fix(auth): prioritize GEMINI_API_KEY env var and skip unnecessary key…

[galz10]

Summary

This PR updates the authentication logic to prioritize the GEMINI_API_KEY environment variable over the system keychain. This prevents unnecessary keychain access prompts for users who have configured the CLI via environment variables.

Details

Previously, the application would unconditionally attempt to load credentials from the system keychain on startup, even if a valid GEMINI_API_KEY was present in the environment. This often triggered system prompts (e.g., macOS Keychain Access) or errors in environments where keychain access is restricted or unwanted.

This change refactors useAuth.ts to:

1. Check process.env['GEMINI_API_KEY'] first.
2. If the environment variable is present, use it immediately and skip the keychain read.
3. Only fall back to loadApiKey() (keychain access) if the environment variable is missing.

Additionally, ApiAuthDialog.tsx has been updated to initialize the text buffer with the environment variable value if available, improving the UI experience.

Related Issues

Related to internal ticket: manual-request-prevent-keychain-access

How to Validate

1. Setup Environment Variable:

   export GEMINI_API_KEY="your-test-api-key"

2. Run the CLI:

   npm run start

3. Expected Result:

   • The application should start without prompting for keychain access.
   • If the API Key dialog appears (e.g. forced), the key should be pre-filled.

4. Verify Fallback (Edge Case):

   • Unset the environment variable (unset GEMINI_API_KEY).
   • Run the CLI.
   • Verify that the application still correctly loads stored credentials from the keychain if they exist.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[gemini-code-assist]

Summary of Changes

Hello @galz10, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the authentication mechanism by ensuring that the GEMINI_API_KEY environment variable takes precedence over any locally stored API keys. This change streamlines the API key retrieval process, making it more efficient and user-friendly by immediately leveraging environment-defined keys for both application logic and UI presentation.

Highlights

• Environment Variable Prioritization: The GEMINI_API_KEY environment variable is now prioritized over locally stored keys when determining the API key to use for authentication.
• UI Pre-fill Enhancement: The API key input dialog will automatically pre-fill with the GEMINI_API_KEY from environment variables, if available, improving user experience by reducing manual input.
• Optimized API Key Loading: The reloadApiKey function has been optimized to immediately use the GEMINI_API_KEY environment variable if present, thereby skipping potentially unnecessary asynchronous operations to load a stored key.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request aims to prioritize the GEMINI_API_KEY environment variable and optimize authentication by skipping unnecessary key loading. While the intention is good, the implementation introduces a subtle but important bug in both modified files. The use of the logical OR operator (||) to check for the environment variable's presence causes an explicitly empty GEMINI_API_KEY to be ignored, incorrectly falling back to a stored key. My review includes comments with high severity to address this by using checks that correctly handle an empty string as a valid, intentional value, ensuring the environment variable behavior is predictable and correct.

[github-actions]

Size Change: +1.16 kB (+0.01%)

Total Size: 21.6 MB

Filename	Size	Change
./bundle/gemini.js	21.6 MB	+1.16 kB (+0.01%)

ℹ️ View Unchanged

Filename	Size
./bundle/sandbox-macos-permissive-closed.sb	1.03 kB
./bundle/sandbox-macos-permissive-open.sb	890 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB
./bundle/sandbox-macos-restrictive-closed.sb	3.29 kB
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB

_{compressed-size-action}

[jacob314]

when I login with oauth and then log in with a key I still get the dialog to enter an API key even though I already have one exported in my ENV. I should not see the API KEY entry dialog at all if GEMINI_API_KEY is set

[galz10]

when I login with oauth and then log in with a key I still get the dialog to enter an API key even though I already have one exported in my ENV. I should not see the API KEY entry dialog at all if GEMINI_API_KEY is set

Fixed

[jacob314]

This review was generated by Gemini CLI.

Reviewing the changes to prioritize GEMINI_API_KEY.

Logic & Correctness:
The prioritization logic in useAuth.ts and the flow through AuthDialog -> useAuth effect -> Authenticated looks correct.

• The empty string case (GEMINI_API_KEY="") is handled correctly: useAuth sees the empty key, transitions to AwaitingApiKeyInput, and allows the user to enter a key.

Tests:
In packages/cli/src/ui/auth/ApiAuthDialog.test.tsx:
The shift from calls[0] to calls[1] for mockedUseKeypress is correct due to the new hook call in the parent component.

• Suggestion: It would be helpful to add a small comment explaining that calls[0] is the dialog's handler (Ctrl+C) and calls[1] is the TextInput's handler to prevent future confusion.

Code Unreachability:
In ApiAuthDialog.tsx, you added:

const initialApiKey = process.env['GEMINI_API_KEY'] || defaultValue;

It seems this line might effectively be dead code because:

1. If GEMINI_API_KEY is set and truthy, useAuth transitions directly to Authenticated, so this dialog is never shown.
2. If GEMINI_API_KEY is empty, useAuth transitions to AwaitingApiKeyInput, but the env var is empty, so it falls back to defaultValue (which is also empty).
   This is harmless, but worth noting that the pre-fill behavior likely never triggers in practice.

React:

• handleClear in ApiAuthDialog.tsx awaits clearApiKey() before setting state. Ensure this doesn't cause issues if the component unmounts during the async call (though unlikely in this modal flow).

Overall, looks good!

[jacob314]

In packages/cli/src/ui/auth/ApiAuthDialog.tsx, you use the isMounted ref pattern. While acceptable here, consider using a cancellable promise pattern for better async management.

Example:

// const pendingPromise = useRef<{ cancel: () => void } | null>(null);
// useEffect(() => () => pendingPromise.current?.cancel(), []);
//
// const handleClear = () => {
//   pendingPromise.current?.cancel();
//   const { promise, cancel } = makeCancellable(clearApiKey());
//   pendingPromise.current = { cancel };
//   promise.then(() => buffer.setText(''));
// };

[jacob314]

Approved once the two comments mentioned are addressed.

[jacob314]