284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Integration Tests / Check for relevant changes (push) Waiting to run
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Mobile checks / Mobile unit tests (push) Waiting to run
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Temporal Readiness / fast-readiness (push) Waiting to run
Temporal Readiness / docker-parity (push) Waiting to run
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Unit Tests / Skipped-test budget (push) Waiting to run
Unit Tests / Nx affected unit tests (push) Waiting to run
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
54 lines
4.0 KiB
Markdown
54 lines
4.0 KiB
Markdown
# Scratchpad — Tenant-Owned Google OAuth
|
|
|
|
## Context / Ask
|
|
- Switch Google integrations to tenant-owned OAuth apps (client id/secret per tenant), remove Alga-owned app dependency.
|
|
- Add a setup area with guidance.
|
|
- Update setup screens for Google Calendar + Gmail inbound email to use tenant-supplied credentials and select the appropriate tenant Google configuration.
|
|
- Store secrets via Secrets Provider as tenant secrets.
|
|
- No migrations; fresh cutover is acceptable.
|
|
|
|
## Code Pointers (current-state)
|
|
### Settings / UI entrypoints
|
|
- Integrations settings hub: `server/src/components/settings/integrations/IntegrationsSettingsPage.tsx`
|
|
- Calendar settings page: `server/src/components/calendar/CalendarIntegrationsSettings.tsx`
|
|
- Google calendar provider form: `server/src/components/calendar/GoogleCalendarProviderForm.tsx`
|
|
- Email settings / providers: `server/src/components/EmailProviderConfiguration.tsx`
|
|
- Gmail provider form: `server/src/components/GmailProviderForm.tsx`
|
|
|
|
### Email (Gmail) OAuth + persistence
|
|
- OAuth init action: `server/src/lib/actions/email-actions/oauthActions.ts`
|
|
- OAuth init API route (also exists): `server/src/app/api/email/oauth/initiate/route.ts`
|
|
- OAuth callback route: `server/src/app/api/auth/google/callback/route.ts`
|
|
- Provider + config persistence: `server/src/lib/actions/email-actions/emailProviderActions.ts`
|
|
- Pub/Sub provisioning: `server/src/lib/actions/email-actions/setupPubSub.ts` (currently reads `google_service_account_key` as an app secret)
|
|
- Pub/Sub + watch orchestration: `server/src/lib/actions/email-actions/configureGmailProvider.ts`
|
|
- Gmail token refresh reads tenant secrets fallback: `server/src/services/email/providers/GmailAdapter.ts`
|
|
|
|
### Calendar OAuth + persistence
|
|
- OAuth init action: `server/src/lib/actions/calendarActions.ts`
|
|
- Redirect URI resolver: `server/src/utils/calendar/redirectUri.ts`
|
|
- OAuth callback route: `server/src/app/api/auth/google/calendar/callback/route.ts`
|
|
- Token refresh reads tenant secrets fallback: `server/src/services/calendar/providers/GoogleCalendarAdapter.ts`
|
|
- Pub/Sub verification job: `server/src/lib/jobs/handlers/calendarWebhookMaintenanceHandler.ts` (calls `GoogleCalendarAdapter.registerWebhookSubscription()` which is currently a no-op placeholder)
|
|
|
|
## Observations
|
|
- Multiple “hosted detection” branches select app-level Google credentials (based on `NEXTAUTH_URL` containing `https://algapsa.com`).
|
|
- Email provider persistence already writes user-provided client id/secret into tenant secrets in some paths, but also persists them into DB config columns and may override with hosted secrets if present.
|
|
- Docs for Gmail setup already describe tenant secrets for `google_service_account_key`: `docs/inbound-email/setup/gmail.md`, but implementation currently uses app secret.
|
|
- Calendar runbook already assumes tenant-provided OAuth apps: `docs/integrations/calendar-sync-operations.md`.
|
|
|
|
## Decisions (proposed)
|
|
- Add a dedicated “Google” integration settings panel under Integrations → Communication.
|
|
- Default to one shared OAuth app for Gmail + Calendar (still allow separate credentials if needed).
|
|
- Prefer reusing existing secret key names to avoid larger refactors.
|
|
- `${BASE_URL}` redirect URIs are canonical; no tenant-specific redirect URI overrides.
|
|
- Remove/disable Google “hosted uses app secrets” paths and require tenant secrets instead.
|
|
- Do not migrate; tenants reconfigure.
|
|
- Reset existing Google providers back to an initial/disconnected state for the fresh cutover.
|
|
- Implement Google Calendar change callbacks (current code expects Pub/Sub push to `/api/calendar/webhooks/google`).
|
|
- Add scheduled Google maintenance jobs (token preflight refresh + Gmail watch renewal + Calendar notification verification) using the job runner abstraction (PG Boss/Temporal).
|
|
|
|
## Open Questions
|
|
- Whether to build a “connected Google accounts” abstraction vs continue per-integration OAuth token storage.
|
|
- Calendar notifications feasibility: confirm Pub/Sub vs native Calendar push channels based on what Google supports for Calendar updates with our stack.
|