repoburg 1.3.136 → 1.3.138

package/backend/packages/gemini-core/src/code_assist/oauth2.ts

@@ -1,541 +0,0 @@
-/**
- * @license
- * Copyright 2025 Google LLC
- * SPDX-License-Identifier: Apache-2.0
- */
-
-import type { Credentials } from 'google-auth-library';
-import {
-  OAuth2Client,
-  Compute,
-  CodeChallengeMethod,
-} from 'google-auth-library';
-import * as http from 'node:http';
-import url from 'node:url';
-import * as crypto from 'node:crypto';
-import * as net from 'node:net';
-import * as path from 'node:path';
-import { promises as fs } from 'node:fs';
-import type { Config } from '../config/config';
-import { getErrorMessage, FatalAuthenticationError } from '../utils/errors';
-import { UserAccountManager } from '../utils/userAccountManager';
-import { AuthType } from '../core/contentGenerator';
-import readline from 'node:readline';
-import { Storage } from '../config/storage';
-import { OAuthCredentialStorage } from './oauth-credential-storage';
-import { FORCE_ENCRYPTED_FILE_ENV_VAR } from '../mcp/token-storage/index';
-
-const userAccountManager = new UserAccountManager();
-
-//  OAuth Client ID used to initiate OAuth2Client class.
-const OAUTH_CLIENT_ID =
-  '681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com';
-
-// OAuth Secret value used to initiate OAuth2Client class.
-// Note: It's ok to save this in git because this is an installed application
-// as described here: https://developers.google.com/identity/protocols/oauth2#installed
-// "The process results in a client ID and, in some cases, a client secret,
-// which you embed in the source code of your application. (In this context,
-// the client secret is obviously not treated as a secret.)"
-const OAUTH_CLIENT_SECRET = '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';
-
-// OAuth Scopes for Cloud Code authorization.
-const OAUTH_SCOPE = [
-  'https://www.googleapis.com/auth/cloud-platform',
-  'https://www.googleapis.com/auth/userinfo.email',
-  'https://www.googleapis.com/auth/userinfo.profile',
-];
-
-const HTTP_REDIRECT = 301;
-const SIGN_IN_SUCCESS_URL =
-  'https://developers.google.com/gemini-code-assist/auth_success_gemini';
-const SIGN_IN_FAILURE_URL =
-  'https://developers.google.com/gemini-code-assist/auth_failure_gemini';
-
-/**
- * An Authentication URL for updating the credentials of a Oauth2Client
- * as well as a promise that will resolve when the credentials have
- * been refreshed (or which throws error when refreshing credentials failed).
- */
-export interface OauthWebLogin {
-  authUrl: string;
-  loginCompletePromise: Promise<void>;
-}
-
-const oauthClientPromises = new Map<AuthType, Promise<OAuth2Client>>();
-
-function getUseEncryptedStorageFlag() {
-  return process.env[FORCE_ENCRYPTED_FILE_ENV_VAR] === 'true';
-}
-
-async function initOauthClient(
-  authType: AuthType,
-  config: Config,
-): Promise<OAuth2Client> {
-  const client = new OAuth2Client({
-    clientId: OAUTH_CLIENT_ID,
-    clientSecret: OAUTH_CLIENT_SECRET,
-  });
-  const useEncryptedStorage = getUseEncryptedStorageFlag();
-
-  if (
-    process.env['GOOGLE_GENAI_USE_GCA'] &&
-    process.env['GOOGLE_CLOUD_ACCESS_TOKEN']
-  ) {
-    client.setCredentials({
-      access_token: process.env['GOOGLE_CLOUD_ACCESS_TOKEN'],
-    });
-    await fetchAndCacheUserInfo(client);
-    return client;
-  }
-
-  client.on('tokens', async (tokens: Credentials) => {
-    if (useEncryptedStorage) {
-      await OAuthCredentialStorage.saveCredentials(tokens);
-    } else {
-      await cacheCredentials(tokens);
-    }
-  });
-
-  // If there are cached creds on disk, they always take precedence
-  if (await loadCachedCredentials(client)) {
-    // Found valid cached credentials.
-    // Check if we need to retrieve Google Account ID or Email
-    if (!userAccountManager.getCachedGoogleAccount()) {
-      try {
-        await fetchAndCacheUserInfo(client);
-      } catch (error) {
-        // Non-fatal, continue with existing auth.
-        console.warn('Failed to fetch user info:', getErrorMessage(error));
-      }
-    }
-    console.log('Loaded cached credentials.');
-    return client;
-  }
-
-  // In Google Cloud Shell, we can use Application Default Credentials (ADC)
-  // provided via its metadata server to authenticate non-interactively using
-  // the identity of the user logged into Cloud Shell.
