ulysses/static/js
Hriday Ranka 270b8570fc
feat(email): add Google OAuth2 for Google Workspace / .edu IMAP & SMTP (#237)
* feat(email): add Google OAuth2 for Google Workspace / .edu IMAP & SMTP

Google deprecated basic-auth (password) access for Google Workspace
accounts in May 2025. This means any .edu or org Google email account
could no longer connect via IMAP/SMTP with a username + password —
the email feature was silently broken for a large class of users.

This PR adds full OAuth2 (XOAUTH2) support for Google accounts so
Workspace / .edu emails work out of the box.

## What changed

### Backend
- `core/database.py`: add `oauth_provider`, `oauth_access_token`,
  `oauth_refresh_token`, `oauth_token_expiry`, and `display_name`
  columns to `EmailAccount` + idempotent migration
- `routes/email_helpers.py`: XOAUTH2 auth in `_imap_connect()` and
  `_send_smtp_message()`, automatic token refresh, OAuth fields in
  `_get_email_config()`
- `routes/email_routes.py`: OAuth authorize + callback routes,
  `_smtp_ready()` fix, OAuth fields through `_deliver()` closure,
  `display_name` in `From:` header

### Frontend
- `static/js/settings.js`: "Google Workspace / .edu" provider preset,
  "Connect with Google" button, success/error banner, display name field
- `static/js/document.js`: `_accountCanSend()` recognises OAuth accounts
  as SMTP-capable

* security: sign OAuth state, scope callback by owner, fix quotes & logs

Addresses reviewer feedback on the email OAuth2 PR:

- OAuth state is now HMAC-SHA256 signed (keyed with the app secret from
  secret_storage) encoding account_id + owner + a random nonce, and is
  verified with constant-time comparison in the callback before any
  token write. Replaces the bare account_id state, closing the CSRF /
  state-guessing gap.
- Callback extracts the owner from the verified state and re-checks it
  against EmailAccount.owner before writing tokens, matching the
  ownership guards used elsewhere in the email routes. Single-user mode
  (owner == "") still accepts any account, consistent with
  _assert_owns_account.
- Replaced curly/smart quotes in the Name/Email/Display Name input rows
  with plain ASCII so getElementById lookups and event wiring work.
- Stripped account name, SMTP host/user, owner, and raw provider error
  text from send-config and OAuth logs; failures now surface as generic
  error codes in the redirect instead of raw exception strings.

* test(email): add OAuth2 state, _smtp_ready, and XOAUTH2 tests

Move the OAuth state sign/verify helpers out of the setup_email_routes
closure into module-level make_oauth_state/verify_oauth_state in
email_helpers.py so they can be unit-tested, then add tests/test_email_oauth.py:

- signed state round-trips account_id + owner, nonce is unique per call
- tampered account_id, forged signature, and garbage states are rejected
- _smtp_ready treats an OAuth account (no password) as send-capable, and
  still rejects host+user-only accounts with neither password nor OAuth
- _xoauth2_string / _xoauth2_bytes produce the correct SASL XOAUTH2 framing

14 new tests; existing test_security_regressions.py still passes (28).

* refactor(email): single XOAUTH2 frame helper, use RuntimeError

Polish from self-review before merge:

- Collapse the XOAUTH2 framing to one source of truth: _xoauth2_raw()
  returns the unencoded SASL string used by both the SMTP and IMAP auth
  callbacks (each library base64-encodes it), and _xoauth2_bytes() is
  just its .encode(). Removes the unused base64 _xoauth2_string helper
  and the duplicated inline frame in _send_smtp_message.
- Raise RuntimeError (not bare Exception) for the "OAuth token
  unavailable" path, matching the convention used across src/.
- Update tests accordingly.

All 14 OAuth tests + 28 security regressions pass; SMTP/IMAP XOAUTH2
verified live against a real Workspace account.

* tests(email-oauth): cover the security-sensitive OAuth paths before merge

The previous tests only exercised pure helpers (state signing, _smtp_ready,
XOAUTH2 framing). This adds coverage for the actual token-custody and
ownership behaviour, pinning the real route handlers rather than
re-implementations of their logic.

