# OAuth Credential Refresh Scripts

Automated scripts to keep Google OAuth credentials fresh for VoiceCal.ai deployed on HuggingFace Spaces.

## Quick Start

### 1. Install Dependencies

```bash
# Install Playwright and dependencies
pip install -r scripts/requirements.txt

# Install Playwright browsers
playwright install chromium
```

### 2. Configure Environment Variables

Add to your `.env` file:

```bash
# Option 1: Use dedicated Google credentials
GOOGLE_EMAIL=your-google-email@gmail.com
GOOGLE_PASSWORD=your-google-password

# Option 2: Reuse SMTP credentials (script will use these as fallback)
SMTP_USERNAME=your-google-email@gmail.com
SMTP_PASSWORD=your-smtp-app-password

# Optional: For email notifications on failure
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
```

**Note:** If you already have `SMTP_USERNAME` and `SMTP_PASSWORD` set, you don't need to set `GOOGLE_EMAIL` and `GOOGLE_PASSWORD` separately - the script will use your SMTP credentials for OAuth login.

**Security Note**: Use app-specific passwords for Gmail SMTP, not your main password.

### 3. Run the Script

```bash
# Headed mode (visible browser) - recommended for first run
python scripts/refresh_oauth_credentials.py

# Headless mode (no UI) - for automated runs
python scripts/refresh_oauth_credentials.py --headless

# With email notification on failure
python scripts/refresh_oauth_credentials.py --headless --notify-email admin@example.com
```

## How It Works

The script automates the Google OAuth flow:

1. Fetches OAuth authorization URL from `/auth/login`
2. Navigates to Google's consent page
3. Enters your Google credentials
4. Grants consent (if needed)
5. Waits for redirect to `/auth/callback`
6. Verifies credentials were saved to HuggingFace Secrets

All actions are logged to `logs/oauth_refresh_YYYYMMDD_HHMMSS.log`

## Scheduling Options

### Option 1: Cron Job (Unix/Linux/Mac)

Run daily at noon:

```bash
# Edit crontab
crontab -e

# Add this line (adjust paths as needed)
0 12 * * * cd /path/to/voiceCal-ai-v3 && /path/to/python scripts/refresh_oauth_credentials.py --headless --notify-email your@email.com >> logs/cron.log 2>&1
```

### Option 2: GitHub Actions (Cloud-based)

Create `.github/workflows/refresh-oauth.yml`:

```yaml
name: Refresh OAuth Credentials

on:
  schedule:
    - cron: '0 12 * * *'  # Daily at noon UTC
  workflow_dispatch:  # Allow manual trigger

jobs:
  refresh:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: |
          pip install -r scripts/requirements.txt
          playwright install chromium --with-deps

      - name: Refresh OAuth credentials
        env:
          GOOGLE_EMAIL: ${{ secrets.GOOGLE_EMAIL }}
          GOOGLE_PASSWORD: ${{ secrets.GOOGLE_PASSWORD }}
          SMTP_HOST: ${{ secrets.SMTP_HOST }}
          SMTP_USER: ${{ secrets.SMTP_USER }}
          SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
        run: |
          python scripts/refresh_oauth_credentials.py --headless --notify-email ${{ secrets.NOTIFY_EMAIL }}

      - name: Upload logs on failure
        if: failure()
        uses: actions/upload-artifact@v3
        with:
          name: oauth-refresh-logs
          path: logs/
```

**Setup GitHub Actions**:
1. Go to your GitHub repository → Settings → Secrets and variables → Actions
2. Add secrets: `GOOGLE_EMAIL`, `GOOGLE_PASSWORD`, `NOTIFY_EMAIL`, etc.
3. Push the workflow file to your repository
4. GitHub will run it daily at noon UTC

## Troubleshooting

### Script fails with "Timeout"

- Check your Google credentials are correct
- Ensure you don't have 2FA enabled (or add 2FA support)
- Try running in headed mode to see what's happening:
  ```bash
  python scripts/refresh_oauth_credentials.py
  ```

### "SMTP credentials not configured" warning

This is normal if you haven't set up email notifications. The script will still work.

### Credentials not updating in HuggingFace

- Check the logs for HuggingFace Secrets update messages
- Verify `HF_TOKEN` is set in your HuggingFace Space secrets
- The OAuth callback handler should automatically update secrets

### Screenshots on error

When an error occurs, the script saves a screenshot to `logs/error_screenshot_*.png` for debugging.

## Logs

All runs are logged to `logs/oauth_refresh_YYYYMMDD_HHMMSS.log`

View the latest log:
```bash
ls -t logs/oauth_refresh_*.log | head -1 | xargs cat
```

## Security Considerations

- Never commit `.env` file with real credentials
- Use app-specific passwords for SMTP, not your main password
- Store secrets in GitHub Actions Secrets, not in code
- Review logs for any leaked credentials before sharing
- Consider using a dedicated Google account for automation

## Manual Refresh Alternative

If the script fails, you can always manually refresh by visiting:
https://pgits-voicecal-ai-v3.hf.space/auth/login