fix: harden file keyring OAuth reauth

steipete · steipete · commit 0b0b3386dc78 · 2026-05-14T11:04:26.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@
 
 ### Fixed
 
+- Auth: keep fresh OAuth saves working even when old file-keyring token entries are unreadable, and clarify that `--services all` means all user OAuth services while Workspace-only services use service accounts.
 - Gmail: reject off-palette `gmail labels style` colors locally instead of forwarding an opaque Gmail API error.
 - Drive: make `drive share --dry-run` stop before permission creation for user and domain shares, including `--notify`.
 - Forms: make `forms create --description` apply the description with a follow-up batch update, and preserve zero-valued indexes in `forms move-question`.
diff --git a/docs/commands/gog-auth-add.md b/docs/commands/gog-auth-add.md
@@ -44,7 +44,7 @@ gog auth add <email> [flags]
 | `--remote` | `bool` |  | Remote/server-friendly manual flow (print URL, then exchange code) |
 | `--results-only` | `bool` |  | In JSON mode, emit only the primary result (drops envelope fields like nextPageToken) |
 | `--select`<br>`--pick`<br>`--project` | `string` |  | In JSON mode, select comma-separated fields (best-effort; supports dot paths). Desire path: use --fields for most commands. |
-| `--services` | `string` | user | Services to authorize: user\|all or comma-separated gmail,calendar,chat,classroom,drive,driveactivity,drivelabels,docs,slides,contacts,tasks,sheets,people,forms,sites,meet,appscript,analytics,searchconsole,ads,youtube,photos (Keep uses service account: gog auth service-account set) |
+| `--services` | `string` | user | Services to authorize: user\|all-user or comma-separated gmail,calendar,chat,classroom,drive,driveactivity,drivelabels,docs,slides,contacts,tasks,sheets,people,forms,sites,meet,appscript,analytics,searchconsole,ads,youtube,photos; all means all user OAuth services. Workspace service-account-only services: admin, groups, keep |
 | `--step` | `int` |  | Remote auth step: 1=print URL, 2=exchange code |
 | `--timeout` | `time.Duration` |  | Authorization timeout (manual flows default to 5m) |
 | `-v`<br>`--verbose` | `bool` |  | Enable verbose logging |
diff --git a/docs/commands/gog-auth-manage.md b/docs/commands/gog-auth-manage.md
@@ -36,7 +36,7 @@ gog auth manage (login) [flags]
 | `--redirect-host` | `string` |  | Hostname for OAuth callback; builds https://{host}/oauth2/callback |
 | `--results-only` | `bool` |  | In JSON mode, emit only the primary result (drops envelope fields like nextPageToken) |
 | `--select`<br>`--pick`<br>`--project` | `string` |  | In JSON mode, select comma-separated fields (best-effort; supports dot paths). Desire path: use --fields for most commands. |
-| `--services` | `string` | user | Services to authorize: user\|all or comma-separated gmail,calendar,chat,classroom,drive,driveactivity,drivelabels,docs,slides,contacts,tasks,sheets,people,forms,sites,meet,appscript,analytics,searchconsole,ads,youtube,photos (Keep uses service account: gog auth service-account set) |
