fix: prevent gmail.metadata scope from blocking query parameters #200
jpoehnelt merged 5 commits into googleworkspace:main from
Conversation
Discovery Documents list method scopes as alternatives (any one grants access), but passing all of them to yup_oauth2 caused Google to include restrictive scopes like gmail.metadata in the token. The API then enforced that scope's restrictions, blocking query parameters like `q`. Select only the first (broadest) scope from the method's scope list.
…uperset fallback gmail.metadata restricts API behavior (blocks `q` parameter) even when broader scopes are present in the token. Filter it out during login when broader Gmail scopes like gmail.modify or mail.google.com are selected. Also remove the superset fallback in token storage to prevent stale all-scopes tokens from being reused when a narrower scope is requested.
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
🦋 Changeset detected. Latest commit: 89e5540. The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
/gemini review |
The MCP server had the same bug as the CLI — passing all method scopes to get_token. Use select_scope to pick only the broadest scope.
Some conflicts to fix. |
More conflicts. |
/gemini review |
Code Review
This pull request provides a comprehensive fix for an issue where the restrictive gmail.metadata scope was blocking API calls with query parameters. The changes are well-structured and address the problem from multiple angles:
1. Selecting only the broadest scope from API discovery documents to avoid including restrictive ones by default.
2. Explicitly filtering out gmail.metadata during the login flow if broader Gmail scopes are present.
3. Making the token cache stricter to prevent the reuse of old tokens that contain restrictive scopes.
The implementation is clean, idiomatic, and includes appropriate unit tests for the new logic. I have reviewed the changes and found no issues.
/gemini review |
Code Review
This pull request correctly addresses an issue where the gmail.metadata scope was causing API calls to fail by being overly restrictive. The changes to filter this scope during login and to select only the broadest (first) scope for API calls are well-implemented. The removal of the superset token cache fallback is also a crucial part of this fix. I've found one critical issue in src/main.rs where methods that don't require any scopes would fail, and I've provided a suggestion to fix it.
Summary
- Filter `gmail.metadata` from login scopes when broader Gmail scopes (`gmail.modify`, `gmail.readonly`, `mail.google.com`) are present. Google enforces `gmail.metadata` restrictions (e.g. blocking the `q` parameter) even when broader scopes are also in the token.
- Pass only the first (broadest) method scope to `yup_oauth2`. Method scopes are alternatives, not cumulative.
- Apply the same fix to the MCP server (`src/mcp_server.rs`), which had the identical bug of passing all method scopes.

Problem
Running `gws gmail users messages list --params '{"userId": "me", "q": "is:unread"}'` returned `403: Metadata scope does not support 'q' parameter` because:
- Passing all method scopes to `yup_oauth2` put `gmail.metadata` in the token alongside broader scopes
- Google enforces `gmail.metadata` restrictions even when broader scopes are present in the token

Changes
- `src/main.rs`: `select_scope()` picks only the first (broadest) scope per method
- `src/auth_commands.rs`: `filter_redundant_restrictive_scopes()` strips `gmail.metadata` when broader Gmail scopes are present at login
- `src/token_storage.rs`: removes the superset token cache fallback
- `src/mcp_server.rs`: applies `select_scope()` to the MCP server code path (same bug as CLI)

Test plan
- `cargo clippy -- -D warnings` passes
- `cargo test`: 446 tests pass (6 new)
- `gws gmail users messages list --params '{"userId": "me", "q": "is:unread"}'` returns results
- `gws gmail users messages list --params '{"userId": "me", "q": "is:unread in:inbox"}'` works
- `gws drive files list --params '{"pageSize": 3}'` still works
- Selecting `gmail.metadata` in the scope picker still works (filtered automatically)

Fixes #174
🤖 Generated with Claude Code
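The three rules the PR description and commit messages lay out (request only the first, broadest method scope; drop `gmail.metadata` at login when a broader Gmail scope is also selected; look tokens up by exact scope set with no superset fallback) are easier to see side by side in code. The block below is an added example written for this page, not the gws project's code: the function names `select_scope` and `filter_redundant_restrictive_scopes` are taken from the PR description, but their bodies, the `TokenCache` type, the list of "broader" Gmail scopes and the sample scope lists are all assumptions. The scope URIs are Google's real scope strings; the order in which a Discovery Document lists them for `gmail.users.messages.list` is assumed (broadest first, as the PR states). `select_scope` returns an empty list for a method with no scopes, which is the edge case the second review flagged.

```rust
// Added illustration of the scope rules described in this PR. Not the gws
// project's code: names follow the PR description, bodies are assumptions.
use std::collections::{BTreeMap, BTreeSet};

const GMAIL_METADATA: &str = "https://www.googleapis.com/auth/gmail.metadata";

// Broader Gmail scopes named in the PR description; gmail.metadata is
// redundant next to any of them (assumed list).
const BROADER_GMAIL_SCOPES: &[&str] = &[
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
];

/// A Discovery Document lists a method's scopes as alternatives (any one
/// grants access), so only the first, broadest one is requested. A method
/// with no scopes yields an empty list instead of failing.
pub fn select_scope(method_scopes: &[&str]) -> Vec<String> {
    method_scopes
        .first()
        .map(|s| vec![s.to_string()])
        .unwrap_or_default()
}

/// At login, strip gmail.metadata when a broader Gmail scope was also picked:
/// Google enforces the metadata restrictions even when broader scopes are in
/// the token. gmail.metadata on its own is left untouched.
pub fn filter_redundant_restrictive_scopes(scopes: &[String]) -> Vec<String> {
    let has_broader = scopes
        .iter()
        .any(|s| BROADER_GMAIL_SCOPES.contains(&s.as_str()));
    scopes
        .iter()
        .filter(|s| !(has_broader && s.as_str() == GMAIL_METADATA))
        .cloned()
        .collect()
}

/// Token cache keyed by scope set. `get_exact` is the lookup the PR keeps;
/// `get_superset` is the fallback it removes, kept here only to show how a
/// stale all-scopes token (one containing gmail.metadata) gets reused.
#[derive(Default)]
pub struct TokenCache {
    entries: BTreeMap<BTreeSet<String>, String>,
}

impl TokenCache {
    pub fn store(&mut self, scopes: &[String], token: &str) {
        self.entries
            .insert(scopes.iter().cloned().collect(), token.to_string());
    }

    /// Exact-match lookup: a narrower request never gets a broader token.
    pub fn get_exact(&self, scopes: &[String]) -> Option<&str> {
        let key: BTreeSet<String> = scopes.iter().cloned().collect();
        self.entries.get(&key).map(String::as_str)
    }

    /// Superset fallback (the removed behaviour): any cached token whose
    /// scope set contains the request is returned, metadata scope and all.
    pub fn get_superset(&self, scopes: &[String]) -> Option<&str> {
        let want: BTreeSet<String> = scopes.iter().cloned().collect();
        self.entries
            .iter()
            .find(|(have, _)| want.is_subset(have))
            .map(|(_, token)| token.as_str())
    }
}

fn main() {
    // Constructed sample: a method's scope list in Discovery Document order,
    // broadest first (assumed order for gmail.users.messages.list).
    let method_scopes = [
        "https://mail.google.com/",
        GMAIL_METADATA,
        "https://www.googleapis.com/auth/gmail.modify",
        "https://www.googleapis.com/auth/gmail.readonly",
    ];
    println!("request only:     {:?}", select_scope(&method_scopes));

    // Constructed login selection: metadata plus modify, metadata is dropped.
    let login: Vec<String> = vec![
        GMAIL_METADATA.to_string(),
        "https://www.googleapis.com/auth/gmail.modify".to_string(),
    ];
    println!("login scopes:     {:?}", filter_redundant_restrictive_scopes(&login));

    // Constructed cache state: one stale token issued for every method scope.
    let mut cache = TokenCache::default();
    let all: Vec<String> = method_scopes.iter().map(|s| s.to_string()).collect();
    cache.store(&all, "stale-all-scopes-token");
    let narrow = select_scope(&method_scopes);
    println!("superset fallback: {:?}", cache.get_superset(&narrow));
    println!("exact match:       {:?}", cache.get_exact(&narrow));
}
```

The last two lines of `main` are the point of the token-storage change: with the superset fallback, a request for just `mail.google.com` is served from the stale token that also carries `gmail.metadata`, and the API then applies the metadata restrictions; with exact matching the cache misses and a fresh token with only the requested scope is obtained.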