284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Integration Tests / Check for relevant changes (push) Waiting to run
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Mobile checks / Mobile unit tests (push) Waiting to run
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Temporal Readiness / fast-readiness (push) Waiting to run
Temporal Readiness / docker-parity (push) Waiting to run
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Unit Tests / Skipped-test budget (push) Waiting to run
Unit Tests / Nx affected unit tests (push) Waiting to run
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
2.4 KiB
2.4 KiB
Gmail Provider Setup Guide
This guide walks an administrator through connecting a Gmail mailbox to the system using tenant-owned Google OAuth + Pub/Sub.
For background on why Pub/Sub is now initialised once, see
../architecture/pubsub.md.
Prerequisites
- Google Cloud project with the Gmail API and Pub/Sub API enabled.
- A tenant-owned OAuth client (Client ID + Client Secret) created in Google Cloud Console.
- A tenant-owned service account key JSON (for Pub/Sub provisioning) available for upload/paste.
End-to-End Flow
flowchart TD
A[Admin configures Google integration settings] --> B[User clicks 'Authorize Access' on Gmail provider]
B --> C[Provider draft saved (upsertEmailProvider)]
C --> D[OAuth popup opens]
D --> E[User grants permissions]
E --> F[OAuth callback]
F --> G[configureGmailProvider → setupPubSub]
G --> H[GmailWebhookService.registerWatch]
H --> I[Provider ready]
Only one call to setupPubSub happens at step G.
Step-by-Step
- Open Settings → Integrations → Providers.
- Create (or select) a Google Cloud project and OAuth client, then configure the redirect URI shown in the UI.
- Paste Project ID, OAuth Client ID, OAuth Client Secret, and the service account key JSON into the Google integration screen and save.
- Open Settings → Email Providers → + Add Gmail.
- Fill display name, mailbox, and any label filtering.
- Click Authorize Access and complete the OAuth consent. The window closes automatically and setup continues.
Refreshing Pub/Sub
If the subscription/watch expires or the webhook URL changes, use the Refresh Watch button or call the API:
curl -X POST \
-H "Authorization: Bearer <admin-token>" \
-H "Content-Type: application/json" \
-d '{"providerId":"<providerId>"}' \
https://<host>/api/email/refresh-watch
This bypasses the 24-hour cool-down by setting force=true.
Troubleshooting
- OAuth fails – confirm the tenant’s OAuth client includes the redirect URI shown in Settings → Integrations → Providers.
- No messages arriving – check
google_email_provider_config.pubsub_initialised_atandwatch_expiration. Use Refresh Watch if either is stale. - Pub/Sub provisioning fails – confirm the uploaded service account has the required IAM permissions on the tenant’s Google Cloud project.