@mcpher/gas-fakes 2.2.6 → 2.3.0

package/README.md

@@ -19,8 +19,10 @@ For a complete guide on how to set up your local environment for authentication
 Collaborators should fork the repo and use the local versions of these files - see collaborators info.
 
 ### Use exactly the same code as in Apps Script
+## Usage
+Just as on Apps Script, everything is executed synchronously so you don't need to bother with handling Promises/async/await. Just write normal Apps Script code. Usually you would have an associated App Script project if that's your eventual target. Just like Apps Script, you need a manifest file (appsscript.json) so you can be sure that the correct scopes are authorized and asked for.
 
-Just as on Apps Script, everything is executed synchronously so you don't need to bother with handling Promises/async/await. Just write normal Apps Script code. Usually you would have an associated App Script project if that's your eventual target. Just like Apps Script, you need a manifest file (appsscript.json) so you can be sure that the correct scopes are authroized and asked for. 
+> **Note on `appsscript.json`:** For full fidelity with live Apps Script, you should have a manifest available. However, as a workaround for "pure" `gas-fakes` projects where there is no intention to run in live Apps Script, if `appsscript.json` is missing or has no scopes, the runtime will automatically emulate one using the `DEFAULT_SCOPES` and `EXTRA_SCOPES` defined in your `.env` file, and will default the script's `timeZone` to `America/New_York` (or `GF_TIMEZONE`).
 
 # gas-fakes-cli
 
@@ -168,11 +170,12 @@ As I mentioned earlier, to take this further, I'm going to need a lot of help to
 ## Read more docs
 
 - [gas fakes intro video](https://youtu.be/oEjpIrkYpEM)
-- [getting started](GETTING_STARTED.md) - how to handle authentication for restricted scopes.
+- [getting started](GETTING_STARTED.md) - how to handle authentication for Workspace scopes.
 - [readme](README.md)
 - [gas fakes cli](gas-fakes-cli.md)
 - [ksuite as a back end](ksuite_poc.md)
 - [msgraph as a back end](msgraph.md)
+- [gas-fakes in serverless containers](https://docs.google.com/presentation/d/1JlXF9T--DD4ERHopyP3WyAMhjRCxxHblgCP5ynxaJ3k/edit?usp=sharing)
 - [apps script - a lingua franca for workspace platforms](https://ramblings.mcpher.com/apps-script-a-lingua-franca/)
 - [Apps Script: A ‘Lingua Franca’ for the Multi-Cloud Era](https://ramblings.mcpher.com/apps-script-with-ksuite/)
 - [running gas-fakes on google cloud run](https://github.com/brucemcpherson/gas-fakes-containers)
@@ -191,17 +194,17 @@ As I mentioned earlier, to take this further, I'm going to need a lot of help to
 - [oddities](oddities.md) - a collection of oddities uncovered during this project
 - [named colors](named-colors.md)
 - [sandbox](sandbox.md)
-- [senstive scopes](senstive_scopes.md)
+- [senstive scopes](workspace_scopes.md)
 - [using apps script libraries with gas-fakes](libraries.md)
 - [how libhandler works](libhandler.md)
 - [article:using apps script libraries with gas-fakes](https://ramblings.mcpher.com/how-to-use-apps-script-libraries-directly-from-node/)
 - [named range identity](named-range-identity.md)
-- [adc and restricted scopes](https://ramblings.mcpher.com/how-to-allow-access-to-sensitive-scopes-with-application-default-credentials/)
+- [Workspace scopes with local authentication](workspace_scopes.md)
 - [push test pull](pull-test-push.md)
 - [sharing cache and properties between gas-fakes and live apps script](https://ramblings.mcpher.com/sharing-cache-and-properties-between-gas-fakes-and-live-apps-script/)
 - [gas-fakes-cli now has built in mcp server and gemini extension](https://ramblings.mcpher.com/gas-fakes-cli-now-has-built-in-mcp-server-and-gemini-extension/)
 - [gas-fakes CLI: Run apps script code directly from your terminal](https://ramblings.mcpher.com/gas-fakes-cli-run-apps-script-code-directly-from-your-terminal/)
-- [How to allow access to sensitive scopes with Application Default Credentials](https://ramblings.mcpher.com/how-to-allow-access-to-sensitive-scopes-with-application-default-credentials/)
+- [How to allow access to Workspace scopes with Application Default Credentials](https://ramblings.mcpher.com/how-to-allow-access-to-sensitive-scopes-with-application-default-credentials/)
 - [Supercharge Your Google Apps Script Caching with GasFlexCache](https://ramblings.mcpher.com/supercharge-your-google-apps-script-caching-with-gasflexcache/)
 - [Fake-Sandbox for Google Apps Script: Granular controls.](https://ramblings.mcpher.com/fake-sandbox-for-google-apps-script-granular-controls/)
 - [A Fake-Sandbox for Google Apps Script: Securely Executing Code Generated by Gemini CLI](https://ramblings.mcpher.com/gas-fakes-sandbox/)