Real OAuth callback route (pulled live from setup_email_routes()):
- missing code -> generic missing_code redirect, no account id / owner in URL
- provider error -> generic google_error redirect, raw error not echoed
- tampered/invalid state -> invalid_state redirect, auth code never leaked
- signed state with owner mismatch -> token write refused (ownership_error),
  DB row left untouched
- signed state with matching owner -> tokens written encrypted, and only to
  the intended account (a second account stays untouched)

Real accounts-list route:
- exposes oauth_provider status but never the access/refresh token values,
  encrypted or otherwise

Token storage / refresh helpers (isolated in-memory SQLite, mocked HTTP):
- refreshed access token stored encrypted; expiry is a timestamp, not a token
- fresh token uses cache (no refresh call); expired token triggers refresh
- refresh HTTP failure returns None silently, no exception or secret surfaced
- missing client credentials short-circuits to None

Password-account regression:
- password IMAP accounts call conn.login(); OAuth accounts call XOAUTH2
  authenticate() and never login()

28 tests pass (14 prior + 14 new).

* fix(email-oauth): drop raw exception text from token-refresh log

Google token refresh failures now log the account id only, matching
the conservative logging used elsewhere on the OAuth path — no raw
provider/exception details surfacing in logs.

* fix(email-oauth): bring OAuth UI parity to the Integrations email form

The Google Workspace / .edu provider preset, Display Name field, and
Connect-with-Google flow were only wired into the Email-tab account
form. The Integrations-tab form (a separate code path for the same
account type) was missing all three, so the OAuth option was invisible
from that entry point. Mirrors the same PROVIDERS entry, OAuth section,
and connect handler so both forms behave identically.

