Skip to content

[codex] Fix Google Calendar auth recovery#8968

Merged
Git-on-my-level merged 1 commit into
BasedHardware:mainfrom
Git-on-my-level:codex/fix-calendar-auth-recovery
Jul 3, 2026
Merged

[codex] Fix Google Calendar auth recovery#8968
Git-on-my-level merged 1 commit into
BasedHardware:mainfrom
Git-on-my-level:codex/fix-calendar-auth-recovery

Conversation

@Git-on-my-level

@Git-on-my-level Git-on-my-level commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • make Google Calendar conversation auto-linking opt-in via GOOGLE_CALENDAR_AUTO_LINK_ENABLED so generic sync/reprocess jobs do not call or mutate Calendar for every connected user
  • mark Google Calendar integrations as reauth_required and disconnected when refresh credentials are permanently unusable (missing_refresh_token or Google invalid_grant)
  • declare Google OAuth client secrets for all backend Cloud Run services, including backend-sync, so token refresh config is preserved by runtime-env deploy rendering

Root cause

Calendar auto-linking was running inside generic conversation processing for every non-discarded conversation with timestamps and google_calendar.connected == true. When access tokens expired, backend-sync and pusher repeatedly attempted refresh; backend-sync was missing Google OAuth client env, and permanently invalid user credentials stayed marked connected, so future jobs retried indefinitely.

Validation

  • cd backend && pytest -q tests/unit/test_google_calendar_auth_recovery.py tests/unit/test_calendar_linking_helpers_async.py tests/unit/test_calendar_link_async.py tests/unit/test_google_credentials.py
  • cd backend && python scripts/validate-backend-runtime-env.py --env prod && python scripts/validate-backend-runtime-env.py --env dev
  • cd backend && python scripts/scan_import_time_side_effects.py
  • cd backend && python scripts/scan_async_blockers.py
  • git diff --check
  • cd backend && CLOUD_RUN_VPC_NETWORK=dummy-net CLOUD_RUN_VPC_SUBNET=dummy-subnet OMI_LLM_GATEWAY_URL=http://dummy python scripts/render-backend-runtime-env.py --env prod | rg -n 'backend_sync_secrets|GOOGLE_CLIENT|backend_secrets|backend_integration_secrets'\n\nCloses Investigate Google Calendar OAuth 401s causing sync failures #8965

Review in cubic

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 4 files

Confidence score: 4/5

  • In backend/tests/unit/test_google_calendar_auth_recovery.py, the third assertion is brittle because it depends on exact whitespace in a source snippet, so harmless formatting/refactor changes could fail CI and block otherwise valid merges. This is likely non-production risk, but de-risk by rewriting the assertion to validate behavior (or a less formatting-sensitive pattern) before merging.

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread backend/tests/unit/test_google_calendar_auth_recovery.py Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 05fda48fab

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +56 to +57
updated.pop('access_token', None)
await run_blocking(db_executor, users_db.set_integration, uid, 'google_calendar', updated)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Delete the stale Calendar token on reauth

When invalid_grant or a missing refresh token hits this path, updated.pop('access_token', None) only removes the key from the local payload; users_db.set_integration persists with set(..., merge=True), so omitted fields are left untouched in Firestore. For affected Calendar users, the old access token remains stored even after the integration is marked disconnected/reauth_required, defeating the credential cleanup this branch appears to intend; use a Firestore delete sentinel or a non-merge overwrite for the token field.

Useful? React with 👍 / 👎.

@Git-on-my-level Git-on-my-level force-pushed the codex/fix-calendar-auth-recovery branch from 05fda48 to 8a24a1d Compare July 3, 2026 21:59
@Git-on-my-level Git-on-my-level merged commit e13e6ba into BasedHardware:main Jul 3, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant