Merge tag 'v0.1.18' of https://github.com/google-gemini/gemini-cli into chore/sync-gemini-cli-v0.1.18

2025-12-20 16:57:46 +00:00 · 2025-08-13 15:11:10 +08:00
parent 0bc45aeefe ea96293e16
commit bc92da04e9
94 changed files with 5258 additions and 4724 deletions
--- a/packages/core/src/mcp/oauth-provider.test.ts
+++ b/packages/core/src/mcp/oauth-provider.test.ts
@@ -4,7 +4,17 @@
 * SPDX-License-Identifier: Apache-2.0
 */

-import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { vi } from 'vitest';
+
+// Mock dependencies AT THE TOP
+const mockOpenBrowserSecurely = vi.hoisted(() => vi.fn());
+vi.mock('../utils/secure-browser-launcher.js', () => ({
+  openBrowserSecurely: mockOpenBrowserSecurely,
+}));
+vi.mock('node:crypto');
+vi.mock('./oauth-token-storage.js');
+
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
 import * as http from 'node:http';
 import * as crypto from 'node:crypto';
 import {
@@ -15,14 +25,6 @@ import {
 } from './oauth-provider.js';
 import { MCPOAuthTokenStorage, MCPOAuthToken } from './oauth-token-storage.js';

-// Mock dependencies
-const mockOpenBrowserSecurely = vi.hoisted(() => vi.fn());
-vi.mock('../utils/secure-browser-launcher.js', () => ({
-  openBrowserSecurely: mockOpenBrowserSecurely,
-}));
-vi.mock('node:crypto');
-vi.mock('./oauth-token-storage.js');
-
 // Mock fetch globally
 const mockFetch = vi.fn();
 global.fetch = mockFetch;
@@ -46,6 +48,7 @@ describe('MCPOAuthProvider', () => {
    tokenUrl: 'https://auth.example.com/token',
    scopes: ['read', 'write'],
    redirectUri: 'http://localhost:7777/oauth/callback',
+    audiences: ['https://api.example.com'],
  };

