fix(core): restore auth consent in headless mode and add unit tests (#19689)

packages/core/src/code_assist/oauth2.test.ts

@@ -32,6 +32,7 @@ import { writeToStdout } from '../utils/stdio.js';
 import { FatalCancellationError } from '../utils/errors.js';
 import process from 'node:process';
 import { coreEvents } from '../utils/events.js';
+import { isHeadlessMode } from '../utils/headless.js';
 
 vi.mock('node:os', async (importOriginal) => {
   const actual = await importOriginal<typeof import('node:os')>();
@@ -54,6 +55,9 @@ vi.mock('http');
 vi.mock('open');
 vi.mock('crypto');
 vi.mock('node:readline');
+vi.mock('../utils/headless.js', () => ({
+  isHeadlessMode: vi.fn(),
+}));
 vi.mock('../utils/browser.js', () => ({
   shouldAttemptBrowserLaunch: () => true,
 }));
@@ -98,6 +102,12 @@ global.fetch = vi.fn();
 
 describe('oauth2', () => {
   beforeEach(() => {
+    vi.mocked(isHeadlessMode).mockReturnValue(false);
+    (readline.createInterface as Mock).mockReturnValue({
+      question: vi.fn((_query, callback) => callback('')),
+      close: vi.fn(),
+      on: vi.fn(),
+    });
     vi.spyOn(coreEvents, 'listenerCount').mockReturnValue(1);
     vi.spyOn(coreEvents, 'emitConsentRequest').mockImplementation((payload) => {
       payload.onConfirm(true);

packages/core/src/mcp/oauth-provider.test.ts

@@ -36,6 +36,23 @@ vi.mock('../utils/events.js', () => ({
 vi.mock('../utils/authConsent.js', () => ({
   getConsentForOauth: vi.fn(() => Promise.resolve(true)),
 }));
+vi.mock('../utils/headless.js', () => ({
+  isHeadlessMode: vi.fn(() => false),
+}));
+vi.mock('node:readline', () => ({
+  default: {
+    createInterface: vi.fn(() => ({
+      question: vi.fn((_query, callback) => callback('')),
+      close: vi.fn(),
+      on: vi.fn(),
+    })),
+  },
+  createInterface: vi.fn(() => ({
+    question: vi.fn((_query, callback) => callback('')),
+    close: vi.fn(),
+    on: vi.fn(),
+  })),
+}));
 
 import { describe, it, expect, beforeEach, afterEach } from 'vitest';
 import * as http from 'node:http';

packages/core/src/utils/authConsent.test.ts

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { describe, it, expect, vi } from 'vitest';
+import { describe, it, expect, vi, beforeEach } from 'vitest';
 import type { Mock } from 'vitest';
 import readline from 'node:readline';
 import process from 'node:process';
@@ -27,12 +27,18 @@ vi.mock('./stdio.js', () => ({
 }));
 
 describe('getConsentForOauth', () => {
-  it('should use coreEvents when listeners are present', async () => {
+  beforeEach(() => {
     vi.restoreAllMocks();
+  });
+
+  describe('in interactive mode', () => {
+    beforeEach(() => {
+      (isHeadlessMode as Mock).mockReturnValue(false);
+    });
+
+    it('should emit consent request when UI listeners are present', async () => {
       const mockEmitConsentRequest = vi.spyOn(coreEvents, 'emitConsentRequest');
-    const mockListenerCount = vi
+      vi.spyOn(coreEvents, 'listenerCount').mockReturnValue(1);
-      .spyOn(coreEvents, 'listenerCount')
-      .mockReturnValue(1);
 
       mockEmitConsentRequest.mockImplementation((payload) => {
         payload.onConfirm(true);
@@ -48,18 +54,36 @@ describe('getConsentForOauth', () => {
           ),
         }),
       );
-
-    mockListenerCount.mockRestore();
-    mockEmitConsentRequest.mockRestore();
     });
 
-  it('should use readline when no listeners are present and not headless', async () => {
+    it('should return false when user declines via UI', async () => {
-    vi.restoreAllMocks();
+      const mockEmitConsentRequest = vi.spyOn(coreEvents, 'emitConsentRequest');
-    const mockListenerCount = vi
+      vi.spyOn(coreEvents, 'listenerCount').mockReturnValue(1);
-      .spyOn(coreEvents, 'listenerCount')
-      .mockReturnValue(0);
-    (isHeadlessMode as Mock).mockReturnValue(false);
 
