feat(google): unify Google Workspace setup into one sign-in#200
Conversation
Replace the eleven separate Google integration setups (Gmail, Calendar, Drive, Docs, Sheets, Slides, Forms, Tasks, Chat, Contacts, Meet) with a single Google Workspace page: enter one OAuth client, pick services, and complete one Google consent. The resulting token is fanned out to every selected service so each adapter refreshes independently. Uses a bring-your-own OAuth client model so self-hosted users avoid Google verification, and requests incremental scopes so enabling more services later preserves existing grants. Partial consent enables only the services whose scopes were actually granted. Co-Authored-By: Crush <noreply@anthropic.com>
A connected service could show "Invalid token" even when the token was perfectly valid, because its Google API was simply not enabled in the user's Cloud project. The setup page now validates the shared token once and shows an actionable "Enable API" hint with guidance instead of a misleading error, and the header progress now counts only services that actually pass their health check. Co-Authored-By: Crush <noreply@anthropic.com>
Call out the most common first-run confusion: approving the consent screen grants scopes but does not enable the underlying APIs, which surfaces as a yellow "Enable API" badge. Add matching troubleshooting guidance. Co-Authored-By: Crush <noreply@anthropic.com>
acmacalister
left a comment
There was a problem hiding this comment.
LGTM. Clean PR: CI green, tests cover the unified flow + config fan-out, googleoauth package is well-isolated, no security or architecture concerns. The BYO-client + partial-consent design is the right call for self-hosted users.
|
CI/status checks: all green (build ✓, test ✓, lint ✓, security ✓, rust-sdk ✓). Clean PR — the unified Google Workspace flow is well-structured with the single source of truth in |
Add handler tests for the Google Workspace setup page, credential save fan-out, OAuth start guards, and callback error path — closing the test-coverage gap for the new unified setup flow. Co-Authored-By: Claude <noreply@anthropic.com>
|
CI status checks all passed (build ✓, test ✓, lint ✓, security ✓, rust-sdk ✓). Clean PR — no blocking issues found. LGTM. (Approval blocked by GitHub's same-account restriction.) |
Summary
include_granted_scopes=true) so enabling more services later preserves existing grants, and partial consent enables only the services actually granted.What changed
googleoauth/family.goas the single source of truth for per-service scopes plus the group OAuth start/callback/poll flow; the 11 adapters now pull scopes from it.GOOGLE_OAUTH_CLIENT_ID/GOOGLE_OAUTH_CLIENT_SECRETpopulate all Google services./integrations/google/setup; integrations index shows a collapsed Google Workspace group card; the 11 per-service pages keep working but link to the unified page.docs/google-setup.md(GCP walkthrough, 7-day Testing refresh caveat, scope table, token fan-out), updateddocs/web-ui.mdand the AGENTS.md reference table.Testing
make cipasses (build, vet, race tests, lint, gosec 0 issues, govulncheck clean).💘 Generated with Crush