feat(auth): add --no-localhost flag to gws auth login

[vinay-google]

This PR adds a --no-localhost flag to the gws auth login command.

When working in environments like headless servers, containers, or SSH sessions where a localhost redirect callback cannot be reached from the browser, users need a way to authenticate using an out-of-band (OOB) flow. This feature works similarly to clasp login --no-localhost.

Changes:

• Added --no-localhost to gws auth login options.
• When --no-localhost is specified, yup_oauth2 is configured to use InstalledFlowReturnMethod::Interactive and the urn:ietf:wg:oauth:2.0:oob redirect URI, prompting the user to paste the authorization code into the terminal after granting consent in their browser.

---

PR created automatically by Jules for task 14183664837181903487

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[changeset-bot]

🦋 Changeset detected

Latest commit: 210bee2

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@googleworkspace/cli	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant enhancement to the gws auth login command by adding a --no-localhost flag. This flag facilitates authentication in non-browser environments, such as headless servers or SSH sessions, by enabling an out-of-band flow. Users can now authenticate by manually pasting a code, resolving a common pain point for developers working in restricted setups.

Highlights

• New --no-localhost flag: A new --no-localhost flag has been added to the gws auth login command, enabling an out-of-band (OOB) authentication flow.
• Out-of-band authentication support: When --no-localhost is used, the authentication process switches to an interactive mode, prompting the user to paste an authorization code into the terminal after granting consent in their browser. This is achieved by configuring yup_oauth2 to use InstalledFlowReturnMethod::Interactive and the urn:ietf:wg:oauth:2.0:oob redirect URI.
• Improved headless environment support: This change addresses authentication challenges in environments where a localhost redirect callback is not accessible, such as headless servers, containers, or SSH sessions.

Changelog

• src/auth_commands.rs
  • Added --no-localhost flag to the help message for gws auth login.
  • Implemented parsing logic to detect the --no-localhost flag from command-line arguments.
  • Modified the redirect_uris configuration for yup_oauth2::ApplicationSecret to prioritize urn:ietf:wg:oauth:2.0:oob when --no-localhost is active.
  • Updated the InstalledFlowReturnMethod for yup_oauth2::InstalledFlowAuthenticator to Interactive when --no-localhost is specified, enabling the out-of-band flow.

Activity

• No human activity has been recorded on this pull request yet. It was created automatically by Jules for task 14183664837181903487.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Generative AI Prohibited Use Policy, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request adds a --no-localhost flag to the gws auth login command, enabling an out-of-band authentication flow for environments without a local web browser. The implementation correctly parses the new flag and configures yup_oauth2 to use the interactive flow when specified. The changes are logical and well-contained. I have one suggestion to simplify the logic for constructing the redirect_uris, which would improve clarity and correctness.

[googleworkspace-bot]

/gemini review

[gemini-code-assist]

Code Review

This pull request adds the --no-localhost flag for gws auth login, enabling an out-of-band authentication flow for environments without a browser or localhost access. The implementation correctly uses yup_oauth2's Interactive flow when the flag is present. My review found one high-severity issue related to argument parsing. The existing manual parser can cause the new --no-localhost flag to be incorrectly consumed as a value for another flag like --account, leading to incorrect behavior. Please see the detailed comment.

[gemini-code-assist]

The manual argument parsing logic in this function has a bug that affects this new flag. If a user provides an argument-taking flag like --account without a value, followed by --no-localhost, the --no-localhost flag will be incorrectly consumed as the value for --account.

For example: gws auth login --account --no-localhost

This will result in account_email being Some("--no-localhost") and this no_localhost flag being ignored, leading to confusing errors.

The root cause is that argument-taking flags don't check if the next token is another flag. While a full refactor to use clap for subcommand arguments is a larger change, the current parser should be made more robust to prevent this kind of incorrect behavior.

A potential fix for the --account flag (and similar flags) would be to check that the value is not a flag itself:

if args[i] == "--account" && i + 1 < args.len() && !args[i + 1].starts_with('-') {
    // ...
}

Since this change would be outside the diff, I'm pointing out the issue here on the new code that is impacted by it.

[googleworkspace-bot]

/gemini review

[gemini-code-assist]

Code Review

This pull request successfully adds the --no-localhost flag for out-of-band authentication, which is a great feature for headless environments. The implementation is mostly correct, but I've identified two high-severity issues. First, there's a blocking I/O call within an async function, which can freeze the application. Second, the manual argument parsing logic is fragile and can lead to incorrect behavior when flags are passed in a certain order. My review includes suggestions to fix both of these problems.

