Surfaced by the merge of #99 (Google OAuth2 sources) on top of #73 (Edit CalDAV source).
The Edit button in `templates/dashboard_sources.html` is rendered for every source unconditionally. Clicking Edit on a Google OAuth2 source today:
- Renders an empty username/password form (the form fields don't make sense for OAuth2).
- On submit, `update_source` in `src/web/mod.rs` calls `crypto::decrypt_password(&state.secret_key, &existing_password_enc)` on the existing row. OAuth2 sources have `password_enc` as `""` (CLI `add-google` flow) or NULL (web flow), so decryption fails with "Failed to decrypt stored credentials."
- Even if the decrypt succeeded, the connection test would call `CaldavClient::new(url, username, password)` with basic auth, which Google rejects.
Neither PR is individually at fault; the interaction was created by the merge.
Suggested fix
In `templates/dashboard_sources.html`, hide the Edit button when `s.auth_type == "oauth2"`. Replace it with a "Reconnect Google" affordance that re-runs the OAuth2 consent flow (reuse `google_connect`).
As defense in depth, both `edit_source_form` and `update_source` should early-return (redirect to /dashboard/sources with a flash) when the source's `auth_type` is not `basic`, so URL-hacking the path doesn't crash.
Out of scope but worth thinking about
The OAuth2 source is fundamentally not editable in the same fields as a basic-auth source. The only useful "edit" is renaming, choosing a different `write_calendar_href`, or revoking and reconnecting. A future iteration could split the Edit form by `auth_type` rather than gating it out entirely.
cc @bboles as Google Calendar provider maintainer per MAINTAINERS.md.
Surfaced by the merge of #99 (Google OAuth2 sources) on top of #73 (Edit CalDAV source).
The Edit button in `templates/dashboard_sources.html` is rendered for every source unconditionally. Clicking Edit on a Google OAuth2 source today:
Neither PR is individually at fault; the interaction was created by the merge.
Suggested fix
In `templates/dashboard_sources.html`, hide the Edit button when `s.auth_type == "oauth2"`. Replace it with a "Reconnect Google" affordance that re-runs the OAuth2 consent flow (reuse `google_connect`).
As defense in depth, both `edit_source_form` and `update_source` should early-return (redirect to /dashboard/sources with a flash) when the source's `auth_type` is not `basic`, so URL-hacking the path doesn't crash.
Out of scope but worth thinking about
The OAuth2 source is fundamentally not editable in the same fields as a basic-auth source. The only useful "edit" is renaming, choosing a different `write_calendar_href`, or revoking and reconnecting. A future iteration could split the Edit form by `auth_type` rather than gating it out entirely.
cc @bboles as Google Calendar provider maintainer per MAINTAINERS.md.