</li> <li>Configure Nodemailer with Gmail OAuth2</li> <li>Handle common errors</li> <li>Secure your application properly</li> </ul> <p>This tutorial go work for:</p> <ul> <li>Node.js</li> <li>Express</li> <li>Nuxt server routes</li> <li>Vue backend APIs</li> <li>Next.js API routes</li> <li>TypeScript projects</li> </ul> <h2> Table of Contents </h2> <ol> <li>Why use Gmail OAuth2?</li> <li>Prerequisites</li> <li>Creating a Google Cloud Project</li> <li>Enabling the Gmail API</li> <li>Configuring the OAuth Consent Screen</li> <li>Creating OAuth Credentials</li> <li>Installing Dependencies</li> <li>Generating a Refresh Token</li> <li>Configuring Nodemailer</li> <li>Sending Emails</li> <li>Escaping HTML and Preventing Injection</li> <li>Common Errors and Fixes</li> <li>Production Recommendations</li> <li>Final Thoughts</li> </ol> <h3> Why use Gmail OAuth2? </h3> <p>Google don deprecate the password-based SMTP authentication for many applications.</p> <p>OAuth2 dey offer:</p> <ul> <li>Better security</li> <li>Token-based authentication</li> <li>No exposed Gmail passwords</li> <li>Controlled access scopes</li> <li>Revocable access</li> </ul> <p>Instead make you do something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">auth</span><span class="p">:</span> <span class="p">{</span> <span class="nl">user</span><span class="p">:</span> <span class="dl">"</span><span class="s2">example@gmail.com</span><span class="dl">"</span><span class="p">,</span> <span class="nx">pass</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gmail-password</span><span class="dl">"</span> <span class="p">}</span> </code></pre> </div> <p>You go just do like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">auth</span><span class="p">:</span> <span class="p">{</span> <span class="nl">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">OAuth2</span><span class="dl">"</span><span class="p">,</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">clientId</span><span class="p">,</span> <span class="nx">clientSecret</span><span class="p">,</span> <span class="nx">refreshToken</span> <span class="p">}</span> </code></pre> </div> <h3> Prerequisites </h3> <p>Before you start cook anything, make sure say the following ingredients dey ground:</p> <ul> <li>A Google account</li> <li>Node.js installed</li> <li>npm or yarn</li> <li>A backend/server environment</li> <li>Basic knowledge of JavaScript or TypeScript</li> </ul> <h3> Creating a Google Cloud Project </h3> <p>Go to the Google Cloud Console:</p> <p><a href="https://console.cloud.google.com/" rel="noopener noreferrer">Google Cloud Console</a></p> <h4> Step 1: Create new project </h4> <ol> <li>Click the project dropdown wey dey the top bar</li> <li>Click <strong>New Project</strong> </li> <li>Enter project name wey you want</li> <li>Click <strong>Create</strong> </li> </ol> <p>Wait for the project make e initialize.</p> <h3> Enabling the Gmail API </h3> <p>Once your project don create:</p> <ol> <li>Open the APIs Library:</li> </ol> <p><a href="https://console.cloud.google.com/apis/library" rel="noopener noreferrer">Google APIs Library</a></p> <ol> <li>Search for: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Gmail API </code></pre> </div> <ol> <li>Click the Gmail API</li> <li>Click <strong>Enable</strong> </li> </ol> <p>If you no enable this Gmail API, the OAuth email sending go just dey chop dust.</p> <h3> Configuring the OAuth Consent Screen </h3> <p>This step na must before you go generate OAuth credentials.</p> <p>Navigate go:</p> <p><a href="https://console.cloud.google.com/apis/credentials/consent" rel="noopener noreferrer">OAuth Consent Screen</a></p> <h4> Step 1: Choose user type </h4> <p>Choose:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>External </code></pre> </div> <p>Then click <strong>Create</strong>.</p> <h4> Step 2: Fill the app information </h4> <p>Provide:</p> <ul> <li>App name</li> <li>Support email</li> <li>Developer contact email</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>App Name: Portfolio Mailer </code></pre> </div> <h4> Step 3: Add test users </h4> <p>If your app still dey for testing mode:</p> <ol> <li>Open the <strong>Test Users</strong> section</li> <li>Add the Gmail account wey you wan dey use for sending the emails</li> </ol> <p>If you jump this step pass, you go dey jam error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>unauthorized_client </code></pre> </div> <h3> Creating OAuth credentials </h3> <p>Now, na to create the OAuth credentials.</p> <p>Go to:</p> <p><a href="https://console.cloud.google.com/apis/credentials" rel="noopener noreferrer">Google Cloud Credentials</a></p> <h4> Step 1: Create OAuth client ID </h4> <ol> <li>Click <strong>Create Credentials</strong> </li> <li>Select <strong>OAuth Client ID</strong> </li> </ol> <h4> Step 2: Select application type </h4> <p>Choose:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Web Application </code></pre> </div> <p>No go choose:</p> <ul> <li>Desktop App</li> <li>Android</li> <li>iOS</li> </ul> <h4> Step 3: Add redirect URI </h4> <p>Under the following section:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Authorized redirect URIs </code></pre> </div> <p>Add:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://localhost:3000 </code></pre> </div> <p>or your preferred port. This one na must if we wan generate refresh tokens.