copyhub-cli 1.0.4 → 1.0.5

package/README.md

@@ -214,6 +214,15 @@ Everything lives under **`~/.copyhub/`** (or `%USERPROFILE%\.copyhub` on Windows
 - **macOS**: you may need to grant **Accessibility** permissions for global shortcuts.
 - Some **`Control+Alt+…`** combinations do not register reliably on Windows; prefer alternatives suggested on the setup page.
 
+## Troubleshooting: `invalid_client` after Google sign-in
+
+That response comes from Google’s token endpoint when the **Client ID + Client Secret pair** does not match your OAuth client.
+
+1. **Use a “Web application” OAuth client** (not iOS/Android/Desktop-only flows meant for different redirect rules). Add **Authorized redirect URI**: `http://127.0.0.1:19999/oauth2callback` (change the port if you use `COPYHUB_OAUTH_REDIRECT_PORT` or saved `redirectPort`).
+2. **Where credentials come from**: If **`~/.copyhub/config.json` contains both Client ID and Secret** (wizard or `copyhub config`), CopyHub uses **that pair** for OAuth — env vars are **ignored** for those two fields until you remove them from config. If config does **not** have both, CopyHub uses **`COPYHUB_GOOGLE_CLIENT_ID` / `COPYHUB_GOOGLE_CLIENT_SECRET`** from the environment / `.env`. CopyHub never mixes env Client ID with file Secret (that mismatch triggers `invalid_client`).
+3. **Paste cleanly**: Re-open the localhost credential wizard or edit `config.json` so ID and secret have **no extra spaces or line breaks**.
+4. Run **`copyhub status`** and confirm **Client ID/Secret source** matches what you expect.
+
 ## License
 
 MIT — see `package.json`.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "copyhub-cli",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "description": "CopyHub — clipboard, local history, Google Sheets sync (OAuth). Windows, macOS, Linux.",
   "type": "module",
   "bin": {

package/src/cli.js

@@ -9,7 +9,7 @@ import {
   saveConfig,
   loadSheetSyncTarget,
   DEFAULT_OAUTH_REDIRECT_PORT,
-  describeOAuthCredentialSource,
+  describeEffectiveOAuthCredentialSource,
   ENV_GOOGLE_CLIENT_ID,
   ENV_GOOGLE_CLIENT_SECRET,
   ENV_OAUTH_REDIRECT_PORT,
@@ -190,22 +190,14 @@ program
     const cfg = await loadConfig();
     const sheet = await loadSheetSyncTarget();
     const tok = await loadTokens();
-    const src = describeOAuthCredentialSource();
-
     if (!cfg) {
       console.log('OAuth config: missing');
       console.log(
         `  Set ${ENV_GOOGLE_CLIENT_ID} and ${ENV_GOOGLE_CLIENT_SECRET} in .env (see .env.example), run copyhub config, or copyhub login (browser wizard)`,
       );
     } else {
-      const srcLabel =
-        src === 'env'
-          ? 'environment / .env'
-          : src === 'mixed'
-            ? 'mixed .env + config file'
-            : CONFIG_PATH;
       console.log('OAuth config: ok');
-      console.log(`  Client ID/Secret source: ${srcLabel}`);
+      console.log(`  Client ID/Secret source: ${describeEffectiveOAuthCredentialSource()}`);
       console.log(`  Callback: http://127.0.0.1:${cfg.redirectPort}/oauth2callback`);
     }
 

package/src/config.js

@@ -49,16 +49,37 @@ export function hasOAuthCredentialsInEnv() {
   return Boolean(id && sec);
 }
 
-/** @returns {'env' | 'file' | 'mixed'} */
-export function describeOAuthCredentialSource() {
-  const idEnv = Boolean(process.env[ENV_GOOGLE_CLIENT_ID]?.trim());
-  const secEnv = Boolean(process.env[ENV_GOOGLE_CLIENT_SECRET]?.trim());
-  if (idEnv && secEnv) return 'env';
-  if (idEnv || secEnv) return 'mixed';
-  return 'file';
+/**
+ * Matches {@link loadConfig}: saved config.json pair wins over env when both are complete.
+ * @returns {string}
+ */
+export function describeEffectiveOAuthCredentialSource() {
+  let filePair = false;
+  if (existsSync(CONFIG_PATH)) {
+    try {
+      const j = JSON.parse(readFileSync(CONFIG_PATH, 'utf8'));
+      const id = typeof j.clientId === 'string' ? j.clientId.trim() : '';
+      const sec = typeof j.clientSecret === 'string' ? j.clientSecret.trim() : '';
+      filePair = Boolean(id && sec);
+    } catch {
+      /* ignore */
+    }
+  }
+  const envPair = hasOAuthCredentialsInEnv();
+
+  if (filePair) {
+    return envPair
+      ? `${CONFIG_PATH} (env COPYHUB_GOOGLE_* ignored for Client ID/Secret)`
+      : CONFIG_PATH;
+  }
+  if (envPair) return 'environment / .env (COPYHUB_GOOGLE_CLIENT_ID + SECRET)';
+  return '(none)';
 }
 
