feat: Add Google Drive OAuth authentication for private document access

[Gambitnl]

Replace public document sharing requirement with proper OAuth 2.0 authentication.

Changes:

• Add Google OAuth dependencies (google-auth, google-auth-oauthlib, google-api-python-client)
• Create src/google_drive_auth.py module with OAuth flow implementation
• Update app.py Document Viewer with OAuth authorization UI
• Add comprehensive setup guide (GOOGLE_DRIVE_SETUP.md)
• Update .gitignore to protect OAuth credentials

Benefits:

• Access private Google Docs without making them publicly shared
• Secure OAuth 2.0 flow with token refresh handling
• Better security for campaign notes and session logs
• Enables using historical session notes (sessions 1-5) for character profiling

Technical details:

• Uses out-of-band OAuth flow compatible with Gradio
• Token storage in outputs/gdrive_token.json
• Auto-refresh for expired tokens
• Read-only Drive API scope

🤖 Generated with Claude Code

[gemini-code-assist]

Summary of Changes

Hello @Gambitnl, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly upgrades the application's document viewing capabilities by integrating Google Drive OAuth 2.0 authentication. This change eliminates the need for users to make their Google Docs publicly accessible, thereby enhancing security and privacy. The new system allows the application to securely fetch content from private Google Docs, which can then be used for internal processes like character profiling, making the tool more robust and user-friendly for handling sensitive campaign notes and session logs.

Highlights

• Google Drive OAuth Integration: Implemented OAuth 2.0 authentication to allow secure access to private Google Docs, replacing the previous requirement for public sharing.
• New google_drive_auth.py Module: Introduced a dedicated module to encapsulate the Google Drive OAuth flow, credential management, and API interactions for document retrieval.
• Updated Gradio UI for Authorization: The 'Document Viewer' tab in app.py now includes a comprehensive user interface for managing Google Drive authorization, including status checks, starting/completing the flow, and revoking access.
• Detailed Setup Guide: Added GOOGLE_DRIVE_SETUP.md which provides step-by-step instructions for configuring Google Cloud Project, enabling the Drive API, and setting up OAuth credentials.
• Dependency and .gitignore Updates: Included necessary Google authentication libraries in requirements.txt and added credential files (gdrive_credentials.json, gdrive_token.json) to .gitignore for security.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request is a significant improvement, replacing public document sharing with a secure Google Drive OAuth 2.0 flow. The implementation is well-structured with a dedicated authentication module and comprehensive setup documentation. My review focuses on enhancing the robustness and correctness of the implementation. I've identified a critical issue regarding state management in the Gradio application that needs to be addressed to ensure correct behavior for concurrent users or multiple browser tabs. Additionally, I've provided suggestions to improve error handling by using exceptions instead of string comparisons and to make the Google Doc ID parsing more reliable.

[gemini-code-assist]

The use of a global variable OAUTH_FLOW to manage the OAuth flow state is not safe for a web application, even one like Gradio. This will cause issues if multiple users access the app concurrently, or if a single user opens it in multiple browser tabs, as they will all share the same OAUTH_FLOW instance, leading to race conditions and incorrect behavior. The correct way to handle user-specific state in Gradio is by using gr.State.

To fix this, you should:

1. Add a gr.State component to your UI to hold the flow object: oauth_flow_state = gr.State(None).
2. Update start_oauth_flow to return the flow object and wire it to oauth_flow_state in the .click() handler's outputs.
3. Update complete_oauth_flow to accept the flow object from oauth_flow_state as an input.
4. On successful authorization, complete_oauth_flow should return None to clear the oauth_flow_state.

[gemini-code-assist]

The error handling in view_google_doc relies on checking if the returned content string starts with "Error". This is a fragile pattern because the error message could change, or a valid document could coincidentally start with that word. A more robust approach is to have get_document_content and other functions in src/google_drive_auth.py raise specific exceptions for different error conditions (e.g., AuthenticationError, DocumentNotFoundError). The calling function view_google_doc can then use a try...except block to catch these specific exceptions and format an appropriate error message for the user. This makes the code cleaner, more reliable, and decouples the UI from the implementation details of the auth module.

