copyhub-cli 1.0.4 → 1.0.6

package/README.md

@@ -214,6 +214,17 @@ Everything lives under **`~/.copyhub/`** (or `%USERPROFILE%\.copyhub` on Windows
 - **macOS**: you may need to grant **Accessibility** permissions for global shortcuts.
 - Some **`Control+Alt+…`** combinations do not register reliably on Windows; prefer alternatives suggested on the setup page.
 
+## Troubleshooting: `invalid_client` after Google sign-in
+
+That response comes from Google’s token endpoint when the **Client ID + Client Secret pair** does not match your OAuth client.
+
+1. **Use a “Web application” OAuth client** (not iOS/Android/Desktop-only flows meant for different redirect rules). Add **Authorized redirect URI**: `http://127.0.0.1:19999/oauth2callback` (change the port if you use `COPYHUB_OAUTH_REDIRECT_PORT` or saved `redirectPort`).
+2. **Where credentials come from**: If **`~/.copyhub/config.json` contains both Client ID and Secret** (wizard or `copyhub config`), CopyHub uses **that pair** for OAuth — env vars are **ignored** for those two fields until you remove them from config. If config does **not** have both, CopyHub uses **`COPYHUB_GOOGLE_CLIENT_ID` / `COPYHUB_GOOGLE_CLIENT_SECRET`** from the environment / `.env`. CopyHub never mixes env Client ID with file Secret (that mismatch triggers `invalid_client`).
+3. **Paste cleanly**: Re-open the localhost credential wizard or edit `config.json` so ID and secret have **no extra spaces or line breaks**.
+4. Run **`copyhub status`** and confirm **Client ID/Secret source** matches what you expect.
+
+If Google says **“The provided client secret is invalid”**, the secret does not match that Client ID (typo, truncated paste, or an old secret after you clicked **Reset secret** in Console). Download the client JSON again from Google Cloud, paste `client_id` and `client_secret` into the CopyHub wizard, and on **Mac/Safari** clear both fields before pasting so **iCloud Keychain** does not inject a saved password into the secret field.
+
 ## License
 
 MIT — see `package.json`.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "copyhub-cli",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "CopyHub — clipboard, local history, Google Sheets sync (OAuth). Windows, macOS, Linux.",
   "type": "module",
   "bin": {

package/src/cli.js

@@ -9,7 +9,7 @@ import {
   saveConfig,
   loadSheetSyncTarget,
   DEFAULT_OAUTH_REDIRECT_PORT,
-  describeOAuthCredentialSource,
+  describeEffectiveOAuthCredentialSource,
   ENV_GOOGLE_CLIENT_ID,
   ENV_GOOGLE_CLIENT_SECRET,
   ENV_OAUTH_REDIRECT_PORT,
@@ -190,22 +190,14 @@ program
     const cfg = await loadConfig();
     const sheet = await loadSheetSyncTarget();
     const tok = await loadTokens();
-    const src = describeOAuthCredentialSource();
-
     if (!cfg) {
       console.log('OAuth config: missing');
       console.log(
         `  Set ${ENV_GOOGLE_CLIENT_ID} and ${ENV_GOOGLE_CLIENT_SECRET} in .env (see .env.example), run copyhub config, or copyhub login (browser wizard)`,
       );
     } else {
-      const srcLabel =
-        src === 'env'
-          ? 'environment / .env'
-          : src === 'mixed'
-            ? 'mixed .env + config file'
-            : CONFIG_PATH;
       console.log('OAuth config: ok');
-      console.log(`  Client ID/Secret source: ${srcLabel}`);
+      console.log(`  Client ID/Secret source: ${describeEffectiveOAuthCredentialSource()}`);
       console.log(`  Callback: http://127.0.0.1:${cfg.redirectPort}/oauth2callback`);
     }
 

