From c4e35ac21c9c577747684b3349ecf0a64caff6b6 Mon Sep 17 00:00:00 2001
From: Anish Sarkar <104695310+AnishSarkar22@users.noreply.github.com>
Date: Wed, 24 Jun 2026 16:06:49 +0530
Subject: [PATCH] chore: add GOOGLE_DESKTOP_CLIENT_ID to environment variables
 in workflows and update .env.example

---
 .github/workflows/desktop-release.yml | 2 ++
 surfsense_desktop/.env.example        | 9 ++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/desktop-release.yml b/.github/workflows/desktop-release.yml
index 7336fa9bd..3ad529671 100644
--- a/.github/workflows/desktop-release.yml
+++ b/.github/workflows/desktop-release.yml
@@ -113,6 +113,7 @@ jobs:
         env:
           HOSTED_BACKEND_URL: ${{ vars.HOSTED_BACKEND_URL }}
           HOSTED_FRONTEND_URL: ${{ vars.HOSTED_FRONTEND_URL }}
+          GOOGLE_DESKTOP_CLIENT_ID: ${{ vars.GOOGLE_DESKTOP_CLIENT_ID }}
           POSTHOG_KEY: ${{ secrets.POSTHOG_KEY }}
           POSTHOG_HOST: ${{ vars.POSTHOG_HOST }}
 
@@ -143,6 +144,7 @@ jobs:
         working-directory: surfsense_desktop
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GOOGLE_DESKTOP_CLIENT_ID: ${{ vars.GOOGLE_DESKTOP_CLIENT_ID }}
           WINDOWS_PUBLISHER_NAME: ${{ vars.WINDOWS_PUBLISHER_NAME }}
           AZURE_CODESIGN_ENDPOINT: ${{ vars.AZURE_CODESIGN_ENDPOINT }}
           AZURE_CODESIGN_ACCOUNT: ${{ vars.AZURE_CODESIGN_ACCOUNT }}
diff --git a/surfsense_desktop/.env.example b/surfsense_desktop/.env.example
index f4e797250..83e658db9 100644
--- a/surfsense_desktop/.env.example
+++ b/surfsense_desktop/.env.example
@@ -3,7 +3,14 @@
 
 # The hosted web frontend URL. Used to intercept OAuth redirects and keep them
 # inside the desktop app. Set to your production frontend domain.
-HOSTED_FRONTEND_URL=https://surfsense.com
+HOSTED_FRONTEND_URL=http://localhost:3000
+
+# The backend API URL used by desktop auth and refresh flows.
+HOSTED_BACKEND_URL=http://localhost:8000
+
+# Public Google OAuth Desktop app client ID. This is required for native
+# loopback + PKCE login and is safe to ship in the desktop app.
+GOOGLE_DESKTOP_CLIENT_ID=your_google_desktop_client_id.apps.googleusercontent.com
 
 # Runtime override for the above (read at app start, no rebuild required).
 # Useful for self-hosters whose backend NEXT_FRONTEND_URL differs from the