1 files changed, 54 insertions, 10 deletions

diff --git a/packages/core/src/mcp/google-auth-provider.test.ts b/packages/core/src/mcp/google-auth-provider.test.ts
index f481b9e2..65daa74f 100644
--- a/packages/core/src/mcp/google-auth-provider.test.ts
+++ b/packages/core/src/mcp/google-auth-provider.test.ts
@@ -12,34 +12,78 @@ import { MCPServerConfig } from '../config/config.js';
 vi.mock('google-auth-library');
 
 describe('GoogleCredentialProvider', () => {
+  const validConfig = {
+    url: 'https://test.googleapis.com',
+    oauth: {
+      scopes: ['scope1', 'scope2'],
+    },
+  } as MCPServerConfig;
+
   it('should throw an error if no scopes are provided', () => {
-    expect(() => new GoogleCredentialProvider()).toThrow(
+    const config = {
+      url: 'https://test.googleapis.com',
+    } as MCPServerConfig;
+    expect(() => new GoogleCredentialProvider(config)).toThrow(
       'Scopes must be provided in the oauth config for Google Credentials provider',
     );
   });
 
   it('should use scopes from the config if provided', () => {
+    new GoogleCredentialProvider(validConfig);
+    expect(GoogleAuth).toHaveBeenCalledWith({
+      scopes: ['scope1', 'scope2'],
+    });
+  });
+
+  it('should throw an error for a non-allowlisted host', () => {
     const config = {
+      url: 'https://example.com',
+      oauth: {
+        scopes: ['scope1', 'scope2'],
+      },
+    } as MCPServerConfig;
+    expect(() => new GoogleCredentialProvider(config)).toThrow(
+      'Host "example.com" is not an allowed host for Google Credential provider.',
+    );
+  });
+
+  it('should allow luci.app', () => {
+    const config = {
+      url: 'https://luci.app',
       oauth: {
         scopes: ['scope1', 'scope2'],
       },
     } as MCPServerConfig;
     new GoogleCredentialProvider(config);
-    expect(GoogleAuth).toHaveBeenCalledWith({
-      scopes: ['scope1', 'scope2'],
-    });
+  });
+
+  it('should allow sub.luci.app', () => {
+    const config = {
+      url: 'https://sub.luci.app',
+      oauth: {
+        scopes: ['scope1', 'scope2'],
+      },
+    } as MCPServerConfig;
+    new GoogleCredentialProvider(config);
+  });
+
+  it('should not allow googleapis.com without a subdomain', () => {
+    const config = {
+      url: 'https://googleapis.com',
+      oauth: {
+        scopes: ['scope1', 'scope2'],
+      },
+    } as MCPServerConfig;
+    expect(() => new GoogleCredentialProvider(config)).toThrow(
+      'Host "googleapis.com" is not an allowed host for Google Credential provider.',
+    );
   });
 
   describe('with provider instance', () => {
     let provider: GoogleCredentialProvider;
 
     beforeEach(() => {
-      const config = {
-        oauth: {
-          scopes: ['scope1', 'scope2'],
-        },
-      } as MCPServerConfig;
-      provider = new GoogleCredentialProvider(config);
+      provider = new GoogleCredentialProvider(validConfig);
       vi.clearAllMocks();
     });