Add Google Health API authorization support

[this-Aditya]

A new authorization service handles Google's oauth2 flow.
Because the same participant may already have a Fitbit account from before the Google Health migration, the identity payload also carries an optional legacy Fitbit user ID, so we can keep both linked to the same RestSourceUser without losing history.

PKCE is enabled for Google as an extra security layer on top of the standard oauth2 flow. If it turns out Google's auth servers don't play nicely with the PKCE flow in , I'll drop it and fall back to the plain oauth2 path.

[yatharthranjan]

Thanks @this-Aditya, looks nice. Has this been tested working? If so, can we release this soon (so at least we can authorise new participants on this, we can always pull the data later)

[yatharthranjan]

is this required config? should it not be oauth2 by default?

[this-Aditya]

Yeah, it is OAuth 2.0 by default. I only kept it here to highlight it.

[yatharthranjan]

likely remove it if that is the default and does not require configuration

[this-Aditya]

Should I do it now, or after the Garmin migration? We might be able to remove this configuration completely then, since we'll only be left with oauth 2.0.

[yatharthranjan]

yes i think for garmin, it should still be configurable if needed (especially for legacy deployments and until Garmin forces use of OAuth2.0)

[yatharthranjan]

what about other scopes like - nutrition, irn, ecg, location (some studies have been explicitly requesting location records for activities recently so would be good to include if possible)?

[this-Aditya]

Yeah, we can add these, but google docs says that we can only request the scopes for which we are collecting data. So, if we want to increase the number of data points, we can add them

[yatharthranjan]

yes shoudl at least add nutrition, irn and ecg

[this-Aditya]

okay

[this-Aditya]

Has this been tested working?

Yeah, I've tested it. If you'd like, you can also verify it on staging.

If so, can we release this soon (so at least we can authorise new participants on this, we can always pull the data later)

I think that even if we release it soon, we still need to pass google's verification process and CASA, which I think will take some time.

One more thing -- when participants authorize google, the current flow deregisters them from fitbit. If we initially add this to the rest sources only, I think it would be nice if they could choose a start date later, and the historical data would then be covered by backfill. Otherwise, we'll only receive data from the start date onward through push notifications.

[yatharthranjan]

I think that even if we release it soon, we still need to pass google's verification process and CASA, which I think will take some time.

I think for new deployments it would work up to 100 users without verification?

One more thing -- when participants authorize google, the current flow deregisters them from fitbit. If we initially add this to the rest sources only, I think it would be nice if they could choose a start date later, and the historical data would then be covered by backfill. Otherwise, we'll only receive data from the start date onward through push notifications.

If the updated push endpoint is not deployed yet (only authorise in updated rest-source-auth), then when we are ready and do deploy push-endpoint, should it not backfill from the start date?

[yatharthranjan]

I think more readable to just use oauthVersion from config here

[this-Aditya]

I've updated this in PR #333. As this PR derives usesPkce from the RestSourceClient, I think that's a better place to handle it than doing it here.

[yatharthranjan]

should we somehow mark this as deprecated?

[this-Aditya]

It would be nice if we could do this after september 2026, as they will still receive data from the fitbit app until september if they signed up using their google account.

[yatharthranjan]

I think ok to mark as deprecated (not decomissioned), with details on when it will be non-functional (sept 2026)

[this-Aditya]

I think for new deployments it would work up to 100 users without verification?

Yeah, there are 100 users in testing, but while the app is in testing, we need to manually add users' email addresses. (Alternatively, could you try making the user internal? I can't do that)

If we publish the app without verification, users can still select the advanced options and proceed with authorization, although they will see this warning:

[this-Aditya]

If the updated push endpoint is not deployed yet (only authorise in updated rest-source-auth), then when we are ready and do deploy push-endpoint, should it not backfill from the start date?

Sorry, I meant that the push endpoint is also deployed. But this version explicitly handles the inconsistencies between the documentation and the actual responses. Based on the real responses, we are only rejecting some data that contains partial information, otherwise, it is working perfectly fine on stage.

[yatharthranjan]

I think for the new deployments we can live with the warning as it will be better than asking participants to authorise again. But i will confirm with the study team what they prefer.

how long does CASA review take?

[this-Aditya]

I think for the new deployments we can live with the warning, as it will be better than asking participants to authorise again. But I will confirm with the study team what they prefer.

Yeah, but we can only recruit 100 participants, and we are now aiming for one client ID (I assume), so it would be across all projects. Is it sufficient before we get verified?

how long does CASA review take?

It depends on which third-party assessor lab we pick, and also varies by tier (we need at least Tier 2, or maybe Tier 3). But I think it is going to take substantial time. Some mention it takes 1-3 weeks once testing starts (or 2-4 weeks for Tier 3). And as we request restricted scopes, it can take longer (Google says this).

[yatharthranjan]

LGTM, please merge the base branch (outdated atm)

[mpgxvii]

Thanks! LGTM.