package/package.json

@@ -3,7 +3,7 @@
     "node": ">=20.11.0"
   },
   "dependencies": {
-    "@azure/identity": "^4.13.0",
+    "@azure/identity": "^4.13.1",
     "@mcpher/fake-gasenum": "^1.0.6",
     "@mcpher/gas-flex-cache": "^1.1.5",
     "@microsoft/microsoft-graph-client": "^3.0.7",
@@ -13,7 +13,7 @@
     "archiver": "^7.0.1",
     "commander": "^14.0.3",
     "dotenv": "^17.3.1",
-    "fast-xml-parser": "^5.4.2",
+    "fast-xml-parser": "^5.5.9",
     "get-stream": "^9.0.1",
     "google-auth-library": "^10.6.2",
     "googleapis": "^171.4.0",
@@ -39,7 +39,7 @@
   },
   "name": "@mcpher/gas-fakes",
   "author": "bruce mcpherson",
-  "version": "2.2.6",
+  "version": "2.3.0",
   "license": "MIT",
   "main": "main.js",
   "description": "An implementation of the Google Workspace Apps Script runtime: Run native App Script Code on Node and Cloud Run",

package/src/cli/lib-manager.js

@@ -6,8 +6,10 @@ import { checkForGcloudCli, spawnCommand } from "./utils.js";
 async function getAccessToken(pattern) {
   if (pattern == 1) {
     // Authorization pattern 1
+    // We use cloud-platform as it provides sufficient access for Drive API fetching
+    // while avoiding the 'well-known client ID' block that targets Workspace scopes like drive.readonly.
     const auth = await Auth.setAuth(
-      ["https://www.googleapis.com/auth/drive.readonly"],
+      ["https://www.googleapis.com/auth/cloud-platform"],
       true
     );
     auth.cachedCredential = null;

package/src/cli/setup.js

@@ -285,9 +285,26 @@ export async function initializeConfiguration(options = {}) {
       "https://www.googleapis.com/auth/cloud-platform",
     ];
     responses.DEFAULT_SCOPES = DEFAULT_SCOPES_VALUES.join(",");
-    responses.EXTRA_SCOPES = manifestScopes
-      .filter(s => !DEFAULT_SCOPES_VALUES.includes(s))
-      .join(",");
+
+    let extraScopes = manifestScopes.filter(s => !DEFAULT_SCOPES_VALUES.includes(s));
+
+    // Restricted scopes that trigger blocks for the default 'well-known' ADC client ID
+    const restrictedMatch = (s) =>
+      s.includes("auth/drive") ||
+      s.includes("auth/spreadsheets") ||
+      s.includes("auth/documents") ||
+      s.includes("auth/forms") ||
+      s.includes("auth/presentations") ||
+      s.includes("auth/script.external_request");
+
+    if (responses.AUTH_TYPE === "adc" && !responses.CLIENT_CREDENTIAL_FILE) {
+      const toSkip = extraScopes.filter(restrictedMatch);
+      if (toSkip.length > 0) {
+        console.log(`\n\x1b[1;33mWarning: ADC requested with Workspace scopes (${toSkip.map(s => s.split("/").pop()).join(", ")}). Google now blocks these scopes when using the default gcloud CLI client ID. You MUST provide a custom OAuth client credential file.\x1b[0m`);
+      }
+    }
+
+    responses.EXTRA_SCOPES = extraScopes.join(",");
 
