Bug: Google Calendar OAuth connection failing with Error 400 (redirect_uri_mismatch)

Objective

  • Restore the ability for inspectors to connect their Google Calendar via the OAuth flow in Account Settings
  • The current OAuth flow returns Error 400: redirect_uri_mismatch for all users, blocking the integration entirely
  • No inspector at any company can successfully complete the connection until resolved

Background

  • Adam Wright (RJ Inspections) and Rob Johnson (RJ Inspections) both attempted to connect via the "Connect Google Calendar" button in Account Settings and received Google's Error 400: redirect_uri_mismatch screen
  • Adam initially suspected the issue was related to the "Google Account Linked" SSO badge also visible on the account settings page; code review confirmed that these are two separate systems, and the SSO badge (GoogleAccountLink.tsx → authClient.linkSocial()) has no relationship to the calendar OAuth flow
  • The redirect URI sent to Google during the OAuth consent request is constructed at runtime in gcalOAuthClient.ts from the BETTER_AUTH_URL or SERVER_URL environment variable — if either resolves to a value not registered in the Google Cloud Console OAuth app config, Google rejects the request
  • No inspector has a confirmed working calendar connection; the "linked" status previously shown in the admin view is attributable to the SSO link, not a calendar token
  • The company-level integration toggle is not the cause — the Error 400 fires at Google's consent screen, after the backend has already generated the auth URL successfully

Product Decisions

Locked

  1. The "Google Account Linked" SSO badge and the "Connect Google Calendar" button are separate systems — this issue concerns the calendar OAuth flow only

Open

  1. Redirect URI registration — Engineering needs to confirm what URI BETTER_AUTH_URL/SERVER_URL resolves to in production and verify it matches what's registered in the Google Cloud Console for the OAuth app (or GOOGLE_CAL_CLIENT_ID if a separate credential is in use)
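
One way to run the check in the open item above, as an added example (not code from the project): it rebuilds the redirect URI from BETTER_AUTH_URL / SERVER_URL, can read the redirect_uri out of a consent URL returned by /auth-url, and reports how the value differs from the URIs registered in the Google Cloud Console. The callback path, the variable precedence, the concatenation rule and all sample values are assumptions.

```typescript
// Added example, not project code. Names marked "assumed" are hypothetical.
type Env = Record<string, string | undefined>;

// Assumed mount path of the /callback route; substitute the real one.
const ASSUMED_CALLBACK_PATH = "/api/google-calendar/callback";

// Assumed precedence (BETTER_AUTH_URL first) and assumed plain concatenation,
// so a trailing slash on the base URL survives into the redirect URI.
function resolveRedirectUri(env: Env, callbackPath: string = ASSUMED_CALLBACK_PATH): string {
  const base = env.BETTER_AUTH_URL || env.SERVER_URL;
  if (!base) throw new Error("Neither BETTER_AUTH_URL nor SERVER_URL is set");
  return base + callbackPath;
}

// Extract the redirect_uri actually sent to Google from a generated consent URL.
function redirectUriFromAuthUrl(authUrl: string): string | null {
  return new URL(authUrl).searchParams.get("redirect_uri");
}

// Google accepts a redirect URI only if it equals a registered one exactly.
// Returns [] on a match, else the differences against the closest registered entry.
function explainMismatch(sent: string, registered: string[]): string[] {
  if (registered.indexOf(sent) !== -1) return [];
  const s = new URL(sent);
  let best: string[] = ["no registered URIs supplied"];
  let bestLen = Infinity;
  for (const candidate of registered) {
    const r = new URL(candidate);
    const diffs: string[] = [];
    if (s.protocol !== r.protocol) diffs.push(`scheme: ${s.protocol} vs ${r.protocol}`);
    if (s.hostname !== r.hostname) diffs.push(`host: ${s.hostname} vs ${r.hostname}`);
    if (s.port !== r.port) diffs.push(`port: "${s.port}" vs "${r.port}"`);
    if (s.pathname !== r.pathname) diffs.push(`path: ${s.pathname} vs ${r.pathname}`);
    if (diffs.length === 0) diffs.push("raw string differs (case, encoding, query or fragment)");
    if (diffs.length < bestLen) { best = diffs; bestLen = diffs.length; }
  }
  return best;
}

// Constructed sample values: registered list as copied from the Cloud Console,
// and an environment where the base URL has the wrong scheme.
const REGISTERED = ["https://app.example.test/api/google-calendar/callback"];
const sent = resolveRedirectUri({ BETTER_AUTH_URL: "http://app.example.test" });
console.log(sent, explainMismatch(sent, REGISTERED));
```

Running the same comparison at service startup against a copy of the registered list turns a misconfigured base URL into a deploy-time failure instead of an Error 400 on Google's consent screen.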

Scope

Backend

  • src/util/functions/googleCalendar/gcalOAuthClient.ts — constructs the redirect URI at runtime from BETTER_AUTH_URL or SERVER_URL; the resolved value in the deployed environment is the likely mismatch source
  • src/routes/googleCalendar.ts: the /auth-url endpoint generates the consent URL; the /callback endpoint receives the redirect and exchanges the code for tokens

Frontend

  • src/app/tools/settings/integrations/google_calendar/GoogleCalendarConnect.tsx — renders the "Connect Google Calendar" button that initiates the flow
  • src/app/tools/settings/account/page.tsx — hosts both GoogleAccountLink (SSO) and GoogleCalendarConnect (calendar) on the same page; the visual proximity of these two components contributed to user and operator confusion about connection state

References

  • Reported by Adam Wright and Rob Johnson, RJ Inspections
  • Related: ATT-1357 (Google Calendar sync feature, now Done)

Status: Planned
Board: Main App
Date: About 3 hours ago
Author: Linear