Switch Google auth to desktop OAuth flow with embedded credentials

Replace device code flow with localhost redirect OAuth flow for simpler
UX. Embed default OAuth client credentials in binary with env var
overrides (CALENDARCHY_GOOGLE_CLIENT_ID, CALENDARCHY_GOOGLE_CLIENT_SECRET).
Simplify setup wizard to single y/n for Google, add 'S' key to re-enter
setup, and ensure Google auth completes before iCloud setup begins.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sovanesyan

Cargo.toml

@@ -6,7 +6,7 @@ edition = "2024"
 [dependencies]
 crossterm = "0.28"
 chrono = { version = "0.4", features = ["serde"] }
-tokio = { version = "1", features = ["rt-multi-thread", "macros", "time", "sync"] }
+tokio = { version = "1", features = ["rt-multi-thread", "macros", "time", "sync", "net", "io-util"] }
 reqwest = { version = "0.12", features = ["json", "rustls-tls"], default-features = false }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"

src/app.rs

@@ -30,9 +30,7 @@ pub struct SearchResult {
 pub enum SetupStep {
     Welcome,
     GoogleAsk,
-    GoogleOpenUrl,
-    GoogleClientId,
-    GoogleSecret,
+    GoogleAuthWaiting,
     ICloudAsk,
     ICloudMethod,     // Choose EventKit vs CalDAV (macOS only)
     ICloudOpenUrl,
@@ -52,8 +50,7 @@ pub enum ICloudMethod {
 pub struct SetupState {
     pub step: SetupStep,
     pub input: String,
-    pub google_client_id: Option<String>,
-    pub google_client_secret: Option<String>,
+    pub google_enabled: bool,
     pub icloud_method: Option<ICloudMethod>,
     pub icloud_apple_id: Option<String>,
     pub icloud_password: Option<String>,
@@ -66,8 +63,7 @@ impl SetupState {
         Self {
             step: SetupStep::Welcome,
             input: String::new(),
-            google_client_id: None,
-            google_client_secret: None,
+            google_enabled: false,
             icloud_method: None,
             icloud_apple_id: None,
             icloud_password: None,

src/auth.rs

@@ -1,4 +1,3 @@
-use chrono::{DateTime, Utc};
 use crate::google::TokenInfo;
 
 /// Trait for auth state display
@@ -11,16 +10,8 @@ pub trait AuthDisplay {
 pub enum GoogleAuthState {
     NotConfigured,
     NotAuthenticated,
-    AwaitingUserCode {
-        #[allow(dead_code)]
-        user_code: String,
-        #[allow(dead_code)]
-        verification_url: String,
-        device_code: String,
-        expires_at: DateTime<Utc>,
-    },
+    Authenticating,
     Authenticated(TokenInfo),
-    #[allow(dead_code)]
     Error(String),
 }
 

src/config.rs

@@ -14,15 +14,42 @@ pub struct Config {
     pub icloud: Option<ICloudConfig>,
 }
 
+/// Built-in Google OAuth credentials (public, identifies the app)
+pub const DEFAULT_GOOGLE_CLIENT_ID: &str =
+    "313544353824-1g092hbgrmd6pemvklv58ld9radn0rg3.apps.googleusercontent.com";
+pub const DEFAULT_GOOGLE_CLIENT_SECRET: &str = "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";
+
 /// Google Calendar configuration
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct GoogleConfig {
+    #[serde(default = "default_google_client_id")]
     pub client_id: String,
+    #[serde(default = "default_google_client_secret")]
     pub client_secret: String,
     #[serde(default = "default_calendar_id")]
     pub calendar_id: String,
 }
 