</p> <h4> Step 4: Save credentials </h4> <p>After you don done, Google go provide:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client ID Client Secret </code></pre> </div> <p>Save them securely, you fit copy am or you fit download am.</p> <h3> Installing dependencies </h3> <p>Install the packages wey you go need:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>nodemailer googleapis dotenv </code></pre> </div> <p>For TypeScript, also run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-D</span> tsx typescript </code></pre> </div> <h3> Environment variables </h3> <p>Create a <code>.env</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SMTP_USER=your-email@gmail.com GOOGLE_CLIENT_ID=your-client-id GOOGLE_CLIENT_SECRET=your-client-secret GOOGLE_OAUTH_REFRESH_TOKEN=your-refresh-token </code></pre> </div> <p>No go ever commit <code>.env</code> files go GitHub, dem suppose don sing this one for your ear enough.</p> <h3> Generating a refresh token </h3> <p>This na one of the most important part for this setup.</p> <h4> Step 1: Create a script </h4> <p>Create a script file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>scripts/generate-refresh-token.ts </code></pre> </div> <p>for the root of your application.</p> <p>Then add the following code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">googleapis</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">dotenv</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">dotenv</span><span class="dl">"</span><span class="p">;</span> <span class="nx">dotenv</span><span class="p">.</span><span class="nf">config</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">oauth2Client</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">google</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nc">OAuth2</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_ID</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_SECRET</span><span class="p">,</span> <span class="dl">"</span><span class="s2">http://localhost:3000</span><span class="dl">"</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">scopes</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">https://mail.google.com/</span><span class="dl">"</span><span class="p">,</span> <span class="p">];</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="nx">oauth2Client</span><span class="p">.</span><span class="nf">generateAuthUrl</span><span class="p">({</span> <span class="na">access_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">offline</span><span class="dl">"</span><span class="p">,</span> <span class="na">scope</span><span class="p">:</span> <span class="nx">scopes</span><span class="p">,</span> <span class="na">prompt</span><span class="p">:</span> <span class="dl">"</span><span class="s2">consent</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Authorization url: </span><span class="dl">"</span><span class="p">,</span> <span class="nx">url</span><span class="p">);</span> </code></pre> </div> <h4> Step 2: Run the script </h4> <p>Using TypeScript, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx tsx scripts/generate-refresh-token.ts </code></pre> </div> <p>Or JavaScript:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>node scripts/generate-refresh-token.js </code></pre> </div> <h4> Step 3: Open the authorization URL </h4> <p>The terminal go vomit the Google authorization URL give you.</p> <p>Copy the link open am for your browser.</p> <p>Login with the same Gmail account as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SMTP_USER </code></pre> </div> <p>And approve the permissions wey go come up.</p> <h4> Step 4: Copy the authorization code </h4> <p>After the approval, Google go redirect go the url wey you set for step 3 when you dey create the OAuth credentials:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://localhost:3000/?code=... </code></pre> </div> <p>Copy the <code>code</code> value.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>4/0AX4XfWh... </code></pre> </div> <h4> Step 5: Exchange code for the refresh token </h4> <p>Update the script with the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">googleapis</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">dotenv</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">dotenv</span><span class="dl">"</span><span class="p">;</span> <span class="nx">dotenv</span><span class="p">.</span><span class="nf">config</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">oauth2Client</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">google</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nc">OAuth2</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_ID</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_SECRET</span><span class="p">,</span> <span class="dl">"</span><span class="s2">http://localhost:3000</span><span class="dl">"</span> <span class="p">);</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getRefreshToken</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">code</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">PASTE_AUTHORIZATION_CODE_HERE</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">tokens</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">oauth2Client</span><span class="p">.