fix(auth): enforce remote manual auth state

Author: salmonumbrella

internal/cmd/auth.go

@@ -484,8 +484,8 @@ type AuthAddCmd struct {
 	Manual       bool          `name:"manual" help:"Browserless auth flow (paste redirect URL)"`
 	Remote       bool          `name:"remote" help:"Remote/server-friendly manual flow (print URL, then exchange code)"`
 	Step         int           `name:"step" help:"Remote auth step: 1=print URL, 2=exchange code"`
-	AuthURL      string        `name:"auth-url" help:"Redirect URL from browser (manual flow)"`
-	AuthCode     string        `name:"auth-code" help:"Authorization code from browser (manual flow; skips state check)"`
+	AuthURL      string        `name:"auth-url" help:"Redirect URL from browser (manual flow; required for --remote --step 2)"`
+	AuthCode     string        `name:"auth-code" help:"Authorization code from browser (manual flow; skips state check; not valid with --remote)"`
 	Timeout      time.Duration `name:"timeout" help:"Authorization timeout (manual flows default to 5m)"`
 	ForceConsent bool          `name:"force-consent" help:"Force consent screen to obtain a refresh token"`
 	ServicesCSV  string        `name:"services" help:"Services to authorize: user|all or comma-separated ${auth_services} (Keep uses service account: gog auth service-account set)" default:"user"`
@@ -567,12 +567,15 @@ func (c *AuthAddCmd) Run(ctx context.Context) error {
 			}
 			u.Out().Printf("auth_url\t%s", result.URL)
 			u.Out().Printf("state_reused\t%t", result.StateReused)
-			u.Err().Println("Run again with --remote --step 2 --auth-url <redirect-url> (or --auth-code <code>)")
+			u.Err().Println("Run again with --remote --step 2 --auth-url <redirect-url>")
 			return nil
 		case 2:
 			if authURL == "" && authCode == "" {
 				return usage("remote step 2 requires --auth-url or --auth-code")
 			}
+			if authCode != "" {
+				return usage("remote step 2 requires --auth-url (state check is mandatory)")
+			}
 		}
 	}
 
@@ -595,6 +598,7 @@ func (c *AuthAddCmd) Run(ctx context.Context) error {
 		Client:       client,
 		AuthURL:      authURL,
 		AuthCode:     authCode,
+		RequireState: c.Remote,
 	})
 	if err != nil {
 		return err

internal/cmd/auth_add_test.go

@@ -528,6 +528,81 @@ func TestAuthAddCmd_RemoteStep1_PrintsAuthURL(t *testing.T) {
 	}
 }
 
+func TestAuthAddCmd_RemoteStep2_RejectsAuthCode(t *testing.T) {
+	err := Execute([]string{
+		"auth",
+		"add",
+		"user@example.com",
+		"--services",
+		"gmail",
+		"--remote",
+		"--step",
+		"2",
+		"--auth-code",
+		"abc123",
+	})
+	if err == nil {
+		t.Fatalf("expected error")
+	}
+	var ee *ExitError
+	if !errors.As(err, &ee) || ee.Code != 2 {
+		t.Fatalf("expected exit code 2, got %T %#v", err, err)
+	}
+	if !strings.Contains(err.Error(), "remote step 2 requires --auth-url") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func TestAuthAddCmd_RemoteStep2_PassesAuthURL(t *testing.T) {
+	origAuth := authorizeGoogle
+	origOpen := openSecretsStore
+	origKeychain := ensureKeychainAccess
+	origFetch := fetchAuthorizedEmail
+	t.Cleanup(func() {
+		authorizeGoogle = origAuth
+		openSecretsStore = origOpen
+		ensureKeychainAccess = origKeychain
+		fetchAuthorizedEmail = origFetch
+	})
+
+	ensureKeychainAccess = func() error { return nil }
+	openSecretsStore = func() (secrets.Store, error) { return newMemSecretsStore(), nil }
+
+	var gotOpts googleauth.AuthorizeOptions
+	authorizeGoogle = func(ctx context.Context, opts googleauth.AuthorizeOptions) (string, error) {
+		gotOpts = opts
+		return "rt", nil
+	}
+	fetchAuthorizedEmail = func(context.Context, string, string, []string, time.Duration) (string, error) {
+		return "user@example.com", nil
+	}
+
+	if err := Execute([]string{
+		"auth",
+		"add",
+		"user@example.com",
+		"--services",
+		"gmail",
+		"--remote",
+		"--step",
+		"2",
+		"--auth-url",
+		"http://localhost:1/?code=abc&state=state123",
+	}); err != nil {
+		t.Fatalf("Execute: %v", err)
+	}
+
+	if !gotOpts.Manual {
+		t.Fatalf("expected manual auth in remote step 2")
+	}
+	if !gotOpts.RequireState {
+		t.Fatalf("expected require state in remote step 2")
+	}
+	if gotOpts.AuthURL == "" {
+		t.Fatalf("expected auth URL to be passed through")
+	}
+}
+
 func TestAuthAddCmd_AuthCode_PassesThrough(t *testing.T) {
 	origAuth := authorizeGoogle
 	origOpen := openSecretsStore

