@dguido/google-workspace-mcp 2.0.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/README.md +52 -2
  2. package/dist/index.js +1892 -670
  3. package/dist/index.js.map +4 -4
  4. package/package.json +4 -2
package/README.md CHANGED
@@ -189,7 +189,7 @@ Set `GOOGLE_DRIVE_OAUTH_CREDENTIALS` environment variable or place `gcp-oauth.ke
189
189
 
190
190
  ### "Authentication failed" or browser doesn't open
191
191
 
192
- Ensure credential type is "Desktop app" (not "Web application") and ports 3000-3004 are available.
192
+ Ensure credential type is "Desktop app" (not "Web application"). The server uses an ephemeral port assigned by the OS, so no specific ports need to be available.
193
193
 
194
194
  ### "Tokens expired" or "Invalid grant"
195
195
 
@@ -200,6 +200,8 @@ rm ~/.config/google-workspace-mcp/tokens.json
200
200
  npx @dguido/google-workspace-mcp auth
201
201
  ```
202
202
 
203
+ **To avoid weekly re-authentication:** Publish your OAuth app (see [Avoiding Token Expiry](#avoiding-token-expiry) below).
204
+
203
205
  ### "API not enabled"
204
206
 
205
207
  Enable the missing API in [Google Cloud Console](https://console.cloud.google.com) > APIs & Services > Library.
@@ -212,11 +214,59 @@ Revoke app access at [Google Account Permissions](https://myaccount.google.com/p
212
214
 
213
215
  ## Security
214
216
 
215
- - OAuth 2.0 with automatic token refresh
217
+ - RFC 8252-compliant OAuth 2.0 with PKCE (Proof Key for Code Exchange)
218
+ - Loopback-only authentication server (127.0.0.1)
219
+ - State parameter for CSRF protection
220
+ - Automatic token refresh
216
221
  - Tokens stored with 0600 permissions
217
222
  - All processing happens locally
218
223
  - Never commit `gcp-oauth.keys.json` or tokens to version control
219
224
 
225
+ ## Avoiding Token Expiry
226
+
227
+ OAuth apps in "Testing" status automatically expire tokens after 7 days. To avoid weekly re-authentication:
228
+
229
+ ### Option 1: Publish Your OAuth App (Recommended)
230
+
231
+ 1. Go to [Google Cloud Console](https://console.cloud.google.com) > APIs & Services > OAuth consent screen
232
+ 2. Click "PUBLISH APP"
233
+ 3. For personal use, you don't need to complete Google's verification process
234
+ 4. Published apps keep tokens valid until explicitly revoked
235
+
236
+ **Note:** Publishing makes your app available to any Google user, but since you control the OAuth credentials, only you can authenticate.
237
+
238
+ ### Option 2: Use Internal App (Workspace Only)
239
+
240
+ If you have a Google Workspace account:
241
+
242
+ 1. Set User Type to "Internal" on the OAuth consent screen
243
+ 2. Internal apps don't expire tokens and don't require publishing
244
+
245
+ ### Monitoring Token Age
246
+
247
+ Use `get_status` with `diagnose: true` to check token age:
248
+
249
+ ```
250
+ # Tokens older than 6 days will show a warning
251
+ # Token created_at timestamp is tracked automatically
252
+ ```
253
+
254
+ ## Scope Filtering
255
+
256
+ When you limit services via `GOOGLE_WORKSPACE_SERVICES`, only the OAuth scopes for those services are requested during authentication. This provides:
257
+
258
+ - **Cleaner consent screen** - Users see only the permissions they need
259
+ - **Principle of least privilege** - App only has access to enabled services
260
+
261
+ For example, setting `GOOGLE_WORKSPACE_SERVICES=drive,calendar` will only request Drive and Calendar scopes, not Gmail or Contacts.
262
+
263
+ **Note:** If you change enabled services, re-authenticate to update granted scopes:
264
+
265
+ ```bash
266
+ rm ~/.config/google-workspace-mcp/tokens.json
267
+ npx @dguido/google-workspace-mcp auth
268
+ ```
269
+
220
270
  ## Development
221
271
 
222
272
  ```bash