@mcpher/gas-fakes 2.2.7 → 2.3.1

package/README.md

@@ -19,8 +19,10 @@ For a complete guide on how to set up your local environment for authentication
 Collaborators should fork the repo and use the local versions of these files - see collaborators info.
 
 ### Use exactly the same code as in Apps Script
+## Usage
+Just as on Apps Script, everything is executed synchronously so you don't need to bother with handling Promises/async/await. Just write normal Apps Script code. Usually you would have an associated App Script project if that's your eventual target. Just like Apps Script, you need a manifest file (appsscript.json) so you can be sure that the correct scopes are authorized and asked for.
 
-Just as on Apps Script, everything is executed synchronously so you don't need to bother with handling Promises/async/await. Just write normal Apps Script code. Usually you would have an associated App Script project if that's your eventual target. Just like Apps Script, you need a manifest file (appsscript.json) so you can be sure that the correct scopes are authroized and asked for. 
+> **Note on `appsscript.json`:** For full fidelity with live Apps Script, you should have a manifest available. However, as a workaround for "pure" `gas-fakes` projects where there is no intention to run in live Apps Script, if `appsscript.json` is missing or has no scopes, the runtime will automatically emulate one using the `DEFAULT_SCOPES` and `EXTRA_SCOPES` defined in your `.env` file, and will default the script's `timeZone` to `America/New_York` (or `GF_TIMEZONE`).
 
 # gas-fakes-cli
 
@@ -49,6 +51,17 @@ Configuration for your local Node environment is handled via environment variabl
 | `LOG_DESTINATION` | `CONSOLE` | Logging destination: `CONSOLE`, `CLOUD`, `BOTH`, or `NONE`. |
 | `STORE_TYPE` | `FILE` | Internal storage type for properties/cache: `FILE` (local) or `UPSTASH` (Redis). |
 
+### Note on Consumer Accounts and ADC
+
+If you are using a consumer account (gmail.com) or do not have access to Domain-Wide Delegation (DWD), you must use Application Default Credentials (`AUTH_TYPE="adc"`) to authenticate with Google Workspace assets.
+
+**Important Security Note:** Due to recent Workspace security changes, you **must** create and provide a custom OAuth2 client credentials JSON file during initialization (`gas-fakes init`) to avoid `403 Access Blocked` errors when using Workspace scopes (like Gmail or Drive).
+
+- **Guide:** [How to allow access to Workspace scopes with Application Default Credentials](https://ramblings.mcpher.com/how-to-allow-access-to-sensitive-scopes-with-application-default-credentials/)
+- **Link to Create Credentials:** [Google Cloud Console Credentials Page](https://console.cloud.google.com/apis/credentials)
+
+**Security Warning:** Always add your client credentials JSON file to your `.gitignore` to prevent it from being committed to GitHub or other source control.
+
 
 
 ### Cloud Logging Integration
@@ -168,11 +181,12 @@ As I mentioned earlier, to take this further, I'm going to need a lot of help to
 ## Read more docs
 
