workspace-mcp 1.0.1__py3-none-any.whl → 1.0.3__py3-none-any.whl

auth/google_auth.py

@@ -27,7 +27,7 @@ DEFAULT_CREDENTIALS_DIR = ".credentials"
 # This should be more robust in a production system once OAuth2.1 is implemented in client.
 _SESSION_CREDENTIALS_CACHE: Dict[str, Credentials] = {}
 # Centralized Client Secrets Path Logic
-_client_secrets_env = os.getenv("GOOGLE_CLIENT_SECRETS")
+_client_secrets_env = os.getenv("GOOGLE_CLIENT_SECRET_PATH") or os.getenv("GOOGLE_CLIENT_SECRETS")
 if _client_secrets_env:
     CONFIG_CLIENT_SECRETS_PATH = _client_secrets_env
 else:
@@ -151,22 +151,128 @@ def load_credentials_from_session(session_id: str) -> Optional[Credentials]:
         logger.debug(f"No credentials found in session cache for session_id: {session_id}")
     return credentials
 
+def load_client_secrets_from_env() -> Optional[Dict[str, Any]]:
+    """
+    Loads the client secrets from environment variables.
+
+    Environment variables used:
+        - GOOGLE_OAUTH_CLIENT_ID: OAuth 2.0 client ID
+        - GOOGLE_OAUTH_CLIENT_SECRET: OAuth 2.0 client secret
+        - GOOGLE_OAUTH_REDIRECT_URI: (optional) OAuth redirect URI
+
+    Returns:
+        Client secrets configuration dict compatible with Google OAuth library,
+        or None if required environment variables are not set.
+    """
+    client_id = os.getenv("GOOGLE_OAUTH_CLIENT_ID")
+    client_secret = os.getenv("GOOGLE_OAUTH_CLIENT_SECRET")
+    redirect_uri = os.getenv("GOOGLE_OAUTH_REDIRECT_URI")
+
+    if client_id and client_secret:
+        # Create config structure that matches Google client secrets format
+        web_config = {
+            "client_id": client_id,
+            "client_secret": client_secret,
+            "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+            "token_uri": "https://oauth2.googleapis.com/token",
+            "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs"
+        }
+
+        # Add redirect_uri if provided via environment variable
+        if redirect_uri:
+            web_config["redirect_uris"] = [redirect_uri]
+
+        # Return the full config structure expected by Google OAuth library
+        config = {"web": web_config}
+
+        logger.info("Loaded OAuth client credentials from environment variables")
+        return config
+
+    logger.debug("OAuth client credentials not found in environment variables")
+    return None
+
 def load_client_secrets(client_secrets_path: str) -> Dict[str, Any]:
-    """Loads the client secrets file."""
+    """
+    Loads the client secrets from environment variables (preferred) or from the client secrets file.
+
+    Priority order:
+    1. Environment variables (GOOGLE_OAUTH_CLIENT_ID, GOOGLE_OAUTH_CLIENT_SECRET)
+    2. File-based credentials at the specified path
+
+    Args:
+        client_secrets_path: Path to the client secrets JSON file (used as fallback)
+
+    Returns:
+        Client secrets configuration dict
+
+    Raises:
+        ValueError: If client secrets file has invalid format
+        IOError: If file cannot be read and no environment variables are set
+    """
+    # First, try to load from environment variables
+    env_config = load_client_secrets_from_env()
+    if env_config:
+        # Extract the "web" config from the environment structure
+        return env_config["web"]
+
+    # Fall back to loading from file
     try:
         with open(client_secrets_path, 'r') as f:
             client_config = json.load(f)
             # The file usually contains a top-level key like "web" or "installed"
             if "web" in client_config:
+                logger.info(f"Loaded OAuth client credentials from file: {client_secrets_path}")
                 return client_config["web"]
             elif "installed" in client_config:
-                 return client_config["installed"]
+                logger.info(f"Loaded OAuth client credentials from file: {client_secrets_path}")
+                return client_config["installed"]
             else:
                  logger.error(f"Client secrets file {client_secrets_path} has unexpected format.")
                  raise ValueError("Invalid client secrets file format")
     except (IOError, json.JSONDecodeError) as e:
         logger.error(f"Error loading client secrets file {client_secrets_path}: {e}")
         raise
+def check_client_secrets() -> Optional[str]:
+    """
+    Checks for the presence of OAuth client secrets, either as environment
+    variables or as a file.
+
+    Returns:
+        An error message string if secrets are not found, otherwise None.
+    """
+    env_config = load_client_secrets_from_env()
+    if not env_config and not os.path.exists(CONFIG_CLIENT_SECRETS_PATH):
+        logger.error(f"OAuth client credentials not found. No environment variables set and no file at {CONFIG_CLIENT_SECRETS_PATH}")
+        return f"OAuth client credentials not found. Please set GOOGLE_OAUTH_CLIENT_ID and GOOGLE_OAUTH_CLIENT_SECRET environment variables or provide a client secrets file at {CONFIG_CLIENT_SECRETS_PATH}."
+    return None
+
+def create_oauth_flow(scopes: List[str], redirect_uri: str, state: Optional[str] = None) -> Flow:
+    """Creates an OAuth flow using environment variables or client secrets file."""
+    # Try environment variables first
+    env_config = load_client_secrets_from_env()
+    if env_config:
+        # Use client config directly
+        flow = Flow.from_client_config(
+            env_config,
+            scopes=scopes,
+            redirect_uri=redirect_uri,
+            state=state
+        )
+        logger.debug("Created OAuth flow from environment variables")
+        return flow
+
+    # Fall back to file-based config
+    if not os.path.exists(CONFIG_CLIENT_SECRETS_PATH):
+        raise FileNotFoundError(f"OAuth client secrets file not found at {CONFIG_CLIENT_SECRETS_PATH} and no environment variables set")
+
+    flow = Flow.from_client_secrets_file(
+        CONFIG_CLIENT_SECRETS_PATH,
+        scopes=scopes,
+        redirect_uri=redirect_uri,
+        state=state
+    )
+    logger.debug(f"Created OAuth flow from client secrets file: {CONFIG_CLIENT_SECRETS_PATH}")
+    return flow
 
 # --- Core OAuth Logic ---
 
@@ -206,8 +312,7 @@ async def start_auth_flow(
             OAUTH_STATE_TO_SESSION_ID_MAP[oauth_state] = mcp_session_id
             logger.info(f"[start_auth_flow] Stored mcp_session_id '{mcp_session_id}' for oauth_state '{oauth_state}'.")
 
-        flow = Flow.from_client_secrets_file(
-            CONFIG_CLIENT_SECRETS_PATH, # Use module constant
+        flow = create_oauth_flow(
             scopes=SCOPES, # Use global SCOPES
             redirect_uri=redirect_uri, # Use passed redirect_uri
             state=oauth_state
@@ -240,7 +345,7 @@ async def start_auth_flow(
         return "\n".join(message_lines)
 
     except FileNotFoundError as e:
-        error_text = f"OAuth client secrets file not found: {e}. Please ensure '{CONFIG_CLIENT_SECRETS_PATH}' is correctly configured."
+        error_text = f"OAuth client credentials not found: {e}. Please either:\n1. Set environment variables: GOOGLE_OAUTH_CLIENT_ID and GOOGLE_OAUTH_CLIENT_SECRET\n2. Ensure '{CONFIG_CLIENT_SECRETS_PATH}' file exists"
         logger.error(error_text, exc_info=True)
         raise Exception(error_text)
     except Exception as e:
@@ -249,12 +354,12 @@ async def start_auth_flow(
         raise Exception(error_text)
 
 def handle_auth_callback(
-    client_secrets_path: str,
     scopes: List[str],
     authorization_response: str,
-    redirect_uri: str, # Made redirect_uri a required parameter
+    redirect_uri: str,
     credentials_base_dir: str = DEFAULT_CREDENTIALS_DIR,
-    session_id: Optional[str] = None
+    session_id: Optional[str] = None,
+    client_secrets_path: Optional[str] = None  # Deprecated: kept for backward compatibility
 ) -> Tuple[str, Credentials]:
     """
     Handles the callback from Google, exchanges the code for credentials,
@@ -262,12 +367,12 @@ def handle_auth_callback(
     and returns them.
 
     Args:
-        client_secrets_path: Path to the Google client secrets JSON file.
         scopes: List of OAuth scopes requested.
         authorization_response: The full callback URL from Google.
         redirect_uri: The redirect URI.
         credentials_base_dir: Base directory for credential files.
         session_id: Optional MCP session ID to associate with the credentials.
+        client_secrets_path: (Deprecated) Path to client secrets file. Ignored if environment variables are set.
 
     Returns:
         A tuple containing the user_google_email and the obtained Credentials object.
@@ -278,13 +383,16 @@ def handle_auth_callback(
         HttpError: If fetching user info fails.
     """
     try:
+        # Log deprecation warning if old parameter is used
+        if client_secrets_path:
+            logger.warning("The 'client_secrets_path' parameter is deprecated. Use GOOGLE_OAUTH_CLIENT_ID and GOOGLE_OAUTH_CLIENT_SECRET environment variables instead.")
+
         # Allow HTTP for localhost in development
         if 'OAUTHLIB_INSECURE_TRANSPORT' not in os.environ:
             logger.warning("OAUTHLIB_INSECURE_TRANSPORT not set. Setting it for localhost development.")
             os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'
 
-        flow = Flow.from_client_secrets_file(
-            client_secrets_path,
+        flow = create_oauth_flow(
             scopes=scopes,
             redirect_uri=redirect_uri
         )

auth/oauth_callback_server.py

@@ -15,7 +15,7 @@ import socket
 from fastapi import FastAPI, Request
 import uvicorn
 
-from auth.google_auth import handle_auth_callback, CONFIG_CLIENT_SECRETS_PATH
+from auth.google_auth import handle_auth_callback, check_client_secrets
 from auth.scopes import OAUTH_STATE_TO_SESSION_ID_MAP, SCOPES
 from auth.oauth_responses import create_error_response, create_success_response, create_server_error_response
 
@@ -59,6 +59,11 @@ class MinimalOAuthServer:
                 return create_error_response(error_message)
 
             try:
+                # Check if we have credentials available (environment variables or file)
+                error_message = check_client_secrets()
+                if error_message:
+                    return create_server_error_response(error_message)
+
                 logger.info(f"OAuth callback: Received code (state: {state}). Attempting to exchange for tokens.")
 
                 mcp_session_id: Optional[str] = OAUTH_STATE_TO_SESSION_ID_MAP.pop(state, None)
@@ -69,7 +74,6 @@ class MinimalOAuthServer:
 
                 # Exchange code for credentials
                 verified_user_id, credentials = handle_auth_callback(
-                    client_secrets_path=CONFIG_CLIENT_SECRETS_PATH,
                     scopes=SCOPES,
                     authorization_response=str(request.url),
                     redirect_uri=f"{self.base_uri}:{self.port}/oauth2callback",
@@ -106,7 +110,7 @@ class MinimalOAuthServer:
             hostname = parsed_uri.hostname or 'localhost'
         except Exception:
             hostname = 'localhost'
-            
+
         try:
             with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                 s.bind((hostname, self.port))