-  if (authType === AuthType.CLOUD_SHELL) {
-    try {
-      console.log("Attempting to authenticate via Cloud Shell VM's ADC.");
-      const computeClient = new Compute({
-        // We can leave this empty, since the metadata server will provide
-        // the service account email.
-      });
-      await computeClient.getAccessToken();
-      console.log('Authentication successful.');
-
-      // Do not cache creds in this case; note that Compute client will handle its own refresh
-      return computeClient;
-    } catch (e) {
-      throw new Error(
-        `Could not authenticate using Cloud Shell credentials. Please select a different authentication method or ensure you are in a properly configured environment. Error: ${getErrorMessage(
-          e,
-        )}`,
-      );
-    }
-  }
-
-  if (config.isBrowserLaunchSuppressed()) {
-    let success = false;
-    const maxRetries = 2;
-    for (let i = 0; !success && i < maxRetries; i++) {
-      success = await authWithUserCode(client);
-      if (!success) {
-        console.error(
-          '\nFailed to authenticate with user code.',
-          i === maxRetries - 1 ? '' : 'Retrying...\n',
-        );
-      }
-    }
-    if (!success) {
-      throw new FatalAuthenticationError(
-        'Failed to authenticate with user code.',
-      );
-    }
-  } else {
-    const webLogin = await authWithWeb(client);
-
-    console.log(
-      `\n\nCode Assist login required.\n` +
-        `Attempting to open authentication page in your browser.\n` +
-        `Otherwise navigate to:\n\n${webLogin.authUrl}\n\n`,
-    );
-    try {
-      const { default: open } = await import('open');
-      // Attempt to open the authentication URL in the default browser.
-      // We do not use the `wait` option here because the main script's execution
-      // is already paused by `loginCompletePromise`, which awaits the server callback.
-      const childProcess = await open(webLogin.authUrl);
-
-      // IMPORTANT: Attach an error handler to the returned child process.
-      // Without this, if `open` fails to spawn a process (e.g., `xdg-open` is not found
-      // in a minimal Docker container), it will emit an unhandled 'error' event,
-      // causing the entire Node.js process to crash.
-      childProcess.on('error', (error) => {
-        console.error(
-          'Failed to open browser automatically. Please try running again with NO_BROWSER=true set.',
-        );
-        console.error('Browser error details:', getErrorMessage(error));
-      });
-    } catch (err) {
-      console.error(
-        'An unexpected error occurred while trying to open the browser:',
-        getErrorMessage(err),
-        '\nThis might be due to browser compatibility issues or system configuration.',
-        '\nPlease try running again with NO_BROWSER=true set for manual authentication.',
-      );
-      throw new FatalAuthenticationError(
-        `Failed to open browser: ${getErrorMessage(err)}`,
-      );
-    }
-    console.log('Waiting for authentication...');
-
-    // Add timeout to prevent infinite waiting when browser tab gets stuck
-    const authTimeout = 5 * 60 * 1000; // 5 minutes timeout
-    const timeoutPromise = new Promise<never>((_, reject) => {
-      setTimeout(() => {
-        reject(
-          new FatalAuthenticationError(
-            'Authentication timed out after 5 minutes. The browser tab may have gotten stuck in a loading state. ' +
-              'Please try again or use NO_BROWSER=true for manual authentication.',
-          ),
-        );
-      }, authTimeout);
-    });
-
-    await Promise.race([webLogin.loginCompletePromise, timeoutPromise]);
-  }
-
-  return client;
-}
-
-export async function getOauthClient(
-  authType: AuthType,
-  config: Config,
-): Promise<OAuth2Client> {
-  if (!oauthClientPromises.has(authType)) {
-    oauthClientPromises.set(authType, initOauthClient(authType, config));
-  }
-  return oauthClientPromises.get(authType)!;
-}
-
-async function authWithUserCode(client: OAuth2Client): Promise<boolean> {
-  const redirectUri = 'https://codeassist.google.com/authcode';
-  const codeVerifier = await client.generateCodeVerifierAsync();
-  const state = crypto.randomBytes(32).toString('hex');
-  const authUrl: string = client.generateAuthUrl({
-    redirect_uri: redirectUri,
-    access_type: 'offline',
-    scope: OAUTH_SCOPE,
-    code_challenge_method: CodeChallengeMethod.S256,
-    code_challenge: codeVerifier.codeChallenge,
-    state,
-  });
-  console.log('Please visit the following URL to authorize the application:');
-  console.log('');
-  console.log(authUrl);
-  console.log('');
-
-  const code = await new Promise<string>((resolve) => {
-    const rl = readline.createInterface({
-      input: process.stdin,
-      output: process.stdout,
-    });
-    rl.question('Enter the authorization code: ', (code) => {
-      rl.close();
-      resolve(code.trim());
-    });
-  });
-
-  if (!code) {
-    console.error('Authorization code is required.');
-    return false;
-  }
-
-  try {
-    const { tokens } = await client.getToken({
-      code,
-      codeVerifier: codeVerifier.codeVerifier,
-      redirect_uri: redirectUri,
-    });
-    client.setCredentials(tokens);
-  } catch (error) {
-    console.error(
-      'Failed to authenticate with authorization code:',
-      getErrorMessage(error),
-    );
-    return false;
-  }
-  return true;
-}
-
-async function authWithWeb(client: OAuth2Client): Promise<OauthWebLogin> {
-  const port = await getAvailablePort();
-  // The hostname used for the HTTP server binding (e.g., '0.0.0.0' in Docker).