</span><span class="nf">getToken</span><span class="p">(</span><span class="nx">code</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Get tokens: </span><span class="dl">"</span><span class="p">,</span> <span class="nx">tokens</span><span class="p">);</span> <span class="p">}</span> <span class="nf">getRefreshToken</span><span class="p">();</span> </code></pre> </div> <h4> Step 6: Run the script again </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx tsx scripts/generate-refresh-token.ts </code></pre> </div> <p>You suppose see something wey go be like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"access_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"refresh_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://mail.google.com/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"token_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Copy the refresh token put inside the <code>.env</code>.</p> <h3> Configuring Nodemailer </h3> <p>Now make we configure the transporter.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">nodemailer</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">nodemailer</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">googleapis</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">clientId</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_ID</span><span class="o">!</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">clientSecret</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_SECRET</span><span class="o">!</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_OAUTH_REFRESH_TOKEN</span><span class="o">!</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SMTP_USER</span><span class="o">!</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">oauth2Client</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">google</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nc">OAuth2</span><span class="p">(</span> <span class="nx">clientId</span><span class="p">,</span> <span class="nx">clientSecret</span><span class="p">,</span> <span class="dl">"</span><span class="s2">https://developers.google.com/oauthplayground</span><span class="dl">"</span> <span class="p">);</span> <span class="nx">oauth2Client</span><span class="p">.</span><span class="nf">setCredentials</span><span class="p">({</span> <span class="na">refresh_token</span><span class="p">:</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="p">});</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">createTransporter</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">oauth2Client</span><span class="p">.</span><span class="nf">getAccessToken</span><span class="p">();</span> <span class="k">return</span> <span class="nx">nodemailer</span><span class="p">.</span><span class="nf">createTransport</span><span class="p">({</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gmail</span><span class="dl">"</span><span class="p">,</span> <span class="na">auth</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">OAuth2</span><span class="dl">"</span><span class="p">,</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">clientId</span><span class="p">,</span> <span class="nx">clientSecret</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="na">accessToken</span><span class="p">:</span> <span class="nx">accessToken</span><span class="p">.</span><span class="nx">token</span> <span class="o">||</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h3> Sending emails </h3> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">transporter</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">createTransporter</span><span class="p">();</span> <span class="k">await</span> <span class="nx">transporter</span><span class="p">.</span><span class="nf">sendMail</span><span class="p">({</span> <span class="na">from</span><span class="p">:</span> <span class="s2">`"Portfolio Contact" &lt;</span><span class="p">${</span><span class="nx">user</span><span class="p">}</span><span class="s2">&gt;`</span><span class="p">,</span> <span class="na">replyTo</span><span class="p">:</span> <span class="dl">"</span><span class="s2">visitor@example.com</span><span class="dl">"</span><span class="p">,</span> <span class="na">to</span><span class="p">:</span> <span class="nx">user</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span> <span class="dl">"</span><span class="s2">New Portfolio Message</span><span class="dl">"</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="s2">` Name: John Doe Email: visitor@example.com Message: Hello there! `</span><span class="p">,</span> <span class="na">html</span><span class="p">:</span> <span class="s2">` &lt;div&gt; &lt;h2&gt;New Portfolio Message&lt;/h2&gt; &lt;p&gt;&lt;strong&gt;Name:&lt;/strong&gt; John Doe&lt;/p&gt; &lt;p&gt; &lt;strong&gt;Email:&lt;/strong&gt; visitor@example.com &lt;/p&gt; &lt;p&gt;Hello there!&lt;/p&gt; &lt;/div&gt; `</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h3> Important: Use <code>replyTo</code> instead of <code>from</code> </h3> <p>This one na one common mistake wey fit happen.</p> <p>No go do like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">from</span><span class="p">:</span> <span class="dl">"</span><span class="s2">visitor@example.com</span><span class="dl">"</span> </code></pre> </div> <p>Gmail fit reject am, e dey get choko sometimes.</p> <p>Instead, do am like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">from</span><span class="p">:</span> <span class="s2">`"Portfolio Contact" &lt;</span><span class="p">${</span><span class="nx">user</span><span class="p">}</span><span class="s2">&gt;`</span><span class="p">,</span> <span class="nx">replyTo</span><span class="p">:</span> <span class="nx">visitorEmail</span><span class="p">,</span> </code></pre> </div> <p>This one dey sweet Gmail belle, e go still allow make you fit send direct replies give the visitor.