fix(auth): harden account manager token migration

steipete · steipete · commit f012ab5ee2f3 · 2026-05-15T18:41:04.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -29,6 +29,7 @@
 - CLI: make dry-runs for Admin group/user/org-unit edits, Contacts delete, Docs tab export, Drive tab download/share/unshare, and Gmail watch renew stay offline before auth/API calls; redact Admin user create passwords in dry-run output.
 - Auth: keep fresh OAuth saves working even when old file-keyring token entries are unreadable, and clarify that `--services all` means all user OAuth services while Workspace-only services use service accounts.
 - Auth: include Chat reaction scopes in `--services chat` and keep the generated auth scope table freshness-tested.
+- Auth: keep the accounts manager bound to loopback addresses, generate callback URLs from the actual listener host, and avoid deleting renamed-account tokens before replacements are stored.
 - Gmail: reject off-palette `gmail labels style` colors locally instead of forwarding an opaque Gmail API error.
 - Drive: make `drive share --dry-run` stop before permission creation for user and domain shares, including `--notify`.
 - Forms: make `forms create --description` apply the description with a follow-up batch update, and preserve zero-valued indexes in `forms move-question`.
diff --git a/docs/commands/gog-auth-manage.md b/docs/commands/gog-auth-manage.md
@@ -30,7 +30,7 @@ gog auth manage (login) [flags]
 | `--gmail-no-send` | `bool` | false | Block Gmail send operations (agent safety) |
 | `-h`<br>`--help` | `kong.helpFlag` |  | Show context-sensitive help. |
 | `-j`<br>`--json`<br>`--machine` | `bool` | false | Output JSON to stdout (best for scripting) |
-| `--listen-addr` | `string` |  | Address to listen on for OAuth callback (for example 0.0.0.0 or 0.0.0.0:8080) |
+| `--listen-addr` | `string` |  | Loopback address to listen on for the accounts manager (for example 127.0.0.1:8080 or [::1]:8080) |
 | `--no-input`<br>`--non-interactive`<br>`--noninteractive` | `bool` |  | Never prompt; fail instead (useful for CI) |
 | `-p`<br>`--plain`<br>`--tsv` | `bool` | false | Output stable, parseable text to stdout (TSV; no colors) |
 | `--redirect-host` | `string` |  | Hostname for OAuth callback; builds https://{host}/oauth2/callback |
diff --git a/internal/cmd/auth_accounts.go b/internal/cmd/auth_accounts.go
@@ -258,7 +258,7 @@ type AuthManageCmd struct {
 	ForceConsent bool          `name:"force-consent" help:"Force consent screen when adding accounts"`
 	ServicesCSV  string        `name:"services" help:"Services to authorize: user|all-user or comma-separated ${auth_services}; all means all user OAuth services. Workspace service-account-only services: admin, groups, keep" default:"user"`
 	Timeout      time.Duration `name:"timeout" help:"Server timeout duration" default:"10m"`
-	ListenAddr   string        `name:"listen-addr" help:"Address to listen on for OAuth callback (for example 0.0.0.0 or 0.0.0.0:8080)"`
+	ListenAddr   string        `name:"listen-addr" help:"Loopback address to listen on for the accounts manager (for example 127.0.0.1:8080 or [::1]:8080)"`
 	RedirectHost string        `name:"redirect-host" help:"Hostname for OAuth callback; builds https://{host}/oauth2/callback"`
 }
 
diff --git a/internal/cmd/auth_add.go b/internal/cmd/auth_add.go
@@ -263,13 +263,10 @@ func (c *AuthAddCmd) Run(ctx context.Context, flags *RootFlags) error {
 	}
 	sort.Strings(serviceNames)
 