package/src/config.js

@@ -22,6 +22,34 @@ function parseRedirectPortFromEnv() {
   return n;
 }
 
+/**
+ * Strip invisible / stray characters from pasted OAuth credentials (fixes many Mac copy-paste issues).
+ * @param {unknown} raw
+ * @returns {string}
+ */
+export function sanitizeOAuthCredentialInput(raw) {
+  if (raw == null) return '';
+  let s = String(raw);
+  s = s.replace(/^\uFEFF/, '');
+  s = s.replace(/[\u200b-\u200d\u2060]/g, '');
+  s = s.replace(/\r/g, '');
+  s = s.replace(/[\u00a0\u202f\u2007]/g, ' ');
+  s = s.trim();
+  if (
+    (s.startsWith('"') && s.endsWith('"')) ||
+    (s.startsWith("'") && s.endsWith("'"))
+  ) {
+    s = s.slice(1, -1).trim();
+  }
+  if (
+    (s.startsWith('\u201c') && s.endsWith('\u201d')) ||
+    (s.startsWith('\u2018') && s.endsWith('\u2019'))
+  ) {
+    s = s.slice(1, -1).trim();
+  }
+  return s;
+}
+
 /**
  * Port for the OAuth HTTP listener (env wins, then saved config, then default).
  * Does not require Client ID / Secret (used before credential bootstrap).
@@ -44,21 +72,44 @@ export function resolveOAuthListenPort() {
 
 /** Both Client ID and Secret come from environment (or .env). */
 export function hasOAuthCredentialsInEnv() {
-  const id = process.env[ENV_GOOGLE_CLIENT_ID]?.trim();
-  const sec = process.env[ENV_GOOGLE_CLIENT_SECRET]?.trim();
+  const id = sanitizeOAuthCredentialInput(process.env[ENV_GOOGLE_CLIENT_ID]);
+  const sec = sanitizeOAuthCredentialInput(process.env[ENV_GOOGLE_CLIENT_SECRET]);
   return Boolean(id && sec);
 }
 
-/** @returns {'env' | 'file' | 'mixed'} */
-export function describeOAuthCredentialSource() {
-  const idEnv = Boolean(process.env[ENV_GOOGLE_CLIENT_ID]?.trim());
-  const secEnv = Boolean(process.env[ENV_GOOGLE_CLIENT_SECRET]?.trim());
-  if (idEnv && secEnv) return 'env';
-  if (idEnv || secEnv) return 'mixed';
-  return 'file';
+/**
+ * Matches {@link loadConfig}: saved config.json pair wins over env when both are complete.
+ * @returns {string}
+ */
+export function describeEffectiveOAuthCredentialSource() {
+  let filePair = false;
+  if (existsSync(CONFIG_PATH)) {
+    try {
+      const j = JSON.parse(readFileSync(CONFIG_PATH, 'utf8'));
+      const id =
+        typeof j.clientId === 'string' ? sanitizeOAuthCredentialInput(j.clientId) : '';
+      const sec =
+        typeof j.clientSecret === 'string' ? sanitizeOAuthCredentialInput(j.clientSecret) : '';
+      filePair = Boolean(id && sec);
+    } catch {
+      /* ignore */
+    }
+  }
+  const envPair = hasOAuthCredentialsInEnv();
+
+  if (filePair) {
+    return envPair
+      ? `${CONFIG_PATH} (env COPYHUB_GOOGLE_* ignored for Client ID/Secret)`
+      : CONFIG_PATH;
+  }
+  if (envPair) return 'environment / .env (COPYHUB_GOOGLE_CLIENT_ID + SECRET)';
+  return '(none)';
 }
 
