feat: Add OAuth credentials reset button to settings page

- Add Reset OAuth Credentials button to settings page
- Add POST /admin/settings/reset-oauth endpoint
- Add CSRF exclusions for admin settings, sync, and logout routes
- Create oauth_reset_success.html partial template

Allows users to clear OAuth credentials encrypted with wrong key.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: StuMason

src/polar_flow_server/admin/routes.py

@@ -795,6 +795,44 @@ async def admin_settings(
     )
 
 
+@post("/settings/reset-oauth", sync_to_thread=False, status_code=HTTP_200_OK)
+async def reset_oauth_credentials(
+    request: Request[Any, Any, Any],
+    session: AsyncSession,
+) -> Template:
+    """Reset OAuth credentials - clears client ID and secret from database."""
+    # Auth check
+    if not is_authenticated(request):
+        return Template(
+            template_name="admin/partials/sync_error.html",
+            context={"error": "Authentication required. Please log in."},
+        )
+
+    try:
+        # Get app settings and clear OAuth credentials
+        stmt = select(AppSettings).where(AppSettings.id == 1)
+        result = await session.execute(stmt)
+        app_settings = result.scalar_one_or_none()
+
+        if app_settings:
+            app_settings.polar_client_id = None
+            app_settings.polar_client_secret_encrypted = None
+            await session.commit()
+
+        # Return the "no credentials" state HTML
+        return Template(
+            template_name="admin/partials/oauth_reset_success.html",
+            context={},
+        )
+
+    except Exception as e:
+        await session.rollback()
+        return Template(
+            template_name="admin/partials/sync_error.html",
+            context={"error": f"Failed to reset credentials: {str(e)}"},
+        )
+
+
 # ============================================================================
 # Chart Data API Routes (JSON endpoints for Chart.js)
 # ============================================================================

src/polar_flow_server/app.py

@@ -96,6 +96,9 @@ def create_app() -> Litestar:
             "/admin/login",  # Login form - entry point, no session yet
             "/admin/setup",  # Setup flow - entry point, no session yet
             "/admin/oauth/callback",  # OAuth callback from Polar (admin dashboard)
+            "/admin/settings",  # Settings pages (reset-oauth, etc.)
+            "/admin/sync",  # Sync trigger from dashboard
+            "/admin/logout",  # Logout action
             "/oauth/",  # OAuth endpoints for SaaS (callback, exchange, start)
             "/users/",  # API routes use API key auth, not sessions
             "/health",

src/polar_flow_server/templates/admin/partials/oauth_reset_success.html

@@ -0,0 +1,19 @@
+<!-- OAuth Credentials Reset Success - replaces the credentials card -->
+<div class="bg-white shadow rounded-lg p-6 mb-6">
+    <h2 class="text-lg font-semibold text-gray-900 mb-4">Polar OAuth Credentials</h2>
+
+    <div class="p-4 bg-yellow-50 rounded-lg border border-yellow-200">
+        <div class="flex">
+            <svg class="h-5 w-5 text-yellow-400 mr-3" fill="currentColor" viewBox="0 0 20 20">
+                <path fill-rule="evenodd" d="M8.257 3.099c.765-1.36 2.722-1.36 3.486 0l5.58 9.92c.75 1.334-.213 2.98-1.742 2.98H4.42c-1.53 0-2.493-1.646-1.743-2.98l5.58-9.92zM11 13a1 1 0 11-2 0 1 1 0 012 0zm-1-8a1 1 0 00-1 1v3a1 1 0 002 0V6a1 1 0 00-1-1z" clip-rule="evenodd" />
+            </svg>
+            <div>
+                <h3 class="text-sm font-medium text-yellow-800">OAuth credentials have been reset</h3>
+                <p class="text-sm text-yellow-700 mt-1">Configure your Polar OAuth app to start syncing data.</p>
+                <a href="/admin" class="mt-2 inline-block text-sm font-medium text-yellow-800 underline">
+                    Run setup wizard
+                </a>
+            </div>
+        </div>
+    </div>
+</div>

src/polar_flow_server/templates/admin/settings.html

@@ -41,8 +41,26 @@ <h2 class="text-lg font-semibold text-gray-900 mb-4">Polar OAuth Credentials</h2
 
             <div class="text-sm text-gray-600">
                 <p>OAuth credentials are stored encrypted in the database.</p>
-                <p class="mt-1">You can update them by running the setup wizard again or editing below.</p>
+                <p class="mt-1">If you need to update your credentials, reset them first then re-enter.</p>
             </div>
+
+            <form
+                hx-post="/admin/settings/reset-oauth"
+                hx-confirm="Are you sure you want to reset OAuth credentials? You will need to re-enter them."
+                hx-swap="outerHTML"
+                hx-target="closest .bg-white"
+                class="mt-4"
+            >
+                <button
+                    type="submit"
+                    class="inline-flex items-center px-4 py-2 border border-red-300 rounded-md shadow-sm text-sm font-medium text-red-700 bg-white hover:bg-red-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-red-500"
+                >
+                    <svg class="h-4 w-4 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16" />
+                    </svg>
+                    Reset OAuth Credentials
+                </button>
+            </form>
         </div>
         {% else %}
         <div class="p-4 bg-yellow-50 rounded-lg border border-yellow-200">