feat[Go]: implement Box OAuth connector callback and poll-result APIs

[hunnyboy1217]

Closes #15662.

GET /api/v1/connectors/box/oauth/web/callback (BoxWebOAuthCallback)
POST /api/v1/connectors/box/oauth/web/result (PollBoxWebOAuthResult)

The callback endpoint is public (registered without auth middleware, matching the Google/Gmail pattern). Box redirects the user's browser here after consent; the handler reads the state from Redis, exchanges the authorization code for an access + refresh token pair via POST https://api.box.com/oauth2/token, stores the result in Redis, and renders an HTML self-closing popup page.

The result endpoint requires authentication. It retrieves the stored credential set, verifies the caller owns the flow (user_id match), deletes the Redis key, and returns the full credential payload — mirroring Python poll_box_web_result.

Redis key scheme reuses the existing helpers:
state: box_web_flow_state:{flow_id}
result: box_web_flow_result:{flow_id}

BOX_WEB_OAUTH_REDIRECT_URI env var is forwarded to the token exchange when set; omitted otherwise (Box accepts the absence when the redirect_uri was optional).

Changed files:
internal/service/connector.go – Box types + BoxWebOAuthCallback +
PollBoxWebOAuthResult + exchangeBoxOAuthCode
internal/handler/connector.go – interface extension + two new handlers
internal/router/router.go – callback registered at engine + apiNoAuth;
result registered in auth-protected connector group

What problem does this PR solve?

Briefly describe what this PR aims to solve. Include background context that will help reviewers understand the purpose of the PR.

Type of change

• Bug Fix (non-breaking change which fixes an issue)
• New Feature (non-breaking change which adds functionality)
• Documentation Update
• Refactoring
• Performance Improvement
• Other (please describe):

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds Box OAuth web-flow integration to the connector service. It implements state validation, authorization code exchange with Box's token endpoint, Redis-backed credential storage, and polling retrieval. HTTP handlers expose the callback and result endpoints, wired to unprotected and protected routes respectively.

Changes

Box OAuth Integration

Layer / File(s)	Summary
Box OAuth service constants and implementation internal/service/connector.go	OAuth token endpoint and timeout constants added; boxWebOAuthState and boxWebOAuthResult Redis-backed structs defined; BoxWebOAuthCallback validates OAuth state, exchanges authorization code via HTTP POST to Box token endpoint, stores credentials in Redis, and returns HTML popup payload; PollBoxWebOAuthResult retrieves stored result, enforces user ownership, deletes Redis entry, and returns credentials; exchangeBoxOAuthCode helper performs token exchange with HTTP/JSON error handling; defaultBoxWebOAuthRedirectURI reads environment configuration.
Handler interface extension and HTTP methods internal/handler/connector.go	Connector service interface extended with BoxWebOAuthCallback and PollBoxWebOAuthResult method signatures; BoxWebOAuthCallback handler extracts query parameters (state, error, error_description, code), calls service method, and returns HTML as text/html; charset=utf-8; PollBoxWebOAuthResult handler authenticates user, binds JSON request into PollBoxWebOAuthResultRequest, calls service method, and returns JSON response with standard error handling.
HTTP routing for Box OAuth endpoints internal/router/router.go	Box OAuth callback route /connectors/box/oauth/web/callback added to unprotected /api/v1 routes alongside Gmail and Google Drive OAuth callbacks; Box OAuth polling/result endpoint /box/oauth/web/result added as protected POST handler under /api/v1/connector; OAuth callback route grouping and comments updated to clarify these routes do not use auth middleware.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• #15662: Implements the Box OAuth web-flow callback and polling/result endpoints in the connector service layer, directly addressing the integration requirements.

Suggested labels

size:XL

🐰 A Box arrives with OAuth flair,
Web flows dance through the air,
State validations, tokens exchanged,
Redis remembers what's arranged,
Credentials polled with care!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat[Go]: implement Box OAuth connector callback and poll-result APIs' is clear, specific, and directly describes the main change—adding two Box OAuth endpoints to the Go layer.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description comprehensively covers the problem solved, implementation details, and includes a checked 'New Feature' type. All key technical decisions and Redis key schemes are documented.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[hunnyboy1217]

Hi, @Haruko386,
Please review this PR.