+| `--services` | `string` | user | Services to authorize: user\|all-user or comma-separated gmail,calendar,chat,classroom,drive,driveactivity,drivelabels,docs,slides,contacts,tasks,sheets,people,forms,sites,meet,appscript,analytics,searchconsole,ads,youtube,photos; all means all user OAuth services. Workspace service-account-only services: admin, groups, keep |
 | `--timeout` | `time.Duration` | 10m | Server timeout duration |
 | `-v`<br>`--verbose` | `bool` |  | Enable verbose logging |
 | `--version` | `kong.VersionFlag` |  | Print version and exit |
diff --git a/docs/commands/gog-login.md b/docs/commands/gog-login.md
@@ -44,7 +44,7 @@ gog login <email> [flags]
 | `--remote` | `bool` |  | Remote/server-friendly manual flow (print URL, then exchange code) |
 | `--results-only` | `bool` |  | In JSON mode, emit only the primary result (drops envelope fields like nextPageToken) |
 | `--select`<br>`--pick`<br>`--project` | `string` |  | In JSON mode, select comma-separated fields (best-effort; supports dot paths). Desire path: use --fields for most commands. |
-| `--services` | `string` | user | Services to authorize: user\|all or comma-separated gmail,calendar,chat,classroom,drive,driveactivity,drivelabels,docs,slides,contacts,tasks,sheets,people,forms,sites,meet,appscript,analytics,searchconsole,ads,youtube,photos (Keep uses service account: gog auth service-account set) |
+| `--services` | `string` | user | Services to authorize: user\|all-user or comma-separated gmail,calendar,chat,classroom,drive,driveactivity,drivelabels,docs,slides,contacts,tasks,sheets,people,forms,sites,meet,appscript,analytics,searchconsole,ads,youtube,photos; all means all user OAuth services. Workspace service-account-only services: admin, groups, keep |
 | `--step` | `int` |  | Remote auth step: 1=print URL, 2=exchange code |
 | `--timeout` | `time.Duration` |  | Authorization timeout (manual flows default to 5m) |
 | `-v`<br>`--verbose` | `bool` |  | Enable verbose logging |
diff --git a/docs/spec.md b/docs/spec.md
@@ -175,7 +175,7 @@ Flag aliases:
 - `gog auth credentials list`
 - `gog auth credentials remove [<client>|all]`
 - `gog --client <name> auth credentials <credentials.json|->`
-- `gog auth add <email> [--services user|all|gmail,calendar,chat,classroom,drive,driveactivity,drivelabels,docs,slides,contacts,tasks,sheets,people,forms,photos,appscript,ads,groups,keep,admin] [--readonly] [--drive-scope full|readonly|file] [--gmail-scope full|readonly] [--extra-scopes CSV] [--manual] [--remote] [--step 1|2] [--auth-url URL] [--listen-addr HOST[:PORT]] [--redirect-host HOST] [--timeout DURATION] [--force-consent]`
+- `gog auth add <email> [--services user|all-user|all|gmail,calendar,chat,classroom,drive,driveactivity,drivelabels,docs,slides,contacts,tasks,sheets,people,forms,sites,meet,photos,appscript,analytics,searchconsole,ads,youtube] [--readonly] [--drive-scope full|readonly|file] [--gmail-scope full|readonly] [--extra-scopes CSV] [--manual] [--remote] [--step 1|2] [--auth-url URL] [--listen-addr HOST[:PORT]] [--redirect-host HOST] [--timeout DURATION] [--force-consent]`
 - `gog auth services [--markdown]`
 - `gog auth manage [--services ...] [--listen-addr HOST[:PORT]] [--redirect-host HOST]`
 - `gog auth keep <email> --key <service-account.json>` (Google Keep; Workspace only)
diff --git a/internal/cmd/auth.go b/internal/cmd/auth.go
@@ -57,7 +57,7 @@ type AuthCmd struct {
 