-/** @returns {Promise<CopyHubConfig | null>} */
+/**
+ * OAuth credentials: use env pair OR file pair only — never mix ID from one source with secret from another (Google returns invalid_client).
+ * @returns {Promise<CopyHubConfig | null>}
+ */
 export async function loadConfig() {
   /** @type {{ clientId?: string, clientSecret?: string, redirectPort?: number }} */
   const fromFile = {};
@@ -66,29 +87,46 @@ export async function loadConfig() {
   if (existsSync(CONFIG_PATH)) {
     const raw = await readFile(CONFIG_PATH, 'utf8');
     const j = JSON.parse(raw);
-    if (typeof j.clientId === 'string' && j.clientId) fromFile.clientId = j.clientId;
-    if (typeof j.clientSecret === 'string' && j.clientSecret) {
-      fromFile.clientSecret = j.clientSecret;
+    if (typeof j.clientId === 'string') {
+      const id = j.clientId.trim();
+      if (id) fromFile.clientId = id;
+    }
+    if (typeof j.clientSecret === 'string') {
+      const sec = j.clientSecret.trim();
+      if (sec) fromFile.clientSecret = sec;
     }
     if (typeof j.redirectPort === 'number' && Number.isFinite(j.redirectPort)) {
       fromFile.redirectPort = j.redirectPort;
     }
   }
 
-  const envId = process.env[ENV_GOOGLE_CLIENT_ID]?.trim();
-  const envSecret = process.env[ENV_GOOGLE_CLIENT_SECRET]?.trim();
+  const envId = process.env[ENV_GOOGLE_CLIENT_ID]?.trim() ?? '';
+  const envSecret = process.env[ENV_GOOGLE_CLIENT_SECRET]?.trim() ?? '';
   const envPort = parseRedirectPortFromEnv();
 
-  const clientId = envId || fromFile.clientId;
-  const clientSecret = envSecret || fromFile.clientSecret;
-
   const filePort =
     typeof fromFile.redirectPort === 'number'
       ? fromFile.redirectPort
       : DEFAULT_OAUTH_REDIRECT_PORT;
   const redirectPort = envPort ?? filePort;
 
-  if (!clientId || !clientSecret) return null;
+  let clientId;
+  let clientSecret;
+
+  /**
+   * Prefer ~/.copyhub/config.json when it holds a full OAuth pair (wizard / copyhub config).
+   * Otherwise many machines still have COPYHUB_GOOGLE_* in shell or ~/.copyhub/.env from a template —
+   * those used to override fresh wizard credentials and caused invalid_client on the callback.
+   */
+  if (fromFile.clientId && fromFile.clientSecret) {
+    clientId = fromFile.clientId;
+    clientSecret = fromFile.clientSecret;
+  } else if (envId && envSecret) {
+    clientId = envId;
+    clientSecret = envSecret;
+  } else {
+    return null;
+  }
 
   return { clientId, clientSecret, redirectPort };
 }
@@ -170,6 +208,11 @@ export async function mergeConfigPartial(partial) {
   const out = { ...existing, ...partial };
   delete out.sheetTab;
   delete out.sheetDailyPrefix;
+  for (const key of ['clientId', 'clientSecret', 'googleSheetId']) {
+    if (typeof out[key] === 'string') {
+      out[key] = /** @type {string} */ (out[key]).trim();
+    }
+  }
   await writeFile(CONFIG_PATH, JSON.stringify(out, null, 2), 'utf8');
 }
 
@@ -189,8 +232,8 @@ export async function saveConfig(cfg) {
   }
   const out = {
     ...existing,
-    clientId: cfg.clientId,
-    clientSecret: cfg.clientSecret,
+    clientId: cfg.clientId.trim(),
+    clientSecret: cfg.clientSecret.trim(),
     redirectPort: cfg.redirectPort ?? DEFAULT_OAUTH_REDIRECT_PORT,
   };
   if (cfg.googleSheetId !== undefined) out.googleSheetId = cfg.googleSheetId;