auth/service_decorator.py

@@ -193,29 +193,37 @@ def require_google_service(
             # Original authentication logic is handled automatically
     """
     def decorator(func: Callable) -> Callable:
+        # Inspect the original function signature
+        original_sig = inspect.signature(func)
+        params = list(original_sig.parameters.values())
+
+        # The decorated function must have 'service' as its first parameter.
+        if not params or params[0].name != 'service':
+            raise TypeError(
+                f"Function '{func.__name__}' decorated with @require_google_service "
+                "must have 'service' as its first parameter."
+            )
+
+        # Create a new signature for the wrapper that excludes the 'service' parameter.
+        # This is the signature that FastMCP will see.
+        wrapper_sig = original_sig.replace(parameters=params[1:])
+
         @wraps(func)
         async def wrapper(*args, **kwargs):
-            # Extract user_google_email from function parameters
-            sig = inspect.signature(func)
-            param_names = list(sig.parameters.keys())
+            # Note: `args` and `kwargs` are now the arguments for the *wrapper*,
+            # which does not include 'service'.
 
-            # Find user_google_email parameter
-            user_google_email = None
-            if 'user_google_email' in kwargs:
-                user_google_email = kwargs['user_google_email']
-            else:
-                # Look for user_google_email in positional args
-                try:
-                    user_email_index = param_names.index('user_google_email')
-                    if user_email_index < len(args):
-                        user_google_email = args[user_email_index]
-                except ValueError:
-                    pass
+            # Extract user_google_email from the arguments passed to the wrapper
+            bound_args = wrapper_sig.bind(*args, **kwargs)
+            bound_args.apply_defaults()
+            user_google_email = bound_args.arguments.get('user_google_email')
 
             if not user_google_email:
-                raise Exception("user_google_email parameter is required but not found")
+                # This should ideally not be reached if 'user_google_email' is a required parameter
+                # in the function signature, but it's a good safeguard.
+                raise Exception("'user_google_email' parameter is required but was not found.")
 
-            # Get service configuration
+            # Get service configuration from the decorator's arguments
             if service_type not in SERVICE_CONFIGS:
                 raise Exception(f"Unknown service type: {service_type}")
 
@@ -226,7 +234,7 @@ def require_google_service(
             # Resolve scopes
             resolved_scopes = _resolve_scopes(scopes)
 
-            # Check cache first if enabled
+            # --- Service Caching and Authentication Logic (largely unchanged) ---
             service = None
             actual_user_email = user_google_email
 
@@ -236,7 +244,6 @@ def require_google_service(
                 if cached_result:
                     service, actual_user_email = cached_result
 
-            # If not cached, authenticate
             if service is None:
                 try:
                     tool_name = func.__name__
@@ -247,30 +254,22 @@ def require_google_service(
                         user_google_email=user_google_email,
                         required_scopes=resolved_scopes,
                     )
-
-                    # Cache the service if caching is enabled
                     if cache_enabled:
                         cache_key = _get_cache_key(user_google_email, service_name, service_version, resolved_scopes)
                         _cache_service(cache_key, service, actual_user_email)
-
                 except GoogleAuthenticationError as e:
                     raise Exception(str(e))
 
-            # Inject service as first parameter
-            if 'service' in param_names:
-                kwargs['service'] = service
-            else:
-                # Insert service as first positional argument
-                args = (service,) + args
-
-            # Call the original function with refresh error handling
+            # --- Call the original function with the service object injected ---
             try:
-                return await func(*args, **kwargs)
+                # Prepend the fetched service object to the original arguments
+                return await func(service, *args, **kwargs)
             except RefreshError as e:
-                # Handle token refresh errors gracefully
                 error_message = _handle_token_refresh_error(e, actual_user_email, service_name)
                 raise Exception(error_message)
 