-/** @returns {Promise<CopyHubConfig | null>} */
+/**
+ * OAuth credentials: use env pair OR file pair only — never mix ID from one source with secret from another (Google returns invalid_client).
+ * @returns {Promise<CopyHubConfig | null>}
+ */
 export async function loadConfig() {
   /** @type {{ clientId?: string, clientSecret?: string, redirectPort?: number }} */
   const fromFile = {};
@@ -66,29 +117,46 @@ export async function loadConfig() {
   if (existsSync(CONFIG_PATH)) {
     const raw = await readFile(CONFIG_PATH, 'utf8');
     const j = JSON.parse(raw);
-    if (typeof j.clientId === 'string' && j.clientId) fromFile.clientId = j.clientId;
-    if (typeof j.clientSecret === 'string' && j.clientSecret) {
-      fromFile.clientSecret = j.clientSecret;
+    if (typeof j.clientId === 'string') {
+      const id = sanitizeOAuthCredentialInput(j.clientId);
+      if (id) fromFile.clientId = id;
+    }
+    if (typeof j.clientSecret === 'string') {
+      const sec = sanitizeOAuthCredentialInput(j.clientSecret);
+      if (sec) fromFile.clientSecret = sec;
     }
     if (typeof j.redirectPort === 'number' && Number.isFinite(j.redirectPort)) {
       fromFile.redirectPort = j.redirectPort;
     }
   }
 
-  const envId = process.env[ENV_GOOGLE_CLIENT_ID]?.trim();
-  const envSecret = process.env[ENV_GOOGLE_CLIENT_SECRET]?.trim();
+  const envId = sanitizeOAuthCredentialInput(process.env[ENV_GOOGLE_CLIENT_ID]);
+  const envSecret = sanitizeOAuthCredentialInput(process.env[ENV_GOOGLE_CLIENT_SECRET]);
   const envPort = parseRedirectPortFromEnv();
 
-  const clientId = envId || fromFile.clientId;
-  const clientSecret = envSecret || fromFile.clientSecret;
-
   const filePort =
     typeof fromFile.redirectPort === 'number'
       ? fromFile.redirectPort
       : DEFAULT_OAUTH_REDIRECT_PORT;
   const redirectPort = envPort ?? filePort;
 
-  if (!clientId || !clientSecret) return null;
+  let clientId;
+  let clientSecret;
+
+  /**
+   * Prefer ~/.copyhub/config.json when it holds a full OAuth pair (wizard / copyhub config).
+   * Otherwise many machines still have COPYHUB_GOOGLE_* in shell or ~/.copyhub/.env from a template —
+   * those used to override fresh wizard credentials and caused invalid_client on the callback.
+   */
+  if (fromFile.clientId && fromFile.clientSecret) {
+    clientId = fromFile.clientId;
+    clientSecret = fromFile.clientSecret;
+  } else if (envId && envSecret) {
+    clientId = envId;
+    clientSecret = envSecret;
+  } else {
+    return null;
+  }
 
   return { clientId, clientSecret, redirectPort };
 }
@@ -170,6 +238,15 @@ export async function mergeConfigPartial(partial) {
   const out = { ...existing, ...partial };
   delete out.sheetTab;
   delete out.sheetDailyPrefix;
+  if (typeof out.clientId === 'string') {
+    out.clientId = sanitizeOAuthCredentialInput(out.clientId);
+  }
+  if (typeof out.clientSecret === 'string') {
+    out.clientSecret = sanitizeOAuthCredentialInput(out.clientSecret);
+  }
+  if (typeof out.googleSheetId === 'string') {
+    out.googleSheetId = sanitizeOAuthCredentialInput(out.googleSheetId);
+  }
   await writeFile(CONFIG_PATH, JSON.stringify(out, null, 2), 'utf8');
 }
 
@@ -189,11 +266,16 @@ export async function saveConfig(cfg) {
   }
   const out = {
     ...existing,
-    clientId: cfg.clientId,
-    clientSecret: cfg.clientSecret,
+    clientId: sanitizeOAuthCredentialInput(cfg.clientId),
+    clientSecret: sanitizeOAuthCredentialInput(cfg.clientSecret),
     redirectPort: cfg.redirectPort ?? DEFAULT_OAUTH_REDIRECT_PORT,
   };
-  if (cfg.googleSheetId !== undefined) out.googleSheetId = cfg.googleSheetId;
+  if (cfg.googleSheetId !== undefined) {
+    out.googleSheetId =
+      typeof cfg.googleSheetId === 'string'
+        ? sanitizeOAuthCredentialInput(cfg.googleSheetId)
+        : cfg.googleSheetId;
+  }
   delete out.sheetTab;
   delete out.sheetDailyPrefix;
   await writeFile(CONFIG_PATH, JSON.stringify(out, null, 2), 'utf8');

