From c2ac2a85d12d7649ca164e10d517c24af61bf72c Mon Sep 17 00:00:00 2001 From: jpoehnelt-bot Date: Thu, 5 Mar 2026 15:26:19 -0700 Subject: [PATCH] Clean up nits from PR #175 auth fix - Update stale docstring on resolve_account to reflect fallthrough behavior - Add breadcrumb comment on string-based error matching in main.rs - Move identity scope injection before authenticator build for readability --- .changeset/auth-pr175-nits.md | 9 +++++++++ src/auth.rs | 3 +-- src/auth_commands.rs | 18 +++++++++--------- src/main.rs | 1 + 4 files changed, 20 insertions(+), 11 deletions(-) create mode 100644 .changeset/auth-pr175-nits.md diff --git a/.changeset/auth-pr175-nits.md b/.changeset/auth-pr175-nits.md new file mode 100644 index 0000000..5d32d82 --- /dev/null +++ b/.changeset/auth-pr175-nits.md @@ -0,0 +1,9 @@ +--- +"@googleworkspace/cli": patch +--- + +Clean up nits from PR #175 auth fix + +- Update stale docstring on `resolve_account` to match new fallthrough behavior +- Add breadcrumb comment on string-based error matching in `main.rs` +- Move identity scope injection before authenticator build for readability diff --git a/src/auth.rs b/src/auth.rs index 777afa2..c99aa6c 100644 --- a/src/auth.rs +++ b/src/auth.rs @@ -111,8 +111,7 @@ pub async fn get_token(scopes: &[&str], account: Option<&str>) -> anyhow::Result /// Resolve which account to use: /// 1. Explicit `account` parameter takes priority. /// 2. Fall back to `accounts.json` default. -/// 3. If no registry exists but legacy `credentials.enc` exists, fail with upgrade message. -/// 4. If nothing exists, return None (will fall through to standard error). +/// 3. If no registry exists, return None to allow legacy `credentials.enc` fallthrough. fn resolve_account(account: Option<&str>) -> anyhow::Result> { let registry = crate::accounts::load_accounts()?; diff --git a/src/auth_commands.rs b/src/auth_commands.rs index 8f53df1..09d8e5e 100644 --- a/src/auth_commands.rs +++ b/src/auth_commands.rs @@ -282,6 +282,15 @@ async fn handle_login(args: &[String]) -> Result<(), GwsError> { ..Default::default() }; + // Ensure openid + email scopes are always present so we can identify the user + // via the userinfo endpoint after login. + let identity_scopes = ["openid", "https://www.googleapis.com/auth/userinfo.email"]; + for s in &identity_scopes { + if !scopes.iter().any(|existing| existing == s) { + scopes.push(s.to_string()); + } + } + // Use a temp file for yup-oauth2's token persistence, then encrypt it let temp_path = config_dir().join("credentials.tmp"); @@ -311,15 +320,6 @@ async fn handle_login(args: &[String]) -> Result<(), GwsError> { .await .map_err(|e| GwsError::Auth(format!("Failed to build authenticator: {e}")))?; - // Ensure openid + email scopes are always present so we can identify the user - // via the userinfo endpoint after login. - let identity_scopes = ["openid", "https://www.googleapis.com/auth/userinfo.email"]; - for s in &identity_scopes { - if !scopes.iter().any(|existing| existing == s) { - scopes.push(s.to_string()); - } - } - // Request a token — this triggers the browser OAuth flow let scope_refs: Vec<&str> = scopes.iter().map(|s| s.as_str()).collect(); let token = auth diff --git a/src/main.rs b/src/main.rs index e3373d3..914b485 100644 --- a/src/main.rs +++ b/src/main.rs @@ -243,6 +243,7 @@ async fn run() -> Result<(), GwsError> { // propagate the error instead of silently falling back to unauthenticated. // Only fall back to None if no credentials exist at all. let err_msg = format!("{e:#}"); + // NB: matches the bail!() message in auth::load_credentials_inner if err_msg.starts_with("No credentials found") { (None, executor::AuthMethod::None) } else {