+        # Set the wrapper's signature to the one without 'service'
+        wrapper.__signature__ = wrapper_sig
         return wrapper
     return decorator
 

core/context.py

@@ -0,0 +1,22 @@
+# core/context.py
+import contextvars
+from typing import Optional
+
+# Context variable to hold injected credentials for the life of a single request.
+_injected_oauth_credentials = contextvars.ContextVar(
+    "injected_oauth_credentials", default=None
+)
+
+def get_injected_oauth_credentials():
+    """
+    Retrieve injected OAuth credentials for the current request context.
+    This is called by the authentication layer to check for request-scoped credentials.
+    """
+    return _injected_oauth_credentials.get()
+
+def set_injected_oauth_credentials(credentials: Optional[dict]):
+    """
+    Set or clear the injected OAuth credentials for the current request context.
+    This is called by the service decorator.
+    """
+    _injected_oauth_credentials.set(credentials)

core/server.py

@@ -11,7 +11,7 @@ from mcp import types
 from mcp.server.fastmcp import FastMCP
 from starlette.requests import Request
 
-from auth.google_auth import handle_auth_callback, start_auth_flow, CONFIG_CLIENT_SECRETS_PATH
+from auth.google_auth import handle_auth_callback, start_auth_flow, check_client_secrets
 from auth.oauth_callback_server import get_oauth_redirect_uri, ensure_oauth_callback_available
 from auth.oauth_responses import create_error_response, create_success_response, create_server_error_response
 
@@ -119,11 +119,10 @@ async def oauth2_callback(request: Request) -> HTMLResponse:
         return create_error_response(error_message)
 
     try:
-        client_secrets_path = CONFIG_CLIENT_SECRETS_PATH
-        if not os.path.exists(client_secrets_path):
-            logger.error(f"OAuth client secrets file not found at {client_secrets_path}")
-            # This is a server configuration error, should not happen in a deployed environment.
-            return HTMLResponse(content="Server Configuration Error: Client secrets not found.", status_code=500)
+        # Check if we have credentials available (environment variables or file)
+        error_message = check_client_secrets()
+        if error_message:
+            return create_server_error_response(error_message)
 
         logger.info(f"OAuth callback: Received code (state: {state}). Attempting to exchange for tokens.")
 
@@ -136,7 +135,6 @@ async def oauth2_callback(request: Request) -> HTMLResponse:
         # Exchange code for credentials. handle_auth_callback will save them.
         # The user_id returned here is the Google-verified email.
         verified_user_id, credentials = handle_auth_callback(
-            client_secrets_path=client_secrets_path,
             scopes=SCOPES, # Ensure all necessary scopes are requested
             authorization_response=str(request.url),
             redirect_uri=get_oauth_redirect_uri_for_current_mode(),

core/utils.py

@@ -160,3 +160,39 @@ def extract_office_xml_text(file_bytes: bytes, mime_type: str) -> Optional[str]:
     except Exception as e:
         logger.error(f"Failed to extract office XML text for {mime_type}: {e}", exc_info=True)
         return None
+
+import functools
+from googleapiclient.errors import HttpError
+
+def handle_http_errors(tool_name: str):
+    """
+    A decorator to handle Google API HttpErrors in a standardized way.
+
+    It wraps a tool function, catches HttpError, logs a detailed error message,
+    and raises a generic Exception with a user-friendly message.
+
+    Args:
+        tool_name (str): The name of the tool being decorated (e.g., 'list_calendars').
+                         This is used for logging purposes.
+    """
+    def decorator(func):
+        @functools.wraps(func)
+        async def wrapper(*args, **kwargs):
+            try:
+                return await func(*args, **kwargs)
+            except HttpError as error:
+                user_google_email = kwargs.get('user_google_email', 'N/A')
+                message = (
+                    f"API error in {tool_name}: {error}. "
+                    f"You might need to re-authenticate for user '{user_google_email}'. "
+                    f"LLM: Try 'start_google_auth' with the user's email and the appropriate service_name."
+                )
+                logger.error(message, exc_info=True)
+                raise Exception(message)
+            except Exception as e:
+                # Catch any other unexpected errors
+                message = f"An unexpected error occurred in {tool_name}: {e}"
+                logger.exception(message)
+                raise Exception(message)
+        return wrapper
+    return decorator