fix(core): prevent OAuth server crash on unexpected requests (#19668)

2026-03-11 06:31:01 -07:00 · 2026-02-23 23:33:31 +05:30
parent 8b1dc15182
commit 2e3cbd6363
2 changed files with 65 additions and 0 deletions
--- a/packages/core/src/code_assist/oauth2.test.ts
+++ b/packages/core/src/code_assist/oauth2.test.ts
@@ -936,6 +936,70 @@ describe('oauth2', () => {
        );
      });

+      it('should handle unexpected requests (like /favicon.ico) without crashing', async () => {
+        const mockAuthUrl = 'https://example.com/auth';
+        const mockOAuth2Client = {
+          generateAuthUrl: vi.fn().mockReturnValue(mockAuthUrl),
+          on: vi.fn(),
+        } as unknown as OAuth2Client;
+        vi.mocked(OAuth2Client).mockImplementation(() => mockOAuth2Client);
+
+        vi.mocked(open).mockImplementation(
+          async () => ({ on: vi.fn() }) as never,
+        );
+
+        let requestCallback!: http.RequestListener;
+        let serverListeningCallback: (value: unknown) => void;
+        const serverListeningPromise = new Promise(
+          (resolve) => (serverListeningCallback = resolve),
+        );
+
+        const mockHttpServer = {
+          listen: vi.fn(
+            (_port: number, _host: string, callback?: () => void) => {
+              if (callback) callback();
+              serverListeningCallback(undefined);
+            },
+          ),
+          close: vi.fn(),
+          on: vi.fn(),
+          address: () => ({ port: 3000 }),
+        };
+        (http.createServer as Mock).mockImplementation((cb) => {
+          requestCallback = cb;
+          return mockHttpServer as unknown as http.Server;
+        });
+
+        const clientPromise = getOauthClient(
+          AuthType.LOGIN_WITH_GOOGLE,
+          mockConfig,
+        );
+        await serverListeningPromise;
+
+        // Simulate an unexpected request, like a browser requesting a favicon
+        const mockReq = {
+          url: '/favicon.ico',
+        } as http.IncomingMessage;
+        const mockRes = {
+          writeHead: vi.fn(),
+          end: vi.fn(),
+        } as unknown as http.ServerResponse;
+
+        await expect(async () => {
+          requestCallback(mockReq, mockRes);
+          await clientPromise;
+        }).rejects.toThrow(
+          'OAuth callback not received. Unexpected request: /favicon.ico',
+        );
+
+        // Assert that we correctly redirected to the failure page
+        expect(mockRes.writeHead).toHaveBeenCalledWith(301, {
+          Location:
+            'https://developers.google.com/gemini-code-assist/auth_failure_gemini',
+        });
+        expect(mockRes.end).toHaveBeenCalled();
+      });
+
      it('should handle token exchange failure with descriptive error', async () => {
        const mockAuthUrl = 'https://example.com/auth';
        const mockCode = 'test-code';
--- a/packages/core/src/code_assist/oauth2.ts
+++ b/packages/core/src/code_assist/oauth2.ts
@@ -490,6 +490,7 @@ async function authWithWeb(client: OAuth2Client): Promise<OauthWebLogin> {
              'OAuth callback not received. Unexpected request: ' + req.url,
            ),
          );
+          return;
        }
        // acquire the code from the querystring, and close the web server.
        const qs = new url.URL(req.url!, 'http://127.0.0.1:3000').searchParams;