-  const host = process.env['OAUTH_CALLBACK_HOST'] || 'localhost';
-  // The `redirectUri` sent to Google's authorization server MUST use a loopback IP literal
-  // (i.e., 'localhost' or '127.0.0.1'). This is a strict security policy for credentials of
-  // type 'Desktop app' or 'Web application' (when using loopback flow) to mitigate
-  // authorization code interception attacks.
-  const redirectUri = `http://localhost:${port}/oauth2callback`;
-  const state = crypto.randomBytes(32).toString('hex');
-  const authUrl = client.generateAuthUrl({
-    redirect_uri: redirectUri,
-    access_type: 'offline',
-    scope: OAUTH_SCOPE,
-    state,
-  });
-
-  const loginCompletePromise = new Promise<void>((resolve, reject) => {
-    const server = http.createServer(async (req, res) => {
-      try {
-        if (req.url!.indexOf('/oauth2callback') === -1) {
-          res.writeHead(HTTP_REDIRECT, { Location: SIGN_IN_FAILURE_URL });
-          res.end();
-          reject(
-            new FatalAuthenticationError(
-              'OAuth callback not received. Unexpected request: ' + req.url,
-            ),
-          );
-        }
-        // acquire the code from the querystring, and close the web server.
-        const qs = new url.URL(req.url!, 'http://localhost:3000').searchParams;
-        if (qs.get('error')) {
-          res.writeHead(HTTP_REDIRECT, { Location: SIGN_IN_FAILURE_URL });
-          res.end();
-
-          const errorCode = qs.get('error');
-          const errorDescription =
-            qs.get('error_description') || 'No additional details provided';
-          reject(
-            new FatalAuthenticationError(
-              `Google OAuth error: ${errorCode}. ${errorDescription}`,
-            ),
-          );
-        } else if (qs.get('state') !== state) {
-          res.end('State mismatch. Possible CSRF attack');
-
-          reject(
-            new FatalAuthenticationError(
-              'OAuth state mismatch. Possible CSRF attack or browser session issue.',
-            ),
-          );
-        } else if (qs.get('code')) {
-          try {
-            const { tokens } = await client.getToken({
-              code: qs.get('code')!,
-              redirect_uri: redirectUri,
-            });
-            client.setCredentials(tokens);
-
-            // Retrieve and cache Google Account ID during authentication
-            try {
-              await fetchAndCacheUserInfo(client);
-            } catch (error) {
-              console.warn(
-                'Failed to retrieve Google Account ID during authentication:',
-                getErrorMessage(error),
-              );
-              // Don't fail the auth flow if Google Account ID retrieval fails
-            }
-
-            res.writeHead(HTTP_REDIRECT, { Location: SIGN_IN_SUCCESS_URL });
-            res.end();
-            resolve();
-          } catch (error) {
-            res.writeHead(HTTP_REDIRECT, { Location: SIGN_IN_FAILURE_URL });
-            res.end();
-            reject(
-              new FatalAuthenticationError(
-                `Failed to exchange authorization code for tokens: ${getErrorMessage(error)}`,
-              ),
-            );
-          }
-        } else {
-          reject(
-            new FatalAuthenticationError(
-              'No authorization code received from Google OAuth. Please try authenticating again.',
-            ),
-          );
-        }
-      } catch (e) {
-        // Provide more specific error message for unexpected errors during OAuth flow
-        if (e instanceof FatalAuthenticationError) {
-          reject(e);
-        } else {
-          reject(
-            new FatalAuthenticationError(
-              `Unexpected error during OAuth authentication: ${getErrorMessage(e)}`,
-            ),
-          );
-        }
-      } finally {
-        server.close();
-      }
-    });
-
-    server.listen(port, host, () => {
-      // Server started successfully
-    });
-
-    server.on('error', (err) => {
-      reject(
-        new FatalAuthenticationError(
-          `OAuth callback server error: ${getErrorMessage(err)}`,
-        ),
-      );
-    });
-  });
