Fix PKCE code verifier not being generated for initial OAuth flow

When `create_oauth_flow()` is called without an explicit `code_verifier` (i.e. during the initial auth flow in `start_auth_flow()`), the function never sets `autogenerate_code_verifier=True` on the Flow constructor. oauthlib 3.2+ automatically adds `code_challenge` to the authorization URL at the session level, so Google expects a matching `code_verifier` during the token exchange. However, since `Flow.code_verifier` remains `None`, that `None` gets stored in the session store and later passed back during the callback — causing Google to reject the token exchange with `(invalid_grant) Missing code verifier`.

The fix adds `autogenerate_code_verifier=True` in the else branch so the Flow object generates and exposes a proper PKCE code verifier that gets stored and reused during the callback token exchange.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@@ -306,6 +306,12 @@ def create_oauth_flow(
|
||||
flow_kwargs["code_verifier"] = code_verifier
|
||||
# Preserve the original verifier when re-creating the flow in callback.
|
||||
flow_kwargs["autogenerate_code_verifier"] = False
|
||||
else:
|
||||
# Generate PKCE code verifier for the initial auth flow.
|
||||
# Without this, oauthlib 3.2+ adds code_challenge to the auth URL
|
||||
# at the session level, but Flow.code_verifier stays None.
|
||||
# Google then rejects the token exchange with "Missing code verifier".
|
||||
flow_kwargs["autogenerate_code_verifier"] = True
|
||||
|
||||
# Try environment variables first
|
||||
env_config = load_client_secrets_from_env()
|
||||
|
||||
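
Review bot: the new `else:` branch sets `flow_kwargs["autogenerate_code_verifier"] = True` for every call that arrives without a usable `code_verifier`, and the condition guarding it lies outside this hunk, so it is not visible whether a callback-time call whose stored verifier is missing or `None` also lands here. If it does, the flow would generate a fresh verifier that cannot match the `code_challenge` sent in the authorization request, and the token exchange would still fail, now with the real cause (a lost verifier in the session store) hidden. Consider having the callback path raise a clear error when the stored verifier is absent, so that only the initial call from `start_auth_flow()` reaches the autogenerate branch. A regression test would also help: assert that `Flow.code_verifier` is non-`None` after the initial flow is created, and that the same value is what gets passed back in as `code_verifier` on the callback.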