gemini-cli-extensions · karmel · Feb 11, 2026 · gemini-code-assist · Feb 11, 2026 · gemini-code-assist
diff --git a/package-lock.json b/package-lock.json
diff --git a/workspace-server/src/auth/AuthManager.ts b/workspace-server/src/auth/AuthManager.ts
@@ -39,6 +39,34 @@ export class AuthManager {
     this.scopes = scopes;
   }
 
+  public async isAuthenticated(): Promise<boolean> {
+    const credentials = await OAuthCredentialStorage.loadCredentials();
+    return !!(credentials && credentials.refresh_token);
+  }
+
+  public async saveCredentialsFromJson(jsonStr: string): Promise<void> {
+    try {
+      const tokens = JSON.parse(jsonStr);
+      // Validate input has required fields
+      if (!tokens.refresh_token || !tokens.access_token) {
+        throw new Error('Invalid credentials JSON: missing required fields');
+      }
-      const tokens = JSON.parse(jsonStr);
-      // Validate input has required fields
-      if (!tokens.refresh_token || !tokens.access_token) {
-        throw new Error('Invalid credentials JSON: missing required fields');
-      }
+      const credentialsSchema = z.object({
+        refresh_token: z.string().min(1, { message: 'refresh_token cannot be empty' }),
+        access_token: z.string().min(1, { message: 'access_token cannot be empty' }),
+        scope: z.string().optional(),
+        token_type: z.string().optional(),
+        expiry_date: z.number().optional(),
+      });
+      const tokens = credentialsSchema.parse(JSON.parse(jsonStr));
-      const tokens = JSON.parse(jsonStr);
-      // Validate input has required fields
-      if (!tokens.refresh_token || !tokens.access_token) {
-        throw new Error('Invalid credentials JSON: missing required fields');
-      }
+      const credentialsSchema = z.object({
+        refresh_token: z.string().min(1, { message: 'refresh_token cannot be empty' }),
+        access_token: z.string().min(1, { message: 'access_token cannot be empty' }),
+        scope: z.string().optional(),
+        token_type: z.string().optional(),
+        expiry_date: z.number().optional(),
+      });
+      const tokens = credentialsSchema.parse(JSON.parse(jsonStr));
+
+      this.client = new google.auth.OAuth2(CLIENT_ID);
+      this.client.setCredentials(tokens);
+      await OAuthCredentialStorage.saveCredentials(tokens);
+      logToFile('Credentials saved manually from JSON');
+    } catch (e) {
+      logToFile(`Error saving credentials from JSON: ${e}`);
+      throw e;
+    }
+  }
+
+  public async getAuthUrl(): Promise<string> {
+    const client = new google.auth.OAuth2(CLIENT_ID);
+    return this.generateAuthUrl(client, true); // true = manual mode
+  }
+
   public setOnStatusUpdate(callback: (message: string) => void) {
     this.onStatusUpdate = callback;
   }
@@ -294,40 +322,57 @@ export class AuthManager {
     });
   }
 
-  private async authWithWeb(client: Auth.OAuth2Client): Promise<OauthWebLogin> {
-    logToFile(
-      `Requesting authentication with scopes: ${this.scopes.join(', ')}`,
-    );
-
-    const port = await this.getAvailablePort();
-    const host = process.env['OAUTH_CALLBACK_HOST'] || 'localhost';
-
-    const localRedirectUri = `http://${host}:${port}/oauth2callback`;
-
-    const isGuiAvailable = shouldLaunchBrowser();
-
-    // SECURITY: Generate a random token for CSRF protection.
-    const csrfToken = crypto.randomBytes(32).toString('hex');
+  private generateAuthUrl(
+    client: Auth.OAuth2Client,
+    manual: boolean,
+    localRedirectUri?: string,
+    csrfToken?: string,
+  ): string {
+    // Generate a new CSRF token if not provided
+    const token = csrfToken || crypto.randomBytes(32).toString('hex');
 
