Skip to content

fix: surface auth errors instead of sending unauthenticated requests#196

Open
tjp2021 wants to merge 1 commit intogoogleworkspace:mainfrom
tjp2021:fix/stop-silent-auth-failure
Open

fix: surface auth errors instead of sending unauthenticated requests#196
tjp2021 wants to merge 1 commit intogoogleworkspace:mainfrom
tjp2021:fix/stop-silent-auth-failure

Conversation

@tjp2021
Copy link

@tjp2021 tjp2021 commented Mar 5, 2026

Summary

  • Auth errors are silently swallowed, causing confusing 401 responses
  • Now prints the actual error message + troubleshooting steps and exits

The Bug

main.rs:239-242 catches all auth::get_token() errors and silently continues with AuthMethod::None:

// Before
Err(_) => (None, executor::AuthMethod::None),

This sends the HTTP request without an Authorization header, producing:

{"error":{"code":401,"message":"Access denied. No credentials provided."}}

Users see a generic Google API 401 with no indication that the CLI failed to load their local credentials. This is the root cause of #137, #151, and #156.

The Fix

// After
Err(e) => {
    eprintln!("Authentication failed: {e:#}");
    eprintln!();
    eprintln!("Troubleshooting:");
    eprintln!("  1. Run `gws auth login --account <your-email>` to re-authenticate");
    eprintln!("  2. Run `gws auth status` to check credential state");
    eprintln!("  3. If the problem persists, run `gws auth logout` then `gws auth login`");
    std::process::exit(1);
}

Before

$ gws drive files list
{"error":{"code":401,"message":"Access denied. No credentials provided."}}

After

$ gws drive files list
Authentication failed: Failed to decrypt credentials: ...

Troubleshooting:
  1. Run `gws auth login --account <your-email>` to re-authenticate
  2. Run `gws auth status` to check credential state
  3. If the problem persists, run `gws auth logout` then `gws auth login`

Why this matters

At least 5 open issues (#137, #151, #156, #179, #187) stem from users seeing 401 after successful login. The silent error swallowing makes this nearly impossible to debug — users assume the CLI is sending credentials when it isn't.

This doesn't fix the underlying credential decryption issues (keyring, encryption key mismatches, etc.), but it makes them visible so users can actually troubleshoot or report the real error.

Fixes #137, #151, #156

Test Plan

  • Change is type-safe (eprintln! + process::exit are infallible)
  • cargo test (maintainer — I don't have Rust toolchain installed)
  • Verify successful auth flow unaffected (Ok path is unchanged)
  • Verify failed auth now shows the error instead of 401

🤖 Generated with Claude Code

@tjp2021 @claude
fix: stop silently swallowing authentication errors
65cb263 
When `auth::get_token()` fails, the error was silently caught and the
request sent without any Authorization header, resulting in a confusing
401 "Access denied. No credentials provided" response from Google APIs.

This affected users on macOS Apple Silicon and other platforms where
credential decryption can fail due to keyring issues, encryption key
mismatches, or corrupted credential files. Because the error was
swallowed, users saw a generic 401 with no indication that the CLI
failed to load their credentials.

Now the CLI prints the actual error message and troubleshooting steps,
then exits with code 1 instead of sending an unauthenticated request.

Fixes googleworkspace#137, googleworkspace#151, googleworkspace#156

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@tjp2021 tjp2021 requested a review from jpoehnelt as a code owner March 5, 2026 18:28
@changeset-bot
Copy link

changeset-bot bot commented Mar 5, 2026

⚠️ No Changeset found

Latest commit: 65cb263

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Mar 5, 2026

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@google-cla
Copy link

google-cla bot commented Mar 5, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@tjp2021 tjp2021 mentioned this pull request Mar 5, 2026
Open
@jpoehnelt jpoehnelt added area: auth cla: no This human has *not* signed the Contributor License Agreement. complexity: low Small, straightforward change labels Mar 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jpoehnelt jpoehnelt Awaiting requested review from jpoehnelt jpoehnelt is a code owner

At least 0 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

area: auth cla: no This human has *not* signed the Contributor License Agreement. complexity: low Small, straightforward change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

credentials saved successfully but 401 on all commands + auth export outputs truncated values - macOS Apple Silicon

2 participants

@tjp2021 @jpoehnelt