docs: add OAuth and SMTP setup instructions

[rushikesh249]

Summary

This PR improves onboarding documentation by adding missing setup steps that were causing authentication and email verification issues.

Changes

• Added Google OAuth Setup (Local Development) section:
  • OAuth Client ID creation steps
  • Correct Authorized JavaScript Origins
  • Troubleshooting guidance
• Added Email Verification Setup (Gmail SMTP App Password) section:
  • App password steps
  • SMTP config snippet
  • Security note (do not commit credentials)
• Fixed frontend .env documentation:
  • Removed quotes from VITE_BASE_URL and VITE_GOOGLE_CLIENT_ID
  • Added note to restart frontend after .env changes

Motivation

Reduces contributor onboarding friction and prevents recurring errors like:

• 401 invalid_client
• origin is not allowed
• 535 5.7.8 Username and Password not accepted

Summary by CodeRabbit

• Documentation
  • Clarified frontend env var formatting (no quotes) and added restart reminder.
  • Consolidated env guidance into Frontend Configuration.
  • Added Google OAuth (local dev) setup with authorized origins/redirect guidance.
  • Added Gmail SMTP App Password workflow with a sample SMTP config for email verification.
  • Reinforced never committing credentials and expanded contribution/process guidance.
  • Fixed license encoding display (MIT ©).

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Fixes #211

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates README.md to consolidate frontend configuration, remove quotes from frontend .env examples, add Google OAuth (local) and Gmail SMTP email verification setup instructions, and expand contribution/process guidance.

Changes

Cohort / File(s)

Summary

Documentation: README README.md

Consolidated frontend env guidance (removed quotes from .env examples, added restart note); replaced inline .env creation with reference to Frontend Configuration; added "Google OAuth Setup (Local Development)" with authorized JavaScript origins/redirects guidance; added "Email Verification Setup (Gmail SMTP App Password)" including sample SMTP YAML; retained warning not to commit credentials; expanded contribution/process content.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Update README.md #95 — Related README changes for frontend env values and Google OAuth configuration.
• Updated README.md #92 — Overlapping README edits adding OAuth and SMTP/email verification setup.

Suggested reviewers

• bhavik-mangla

Poem

🐇 I hopped through lines by candlelight,
I freed the env vars from quotes so bright,
I set the OAuth path and tuned SMTP keys,
A tiny hop, a tweak — documentation breeze,
Now spring the app and watch it take flight.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main changes: adding OAuth and SMTP setup instructions to documentation. It is concise, specific, and directly reflects the primary objective of improving onboarding documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @README.md:
- Around line 126-130: This duplicate `.env` snippet only sets VITE_BASE_URL and
should be removed or replaced: delete the shorter "3. Create a `.env` file and
add: VITE_BASE_URL=..." block and instead reference the earlier Frontend
Configuration section that contains the full `.env` example (including
VITE_BASE_URL and VITE_GOOGLE_CLIENT_ID), or update this block to match the
complete variables by adding VITE_GOOGLE_CLIENT_ID and any other entries so both
sections are consistent.
- Around line 167-176: The SMTP YAML snippet in the README uses malformed code
fences (double backticks and incorrect closing ticks) so the block doesn't
render; fix the code fence by replacing the opening ``yaml marker that precedes
the smtp: block with a proper triple-backtick fence (```yaml) and replace the
malformed closing backticks after senderEmail with a proper triple-backtick
(```) to close the block so the yaml snippet (smtp: host, port, username,
password, senderEmail) renders correctly.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cb07eaf and 7d842f1.

📒 Files selected for processing (1)

• README.md

🧰 Additional context used

🪛 markdownlint-cli2 (0.18.1)

README.md

148-148: Bare URL used

(MD034, no-bare-urls)

---

149-149: Bare URL used

(MD034, no-bare-urls)

---

150-150: Bare URL used

(MD034, no-bare-urls)

---

151-151: Bare URL used

(MD034, no-bare-urls)

---

171-171: Bare URL used

(MD034, no-bare-urls)

---

173-173: Bare URL used

(MD034, no-bare-urls)

🔇 Additional comments (3)

README.md (3)

100-104: LGTM! Improved environment variable documentation.

