Implement full OAuth 2.0 flow for Google Calendar and Microsoft
Outlook with client-side EncryptID encryption. Tokens are exchanged
server-side using provider secrets, passed to the client via a
one-time retrieval code, then encrypted with the user's passkey
(AES-256-GCM) and stored only in the browser. The server never
persists OAuth tokens.

New files:
- src/lib/oauth.ts — server-side OAuth helpers for both providers
- src/lib/pending-tokens.ts — ephemeral in-memory token store (60s TTL)
- src/app/api/auth/{google,microsoft}/* — OAuth authorize/callback/refresh routes
- src/app/api/auth/calendars/route.ts — list connected calendar sources
- src/hooks/useCalendarTokens.ts — client-side encrypted token management
- src/components/ConnectCalendarBanner.tsx — connect calendar prompt with status feedback

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
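
The one-time retrieval code and 60s in-memory store described above can be sketched as follows. This is an added example, not the code from this commit: `PendingTokenStore`, `OAuthTokens` and their method names are hypothetical, and only the 60-second TTL is taken from the message.

```typescript
import { randomBytes } from "node:crypto";

// Hypothetical token shape; the commit message does not show the real one.
interface OAuthTokens {
  accessToken: string;
  refreshToken?: string;
  expiresAt: number; // epoch milliseconds
}

const TTL_MS = 60 * 1000; // 60s TTL, as stated in the commit message

class PendingTokenStore {
  private entries = new Map<string, { tokens: OAuthTokens; deadline: number }>();
  private now: () => number;

  // The clock is injectable so expiry can be exercised without waiting.
  constructor(now: () => number = Date.now) {
    this.now = now;
  }

  // OAuth callback side: park the exchanged tokens, hand back a one-time code.
  put(tokens: OAuthTokens): string {
    this.sweep();
    const code = randomBytes(32).toString("hex"); // 256 bits from the CSPRNG
    this.entries.set(code, { tokens, deadline: this.now() + TTL_MS });
    return code;
  }

  // Retrieval side: the entry is deleted before the deadline check, so a
  // replayed or expired code always misses and nothing stays behind.
  take(code: string): OAuthTokens | null {
    const entry = this.entries.get(code);
    if (!entry) return null;
    this.entries.delete(code);
    return this.now() <= entry.deadline ? entry.tokens : null;
  }

  // Drop codes that were never redeemed so tokens do not linger in memory.
  sweep(): void {
    const t = this.now();
    this.entries.forEach((entry, code) => {
      if (t > entry.deadline) this.entries.delete(code);
    });
  }

  size(): number {
    return this.entries.size;
  }
}
```

Because the store lives in process memory, the callback and the retrieval request must reach the same server instance.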