b87cbfa21a
Brings the Google Drive provider to the web build. Native uses PKCE + a reverse-DNS redirect + keychain refresh token; none of that works in a browser, and the GIS popup token model is broken by the app's COOP `same-origin` header (needed for Turso's SharedArrayBuffer) which severs the popup's opener handle and fires `popup_closed` instantly. So web uses a full-page redirect, which doesn't rely on `window.opener` and works under COOP. - auth/webRedirectFlow.ts: builds the implicit (response_type=token) auth URL, begins the redirect (CSRF state + return path in sessionStorage), and parses the token from the callback fragment. Implicit flow because a secretless Web client can't do a code exchange. - auth/webTokenStore.ts: sessionStorage-backed access-token store (no refresh token in this model; the token is short-lived). - WebDriveAuth: browser DriveAuth — reads the stored token, fails AUTH_FAILED once expired (prompts a reconnect; no background refresh), accountLabel via about.get. - app/gdrive-callback: OAuth return route — validates state, stores the token, marks Drive the active cloud provider (+ account label), routes back. - buildGoogleDriveProvider: web branch builds the provider on WebDriveAuth + globalThis.fetch (Drive REST is CORS-enabled; streaming stays Tauri-only so web buffers). Official Web client id baked (NEXT_PUBLIC_GOOGLE_WEB_CLIENT_ID overrides). googleDriveConnect web Connect = redirect; Disconnect clears the token. Drive row shown on web. No background token refresh: a secretless browser client gets no refresh token and Google blocks hidden-iframe silent renewal, so the user reconnects per session (a server-side token broker would be needed for auto-refresh; out of scope). Tests cover the redirect helpers, token store, and WebDriveAuth. Ops: add `https://web.readest.com/gdrive-callback` + `http://localhost:3000/gdrive-callback` to the Web client's Authorized redirect URIs. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>