Merge pull request #621 from cagedbird043/fix/gemini-auth-url-613

fix: 修复 Gemini 授权链接生成失败（issue #613）

backend/internal/handler/admin/gemini_oauth_handler.go

@@ -61,7 +61,11 @@ func (h *GeminiOAuthHandler) GenerateAuthURL(c *gin.Context) {
 	if err != nil {
 		msg := err.Error()
 		// Treat missing/invalid OAuth client configuration as a user/config error.
-		if strings.Contains(msg, "OAuth client not configured") || strings.Contains(msg, "requires your own OAuth Client") {
+		if strings.Contains(msg, "OAuth client not configured") ||
+			strings.Contains(msg, "requires your own OAuth Client") ||
+			strings.Contains(msg, "requires a custom OAuth Client") ||
+			strings.Contains(msg, "GEMINI_CLI_OAUTH_CLIENT_SECRET_MISSING") ||
+			strings.Contains(msg, "built-in Gemini CLI OAuth client_secret is not configured") {
 			response.BadRequest(c, "Failed to generate auth URL: "+msg)
 			return
 		}

backend/internal/pkg/geminicli/constants.go

@@ -38,10 +38,8 @@ const (
 	// GeminiCLIOAuthClientID/Secret are the public OAuth client credentials used by Google Gemini CLI.
 	// They enable the "login without creating your own OAuth client" experience, but Google may
 	// restrict which scopes are allowed for this client.
-	GeminiCLIOAuthClientID = "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com"
-	// GeminiCLIOAuthClientSecret is intentionally not embedded in this repository.
-	// If you rely on the built-in Gemini CLI OAuth client, you MUST provide its client_secret via config/env.
-	GeminiCLIOAuthClientSecret = ""
+	GeminiCLIOAuthClientID     = "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com"
+	GeminiCLIOAuthClientSecret = "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"
 
 	// GeminiCLIOAuthClientSecretEnv is the environment variable name for the built-in client secret.
 	GeminiCLIOAuthClientSecretEnv = "GEMINI_CLI_OAUTH_CLIENT_SECRET"

backend/internal/pkg/geminicli/oauth_test.go

@@ -408,11 +408,10 @@ func TestBuildAuthorizationURL_WithProjectID(t *testing.T) {
 	}
 }
 
-func TestBuildAuthorizationURL_OAuthConfigError(t *testing.T) {
-	// 不设置环境变量，也不提供 client 凭据，EffectiveOAuthConfig 应该报错
+func TestBuildAuthorizationURL_UsesBuiltinSecretFallback(t *testing.T) {
 	t.Setenv(GeminiCLIOAuthClientSecretEnv, "")
 
-	_, err := BuildAuthorizationURL(
+	authURL, err := BuildAuthorizationURL(
 		OAuthConfig{},
 		"test-state",
 		"test-challenge",
@@ -420,8 +419,11 @@ func TestBuildAuthorizationURL_OAuthConfigError(t *testing.T) {
 		"",
 		"code_assist",
 	)
-	if err == nil {
-		t.Error("当 EffectiveOAuthConfig 失败时，BuildAuthorizationURL 应该返回错误")
+	if err != nil {
+		t.Fatalf("BuildAuthorizationURL() 不应报错: %v", err)
+	}
+	if !strings.Contains(authURL, "client_id="+GeminiCLIOAuthClientID) {
+		t.Errorf("应使用内置 Gemini CLI client_id，实际 URL: %s", authURL)
 	}
 }
 
@@ -685,15 +687,17 @@ func TestEffectiveOAuthConfig_WhitespaceTriming(t *testing.T) {
 }
 
 func TestEffectiveOAuthConfig_NoEnvSecret(t *testing.T) {
-	// 不设置环境变量且不提供凭据，应该报错
 	t.Setenv(GeminiCLIOAuthClientSecretEnv, "")
 
-	_, err := EffectiveOAuthConfig(OAuthConfig{}, "code_assist")
-	if err == nil {
-		t.Error("没有内置 secret 且未提供凭据时应该报错")
+	cfg, err := EffectiveOAuthConfig(OAuthConfig{}, "code_assist")
+	if err != nil {
+		t.Fatalf("不设置环境变量时应回退到内置 secret，实际报错: %v", err)
 	}
-	if !strings.Contains(err.Error(), GeminiCLIOAuthClientSecretEnv) {
-		t.Errorf("错误消息应提及环境变量 %s，实际: %v", GeminiCLIOAuthClientSecretEnv, err)
+	if strings.TrimSpace(cfg.ClientSecret) == "" {
+		t.Error("ClientSecret 不应为空")
+	}
+	if cfg.ClientID != GeminiCLIOAuthClientID {
+		t.Errorf("ClientID 应回退为内置客户端 ID，实际: %q", cfg.ClientID)
 	}
 }