diff --git a/backend/internal/handler/admin/gemini_oauth_handler.go b/backend/internal/handler/admin/gemini_oauth_handler.go index 50caaa26..8c398a1e 100644 --- a/backend/internal/handler/admin/gemini_oauth_handler.go +++ b/backend/internal/handler/admin/gemini_oauth_handler.go @@ -61,7 +61,11 @@ func (h *GeminiOAuthHandler) GenerateAuthURL(c *gin.Context) { if err != nil { msg := err.Error() // Treat missing/invalid OAuth client configuration as a user/config error. - if strings.Contains(msg, "OAuth client not configured") || strings.Contains(msg, "requires your own OAuth Client") { + if strings.Contains(msg, "OAuth client not configured") || + strings.Contains(msg, "requires your own OAuth Client") || + strings.Contains(msg, "requires a custom OAuth Client") || + strings.Contains(msg, "GEMINI_CLI_OAUTH_CLIENT_SECRET_MISSING") || + strings.Contains(msg, "built-in Gemini CLI OAuth client_secret is not configured") { response.BadRequest(c, "Failed to generate auth URL: "+msg) return } diff --git a/backend/internal/pkg/geminicli/constants.go b/backend/internal/pkg/geminicli/constants.go index f85e3b97..97234ffd 100644 --- a/backend/internal/pkg/geminicli/constants.go +++ b/backend/internal/pkg/geminicli/constants.go @@ -38,10 +38,8 @@ const ( // GeminiCLIOAuthClientID/Secret are the public OAuth client credentials used by Google Gemini CLI. // They enable the "login without creating your own OAuth client" experience, but Google may // restrict which scopes are allowed for this client. - GeminiCLIOAuthClientID = "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com" - // GeminiCLIOAuthClientSecret is intentionally not embedded in this repository. - // If you rely on the built-in Gemini CLI OAuth client, you MUST provide its client_secret via config/env. - GeminiCLIOAuthClientSecret = "" + GeminiCLIOAuthClientID = "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com" + GeminiCLIOAuthClientSecret = "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" // GeminiCLIOAuthClientSecretEnv is the environment variable name for the built-in client secret. GeminiCLIOAuthClientSecretEnv = "GEMINI_CLI_OAUTH_CLIENT_SECRET" diff --git a/backend/internal/pkg/geminicli/oauth_test.go b/backend/internal/pkg/geminicli/oauth_test.go index 14bc3c6b..2a430f9e 100644 --- a/backend/internal/pkg/geminicli/oauth_test.go +++ b/backend/internal/pkg/geminicli/oauth_test.go @@ -408,11 +408,10 @@ func TestBuildAuthorizationURL_WithProjectID(t *testing.T) { } } -func TestBuildAuthorizationURL_OAuthConfigError(t *testing.T) { - // 不设置环境变量,也不提供 client 凭据,EffectiveOAuthConfig 应该报错 +func TestBuildAuthorizationURL_UsesBuiltinSecretFallback(t *testing.T) { t.Setenv(GeminiCLIOAuthClientSecretEnv, "") - _, err := BuildAuthorizationURL( + authURL, err := BuildAuthorizationURL( OAuthConfig{}, "test-state", "test-challenge", @@ -420,8 +419,11 @@ func TestBuildAuthorizationURL_OAuthConfigError(t *testing.T) { "", "code_assist", ) - if err == nil { - t.Error("当 EffectiveOAuthConfig 失败时,BuildAuthorizationURL 应该返回错误") + if err != nil { + t.Fatalf("BuildAuthorizationURL() 不应报错: %v", err) + } + if !strings.Contains(authURL, "client_id="+GeminiCLIOAuthClientID) { + t.Errorf("应使用内置 Gemini CLI client_id,实际 URL: %s", authURL) } } @@ -685,15 +687,17 @@ func TestEffectiveOAuthConfig_WhitespaceTriming(t *testing.T) { } func TestEffectiveOAuthConfig_NoEnvSecret(t *testing.T) { - // 不设置环境变量且不提供凭据,应该报错 t.Setenv(GeminiCLIOAuthClientSecretEnv, "") - _, err := EffectiveOAuthConfig(OAuthConfig{}, "code_assist") - if err == nil { - t.Error("没有内置 secret 且未提供凭据时应该报错") + cfg, err := EffectiveOAuthConfig(OAuthConfig{}, "code_assist") + if err != nil { + t.Fatalf("不设置环境变量时应回退到内置 secret,实际报错: %v", err) } - if !strings.Contains(err.Error(), GeminiCLIOAuthClientSecretEnv) { - t.Errorf("错误消息应提及环境变量 %s,实际: %v", GeminiCLIOAuthClientSecretEnv, err) + if strings.TrimSpace(cfg.ClientSecret) == "" { + t.Error("ClientSecret 不应为空") + } + if cfg.ClientID != GeminiCLIOAuthClientID { + t.Errorf("ClientID 应回退为内置客户端 ID,实际: %q", cfg.ClientID) } }