 - [gas fakes intro video](https://youtu.be/oEjpIrkYpEM)
-- [getting started](GETTING_STARTED.md) - how to handle authentication for restricted scopes.
+- [getting started](GETTING_STARTED.md) - how to handle authentication for Workspace scopes.
 - [readme](README.md)
 - [gas fakes cli](gas-fakes-cli.md)
 - [ksuite as a back end](ksuite_poc.md)
 - [msgraph as a back end](msgraph.md)
+- [gas-fakes in serverless containers](https://docs.google.com/presentation/d/1JlXF9T--DD4ERHopyP3WyAMhjRCxxHblgCP5ynxaJ3k/edit?usp=sharing)
 - [apps script - a lingua franca for workspace platforms](https://ramblings.mcpher.com/apps-script-a-lingua-franca/)
 - [Apps Script: A ‘Lingua Franca’ for the Multi-Cloud Era](https://ramblings.mcpher.com/apps-script-with-ksuite/)
 - [running gas-fakes on google cloud run](https://github.com/brucemcpherson/gas-fakes-containers)
@@ -191,17 +205,17 @@ As I mentioned earlier, to take this further, I'm going to need a lot of help to
 - [oddities](oddities.md) - a collection of oddities uncovered during this project
 - [named colors](named-colors.md)
 - [sandbox](sandbox.md)
-- [senstive scopes](senstive_scopes.md)
+- [senstive scopes](workspace_scopes.md)
 - [using apps script libraries with gas-fakes](libraries.md)
 - [how libhandler works](libhandler.md)
 - [article:using apps script libraries with gas-fakes](https://ramblings.mcpher.com/how-to-use-apps-script-libraries-directly-from-node/)
 - [named range identity](named-range-identity.md)
-- [sensitive scopes with local authentication](senstive_scopes.md)
+- [Workspace scopes with local authentication](workspace_scopes.md)
 - [push test pull](pull-test-push.md)
 - [sharing cache and properties between gas-fakes and live apps script](https://ramblings.mcpher.com/sharing-cache-and-properties-between-gas-fakes-and-live-apps-script/)
 - [gas-fakes-cli now has built in mcp server and gemini extension](https://ramblings.mcpher.com/gas-fakes-cli-now-has-built-in-mcp-server-and-gemini-extension/)
 - [gas-fakes CLI: Run apps script code directly from your terminal](https://ramblings.mcpher.com/gas-fakes-cli-run-apps-script-code-directly-from-your-terminal/)
-- [How to allow access to sensitive scopes with Application Default Credentials](https://ramblings.mcpher.com/how-to-allow-access-to-sensitive-scopes-with-application-default-credentials/)
+- [How to allow access to Workspace scopes with Application Default Credentials](https://ramblings.mcpher.com/how-to-allow-access-to-sensitive-scopes-with-application-default-credentials/)
 - [Supercharge Your Google Apps Script Caching with GasFlexCache](https://ramblings.mcpher.com/supercharge-your-google-apps-script-caching-with-gasflexcache/)
 - [Fake-Sandbox for Google Apps Script: Granular controls.](https://ramblings.mcpher.com/fake-sandbox-for-google-apps-script-granular-controls/)
 - [A Fake-Sandbox for Google Apps Script: Securely Executing Code Generated by Gemini CLI](https://ramblings.mcpher.com/gas-fakes-sandbox/)

package/package.json

@@ -7,13 +7,13 @@
     "@mcpher/fake-gasenum": "^1.0.6",
     "@mcpher/gas-flex-cache": "^1.1.5",
     "@microsoft/microsoft-graph-client": "^3.0.7",
-    "@modelcontextprotocol/sdk": "^1.27.1",
+    "@modelcontextprotocol/sdk": "^1.28.0",
     "@sindresorhus/is": "^7.2.0",
     "acorn": "^8.16.0",
-    "archiver": "^7.0.1",
+    "archiver": "^4.0.2",
     "commander": "^14.0.3",
     "dotenv": "^17.3.1",
-    "fast-xml-parser": "^5.5.8",
+    "fast-xml-parser": "^5.5.9",
     "get-stream": "^9.0.1",
     "google-auth-library": "^10.6.2",
     "googleapis": "^171.4.0",
@@ -39,7 +39,7 @@
   },
   "name": "@mcpher/gas-fakes",
   "author": "bruce mcpherson",
-  "version": "2.2.7",
+  "version": "2.3.1",
   "license": "MIT",
   "main": "main.js",
   "description": "An implementation of the Google Workspace Apps Script runtime: Run native App Script Code on Node and Cloud Run",

package/src/cli/lib-manager.js

@@ -6,8 +6,10 @@ import { checkForGcloudCli, spawnCommand } from "./utils.js";
 async function getAccessToken(pattern) {
   if (pattern == 1) {
     // Authorization pattern 1
+    // We use cloud-platform as it provides sufficient access for Drive API fetching
+    // while avoiding the 'well-known client ID' block that targets Workspace scopes like drive.readonly.
     const auth = await Auth.setAuth(
-      ["https://www.googleapis.com/auth/drive.readonly"],
+      ["https://www.googleapis.com/auth/cloud-platform"],
       true
     );
     auth.cachedCredential = null;

