3361ed29e6
When `create_oauth_flow()` is called without an explicit `code_verifier` (i.e. during the initial auth flow in `start_auth_flow()`), the function never sets `autogenerate_code_verifier=True` on the Flow constructor. oauthlib 3.2+ automatically adds `code_challenge` to the authorization URL at the session level, so Google expects a matching `code_verifier` during the token exchange. However, since `Flow.code_verifier` remains `None`, that `None` gets stored in the session store and later passed back during the callback — causing Google to reject the token exchange with `(invalid_grant) Missing code verifier`. The fix adds `autogenerate_code_verifier=True` in the else branch so the Flow object generates and exposes a proper PKCE code verifier that gets stored and reused during the callback token exchange. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
42 KiB
42 KiB