 func parseAuthServices(servicesCSV string) ([]googleauth.Service, error) {
 	trimmed := strings.ToLower(strings.TrimSpace(servicesCSV))
-	if trimmed == "" || trimmed == "user" || trimmed == literalAll {
+	if trimmed == "" || trimmed == "user" || trimmed == "all-user" || trimmed == literalAll {
 		return googleauth.UserServices(), nil
 	}
 
@@ -69,8 +69,9 @@ func parseAuthServices(servicesCSV string) ([]googleauth.Service, error) {
 		if err != nil {
 			return nil, err
 		}
-		if svc == googleauth.ServiceKeep {
-			return nil, usage("Keep auth is Workspace-only and requires a service account. Use: gog auth service-account set <email> --key <service-account.json>")
+		switch svc {
+		case googleauth.ServiceAdmin, googleauth.ServiceGroups, googleauth.ServiceKeep:
+			return nil, usage(fmt.Sprintf("%s auth is Workspace/service-account-only. Use: gog auth service-account set <email> --key <service-account.json>", svc))
 		}
 		if _, ok := seen[svc]; ok {
 			continue
diff --git a/internal/cmd/auth_accounts.go b/internal/cmd/auth_accounts.go
@@ -254,7 +254,7 @@ func (c *AuthRemoveCmd) Run(ctx context.Context, flags *RootFlags) error {
 
 type AuthManageCmd struct {
 	ForceConsent bool          `name:"force-consent" help:"Force consent screen when adding accounts"`
-	ServicesCSV  string        `name:"services" help:"Services to authorize: user|all or comma-separated ${auth_services} (Keep uses service account: gog auth service-account set)" default:"user"`
+	ServicesCSV  string        `name:"services" help:"Services to authorize: user|all-user or comma-separated ${auth_services}; all means all user OAuth services. Workspace service-account-only services: admin, groups, keep" default:"user"`
 	Timeout      time.Duration `name:"timeout" help:"Server timeout duration" default:"10m"`
 	ListenAddr   string        `name:"listen-addr" help:"Address to listen on for OAuth callback (for example 0.0.0.0 or 0.0.0.0:8080)"`
 	RedirectHost string        `name:"redirect-host" help:"Hostname for OAuth callback; builds https://{host}/oauth2/callback"`
diff --git a/internal/cmd/auth_add.go b/internal/cmd/auth_add.go
@@ -28,7 +28,7 @@ type AuthAddCmd struct {
 	AuthCode     string        `name:"auth-code" hidden:"" help:"UNSAFE: Authorization code from browser (manual flow; skips state check; not valid with --remote)"`
 	Timeout      time.Duration `name:"timeout" help:"Authorization timeout (manual flows default to 5m)"`
 	ForceConsent bool          `name:"force-consent" help:"Force consent screen to obtain a refresh token"`
-	ServicesCSV  string        `name:"services" help:"Services to authorize: user|all or comma-separated ${auth_services} (Keep uses service account: gog auth service-account set)" default:"user"`
+	ServicesCSV  string        `name:"services" help:"Services to authorize: user|all-user or comma-separated ${auth_services}; all means all user OAuth services. Workspace service-account-only services: admin, groups, keep" default:"user"`
 	Readonly     bool          `name:"readonly" help:"Use read-only scopes where available (still includes OIDC identity scopes)"`
 	DriveScope   string        `name:"drive-scope" help:"Drive scope mode: full|readonly|file" enum:"full,readonly,file" default:"full"`
 	GmailScope   string        `name:"gmail-scope" help:"Gmail scope mode: full|readonly" enum:"full,readonly" default:"full"`
diff --git a/internal/cmd/auth_add_test.go b/internal/cmd/auth_add_test.go
@@ -138,6 +138,54 @@ func (s *setTokenErrorStore) SetToken(string, string, secrets.Token) error {
 	return s.err
 }
 