package/src/cli/setup.js

@@ -283,12 +283,28 @@ export async function initializeConfiguration(options = {}) {
       "https://www.googleapis.com/auth/userinfo.email",
       "openid",
       "https://www.googleapis.com/auth/cloud-platform",
-      "https://www.googleapis.com/auth/drive.readonly",
     ];
     responses.DEFAULT_SCOPES = DEFAULT_SCOPES_VALUES.join(",");
-    responses.EXTRA_SCOPES = manifestScopes
-      .filter(s => !DEFAULT_SCOPES_VALUES.includes(s))
-      .join(",");
+
+    let extraScopes = manifestScopes.filter(s => !DEFAULT_SCOPES_VALUES.includes(s));
+
+    // Restricted scopes that trigger blocks for the default 'well-known' ADC client ID
+    const restrictedMatch = (s) =>
+      s.includes("auth/drive") ||
+      s.includes("auth/spreadsheets") ||
+      s.includes("auth/documents") ||
+      s.includes("auth/forms") ||
+      s.includes("auth/presentations") ||
+      s.includes("auth/script.external_request");
+
+    if (responses.AUTH_TYPE === "adc" && !responses.CLIENT_CREDENTIAL_FILE) {
+      const toSkip = extraScopes.filter(restrictedMatch);
+      if (toSkip.length > 0) {
+        console.log(`\n\x1b[1;33mWarning: ADC requested with Workspace scopes (${toSkip.map(s => s.split("/").pop()).join(", ")}). Google now blocks these scopes when using the default gcloud CLI client ID. You MUST provide a custom OAuth client credential file.\x1b[0m`);
+      }
+    }
+
+    responses.EXTRA_SCOPES = extraScopes.join(",");
 
     const googleQuestions = [
       {
@@ -306,7 +322,7 @@ export async function initializeConfiguration(options = {}) {
       {
         type: responses.AUTH_TYPE === "adc" ? "text" : null,
         name: "CLIENT_CREDENTIAL_FILE",
-        message: "Enter path to OAuth client credentials JSON (optional, required for restricted scopes with ADC)",
+        message: "Enter path to OAuth client credentials JSON (optional, required for Workspace scopes with ADC)",
         initial: existingConfig.CLIENT_CREDENTIAL_FILE || "",
       }
       ];
@@ -663,10 +679,26 @@ export async function authenticateUser(options = {}) {
         ...(EXTRA_SCOPES || "").split(","),
       ])).filter(s => s).join(",");
 
-      const adcScopes = AUTH_TYPE === "dwd" 
+      let adcScopes = AUTH_TYPE === "dwd" 
         ? Array.from(new Set((DEFAULT_SCOPES || "").split(","))).filter(s => s).join(",")
         : scopes;
 
+      const hasClientId = CLIENT_CREDENTIAL_FILE && fs.existsSync(path.resolve(process.cwd(), CLIENT_CREDENTIAL_FILE));
+      if (AUTH_TYPE !== "dwd" && !hasClientId) {
+        const scopeList = adcScopes.split(",");
+        const workspaceScopes = scopeList.filter(s => 
+          s.includes("auth/drive") || 
+          s.includes("auth/spreadsheets") || 
+          s.includes("auth/documents") || 
+          s.includes("auth/forms") ||
+          s.includes("auth/presentations")
+        );
+        
+        if (workspaceScopes.length > 0) {
+          console.warn(`\n\x1b[1;33mWarning: Workspace scopes (${workspaceScopes.map(s => s.split("/").pop()).join(", ")}) requested with ADC and no CLIENT_CREDENTIAL_FILE. This is expected to be blocked by Google.\x1b[0m`);
+        }
+      }
+
       console.log(`...requesting scopes: ${adcScopes}`);
 
       const driveAccessFlag = "--enable-gdrive-access";