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Alexandre Teixeira <111787685+alteixeira20@users.noreply.github.com>
2026-06-15 17:02:58 +01:00
..
calendar feat: add Sun/Mon week-start setting to calendar (#3875) (#4031) 2026-06-15 15:30:25 +09:00
color fix: theme color parsing breaks on #rgb shorthand hex (#1213) 2026-06-03 00:30:03 +09:00
compare fix: correct Three Jugs eval prompt answer (#2542) (#2544) 2026-06-15 19:21:39 +09:00
editor fix: computeSnap throws when ctx.otherLayers is not an array (#1716) 2026-06-03 13:34:25 +09:00
emailLibrary Harden email HTML URL sanitization (#2496) 2026-06-04 20:47:47 +02:00
markdown Ignore non-string markdown table rows (#1648) 2026-06-03 14:17:02 +09:00
model fix: model cost/info matches first substring key (gpt-4o-mini billed as gpt-4o) (#1439) 2026-06-04 03:05:37 +01:00
research Merge remote-tracking branch 'origin/dev' into test-main-dev-merge-20260615 2026-06-15 21:20:15 +09:00
util fix: monthly schedule label shows 21th/22th/31th (ordinal suffix for days >20) (#1577) 2026-06-03 08:57:47 +09:00
a11y.js Improve accessibility across core flows (#86) 2026-06-01 22:04:00 +02:00
admin.js Fix failing post-merge tests 2026-06-15 22:49:06 +09:00
assistant.js Rename Character copy to Persona 2026-06-02 12:42:15 +09:00
calendar.js Merge remote-tracking branch 'origin/dev' into test-main-dev-merge-20260615 2026-06-15 21:20:15 +09:00
censor.js Ignore censor preference storage errors (#1652) 2026-06-03 14:16:55 +09:00
chat.js Merge remote-tracking branch 'origin/dev' into test-main-dev-merge-20260615 2026-06-15 21:20:15 +09:00
chatRenderer.js fix(chat): make resend message non-destructive 2026-06-15 15:02:48 +09:00
chatStream.js Open email context for agent, email search across All Mail, cookbook serve polish 2026-06-15 20:47:51 +09:00
codeRunner.js Fix/windows llama cpp serve and test upstream (#2669) 2026-06-05 14:53:33 +02:00
colorPicker.js Odysseus v1.0 2026-05-31 23:58:26 +09:00
composerArrowUpRecall.js feat(chat): recall last user message on empty composer ArrowUp (#1175) 2026-06-08 13:06:05 +02:00
cookbook-deps-recipes.js Cookbook/Dependencies: Pip/uv vs Docker variant toggle on recipe panel 2026-06-14 22:47:26 +09:00
cookbook-diagnosis.js Merge remote-tracking branch 'origin/dev' into test-main-dev-merge-20260615 2026-06-15 21:20:15 +09:00
cookbook-hwfit.js Merge remote-tracking branch 'origin/dev' into test-main-dev-merge-20260615 2026-06-15 21:20:15 +09:00
cookbook.js Merge remote-tracking branch 'origin/dev' into test-main-dev-merge-20260615 2026-06-15 21:20:15 +09:00
cookbookDownload.js Cookbook UI: Ollama browser, advanced serve fold, API tokens form, diagnosis toolbar, polish 2026-06-09 09:46:19 +09:00
cookbookProgressSignal.js Don't falsely declare a dependency build stale (#1568) (#1768) 2026-06-03 13:23:35 +09:00
cookbookRunning.js Merge remote-tracking branch 'origin/dev' into test-main-dev-merge-20260615 2026-06-15 21:20:15 +09:00
cookbookSchedule.js Cookbook UI: Ollama browser, advanced serve fold, API tokens form, diagnosis toolbar, polish 2026-06-09 09:46:19 +09:00
cookbookServe.js Merge remote-tracking branch 'origin/dev' into test-main-dev-merge-20260615 2026-06-15 21:20:15 +09:00
document.js feat(email): add Google OAuth2 for Google Workspace / .edu IMAP & SMTP (#237) 2026-06-15 17:02:58 +01:00
documentLibrary.js Cookbook UI: Ollama browser, advanced serve fold, API tokens form, diagnosis toolbar, polish 2026-06-09 09:46:19 +09:00
dragSort.js Odysseus v1.0 2026-05-31 23:58:26 +09:00
emailInbox.js Open email context for agent, email search across All Mail, cookbook serve polish 2026-06-15 20:47:51 +09:00
emailLibrary.js Open email context for agent, email search across All Mail, cookbook serve polish 2026-06-15 20:47:51 +09:00
emojiPicker.js Odysseus v1.0 2026-05-31 23:58:26 +09:00
emojiShortcodes.js Render emoji shortcodes as icons in chat (#345) (#629) 2026-06-05 02:28:42 +02:00
escMenuStack.js fix: make transient dropdown/popup menus close on Escape 2026-06-01 14:23:22 -04:00
fileHandler.js feat(ui): allow expanding consolidated file chip regardless of count (#1849) (#2086) 2026-06-04 14:02:52 +01:00
gallery.js Odysseus v1.0 2026-05-31 23:58:26 +09:00
galleryEditor.js Odysseus v1.0 2026-05-31 23:58:26 +09:00