+impl Default for GoogleConfig {
+    fn default() -> Self {
+        Self {
+            client_id: default_google_client_id(),
+            client_secret: default_google_client_secret(),
+            calendar_id: "primary".to_string(),
+        }
+    }
+}
+
+fn default_google_client_id() -> String {
+    std::env::var("CALENDARCHY_GOOGLE_CLIENT_ID")
+        .unwrap_or_else(|_| DEFAULT_GOOGLE_CLIENT_ID.to_string())
+}
+
+fn default_google_client_secret() -> String {
+    std::env::var("CALENDARCHY_GOOGLE_CLIENT_SECRET")
+        .unwrap_or_else(|_| DEFAULT_GOOGLE_CLIENT_SECRET.to_string())
+}
+
 /// iCloud Calendar configuration
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ICloudConfig {
@@ -109,7 +136,18 @@ impl Config {
         }
 
         let content = fs::read_to_string(&path)?;
-        let config: Config = serde_json::from_str(&content)?;
+        let mut config: Config = serde_json::from_str(&content)?;
+
+        // Env vars always override saved config
+        if let Some(ref mut google) = config.google {
+            if let Ok(id) = std::env::var("CALENDARCHY_GOOGLE_CLIENT_ID") {
+                google.client_id = id;
+            }
+            if let Ok(secret) = std::env::var("CALENDARCHY_GOOGLE_CLIENT_SECRET") {
+                google.client_secret = secret;
+            }
+        }
+
         Ok(config)
     }
 

src/google/auth.rs

@@ -1,28 +1,22 @@
 use crate::config::GoogleConfig;
 use crate::error::{CalendarchyError, Result};
-use crate::google::types::{DeviceCodeResponse, TokenInfo, TokenResponse};
+use crate::google::types::{TokenInfo, TokenResponse};
 use crate::logging::{log_request, log_response};
 use chrono::Utc;
 use reqwest::Client;
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+use tokio::net::TcpListener;
 
-const DEVICE_CODE_URL: &str = "https://oauth2.googleapis.com/device/code";
+const AUTH_URL: &str = "https://accounts.google.com/o/oauth2/v2/auth";
 const TOKEN_URL: &str = "https://oauth2.googleapis.com/token";
-const CALENDAR_SCOPE: &str = "https://www.googleapis.com/auth/calendar";
+const CALENDAR_SCOPE: &str = "https://www.googleapis.com/auth/calendar.events";
+const REDIRECT_URI: &str = "http://127.0.0.1:18457";
 
 pub struct GoogleAuth {
     client: Client,
     config: GoogleConfig,
 }
 
-#[derive(Debug)]
-pub enum PollResult {
-    Success(TokenInfo),
-    Pending,
-    SlowDown,
-    Denied,
-    Expired,
-}
-
 impl GoogleAuth {
     pub fn new(config: GoogleConfig) -> Self {
         Self {
@@ -31,70 +25,80 @@ impl GoogleAuth {
         }
     }
 
-    /// Step 1: Request device code
-    pub async fn request_device_code(&self) -> Result<DeviceCodeResponse> {
-        log_request("POST", DEVICE_CODE_URL);
-        let response = self
-            .client
-            .post(DEVICE_CODE_URL)
-            .form(&[
-                ("client_id", self.config.client_id.as_str()),
-                ("scope", CALENDAR_SCOPE),
-            ])
-            .send()
-            .await?;
-        log_response(response.status().as_u16(), DEVICE_CODE_URL);
+    /// Get the authorization URL that the user should open in their browser
+    pub fn auth_url(&self) -> String {
+        format!(
+            "{}?client_id={}&redirect_uri={}&response_type=code&scope={}&access_type=offline&prompt=consent",
+            AUTH_URL,
+            urlencoding::encode(&self.config.client_id),
+            urlencoding::encode(REDIRECT_URI),
+            urlencoding::encode(CALENDAR_SCOPE),
+        )
+    }
 
-        if !response.status().is_success() {
-            let body = response.text().await.unwrap_or_default();
-            return Err(CalendarchyError::Auth(format!(
-                "Failed to get device code: {}",
-                body
-            )));
-        }
+    /// Start a localhost server, wait for the OAuth callback, and exchange the code for tokens.
+    /// Returns the tokens on success.
+    pub async fn authenticate_with_browser(&self) -> Result<TokenInfo> {
+        let listener = TcpListener::bind("127.0.0.1:18457").await
+            .map_err(|e| CalendarchyError::Auth(format!("Failed to start auth server: {}", e)))?;
+
+        // Wait for the callback
+        let (mut stream, _) = listener.accept().await
+            .map_err(|e| CalendarchyError::Auth(format!("Failed to accept connection: {}", e)))?;
+
+        let mut buf = vec![0u8; 4096];
+        let n = stream.read(&mut buf).await
+            .map_err(|e| CalendarchyError::Auth(format!("Failed to read request: {}", e)))?;
+
+        let request = String::from_utf8_lossy(&buf[..n]);
 
