Extension OAuth + store: flatten action JSON, open auth URLs, spotiflac:// callback

Third-party extensions (e.g. Spotify PKCE addons) need three things the current app does not fully provide:

Extension button results – The Go runtime returned { success, result: { message, open_auth_url, … } } while Flutter read message / open_auth_url only on the outer map, so OAuth buttons appeared to do nothing. InvokeAction now merges the extension’s return object onto the top-level JSON (arrays/non-objects still use result).

Flutter – extension_detail_page: unwrap nested result for compatibility, merge setting_updates into saved extension settings (for copyable OAuth URLs), and launchUrl when open_auth_url is set.

Mobile OAuth return – spotiflac://callback?code=…&state=<extension_id> was not handled on Android (manifest + MainActivity) or iOS (AppDelegate open URL + cold-start launchOptions). This wires SetExtensionAuthCodeByID + invokeExtensionAction(..., "completeSpotifyLogin") so PKCE extensions can finish login after the browser redirect.

Extension store HTTP – Add Cache-Control: no-cache on registry and extension package downloads to reduce stale CDN/proxy responses.

Testing: Install a metadata extension that uses PKCE; tap Connect; confirm browser opens, return via spotiflac://callback, and tokens complete without pasting the code manually.

extension InvokeAction JSON was nested under result while the Flutter settings UI only read the top level, so OAuth-related buttons never showed messages or opened the browser. This PR flattens that payload, merges optional setting_updates, launches open_auth_url, adds spotiflac://callback handling on Android and iOS, and sends no-cache on store HTTP fetches. Needed for extensions like SpoitiLists (Spotify Web API + PKCE).

android/app/src/main/AndroidManifest.xml

@@ -86,6 +86,20 @@
                 <category android:name="android.intent.category.BROWSABLE" />
                 <data android:scheme="https" android:host="music.youtube.com" />
             </intent-filter>
+
+            <!-- Extension OAuth (PKCE) redirect: spotiflac://callback?code=...&state=<extension_id> -->
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+                <category android:name="android.intent.category.DEFAULT" />
+                <category android:name="android.intent.category.BROWSABLE" />
+                <data android:scheme="spotiflac" android:host="callback" />
+            </intent-filter>
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+                <category android:name="android.intent.category.DEFAULT" />
+                <category android:name="android.intent.category.BROWSABLE" />
+                <data android:scheme="spotiflac" android:host="spotify-callback" />
+            </intent-filter>
         </activity>
 
         <!-- Download Service -->

android/app/src/main/kotlin/com/zarz/spotiflac/MainActivity.kt

@@ -4,6 +4,7 @@ import android.app.Activity
 import android.content.Intent
 import android.net.Uri
 import android.os.Build
+import android.os.Bundle
 import androidx.activity.OnBackPressedCallback
 import androidx.activity.result.contract.ActivityResultContracts
 import androidx.documentfile.provider.DocumentFile
@@ -1861,9 +1862,54 @@ class MainActivity: FlutterFragmentActivity() {
     // We handle these URLs ourselves via receive_sharing_intent + ShareIntentService.
     override fun shouldHandleDeeplinking(): Boolean = false
 
+    override fun onCreate(savedInstanceState: Bundle?) {
+        super.onCreate(savedInstanceState)
+        handleExtensionOAuthIntent(intent)
+    }
+
     override fun onNewIntent(intent: Intent) {
         super.onNewIntent(intent)
         setIntent(intent)
+        handleExtensionOAuthIntent(intent)
+    }
+
+    /**
+     * Deliver Spotify (or other) OAuth authorization code to the extension runtime
+     * and run its token exchange (e.g. completeSpotifyLogin). State must be the extension id.
+     */
+    private fun handleExtensionOAuthIntent(intent: Intent?) {
+        val uri = intent?.data ?: return
+        if (!uri.scheme.equals("spotiflac", ignoreCase = true)) {
+            return
+        }
+        val host = (uri.host ?: "").lowercase(Locale.US)
+        val path = (uri.path ?: "").lowercase(Locale.US)
+        val isCallback =
+            host == "callback" ||
+                host == "spotify-callback" ||
+                path.contains("callback")
+        if (!isCallback) {
+            return
+        }
+        val code = uri.getQueryParameter("code")?.trim().orEmpty()
+        if (code.isEmpty()) {
+            return
+        }
+        val extId = uri.getQueryParameter("state")?.trim().orEmpty()
+        if (extId.isEmpty()) {
+            android.util.Log.w("SpotiFLAC", "Extension OAuth redirect missing state (extension id)")
+            return
+        }
+        intent.data = null
+        scope.launch(Dispatchers.IO) {
+            try {
+                Gobackend.setExtensionAuthCodeByID(extId, code)
+                val json = Gobackend.invokeExtensionActionJSON(extId, "completeSpotifyLogin")
+                android.util.Log.i("SpotiFLAC", "Extension OAuth complete for $extId: $json")
+            } catch (e: Exception) {
+                android.util.Log.w("SpotiFLAC", "Extension OAuth failed: ${e.message}")
+            }
+        }
     }
 
     override fun onDestroy() {