salmonumbrella
diff --git a/‎internal/cmd/auth.go‎
Lines changed: 3 additions & 3 deletions b/‎internal/cmd/auth.go‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎internal/googleauth/manual_state.go‎
Lines changed: 28 additions & 4 deletions b/‎internal/googleauth/manual_state.go‎
Lines changed: 28 additions & 4 deletions
diff --git a/‎internal/googleauth/manual_state_test.go‎
Lines changed: 9 additions & 0 deletions b/‎internal/googleauth/manual_state_test.go‎
Lines changed: 9 additions & 0 deletions
@@ -549,15 +549,15 @@ func (c *AuthAddCmd) Run(ctx context.Context) error {
 			if authURL != "" || authCode != "" {
 				return usage("remote step 1 does not accept --auth-url or --auth-code")
 			}
-			result, err := manualAuthURL(ctx, googleauth.AuthorizeOptions{
+			result, manualErr := manualAuthURL(ctx, googleauth.AuthorizeOptions{
 				Services:     services,
 				Scopes:       scopes,
 				Manual:       true,
 				ForceConsent: c.ForceConsent,
 				Client:       client,
 			})
-			if err != nil {
-				return err
+			if manualErr != nil {
+				return manualErr
 			}
 			if outfmt.IsJSON(ctx) {
 				return outfmt.WriteJSON(os.Stdout, map[string]any{
 
@@ -33,7 +33,7 @@ var (
 func manualStatePath() (string, error) {
 	dir, err := config.EnsureDir()
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("ensure config dir: %w", err)
 	}
 
 	return filepath.Join(dir, manualStateFilename), nil
@@ -48,24 +48,35 @@ func loadManualState(client string, scopes []string, forceConsent bool) (string,
 	data, err := os.ReadFile(path) //nolint:gosec // config path
 	if err != nil {
 		if os.IsNotExist(err) {
-			return "", false, nil
+			err = nil
+			return "", false, err
 		}
+
 		return "", false, fmt.Errorf("read manual auth state: %w", err)
 	}
 
 	var st manualState
-	if err := json.Unmarshal(data, &st); err != nil {
+
+	unmarshalErr := json.Unmarshal(data, &st)
+	if unmarshalErr != nil {
 		_ = os.Remove(path)
-		return "", false, nil
+		unmarshalErr = nil
+
+		return "", false, unmarshalErr //nolint:nilerr // invalid state should be treated as a cache miss
 	}
+
 	if st.State == "" {
 		_ = os.Remove(path)
+
 		return "", false, nil
 	}
+
 	if manualStateNowFn().Sub(st.CreatedAt) > manualStateTTL {
 		_ = os.Remove(path)
+
 		return "", false, nil
 	}
+
 	if st.Client != client || st.ForceConsent != forceConsent || !scopesEqual(st.Scopes, scopes) {
 		return "", false, nil
 	}
@@ -84,22 +95,29 @@ func loadManualStateStrict(client string, scopes []string, forceConsent bool) (s
 		if os.IsNotExist(err) {
 			return "", errManualStateMissing
 		}
+
 		return "", fmt.Errorf("read manual auth state: %w", err)
 	}
 
 	var st manualState
 	if err := json.Unmarshal(data, &st); err != nil {
 		_ = os.Remove(path)
+
 		return "", errManualStateMissing
 	}
+
 	if st.State == "" {
 		_ = os.Remove(path)
+
 		return "", errManualStateMissing
 	}
+
 	if manualStateNowFn().Sub(st.CreatedAt) > manualStateTTL {
 		_ = os.Remove(path)
+
 		return "", errManualStateMissing
 	}
+
 	if st.Client != client || st.ForceConsent != forceConsent || !scopesEqual(st.Scopes, scopes) {
 		return "", errManualStateMismatch
 	}
@@ -125,12 +143,14 @@ func saveManualState(client string, scopes []string, forceConsent bool, state st
 	if err != nil {
 		return fmt.Errorf("encode manual auth state: %w", err)
 	}
+
 	data = append(data, '\n')
 
 	tmp := path + ".tmp"
 	if err := os.WriteFile(tmp, data, 0o600); err != nil {
 		return fmt.Errorf("write manual auth state: %w", err)
 	}
+
 	if err := os.Rename(tmp, path); err != nil {
 		return fmt.Errorf("commit manual auth state: %w", err)
 	}
@@ -148,6 +168,7 @@ func clearManualState() error {
 		if os.IsNotExist(err) {
 			return nil
 		}
+
 		return fmt.Errorf("remove manual auth state: %w", err)
 	}
 