Suggested change

	try:
	doc_id_start = doc_url.find("/d/") + 3
	doc_id_end = doc_url.find("/edit")
	if doc_id_end == -1:
	doc_id_end = doc_url.find("/view")
	if doc_id_end == -1:
	doc_id_end = len(doc_url)
	doc_id = doc_url[doc_id_start:doc_id_end]
	export_url = f"https://docs.google.com/document/d/{doc_id}/export?format=txt"
	response = requests.get(export_url)
	response.raise_for_status()
	NOTEBOOK_CONTEXT = response.text or ""
	return NOTEBOOK_CONTEXT
	if not is_authenticated():
	return "Error: Not authenticated with Google Drive. Please authorize first using the 'Authorize Google Drive' section below."
	content = get_document_content(doc_url)
	# Only update NOTEBOOK_CONTEXT if we got valid content
	if not content.startswith("Error"):
	NOTEBOOK_CONTEXT = content
	return content
	except Exception as e:
	try:
	# This change requires refactoring get_document_content() to raise exceptions on errors.
	content = get_document_content(doc_url)
	NOTEBOOK_CONTEXT = content
	return content
	except Exception as e:
	# For better user feedback, you could catch specific custom exceptions
	# from the google_drive_auth module here.
	return f"Error: {e}"

[gemini-code-assist]

Catching a broad Exception can hide bugs and make debugging difficult. It's better to catch more specific exceptions that you expect can be raised by flow.fetch_token(). According to the google-auth-oauthlib library, this would typically be a subclass of google.auth.exceptions.GoogleAuthError. This makes your error handling more explicit and robust.

Suggested change

	except Exception as e:
	print(f"Error exchanging code for token: {e}")
	return False
	except Exception as e: # Consider catching a more specific exception, e.g., from google.auth.exceptions
	print(f"Error exchanging code for token: {e}")
	return False

[gemini-code-assist]

Similar to other parts of the code, this except Exception is too broad. When refreshing a token, the google-auth library can raise a google.auth.exceptions.RefreshError. Catching this specific exception makes the code more robust and clearly documents the expected failure mode. If a refresh fails, the token file might be corrupt, and it could be a good idea to delete it to force a full re-authentication.

Suggested change

	if creds and creds.expired and creds.refresh_token:
	try:
	creds.refresh(Request())
	TOKEN_FILE.write_text(creds.to_json())
	except Exception as e:
	print(f"Error refreshing token: {e}")
	return None
	if creds and creds.expired and creds.refresh_token:
	try:
	creds.refresh(Request())
	TOKEN_FILE.write_text(creds.to_json())
	except Exception as e: # Consider catching google.auth.exceptions.RefreshError
	print(f"Error refreshing token: {e}")
	# The token may be invalid, consider deleting it to force re-auth.
	# TOKEN_FILE.unlink(missing_ok=True)
	return None

[gemini-code-assist]

The instruction hardcodes the directory name Video_chunking. This might be confusing for users who have cloned the repository under a different name. It's better to use a more generic term like "project root directory" to avoid confusion and make the documentation more generally applicable.

Suggested change

	**Important:** The file MUST be named exactly `gdrive_credentials.json` and placed in the root of your Video_chunking directory.
	**Important:** The file MUST be named exactly `gdrive_credentials.json` and placed in the project root directory.

[gemini-code-assist]

The current implementation for extracting the document ID uses string.find(), which can be brittle. For example, it might not correctly handle URLs with extra query parameters. Using a regular expression is a more robust way to parse the ID from various Google Doc URL formats.

This also simplifies the code by removing the chained if statements.

Suggested change

	# If it's already just an ID (no slashes), return as-is
	if '/' not in doc_url:
	return doc_url
	# Extract from URL format: https://docs.google.com/document/d/{ID}/edit
	doc_id_start = doc_url.find("/d/") + 3
	doc_id_end = doc_url.find("/edit")
	if doc_id_end == -1:
	doc_id_end = doc_url.find("/view")
	if doc_id_end == -1:
	doc_id_end = len(doc_url)
	return doc_url[doc_id_start:doc_id_end]
	import re
	def _extract_doc_id(doc_url: str) -> str:
	"""
	Extract document ID from Google Docs URL.
	Args:
	doc_url: Full URL or just the document ID
	Returns:
	Document ID string
	"""
	# Regex to find the document ID in various URL formats
	match = re.search(r'/d/([a-zA-Z0-9-_]+)', doc_url)
	if match:
	return match.group(1)
	# If no match, assume the input is the ID itself.
	return doc_url

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Replace deprecated OOB OAuth redirect

The OAuth flow is hard‑wired to redirect_uri='urn:ietf:wg:oauth:2.0:oob'. Google permanently disabled the OOB redirect for new client IDs in 2022, so users who follow the new setup guide will receive invalid_request errors when trying to authorize. The flow should use the loopback/localhost pattern via InstalledAppFlow.run_local_server (or an equivalent custom callback) so that newly created credentials can complete authentication.

Useful? React with 👍 / 👎.