group.js Harden chat streaming DOM sinks (#2498) 2026-06-04 20:49:37 +02:00
init.js fix(ui): keep minimized windows above composer (#1197) 2026-06-02 23:31:09 +09:00
keyboard-shortcuts.js Ignore AltGr keystrokes in Ctrl+Alt keyboard shortcuts (#825) 2026-06-02 11:12:54 +09:00
langIcons.js fix: langIcon throws on an explicit null opts argument (#1740) 2026-06-03 13:29:21 +09:00
markdown.js Cookbook UI: Ollama browser, advanced serve fold, API tokens form, diagnosis toolbar, polish 2026-06-09 09:46:19 +09:00
memory.js Open email context for agent, email search across All Mail, cookbook serve polish 2026-06-15 20:47:51 +09:00
modalManager.js feat: Claude Agent integration + cookbook reconnect + UI polish 2026-06-04 08:27:26 +09:00
modalSnap.js Merge remote-tracking branch 'origin/dev' into test-main-dev-merge-20260615 2026-06-15 21:20:15 +09:00
modelPicker.js Cookbook UI: Ollama browser, advanced serve fold, API tokens form, diagnosis toolbar, polish 2026-06-09 09:46:19 +09:00
models.js Cookbook UI: Ollama browser, advanced serve fold, API tokens form, diagnosis toolbar, polish 2026-06-09 09:46:19 +09:00
modelSort.js Ignore invalid model sort inputs (#1653) 2026-06-03 14:16:52 +09:00
MODULE_SUMMARY.md docs: fix stale documentation references (#1769) 2026-06-03 13:23:21 +09:00
notes.js fix(notes): reset search filter on panel reopen so stale query doesn't hide notes (#2920) 2026-06-15 11:55:46 +02:00
package.json Fix test suite: ESM module loading and stub isolation (#844) 2026-06-02 11:29:29 +09:00
platform.js Ignore AltGr keystrokes in Ctrl+Alt keyboard shortcuts (#825) 2026-06-02 11:12:54 +09:00
presets.js Keep presets loading with bad local state (#1417) 2026-06-03 04:09:28 +09:00
providerDeviceFlow.js feat: add ChatGPT Subscription provider (#2876) 2026-06-08 10:19:18 +02:00
providers.js Merge remote-tracking branch 'origin/dev' into test-main-dev-merge-20260615 2026-06-15 21:20:15 +09:00
rag.js Odysseus v1.0 2026-05-31 23:58:26 +09:00
researchSynapse.js Odysseus v1.0 2026-05-31 23:58:26 +09:00
search-chat.js Odysseus v1.0 2026-05-31 23:58:26 +09:00
search.js Odysseus v1.0 2026-05-31 23:58:26 +09:00
section-management.js Fix Models section collapse dead pause and missing animation 2026-06-01 16:53:46 +02:00
sessions.js Sessions: Esc + outside-click also close the Move-to-folder submenu 2026-06-10 22:39:23 +09:00
settings.js feat(email): add Google OAuth2 for Google Workspace / .edu IMAP & SMTP (#237) 2026-06-15 17:02:58 +01:00
sidebar-layout.js Odysseus v1.0 2026-05-31 23:58:26 +09:00
signature.js Constrain signature uploads to PNG data (#2844) 2026-06-05 13:17:43 +02:00
skills.js Merge remote-tracking branch 'origin/dev' into test-main-dev-merge-20260615 2026-06-15 21:20:15 +09:00
slashAutocomplete.js feat: add ChatGPT Subscription provider (#2876) 2026-06-08 10:19:18 +02:00
slashCommands.js Fix pinned skill prompt submission race (#3841) 2026-06-15 15:39:44 +09:00
spinner.js Odysseus v1.0 2026-05-31 23:58:26 +09:00
storage.js feat(agent): confine agent file/shell tools to a selectable workspace (#3665) 2026-06-11 18:17:54 +02:00
streamingRenderer.js fix(chat): stop code-block button flicker during streaming (#3023) 2026-06-06 04:08:54 -06:00
streamingSegmenter.js fix(chat): stop code-block button flicker during streaming (#3023) 2026-06-06 04:08:54 -06:00
tasks.js Tasks: optional persona for LLM + research tasks (biases output voice) 2026-06-10 23:36:18 +09:00
theme.js fix: theme color parsing breaks on #rgb shorthand hex (#1213) 2026-06-03 00:30:03 +09:00
tileManager.js fix(ui): restore all-edge modal snap zones (#2260) 2026-06-15 12:36:34 +02:00
tourAutoplay.js Odysseus v1.0 2026-05-31 23:58:26 +09:00
tourHints.js Odysseus v1.0 2026-05-31 23:58:26 +09:00
tts-ai.js Odysseus v1.0 2026-05-31 23:58:26 +09:00
ui.js Revert "fix(ui): allow manual prompt bar resize (#1201)" 2026-06-03 23:03:58 +09:00
voiceRecorder.js Odysseus v1.0 2026-05-31 23:58:26 +09:00
windowDrag.js fix(windowDrag): disable duplicate top-edge fullscreen snap (#3495) 2026-06-15 16:10:40 +09:00
windowResize.js Make tool windows resizable by dragging edges or corners 2026-06-01 19:49:23 +02:00
workspace.js feat(agent): confine agent file/shell tools to a selectable workspace (#3665) 2026-06-11 18:17:54 +02:00