Hello @eapl-gemugami, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

Hello! Gemini here, providing a summary of this pull request. This PR aims to fix the cloudrun_service_to_service_receive sample and the related auth_validate_and_decode_bearer_token_on_flask sample. The core issue addressed is b/405225642. To resolve this and better demonstrate the full Flask application context required for the sample, the authentication validation logic previously in receive.py has been migrated directly into app.py. The PR also updates the associated test suite to reflect these changes, particularly how the ID token is fetched and how anonymous requests are handled (now correctly returning Unauthorized). Dependencies have also been updated.

Highlights

• Authentication Logic Update: The app.py now includes code to fetch service metadata (name, project ID, region, service URI) to correctly determine the audience for ID token validation. The main route explicitly checks for an Authorization header and validates the Bearer token, returning HTTPStatus.UNAUTHORIZED if missing or invalid.
• Test Suite Updates: The test suite (receive_auth_requests_test.py) has been updated to align with the changes. It now uses google.oauth2.id_token.fetch_id_token to obtain a token with the correct audience (the service URL). Tests for anonymous requests now correctly assert for HTTPStatus.UNAUTHORIZED.
• Dependency Updates: Required dependencies have been updated, including google-auth, adding google-cloud-run, and adding backoff for test retries.

Changelog

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Code moves and shifts,
From receive to app it drifts.
Tests now check auth,
On the secure Cloud Run path.
Fixing samples, a gift.

Code Review

The pull request successfully migrates the authentication logic for the cloudrun_service_to_service_receive and auth_validate_and_decode_bearer_token_on_flask samples into app.py, as intended. The updated test suite in receive_auth_requests_test.py correctly reflects the new behavior of the application, requiring authentication and validating the token. The use of backoff in the test is a good addition for robustness. However, there are a few areas related to error handling and file management that could be improved.

Summary of Findings

• Inclusion of temporary file: The file run/service-auth/text.py appears to be a temporary scratchpad and should be removed.
• Error Handling in app.py: There are several areas in app.py where error handling could be improved for robustness, including fetching metadata/service URI, parsing the Authorization header, and handling exceptions in the main route.
• Logging vs. Print: Using print statements for logging in parse_auth_header is less ideal than using Python's built-in logging module for better control over log levels and output.
• Test File Cleanup: There is a commented-out line in receive_auth_requests_test.py that should be removed.

Merge Readiness

The pull request implements the core functionality correctly and updates the tests appropriately. However, there is a high-severity issue (inclusion of a temporary file) and several medium-severity issues related to error handling that should be addressed before merging. I am unable to approve this pull request; please have other reviewers approve it once the requested changes are made.