* fix(plugin-oauth): surface real error and propagate state on local errors
Clicking "Connect Google Account" could show the generic
"Authentication failed!" snack with no detail. Two issues caused this:
1. The catch in connectOAuth swallowed the actual error. Log it and
include the message in the snack so failures are diagnosable.
2. When the Electron main process emitted a local OAuth error
(invalid_auth_url, failed_to_open_browser), the IPC payload had no
state, and handleRedirectError silently dropped any callback whose
state did not match. Echo the state from the auth URL on the main
side, and treat missing-state errors as trusted local failures on
the renderer side (they are not CSRF-relevant). This rejects the
pending flow immediately instead of waiting for the 5-minute timeout.
* fix(plugin-oauth): apply review feedback on connect-OAuth UX
- Split the try block in connectOAuth so a failure of _loadDynamicOptions
no longer surfaces as an "Authentication failed" snack on top of the
success snack. The OAuth connection itself succeeded; loadOptions has
its own per-field error reporting.
- Sanitize the surfaced error: collapse whitespace and cap to 200 chars
so a long HttpErrorResponse message doesn't blow up the snack.
- Log the message field instead of the raw Error, per CLAUDE.md
anti-pattern #11 (log history is exportable).
- Use undefined instead of null for the state echo in the main process
to match the renderer/preload signatures.
---------
Co-authored-by: Claude <noreply@anthropic.com>
Google's Desktop OAuth client requires loopback redirect URIs
(http://127.0.0.1:<port>) and blocks embedded webviews. This replaces
the custom URI scheme + BrowserWindow approach with a temporary loopback
HTTP server and shell.openExternal for the system browser.
- Add PLUGIN_OAUTH_PREPARE IPC to start loopback server and return port
- Open auth URL in system browser instead of Electron BrowserWindow
- Make getRedirectUri() async to support IPC port retrieval
- Validate OAuth config before starting loopback server to prevent leaks
- Force 200 status on OPTIONS preflight responses in CORS bypass
Add OAuth support for plugins with PKCE, token persistence in local-only
IndexedDB, and Electron/web redirect handling. Extend two-way sync with
dueDay, dueWithTime, and timeEstimate field mappings including mutually
exclusive field clearing. Support remote issue deletion on task delete
and remote deletion detection during polling.
Add Google Calendar plugin (disabled from bundled builds pending legal
review) as a development reference for the plugin OAuth and two-way
sync APIs.
Additional fixes:
- Restore accidentally deleted focus-mode translation keys
- Remove full Task[] from deleteTasks action to prevent op-log bloat
- Add dueDay/deadlineDay format validation guards (#6908)
- Fix Android reminder alarm cancel intent matching
- Validate dueDay format to prevent false overdue from corrupted data
- Fix PKCE test expectation after utility consolidation