  const mockToken: MCPOAuthToken = {
@@ -720,6 +723,105 @@ describe('MCPOAuthProvider', () => {
      expect(capturedUrl!).toContain('code_challenge_method=S256');
      expect(capturedUrl!).toContain('scope=read+write');
      expect(capturedUrl!).toContain('resource=https%3A%2F%2Fauth.example.com');
+      expect(capturedUrl!).toContain('audience=https%3A%2F%2Fapi.example.com');
+    });
+
+    it('should correctly append parameters to an authorization URL that already has query params', async () => {
+      // Mock to capture the URL that would be opened
+      let capturedUrl: string;
+      mockOpenBrowserSecurely.mockImplementation((url: string) => {
+        capturedUrl = url;
+        return Promise.resolve();
+      });
+
+      let callbackHandler: unknown;
+      vi.mocked(http.createServer).mockImplementation((handler) => {
+        callbackHandler = handler;
+        return mockHttpServer as unknown as http.Server;
+      });
+
+      mockHttpServer.listen.mockImplementation((port, callback) => {
+        callback?.();
+        setTimeout(() => {
+          const mockReq = {
+            url: '/oauth/callback?code=auth_code_123&state=bW9ja19zdGF0ZV8xNl9ieXRlcw',
+          };
+          const mockRes = {
+            writeHead: vi.fn(),
+            end: vi.fn(),
+          };
+          (callbackHandler as (req: unknown, res: unknown) => void)(
+            mockReq,
+            mockRes,
+          );
+        }, 10);
+      });
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve(mockTokenResponse),
+      });
+
+      const configWithParamsInUrl = {
+        ...mockConfig,
+        authorizationUrl: 'https://auth.example.com/authorize?audience=1234',
+      };
+
+      await MCPOAuthProvider.authenticate('test-server', configWithParamsInUrl);
+
+      const url = new URL(capturedUrl!);
+      expect(url.searchParams.get('audience')).toBe('1234');
+      expect(url.searchParams.get('client_id')).toBe('test-client-id');
+      expect(url.search.startsWith('?audience=1234&')).toBe(true);
+    });
+
+    it('should correctly append parameters to a URL with a fragment', async () => {
+      // Mock to capture the URL that would be opened
+      let capturedUrl: string;
+      mockOpenBrowserSecurely.mockImplementation((url: string) => {
+        capturedUrl = url;
+        return Promise.resolve();
+      });
+
+      let callbackHandler: unknown;
+      vi.mocked(http.createServer).mockImplementation((handler) => {
+        callbackHandler = handler;
+        return mockHttpServer as unknown as http.Server;
+      });
+
+      mockHttpServer.listen.mockImplementation((port, callback) => {
+        callback?.();
+        setTimeout(() => {
+          const mockReq = {
+            url: '/oauth/callback?code=auth_code_123&state=bW9ja19zdGF0ZV8xNl9ieXRlcw',
+          };
+          const mockRes = {
+            writeHead: vi.fn(),
+            end: vi.fn(),
+          };
+          (callbackHandler as (req: unknown, res: unknown) => void)(
+            mockReq,
+            mockRes,
+          );
+        }, 10);
+      });
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve(mockTokenResponse),
+      });
+
+      const configWithFragment = {
+        ...mockConfig,
+        authorizationUrl: 'https://auth.example.com/authorize#login',
+      };
+
+      await MCPOAuthProvider.authenticate('test-server', configWithFragment);
+
+      const url = new URL(capturedUrl!);
+      expect(url.searchParams.get('client_id')).toBe('test-client-id');
+      expect(url.hash).toBe('#login');
+      expect(url.pathname).toBe('/authorize');
    });
  });
 });
--- a/packages/core/src/mcp/oauth-provider.ts
+++ b/packages/core/src/mcp/oauth-provider.ts
@@ -22,6 +22,7 @@ export interface MCPOAuthConfig {
  authorizationUrl?: string;
  tokenUrl?: string;
  scopes?: string[];
+  audiences?: string[];
  redirectUri?: string;
  tokenParamName?: string; // For SSE connections, specifies the query parameter name for the token
 }
@@ -297,6 +298,10 @@ export class MCPOAuthProvider {
      params.append('scope', config.scopes.join(' '));
    }

+    if (config.audiences && config.audiences.length > 0) {
+      params.append('audience', config.audiences.join(' '));
+    }
+
    // Add resource parameter for MCP OAuth spec compliance
    // Use the MCP server URL if provided, otherwise fall back to authorization URL
    const resourceUrl = mcpServerUrl || config.authorizationUrl!;
@@ -308,7 +313,11 @@ export class MCPOAuthProvider {
      );
    }

-    return `${config.authorizationUrl}?${params.toString()}`;
+    const url = new URL(config.authorizationUrl!);
+    params.forEach((value, key) => {
+      url.searchParams.append(key, value);
+    });
+    return url.toString();
  }

  /**
@@ -342,6 +351,10 @@ export class MCPOAuthProvider {
      params.append('client_secret', config.clientSecret);
    }

+    if (config.audiences && config.audiences.length > 0) {
+      params.append('audience', config.audiences.join(' '));
+    }
+
    // Add resource parameter for MCP OAuth spec compliance
    // Use the MCP server URL if provided, otherwise fall back to token URL
    const resourceUrl = mcpServerUrl || config.tokenUrl!;
@@ -400,6 +413,10 @@ export class MCPOAuthProvider {
      params.append('scope', config.scopes.join(' '));
    }

+    if (config.audiences && config.audiences.length > 0) {
+      params.append('audience', config.audiences.join(' '));
+    }
+
    // Add resource parameter for MCP OAuth spec compliance
    // Use the MCP server URL if provided, otherwise fall back to token URL
    const resourceUrl = mcpServerUrl || tokenUrl;