internal/googleauth/manual_state.go

@@ -73,6 +73,40 @@ func loadManualState(client string, scopes []string, forceConsent bool) (string,
 	return st.State, true, nil
 }
 
+func loadManualStateStrict(client string, scopes []string, forceConsent bool) (string, error) {
+	path, err := manualStatePathFn()
+	if err != nil {
+		return "", err
+	}
+
+	data, err := os.ReadFile(path) //nolint:gosec // config path
+	if err != nil {
+		if os.IsNotExist(err) {
+			return "", errManualStateMissing
+		}
+		return "", fmt.Errorf("read manual auth state: %w", err)
+	}
+
+	var st manualState
+	if err := json.Unmarshal(data, &st); err != nil {
+		_ = os.Remove(path)
+		return "", errManualStateMissing
+	}
+	if st.State == "" {
+		_ = os.Remove(path)
+		return "", errManualStateMissing
+	}
+	if manualStateNowFn().Sub(st.CreatedAt) > manualStateTTL {
+		_ = os.Remove(path)
+		return "", errManualStateMissing
+	}
+	if st.Client != client || st.ForceConsent != forceConsent || !scopesEqual(st.Scopes, scopes) {
+		return "", errManualStateMismatch
+	}
+
+	return st.State, nil
+}
+
 func saveManualState(client string, scopes []string, forceConsent bool, state string) error {
 	path, err := manualStatePathFn()
 	if err != nil {

internal/googleauth/oauth_flow.go

@@ -31,6 +31,7 @@ type AuthorizeOptions struct {
 	Client       string
 	AuthCode     string
 	AuthURL      string
+	RequireState bool
 }
 
 type ManualAuthURLResult struct {
@@ -58,12 +59,15 @@ var (
 )
 
 var (
-	errAuthorization  = errors.New("authorization error")
-	errMissingCode    = errors.New("missing code")
-	errMissingScopes  = errors.New("missing scopes")
-	errNoCodeInURL    = errors.New("no code found in URL")
-	errNoRefreshToken = errors.New("no refresh token received; try again with --force-consent")
-	errStateMismatch  = errors.New("state mismatch")
+	errAuthorization       = errors.New("authorization error")
+	errMissingCode         = errors.New("missing code")
+	errMissingState        = errors.New("missing state in redirect URL")
+	errMissingScopes       = errors.New("missing scopes")
+	errNoCodeInURL         = errors.New("no code found in URL")
+	errNoRefreshToken      = errors.New("no refresh token received; try again with --force-consent")
+	errManualStateMissing  = errors.New("manual auth state missing; run remote step 1 again")
+	errManualStateMismatch = errors.New("manual auth state mismatch; run remote step 1 again")
+	errStateMismatch       = errors.New("state mismatch")
 )
 
 func Authorize(ctx context.Context, opts AuthorizeOptions) (string, error) {
@@ -106,16 +110,29 @@ func Authorize(ctx context.Context, opts AuthorizeOptions) (string, error) {
 				if parseErr != nil {
 					return "", parseErr
 				}
+				if opts.RequireState && gotState == "" {
+					return "", errMissingState
+				}
 			}
 			if strings.TrimSpace(code) == "" {
 				return "", errMissingCode
 			}
 
