fix(auth): remove hardcoded OAuth client secret from published npm package (CWE-798) (#1139)

- Removed DEFAULT_CLASP_OAUTH_CLIENT_SECRET completely from the codebase
- Default login now runs as a public client (client ID only)
- Explicitly added build/ to .npmignore
- Preserved full backward compatibility for --creds and V1 .clasprc.json files

Closes the vulnerability reported via Google OSS VRP.

Co-authored-by: g0w6y <g0w6y@users.noreply.github.com>

Author: g0w6y

.npmignore

@@ -1,3 +1,4 @@
 src
 test
 .*
+build

src/auth/auth.ts

@@ -25,7 +25,7 @@ import {AuthorizationCodeFlow} from './auth_code_flow.js';
 import {CredentialStore} from './credential_store.js';
 import {FileCredentialStore} from './file_credential_store.js';
 import {LocalServerAuthorizationCodeFlow} from './localhost_auth_code_flow.js';
-import {DEFAULT_CLASP_OAUTH_CLIENT_ID, DEFAULT_CLASP_OAUTH_CLIENT_SECRET} from './oauth_client.js';
+import {DEFAULT_CLASP_OAUTH_CLIENT_ID} from './oauth_client.js';
 import {ServerlessAuthorizationCodeFlow} from './serverless_auth_code_flow.js';
 
 const debug = Debug('clasp:auth');
@@ -268,7 +268,6 @@ function createDefaultOAuthClient() {
   // Default client
   const client = new OAuth2Client({
     clientId: DEFAULT_CLASP_OAUTH_CLIENT_ID,
-    clientSecret: DEFAULT_CLASP_OAUTH_CLIENT_SECRET,
     redirectUri: 'http://localhost',
   });
   debug('Created built-in oauth client, id: %s', client._clientId);

src/auth/file_credential_store.ts

@@ -18,7 +18,7 @@
 
 import fs from 'fs';
 import {CredentialStore, StoredCredential} from './credential_store.js';
-import {DEFAULT_CLASP_OAUTH_CLIENT_ID, DEFAULT_CLASP_OAUTH_CLIENT_SECRET} from './oauth_client.js';
+import {DEFAULT_CLASP_OAUTH_CLIENT_ID} from './oauth_client.js';
 
 // Initial .clasprc.json format, single credential per file
 type V1LocalFileFormat = {
@@ -165,7 +165,6 @@ export class FileCredentialStore implements CredentialStore {
         expiry_date: store.exprity_date,
         token_type: store.token_type,
         client_id: DEFAULT_CLASP_OAUTH_CLIENT_ID,
-        client_secret: DEFAULT_CLASP_OAUTH_CLIENT_SECRET,
       };
     }
     return null;

src/auth/oauth_client.ts

@@ -1,22 +1,27 @@
-// Copyright 2025 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     https://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 
 // Shared constants and helpers for identifying clasp OAuth clients.
+//
+// NOTE: The hardcoded client secret has been removed for security reasons.
+// Default login now runs as a public client (client ID only, no secret).
+// This eliminates the sensitive data exposure in the published npm tarball.
 
 export const DEFAULT_CLASP_OAUTH_CLIENT_ID =
   '1072944905499-vm2v2i5dvn0a0d2o4ca36i1vge8cvbn0.apps.googleusercontent.com';
-export const DEFAULT_CLASP_OAUTH_CLIENT_SECRET = 'v6V3fKV_zWU7iw1DrpO1rknX';
 
 export type OAuthClientType = 'google-provided' | 'user-provided';