package/src/services/scriptapp/app.js

@@ -114,7 +114,9 @@ const checkScopesMatch = (required) => {
       "https://www.googleapis.com/auth/script.external_request",
       "https://www.googleapis.com/auth/documents",
       "https://www.googleapis.com/auth/presentations",
-      "https://www.googleapis.com/auth/forms"
+      "https://www.googleapis.com/auth/forms",
+      "https://www.googleapis.com/auth/drive",
+      "https://www.googleapis.com/auth/spreadsheets"
     ]
     const hasIgnore = ignores.some(i => i.replace(/\/$/, "") === ns)
     if (hasIgnore) {

package/src/support/auth.js

@@ -167,6 +167,22 @@ const setAuth = async (scopes = [], mcpLoading = false) => {
 
     if (!useDwd) {
       id.authMethod = 'adc'
+      
+      const workspaceScopes = scopes.filter(s => 
+        s.includes('auth/drive') || 
+        s.includes('auth/spreadsheets') || 
+        s.includes('auth/documents') || 
+        s.includes('auth/forms') ||
+        s.includes('auth/presentations')
+      )
+      
+      const creds = await id.auth.getCredentials();
+      const isDefaultClient = creds && creds.client_id === '764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com';
+
+      if (isDefaultClient && workspaceScopes.length > 0) {
+        throw new Error(`ADC error: Google no longer allows the use of the default gcloud client ID for regular Workspace scopes (${workspaceScopes.map(s => s.split('/').pop()).join(', ')}). You must use a custom client credential file. See https://docs.cloud.google.com/docs/authentication/troubleshoot-adc#access_blocked_when_using_scopes`);
+      }
+
       id.authClient = await id.auth.getClient({ scopes })
       id.sourceClient = id.authClient
     } else {
@@ -175,11 +191,21 @@ const setAuth = async (scopes = [], mcpLoading = false) => {
       id.authMethod = 'dwd'
       const targetPrincipal = `${saName}@${id.projectId}.iam.gserviceaccount.com`
 
-      const sourceScopes = scopes.filter(s => s === 'openid' || s === 'https://www.googleapis.com/auth/userinfo.email')
+      // For DWD source client, we only need identity and enough scope to sign JWT
+      // cloud-platform is sufficient for IAM signJwt and avoid Drive-related blocks
+      const sourceScopes = scopes.filter(s => 
+        s === 'openid' || 
+        s === 'https://www.googleapis.com/auth/userinfo.email' ||
+        s === 'https://www.googleapis.com/auth/cloud-platform'
+      )
+      
       id.sourceClient = await id.auth.getClient(sourceScopes.length > 0 ? { scopes: sourceScopes } : {})
 
-      const { tokenInfo: userInfo } = await _getTokenInfo(id.sourceClient);
-      const userEmail = process.env.GOOGLE_WORKSPACE_SUBJECT || userInfo.email
+      let userEmail = process.env.GOOGLE_WORKSPACE_SUBJECT;
+      if (!userEmail) {
+        const { tokenInfo: userInfo } = await _getTokenInfo(id.sourceClient);
+        userEmail = userInfo.email;
+      }
 
       const dwdClient = new OAuth2Client()
       dwdClient._token = null

package/src/support/sxauth.js

@@ -52,6 +52,24 @@ export const sxInit = async ({ manifestPath, claspPath, settingsPath, cachePath,
     getIfExists(claspFile)
   ])
 
+  // Emulate manifest scopes from .env if missing or empty
+  if (!manifest.oauthScopes || manifest.oauthScopes.length === 0) {
+    const envScopes = Array.from(new Set([
+      ...(process.env.DEFAULT_SCOPES || "").split(","),
+      ...(process.env.EXTRA_SCOPES || "").split(",")
+    ])).map(s => s.trim()).filter(s => s);
+
+    if (envScopes.length > 0) {
+      manifest.oauthScopes = envScopes;
+      if (!manifest.timeZone) {
+        manifest.timeZone = process.env.GF_TIMEZONE || "America/New_York";
+      }
+      if (!_loggedSummary) {
+        syncLog(`...appsscript.json missing or missing scopes. Emulating manifest using scopes from .env file`);
+      }
+    }
+  }
+
   const settings = {
     manifest: manifestFile,
     clasp: claspFile,