-	migratedEmail, err := googleauth.MigrateStoredSubjectIdentity(store, client, identity)
+	migratedEmail, err := googleauth.FindStoredSubjectIdentityEmail(store, client, identity)
 	if err != nil {
 		return wrapAuthAddStoreError(err)
 	}
-	if migratedEmail != "" {
-		u.Err().Linef("Migrated auth account from %s to %s", migratedEmail, authorizedEmail)
-	}
 
 	if err := store.SetToken(client, authorizedEmail, secrets.Token{
 		Client:       client,
@@ -281,6 +278,15 @@ func (c *AuthAddCmd) Run(ctx context.Context, flags *RootFlags) error {
 	}); err != nil {
 		return wrapAuthAddStoreError(err)
 	}
+	if migratedEmail != "" {
+		if err := googleauth.MigrateStoredEmailReferences(store, client, migratedEmail, authorizedEmail); err != nil {
+			return wrapAuthAddStoreError(err)
+		}
+		if err := googleauth.DeleteStoredEmailAlias(store, client, migratedEmail); err != nil {
+			u.Err().Linef("Warning: failed to remove stale auth account %s: %v", migratedEmail, err)
+		}
+		u.Err().Linef("Migrated auth account from %s to %s", migratedEmail, authorizedEmail)
+	}
 	if override != "" {
 		cfg, err := config.ReadConfig()
 		if err != nil {
diff --git a/internal/googleapi/client_auth.go b/internal/googleapi/client_auth.go
@@ -102,6 +102,10 @@ func (p *persistingTokenSource) Token() (*oauth2.Token, error) {
 	}
 
 	if !strings.EqualFold(p.email, persistEmail) {
+		if err := googleauth.MigrateStoredEmailReferences(p.store, p.client, p.email, persistEmail); err != nil {
+			slog.Warn("migrate renamed token email references failed", "old_email", p.email, "new_email", persistEmail, "client", p.client, "err", err)
+		}
+
 		aliasDeleter, ok := p.store.(tokenAliasDeleter)
 		if !ok {
 			slog.Debug("token store cannot delete renamed email alias", "old_email", p.email, "new_email", persistEmail, "client", p.client)
diff --git a/internal/googleapi/client_more_test.go b/internal/googleapi/client_more_test.go
@@ -45,6 +45,11 @@ type stubStore struct {
 	deleteEmail  string
 	deleteCalls  int
 	deleteErr    error
+
+	defaultEmail     string
+	setDefaultClient string
+	setDefaultEmail  string
+	setDefaultCalls  int
 }
 
 func (s *stubStore) Keys() ([]string, error) { return nil, nil }
@@ -79,9 +84,20 @@ func (s *stubStore) DeleteTokenAlias(client string, email string) error {
 	return s.DeleteToken(client, email)
 }
 
-func (s *stubStore) ListTokens() ([]secrets.Token, error)     { return nil, nil }
-func (s *stubStore) GetDefaultAccount(string) (string, error) { return "", nil }
-func (s *stubStore) SetDefaultAccount(string, string) error   { return nil }
+func (s *stubStore) ListTokens() ([]secrets.Token, error) { return nil, nil }
+func (s *stubStore) GetDefaultAccount(string) (string, error) {
+	return s.defaultEmail, nil
+}
+
+func (s *stubStore) SetDefaultAccount(client string, email string) error {
+	s.setDefaultClient = client
+	s.setDefaultEmail = email
+	s.setDefaultCalls++
+	s.defaultEmail = email
+
+	return nil
+}
+
 func (s *stubStore) GetToken(client string, email string) (secrets.Token, error) {
 	s.lastClient = client
 	s.lastEmail = email
@@ -264,8 +280,20 @@ func TestPersistingTokenSource_BackfillsSubjectFromIDToken(t *testing.T) {
 }
 
 func TestPersistingTokenSource_MigratesRenamedEmailFromIDToken(t *testing.T) {
+	home := t.TempDir()
+	t.Setenv("HOME", home)
+	t.Setenv("XDG_CONFIG_HOME", filepath.Join(home, "xdg"))
+
+	cfg := config.File{
+		AccountAliases: map[string]string{"work": "old@example.com"},
+		AccountClients: map[string]string{"old@example.com": "work-client"},
+	}
+	if err := config.WriteConfig(cfg); err != nil {
+		t.Fatalf("WriteConfig: %v", err)
+	}
+
 	stored := secrets.Token{Email: "old@example.com", RefreshToken: "same-token", Subject: "sub-123"}
-	store := &stubStore{tok: stored}
+	store := &stubStore{tok: stored, defaultEmail: "old@example.com"}
 	base := oauth2.StaticTokenSource((&oauth2.Token{
 		AccessToken:  "access",
 		RefreshToken: "same-token",
@@ -294,6 +322,27 @@ func TestPersistingTokenSource_MigratesRenamedEmailFromIDToken(t *testing.T) {
 		t.Fatalf("expected old alias delete, got calls=%d client=%q email=%q", store.deleteCalls, store.deleteClient, store.deleteEmail)
 	}
 