     const googleQuestions = [
       {
@@ -303,12 +320,12 @@ export async function initializeConfiguration(options = {}) {
         initial: existingConfig.GOOGLE_SERVICE_ACCOUNT_NAME || "gas-fakes-sa",
       },
       {
-        type: "text",
+        type: responses.AUTH_TYPE === "adc" ? "text" : null,
         name: "CLIENT_CREDENTIAL_FILE",
-        message: "Enter path to OAuth client credentials JSON (optional, required for restricted scopes with ADC)",
+        message: "Enter path to OAuth client credentials JSON (optional, required for Workspace scopes with ADC)",
         initial: existingConfig.CLIENT_CREDENTIAL_FILE || "",
       }
-    ];
+      ];
 
     const googleResponses = await prompts(googleQuestions);
     if (typeof googleResponses.GOOGLE_CLOUD_PROJECT === "undefined") {
@@ -342,10 +359,10 @@ export async function initializeConfiguration(options = {}) {
       message: "What type of Microsoft account are you using?",
       choices: [
         { title: "Consumer (Personal, Outlook.com, Hotmail, etc.)", value: "consumers" },
-        { title: "Business/Education (Work or School)", value: "organizations" },
+        { title: "Business/Education (Work or School) ", value: "organizations" },
         { title: "Standard Multi-tenant", value: "common" }
       ],
-      initial: existingConfig.MS_GRAPH_TENANT_ID === "consumers" ? 0 : (existingConfig.MS_GRAPH_TENANT_ID === "organizations" ? 1 : 2)
+      initial: existingConfig.MS_GRAPH_TENANT_ID === "organizations" ? 1 : (existingConfig.MS_GRAPH_TENANT_ID === "common" ? 2 : 0)
     });
 
     if (typeof msAccountType.type === "undefined") {
@@ -604,13 +621,13 @@ export async function authenticateUser(options = {}) {
       const msScopes = mapGasScopesToMsGraph(gasScopes);
 
       try {
+        const tenantId = process.env.MS_GRAPH_TENANT_ID || 'consumers';
         const azCmd = `az config set core.login_experience_v2=off && az login --allow-no-subscriptions --output none`;
 
         console.log(`Executing: ${azCmd}`);
         try {
           runCommandSync(azCmd);
           console.log(`\n\x1b[1;32mSuccess!\x1b[0m Azure CLI session discovered.`);
-          const tenantId = process.env.MS_GRAPH_TENANT_ID || 'consumers';
           console.log(`Silent fallback is now enabled for: \x1b[1;36m${tenantId}\x1b[0m`);
         } catch (e) {
           console.error(`\x1b[1;31mAzure CLI Login failed.\x1b[0m`);
@@ -662,7 +679,27 @@ export async function authenticateUser(options = {}) {
         ...(EXTRA_SCOPES || "").split(","),
       ])).filter(s => s).join(",");
 
-      console.log(`...requesting scopes: ${scopes}`);
+      let adcScopes = AUTH_TYPE === "dwd" 
+        ? Array.from(new Set((DEFAULT_SCOPES || "").split(","))).filter(s => s).join(",")
+        : scopes;
+
+      const hasClientId = CLIENT_CREDENTIAL_FILE && fs.existsSync(path.resolve(process.cwd(), CLIENT_CREDENTIAL_FILE));
+      if (AUTH_TYPE !== "dwd" && !hasClientId) {
+        const scopeList = adcScopes.split(",");
+        const workspaceScopes = scopeList.filter(s => 
+          s.includes("auth/drive") || 
+          s.includes("auth/spreadsheets") || 
+          s.includes("auth/documents") || 
+          s.includes("auth/forms") ||
+          s.includes("auth/presentations")
+        );
+        
+        if (workspaceScopes.length > 0) {
+          console.warn(`\n\x1b[1;33mWarning: Workspace scopes (${workspaceScopes.map(s => s.split("/").pop()).join(", ")}) requested with ADC and no CLIENT_CREDENTIAL_FILE. This is expected to be blocked by Google.\x1b[0m`);
+        }
+      }
+
+      console.log(`...requesting scopes: ${adcScopes}`);
 
