MediaMetz/gemini-cli
1
0
Fork 0
mirror of https://github.com/google-gemini/gemini-cli.git synced 2026-04-21 18:44:30 -07:00
Code Issues Packages Projects Releases Wiki Activity

feat(core): require user consent before MCP server OAuth (#18132)

Browse Source
This commit is contained in:
Emily Hedlund
2026-02-03 16:26:00 -05:00
committed by GitHub
parent 1fc59484b1
commit 69f8273481
7 changed files with 255 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/core/src/code_assist/oauth2.test.ts
+13 -85
View File
@@ -9,7 +9,6 @@ import type { Mock } from 'vitest';
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
import {
getOauthClient,
getConsentForOauth,
resetOauthClientForTesting,
clearCachedCredentialFile,
clearOauthClientCache,
@@ -30,10 +29,7 @@ import { FORCE_ENCRYPTED_FILE_ENV_VAR } from '../mcp/token-storage/index.js';
import { GEMINI_DIR, homedir as pathsHomedir } from '../utils/paths.js';
import { debugLogger } from '../utils/debugLogger.js';
import { writeToStdout } from '../utils/stdio.js';
import {
FatalAuthenticationError,
FatalCancellationError,
} from '../utils/errors.js';
import { FatalCancellationError } from '../utils/errors.js';
import process from 'node:process';
import { coreEvents } from '../utils/events.js';
@@ -1255,6 +1251,18 @@ describe('oauth2', () => {
stdinOnSpy.mockRestore();
stdinRemoveListenerSpy.mockRestore();
});
it('should throw FatalCancellationError when consent is denied', async () => {
vi.spyOn(coreEvents, 'emitConsentRequest').mockImplementation(
(payload) => {
payload.onConfirm(false);
},
);
await expect(
getOauthClient(AuthType.LOGIN_WITH_GOOGLE, mockConfig),
).rejects.toThrow(FatalCancellationError);
});
});
describe('clearCachedCredentialFile', () => {
@@ -1515,84 +1523,4 @@ describe('oauth2', () => {
expect(fs.existsSync(credsPath)).toBe(true); // The unencrypted file should remain
});
});
describe('getConsentForOauth', () => {
it('should use coreEvents when listeners are present', async () => {
vi.restoreAllMocks();
const mockEmitConsentRequest = vi.spyOn(coreEvents, 'emitConsentRequest');
const mockListenerCount = vi
.spyOn(coreEvents, 'listenerCount')
.mockReturnValue(1);
mockEmitConsentRequest.mockImplementation((payload) => {
payload.onConfirm(true);
});
const result = await getConsentForOauth();
expect(result).toBe(true);
expect(mockEmitConsentRequest).toHaveBeenCalled();
mockListenerCount.mockRestore();
mockEmitConsentRequest.mockRestore();
});
it('should use readline when no listeners are present and stdin is a TTY', async () => {
vi.restoreAllMocks();
const mockListenerCount = vi
.spyOn(coreEvents, 'listenerCount')
.mockReturnValue(0);
const originalIsTTY = process.stdin.isTTY;
Object.defineProperty(process.stdin, 'isTTY', {
value: true,
configurable: true,
});
const mockReadline = {
on: vi.fn((event, callback) => {
if (event === 'line') {
callback('y');
}
}),
close: vi.fn(),
};
(readline.createInterface as Mock).mockReturnValue(mockReadline);
const result = await getConsentForOauth();
expect(result).toBe(true);
expect(readline.createInterface).toHaveBeenCalled();
expect(writeToStdout).toHaveBeenCalledWith(
expect.stringContaining('Do you want to continue? [Y/n]: '),
);
mockListenerCount.mockRestore();
Object.defineProperty(process.stdin, 'isTTY', {
value: originalIsTTY,
configurable: true,
});
});
it('should throw FatalAuthenticationError when no listeners and not a TTY', async () => {
vi.restoreAllMocks();
const mockListenerCount = vi
.spyOn(coreEvents, 'listenerCount')
.mockReturnValue(0);
const originalIsTTY = process.stdin.isTTY;
Object.defineProperty(process.stdin, 'isTTY', {
value: false,
configurable: true,
});
await expect(getConsentForOauth()).rejects.toThrow(
FatalAuthenticationError,
);
mockListenerCount.mockRestore();
Object.defineProperty(process.stdin, 'isTTY', {
value: originalIsTTY,
configurable: true,
});
});
});
});
packages/core/src/code_assist/oauth2.ts
+2 -48
View File
@@ -45,6 +45,7 @@ import {
exitAlternateScreen,
} from '../utils/terminal.js';
import { coreEvents, CoreEvent } from '../utils/events.js';
import { getConsentForOauth } from '../utils/authConsent.js';
export const authEvents = new EventEmitter();
@@ -269,7 +270,7 @@ async function initOauthClient(
await triggerPostAuthCallbacks(client.credentials);
} else {
const userConsent = await getConsentForOauth();
const userConsent = await getConsentForOauth('Code Assist login required.');
if (!userConsent) {
throw new FatalCancellationError('Authentication cancelled by user.');
}
@@ -377,53 +378,6 @@ async function initOauthClient(
return client;
}
export async function getConsentForOauth(): Promise<boolean> {
const prompt =
'Code Assist login required. Opening authentication page in your browser. ';
if (coreEvents.listenerCount(CoreEvent.ConsentRequest) === 0) {
if (!process.stdin.isTTY) {
throw new FatalAuthenticationError(
'Code Assist login required, but interactive consent could not be obtained.\n' +
'Please run Gemini CLI in an interactive terminal to authenticate, or use NO_BROWSER=true for manual authentication.',
);
}
return getOauthConsentNonInteractive(prompt);
}
return getOauthConsentInteractive(prompt);
}
async function getOauthConsentNonInteractive(prompt: string) {
const rl = readline.createInterface({
input: process.stdin,
output: createWorkingStdio().stdout,
terminal: true,
});
const fullPrompt = prompt + 'Do you want to continue? [Y/n]: ';
writeToStdout(`\n${fullPrompt}`);
return new Promise<boolean>((resolve) => {
rl.on('line', (answer) => {
rl.close();
resolve(['y', ''].includes(answer.trim().toLowerCase()));
});
});
}
async function getOauthConsentInteractive(prompt: string) {
const fullPrompt = prompt + '\n\nDo you want to continue?';
return new Promise<boolean>((resolve) => {
coreEvents.emitConsentRequest({
prompt: fullPrompt,
onConfirm: (confirmed: boolean) => {
resolve(confirmed);
},
});
});
}
export async function getOauthClient(
authType: AuthType,
config: Config,