 			if gotState != "" {
-				if cachedState, ok, cacheErr := loadManualState(opts.Client, opts.Scopes, opts.ForceConsent); cacheErr != nil {
-					return "", cacheErr
-				} else if ok && gotState != cachedState {
-					return "", errStateMismatch
+				if opts.RequireState {
+					cachedState, cacheErr := loadManualStateStrict(opts.Client, opts.Scopes, opts.ForceConsent)
+					if cacheErr != nil {
+						return "", cacheErr
+					}
+					if gotState != cachedState {
+						return "", errManualStateMismatch
+					}
+				} else {
+					if cachedState, ok, cacheErr := loadManualState(opts.Client, opts.Scopes, opts.ForceConsent); cacheErr != nil {
+						return "", cacheErr
+					} else if ok && gotState != cachedState {
+						return "", errStateMismatch
+					}
 				}
 			}
 

internal/googleauth/oauth_flow_authorize_test.go

@@ -314,6 +314,103 @@ func TestAuthorize_Manual_AuthCode(t *testing.T) {
 	}
 }
 
+func TestAuthorize_Manual_AuthURL_RequireStateMissing(t *testing.T) {
+	origRead := readClientCredentials
+	origEndpoint := oauthEndpoint
+
+	t.Cleanup(func() {
+		readClientCredentials = origRead
+		oauthEndpoint = origEndpoint
+	})
+	useTempManualStatePath(t)
+
+	readClientCredentials = func(string) (config.ClientCredentials, error) {
+		return config.ClientCredentials{ClientID: "id", ClientSecret: "secret"}, nil
+	}
+	oauthEndpoint = oauth2EndpointForTest("http://example.com")
+
+	_, err := Authorize(context.Background(), AuthorizeOptions{
+		Scopes:       []string{"s1"},
+		Manual:       true,
+		AuthURL:      "http://localhost:1/?code=abc",
+		RequireState: true,
+		Client:       "default",
+		Timeout:      2 * time.Second,
+	})
+	if err == nil {
+		t.Fatalf("expected error")
+	}
+	if !errors.Is(err, errMissingState) {
+		t.Fatalf("expected missing state error, got: %v", err)
+	}
+}
+
+func TestAuthorize_Manual_AuthURL_RequireStateMissingCache(t *testing.T) {
+	origRead := readClientCredentials
+	origEndpoint := oauthEndpoint
+
+	t.Cleanup(func() {
+		readClientCredentials = origRead
+		oauthEndpoint = origEndpoint
+	})
+	useTempManualStatePath(t)
+
+	readClientCredentials = func(string) (config.ClientCredentials, error) {
+		return config.ClientCredentials{ClientID: "id", ClientSecret: "secret"}, nil
+	}
+	oauthEndpoint = oauth2EndpointForTest("http://example.com")
+
+	_, err := Authorize(context.Background(), AuthorizeOptions{
+		Scopes:       []string{"s1"},
+		Manual:       true,
+		AuthURL:      "http://localhost:1/?code=abc&state=state123",
+		RequireState: true,
+		Client:       "default",
+		Timeout:      2 * time.Second,
+	})
+	if err == nil {
+		t.Fatalf("expected error")
+	}
+	if !errors.Is(err, errManualStateMissing) {
+		t.Fatalf("expected manual state missing error, got: %v", err)
+	}
+}
+
+func TestAuthorize_Manual_AuthURL_RequireStateMismatch(t *testing.T) {
+	origRead := readClientCredentials
+	origEndpoint := oauthEndpoint
+
+	t.Cleanup(func() {
+		readClientCredentials = origRead
+		oauthEndpoint = origEndpoint
+	})
+	useTempManualStatePath(t)
+
+	readClientCredentials = func(string) (config.ClientCredentials, error) {
+		return config.ClientCredentials{ClientID: "id", ClientSecret: "secret"}, nil
+	}
+	oauthEndpoint = oauth2EndpointForTest("http://example.com")
+
+	if err := saveManualState("default", []string{"s1"}, false, "state123"); err != nil {
+		t.Fatalf("save manual state: %v", err)
+	}
+
+	_, err := Authorize(context.Background(), AuthorizeOptions{
+		Scopes:       []string{"s1"},
+		Manual:       true,
+		AuthURL:      "http://localhost:1/?code=abc&state=DIFFERENT",
+		RequireState: true,
+		Client:       "default",
+		Timeout:      2 * time.Second,
+	})
+	if err == nil {
+		t.Fatalf("expected error")
+	}
+	if !errors.Is(err, errManualStateMismatch) {
+		t.Fatalf("expected manual state mismatch error, got: %v", err)
+	}
+}
+
 func TestAuthorize_ServerFlow_Success(t *testing.T) {
 	origRead := readClientCredentials
 	origEndpoint := oauthEndpoint