feat: add RolesAllowed to Drive token/connect endpoints and handle invalid_grant reauth

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Sentiaus

amber/src/main/scala/org/apache/texera/web/resource/auth/GoogleDriveAuthResource.scala

@@ -26,16 +26,14 @@ import org.apache.texera.web.resource.auth.GoogleDriveAuthResource._
 import org.apache.texera.dao.jooq.generated.tables.daos.UserDao
 import org.apache.texera.dao.SqlServer
 import org.apache.texera.config.UserSystemConfig
-import org.apache.texera.auth.JwtAuth.{jwtClaims, TOKEN_EXPIRE_TIME_IN_MINUTES}
+import org.apache.texera.auth.JwtAuth.{TOKEN_EXPIRE_TIME_IN_MINUTES, jwtClaims}
 import org.apache.texera.auth.JwtAuth
-import com.google.api.client.googleapis.auth.oauth2.{GoogleRefreshTokenRequest,
-  GoogleAuthorizationCodeTokenRequest,
-  GoogleTokenResponse,
-  GoogleAuthorizationCodeRequestUrl}
+import com.google.api.client.googleapis.auth.oauth2.{GoogleAuthorizationCodeRequestUrl, GoogleAuthorizationCodeTokenRequest, GoogleRefreshTokenRequest, GoogleTokenResponse}
 import com.google.api.client.auth.oauth2.TokenResponseException
 import com.google.api.client.http.javanet.NetHttpTransport
 import com.google.api.client.json.gson.GsonFactory
 
+import javax.annotation.security.RolesAllowed
 import javax.ws.rs._
 import javax.ws.rs.core.MediaType
 import javax.ws.rs.core.Response
@@ -66,6 +64,7 @@ class GoogleDriveAuthResource extends LazyLogging {
 
   @GET
   @Path("/token")
+  @RolesAllowed(Array("REGULAR", "ADMIN"))
   def getDriveAccessToken(@Auth sessionUser: SessionUser): Response = {
     val user = userDao.fetchOneByUid(sessionUser.getUid)
     val refreshToken = user.getGoogleDriveRefreshToken
@@ -145,6 +144,7 @@ class GoogleDriveAuthResource extends LazyLogging {
 
   @GET
   @Path("/connect")
+  @RolesAllowed(Array("REGULAR", "ADMIN"))
   def getOAuth(
                 @Auth sessionUser: SessionUser,
                 @QueryParam("reauth") @DefaultValue("false") reauth: Boolean

frontend/src/app/dashboard/component/user/list-item/list-item.component.ts

@@ -119,6 +119,7 @@ export class ListItemComponent implements OnChanges, OnInit {
   private _entry?: DashboardEntry;
   hovering: boolean = false;
   isDriveConnected = false;
+  driveNeedsReauth = false;
   exportMenuVisible = false;
 
   @Input()
@@ -156,6 +157,7 @@ export class ListItemComponent implements OnChanges, OnInit {
       .pipe(untilDestroyed(this))
       .subscribe(res => {
         this.isDriveConnected = res.status === "ok";
+        this.driveNeedsReauth = res.status === "invalid_grant";
       });
     this.driveService
       .onConnected()
@@ -286,7 +288,7 @@ export class ListItemComponent implements OnChanges, OnInit {
 
   public onClickDriveAction(): void {
     if (!this.isDriveConnected) {
-      this.driveService.connect();
+      this.driveService.connect(this.driveNeedsReauth);
       return;
     }
     if (!this.entry.id) return;

frontend/src/app/dashboard/component/user/user-dataset/user-dataset-explorer/dataset-detail.component.ts

@@ -155,6 +155,7 @@ export class DatasetDetailComponent implements OnInit {
   public viewCount: number = 0;
   public displayPreciseViewCount = false;
   public isDriveConnected = false;
+  public driveNeedsReauth = false;
   public fileExportMenuVisible = false;
   public versionExportMenuVisible = false;
 
@@ -268,6 +269,7 @@ export class DatasetDetailComponent implements OnInit {
       .pipe(untilDestroyed(this))
       .subscribe(res => {
         this.isDriveConnected = res.status === "ok";
+        this.driveNeedsReauth = res.status === "invalid_grant";
       });
     this.driveService
       .onConnected()
@@ -304,7 +306,7 @@ export class DatasetDetailComponent implements OnInit {
 
   public onClickDriveExportVersion(): void {
     if (!this.isDriveConnected) {
-      this.driveService.connect();
+      this.driveService.connect(this.driveNeedsReauth);
       return;
     }
     if (!this.did || !this.selectedVersion?.dvid) return;
@@ -321,7 +323,7 @@ export class DatasetDetailComponent implements OnInit {
 
   public onClickDriveExportFile(): void {
     if (!this.isDriveConnected) {
-      this.driveService.connect();
+      this.driveService.connect(this.driveNeedsReauth);
       return;
     }
     if (!this.currentDisplayedFileName) return;

frontend/src/app/workspace/component/menu/menu.component.ts

@@ -137,6 +137,7 @@ export class MenuComponent implements OnInit, OnDestroy {
   public isExportDeactivate: boolean = false;
   public showRegion: boolean = false;
   public isDriveConnected = false;
+  public driveNeedsReauth = false;
   public exportMenuVisible = false;
   public showGrid: boolean = false;
   public showNumWorkers: boolean = false;
@@ -260,6 +261,7 @@ export class MenuComponent implements OnInit, OnDestroy {
       .pipe(untilDestroyed(this))
       .subscribe(res => {
         this.isDriveConnected = res.status === "ok";
+        this.driveNeedsReauth = res.status === "invalid_grant";
       });
     this.driveService
       .onConnected()
@@ -672,7 +674,7 @@ export class MenuComponent implements OnInit, OnDestroy {
 
   public onClickDriveExportWorkflow(): void {
     if (!this.isDriveConnected) {
-      this.driveService.connect();
+      this.driveService.connect(this.driveNeedsReauth);
       return;
     }
     const workflowContent: WorkflowContent = this.workflowActionService.getWorkflowContent();