feat: implement PKCE support in OAuth flows (#1142)

- Implemented PKCE support in `AuthorizationCodeFlow` class inside `src/auth/auth_code_flow.ts` by using `generateCodeVerifierAsync` to generate the code verifier and code challenge.
- Passed `code_challenge` and `code_challenge_method` (`'S256'`) into `generateAuthUrl` and then passed the `codeVerifier` into `getToken`.
- Added unit tests to `test/auth/auth_code_flow.ts` to ensure PKCE is not regressed and both methods receive the correct parameters.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: sqrrrl <346343+sqrrrl@users.noreply.github.com>

Author: sqrrrl

package-lock.json

@@ -56,16 +56,24 @@ export class AuthorizationCodeFlow {
     const scope = Array.isArray(scopes) ? scopes.join(' ') : scopes;
     const redirectUri = await this.getRedirectUri();
     const expectedState = generateState();
+
+    // Generate PKCE code verifier and challenge
+    const {codeVerifier, codeChallenge} = await this.oauth2Client.generateCodeVerifierAsync();
+
     const authUrl = this.oauth2Client.generateAuthUrl({
       redirect_uri: redirectUri,
       access_type: 'offline',
       scope: scope,
       state: expectedState,
+      code_challenge: codeChallenge,
+      code_challenge_method: 'S256' as any, // Temporary workaround since @types/google-auth-library isn't fully synced or the type restricts literal strings, but type checking fails without deep import or `any` here.
     });
+
     const code = await this.promptAndReturnCode(authUrl, expectedState);
     const tokens = await this.oauth2Client.getToken({
       code,
       redirect_uri: redirectUri,
+      codeVerifier,
     });
     this.oauth2Client.setCredentials(tokens.tokens);
     return this.oauth2Client;

src/auth/auth_code_flow.ts

@@ -39,9 +39,7 @@ import {initClaspInstance} from '../core/clasp.js';
 function validateProjectDir(projectDir: string): string | null {
   const resolved = path.resolve(projectDir);
   const allowedBases = [os.homedir(), process.cwd()];
-  const isAllowed = allowedBases.some(
-    base => resolved === base || resolved.startsWith(base + path.sep),
-  );
+  const isAllowed = allowedBases.some(base => resolved === base || resolved.startsWith(base + path.sep));
   if (!isAllowed) {
     return (
       `Security Error: projectDir must be within the user home directory or ` +

src/mcp/server.ts

@@ -17,7 +17,9 @@
 import {expect} from 'chai';
 import {describe, it} from 'mocha';
 
-import {generateState, parseAuthResponseUrl} from '../../src/auth/auth_code_flow.js';
+import {OAuth2Client} from 'google-auth-library';
+import sinon from 'sinon';
+import {AuthorizationCodeFlow, generateState, parseAuthResponseUrl} from '../../src/auth/auth_code_flow.js';
 
 describe('OAuth state parameter (CSRF protection)', function () {
   describe('generateState', function () {
@@ -42,9 +44,7 @@ describe('OAuth state parameter (CSRF protection)', function () {
 
   describe('parseAuthResponseUrl', function () {
     it('extracts code, state, and error from a URL', function () {
-      const result = parseAuthResponseUrl(
-        'http://localhost:12345?code=test_code&state=test_state',
-      );
+      const result = parseAuthResponseUrl('http://localhost:12345?code=test_code&state=test_state');
       expect(result.code).to.equal('test_code');
       expect(result.state).to.equal('test_state');
       expect(result.error).to.be.null;
@@ -57,11 +57,56 @@ describe('OAuth state parameter (CSRF protection)', function () {
     });
 
     it('extracts error when present', function () {
-      const result = parseAuthResponseUrl(
-        'http://localhost:12345?error=access_denied',
-      );
+      const result = parseAuthResponseUrl('http://localhost:12345?error=access_denied');
       expect(result.error).to.equal('access_denied');
       expect(result.code).to.be.null;
     });
   });
 });
+
+describe('AuthorizationCodeFlow (PKCE implementation)', function () {
+  it('should pass code challenge and verifier to OAuth2Client', async function () {
+    const oauth2Client = new OAuth2Client();
+
+    const generateCodeVerifierAsyncStub = sinon.stub(oauth2Client, 'generateCodeVerifierAsync').resolves({
+      codeVerifier: 'test_verifier',
+      codeChallenge: 'test_challenge',
+    });
+    const generateAuthUrlStub = sinon.stub(oauth2Client, 'generateAuthUrl').returns('http://auth.url');
+    const getTokenStub = sinon.stub(oauth2Client, 'getToken').resolves({
+      tokens: {access_token: 'test_access_token'},
+      res: null,
+    });
+    const setCredentialsStub = sinon.stub(oauth2Client, 'setCredentials');
+
+    class TestFlow extends AuthorizationCodeFlow {
+      async getRedirectUri() {
+        return 'http://localhost';
+      }
+      async promptAndReturnCode(_url: string, _state: string) {
+        return 'test_auth_code';
+      }
+    }
+
+    const flow = new TestFlow(oauth2Client);
+    await flow.authorize(['scope1', 'scope2']);
+
+    expect(generateCodeVerifierAsyncStub.calledOnce).to.be.true;
+
+    // Verify generateAuthUrl was called with PKCE params
+    const authUrlArgs = generateAuthUrlStub.firstCall.args[0];
+    expect(authUrlArgs).to.include({
+      code_challenge: 'test_challenge',
+      code_challenge_method: 'S256',
+    });
+
+    // Verify getToken was called with PKCE verifier
+    const getTokenArgs = getTokenStub.firstCall.args[0] as any;
+    expect(getTokenArgs).to.include({
+      code: 'test_auth_code',
+      codeVerifier: 'test_verifier',
+    });
+
+    expect(setCredentialsStub.calledOnce).to.be.true;
+  });
+});

test/auth/auth_code_flow.ts

@@ -14,10 +14,10 @@
 
 // Tests for credential file permission hardening.
 
-import {expect} from 'chai';
 import fs from 'fs';
 import os from 'os';
 import path from 'path';
+import {expect} from 'chai';
 import {afterEach, describe, it} from 'mocha';
 
 import {FileCredentialStore} from '../../src/auth/file_credential_store.js';