The unquoted format is correct for Vite environment variables, and the note about restarting the frontend is helpful for developers.

---

179-251: LGTM! Comprehensive contribution guidelines.

The extended contribution guidelines provide clear, step-by-step instructions for new contributors. The inclusion of best practices, testing reminders, and the video demonstration suggestion all help reduce onboarding friction.

---

152-152: No changes needed to the OAuth redirect URI documentation.

The README instruction is correct for this architecture. The application uses client-side OAuth 2.0 (frontend as the OAuth client), not server-side. The backend only validates the ID token received from the frontend using the Client ID (see auth.go, GoogleLogin function). Since the frontend JavaScript library handles the OAuth callback at the origin URLs listed (lines 148-151), the redirect URIs should indeed be the same as the Authorized JavaScript origins.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @README.md:
- Around line 163-171: The README's SMTP YAML code block is malformed (starts
with "``yaml" and ends with stray backticks) which breaks rendering; fix the
fenced code block around the "smtp:" configuration by using a proper
triple-backtick fence with language specifier (```yaml) at the start and a
matching closing triple-backtick (```) at the end so the "smtp" block (host,
port, username, password, senderEmail) renders as valid YAML.
- Line 148: The README's Step 8 is misleading: clarify or remove the instruction
to add "Authorized redirect URIs" since this app uses the client-side One Tap
implicit flow (google.accounts.id.initialize()), which only requires "Authorized
JavaScript origins"; update the text to either delete Step 8 or change it to
state that adding Redirect URIs is optional and not required for this
client-side ID token flow, and note that the ID token is obtained client-side
and posted to the backend for validation.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7d842f1 and bbe0c32.

📒 Files selected for processing (1)

• README.md

🧰 Additional context used

🪛 markdownlint-cli2 (0.18.1)

README.md

144-144: Bare URL used

(MD034, no-bare-urls)

---

145-145: Bare URL used

(MD034, no-bare-urls)

---

146-146: Bare URL used

(MD034, no-bare-urls)

---

147-147: Bare URL used

(MD034, no-bare-urls)

---

167-167: Bare URL used

(MD034, no-bare-urls)

---

169-169: Bare URL used

(MD034, no-bare-urls)

🔇 Additional comments (3)

README.md (3)

100-104: LGTM! Correct Vite .env syntax.

The unquoted values and the note about restarting the frontend are helpful improvements that will prevent common developer errors with Vite environment variables.

---

126-126: Good refactoring to avoid duplication.

Referencing the earlier "Frontend Configuration" section follows the DRY principle and makes the documentation easier to maintain.

---

144-147: Static analysis bare URL warnings are false positives.

The markdownlint warnings about bare URLs at these lines can be safely ignored:

• Lines 144-147: OAuth origin URLs are intentionally bare so developers can copy them exactly
• Lines 167, 169: Email addresses in SMTP configuration examples

These are appropriate in documentation context.

Also applies to: 167-169

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@README.md`:
- Line 252: Replace the malformed sequence "MIT © [AOSSIE](https://aossie.org)"
with the correct copyright symbol "MIT © [AOSSIE](https://aossie.org)" in the
README content and ensure the README is saved with UTF-8 encoding (no stray
byte-order-mark or wrong charset) so the © renders correctly.
- Line 255: Remove the stray backtick character found at the end of README.md
(line with a single "`") — delete that trailing backtick so the file ends
cleanly without the extraneous character.
- Line 91: Remove the stray backtick character (`) present in the README
content—delete the single backtick so the file no longer contains the lone
backtick character.

♻️ Duplicate comments (1)

README.md (1)

148-148: Step 8 guidance about redirect URIs is still misleading.

