
fix(auth): include Gmail settings scope #794

Open
Lubrsy706 wants to merge 3 commits into googleworkspace:main from Lubrsy706:fix/gmail-settings-basic-scope

@Lubrsy706 Lubrsy706 commented May 13, 2026

Closes #668.

Summary

  • add https://www.googleapis.com/auth/gmail.settings.basic to the minimal and full OAuth scope sets
  • expose the same scope in the manual scope picker
  • add coverage to keep the settings scope present

Testing

  • git diff --check
  • cargo fmt --check
  • cargo test -p google-workspace-cli resolve_scopes_returns_defaults_when_no_flag
  • cargo test -p google-workspace-cli filter_restrictive

changeset-bot Bot commented May 13, 2026

⚠️ No Changeset found

Latest commit: 6528f7a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the Google Workspace CLI authentication configuration to include the 'gmail.settings.basic' scope. This change ensures that users have the necessary permissions to access basic Gmail settings, and includes corresponding updates to the manual scope picker and verification tests to maintain configuration integrity.

Highlights

  • OAuth Scope Expansion: Added the 'gmail.settings.basic' scope to both the minimal and full OAuth scope sets.
  • Scope Picker Update: Exposed the new Gmail settings scope in the manual scope selection interface.
  • Test Coverage: Updated unit tests to verify that the new scope is correctly included in the resolved scope lists.

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request adds the gmail.settings.basic scope to the minimal and full scope definitions, the scope registry, and associated tests. Feedback indicates that the filter_redundant_restrictive_scopes function should also be updated to include this new scope in its RESTRICTIVE_SCOPES list to ensure proper handling when broader permissions are granted.

"https://www.googleapis.com/auth/drive",
"https://www.googleapis.com/auth/spreadsheets",
"https://www.googleapis.com/auth/gmail.modify",
"https://www.googleapis.com/auth/gmail.settings.basic",
high

Adding https://www.googleapis.com/auth/gmail.settings.basic to the default scope sets requires an update to the filter_redundant_restrictive_scopes function (located around line 862). This function is designed to remove restrictive scopes that are redundant when broader scopes (like https://mail.google.com/) are present, preventing Google from enforcing the narrower scope's limitations on the access token. Please add an entry for this new scope to the RESTRICTIVE_SCOPES constant within that function to ensure it is filtered out when full Gmail access is granted.

@Lubrsy706 (Author)

Thanks for catching this. I added gmail.settings.basic to the redundant restrictive-scope filter when https://mail.google.com/ is present, with regression coverage for both filtering and keeping it when only gmail.modify is present.

@googleworkspace-bot (Collaborator)

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request adds the https://www.googleapis.com/auth/gmail.settings.basic scope to the Google Workspace CLI, updating the minimal and full scope lists, redundancy filtering logic, and unit tests. Feedback indicates that adding this restricted scope to MINIMAL_SCOPES contradicts existing documentation and may increase authentication risks for unverified OAuth applications.

"https://www.googleapis.com/auth/drive",
"https://www.googleapis.com/auth/spreadsheets",
"https://www.googleapis.com/auth/gmail.modify",
"https://www.googleapis.com/auth/gmail.settings.basic",
high

Adding https://www.googleapis.com/auth/gmail.settings.basic to MINIMAL_SCOPES contradicts the documentation above (lines 258-262), which states that these scopes should never trigger Google's restricted_client or unverified-app blocks. This scope is explicitly classified as Restricted in setup.rs (line 194). While other restricted scopes like gmail.modify are already present, adding more restricted scopes increases the likelihood of authentication failures for users with unverified OAuth apps.

References
  1. Avoid introducing changes that are outside the primary goal of a pull request to prevent scope creep.

@Lubrsy706 (Author)

Good point. I removed gmail.settings.basic from MINIMAL_SCOPES so the default login set stays unchanged. The scope remains available in the picker and --full, which addresses the filters use case without making the default scope set broader.

@googleworkspace-bot (Collaborator)

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request adds the gmail.settings.basic scope to the Google Workspace CLI, including it in the full scope list and marking it as redundant when the root Gmail scope is present. The reviewer pointed out that this scope is also redundant when gmail.modify is present, recommending that gmail.modify be added as a broader alternative and that the unit tests be updated to reflect this logic.

Comment on lines +871 to +872
"https://www.googleapis.com/auth/gmail.settings.basic",
&["https://mail.google.com/"],
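
Review bot: The broader-alternatives slice on the second line lists only https://mail.google.com/, and nothing in these lines records why that scope is treated as covering gmail.settings.basic. Because the filter drops the narrower scope from the request entirely, add a short comment naming the settings methods this pairing was checked against, so a later edit to the slice has something to verify against.
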
high

The gmail.settings.basic scope is redundant when https://www.googleapis.com/auth/gmail.modify is present, as the latter grants full read/write access to Gmail resources and their settings. To maintain consistency with the handling of gmail.metadata and to avoid potential token limitations enforced by Google when redundant restrictive scopes are included, gmail.modify should be added to the list of broader alternatives.

            "https://www.googleapis.com/auth/gmail.settings.basic",
            &[
                "https://mail.google.com/",
                "https://www.googleapis.com/auth/gmail.modify",
            ],

Comment on lines +2390 to +2398
#[test]
fn filter_restrictive_keeps_settings_basic_without_full_gmail() {
let scopes = vec![
"https://www.googleapis.com/auth/gmail.modify".to_string(),
"https://www.googleapis.com/auth/gmail.settings.basic".to_string(),
];
let result = filter_redundant_restrictive_scopes(scopes.clone());
assert_eq!(result, scopes);
}
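
Review bot: The assertion assert_eq!(result, scopes) pins the decision that gmail.modify does not make gmail.settings.basic redundant, but the test name only says without_full_gmail and no comment states that reason. Add a one-line comment above the vec! explaining why gmail.modify is not listed as a broader alternative, and consider a companion case with gmail.settings.basic alone so the keep path is covered without depending on gmail.modify.
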
high

This test case incorrectly asserts that gmail.settings.basic should be retained when gmail.modify is present. Since gmail.modify is a broader scope that encompasses settings management, gmail.settings.basic is redundant and should be filtered out by filter_redundant_restrictive_scopes. The test should be updated to verify this deduplication logic, ensuring consistency with how other Gmail scopes like gmail.metadata are handled.

    #[test]
    fn filter_restrictive_removes_settings_basic_when_modify_present() {
        let scopes = vec![
            "https://www.googleapis.com/auth/gmail.modify".to_string(),
            "https://www.googleapis.com/auth/gmail.settings.basic".to_string(),
        ];
        let result = filter_redundant_restrictive_scopes(scopes);
        assert_eq!(result, vec!["https://www.googleapis.com/auth/gmail.modify"]);
    }
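
The two rule variants discussed in the last review round, shown side by side as an added example (not code from this PR or from the project). `Rule`, `drop_redundant`, `owned` and the two rule tables are hypothetical names; only the three scope URLs come from the thread.

```rust
// Added illustration; not the project's filter_redundant_restrictive_scopes.
// A rule pairs a restrictive scope with the broader scopes that make it redundant.
type Rule = (&'static str, &'static [&'static str]);

const MAIL: &str = "https://mail.google.com/";
const MODIFY: &str = "https://www.googleapis.com/auth/gmail.modify";
const SETTINGS: &str = "https://www.googleapis.com/auth/gmail.settings.basic";

// Variant in the lines under review (+871 to +872): only the root Gmail scope is broader.
const RULES_ROOT_ONLY: &[Rule] = &[(SETTINGS, &[MAIL])];
// Variant proposed in the review comment: gmail.modify also counts as broader.
const RULES_WITH_MODIFY: &[Rule] = &[(SETTINGS, &[MAIL, MODIFY])];

/// Drop every scope that a rule marks as redundant because one of its broader
/// alternatives is also requested. Order of the surviving scopes is preserved.
fn drop_redundant(scopes: Vec<String>, rules: &[Rule]) -> Vec<String> {
    let requested = scopes.clone();
    scopes
        .into_iter()
        .filter(|s| {
            !rules.iter().any(|(restrictive, broader)| {
                s == restrictive && broader.iter().any(|b| requested.iter().any(|r| r == b))
            })
        })
        .collect()
}

/// Helper to build an owned scope list from string literals.
fn owned(list: &[&str]) -> Vec<String> {
    list.iter().map(|s| s.to_string()).collect()
}

fn main() {
    // Constructed input: a login that requests gmail.modify plus gmail.settings.basic.
    let login = owned(&[MODIFY, SETTINGS]);
    println!("root-only rule:   {:?}", drop_redundant(login.clone(), RULES_ROOT_ONLY));
    println!("with-modify rule: {:?}", drop_redundant(login, RULES_WITH_MODIFY));
}
```

Under the root-only table the settings scope stays in the request next to gmail.modify; under the with-modify table it is dropped, so the choice of table decides whether the token is ever asked for gmail.settings.basic.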

Development

Successfully merging this pull request may close these issues.

gmail.settings.basic scope missing from auth login scope picker — cannot create Gmail filters
