feat(core): add host validation to GoogleCredentialProvider (#5962)

Co-authored-by: Brian Ray <62354532+emeryray2002@users.noreply.github.com>
2025-12-21 09:17:53 +00:00 · 2025-08-11 12:40:30 -04:00
parent b0b12af2ce
commit aa5c80dec4
3 changed files with 73 additions and 13 deletions
--- a/packages/core/src/mcp/google-auth-provider.test.ts
+++ b/packages/core/src/mcp/google-auth-provider.test.ts
@@ -12,34 +12,78 @@ import { MCPServerConfig } from '../config/config.js';
 vi.mock('google-auth-library');

 describe('GoogleCredentialProvider', () => {
+  const validConfig = {
+    url: 'https://test.googleapis.com',
+    oauth: {
+      scopes: ['scope1', 'scope2'],
+    },
+  } as MCPServerConfig;
+
  it('should throw an error if no scopes are provided', () => {
-    expect(() => new GoogleCredentialProvider()).toThrow(
+    const config = {
+      url: 'https://test.googleapis.com',
+    } as MCPServerConfig;
+    expect(() => new GoogleCredentialProvider(config)).toThrow(
      'Scopes must be provided in the oauth config for Google Credentials provider',
    );
  });

  it('should use scopes from the config if provided', () => {
+    new GoogleCredentialProvider(validConfig);
+    expect(GoogleAuth).toHaveBeenCalledWith({
+      scopes: ['scope1', 'scope2'],
+    });
+  });
+
+  it('should throw an error for a non-allowlisted host', () => {
    const config = {
+      url: 'https://example.com',
+      oauth: {
+        scopes: ['scope1', 'scope2'],
+      },
+    } as MCPServerConfig;
+    expect(() => new GoogleCredentialProvider(config)).toThrow(
+      'Host "example.com" is not an allowed host for Google Credential provider.',
+    );
+  });
+
+  it('should allow luci.app', () => {
+    const config = {
+      url: 'https://luci.app',
      oauth: {
        scopes: ['scope1', 'scope2'],
      },
    } as MCPServerConfig;
    new GoogleCredentialProvider(config);
-    expect(GoogleAuth).toHaveBeenCalledWith({
-      scopes: ['scope1', 'scope2'],
-    });
+  });
+
+  it('should allow sub.luci.app', () => {
+    const config = {
+      url: 'https://sub.luci.app',
+      oauth: {
+        scopes: ['scope1', 'scope2'],
+      },
+    } as MCPServerConfig;
+    new GoogleCredentialProvider(config);
+  });
+
+  it('should not allow googleapis.com without a subdomain', () => {
+    const config = {
+      url: 'https://googleapis.com',
+      oauth: {
+        scopes: ['scope1', 'scope2'],
+      },
+    } as MCPServerConfig;
+    expect(() => new GoogleCredentialProvider(config)).toThrow(
+      'Host "googleapis.com" is not an allowed host for Google Credential provider.',
+    );
  });

  describe('with provider instance', () => {
    let provider: GoogleCredentialProvider;

    beforeEach(() => {
-      const config = {
-        oauth: {
-          scopes: ['scope1', 'scope2'],
-        },
-      } as MCPServerConfig;
-      provider = new GoogleCredentialProvider(config);
+      provider = new GoogleCredentialProvider(validConfig);
      vi.clearAllMocks();
    });