+	if store.setDefaultCalls != 1 || store.setDefaultClient != config.DefaultClientName || store.setDefaultEmail != "new@example.com" {
+		t.Fatalf("expected default migration, got calls=%d client=%q email=%q", store.setDefaultCalls, store.setDefaultClient, store.setDefaultEmail)
+	}
+
+	updated, err := config.ReadConfig()
+	if err != nil {
+		t.Fatalf("ReadConfig: %v", err)
+	}
+
+	if updated.AccountAliases["work"] != "new@example.com" {
+		t.Fatalf("expected alias migrated, got %#v", updated.AccountAliases)
+	}
+
+	if updated.AccountClients["new@example.com"] != "work-client" {
+		t.Fatalf("expected account client migrated, got %#v", updated.AccountClients)
+	}
+
+	if _, ok := updated.AccountClients["old@example.com"]; ok {
+		t.Fatalf("expected old account client removed, got %#v", updated.AccountClients)
+	}
+
 	pts, ok := ts.(*persistingTokenSource)
 	if !ok {
 		t.Fatalf("expected persistingTokenSource")
diff --git a/internal/googleauth/accounts_server.go b/internal/googleauth/accounts_server.go
@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"html/template"
 	"io"
+	"log/slog"
 	"net"
 	"net/http"
 	"os"
@@ -100,6 +101,15 @@ func StartManageServer(ctx context.Context, opts ManageServerOptions) error {
 
 	opts.Client = client
 
+	listenAddr, err := normalizeListenAddr(opts.ListenAddr)
+	if err != nil {
+		return err
+	}
+
+	if validationErr := validateManagementListenAddr(listenAddr); validationErr != nil {
+		return validationErr
+	}
+
 	if strings.TrimSpace(opts.RedirectURI) != "" {
 		resolvedRedirectURI, normalizeErr := normalizeRedirectURI(opts.RedirectURI)
 		if normalizeErr != nil {
@@ -118,11 +128,6 @@ func StartManageServer(ctx context.Context, opts ManageServerOptions) error {
 		return fmt.Errorf("failed to generate CSRF token: %w", err)
 	}
 
-	listenAddr, err := normalizeListenAddr(opts.ListenAddr)
-	if err != nil {
-		return err
-	}
-
 	ln, err := (&net.ListenConfig{}).Listen(ctx, "tcp", listenAddr)
 	if err != nil {
 		return fmt.Errorf("failed to start listener: %w", err)
@@ -170,8 +175,7 @@ func StartManageServer(ctx context.Context, opts ManageServerOptions) error {
 		}
 	}()
 
-	port := ln.Addr().(*net.TCPAddr).Port
-	url := fmt.Sprintf("http://127.0.0.1:%d", port)
+	url := listenerBaseURL(ln)
 
 	fmt.Fprintln(os.Stderr, "Opening accounts manager in browser...")
 	fmt.Fprintln(os.Stderr, "If the browser doesn't open, visit:", url)
@@ -438,9 +442,9 @@ func (ms *ManageServer) handleOAuthCallback(w http.ResponseWriter, r *http.Reque
 	}
 
 	if needKeychain {
-		if err := ensureKeychainAccess(); err != nil { //nolint:contextcheck,nolintlint // keychain ops don't use context; nolint unused on non-Darwin
+		if keychainErr := ensureKeychainAccess(); keychainErr != nil { //nolint:contextcheck,nolintlint // keychain ops don't use context; nolint unused on non-Darwin
 			w.WriteHeader(http.StatusInternalServerError)
-			renderErrorPage(w, "Keychain is locked: "+err.Error())
+			renderErrorPage(w, "Keychain is locked: "+keychainErr.Error())
 
 			return
 		}
@@ -451,15 +455,14 @@ func (ms *ManageServer) handleOAuthCallback(w http.ResponseWriter, r *http.Reque
 		serviceNames = append(serviceNames, string(svc))
 	}
 