package/src/oauth.js

@@ -14,6 +14,7 @@ import {
   loadSheetSyncTarget,
   loadOverlayAcceleratorFromConfigSync,
   loadOverlayPlatformFromConfigSync,
+  sanitizeOAuthCredentialInput,
 } from './config.js';
 import { saveTokens, loadTokens } from './tokens.js';
 import { TOKENS_PATH } from './paths.js';
@@ -77,6 +78,57 @@ function escapeHtml(s) {
     .replace(/'/g, ''');
 }
 
+/**
+ * User-visible explanation when exchanging auth code for tokens fails (e.g. invalid_client).
+ * @param {unknown} err
+ */
+function formatOAuthTokenExchangeMessage(err) {
+  const g = /** @type {{ response?: { data?: { error?: string; error_description?: string } } } } */ (
+    err
+  );
+  const code = g.response?.data?.error;
+  const desc = (g.response?.data?.error_description || '').trim();
+  const fallback = /** @type {Error} */ (err)?.message || String(err);
+
+  if (code === 'invalid_client') {
+    const secretInvalid = /client secret is invalid|invalid_client_secret/i.test(desc);
+    const secretHint = secretInvalid
+      ? 'Google says the Client Secret is wrong for this Client ID. Open Cloud Console → APIs & Services → Credentials → your Web client → reset secret or download JSON again; paste client_id and client_secret from that JSON into the CopyHub wizard (Safari/Chrome may autofill an old secret — clear fields first). '
+      : '';
+    return (
+      'OAuth invalid_client: Google rejected the Client ID / Client Secret pair. ' +
+      secretHint +
+      'Use OAuth client type "Web application" and add redirect URI http://127.0.0.1:<port>/oauth2callback (port matches CopyHub). Prefer pasting values from the client\'s Download JSON file to avoid typos. ' +
+      'If COPYHUB_GOOGLE_CLIENT_ID / COPYHUB_GOOGLE_CLIENT_SECRET exist in shell or ~/.copyhub/.env, they must match this client or remove both so ~/.copyhub/config.json is used. ' +
+      (desc ? `Google says: ${desc}` : `(${fallback})`)
+    );
+  }
+
+  if (code === 'invalid_grant') {
+    return (
+      'OAuth invalid_grant: the authorization code expired or was already used. Close extra browser tabs and run copyhub login again.' +
+      (desc ? ` ${desc}` : '')
+    );
+  }
+
+  return desc ? `${code || 'OAuth'}: ${desc}` : fallback;
+}
+
+/** @param {string} bodyText */
+function oauthTokenExchangeErrorPage(bodyText) {
+  const esc = escapeHtml(bodyText);
+  return `<!DOCTYPE html>
+<html lang="en"><head><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><title>CopyHub OAuth error</title>
+<style>
+body{font-family:system-ui,sans-serif;margin:0;min-height:100vh;display:flex;align-items:center;justify-content:center;background:#f0f4fa;padding:24px;}
+.box{background:#fff;padding:28px 32px;border-radius:14px;max-width:520px;box-shadow:0 4px 24px rgba(20,24,36,.08);line-height:1.55;color:#141824;}
+h1{font-size:1.15rem;margin:0 0 12px;}
+pre{white-space:pre-wrap;word-break:break-word;background:#f8fafc;padding:12px 14px;border-radius:8px;font-size:13px;color:#334155;border:1px solid #e2e8f0;}
+code{background:#eff6ff;padding:2px 8px;border-radius:6px;font-size:13px;}
+</style></head><body><div class="box"><h1>Could not finish sign-in</h1><pre>${esc}</pre>
+<p style="margin-top:16px;color:#64748b;font-size:14px;">Fix the issue, then run <code>copyhub login</code> again.</p></div></body></html>`;
+}
+
 /**
  * @param {string} bootstrapToken
  * @param {number} listenPort
@@ -181,7 +233,8 @@ function credentialSetupPageHtml(bootstrapToken, listenPort) {
   <div class="wrap">
     <div class="brand">CopyHub</div>
     <h1>Google Cloud OAuth</h1>
-    <p class="sub">Paste your OAuth 2.0 Client ID and Client Secret (same as <code>${ENV_GOOGLE_CLIENT_ID}</code> / <code>${ENV_GOOGLE_CLIENT_SECRET}</code> in <code>.env</code>). Stored in <code>~/.copyhub/config.json</code>.</p>
+    <p class="sub">Paste your OAuth 2.0 Client ID and Client Secret (same as <code>${ENV_GOOGLE_CLIENT_ID}</code> / <code>${ENV_GOOGLE_CLIENT_SECRET}</code> in <code>.env</code>). Stored in <code>~/.copyhub/config.json</code>. After saving here, CopyHub uses this pair for sign-in — not leftover variables from shell or <code>.env</code>.</p>
+    <p class="hint" style="margin-bottom:20px;"><strong>Mac / Safari:</strong> copy from Google Cloud → Credentials → your <strong>Web client</strong> → <strong>Download JSON</strong> and paste <code>client_id</code> / <code>client_secret</code> exactly. Clear both fields if the browser autofills an old secret.</p>
 
