fix(auth): fall back to Discovery docs when -s specifies services not in static scope lists #246

Open
haunchen wants to merge 3 commits into googleworkspace:main from haunchen:fix/236-scope-fallback

@haunchen haunchen commented Mar 6, 2026

Summary

Fixes #236

When gws auth login -s chat (or any service not in the static scope lists) is used, the -s filter returns no matching scopes because MINIMAL_SCOPES, FULL_SCOPES, and READONLY_SCOPES only contain 7 common services (drive, sheets, gmail, calendar, docs, slides, tasks).

This PR adds a dynamic fallback: when the static filter produces no scopes for a requested service, gws fetches that service's Discovery document and extracts its OAuth scopes automatically. This leverages the existing fetch_discovery_document with 24h caching, consistent with the project's Dynamic Discovery philosophy.

Changes

  • find_unmatched_services() — identifies which services from -s had zero matching scopes in the static list
  • extract_scopes_from_doc() — pure function to extract scope URLs from a RestDescription, filtering out app-only scopes (chat.bot, chat.app.*, etc.) with optional readonly restriction
  • fetch_scopes_for_unmatched_services() — resolves service aliases via resolve_service(), fetches Discovery docs, and extracts scopes; failures are silently skipped (graceful degradation)
  • augment_with_dynamic_scopes() — integration wrapper applied at the three non-interactive return points in resolve_scopes (--readonly, --full, default)

Behavior

| Scenario | Before | After |
|---|---|---|
| gws auth login -s chat | Empty scopes, login fails | Chat scopes fetched from Discovery |
| gws auth login -s drive,chat | Only drive scopes | Drive from static + chat from Discovery |
| gws auth login -s chat --readonly | Empty | Only chat.*.readonly scopes |
| gws auth login (no -s) | Unchanged | Unchanged (fallback never triggers) |
| Network unavailable during fallback | N/A | Silently skipped, same as before |

Related issues

Test plan

  • cargo build — compiles clean
  • cargo clippy -- -D warnings — zero warnings
  • cargo test — all new tests pass (5 added), no regressions
  • Manual: gws auth login -s chat fetches Chat API scopes
  • Manual: gws auth login -s drive,chat includes both drive and chat scopes
  • Manual: gws auth login -s chat --readonly returns only readonly chat scopes
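
The two pure steps named in the description above (finding services with no static match, then filtering a Discovery scope map), as an added example that is not the PR's code. `DiscoveryScopes`, the service-matching rule and the app-only rule are assumptions standing in for the project's `RestDescription` and prefix mapping, and the sample scope map is constructed.

```rust
use std::collections::BTreeMap;

/// Hypothetical stand-in for a Discovery doc's `auth.oauth2.scopes` map (URL -> description).
pub struct DiscoveryScopes(pub BTreeMap<String, String>);

const SCOPE_BASE: &str = "https://www.googleapis.com/auth/";

/// Assumed app-only rule, taken from the examples in the PR text (chat.bot, chat.app.*).
fn is_app_only(short: &str) -> bool {
    short == "chat.bot" || short.starts_with("chat.app.")
}

/// Services from `-s` for which no static scope matched.
/// Assumption: a scope belongs to a service if its short name is "<svc>" or "<svc>.*".
pub fn find_unmatched_services(requested: &[&str], static_scopes: &[&str]) -> Vec<String> {
    requested.iter()
        .filter(|&&svc| {
            !static_scopes.iter().any(|&s| {
                let short = s.strip_prefix(SCOPE_BASE).unwrap_or(s);
                short == svc || short.starts_with(&format!("{}.", svc))
            })
        })
        .map(|svc| svc.to_string())
        .collect()
}

/// User-grantable scopes from a Discovery scope map, optionally readonly only.
pub fn extract_scopes(doc: &DiscoveryScopes, readonly_only: bool) -> Vec<String> {
    doc.0.keys()
        .filter(|url| {
            let short = url.strip_prefix(SCOPE_BASE).unwrap_or(url.as_str());
            !is_app_only(short) && (!readonly_only || short.ends_with(".readonly"))
        })
        .cloned()
        .collect()
}

/// Constructed sample resembling the scope map of a Chat Discovery document.
pub fn sample_chat_doc() -> DiscoveryScopes {
    let names = ["chat.bot", "chat.app.spaces", "chat.messages",
                 "chat.messages.readonly", "chat.spaces.readonly"];
    DiscoveryScopes(names.iter()
        .map(|n| (format!("{}{}", SCOPE_BASE, n), String::from("constructed")))
        .collect())
}

fn main() {
    println!("{:?}", extract_scopes(&sample_chat_doc(), true));
}
```

With `readonly_only` set to false, the filter returns every user-grantable scope in the document, so the resulting consent request is as broad as the Discovery document itself.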

…ot in static scope lists

When `gws auth login -s chat` (or any service not in the 7 static
scope lists) is used, the static filter returns no matching scopes.

Add a dynamic fallback that detects unmatched services and fetches
their OAuth scopes from the Google Discovery API. This leverages the
existing `fetch_discovery_document` with 24h caching.

Fixes googleworkspace#236

changeset-bot bot commented Mar 6, 2026

🦋 Changeset detected

Latest commit: 7c507f9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

| Name | Type |
|---|---|
| @googleworkspace/cli | Patch |

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the gws auth login command's flexibility by introducing a dynamic scope resolution system. Previously, specifying services not hardcoded in static scope lists would lead to login failures. Now, the system intelligently fetches necessary OAuth scopes directly from Google's Discovery documents for such services, leveraging existing caching for efficiency. This change resolves issues where specific services like Google Chat or Keep were not supported, without expanding the default scope footprint, and ensures a more robust and adaptable authentication process.

Highlights

  • Dynamic Scope Fallback: Implemented a dynamic fallback mechanism to fetch OAuth scopes from Google Discovery documents for services specified with -s that are not present in the static scope lists (e.g., MINIMAL_SCOPES, FULL_SCOPES, READONLY_SCOPES).
  • New Helper Functions: Introduced find_unmatched_services() to identify services without static scope matches, extract_scopes_from_doc() to parse scopes from Discovery documents, fetch_scopes_for_unmatched_services() to handle the fetching process, and augment_with_dynamic_scopes() as an integration wrapper.
  • Improved resolve_scopes: Modified the resolve_scopes function to incorporate the dynamic scope fetching at the non-interactive return points (for --readonly, --full, and default scenarios).
  • Enhanced Test Coverage: Added new unit tests to validate the functionality of find_unmatched_services and extract_scopes_from_doc, ensuring correct identification of missing services, filtering of app-only scopes, and handling of readonly restrictions.

Changelog

  • @googleworkspace/cli
    • fix(auth): dynamically fetch scopes from Discovery docs when -s specifies services not in static scope lists

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a valuable feature to dynamically fetch scopes from Discovery documents for services not in the static lists, which significantly improves the tool's flexibility. The implementation is well-structured with new helper functions. I've identified a couple of performance improvement opportunities in the new functions: one to avoid allocations in a loop, and another to parallelize network requests. Addressing these will make the new feature more robust and efficient.

…fetches

Address review feedback:
- Avoid per-service HashSet allocation in find_unmatched_services by
  collecting matched services first then computing the difference.
- Use futures_util::future::join_all to fetch Discovery docs in
  parallel instead of sequentially.

@googleworkspace-bot

/gemini review

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request implements a dynamic fallback for resolving OAuth scopes, which is a great improvement for handling services not in the static lists. The changes are well-structured, introducing new helper functions for finding unmatched services and fetching their scopes from discovery documents. The new logic is correctly integrated into the resolve_scopes function for various scenarios (--readonly, --full, and default). The addition of unit tests for the new functionality is also appreciated. I have one suggestion to address code duplication, which will improve the long-term maintainability of the code.

…pping

Share the service-name-to-scope-prefix mapping between
scope_matches_service and find_unmatched_services via a single helper.

@googleworkspace-bot

/gemini review

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This is an excellent pull request that addresses a significant limitation in scope resolution. The introduction of a dynamic fallback to Discovery documents for services not present in the static lists is a great enhancement, making the tool much more flexible and future-proof. The implementation is well-structured, with clear separation of concerns into new helper functions like find_unmatched_services, extract_scopes_from_doc, and fetch_scopes_for_unmatched_services. The asynchronous fetching of discovery documents is handled efficiently using futures::join_all. The addition of comprehensive unit tests for the new logic is also commendable. I have reviewed the changes and found no issues of high or critical severity. The code is robust, correct, and maintainable.

Development

Successfully merging this pull request may close these issues.

gws auth login -s chat does not request Chat API OAuth scope