package/src/oauth.js

@@ -77,6 +77,52 @@ function escapeHtml(s) {
     .replace(/'/g, ''');
 }
 
+/**
+ * User-visible explanation when exchanging auth code for tokens fails (e.g. invalid_client).
+ * @param {unknown} err
+ */
+function formatOAuthTokenExchangeMessage(err) {
+  const g = /** @type {{ response?: { data?: { error?: string; error_description?: string } } } } */ (
+    err
+  );
+  const code = g.response?.data?.error;
+  const desc = (g.response?.data?.error_description || '').trim();
+  const fallback = /** @type {Error} */ (err)?.message || String(err);
+
+  if (code === 'invalid_client') {
+    return (
+      'OAuth invalid_client: Google rejected the Client ID / Client Secret pair. ' +
+      'In Google Cloud Console use OAuth client type "Web application" and add redirect URI http://127.0.0.1:<port>/oauth2callback (port matches CopyHub). Paste fresh credentials into the wizard — no spaces before/after. ' +
+      'If COPYHUB_GOOGLE_CLIENT_ID / COPYHUB_GOOGLE_CLIENT_SECRET are set in your shell or ~/.copyhub/.env, set BOTH to match that client or unset both so credentials from ~/.copyhub/config.json are used (CopyHub never mixes env ID with file secret). ' +
+      (desc ? `Google says: ${desc}` : `(${fallback})`)
+    );
+  }
+
+  if (code === 'invalid_grant') {
+    return (
+      'OAuth invalid_grant: the authorization code expired or was already used. Close extra browser tabs and run copyhub login again.' +
+      (desc ? ` ${desc}` : '')
+    );
+  }
+
+  return desc ? `${code || 'OAuth'}: ${desc}` : fallback;
+}
+
+/** @param {string} bodyText */
+function oauthTokenExchangeErrorPage(bodyText) {
+  const esc = escapeHtml(bodyText);
+  return `<!DOCTYPE html>
+<html lang="en"><head><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><title>CopyHub OAuth error</title>
+<style>
+body{font-family:system-ui,sans-serif;margin:0;min-height:100vh;display:flex;align-items:center;justify-content:center;background:#f0f4fa;padding:24px;}
+.box{background:#fff;padding:28px 32px;border-radius:14px;max-width:520px;box-shadow:0 4px 24px rgba(20,24,36,.08);line-height:1.55;color:#141824;}
+h1{font-size:1.15rem;margin:0 0 12px;}
+pre{white-space:pre-wrap;word-break:break-word;background:#f8fafc;padding:12px 14px;border-radius:8px;font-size:13px;color:#334155;border:1px solid #e2e8f0;}
+code{background:#eff6ff;padding:2px 8px;border-radius:6px;font-size:13px;}
+</style></head><body><div class="box"><h1>Could not finish sign-in</h1><pre>${esc}</pre>
+<p style="margin-top:16px;color:#64748b;font-size:14px;">Fix the issue, then run <code>copyhub login</code> again.</p></div></body></html>`;
+}
+
 /**
  * @param {string} bootstrapToken
  * @param {number} listenPort
@@ -181,7 +227,7 @@ function credentialSetupPageHtml(bootstrapToken, listenPort) {
   <div class="wrap">
     <div class="brand">CopyHub</div>
     <h1>Google Cloud OAuth</h1>
-    <p class="sub">Paste your OAuth 2.0 Client ID and Client Secret (same as <code>${ENV_GOOGLE_CLIENT_ID}</code> / <code>${ENV_GOOGLE_CLIENT_SECRET}</code> in <code>.env</code>). Stored in <code>~/.copyhub/config.json</code>.</p>
+    <p class="sub">Paste your OAuth 2.0 Client ID and Client Secret (same as <code>${ENV_GOOGLE_CLIENT_ID}</code> / <code>${ENV_GOOGLE_CLIENT_SECRET}</code> in <code>.env</code>). Stored in <code>~/.copyhub/config.json</code>. After saving here, CopyHub uses this pair for sign-in — not leftover variables from shell or <code>.env</code>.</p>
 
     <div class="card">
       <p class="hint" style="margin-top:0;"><strong>Authorized redirect URI</strong> in Google Cloud Console must include:</p>
@@ -741,7 +787,18 @@ export async function runLoginFlow() {
             server.close(() => reject(new Error('Missing authorization code')));
             return;
           }
-          const { tokens } = await oauth2Client.getToken(code);
+          let tokens;
+          try {
+            const exchanged = await oauth2Client.getToken(code);
+            tokens = exchanged.tokens;
+          } catch (tokenErr) {
+            const msg = formatOAuthTokenExchangeMessage(tokenErr);
+            console.error('[CopyHub OAuth]', msg);
+            res.writeHead(400, { 'Content-Type': 'text/html; charset=utf-8' });
+            res.end(oauthTokenExchangeErrorPage(msg));
+            server.close(() => reject(new Error(msg)));
+            return;
+          }
           oauth2Client.setCredentials(tokens);
           await saveTokens(tokens);
           setupToken = randomBytes(24).toString('hex');