fix(auth): show env credential overrides #811

Open
Lubrsy706 wants to merge 3 commits into googleworkspace:main from Lubrsy706:fix/auth-status-env-overrides


@Lubrsy706

Summary

  • Show OAuth client environment variables in gws auth status
  • Add an explicit env_overrides_client_config flag when env credentials shadow client_secret.json
  • Mask the env client ID so stale/deleted client overrides are visible without leaking full credentials

Fixes #715

Tests

  • cargo fmt --check
  • cargo test -p google-workspace-cli add_oauth_env_status_fields -- --nocapture
  • cargo check -p google-workspace-cli
  • git diff --check

@changeset-bot

changeset-bot Bot commented May 15, 2026

⚠️ No Changeset found

Latest commit: 4f461d1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the 'gws auth status' command to provide better transparency regarding OAuth credential sources. By surfacing environment variable overrides and masking sensitive identifiers, it helps users diagnose configuration issues where environment variables might unintentionally take precedence over local files.

Highlights

  • OAuth Environment Variable Visibility: Added functionality to expose OAuth client environment variables in the 'gws auth status' command output.
  • Override Detection: Introduced an 'env_overrides_client_config' flag to explicitly indicate when environment variables are shadowing the local 'client_secret.json' configuration.
  • Security Masking: Implemented masking for the environment-provided client ID to prevent credential leakage while maintaining visibility for debugging.

Footnotes

  1. Review the Generative AI Prohibited Use Policy, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request updates the auth status command to include information about OAuth environment variable overrides. It introduces the add_oauth_env_status_fields function to check for GOOGLE_WORKSPACE_CLI_CLIENT_ID and GOOGLE_WORKSPACE_CLI_CLIENT_SECRET, along with a unit test. A review comment identifies an inconsistency where empty environment variables are filtered out in the status check but not in the actual credential resolution logic, which could lead to misleading status reports.

Comment on lines +1459 to +1465
let env_client_id = std::env::var("GOOGLE_WORKSPACE_CLI_CLIENT_ID")
.ok()
.filter(|value| !value.is_empty());
let env_client_secret_set = std::env::var("GOOGLE_WORKSPACE_CLI_CLIENT_SECRET")
.ok()
.filter(|value| !value.is_empty())
.is_some();
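
Review bot: `.ok()` on both `std::env::var` calls collapses `VarError::NotUnicode` into `None`, so a variable that is set to non-UTF-8 bytes is reported exactly like one that is absent. For a status command whose purpose is to surface stray overrides, consider `std::env::var_os` (or matching on the error) and reporting an invalid value as present but unusable. A short comment stating that empty means unset would also help, since the filter is easy to read as an oversight.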

high

The environment variable check here is inconsistent with the actual credential resolution logic in resolve_client_credentials (lines 718-750). Specifically, resolve_client_credentials does not filter out empty strings, meaning it will attempt to use them if they are set in the environment. By filtering them here, gws auth status will report that no environment overrides are active even when the application is actually using them (albeit likely failing later). To ensure the status output accurately reflects the application's state, these filters should be removed, or resolve_client_credentials should be updated to also ignore empty strings.

    let env_client_id = std::env::var("GOOGLE_WORKSPACE_CLI_CLIENT_ID").ok();
    let env_client_secret_set = std::env::var("GOOGLE_WORKSPACE_CLI_CLIENT_SECRET").is_ok();

@googleworkspace-bot
Collaborator

/gemini review

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request improves OAuth credential handling by ignoring empty environment variables and enhances the status command to report environment variable overrides. Review feedback highlights an opportunity to refactor duplicated environment variable resolution logic into a shared helper to ensure consistency. Additionally, a logic inconsistency was identified in the status command where the existing credential source detection does not yet account for empty environment variables, which could lead to inaccurate reporting.

Comment on lines +720 to +725
let env_id = std::env::var("GOOGLE_WORKSPACE_CLI_CLIENT_ID")
.ok()
.filter(|value| !value.is_empty());
let env_secret = std::env::var("GOOGLE_WORKSPACE_CLI_CLIENT_SECRET")
.ok()
.filter(|value| !value.is_empty());
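
Review bot: the `!value.is_empty()` filter on `env_id` and `env_secret` still accepts a value made only of spaces or a stray newline, which then goes forward as a credential. If whitespace-only should count as unset, use `!value.trim().is_empty()`, and decide that in one place so the status path applies the same rule.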

high

The logic for resolving credentials from environment variables is now duplicated in add_oauth_env_status_fields. To ensure consistency and improve maintainability, consider refactoring this into a shared helper function. This is particularly important for security-sensitive environment variables where the definition of "set" (e.g., handling empty vs. whitespace-only strings) should be uniform across the application.

}
}

add_oauth_env_status_fields(&mut output, has_config);
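
Review bot: the call passes only `output` and `has_config`, so `add_oauth_env_status_fields` has to read the process environment itself, and a unit test for it must mutate global environment variables, which can race with other tests running in parallel. Consider passing the already-resolved env values in as an argument so the function is pure and the status fields come from the same values the resolver used.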

high

The addition of add_oauth_env_status_fields introduces a logic inconsistency with the credential_source detection later in this function (lines 1281-1284 in the full file). While the new status fields correctly filter out empty environment variables, the credential_source logic still uses is_ok(), which will incorrectly report environment_variables as the source if the variables are present but empty. This directly contradicts the PR's goal of accurately showing environment overrides.

@googleworkspace-bot
Collaborator

/gemini review

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request refactors OAuth credential resolution by introducing the oauth_client_env_credentials helper function, which ensures that empty environment variables are ignored. It also updates the status command to include information about OAuth environment variables in the output, including masked client IDs. Comprehensive unit tests were added to validate the new logic and ensure correct handling of empty strings. I have no feedback to provide.
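
The pattern this review thread converges on, one definition of "set" shared by credential resolution and status reporting, as an added Rust example (not the PR's or the project's code). The variable names and `env_overrides_client_config` come from the thread; the types, the mask format and the rule that env credentials apply only when both values are set are assumptions.

```rust
const ID_VAR: &str = "GOOGLE_WORKSPACE_CLI_CLIENT_ID";
const SECRET_VAR: &str = "GOOGLE_WORKSPACE_CLI_CLIENT_SECRET";

/// Hypothetical type: env-provided OAuth client values, empty strings count as unset.
#[derive(Debug, PartialEq)]
struct EnvCreds {
    client_id: Option<String>,
    client_secret: Option<String>,
}

/// Single definition of "set"; `lookup` stands in for std::env::var(..).ok() so it is testable.
fn env_creds(lookup: impl Fn(&str) -> Option<String>) -> EnvCreds {
    let get = |key: &str| lookup(key).filter(|v| !v.is_empty());
    EnvCreds { client_id: get(ID_VAR), client_secret: get(SECRET_VAR) }
}

/// Assumed mask format: first and last 4 characters; short values are masked entirely.
fn mask_client_id(id: &str) -> String {
    let chars: Vec<char> = id.chars().collect();
    if chars.len() <= 12 {
        return "****".to_string();
    }
    let head: String = chars[..4].iter().collect();
    let tail: String = chars[chars.len() - 4..].iter().collect();
    format!("{head}...{tail}")
}

/// Status view derived from the same EnvCreds the resolver would consume.
#[derive(Debug, PartialEq)]
struct EnvStatus {
    client_id_masked: Option<String>,
    client_secret_set: bool,
    env_overrides_client_config: bool,
}

fn env_status(creds: &EnvCreds, has_config: bool) -> EnvStatus {
    // Assumption: env values take effect only when both ID and secret are set.
    let active = creds.client_id.is_some() && creds.client_secret.is_some();
    EnvStatus {
        client_id_masked: creds.client_id.as_deref().map(mask_client_id),
        client_secret_set: creds.client_secret.is_some(),
        env_overrides_client_config: active && has_config,
    }
}

fn main() {
    println!("{:?}", env_status(&env_creds(|k| std::env::var(k).ok()), true));
}
```

Because the status struct is built from `EnvCreds` rather than from a second read of the environment, status and resolution cannot disagree about an empty variable.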

Development

Successfully merging this pull request may close these issues.

gws auth status doesn't show when env vars override client_secret.json
