| author | matt korwel <[email protected]> | 2025-06-19 16:52:22 -0700 |
|---|---|---|
| committer | GitHub <[email protected]> | 2025-06-19 16:52:22 -0700 |
| commit | 04518b52c0ddcd5ae1192763c55e472add218b3c (patch) | |
| tree | 2587b0ccc5460e9e94eb8b715956cb713950f7c8 /packages/cli/src/gemini.tsx | |
| parent | c48fcaa8c3fe8175718b1bbfc7770a958012173c (diff) | |
Auth First Run (#1207)
Co-authored-by: Tommaso Sciortino <[email protected]>
Co-authored-by: N. Taylor Mullen <[email protected]>
Diffstat (limited to 'packages/cli/src/gemini.tsx')
| -rw-r--r-- | packages/cli/src/gemini.tsx | 85 |
1 files changed, 61 insertions, 24 deletions
diff --git a/packages/cli/src/gemini.tsx b/packages/cli/src/gemini.tsx index 7be84649..8dd52117 100644 --- a/packages/cli/src/gemini.tsx +++ b/packages/cli/src/gemini.tsx @@ -25,7 +25,9 @@ import { WriteFileTool, sessionId, logUserPrompt, + AuthType, } from '@gemini-cli/core'; +import { validateAuthMethod } from './config/auth.js'; export async function main() { const workspaceRoot = process.cwd(); @@ -47,10 +49,6 @@ export async function main() { const extensions = loadExtensions(workspaceRoot); const config = await loadCliConfig(settings.merged, extensions, sessionId); - // When using Code Assist this triggers the Oauth login. - // Do this now, before sandboxing, so web redirect works. - await config.getGeminiClient().initialize(); - // Initialize centralized FileDiscoveryService config.getFileService(); if (config.getCheckpointEnabled()) { @@ -73,6 +71,15 @@ export async function main() { if (!process.env.SANDBOX) { const sandboxConfig = config.getSandbox(); if (sandboxConfig) { + if (settings.merged.selectedAuthType) { + // Validate authentication here because the sandbox will interfere with the Oauth2 web redirect. + const err = validateAuthMethod(settings.merged.selectedAuthType); + if (err) { + console.error(err); + process.exit(1); + } + await config.refreshAuth(settings.merged.selectedAuthType); + } await start_sandbox(sandboxConfig); process.exit(0); } 
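Review bot: The `await config.refreshAuth(settings.merged.selectedAuthType)` call added ahead of `start_sandbox` has no failure handling, unlike the `validateAuthMethod` result just above it, which is printed and turned into `process.exit(1)`. If `refreshAuth` rejects (its implementation is not on this page, so the failure modes are inferred), the rejection leaves `main()` and what the user sees depends on a caller outside the hunk. The same applies to `await nonInteractiveConfig.refreshAuth(selectedAuthType)` at the end of `validateNonInterActiveAuth` in the last hunk. I would wrap both as `try { await config.refreshAuth(...); } catch { console.error('Authentication failed; check the selected auth method and credentials.'); process.exit(1); }`, and keep the caught error's details out of the output unless they are known not to carry key or token material. `main()` starts and ends outside this hunk.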
@@ -152,28 +159,58 @@ async function loadNonInteractiveConfig( extensions: Extension[], settings: LoadedSettings, ) { - if (config.getApprovalMode() === ApprovalMode.YOLO) { - // Since everything is being allowed we can use normal yolo behavior. - return config; - } + let finalConfig = config; + if (config.getApprovalMode() !== ApprovalMode.YOLO) { + // Everything is not allowed, ensure that only read-only tools are configured. + const existingExcludeTools = settings.merged.excludeTools || []; + const interactiveTools = [ + ShellTool.Name, + EditTool.Name, + WriteFileTool.Name, + ]; - // Everything is not allowed, ensure that only read-only tools are configured. - const existingExcludeTools = settings.merged.excludeTools || []; - const interactiveTools = [ShellTool.Name, EditTool.Name, WriteFileTool.Name]; + const newExcludeTools = [ + ...new Set([...existingExcludeTools, ...interactiveTools]), + ]; - const newExcludeTools = [ - ...new Set([...existingExcludeTools, ...interactiveTools]), - ]; + const nonInteractiveSettings = { + ...settings.merged, + excludeTools: newExcludeTools, + }; + finalConfig = await loadCliConfig( + nonInteractiveSettings, + extensions, + config.getSessionId(), + ); + } - const nonInteractiveSettings = { - ...settings.merged, - excludeTools: newExcludeTools, - }; - const newConfig = await loadCliConfig( - nonInteractiveSettings, - extensions, - config.getSessionId(), + return await validateNonInterActiveAuth( + settings.merged.selectedAuthType, + finalConfig, ); - await newConfig.getGeminiClient().initialize(); - return newConfig; +} + +async function validateNonInterActiveAuth( + selectedAuthType: AuthType | undefined, + nonInteractiveConfig: Config, +) { + // making a special case for the cli. many headless environments might not have a settings.json set + // so if GEMINI_API_KEY is set, we'll use that. 
However since the oauth things are interactive anyway, we'll + // still expect that exists + if (!selectedAuthType && !process.env.GEMINI_API_KEY) { + console.error( + 'Please set an Auth method in your .gemini/settings.json OR specify GEMINI_API_KEY env variable file before running', + ); + process.exit(1); + } + + selectedAuthType = selectedAuthType || AuthType.USE_GEMINI; + const err = validateAuthMethod(selectedAuthType); + if (err != null) { + console.error(err); + process.exit(1); + } + + await nonInteractiveConfig.refreshAuth(selectedAuthType); + return nonInteractiveConfig; } |
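Review bot: `validateNonInterActiveAuth` tests the validator result with `err != null`, while the sandbox path in `main()` tests the same call with `if (err)`; whether the two differ in practice depends on what `validateAuthMethod` returns, which this page does not show, so one form should be used at both sites. The first-run message says "specify GEMINI_API_KEY env variable file", which looks like a leftover word; I would use `'Please set an Auth method in your .gemini/settings.json OR set the GEMINI_API_KEY environment variable before running'`. The helper's name capitalises "InterActive", unlike `loadNonInteractiveConfig` directly above it. A short doc comment stating the credential precedence would also help operators of headless runs: a `selectedAuthType` from settings is used as given, and `GEMINI_API_KEY` only matters when none is set, in which case `AuthType.USE_GEMINI` is assumed.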