@@ -161,6 +182,7 @@ func normalizeScopes(scopes []string) []string {
 
 	out := append([]string(nil), scopes...)
 	sort.Strings(out)
+
 	return out
 }
 
@@ -170,10 +192,12 @@ func scopesEqual(a, b []string) bool {
 	}
 	na := normalizeScopes(a)
 	nb := normalizeScopes(b)
+
 	for i := range na {
 		if na[i] != nb[i] {
 			return false
 		}
 	}
+
 	return true
 }
@@ -12,11 +12,13 @@ func TestManualAuthURL_ReusesState(t *testing.T) {
 	origRead := readClientCredentials
 	origEndpoint := oauthEndpoint
 	origState := randomStateFn
+
 	t.Cleanup(func() {
 		readClientCredentials = origRead
 		oauthEndpoint = origEndpoint
 		randomStateFn = origState
 	})
+
 	useTempManualStatePath(t)
 
 	readClientCredentials = func(string) (config.ClientCredentials, error) {
@@ -29,6 +31,7 @@ func TestManualAuthURL_ReusesState(t *testing.T) {
 		if stateCalls == 1 {
 			return "state1", nil
 		}
+
 		return "state2", nil
 	}
 
@@ -39,6 +42,7 @@ func TestManualAuthURL_ReusesState(t *testing.T) {
 	if err != nil {
 		t.Fatalf("ManualAuthURL: %v", err)
 	}
+
 	res2, err := ManualAuthURL(context.Background(), AuthorizeOptions{
 		Scopes: []string{"s1"},
 		Manual: true,
@@ -48,23 +52,28 @@ func TestManualAuthURL_ReusesState(t *testing.T) {
 	}
 
 	state1 := authURLState(t, res1.URL)
+
 	state2 := authURLState(t, res2.URL)
 	if state1 != "state1" || state2 != "state1" {
 		t.Fatalf("expected reused state, got state1=%q state2=%q", state1, state2)
 	}
+
 	if !res2.StateReused {
 		t.Fatalf("expected state_reused true on second call")
 	}
+
 	if stateCalls != 1 {
 		t.Fatalf("expected randomStateFn called once, got %d", stateCalls)
 	}
 }
 