</p> <h3> Escaping HTML and preventing injection </h3> <p>No go ever inject raw user input put inside the HTML. This no safe at all and proper wahala fit brew if anyhow person go jam am:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">html</span><span class="p">:</span> <span class="s2">`&lt;p&gt;</span><span class="p">${</span><span class="nx">message</span><span class="p">}</span><span class="s2">&lt;/p&gt;`</span> </code></pre> </div> <p>Create an <code>escapeHtml</code> helper function, this way dey safe enough:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">escapeHtml</span><span class="p">(</span><span class="nx">unsafe</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">unsafe</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/&amp;/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">&amp;amp;</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/&lt;/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">&amp;lt;</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/&gt;/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">&amp;gt;</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/"/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">&amp;quot;</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/'/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">&amp;#039;</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>or install the package, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm install --save-dev escape-html @types/escape-html </code></pre> </div> <p>Then use am like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">safeMessage</span> <span class="o">=</span> <span class="nf">escapeHtml</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> </code></pre> </div> <p>Then pass am:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">html</span><span class="p">:</span> <span class="s2">`&lt;p&gt;</span><span class="p">${</span><span class="nx">safeMessage</span><span class="p">}</span><span class="s2">&lt;/p&gt;`</span> </code></pre> </div> <h3> Recommended security improvements </h3> <h4> Validate email inputs </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">emailRegex</span> <span class="o">=</span> <span class="sr">/^</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+@</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+</span><span class="se">\.[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+$/</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">emailRegex</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">email</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Invalid email</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h4> Limit input length </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">if </span><span class="p">(</span><span class="nx">message</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">5000</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Message too long</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h4> Rate limit requests </h4> <p>Mount security for your form make you secure am from spam.</p> <p>Recommended:</p> <ul> <li><a href="https://developers.cloudflare.com/turnstile/" rel="noopener noreferrer">Cloudflare Turnstile</a></li> <li>reCAPTCHA</li> <li>IP rate limiting</li> </ul> <h3> Common errors and fixes </h3> <h4> <code>unauthorized_client</code> </h4> <p>Cause:</p> <ul> <li>OAuth consent no dey configured correctly</li> <li>Gmail account no dey added as test user</li> <li>Wrong OAuth client type</li> </ul> <p>Fix:</p> <ul> <li>Add yourself as a test user</li> <li>Use Web Application OAuth client</li> </ul> <h4> <code>redirect_uri_mismatch</code> </h4> <p>Cause:</p> <ul> <li>Missing redirect URI</li> </ul> <p>Fix:<br> Add the local server with your desired port:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://localhost:3000 </code></pre> </div> <p>to:</p> <ul> <li>Authorized redirect URIs</li> </ul> <h4> <code>invalid_grant</code> </h4> <p>Cause:</p> <ul> <li>Expired or revoked refresh token</li> </ul> <p>Fix:</p> <ul> <li>Generate a new refresh token</li> </ul> <h4> <code>Username and password not accepted</code> </h4> <p>Cause:</p> <ul> <li>Using password auth instead of the OAuth2</li> </ul> <p>Fix:</p> <ul> <li>Use OAuth2 credentials</li> </ul> <h3> Production recommendations </h3> <p>For small forms like the portfolio/contact forms, the Gmail OAuth2 works well.</p> <p>However, for scalable production apps, consider dedicated email providers like:</p> <ul> <li><a href="https://resend.com" rel="noopener noreferrer">Resend</a></li> <li><a href="https://www.mailgun.com" rel="noopener noreferrer">Mailgun</a></li> <li><a href="https://www.brevo.com" rel="noopener noreferrer">Brevo</a></li> </ul> <p>Advantages:</p> <ul> <li>Better deliverability</li> <li>Easier setup</li> <li>Analytics</li> <li>Fewer Gmail restrictions</li> </ul> <h3> Full code implementation </h3> <p>My full code implementation inside my Nuxt server component for my portfolio<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">nodemailer</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">nodemailer</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">escapeHtml</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">escape-html</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineEventHandler</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">readBody</span><span class="p">(</span><span class="nx">event</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">body</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="nf">createError</span><span class="p">({</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="na">statusMessage</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid request payload. Body is required.