
feat: Add --port flag to gws auth login for orgs that block Desktop OAuth flow #557

@VictorML11

Description


Problem

Organizations with strict Google Workspace admin policies (admin_policy_enforced) block the "installed" (Desktop) OAuth flow that gws auth login uses. This prevents users in managed Workspace accounts from authenticating, even when they have a valid OAuth client.

The root cause is that gws uses yup_oauth2::InstalledFlowReturnMethod::HTTPRedirect, which binds to a random port. Google identifies this as a Desktop/installed flow pattern, which some orgs block via API Controls.

Error

Access to your account data is restricted by policies within your organization.
Error 400: admin_policy_enforced

Discovery

Through testing, I found that the same org that blocks Desktop OAuth allows Web Application type OAuth clients with a fixed redirect URI. The difference:

| Flow | Redirect URI | Org Policy |
|---|---|---|
| Desktop (current gws) | http://localhost:<random_port> | BLOCKED |
| Web Application (fixed port) | http://localhost:8080 | ALLOWED |

Confirmed by creating a Web Application OAuth client with http://localhost:8080 as redirect URI and successfully authenticating with the org account.

Suggested Fix

A 3-line change in the Rust source:

src/auth_commands.rs

- redirect_uris: vec!["http://localhost".to_string()],
+ redirect_uris: vec![format!("http://localhost{}", port.map_or(String::new(), |p| format!(":{p}")))],
- yup_oauth2::InstalledFlowReturnMethod::HTTPRedirect,
+ match port {
+     Some(p) => yup_oauth2::InstalledFlowReturnMethod::HTTPPortRedirect(p),
+     None => yup_oauth2::InstalledFlowReturnMethod::HTTPRedirect,
+ },
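Review bot: both `+` lines depend on a `port` binding that the snippet never introduces; the signature of the enclosing function (and the plumbing from the new `--port` flag, presumably as an `Option<u16>`) should be part of the change, otherwise this does not compile as shown. Two smaller points: the `redirect_uris` value must match the URI registered on the Web Application client byte for byte (`http://localhost:8080` in the setup steps), so it is worth validating the loaded client config against the chosen port before starting the flow; and `HTTPPortRedirect(p)` binds a fixed port, so unlike the random-port path it can fail when that port is already taken, which deserves a clear error message rather than a bare unwrap.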

CLI interface

gws auth login --port 8080
  • When --port is provided: uses HTTPPortRedirect(port) with fixed redirect URI — compatible with Web Application type OAuth clients
  • When --port is omitted: current behavior (random port, Desktop flow) — no breaking change

src/oauth_config.rs

The save_client_config function should also support both "installed" and "web" client types, since users with this org restriction will need to create a Web Application type client instead of Desktop.

Setup for Affected Users

Users with admin_policy_enforced would:

  1. Create a Web Application (not Desktop) OAuth client in GCP Console
  2. Set redirect URI to http://localhost:8080
  3. Run gws auth login --port 8080

Environment

  • gws v0.18.0
  • Managed Google Workspace account
  • macOS
  • yup-oauth2 v12 supports HTTPPortRedirect(u16) already — no dependency changes needed
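The following is an added example, not the project's code, sketching in Python the flow-selection and config-validation logic the issue asks for (the Rust change plus the "installed"/"web" support in save_client_config): it accepts either client type, derives the redirect URI from the optional port, and refuses combinations that cannot work before any browser is opened. The client configs and the variant names `HTTPRedirect`/`HTTPPortRedirect` are constructed for illustration.

```python
import json
from typing import Optional

# Constructed sample client configs in the shape Google Cloud Console exports.
# "installed" = Desktop client (random-port flow, blocked by admin_policy_enforced
# in the issue); "web" = Web Application client with a fixed redirect URI.
DESKTOP_CLIENT = json.dumps({"installed": {
    "client_id": "example-desktop.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER-NOT-A-REAL-SECRET",
    "redirect_uris": ["http://localhost"],
}})
WEB_CLIENT = json.dumps({"web": {
    "client_id": "example-web.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER-NOT-A-REAL-SECRET",
    "redirect_uris": ["http://localhost:8080"],
}})


def load_client(raw: str):
    """Accept either the "installed" or the "web" section (the save_client_config
    change requested in the issue) and reject anything else."""
    doc = json.loads(raw)
    for kind in ("installed", "web"):
        if kind in doc:
            return kind, doc[kind]
    raise ValueError("client config must contain an 'installed' or 'web' section")


def select_flow(raw: str, port: Optional[int]) -> dict:
    """Mirror the --port logic: a fixed port selects a fixed redirect URI and
    HTTPPortRedirect; no port keeps the random-port HTTPRedirect behaviour."""
    kind, client = load_client(raw)
    redirect_uri = "http://localhost" + (f":{port}" if port is not None else "")
    # A web client only accepts exact, pre-registered redirect URIs, so the
    # random-port flow can never match it: require --port in that case.
    if port is None and kind == "web":
        raise ValueError("a 'web' client needs a fixed redirect URI; pass --port")
    # Fail early if the chosen port is not registered on the client.
    if port is not None and redirect_uri not in client["redirect_uris"]:
        raise ValueError(f"{redirect_uri} is not a registered redirect URI")
    return {
        "client_type": kind,
        "redirect_uri": redirect_uri,
        "return_method": "HTTPRedirect" if port is None else f"HTTPPortRedirect({port})",
    }


def flow_error(raw: str, port: Optional[int]) -> Optional[str]:
    """Return the validation error message, or None when the flow is usable."""
    try:
        select_flow(raw, port)
        return None
    except ValueError as exc:
        return str(exc)
```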