 func authURLState(t *testing.T, rawURL string) string {
 	t.Helper()
+
 	parsed, err := url.Parse(rawURL)
 	if err != nil {
 		t.Fatalf("parse auth URL: %v", err)
 	}
+
 	return parsed.Query().Get("state")
 }
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ var (`
`33`	`33`	`func manualStatePath() (string, error) {`
`34`	`34`	`dir, err := config.EnsureDir()`
`35`	`35`	`if err != nil {`
`36`		`- return "", err`
	`36`	`+ return "", fmt.Errorf("ensure config dir: %w", err)`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`return filepath.Join(dir, manualStateFilename), nil`
`@@ -48,24 +48,35 @@ func loadManualState(client string, scopes []string, forceConsent bool) (string,`
`48`	`48`	`data, err := os.ReadFile(path) //nolint:gosec // config path`
`49`	`49`	`if err != nil {`
`50`	`50`	`if os.IsNotExist(err) {`
`51`		`- return "", false, nil`
	`51`	`+ err = nil`
	`52`	`+ return "", false, err`
`52`	`53`	`}`
	`54`	`+`
`53`	`55`	`return "", false, fmt.Errorf("read manual auth state: %w", err)`
`54`	`56`	`}`
`55`	`57`
`56`	`58`	`var st manualState`
`57`		`- if err := json.Unmarshal(data, &st); err != nil {`
	`59`	`+`
	`60`	`+ unmarshalErr := json.Unmarshal(data, &st)`
	`61`	`+ if unmarshalErr != nil {`
`58`	`62`	`_ = os.Remove(path)`
`59`		`- return "", false, nil`
	`63`	`+ unmarshalErr = nil`
	`64`	`+`
	`65`	`+ return "", false, unmarshalErr //nolint:nilerr // invalid state should be treated as a cache miss`
`60`	`66`	`}`
	`67`	`+`
`61`	`68`	`if st.State == "" {`
`62`	`69`	`_ = os.Remove(path)`
	`70`	`+`
`63`	`71`	`return "", false, nil`
`64`	`72`	`}`
	`73`	`+`
`65`	`74`	`if manualStateNowFn().Sub(st.CreatedAt) > manualStateTTL {`
`66`	`75`	`_ = os.Remove(path)`
	`76`	`+`
`67`	`77`	`return "", false, nil`
`68`	`78`	`}`
	`79`	`+`
`69`	`80`	`if st.Client != client \|\| st.ForceConsent != forceConsent \|\| !scopesEqual(st.Scopes, scopes) {`
`70`	`81`	`return "", false, nil`
`71`	`82`	`}`
`@@ -84,22 +95,29 @@ func loadManualStateStrict(client string, scopes []string, forceConsent bool) (s`
`84`	`95`	`if os.IsNotExist(err) {`
`85`	`96`	`return "", errManualStateMissing`
`86`	`97`	`}`
	`98`	`+`
`87`	`99`	`return "", fmt.Errorf("read manual auth state: %w", err)`
`88`	`100`	`}`
`89`	`101`
`90`	`102`	`var st manualState`
`91`	`103`	`if err := json.Unmarshal(data, &st); err != nil {`
`92`	`104`	`_ = os.Remove(path)`
	`105`	`+`
`93`	`106`	`return "", errManualStateMissing`
`94`	`107`	`}`
	`108`	`+`
`95`	`109`	`if st.State == "" {`
`96`	`110`	`_ = os.Remove(path)`
	`111`	`+`
`97`	`112`	`return "", errManualStateMissing`
`98`	`113`	`}`
	`114`	`+`
`99`	`115`	`if manualStateNowFn().Sub(st.CreatedAt) > manualStateTTL {`
`100`	`116`	`_ = os.Remove(path)`
	`117`	`+`
`101`	`118`	`return "", errManualStateMissing`
`102`	`119`	`}`
	`120`	`+`
`103`	`121`	`if st.Client != client \|\| st.ForceConsent != forceConsent \|\| !scopesEqual(st.Scopes, scopes) {`
`104`	`122`	`return "", errManualStateMismatch`
`105`	`123`	`}`
`@@ -125,12 +143,14 @@ func saveManualState(client string, scopes []string, forceConsent bool, state st`
`125`	`143`	`if err != nil {`
`126`	`144`	`return fmt.Errorf("encode manual auth state: %w", err)`
`127`	`145`	`}`
	`146`	`+`
`128`	`147`	`data = append(data, '\n')`
`129`	`148`
