Add OAuth connect/disconnect UI for services

Update token management page to show OAuth connect buttons for services that support OAuth authentication. Distinguish between OAuth and manual token services, showing appropriate UI elements for each type.

Author: dgellow

internal/config/unmarshal_test.go

@@ -272,9 +272,9 @@ func TestOAuthAuthConfig_UnmarshalJSON(t *testing.T) {
 	assert.Equal(t, []string{"example.com"}, config.AllowedDomains)
 	assert.Equal(t, []string{"https://claude.ai", "https://example.com"}, config.AllowedOrigins)
 	assert.Equal(t, "test-client-id", config.GoogleClientID)
-	assert.Equal(t, "test-secret-value", config.GoogleClientSecret)
-	assert.Equal(t, "this-is-a-very-long-jwt-secret-key", config.JWTSecret)
-	assert.Equal(t, "exactly-32-bytes-long-encryptkey", config.EncryptionKey)
+	assert.Equal(t, Secret("test-secret-value"), config.GoogleClientSecret)
+	assert.Equal(t, Secret("this-is-a-very-long-jwt-secret-key"), config.JWTSecret)
+	assert.Equal(t, Secret("exactly-32-bytes-long-encryptkey"), config.EncryptionKey)
 }
 
 func TestOAuthAuthConfig_ValidationErrors(t *testing.T) {

internal/server/templates.go

@@ -25,12 +25,14 @@ type TokenPageData struct {
 
 // ServiceTokenData represents a single service in the token page
 type ServiceTokenData struct {
-	Name          string
-	DisplayName   string
-	Instructions  string
-	HelpURL       string
-	TokenFormat   string
-	HasToken      bool
-	RequiresToken bool
-	AuthType      string // "oauth", "bearer", or "none"
+	Name             string
+	DisplayName      string
+	Instructions     string
+	HelpURL          string
+	TokenFormat      string
+	HasToken         bool
+	RequiresToken    bool
+	AuthType         string // "oauth", "bearer", or "none"
+	SupportsOAuth    bool   // Whether this service supports OAuth authentication
+	IsOAuthConnected bool   // Whether the user has connected OAuth for this service
 }

internal/server/templates/tokens.html

@@ -143,6 +143,30 @@
             background-color: #c82333;
         }
 
+        button.oauth {
+            background-color: #4285f4;
+            color: white;
+        }
+        
+        button.oauth:hover {
+            background-color: #357ae8;
+        }
+        
+        .oauth-status {
+            display: flex;
+            align-items: center;
+            gap: 10px;
+            margin-top: 15px;
+        }
+        
+        .oauth-connected {
+            color: #2e7d32;
+            font-size: 14px;
+            display: flex;
+            align-items: center;
+            gap: 5px;
+        }
+        
         .message {
             padding: 12px;
             margin-bottom: 20px;
@@ -206,25 +230,44 @@ <h2>{{.DisplayName}}</h2>
                 {{end}}
             </div>
 
-            <form method="POST" action="/my/tokens/set">
-                <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
-                <input type="hidden" name="service" value="{{.Name}}">
-                <input type="password" 
-                       name="token" 
-                       placeholder="{{if .HasToken}}Enter new token to update{{else}}Enter your {{.DisplayName}} token{{end}}"
-                       {{if .TokenFormat}}pattern="{{.TokenFormat}}" title="Token must match pattern: {{.TokenFormat}}"{{end}}
-                       required>
-                <button type="submit" class="primary">
-                    {{if .HasToken}}Update Token{{else}}Save Token{{end}}
-                </button>
-            </form>
-            
-            {{if .HasToken}}
-            <form method="POST" action="/my/tokens/delete" class="delete-form">
-                <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
-                <input type="hidden" name="service" value="{{.Name}}">
-                <button type="submit" class="danger">Remove Token</button>
-            </form>
+            {{if .SupportsOAuth}}
+                {{if .IsOAuthConnected}}
+                <div class="oauth-status">
+                    <span class="oauth-connected">✓ Connected via OAuth</span>
+                    <form method="POST" action="/oauth/disconnect" style="display: inline;">
+                        <input type="hidden" name="service" value="{{.Name}}">
+                        <button type="submit" class="danger">Disconnect {{.DisplayName}}</button>
+                    </form>
+                </div>
+                {{else}}
+                <div class="oauth-status">
+                    <form method="GET" action="/oauth/connect" style="display: inline;">
+                        <input type="hidden" name="service" value="{{.Name}}">
+                        <button type="submit" class="oauth">Connect with {{.DisplayName}}</button>
+                    </form>
+                </div>
+                {{end}}
+            {{else}}
+                <form method="POST" action="/my/tokens/set">
+                    <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
+                    <input type="hidden" name="service" value="{{.Name}}">
+                    <input type="password" 
+                           name="token" 
+                           placeholder="{{if .HasToken}}Enter new token to update{{else}}Enter your {{.DisplayName}} token{{end}}"
+                           {{if .TokenFormat}}pattern="{{.TokenFormat}}" title="Token must match pattern: {{.TokenFormat}}"{{end}}
+                           required>
+                    <button type="submit" class="primary">
+                        {{if .HasToken}}Update Token{{else}}Save Token{{end}}
+                    </button>
+                </form>
+                
+                {{if .HasToken}}
+                <form method="POST" action="/my/tokens/delete" class="delete-form">
+                    <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
+                    <input type="hidden" name="service" value="{{.Name}}">
+                    <button type="submit" class="danger">Remove Token</button>
+                </form>
+                {{end}}
             {{end}}
             {{else}}
             <div class="instructions">

internal/server/token_handlers.go

@@ -86,17 +86,34 @@ func (h *TokenHandlers) ListTokensHandler(w http.ResponseWriter, r *http.Request
 				if serverConfig.UserAuthentication.DisplayName != "" {
 					service.DisplayName = serverConfig.UserAuthentication.DisplayName
 				}
-				if serverConfig.UserAuthentication.Type == config.UserAuthTypeManual {
+
+				// Check if this service supports OAuth
+				if serverConfig.UserAuthentication.Type == config.UserAuthTypeOAuth {
+					service.SupportsOAuth = true
+					service.Instructions = fmt.Sprintf("Connect your %s account via OAuth", service.DisplayName)
+
+					// Check if OAuth is already connected
+					storedToken, err := h.tokenStore.GetUserToken(r.Context(), userEmail, name)
+					if err == nil && storedToken.Type == storage.TokenTypeOAuth {
+						service.IsOAuthConnected = true
+						service.HasToken = true
+					}
+				} else if serverConfig.UserAuthentication.Type == config.UserAuthTypeManual {
 					if serverConfig.UserAuthentication.Instructions != "" {
 						service.Instructions = serverConfig.UserAuthentication.Instructions
 					}
 					service.HelpURL = serverConfig.UserAuthentication.HelpURL
+
+					// Check if manual token exists
+					_, err := h.tokenStore.GetUserToken(r.Context(), userEmail, name)
+					service.HasToken = err == nil
 				}
 				service.TokenFormat = serverConfig.UserAuthentication.TokenFormat
+			} else {
+				// No UserAuthentication config means manual token
+				_, err := h.tokenStore.GetUserToken(r.Context(), userEmail, name)
+				service.HasToken = err == nil
 			}
-
-			_, err := h.tokenStore.GetUserToken(r.Context(), userEmail, name)
-			service.HasToken = err == nil
 		} else {
 			// Determine if it's OAuth authenticated or uses bearer tokens
 			if h.oauthEnabled {