-	if _, err := MigrateStoredSubjectIdentity(ms.store, ms.client, identity); err != nil {
+	migratedEmail, err := FindStoredSubjectIdentityEmail(ms.store, ms.client, identity)
+	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
-		renderErrorPage(w, "Failed to migrate stored token: "+err.Error())
+		renderErrorPage(w, "Failed to inspect stored token: "+err.Error())
 
 		return
 	}
 
-	// Store the token after subject migration so deleting the old email alias
-	// cannot remove the freshly written subject-keyed token.
 	if err := ms.store.SetToken(ms.client, email, secrets.Token{
 		Subject:      identity.Subject,
 		Email:        email,
@@ -473,6 +476,19 @@ func (ms *ManageServer) handleOAuthCallback(w http.ResponseWriter, r *http.Reque
 		return
 	}
 
+	if migratedEmail != "" {
+		if err := MigrateStoredEmailReferences(ms.store, ms.client, migratedEmail, email); err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+			renderErrorPage(w, "Failed to migrate stored token references: "+err.Error())
+
+			return
+		}
+
+		if err := DeleteStoredEmailAlias(ms.store, ms.client, migratedEmail); err != nil {
+			slog.Warn("delete migrated token alias failed", "old_email", migratedEmail, "new_email", email, "client", ms.client, "err", err)
+		}
+	}
+
 	// Render success page with the new template
 	w.WriteHeader(http.StatusOK)
 	renderSuccessPageWithDetails(w, email, serviceNames)
diff --git a/internal/googleauth/accounts_server_test.go b/internal/googleauth/accounts_server_test.go
@@ -75,6 +75,10 @@ func (s *fakeStore) DeleteToken(client string, email string) error {
 	return nil
 }
 
+func (s *fakeStore) DeleteTokenAlias(client string, email string) error {
+	return s.DeleteToken(client, email)
+}
+
 func (s *fakeStore) DeleteDefaultAccount(client string) error {
 	s.deleteDefault = true
 	s.deleteDefaultCalled = client
@@ -758,7 +762,7 @@ func TestManageServer_HandleOAuthCallback_Success(t *testing.T) {
 	}
 }
 
-func TestManageServer_HandleOAuthCallback_MigratesBeforeSetToken(t *testing.T) {
+func TestManageServer_HandleOAuthCallback_MigratesAndDeletesAliasAfterSetToken(t *testing.T) {
 	t.Setenv("HOME", t.TempDir())
 	t.Setenv("XDG_CONFIG_HOME", t.TempDir())
 
@@ -831,12 +835,26 @@ func TestManageServer_HandleOAuthCallback_MigratesBeforeSetToken(t *testing.T) {
 		t.Fatalf("status: %d body: %s", rr.Code, rr.Body.String())
 	}
 
-	wantOps := []string{"delete:old@example.com", "set:new@example.com"}
+	wantOps := []string{"set:new@example.com", "delete:old@example.com"}
 	if len(store.ops) != len(wantOps) || store.ops[0] != wantOps[0] || store.ops[1] != wantOps[1] {
 		t.Fatalf("unexpected store ops: %#v", store.ops)
 	}
 }
 
+func TestStartManageServerRejectsNonLoopbackListenAddr(t *testing.T) {
+	err := StartManageServer(context.Background(), ManageServerOptions{
+		ListenAddr: "0.0.0.0:0",
+		Timeout:    50 * time.Millisecond,
+	})
+	if err == nil {
+		t.Fatalf("expected non-loopback listen addr error")
+	}
+
+	if !errors.Is(err, errNonLoopbackManageAddr) {
+		t.Fatalf("expected errNonLoopbackManageAddr, got %v", err)
+	}
+}
+
 func TestManageServer_HandleOAuthCallback_FileBackendSkipsKeychain(t *testing.T) {
 	origRead := readClientCredentials
 	origEndpoint := oauthEndpoint
diff --git a/internal/googleauth/identity_migration.go b/internal/googleauth/identity_migration.go
@@ -9,6 +9,20 @@ import (
 )
 
 func MigrateStoredSubjectIdentity(store secrets.Store, client string, identity Identity) (string, error) {
+	oldEmail, err := FindStoredSubjectIdentityEmail(store, client, identity)
+	if err != nil || oldEmail == "" {
+		return oldEmail, err
+	}
+
+	newEmail := normalizeEmail(identity.Email)
+	if err := MigrateStoredEmailReferences(store, client, oldEmail, newEmail); err != nil {
+		return "", err
+	}
+
+	return oldEmail, nil
+}
+
+func FindStoredSubjectIdentityEmail(store secrets.Store, client string, identity Identity) (string, error) {
 	subject := strings.TrimSpace(identity.Subject)
 	newEmail := normalizeEmail(identity.Email)
 