       const driveAccessFlag = "--enable-gdrive-access";
       const activeConfig = AC || "default";
@@ -684,7 +721,7 @@ export async function authenticateUser(options = {}) {
       runCommandSync(`gcloud auth login ${driveAccessFlag}`);
 
       let clientFlag = "";
-      if (CLIENT_CREDENTIAL_FILE) {
+      if (AUTH_TYPE !== "dwd" && CLIENT_CREDENTIAL_FILE) {
         const clientPath = path.resolve(process.cwd(), CLIENT_CREDENTIAL_FILE);
         if (fs.existsSync(clientPath)) {
           console.log(`...using client credentials from ${clientPath}`);
@@ -693,7 +730,8 @@ export async function authenticateUser(options = {}) {
       }
 
       console.log("Setting up Application Default Credentials (ADC)...");
-      runCommandSync(`gcloud auth application-default login --scopes="${scopes}" ${clientFlag}`);
+      const adcScopeFlag = `--scopes="${adcScopes}"`;
+      runCommandSync(`gcloud auth application-default login ${adcScopeFlag} ${clientFlag}`.trim());
       runCommandSync(`gcloud auth application-default set-quota-project ${projectId}`);
 
       // --- DWD Specific Setup (if configured) ---

package/src/services/scriptapp/app.js

@@ -114,7 +114,9 @@ const checkScopesMatch = (required) => {
       "https://www.googleapis.com/auth/script.external_request",
       "https://www.googleapis.com/auth/documents",
       "https://www.googleapis.com/auth/presentations",
-      "https://www.googleapis.com/auth/forms"
+      "https://www.googleapis.com/auth/forms",
+      "https://www.googleapis.com/auth/drive",
+      "https://www.googleapis.com/auth/spreadsheets"
     ]
     const hasIgnore = ignores.some(i => i.replace(/\/$/, "") === ns)
     if (hasIgnore) {

package/src/services/spreadsheetapp/fakecontainerinfo.js

@@ -0,0 +1,58 @@
+import { Proxies } from "../../support/proxies.js";
+
+/**
+ * create a new FakeContainerInfo instance
+ * @param  {...any} args
+ * @returns {FakeContainerInfo}
+ */
+export const newFakeContainerInfo = (...args) => {
+  return Proxies.guard(new FakeContainerInfo(...args));
+};
+
+/**
+ * Access to the chart's container position.
+ */
+export class FakeContainerInfo {
+  /**
+   * @param {object} overlayPosition The overlayPosition object from Sheets API
+   */
+  constructor(overlayPosition) {
+    this.__overlayPosition = overlayPosition || {};
+  }
+
+  /**
+   * Returns the column index where the drawing is anchored.
+   * @returns {number}
+   */
+  getAnchorColumn() {
+    return (this.__overlayPosition.anchorCell?.columnIndex || 0) + 1;
+  }
+
+  /**
+   * Returns the row index where the drawing is anchored.
+   * @returns {number}
+   */
+  getAnchorRow() {
+    return (this.__overlayPosition.anchorCell?.rowIndex || 0) + 1;
+  }
+
+  /**
+   * Returns the horizontal offset in pixels from the anchor column.
+   * @returns {number}
+   */
+  getOffsetX() {
+    return this.__overlayPosition.offsetXPixels || 0;
+  }
+
+  /**
+   * Returns the vertical offset in pixels from the anchor row.
+   * @returns {number}
+   */
+  getOffsetY() {
+    return this.__overlayPosition.offsetYPixels || 0;
+  }
+
+  toString() {
+    return "ContainerInfo";
+  }
+}

package/src/services/spreadsheetapp/fakeembeddedchart.js

@@ -2,6 +2,7 @@ import { Proxies } from "../../support/proxies.js";
 import { notYetImplemented, signatureArgs } from "../../support/helpers.js";
 import { batchUpdate } from "./sheetrangehelpers.js";
 import { newFakeEmbeddedChartBuilder } from "./fakeembeddedchartbuilder.js";
+import { newFakeContainerInfo } from "./fakecontainerinfo.js";
 
 /**
  * @returns {FakeEmbeddedChart}
@@ -25,13 +26,20 @@ export class FakeEmbeddedChart {
     const props = [
       "getAs",
       "getBlob",
-      "getContainerInfo",
     ];
     props.forEach((f) => {
       this[f] = () => notYetImplemented(f);
     });
   }
 