`130`	`149`	`tmp := path + ".tmp"`
`131`	`150`	`if err := os.WriteFile(tmp, data, 0o600); err != nil {`
`132`	`151`	`return fmt.Errorf("write manual auth state: %w", err)`
`133`	`152`	`}`
	`153`	`+`
`134`	`154`	`if err := os.Rename(tmp, path); err != nil {`
`135`	`155`	`return fmt.Errorf("commit manual auth state: %w", err)`
`136`	`156`	`}`
`@@ -148,6 +168,7 @@ func clearManualState() error {`
`148`	`168`	`if os.IsNotExist(err) {`
`149`	`169`	`return nil`
`150`	`170`	`}`
	`171`	`+`
`151`	`172`	`return fmt.Errorf("remove manual auth state: %w", err)`
`152`	`173`	`}`
`153`	`174`
`@@ -161,6 +182,7 @@ func normalizeScopes(scopes []string) []string {`
`161`	`182`
`162`	`183`	`out := append([]string(nil), scopes...)`
`163`	`184`	`sort.Strings(out)`
	`185`	`+`
`164`	`186`	`return out`
`165`	`187`	`}`
`166`	`188`
`@@ -170,10 +192,12 @@ func scopesEqual(a, b []string) bool {`
`170`	`192`	`}`
`171`	`193`	`na := normalizeScopes(a)`
`172`	`194`	`nb := normalizeScopes(b)`
	`195`	`+`
`173`	`196`	`for i := range na {`
`174`	`197`	`if na[i] != nb[i] {`
`175`	`198`	`return false`
`176`	`199`	`}`
`177`	`200`	`}`
	`201`	`+`
`178`	`202`	`return true`
`179`	`203`	`}`
Original file line number	Diff line number	Diff line change
`@@ -12,11 +12,13 @@ func TestManualAuthURL_ReusesState(t *testing.T) {`
`12`	`12`	`origRead := readClientCredentials`
`13`	`13`	`origEndpoint := oauthEndpoint`
`14`	`14`	`origState := randomStateFn`
	`15`	`+`
`15`	`16`	`t.Cleanup(func() {`
`16`	`17`	`readClientCredentials = origRead`
`17`	`18`	`oauthEndpoint = origEndpoint`
`18`	`19`	`randomStateFn = origState`
`19`	`20`	`})`
	`21`	`+`
`20`	`22`	`useTempManualStatePath(t)`
`21`	`23`
`22`	`24`	`readClientCredentials = func(string) (config.ClientCredentials, error) {`
`@@ -29,6 +31,7 @@ func TestManualAuthURL_ReusesState(t *testing.T) {`
`29`	`31`	`if stateCalls == 1 {`
`30`	`32`	`return "state1", nil`
`31`	`33`	`}`
	`34`	`+`
`32`	`35`	`return "state2", nil`
`33`	`36`	`}`
`34`	`37`
`@@ -39,6 +42,7 @@ func TestManualAuthURL_ReusesState(t *testing.T) {`
`39`	`42`	`if err != nil {`
`40`	`43`	`t.Fatalf("ManualAuthURL: %v", err)`
`41`	`44`	`}`
	`45`	`+`
`42`	`46`	`res2, err := ManualAuthURL(context.Background(), AuthorizeOptions{`
`43`	`47`	`Scopes: []string{"s1"},`
`44`	`48`	`Manual: true,`
`@@ -48,23 +52,28 @@ func TestManualAuthURL_ReusesState(t *testing.T) {`
`48`	`52`	`}`
`49`	`53`
`50`	`54`	`state1 := authURLState(t, res1.URL)`
	`55`	`+`
`51`	`56`	`state2 := authURLState(t, res2.URL)`
`52`	`57`	`if state1 != "state1" \|\| state2 != "state1" {`
`53`	`58`	`t.Fatalf("expected reused state, got state1=%q state2=%q", state1, state2)`
`54`	`59`	`}`
	`60`	`+`
`55`	`61`	`if !res2.StateReused {`
`56`	`62`	`t.Fatalf("expected state_reused true on second call")`
`57`	`63`	`}`
	`64`	`+`
`58`	`65`	`if stateCalls != 1 {`
`59`	`66`	`t.Fatalf("expected randomStateFn called once, got %d", stateCalls)`
`60`	`67`	`}`
`61`	`68`	`}`
`62`	`69`
`63`	`70`	`func authURLState(t *testing.T, rawURL string) string {`
`64`	`71`	`t.Helper()`
	`72`	`+`
`65`	`73`	`parsed, err := url.Parse(rawURL)`
`66`	`74`	`if err != nil {`
`67`	`75`	`t.Fatalf("parse auth URL: %v", err)`
`68`	`76`	`}`
	`77`	`+`
`69`	`78`	`return parsed.Query().Get("state")`
`70`	`79`	`}`