
Commit 07412de

committed
fix(antigravity): sync plugin.ts with PKCE-removed oauth.ts API
Remove decodeState import and update OAuth flow to use simple state string comparison for CSRF protection instead of PKCE verifier. Update exchangeCode calls to match new signature (code, redirectUri, clientId, clientSecret).
1 parent 1e239e6 commit 07412de

1 file changed

+11
-13
lines changed

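--- a/src/auth/antigravity/plugin.ts
+++ b/src/auth/antigravity/plugin.ts
@@ -33,7 +33,6 @@ import {
 exchangeCode,
 startCallbackServer,
 fetchUserInfo,
-decodeState,
 } from "./oauth"
 import { createAntigravityFetch } from "./fetch"
 import { fetchProjectContext } from "./project"
@@ -248,7 +247,7 @@ export async function createGoogleAntigravityAuthPlugin({
 */
 authorize: async (): Promise<AuthOuathResult> => {
 const serverHandle = startCallbackServer()
-const { url, verifier } = await buildAuthURL(undefined, cachedClientId, serverHandle.port)
+const { url, state: expectedState } = await buildAuthURL(undefined, cachedClientId, serverHandle.port)
 
 const browserOpened = await openBrowserURL(url)
 
@@ -277,15 +276,15 @@ export async function createGoogleAntigravityAuthPlugin({
 return { type: "failed" as const }
 }
 
-const state = decodeState(result.state)
-if (state.verifier !== verifier) {
+if (result.state !== expectedState) {
 if (process.env.ANTIGRAVITY_DEBUG === "1") {
-console.error("[antigravity-plugin] PKCE verifier mismatch")
+console.error("[antigravity-plugin] State mismatch - possible CSRF attack")
 }
 return { type: "failed" as const }
 }
 
-const tokens = await exchangeCode(result.code, verifier, cachedClientId, cachedClientSecret, serverHandle.port)
+const redirectUri = `http://localhost:${serverHandle.port}/oauth-callback`
+const tokens = await exchangeCode(result.code, redirectUri, cachedClientId, cachedClientSecret)
 
 if (!tokens.refresh_token) {
 serverHandle.close()
@@ -343,7 +342,7 @@ export async function createGoogleAntigravityAuthPlugin({
 if (!addAnother) break
 
 const additionalServerHandle = startCallbackServer()
-const { url: additionalUrl, verifier: additionalVerifier } = await buildAuthURL(
+const { url: additionalUrl, state: expectedAdditionalState } = await buildAuthURL(
 undefined,
 cachedClientId,
 additionalServerHandle.port
@@ -373,24 +372,23 @@ export async function createGoogleAntigravityAuthPlugin({
 continue
 }
 
-const additionalState = decodeState(additionalResult.state)
-if (additionalState.verifier !== additionalVerifier) {
+if (additionalResult.state !== expectedAdditionalState) {
 additionalServerHandle.close()
 await client.tui.showToast({
 body: {
-message: "Verification failed, skipping...",
+message: "State mismatch, skipping...",
 variant: "warning",
 },
 })
 continue
 }
 
+const additionalRedirectUri = `http://localhost:${additionalServerHandle.port}/oauth-callback`
 const additionalTokens = await exchangeCode(
 additionalResult.code,
-additionalVerifier,
+additionalRedirectUri,
 cachedClientId,
-cachedClientSecret,
-additionalServerHandle.port
+cachedClientSecret
 )
 
 if (!additionalTokens.refresh_token) {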
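Review bot: Dropping the PKCE code_verifier from the `exchangeCode` calls (the one just above and the earlier one in `authorize`) leaves the loopback redirect flow relying on the `state` comparison plus `cachedClientSecret` alone; the state check defends against CSRF/session fixation but not against interception of the authorization code, which is what PKCE (RFC 7636) addresses and what RFC 8252 §8.1 recommends for native apps using loopback redirects. Since `exchangeCode` in `./oauth` no longer accepts a verifier, restoring it means adding code_challenge/code_verifier support there and passing it through here, so treat this as a follow-up across both files rather than a fix local to this hunk. Separately, the redirect URI is now spelled out twice in this file as `http://localhost:${…port}/oauth-callback` while `buildAuthURL` only receives the port, so the two strings can drift apart and make the token exchange fail with a redirect_uri mismatch; consider having `buildAuthURL` return the redirect URI it embedded (e.g. `const { url, state: expectedState, redirectUri } = await buildAuthURL(...)`) or a shared helper, and using that in both `exchangeCode` calls. The enclosing `createGoogleAntigravityAuthPlugin` body starts before and ends after this hunk.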