-        let device_code: DeviceCodeResponse = response.json().await?;
-        Ok(device_code)
+        // Extract the authorization code from the request
+        let code = extract_code(&request)
+            .ok_or_else(|| CalendarchyError::Auth("No authorization code in callback".to_string()))?;
+
+        // Send a response to the browser
+        let response = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n\
+            <html><body style=\"font-family:system-ui;display:flex;justify-content:center;align-items:center;height:100vh;margin:0\">\
+            <h2>Authenticated! You can close this tab.</h2></body></html>";
+        let _ = stream.write_all(response.as_bytes()).await;
+        let _ = stream.shutdown().await;
+
+        // Exchange the code for tokens
+        self.exchange_code(&code).await
     }
 
-    /// Step 2: Poll for token (call this repeatedly)
-    pub async fn poll_for_token(&self, device_code: &str) -> Result<PollResult> {
+    /// Exchange an authorization code for tokens
+    async fn exchange_code(&self, code: &str) -> Result<TokenInfo> {
         log_request("POST", TOKEN_URL);
         let response = self
             .client
             .post(TOKEN_URL)
             .form(&[
                 ("client_id", self.config.client_id.as_str()),
                 ("client_secret", self.config.client_secret.as_str()),
-                ("device_code", device_code),
-                ("grant_type", "urn:ietf:params:oauth:grant-type:device_code"),
+                ("code", code),
+                ("grant_type", "authorization_code"),
+                ("redirect_uri", REDIRECT_URI),
             ])
             .send()
             .await?;
         log_response(response.status().as_u16(), TOKEN_URL);
 
-        if response.status().is_success() {
-            let token_response: TokenResponse = response.json().await?;
-            let token_info = TokenInfo {
-                access_token: token_response.access_token,
-                refresh_token: token_response.refresh_token,
-                expires_at: Utc::now() + chrono::Duration::seconds(token_response.expires_in as i64),
-                token_type: token_response.token_type,
-            };
-            Ok(PollResult::Success(token_info))
-        } else {
-            let error: serde_json::Value = response.json().await?;
-            match error.get("error").and_then(|e| e.as_str()) {
-                Some("authorization_pending") => Ok(PollResult::Pending),
-                Some("slow_down") => Ok(PollResult::SlowDown),
-                Some("access_denied") => Ok(PollResult::Denied),
-                Some("expired_token") => Ok(PollResult::Expired),
-                _ => Err(CalendarchyError::Auth(format!(
-                    "Unknown error: {:?}",
-                    error
-                ))),
-            }
+        if !response.status().is_success() {
+            let body = response.text().await.unwrap_or_default();
+            return Err(CalendarchyError::Auth(format!(
+                "Failed to exchange code: {}",
+                body
+            )));
         }
+
+        let token_response: TokenResponse = response.json().await?;
+        Ok(TokenInfo {
+            access_token: token_response.access_token,
+            refresh_token: token_response.refresh_token,
+            expires_at: Utc::now() + chrono::Duration::seconds(token_response.expires_in as i64),
+            token_type: token_response.token_type,
+        })
     }
 
     /// Refresh an expired token
@@ -130,3 +134,16 @@ impl GoogleAuth {
         })
     }
 }
+
+/// Extract the authorization code from an HTTP request line
+fn extract_code(request: &str) -> Option<String> {
+    let first_line = request.lines().next()?;
+    let path = first_line.split_whitespace().nth(1)?;
+    let query = path.split('?').nth(1)?;
+    for param in query.split('&') {
+        if let Some(value) = param.strip_prefix("code=") {
+            return Some(urlencoding::decode(value).ok()?.to_string());
+        }
+    }
+    None
+}

src/google/types.rs

@@ -16,15 +16,6 @@ impl TokenInfo {
     }
 }
 
-/// Device code response from Google
-#[derive(Debug, Deserialize)]
-pub struct DeviceCodeResponse {
-    pub device_code: String,
-    pub user_code: String,
-    pub verification_url: String,
-    pub expires_in: u64,
-}
-
 /// Token endpoint response
 #[derive(Debug, Deserialize)]
 pub struct TokenResponse {