Switch from Service Account to OAuth2 for Google Calendar (Personal Gmail)

- Replace JWT service account authentication with OAuth2 refresh token flow
- Service accounts cannot create Google Meet links for personal Gmail accounts
- Update edge function to use OAuth2 token exchange
- Change database column from google_service_account_json to google_oauth_config
- Add helper tool (get-google-refresh-token.html) to generate OAuth credentials
- Update IntegrasiTab UI to show OAuth config instead of service account
- Add SQL migration file for new google_oauth_config column

OAuth2 Config format:
{
  "client_id": "...",
  "client_secret": "...",
  "refresh_token": "..."
}

This approach works with personal @gmail.com accounts without requiring
Google Workspace or Domain-Wide Delegation.

supabase/functions/create-google-meet-event/index.ts

@@ -6,14 +6,10 @@ const corsHeaders = {
   "Access-Control-Allow-Headers": "authorization, x-client-info, apikey, content-type",
 };
 
-interface GoogleServiceAccount {
-  type: string;
-  project_id: string;
-  private_key_id: string;
-  private_key: string;
-  client_email: string;
+interface GoogleOAuthConfig {
   client_id: string;
-  token_uri: string;
+  client_secret: string;
+  refresh_token: string;
 }
 
 interface CreateMeetRequest {
@@ -27,80 +23,17 @@ interface CreateMeetRequest {
   notes?: string;
 }
 
-// Function to create JWT and get access token using native Web Crypto API
-async function getGoogleAccessToken(serviceAccount: GoogleServiceAccount): Promise<string> {
+// Function to get access token from refresh token (OAuth2)
+async function getGoogleAccessToken(oauthConfig: GoogleOAuthConfig): Promise<string> {
   try {
-    const now = Math.floor(Date.now() / 1000);
-
-    // Build JWT header and payload manually
-    const header = {
-      alg: "RS256",
-      typ: "JWT",
-    };
-
-    const payload = {
-      iss: serviceAccount.client_email,
-      scope: "https://www.googleapis.com/auth/calendar",
-      aud: serviceAccount.token_uri,
-      exp: now + 3600,
-      iat: now,
-    };
-
-    // Encode header and payload (base64url)
-    const base64UrlEncode = (str: string) => {
-      return btoa(str)
-        .replace(/\+/g, "-")
-        .replace(/\//g, "_")
-        .replace(/=/g, "");
-    };
-
-    const encodedHeader = base64UrlEncode(JSON.stringify(header));
-    const encodedPayload = base64UrlEncode(JSON.stringify(payload));
-    const signatureInput = `${encodedHeader}.${encodedPayload}`;
-
-    // Convert PEM to binary
-    const keyData = serviceAccount.private_key
-      .replace(/-----BEGIN PRIVATE KEY-----/g, "")
-      .replace(/-----END PRIVATE KEY-----/g, "")
-      .replace(/\s/g, "");
-
-    const binaryKey = Uint8Array.from(atob(keyData), c => c.charCodeAt(0));
-
-    // Import private key using native Web Crypto API
-    const privateKey = await crypto.subtle.importKey(
-      "pkcs8",
-      binaryKey,
-      {
-        name: "RSASSA-PKCS1-v1_5",
-        hash: "SHA-256",
-      },
-      false,
-      ["sign"]
-    );
-
-    // Sign the JWT
-    const signature = await crypto.subtle.sign(
-      "RSASSA-PKCS1-v1_5",
-      privateKey,
-      new TextEncoder().encode(signatureInput)
-    );
-
-    // Encode signature
-    const encodedSignature = btoa(String.fromCharCode(...new Uint8Array(signature)))
-      .replace(/\+/g, "-")
-      .replace(/\//g, "_")
-      .replace(/=/g, "");
-
-    const token = `${signatureInput}.${encodedSignature}`;
-    console.log("Generated JWT (first 100 chars):", token.substring(0, 100));
-
-    // Exchange JWT for access token
-    const response = await fetch(serviceAccount.token_uri, {
+    const response = await fetch("https://oauth2.googleapis.com/token", {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
       body: new URLSearchParams({
-        grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
-        assertion: token,
+        client_id: oauthConfig.client_id,
+        client_secret: oauthConfig.client_secret,
+        refresh_token: oauthConfig.refresh_token,
+        grant_type: "refresh_token",
       }),
     });
 
@@ -138,7 +71,7 @@ serve(async (req: Request): Promise<Response> => {
     // Get platform settings
     const { data: settings, error: settingsError } = await supabase
       .from("platform_settings")
-      .select("integration_google_calendar_id, google_service_account_json")
+      .select("integration_google_calendar_id, google_oauth_config")
       .single();
 
     if (settingsError) {
@@ -158,36 +91,36 @@ serve(async (req: Request): Promise<Response> => {
       );
     }
 
-    // Get service account from settings
-    const serviceAccountJson = settings?.google_service_account_json;
+    // Get OAuth config from settings
+    const oauthConfigJson = settings?.google_oauth_config;
 
-    if (!serviceAccountJson) {
+    if (!oauthConfigJson) {
       return new Response(
         JSON.stringify({
           success: false,
-          message: "Google Service Account JSON belum dikonfigurasi. Tambahkan di Pengaturan > Integrasi."
+          message: "Google OAuth Config belum dikonfigurasi. Tambahkan di Pengaturan > Integrasi. Format: {\"client_id\":\"...\",\"client_secret\":\"...\",\"refresh_token\":\"...\"}"
         }),
         { status: 400, headers: { ...corsHeaders, "Content-Type": "application/json" } }
       );
     }
 
-    // Parse service account JSON
-    let serviceAccount: GoogleServiceAccount;
+    // Parse OAuth config JSON
+    let oauthConfig: GoogleOAuthConfig;
     try {
-      serviceAccount = JSON.parse(serviceAccountJson);
+      oauthConfig = JSON.parse(oauthConfigJson);
     } catch (error: any) {
-      console.error("Failed to parse service account JSON:", error);
+      console.error("Failed to parse OAuth config JSON:", error);
       return new Response(
         JSON.stringify({
           success: false,
-          message: "Format Google Service Account JSON tidak valid: " + error.message
+          message: "Format Google OAuth Config tidak valid: " + error.message
         }),
         { status: 400, headers: { ...corsHeaders, "Content-Type": "application/json" } }
       );
     }
 
-    // Get access token
-    const accessToken = await getGoogleAccessToken(serviceAccount);
+    // Get access token using OAuth2 refresh token
+    const accessToken = await getGoogleAccessToken(oauthConfig);
     console.log("Got access token");
 
     // Build event data
@@ -205,8 +138,6 @@ serve(async (req: Request): Promise<Response> => {
         dateTime: endDate.toISOString(),
         timeZone: "Asia/Jakarta",
       },
-      // Note: attendees removed because service accounts need Domain-Wide Delegation
-      // Client email is included in description instead
       conferenceData: {
         createRequest: {
           requestId: body.slot_id,