+      mockEmitConsentRequest.mockImplementation((payload) => {
+        payload.onConfirm(false);
+      });
+
+      const result = await getConsentForOauth('Login required.');
+
+      expect(result).toBe(false);
+    });
+
+    it('should throw FatalAuthenticationError when no UI listeners are present', async () => {
+      vi.spyOn(coreEvents, 'listenerCount').mockReturnValue(0);
+
+      await expect(getConsentForOauth('Login required.')).rejects.toThrow(
+        FatalAuthenticationError,
+      );
+    });
+  });
+
+  describe('in non-interactive mode', () => {
+    beforeEach(() => {
+      (isHeadlessMode as Mock).mockReturnValue(true);
+    });
+
+    it('should use readline to prompt for consent', async () => {
       const mockReadline = {
         on: vi.fn((event, callback) => {
           if (event === 'line') {
@@ -73,27 +97,46 @@ describe('getConsentForOauth', () => {
       const result = await getConsentForOauth('Login required.');
 
       expect(result).toBe(true);
-    expect(readline.createInterface).toHaveBeenCalled();
+      expect(readline.createInterface).toHaveBeenCalledWith(
-    expect(writeToStdout).toHaveBeenCalledWith(
+        expect.objectContaining({
-      expect.stringContaining(
+          terminal: true,
-        'Login required. Opening authentication page in your browser.',
+        }),
-      ),
+      );
+      expect(writeToStdout).toHaveBeenCalledWith(
+        expect.stringContaining('Login required.'),
       );
-
-    mockListenerCount.mockRestore();
     });
 
-  it('should throw FatalAuthenticationError when no listeners and headless', async () => {
+    it('should accept empty response as "yes"', async () => {
-    vi.restoreAllMocks();
+      const mockReadline = {
-    const mockListenerCount = vi
+        on: vi.fn((event, callback) => {
-      .spyOn(coreEvents, 'listenerCount')
+          if (event === 'line') {
-      .mockReturnValue(0);
+            callback('');
-    (isHeadlessMode as Mock).mockReturnValue(true);
+          }
+        }),
+        close: vi.fn(),
+      };
+      (readline.createInterface as Mock).mockReturnValue(mockReadline);
 
-    await expect(getConsentForOauth('Login required.')).rejects.toThrow(
+      const result = await getConsentForOauth('Login required.');
-      FatalAuthenticationError,
-    );
 
-    mockListenerCount.mockRestore();
+      expect(result).toBe(true);
+    });
+
+    it('should return false when user declines via readline', async () => {
+      const mockReadline = {
+        on: vi.fn((event, callback) => {
+          if (event === 'line') {
+            callback('n');
+          }
+        }),
+        close: vi.fn(),
+      };
+      (readline.createInterface as Mock).mockReturnValue(mockReadline);
+
+      const result = await getConsentForOauth('Login required.');
+
+      expect(result).toBe(false);
+    });
   });
 });

packages/core/src/utils/authConsent.ts

@@ -12,22 +12,21 @@ import { isHeadlessMode } from './headless.js';
 
 /**
  * Requests consent from the user for OAuth login.
- * Handles both TTY and non-TTY environments.
+ * Handles both interactive and non-interactive (headless) modes.
  */
 export async function getConsentForOauth(prompt: string): Promise<boolean> {
   const finalPrompt = prompt + ' Opening authentication page in your browser. ';
 
-  if (coreEvents.listenerCount(CoreEvent.ConsentRequest) === 0) {
   if (isHeadlessMode()) {
-      throw new FatalAuthenticationError(
-        'Interactive consent could not be obtained.\n' +
-          'Please run Gemini CLI in an interactive terminal to authenticate, or use NO_BROWSER=true for manual authentication.',
-      );
-    }
     return getOauthConsentNonInteractive(finalPrompt);
-  }
+  } else if (coreEvents.listenerCount(CoreEvent.ConsentRequest) > 0) {
-
     return getOauthConsentInteractive(finalPrompt);
+  }
+  throw new FatalAuthenticationError(
+    'Authentication consent could not be obtained.\n' +
+      'Please run Gemini CLI in an interactive terminal to authenticate, ' +
+      'or use NO_BROWSER=true for manual authentication.',
+  );
 }
 
 async function getOauthConsentNonInteractive(prompt: string) {