[gemini-code-assist]

The use of std::io::stdin().read_line() here is a blocking I/O operation inside an async block. This can block the entire worker thread of the async runtime, leading to poor performance and unresponsiveness, especially if other async tasks are pending. It's crucial to avoid blocking calls in async code.

To fix this, you should move the blocking operation to a dedicated thread pool using tokio::task::spawn_blocking.

Suggested change

	let mut user_input = String::new();
	std::io::stdin()
	.read_line(&mut user_input)
	.map_err(|e| format!("Failed to read code: {e}"))?;
	let user_input = tokio::task::spawn_blocking(|| {
	let mut line = String::new();
	std::io::stdin().read_line(&mut line).map(|_| line)
	})
	.await
	.map_err(|e| format!("Failed to join blocking task: {e}"))?
	.map_err(|e| format!("Failed to read code: {e}"))?;

[googleworkspace-bot]

/gemini review

[jpoehnelt]

@jules address pr review comments

[gemini-code-assist]

Code Review

This pull request introduces a --no-localhost flag for the gws auth login command, enabling an out-of-band authentication flow for headless environments. The implementation correctly uses yup_oauth2's interactive flow when the flag is present. However, there is a critical copy-paste error in src/auth_commands.rs that duplicates code and will cause a compilation failure. This needs to be fixed before merging.

[gemini-code-assist]

This block of code appears to have a copy-paste error, resulting in duplicated logic and a syntax error that will prevent compilation. The if no_localhost block is defined twice, and the first definition incorrectly includes http://localhost in the redirect_uris for the --no-localhost case. The logic should be consolidated into a single, correct if/else block.

    let redirect_uris = if no_localhost {
        vec!["urn:ietf:wg:oauth:2.0:oob".to_string()]
    } else {
        vec!["http://localhost".to_string()]
    };

[googleworkspace-bot]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a --no-localhost flag for the gws auth login command, enabling an out-of-band authentication flow. This is a valuable addition for users in environments without a graphical browser or where localhost redirects are not feasible, such as on headless servers or in containers. The implementation correctly uses yup_oauth2's InstalledFlowReturnMethod::Interactive and handles user input for the authorization code. I've found one critical issue in the handling of pasted URLs which could lead to authentication failures, and I've provided a suggestion to address it. Otherwise, the changes look good.

[gemini-code-assist]

The current logic for handling a pasted URL is flawed. If a user pastes a string that is a valid URL but does not contain a code query parameter (e.g., https://google.com), the code will fall through and treat the entire URL string as the authorization code. This will lead to a cryptic authentication failure later on.

It's better to fail early with a clear error message if a URL is provided but it's not the expected redirect URL containing the authorization code.

Suggested change

	if let Ok(parsed_url) = reqwest::Url::parse(input) {
	for (k, v) in parsed_url.query_pairs() {
	if k == "code" {
	return Ok(v.to_string());
	}
	}
	}
	// Otherwise, assume they pasted just the code
	Ok(input.to_string())
	if let Ok(parsed_url) = reqwest::Url::parse(input) {
	for (k, v) in parsed_url.query_pairs() {
	if k == "code" {
	return Ok(v.to_string());
	}
	}
	// If a URL was pasted but no 'code' was found, it's an error.
	return Err("Pasted URL does not contain an authorization code.".to_string());
	}
	// Otherwise, assume they pasted just the code
	Ok(input.to_string())

[googleworkspace-bot]

/gemini review

[gemini-code-assist]

Code Review

This pull request adds a --no-localhost flag for an out-of-band authentication flow, which is a great feature for environments without a local browser. The implementation is mostly solid, but I've found a potential bug in how pasted URLs are handled when retrieving the authorization code. My review includes a suggestion to make this logic more robust.

[gemini-code-assist]

The current logic for parsing the authorization code from a pasted URL can lead to silent failures. If a user pastes a valid URL that does not contain a code query parameter (e.g., the URL of the consent screen itself), the code will fall through and incorrectly treat the entire URL string as the authorization code. This will cause the authentication to fail downstream with a potentially confusing error.

A more robust approach is to check if the input looks like an HTTP URL. If it does, we should strictly expect to find a code parameter. If no code is found, we should return an error rather than falling through. This provides clearer feedback to the user if they paste the wrong URL.