@@ -34,20 +48,6 @@ func MigrateStoredSubjectIdentity(store secrets.Store, client string, identity I
 			continue
 		}
 
-		if err := store.DeleteToken(client, oldEmail); err != nil {
-			return "", fmt.Errorf("delete stale token for %s: %w", oldEmail, err)
-		}
-
-		if defaultEmail, getErr := store.GetDefaultAccount(client); getErr == nil && normalizeEmail(defaultEmail) == oldEmail {
-			if setErr := store.SetDefaultAccount(client, newEmail); setErr != nil {
-				return "", fmt.Errorf("set migrated default account: %w", setErr)
-			}
-		}
-
-		if err := migrateStoredSubjectConfig(oldEmail, newEmail); err != nil {
-			return "", err
-		}
-
 		return oldEmail, nil
 	}
 
@@ -85,6 +85,49 @@ func tokensForSubjectMigration(store secrets.Store, client string) ([]secrets.To
 	return tokens, nil
 }
 
+type tokenAliasDeleter interface {
+	DeleteTokenAlias(client string, email string) error
+}
+
+func DeleteStoredEmailAlias(store secrets.Store, client string, email string) error {
+	email = normalizeEmail(email)
+	if email == "" {
+		return nil
+	}
+
+	aliasDeleter, ok := store.(tokenAliasDeleter)
+	if !ok {
+		return nil
+	}
+
+	if err := aliasDeleter.DeleteTokenAlias(client, email); err != nil {
+		return fmt.Errorf("delete stale token alias for %s: %w", email, err)
+	}
+
+	return nil
+}
+
+func MigrateStoredEmailReferences(store secrets.Store, client string, oldEmail string, newEmail string) error {
+	oldEmail = normalizeEmail(oldEmail)
+	newEmail = normalizeEmail(newEmail)
+
+	if oldEmail == "" || newEmail == "" || oldEmail == newEmail {
+		return nil
+	}
+
+	if defaultEmail, getErr := store.GetDefaultAccount(client); getErr == nil && normalizeEmail(defaultEmail) == oldEmail {
+		if setErr := store.SetDefaultAccount(client, newEmail); setErr != nil {
+			return fmt.Errorf("set migrated default account: %w", setErr)
+		}
+	}
+
+	if err := migrateStoredSubjectConfig(oldEmail, newEmail); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func migrateStoredSubjectConfig(oldEmail string, newEmail string) error {
 	if err := config.UpdateConfig(func(cfg *config.File) error {
 		for alias, target := range cfg.AccountAliases {
diff --git a/internal/googleauth/identity_migration_test.go b/internal/googleauth/identity_migration_test.go
diff --git a/internal/googleauth/oauth_flow_more_test.go b/internal/googleauth/oauth_flow_more_test.go
diff --git a/internal/googleauth/oauth_network.go b/internal/googleauth/oauth_network.go

Original file line number	Diff line number	Diff line change
`@@ -258,7 +258,7 @@ type AuthManageCmd struct {`
`258`	`258`	ForceConsent bool `name:"force-consent" help:"Force consent screen when adding accounts"`
`259`	`259`	ServicesCSV string `name:"services" help:"Services to authorize: user\|all-user or comma-separated ${auth_services}; all means all user OAuth services. Workspace service-account-only services: admin, groups, keep" default:"user"`
`260`	`260`	Timeout time.Duration `name:"timeout" help:"Server timeout duration" default:"10m"`
`261`		- ListenAddr string `name:"listen-addr" help:"Address to listen on for OAuth callback (for example 0.0.0.0 or 0.0.0.0:8080)"`
	`261`	+ ListenAddr string `name:"listen-addr" help:"Loopback address to listen on for the accounts manager (for example 127.0.0.1:8080 or [::1]:8080)"`
`262`	`262`	RedirectHost string `name:"redirect-host" help:"Hostname for OAuth callback; builds https://{host}/oauth2/callback"`
`263`	`263`	`}`
`264`	`264`