     <div class="card">
       <p class="hint" style="margin-top:0;"><strong>Authorized redirect URI</strong> in Google Cloud Console must include:</p>
@@ -189,13 +242,13 @@ function credentialSetupPageHtml(bootstrapToken, listenPort) {
       <p class="hint">Port comes from <code>${ENV_OAUTH_REDIRECT_PORT}</code> (currently <strong>${listenPort}</strong>) or your saved config.</p>
     </div>
 
-    <form method="POST" action="/credentials">
+    <form method="POST" action="/credentials" autocomplete="off">
       <input type="hidden" name="t" value="${tVal}" />
       <div class="card">
         <label class="field-label" for="cid">Client ID</label>
-        <input id="cid" type="text" name="clientId" autocomplete="off" spellcheck="false" required />
+        <input id="cid" type="text" name="clientId" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" required />
         <label class="field-label" for="csec" style="margin-top:16px;">Client secret</label>
-        <input id="csec" type="password" name="clientSecret" autocomplete="new-password" spellcheck="false" required />
+        <input id="csec" type="text" name="clientSecret" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" required placeholder="Usually starts with GOCSPX-" />
       </div>
       <button type="submit" class="submit">Save and continue to Google sign-in</button>
     </form>
@@ -270,8 +323,8 @@ async function runCredentialBootstrap() {
             res.end('Forbidden');
             return;
           }
-          const clientId = (params.get('clientId') || '').trim();
-          const clientSecret = (params.get('clientSecret') || '').trim();
+          const clientId = sanitizeOAuthCredentialInput(params.get('clientId'));
+          const clientSecret = sanitizeOAuthCredentialInput(params.get('clientSecret'));
           if (!clientId || !clientSecret) {
             res.writeHead(400, { 'Content-Type': 'text/html; charset=utf-8' });
             res.end('<p>Client ID and Client secret are required.</p>');
@@ -741,7 +794,18 @@ export async function runLoginFlow() {
             server.close(() => reject(new Error('Missing authorization code')));
             return;
           }
-          const { tokens } = await oauth2Client.getToken(code);
+          let tokens;
+          try {
+            const exchanged = await oauth2Client.getToken(code);
+            tokens = exchanged.tokens;
+          } catch (tokenErr) {
+            const msg = formatOAuthTokenExchangeMessage(tokenErr);
+            console.error('[CopyHub OAuth]', msg);
+            res.writeHead(400, { 'Content-Type': 'text/html; charset=utf-8' });
+            res.end(oauthTokenExchangeErrorPage(msg));
+            server.close(() => reject(new Error(msg)));
+            return;
+          }
           oauth2Client.setCredentials(tokens);
           await saveTokens(tokens);
           setupToken = randomBytes(24).toString('hex');