     // The state now contains a JSON payload indicating the flow mode and CSRF token.
     const statePayload = {
-      uri: isGuiAvailable ? localRedirectUri : undefined,
-      manual: !isGuiAvailable,
-      csrf: csrfToken,
+      uri: localRedirectUri,
+      manual: manual,
+      csrf: token,
     };
     const state = Buffer.from(JSON.stringify(statePayload)).toString('base64');
 
     // The redirect URI for Google's auth server is the cloud function
     const cloudFunctionRedirectUri =
       'https://google-workspace-extension.geminicli.com';
 
-    const authUrl = client.generateAuthUrl({
+    return client.generateAuthUrl({
       redirect_uri: cloudFunctionRedirectUri, // Tell Google to go to the cloud function
       access_type: 'offline',
       scope: this.scopes,
       state: state, // Pass our JSON payload in the state
       prompt: 'consent', // Make sure we get a refresh token
     });
+  }
+
+  private async authWithWeb(client: Auth.OAuth2Client): Promise<OauthWebLogin> {
+    logToFile(
+      `Requesting authentication with scopes: ${this.scopes.join(', ')}`,
+    );
+
+    const port = await this.getAvailablePort();
+    const host = process.env['OAUTH_CALLBACK_HOST'] || 'localhost';
+
+    const localRedirectUri = `http://${host}:${port}/oauth2callback`;
+
+    const isGuiAvailable = shouldLaunchBrowser();
+
+    // SECURITY: Generate a random token for CSRF protection.
+    const csrfToken = crypto.randomBytes(32).toString('hex');
+
+    const authUrl = this.generateAuthUrl(
+      client,
+      !isGuiAvailable,
+      isGuiAvailable ? localRedirectUri : undefined,
+      csrfToken,
+    );
 
     const loginCompletePromise = new Promise<void>((resolve, reject) => {
       const server = http.createServer(async (req, res) => {

diff --git a/workspace-server/src/index.ts b/workspace-server/src/index.ts
@@ -143,6 +143,58 @@ async function main() {
     },
   );
 
+  server.registerTool(
+    'auth.login',
+    {
+      description: 'Initiates or completes the authentication flow.',
+      inputSchema: {
+        credentialsJson: z
+          .string()
+          .optional()
+          .describe(
+            'The credentials JSON string pasted from the browser authentication page (if completing the flow).',
+          ),
+      },
+    },
+    async (input) => {
+      if (input.credentialsJson) {
+        // Complete the flow
+        await authManager.saveCredentialsFromJson(input.credentialsJson);
+        return {
+          content: [
+            {
+              type: 'text',
+              text: 'Authentication successful! Credentials saved.',
+            },
+          ],
+        };
+      }
+
+      // Check if already authenticated
+      if (await authManager.isAuthenticated()) {
+        return {
+          content: [
+            {
+              type: 'text',
+              text: 'Already authenticated.',
+            },
+          ],
+        };
+      }
+
+      // Initiate the flow
+      const authUrl = await authManager.getAuthUrl();
+      return {
+        content: [
+          {
+            type: 'text',
+            text: `To authenticate, please visit this URL:\n${authUrl}\n\nAfter authenticating, copy the JSON credentials and run this tool again with the 'credentialsJson' argument.`,
+          },
+        ],
+      };
+    },
+  );
+
   server.registerTool(
     'docs.create',
     {

diff --git a/workspace-server/src/utils/open-wrapper.ts b/workspace-server/src/utils/open-wrapper.ts
@@ -36,7 +36,7 @@ const createMockChildProcess = () => ({
 const openWrapper = async (url: string): Promise<any> => {
   // Check if we should launch the browser
   if (!shouldLaunchBrowser()) {
-    console.log(
+    console.error(
       `Browser launch not supported. Please open this URL in your browser: ${url}`,
     );
     return createMockChildProcess();
@@ -47,7 +47,7 @@ const openWrapper = async (url: string): Promise<any> => {
     await openBrowserSecurely(url);
     return createMockChildProcess();
   } catch {
-    console.log(
+    console.error(
       `Failed to open browser. Please open this URL in your browser: ${url}`,
     );
     return createMockChildProcess();