+type listTokenErrorStore struct {
+	*memSecretsStore
+	err error
+}
+
+func (s *listTokenErrorStore) ListTokens() ([]secrets.Token, error) {
+	return nil, s.err
+}
+
+func TestAuthAddCmd_ListTokenFailureDoesNotBlockFreshTokenSave(t *testing.T) {
+	origAuth := authorizeGoogle
+	origOpen := openSecretsStore
+	origKeychain := ensureKeychainAccess
+	origFetch := fetchAuthorizedIdentity
+	t.Cleanup(func() {
+		authorizeGoogle = origAuth
+		openSecretsStore = origOpen
+		ensureKeychainAccess = origKeychain
+		fetchAuthorizedIdentity = origFetch
+	})
+
+	ensureKeychainAccess = func() error { return nil }
+	authorizeGoogle = func(context.Context, googleauth.AuthorizeOptions) (string, error) {
+		return "rt", nil
+	}
+	fetchAuthorizedIdentity = func(context.Context, string, string, []string, time.Duration) (googleauth.Identity, error) {
+		return googleauth.Identity{Subject: "sub-123", Email: "user@example.com"}, nil
+	}
+
+	store := &listTokenErrorStore{
+		memSecretsStore: newMemSecretsStore(),
+		err:             errors.New("read encoded file keyring item: aes.KeyUnwrap(): integrity check failed"),
+	}
+	openSecretsStore = func() (secrets.Store, error) { return store, nil }
+
+	if err := Execute([]string{"auth", "add", "user@example.com", "--services", "gmail", "--manual"}); err != nil {
+		t.Fatalf("Execute: %v", err)
+	}
+
+	tok, err := store.GetToken(config.DefaultClientName, "user@example.com")
+	if err != nil {
+		t.Fatalf("GetToken: %v", err)
+	}
+	if tok.RefreshToken != "rt" || tok.Subject != "sub-123" {
+		t.Fatalf("unexpected saved token: %#v", tok)
+	}
+}
+
 func TestAuthAddCmd_StoreFailureReportsOAuthCompleted(t *testing.T) {
 	origAuth := authorizeGoogle
 	origOpen := openSecretsStore
@@ -240,7 +288,7 @@ func TestAuthAddCmd_KeepRejected(t *testing.T) {
 	if !errors.As(err, &ee) || ee.Code != 2 {
 		t.Fatalf("expected exit code 2, got %T %#v", err, err)
 	}
-	if !strings.Contains(err.Error(), "Keep auth") {
+	if !strings.Contains(err.Error(), "keep auth") {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if authorizeCalled {
diff --git a/internal/googleauth/identity_migration.go b/internal/googleauth/identity_migration.go
@@ -18,7 +18,10 @@ func MigrateStoredSubjectIdentity(store secrets.Store, client string, identity I
 
 	tokens, err := store.ListTokens()
 	if err != nil {
-		return "", fmt.Errorf("list tokens for subject identity migration: %w", err)
+		// Subject migration is best-effort compatibility cleanup. A stale or
+		// corrupted token must not make a freshly completed OAuth flow fail
+		// before the new refresh token is saved.
+		return "", nil
 	}
 
 	for _, tok := range tokens {

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ type AuthCmd struct {`
`57`	`57`
`58`	`58`	`func parseAuthServices(servicesCSV string) ([]googleauth.Service, error) {`
`59`	`59`	`trimmed := strings.ToLower(strings.TrimSpace(servicesCSV))`
`60`		`- if trimmed == "" \|\| trimmed == "user" \|\| trimmed == literalAll {`
	`60`	`+ if trimmed == "" \|\| trimmed == "user" \|\| trimmed == "all-user" \|\| trimmed == literalAll {`
`61`	`61`	`return googleauth.UserServices(), nil`
`62`	`62`	`}`
`63`	`63`
`@@ -69,8 +69,9 @@ func parseAuthServices(servicesCSV string) ([]googleauth.Service, error) {`
`69`	`69`	`if err != nil {`
`70`	`70`	`return nil, err`
`71`	`71`	`}`
`72`		`- if svc == googleauth.ServiceKeep {`
`73`		`- return nil, usage("Keep auth is Workspace-only and requires a service account. Use: gog auth service-account set <email> --key <service-account.json>")`
	`72`	`+ switch svc {`
	`73`	`+ case googleauth.ServiceAdmin, googleauth.ServiceGroups, googleauth.ServiceKeep:`
	`74`	`+ return nil, usage(fmt.Sprintf("%s auth is Workspace/service-account-only. Use: gog auth service-account set <email> --key <service-account.json>", svc))`
`74`	`75`	`}`
`75`	`76`	`if _, ok := seen[svc]; ok {`
`76`	`77`	`continue`