Add Arabic language support and globe dropdown to portal

- app.html: replace lang toggle button with 🌐 dropdown (EN / 中文 / العربية)
- Add full Arabic (ar) translation for all UI strings
- RTL support: dir="rtl" + Cairo font when Arabic is selected
- Date locale switches to ar-SA for Arabic
- Login logo: use logo_ark_transparent.png (120px, no background)
- Add Google OAuth login UI (btn-google, login-divider)
- Update submodule pointer (webpage: logo, spacing, paper meta fixes)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: JihaoXin

ark/webapp/config.py

@@ -28,6 +28,8 @@ def _env_file() -> Path:
     "SLURM_PARTITION": "",
     "SLURM_ACCOUNT": "",
     "SLURM_CONDA_ENV": "ark",
+    "GOOGLE_CLIENT_ID": "",
+    "GOOGLE_CLIENT_SECRET": "",
 }
 
 
@@ -70,6 +72,11 @@ def _write_default_env():
 # Admin emails (comma-separated). Admins can disable/enable the webapp and kill all jobs.
 ADMIN_EMAILS=
 
+# Google OAuth (optional). Get credentials at console.cloud.google.com → APIs & Services → Credentials.
+# Redirect URI to register: {BASE_URL}/auth/google/callback
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+
 PROJECTS_ROOT={_root / 'ark_webapp' / 'projects'}
 SECRET_KEY={secrets.token_hex(32)}
 DB_PATH={_root / 'ark_webapp' / 'webapp.db'}
@@ -117,6 +124,9 @@ def __init__(self):
         raw_admins = merged.get("ADMIN_EMAILS", "")
         self.admin_emails: list[str] = [e.strip().lower() for e in raw_admins.split(",") if e.strip()]
 
+        self.google_client_id: str = merged.get("GOOGLE_CLIENT_ID", "")
+        self.google_client_secret: str = merged.get("GOOGLE_CLIENT_SECRET", "")
+
         self.projects_root.mkdir(parents=True, exist_ok=True)
 
 

ark/webapp/routes.py

@@ -34,8 +34,32 @@ def _disabled_flag() -> _Path:
 from fastapi.responses import FileResponse, HTMLResponse, JSONResponse, RedirectResponse, StreamingResponse
 from starlette.requests import Request
 
+from authlib.integrations.starlette_client import OAuth as _OAuth
+
 from .auth import make_token, verify_token
 from .config import get_settings
+
+# Lazy-initialized Google OAuth client
+_google_oauth: _OAuth | None = None
+
+
+def _get_google_oauth() -> _OAuth | None:
+    """Return authlib OAuth client if Google credentials are configured."""
+    global _google_oauth
+    if _google_oauth is not None:
+        return _google_oauth
+    settings = get_settings()
+    if not settings.google_client_id or not settings.google_client_secret:
+        return None
+    _google_oauth = _OAuth()
+    _google_oauth.register(
+        name="google",
+        client_id=settings.google_client_id,
+        client_secret=settings.google_client_secret,
+        server_metadata_url="https://accounts.google.com/.well-known/openid-configuration",
+        client_kwargs={"scope": "openid email profile"},
+    )
+    return _google_oauth
 from .db import (
     Project,
     User,
@@ -363,6 +387,86 @@ async def auth_logout(request: Request):
     return RedirectResponse("/")
 
 
+_GOOGLE_REDIRECT_URI = "https://kaust-ark.github.io/oauth-callback"
+
+
+@router.get("/auth/google")
+async def auth_google(request: Request):
+    oauth = _get_google_oauth()
+    if not oauth:
+        raise HTTPException(400, "Google login is not configured on this server.")
+    return await oauth.google.authorize_redirect(request, _GOOGLE_REDIRECT_URI)
+
+
+@router.get("/auth/google/callback")
+async def auth_google_callback(request: Request):
+    oauth = _get_google_oauth()
+    if not oauth:
+        raise HTTPException(400, "Google login is not configured on this server.")
+    settings = get_settings()
+    try:
+        token = await oauth.google.authorize_access_token(request)
+    except Exception as exc:
+        logger.warning(f"Google OAuth error: {exc}")
+        return RedirectResponse("/?google_error=1")
+
+    userinfo = token.get("userinfo") or {}
+    email = (userinfo.get("email") or "").strip().lower()
+    if not email:
+        return RedirectResponse("/?google_error=1")
+
+    # Apply same allow-list checks as magic link
+    denied = False
+    if settings.allowed_emails:
+        if email not in settings.allowed_emails:
+            denied = True
+    elif settings.email_domains:
+        if email.split("@")[-1] not in settings.email_domains:
+            denied = True
+
+    if denied:
+        return HTMLResponse(
+            f"""<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <title>Access Denied — ARK</title>
+  <style>
+    body {{ font-family: sans-serif; display: flex; align-items: center; justify-content: center;
+           min-height: 100vh; margin: 0; background: #f0fdfa; }}
+    .card {{ background: #fff; border-radius: 16px; padding: 48px 52px; max-width: 420px;
+             box-shadow: 0 4px 24px rgba(0,0,0,.08); text-align: center; }}
+    h2 {{ color: #991b1b; margin-bottom: 12px; }}
+    p {{ color: #555; line-height: 1.6; }}
+    a {{ color: #0d9488; }}
+    .back {{ margin-top: 24px; display: inline-block; color: #0d9488; font-size: .9rem; }}
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h2>Access Denied</h2>
+    <p>Your Google account (<strong>{email}</strong>) is not authorized to access ARK.</p>
+    <p>To request access, contact<br/>
+       <a href="mailto:jihao.xin@kaust.edu.sa">jihao.xin@kaust.edu.sa</a></p>
+    <a class="back" href="/">← Back to login</a>
+  </div>
+</body>
+</html>""",
+            status_code=403,
+        )
+
+    with get_session(settings.db_path) as session:
+        user = get_or_create_user_by_email(session, email)
+        request.session["user_id"] = user.id
+    return RedirectResponse("/")
+
+
+@router.get("/auth/google/enabled")
+async def auth_google_enabled():
+    """Frontend polls this to know whether to show Google button."""
+    return JSONResponse({"enabled": _get_google_oauth() is not None})
+
+
 @router.get("/api/me")
 async def api_me(request: Request):
     user = _get_current_user(request)