</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">subject</span><span class="p">,</span> <span class="nx">message</span><span class="p">,</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">body</span><span class="p">;</span> <span class="c1">// Validation</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">name</span> <span class="o">||</span> <span class="k">typeof</span> <span class="nx">name</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">string</span><span class="dl">"</span> <span class="o">||</span> <span class="o">!</span><span class="nx">name</span><span class="p">.</span><span class="nf">trim</span><span class="p">())</span> <span class="p">{</span> <span class="k">throw</span> <span class="nf">createError</span><span class="p">({</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="na">statusMessage</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Name is required and must be a valid text.</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">email</span> <span class="o">||</span> <span class="k">typeof</span> <span class="nx">email</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">string</span><span class="dl">"</span> <span class="o">||</span> <span class="o">!</span><span class="nx">email</span><span class="p">.</span><span class="nf">trim</span><span class="p">())</span> <span class="p">{</span> <span class="k">throw</span> <span class="nf">createError</span><span class="p">({</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="na">statusMessage</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Email address is required.</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">emailRegex</span> <span class="o">=</span> <span class="sr">/^</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+@</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+</span><span class="se">\.[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+$/</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">emailRegex</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">email</span><span class="p">.</span><span class="nf">trim</span><span class="p">()))</span> <span class="p">{</span> <span class="k">throw</span> <span class="nf">createError</span><span class="p">({</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="na">statusMessage</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Please provide a valid email address.</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">message</span> <span class="o">||</span> <span class="k">typeof</span> <span class="nx">message</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">string</span><span class="dl">"</span> <span class="o">||</span> <span class="o">!</span><span class="nx">message</span><span class="p">.</span><span class="nf">trim</span><span class="p">())</span> <span class="p">{</span> <span class="k">throw</span> <span class="nf">createError</span><span class="p">({</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="na">statusMessage</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Message is required and must be a valid text.</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">message</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">5000</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="nf">createError</span><span class="p">({</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="na">statusMessage</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Message too long</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">trimmedName</span> <span class="o">=</span> <span class="nf">escapeHtml</span><span class="p">(</span><span class="nx">name</span><span class="p">.</span><span class="nf">trim</span><span class="p">());</span> <span class="kd">const</span> <span class="nx">trimmedEmail</span> <span class="o">=</span> <span class="nf">escapeHtml</span><span class="p">(</span><span class="nx">email</span><span class="p">.</span><span class="nf">trim</span><span class="p">());</span> <span class="kd">const</span> <span class="nx">trimmedSubject</span> <span class="o">=</span> <span class="nf">escapeHtml</span><span class="p">(</span><span class="nx">subject</span><span class="p">.</span><span class="nf">trim</span><span class="p">());</span> <span class="kd">const</span> <span class="nx">trimmedMessage</span> <span class="o">=</span> <span class="nf">escapeHtml</span><span class="p">(</span><span class="nx">message</span><span class="p">.</span><span class="nf">trim</span><span class="p">());</span> <span class="c1">// Dispatching</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SMTP_USER</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">receiver</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CONTACT_EMAIL_RECEIVER</span> <span class="o">??