Suggested change

	// If they pasted a full URL (e.g. http://localhost/?code=4/0Aea...&scope=...)
	if let Ok(parsed_url) = reqwest::Url::parse(input) {
	for (k, v) in parsed_url.query_pairs() {
	if k == "code" {
	return Ok(v.to_string());
	}
	}
	}
	// Otherwise, assume they pasted just the code
	Ok(input.to_string())
	// If they pasted a full URL (e.g. http://localhost/?code=4/0Aea...&scope=...)
	if input.starts_with("http") {
	if let Ok(parsed_url) = reqwest::Url::parse(input) {
	if let Some(code) = parsed_url.query_pairs().find_map(|(k, v)| if k == "code" { Some(v) } else { None }) {
	return Ok(code.into_owned());
	}
	}
	// It looked like a URL, but we couldn't parse it or find a code.
	return Err("The pasted URL is invalid or does not contain a 'code' parameter.".to_string());
	}
	// Otherwise, assume they pasted just the code
	Ok(input.to_string())

[codecov]

Codecov Report

❌ Patch coverage is 65.74074% with 37 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.03%. Comparing base (f07dd2b) to head (210bee2).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
src/auth_commands.rs	65.74%	37 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #231      +/-   ##
==========================================
+ Coverage   57.69%   58.03%   +0.34%     
==========================================
  Files          38       38              
  Lines       14328    14418      +90     
==========================================
+ Hits         8267     8368     +101     
+ Misses       6061     6050      -11     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[googleworkspace-bot]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a --no-localhost flag for the gws auth login command, enabling an out-of-band authentication flow. This is a valuable feature for users in environments without a local browser, such as SSH sessions or containers. The implementation correctly uses yup_oauth2's interactive flow. However, I've found a critical issue where a blocking I/O call is made within an async context, which could cause the application to hang. I've provided a suggestion to resolve this by using tokio::task::spawn_blocking.

[gemini-code-assist]

The use of std::io::stdin().read_line() within an async block is a blocking operation. This can block the Tokio runtime's worker thread, preventing other asynchronous tasks from running and potentially causing your application to hang, especially if the user takes a long time to provide input.

To fix this, you should perform the blocking I/O operation on a dedicated thread pool using tokio::task::spawn_blocking.

Suggested change

	let mut user_input = String::new();
	std::io::stdin()
	.read_line(&mut user_input)
	.map_err(|e| format!("Failed to read code: {e}"))?;
	let user_input = tokio::task::spawn_blocking(|| {
	let mut input = String::new();
	std::io::stdin().read_line(&mut input).map(|_| input)
	})
	.await
	.map_err(|e| format!("Task join error: {e}"))?
	.map_err(|e| format!("Failed to read code: {e}"))?;

[googleworkspace-bot]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a --no-localhost flag for an out-of-band authentication flow, which is a valuable feature for headless environments. The implementation correctly leverages yup_oauth2's interactive flow and includes a refactoring of argument parsing for better code structure. The addition of tests for the new logic is also a good practice. I have identified one high-severity issue concerning a blocking I/O call within an async function and have provided a code suggestion to resolve it.

[gemini-code-assist]

The use of std::io::stdin().read_line() within an async block is a blocking operation that can starve the Tokio runtime executor, preventing other asynchronous tasks from running. This can lead to performance degradation or even deadlocks in the application.

To fix this, you should perform the blocking I/O operation on a dedicated blocking thread using tokio::task::spawn_blocking.

Suggested change

	let mut user_input = String::new();
	std::io::stdin()
	.read_line(&mut user_input)
	.map_err(|e| format!("Failed to read code: {e}"))?;
	let user_input = tokio::task::spawn_blocking(|| {
	let mut input = String::new();
	std::io::stdin().read_line(&mut input).map(|_| input)
	})
	.await
	.map_err(|e| format!("Task join error: {e}"))?
	.map_err(|e| format!("Failed to read code: {e}"))?;

[googleworkspace-bot]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a --no-localhost flag for the gws auth login command, enabling an out-of-band authentication flow for environments without a local web server. The implementation correctly refactors argument parsing, adjusts the OAuth flow based on the new flag, and adds corresponding tests. My review identifies one high-severity issue related to using blocking I/O within an async context, which is against async programming best practices. I've provided details and suggested solutions in the specific comment.

[gemini-code-assist]

Using std::io::stdin() for I/O within an async block is a blocking operation. This can block the current thread and prevent other asynchronous tasks from running, potentially leading to performance issues or deadlocks in more complex applications.

While this might not cause a noticeable problem in the current context of a simple CLI prompt, it is a good practice to use non-blocking alternatives in async code.

Consider one of the following approaches:

1. Wrap the blocking call in tokio::task::spawn_blocking. This moves the operation to a dedicated thread pool.
2. Use tokio::io::stdin() along with tokio::io::AsyncBufReadExt to perform the read asynchronously.

Both solutions would require adding the necessary use statements for tokio components.

[jpoehnelt-bot]

Consolidating this thread into the central discussion for the auth UX/user journey work: #245