-
-  return {
-    authUrl,
-    loginCompletePromise,
-  };
-}
-
-export function getAvailablePort(): Promise<number> {
-  return new Promise((resolve, reject) => {
-    let port = 0;
-    try {
-      const portStr = process.env['OAUTH_CALLBACK_PORT'];
-      if (portStr) {
-        port = parseInt(portStr, 10);
-        if (isNaN(port) || port <= 0 || port > 65535) {
-          return reject(
-            new Error(`Invalid value for OAUTH_CALLBACK_PORT: "${portStr}"`),
-          );
-        }
-        return resolve(port);
-      }
-      const server = net.createServer();
-      server.listen(0, () => {
-        const address = server.address()! as net.AddressInfo;
-        port = address.port;
-      });
-      server.on('listening', () => {
-        server.close();
-        server.unref();
-      });
-      server.on('error', (e) => reject(e));
-      server.on('close', () => resolve(port));
-    } catch (e) {
-      reject(e);
-    }
-  });
-}
-
-async function loadCachedCredentials(client: OAuth2Client): Promise<boolean> {
-  const useEncryptedStorage = getUseEncryptedStorageFlag();
-  if (useEncryptedStorage) {
-    const credentials = await OAuthCredentialStorage.loadCredentials();
-    if (credentials) {
-      client.setCredentials(credentials);
-      return true;
-    }
-    return false;
-  }
-
-  const pathsToTry = [
-    Storage.getOAuthCredsPath(),
-    process.env['GOOGLE_APPLICATION_CREDENTIALS'],
-  ].filter((p): p is string => !!p);
-
-  for (const keyFile of pathsToTry) {
-    try {
-      const creds = await fs.readFile(keyFile, 'utf-8');
-      client.setCredentials(JSON.parse(creds));
-
-      // This will verify locally that the credentials look good.
-      const { token } = await client.getAccessToken();
-      if (!token) {
-        continue;
-      }
-
-      // This will check with the server to see if it hasn't been revoked.
-      await client.getTokenInfo(token);
-
-      return true;
-    } catch (error) {
-      // Log specific error for debugging, but continue trying other paths
-      console.debug(
-        `Failed to load credentials from ${keyFile}:`,
-        getErrorMessage(error),
-      );
-    }
-  }
-
-  return false;
-}
-
-async function cacheCredentials(credentials: Credentials) {
-  const filePath = Storage.getOAuthCredsPath();
-  await fs.mkdir(path.dirname(filePath), { recursive: true });
-
-  const credString = JSON.stringify(credentials, null, 2);
-  await fs.writeFile(filePath, credString, { mode: 0o600 });
-  try {
-    await fs.chmod(filePath, 0o600);
-  } catch {
-    /* empty */
-  }
-}
-
-export function clearOauthClientCache() {
-  oauthClientPromises.clear();
-}
-
-export async function clearCachedCredentialFile() {
-  try {
-    const useEncryptedStorage = getUseEncryptedStorageFlag();
-    if (useEncryptedStorage) {
-      await OAuthCredentialStorage.clearCredentials();
-    } else {
-      await fs.rm(Storage.getOAuthCredsPath(), { force: true });
-    }
-    // Clear the Google Account ID cache when credentials are cleared
-    await userAccountManager.clearCachedGoogleAccount();
-    // Clear the in-memory OAuth client cache to force re-authentication
-    clearOauthClientCache();
-  } catch (e) {
-    console.error('Failed to clear cached credentials:', e);
-  }
-}
-
-async function fetchAndCacheUserInfo(client: OAuth2Client): Promise<void> {
-  try {
-    const { token } = await client.getAccessToken();
-    if (!token) {
-      return;
-    }
-
-    const response = await fetch(
-      'https://www.googleapis.com/oauth2/v2/userinfo',
-      {
-        headers: {
-          Authorization: `Bearer ${token}`,
-        },
-      },
-    );
-
-    if (!response.ok) {
-      console.error(
-        'Failed to fetch user info:',
-        response.status,
-        response.statusText,
-      );
-      return;
-    }
-
-    const userInfo = await response.json();
-    await userAccountManager.cacheGoogleAccount(userInfo.email);
-  } catch (error) {
-    console.error('Error retrieving user info:', error);
-  }
-}
-
-// Helper to ensure test isolation
-export function resetOauthClientForTesting() {
-  oauthClientPromises.clear();
-}