This concern was raised in a previous review but remains unaddressed. Since this application uses Google's client-side One Tap flow (google.accounts.id.initialize()), it only requires "Authorized JavaScript origins" (Step 7). "Authorized redirect URIs" (Step 8) is not necessary for this client-side implementation.

Consider either removing Step 8 or adding a note that it's optional and not required for the client-side OAuth flow used in this application.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bbe0c32 and d3f86ce.

📒 Files selected for processing (1)

• README.md

🧰 Additional context used

🪛 markdownlint-cli2 (0.18.1)

README.md

144-144: Bare URL used

(MD034, no-bare-urls)

---

145-145: Bare URL used

(MD034, no-bare-urls)

---

146-146: Bare URL used

(MD034, no-bare-urls)

---

147-147: Bare URL used

(MD034, no-bare-urls)

🔇 Additional comments (3)

README.md (3)

100-104: Good improvement to frontend .env documentation.

Removing quotes from environment variable values is correct for Vite configuration, and the note about restarting the frontend is helpful for developers.

---

126-126: Good fix addressing duplicate configuration.

Referencing the earlier Frontend Configuration section eliminates duplication and improves documentation consistency.

---

152-172: Well-documented SMTP setup with proper security guidance.

The Email Verification Setup section provides clear instructions for Gmail SMTP configuration. The YAML code block is now properly formatted (addressing previous review feedback), and the security warning about credentials is appropriate.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@README.md`:
- Line 1: Remove the leading UTF-8 Byte Order Mark (the invisible character at
the start of the file) from the README.md file and re-save the file as UTF-8
without BOM so the first character is a plain '<' (or whatever the first visible
character should be) to prevent parsing issues with tools and scripts.

🧹 Nitpick comments (1)

README.md (1)

62-66: Add language identifier to the code block.

The fenced code block would benefit from a language identifier for proper syntax highlighting and better readability.

♻️ Proposed enhancement

-```
+```env
 VITE_BASE_URL=http://localhost:1313
 VITE_GOOGLE_CLIENT_ID=<YOUR_GOOGLE_OAUTH_CLIENT_ID>
 > **Note:** Do NOT wrap values in quotes. Restart frontend after changes.

</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>📜 Review details</summary>

**Configuration used**: defaults

**Review profile**: CHILL

**Plan**: Pro

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between d3f86ceba053cd4515b1019d6bf2a7a0babf94ed and fcf25f42896eb6670dc2fbb2c88db24eb0ed812e.

</details>

<details>
<summary>📒 Files selected for processing (1)</summary>

* `README.md`

</details>

<details>
<summary>🔇 Additional comments (3)</summary><blockquote>

<details>
<summary>README.md (3)</summary><blockquote>

`79-79`: **Good consolidation.**

Referencing the earlier Frontend Configuration section instead of duplicating the .env setup improves maintainability and reduces redundancy.

---

`85-99`: **Excellent OAuth setup documentation.**

The OAuth setup instructions are comprehensive and clear. The note about "Authorized redirect URIs" being optional (line 97) correctly addresses the client-side Google One Tap flow implementation, and the reminder about exact URL matching (line 99) prevents common configuration errors.

---

`100-116`: **Clear and security-conscious SMTP setup guide.**

The email verification setup provides clear step-by-step instructions for Gmail SMTP configuration, includes a practical YAML example, and appropriately warns against committing credentials to version control.

</blockquote></details>

</blockquote></details>

<sub>✏️ Tip: You can disable this entire section by setting `review_details` to `false` in your review settings.</sub>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[rushikesh249]

✅ Addressed CodeRabbit feedback:

• Fixed malformed SMTP YAML code fence
• Clarified OAuth Redirect URI step (optional for One Tap flow)
• Removed stray backticks / encoding issues
• Removed UTF-8 BOM

All checks are green now. Ready to merge. 🚀