+  /**
+   * Returns information about where the chart is positioned within a sheet.
+   * @returns {FakeContainerInfo}
+   */
+  getContainerInfo() {
+    return newFakeContainerInfo(this.__apiChart.position?.overlayPosition);
+  }
+
   /**
    * Returns the ID of this chart.
    * @returns {number}

package/src/support/auth.js

@@ -167,6 +167,22 @@ const setAuth = async (scopes = [], mcpLoading = false) => {
 
     if (!useDwd) {
       id.authMethod = 'adc'
+      
+      const workspaceScopes = scopes.filter(s => 
+        s.includes('auth/drive') || 
+        s.includes('auth/spreadsheets') || 
+        s.includes('auth/documents') || 
+        s.includes('auth/forms') ||
+        s.includes('auth/presentations')
+      )
+      
+      const creds = await id.auth.getCredentials();
+      const isDefaultClient = creds && creds.client_id === '764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com';
+
+      if (isDefaultClient && workspaceScopes.length > 0) {
+        throw new Error(`ADC error: Google no longer allows the use of the default gcloud client ID for regular Workspace scopes (${workspaceScopes.map(s => s.split('/').pop()).join(', ')}). You must use a custom client credential file. See https://docs.cloud.google.com/docs/authentication/troubleshoot-adc#access_blocked_when_using_scopes`);
+      }
+
       id.authClient = await id.auth.getClient({ scopes })
       id.sourceClient = id.authClient
     } else {
@@ -175,7 +191,14 @@ const setAuth = async (scopes = [], mcpLoading = false) => {
       id.authMethod = 'dwd'
       const targetPrincipal = `${saName}@${id.projectId}.iam.gserviceaccount.com`
 
-      const sourceScopes = scopes.filter(s => s === 'openid' || s === 'https://www.googleapis.com/auth/userinfo.email')
+      // For DWD source client, we only need identity and enough scope to sign JWT
+      // cloud-platform is sufficient for IAM signJwt and avoid Drive-related blocks
+      const sourceScopes = scopes.filter(s => 
+        s === 'openid' || 
+        s === 'https://www.googleapis.com/auth/userinfo.email' ||
+        s === 'https://www.googleapis.com/auth/cloud-platform'
+      )
+      
       id.sourceClient = await id.auth.getClient(sourceScopes.length > 0 ? { scopes: sourceScopes } : {})
 
       const { tokenInfo: userInfo } = await _getTokenInfo(id.sourceClient);

package/src/support/msgraph/msauth.js

@@ -166,7 +166,7 @@ async function isGcpEnv() {
  * Gets a Microsoft Graph token.
  */
 export async function getMsGraphToken(scopes = ['User.Read']) {
-  const envTenant = process.env.MS_GRAPH_TENANT_ID || 'common';
+  const envTenant = process.env.MS_GRAPH_TENANT_ID || 'consumers';
   const clientId = process.env.MS_GRAPH_CLIENT_ID;
   const clientSecret = process.env.MS_GRAPH_CLIENT_SECRET;
   const msAuthType = process.env.MS_AUTH_TYPE;

package/src/support/sxauth.js

@@ -52,6 +52,24 @@ export const sxInit = async ({ manifestPath, claspPath, settingsPath, cachePath,
     getIfExists(claspFile)
   ])
 
+  // Emulate manifest scopes from .env if missing or empty
+  if (!manifest.oauthScopes || manifest.oauthScopes.length === 0) {
+    const envScopes = Array.from(new Set([
+      ...(process.env.DEFAULT_SCOPES || "").split(","),
+      ...(process.env.EXTRA_SCOPES || "").split(",")
+    ])).map(s => s.trim()).filter(s => s);
+
+    if (envScopes.length > 0) {
+      manifest.oauthScopes = envScopes;
+      if (!manifest.timeZone) {
+        manifest.timeZone = process.env.GF_TIMEZONE || "America/New_York";
+      }
+      if (!_loggedSummary) {
+        syncLog(`...appsscript.json missing or missing scopes. Emulating manifest using scopes from .env file`);
+      }
+    }
+  }
+
   const settings = {
     manifest: manifestFile,
     clasp: claspFile,