</span> <span class="nx">user</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">clientId</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_ID</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">clientSecret</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_SECRET</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_OAUTH_REFRESH_TOKEN</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span> <span class="o">&amp;&amp;</span> <span class="nx">clientId</span> <span class="o">&amp;&amp;</span> <span class="nx">clientSecret</span> <span class="o">&amp;&amp;</span> <span class="nx">refreshToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">transporter</span> <span class="o">=</span> <span class="nx">nodemailer</span><span class="p">.</span><span class="nf">createTransport</span><span class="p">({</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gmail</span><span class="dl">"</span><span class="p">,</span> <span class="na">auth</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">OAuth2</span><span class="dl">"</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="nx">user</span><span class="p">,</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">clientId</span><span class="p">,</span> <span class="na">clientSecret</span><span class="p">:</span> <span class="nx">clientSecret</span><span class="p">,</span> <span class="na">refreshToken</span><span class="p">:</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="p">}</span> <span class="p">})</span> <span class="k">await</span> <span class="nx">transporter</span><span class="p">.</span><span class="nf">sendMail</span><span class="p">({</span> <span class="na">from</span><span class="p">:</span> <span class="s2">`"Portfolio Contact" &lt;</span><span class="p">${</span><span class="nx">user</span><span class="p">}</span><span class="s2">&gt;`</span><span class="p">,</span> <span class="na">replyTo</span><span class="p">:</span> <span class="nx">trimmedEmail</span><span class="p">,</span> <span class="na">to</span><span class="p">:</span> <span class="nx">receiver</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">trimmedSubject</span> <span class="o">??</span> <span class="s2">`Portfolio Message from </span><span class="p">${</span><span class="nx">trimmedName</span><span class="p">}</span><span class="s2">`</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="s2">`Name: </span><span class="p">${</span><span class="nx">trimmedName</span><span class="p">}</span><span class="s2">\nEmail: </span><span class="p">${</span><span class="nx">trimmedEmail</span><span class="p">}</span><span class="s2">\n\nMessage:\n</span><span class="p">${</span><span class="nx">trimmedMessage</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">html</span><span class="p">:</span> <span class="s2">` &lt;div style="font-family: sans-serif; padding: 20px; color: #333; max-width: 600px; border: 1px solid #e2e8f0; border-radius: 12px;"&gt; &lt;h2 style="color: #235347; border-bottom: 2px solid #235347; padding-bottom: 8px;"&gt;New Contact Form Message&lt;/h2&gt; &lt;p&gt;&lt;strong&gt;Name:&lt;/strong&gt; </span><span class="p">${</span><span class="nx">trimmedName</span><span class="p">}</span><span class="s2">&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Email:&lt;/strong&gt; &lt;a href="mailto:</span><span class="p">${</span><span class="nx">trimmedEmail</span><span class="p">}</span><span class="s2">"&gt;</span><span class="p">${</span><span class="nx">trimmedEmail</span><span class="p">}</span><span class="s2">&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Message:&lt;/strong&gt;&lt;/p&gt; &lt;blockquote style="background: #f7fafc; padding: 15px; border-left: 4px solid #235347; margin: 0; white-space: pre-wrap;"&gt;</span><span class="p">${</span><span class="nx">trimmedMessage</span><span class="p">}</span><span class="s2">&lt;/blockquote&gt; &lt;hr style="border: 0; border-top: 1px solid #e2e8f0; margin: 20px 0;" /&gt; &lt;p style="font-size: 0.875rem; color: #718096;"&gt;Sent from your Portfolio contact form.&lt;/p&gt; &lt;/div&gt; `</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Message sent successfully via SMTP!</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="na">error</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">SMTP sending error:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="k">throw</span> <span class="nf">createError</span><span class="p">({</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="na">statusMessage</span><span class="p">:</span> <span class="s2">`Failed to send email. Error: </span><span class="p">${</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">SMTP Configuration Issue</span><span class="dl">"</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <h3> Final thoughts </h3> <p>Setting up Gmail OAuth2 with Nodemailer fit be like say na heavy or too much work because say the following dey involved:</p> <ul> <li>Google Cloud configuration</li> <li>OAuth flows</li> <li>API permissions</li> <li>Token generation</li> </ul> <p>But once you don configure am properly, e go provide a secure and production-ready email solution wey no need make you expose your Gmail password.</p> <p>The key steps no pass:</p> <ol> <li>Enable Gmail API</li> <li>Configure OAuth consent</li> <li>Create OAuth credentials</li> <li>Generate a refresh token</li> <li>Configure Nodemailer correctly</li> <li>Use <code>replyTo</code> instead of arbitrary <code>from</code> addresses</li> <li>Escape user input to prevent injection</li> </ol> <p>Once all these things don gather stand well, your application fit dey use Gmail and OAuth2 authentication dey send emails securely, you mind sef go dey at rest. I hope say you go find am usefully helpful. </p> <p>Cheers🥂!</p> webdev tutorial google javascript