fix: enhance account resolution and export command handling

[iamrajiv]

Description

Fixes #137

Two bugs caused auth to be broken for users with legacy (pre-multi-account) credentials.

Bug 1: 401 on all commands despite successful auth

resolve_account() in auth.rs would bail! when it found legacy credentials.enc without an account registry (accounts.json), demanding users re-login. But get_token() already handles Ok(None) by falling back to the legacy credential path — the bail was actively preventing valid credentials from being used.

The error was then silently swallowed in main.rs:

Err(_) => (None, AuthMethod::None)

This resulted in unauthenticated requests and 401 responses.

Fix: resolve_account() now returns Ok(None) for the legacy case, allowing get_token() to use the legacy path naturally. Additionally main.rs now logs credential errors to stderr instead of silently discarding them.

Bug 2: auth export outputs masked/truncated credentials

The masking is intentional as a security default, but the --unmasked flag was undocumented and the command lacked --account support. It always read from the legacy credentials.enc path, failing for multi-account users.

Fix: handle_export now resolves accounts the same way get_token does, supports --account EMAIL, and the help text documents both --unmasked and --account.

Changes

• src/auth.rs — resolve_account() returns Ok(None) instead of bailing on legacy credentials; made pub for reuse
• src/auth_commands.rs — handle_export gains --account support, uses load_encrypted_from_path with resolved path, help text updated
• src/main.rs — credential loading errors logged to stderr instead of silently discarded

Checklist

• My code follows the AGENTS.md guidelines (no generated google-* crates).
• I have run cargo fmt --all to format the code perfectly.
• I have run cargo clippy -- -D warnings and resolved all warnings.
• I have added tests that prove my fix is effective or that my feature works.
• I have provided a Changeset file (e.g. via pnpx changeset) to document my changes.

[changeset-bot]

🦋 Changeset detected

Latest commit: e7244d4

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@googleworkspace/cli	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the authentication system by fixing two long-standing bugs. It ensures that users with older credential formats can authenticate correctly without encountering 401 errors and provides more robust and user-friendly control over credential exports, particularly for multi-account setups. The changes also improve diagnostic capabilities by making authentication failures visible to the user.

Highlights

• Authentication Bug Fix: Resolved a critical bug causing 401 errors for users with legacy (pre-multi-account) credentials by modifying resolve_account() to gracefully handle the absence of an account registry, allowing the system to fall back to legacy credential paths.
• Enhanced auth export Command: Improved the gws auth export command to support account-specific exports via the --account EMAIL flag and documented the --unmasked option, addressing issues where it previously output masked credentials and lacked multi-account support.
• Improved Error Reporting: Credential loading errors are now explicitly logged to stderr with a warning message, providing clearer feedback to users instead of silently discarding authentication failures.

Changelog

• .changeset/fix-auth-legacy-credentials.md
  • Added a new changeset entry detailing the authentication and export command fixes.
• src/auth.rs
  • Changed resolve_account function visibility to pub for broader reuse.
  • Modified resolve_account to return Ok(None) instead of bailing when legacy credentials are found without an account registry, allowing fallback to the legacy credential path.
  • Added new tests: resolve_account_no_registry_no_legacy_returns_none and resolve_account_explicit_unknown_account_errors.
• src/auth_commands.rs
  • Updated the help text for the auth export command to document --unmasked and --account EMAIL flags.
  • Modified handle_auth_command to parse --unmasked and --account flags for the export subcommand.
  • Updated handle_export to accept an optional account parameter.
  • Implemented account resolution within handle_export using crate::auth::resolve_account to determine the correct credential path.
  • Changed handle_export to use credential_store::load_encrypted_from_path with the resolved path.
  • Added new tests for mask_secret utility function.
  • Added new tests: handle_export_subcommand_parses_unmasked_flag and handle_export_subcommand_parses_account_flag.
• src/main.rs
  • Modified the error handling for auth::get_token to print a warning to stderr when credential loading fails, advising the user to run gws auth login, instead of silently proceeding unauthenticated.

Activity

• The pull request was created by iamrajiv.
• The author has completed a checklist indicating adherence to guidelines, formatting, linting, testing, and changeset creation.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[jpoehnelt]

can you rebase?

[codecov]

Codecov Report

❌ Patch coverage is 79.68750% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 55.43%. Comparing base (6ed836c) to head (5501f84).
⚠️ Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
src/auth_commands.rs	81.63%	9 Missing ⚠️
src/main.rs	0.00%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #141      +/-   ##
==========================================
+ Coverage   54.88%   55.43%   +0.54%     
==========================================
  Files          38       38              
  Lines       13085    13163      +78     
==========================================
+ Hits         7182     7297     +115     
+ Misses       5903     5866      -37     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[gemini-code-assist]

Code Review

This pull request effectively addresses the reported issues regarding legacy credential handling and enhances the auth export command. The changes in src/auth.rs correctly modify resolve_account to return Ok(None) for legacy credentials without a registry, allowing for proper fallback. The src/main.rs update to log credential loading errors to stderr significantly improves user diagnosability, preventing silent 401 errors. Furthermore, the src/auth_commands.rs modifications introduce --account support and --unmasked documentation for the export command, along with appropriate argument parsing and credential loading logic. The added test cases provide good coverage for the new and modified functionalities.

[lucasverra]

@gmail personal account since 2004 so i guess i will wait for this fix to enter stable release 😃