Implement Google OAuth authentication

[grovecj]

Description

Add Google OAuth2 authentication to the backend, following the pattern from mlb-stats.

Tasks

• Add Spring Security OAuth2 dependencies
• Configure Google OAuth2 client in application.yml
• Create SecurityConfig with OAuth2 login
• Create User entity and repository
• Create CustomOAuth2UserService to handle user creation/lookup
• Add role-based access (USER, ADMIN, OWNER)
• Configure CORS for desktop app requests
• Add /api/auth/me endpoint to get current user
• Store owner email in environment variable for OWNER role assignment

Configuration

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: ${GOOGLE_CLIENT_ID}
            client-secret: ${GOOGLE_CLIENT_SECRET}
            scope: openid, profile, email

Database Schema

CREATE TABLE users (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    email VARCHAR(255) UNIQUE NOT NULL,
    name VARCHAR(255),
    picture_url VARCHAR(512),
    role VARCHAR(50) NOT NULL DEFAULT 'USER',
    created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
    last_login_at TIMESTAMP WITH TIME ZONE
);

Endpoints

• GET /api/auth/me - Get current authenticated user
• POST /api/auth/logout - Logout (invalidate session)
• OAuth2 login handled by Spring Security at /oauth2/authorization/google

Desktop App Integration

The desktop app will need to:

1. Open browser for OAuth flow
2. Handle callback URL (custom protocol or localhost redirect)
3. Store auth token/session for API requests

Acceptance Criteria

• Users can log in via Google
• User info is stored in database
• Owner email gets OWNER role automatically
• API endpoints can be protected with @PreAuthorize
• Desktop app can authenticate and make API calls