feat: gdrive export and encryption service integration

[Sentiaus]

What changes were proposed in this PR?

Adds the backend required for Google Drive OAuth integration.

Schema changes: Adds a new user_oauth_token table (sql/updates/23.sql) to store encrypted OAuth tokens per provider. The provider column (google_drive, etc.) is intentionally generic so future integrations (AWS, Microsoft) can reuse the same table without a schema change. The auth blob is stored as a JWE-encrypted JSON string rather than a raw token.

Token encryption: Adds TokenEncryptionService using jose4j AES-256-GCM (DIRECT key management) to encrypt auth blobs at rest. The encryption key is read from auth.encryption.256-bit-secret in auth.conf, with AUTH_ENCRYPTION_SECRET as the env-var override. This follows the same pattern as the existing JWT secret key.

New endpoints — GoogleDriveAuthResource:

GET /api/auth/google/drive/connect — Returns a Google OAuth authorization URL for the frontend to open in a popup. Accepts a reauth query param; when true, sets prompt=consent to force Google to re-issue a refresh token (used when a previous token has returned invalid_grant). Requires REGULAR or ADMIN role.

GET /api/auth/google/drive/callback — Called by Google's OAuth redirect. Not role-gated (no Authorization header is present on a browser redirect). Authenticates the user via a short-lived JWT in the state query parameter, exchanges the code for tokens, encrypts the auth blob, and upserts into user_oauth_token.

GET /api/auth/google/drive/token — Decrypts the stored auth blob, uses the refresh token to fetch a short-lived access token from Google, and returns it to the frontend. Returns no_refresh_token if no record exists, or invalid_grant if Google rejects the refresh token. Requires REGULAR or ADMIN role.

GET /api/auth/google/config — Exposes clientId and redirectUri to the frontend so the Drive service doesn't need to hardcode them.

Config: Adds google.client-id, google.client-secret, and app-domain to UserSystemConfig and user-system.conf. These must be configured on the Texera GCP project before Drive integration will work.

Any related issues, documentation, discussions?

Closes #4240 (partial — frontend in follow-up PRs)

Google Documentation to enable Google Picker: https://developers.google.com/workspace/drive/picker/guides/overview

How was this PR tested?

• sbt "Auth/testOnly org.apache.texera.auth.TokenEncryptionServiceSpec" — 2 unit tests covering encrypt/decrypt round-trip and invalid-input error case
• Backend compiles cleanly: sbt amber/compile
• The /callback endpoint was tested manually via the full OAuth flow in a local dev environment

Was this PR authored or co-authored using generative AI tooling?

Commit messages and some implementation co-authored with Claude Sonnet 4.6

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.40%. Comparing base (34be37d) to head (6a4aa12).

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #5250      +/-   ##
============================================
- Coverage     49.62%   49.40%   -0.23%     
+ Complexity     2384     2381       -3     
============================================
  Files          1051     1051              
  Lines         40399    40399              
  Branches       4292     4292              
============================================
- Hits          20050    19960      -90     
- Misses        19165    19260      +95     
+ Partials       1184     1179       -5     

Flag	Coverage Δ		*Carryforward flag
access-control-service	41.89% <ø> (ø)
agent-service	33.76% <ø> (ø)		Carriedforward from e650919
amber	51.63% <ø> (-0.03%)	⬇️	Carriedforward from e650919
computing-unit-managing-service	0.00% <ø> (ø)
config-service	0.00% <ø> (ø)
file-service	38.42% <ø> (ø)
frontend	41.71% <ø> (-0.52%)	⬇️	Carriedforward from e650919
python	90.80% <ø> (ø)		Carriedforward from e650919
workflow-compiling-service	56.81% <ø> (ø)

*This pull request uses carry forward flags. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[xuang7]

Thanks for the PR! Left a few comments. Please follow the formatting instructions in the
contributing guide and fix the formatting issues.

[xuang7]

We should avoid using the normal session JWT as the OAuth state. Since it is still a valid login token before expiration, it may be safer to use a dedicated short-lived OAuth state token instead.

[xuang7]

Suggest using path("refreshToken").asText("") here to avoid a possible NPE when the field is missing.

[Sentiaus]

@xuang7 I can add this, but seeing as this is wrapped in a try-catch, I feel like the error is fine/more defined, compared to getting "", sending a request to google and getting an error there.

[xuang7]

That makes sense. I agree we should not silently send an empty refresh token to Google. Maybe we can use path("refreshToken").asText("") to avoid the possible NPE, then explicitly check whether the token is empty and return no_refresh_token locally before making the Google request.

[xuang7]

LGTM overall! Left one comment. Could you add a short reply to each resolved previous comment so we can better track the update history? Also, please add the new table to sql/texera_ddl.sql. That should unblock the CI failure. @Sentiaus

Could you help review this PR as well? @aicam

[xuang7]

Disconnect currently only removes the local DB row, but it does not revoke the grant on Google’s side. Would it make sense to also revoke the token with Google before deleting the local row? That would better match the expected “Disconnect” behavior.

[chenlica]

@xuang7 Before the merge, I would like to have another member to review this PR.

@carloea2 Can you do it?

@Sentiaus In the description, can you also provide an overview of the design?