feat(auth): add Gemini CLI OAuth authentication support

konard · claude · konard · commit e555e6d28274 · 2026-03-16T17:12:15.000Z
Add OAuth login flow for Gemini CLI in headless/Docker environments: - Users can now authenticate via "Gemini CLI: login via OAuth (Google account)" - OAuth flow runs Gemini CLI with NO_BROWSER=true inside Docker container - User visits auth URL, copies authorization code, and pastes it back - Credentials stored in account-specific .gemini directory This addresses user feedback about needing to paste OAuth callback URLs when browser redirect to localhost doesn't work in Docker. Fixes #146 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/packages/app/src/docker-git/menu-auth-data.ts b/packages/app/src/docker-git/menu-auth-data.ts
@@ -34,8 +34,9 @@ const authMenuItems: ReadonlyArray<AuthMenuItem> = [
   { action: "GitRemove", label: "Git: remove credentials" },
   { action: "ClaudeOauth", label: "Claude Code: login via OAuth (web)" },
   { action: "ClaudeLogout", label: "Claude Code: logout (clear cache)" },
+  { action: "GeminiOauth", label: "Gemini CLI: login via OAuth (Google account)" },
   { action: "GeminiApiKey", label: "Gemini CLI: set API key" },
-  { action: "GeminiLogout", label: "Gemini CLI: logout (clear API key)" },
+  { action: "GeminiLogout", label: "Gemini CLI: logout (clear credentials)" },
   { action: "Refresh", label: "Refresh snapshot" },
   { action: "Back", label: "Back to main menu" }
 ]
@@ -61,6 +62,9 @@ const flowSteps: Readonly<Record<AuthFlow, ReadonlyArray<AuthPromptStep>>> = {
   ClaudeLogout: [
     { key: "label", label: "Label to logout (empty = default)", required: false, secret: false }
   ],
+  GeminiOauth: [
+    { key: "label", label: "Label (empty = default)", required: false, secret: false }
+  ],
   GeminiApiKey: [
     { key: "label", label: "Label (empty = default)", required: false, secret: false },
     { key: "apiKey", label: "Gemini API key (from ai.google.dev)", required: true, secret: true }
@@ -78,6 +82,7 @@ const flowTitle = (flow: AuthFlow): string =>
     Match.when("GitRemove", () => "Git remove"),
     Match.when("ClaudeOauth", () => "Claude Code OAuth"),
     Match.when("ClaudeLogout", () => "Claude Code logout"),
+    Match.when("GeminiOauth", () => "Gemini CLI OAuth"),
     Match.when("GeminiApiKey", () => "Gemini CLI API key"),
     Match.when("GeminiLogout", () => "Gemini CLI logout"),
     Match.exhaustive
@@ -91,6 +96,7 @@ export const successMessage = (flow: AuthFlow, label: string): string =>
     Match.when("GitRemove", () => `Removed Git credentials (${label}).`),
     Match.when("ClaudeOauth", () => `Saved Claude Code login (${label}).`),
     Match.when("ClaudeLogout", () => `Logged out Claude Code (${label}).`),
+    Match.when("GeminiOauth", () => `Saved Gemini CLI OAuth login (${label}).`),
     Match.when("GeminiApiKey", () => `Saved Gemini API key (${label}).`),
     Match.when("GeminiLogout", () => `Logged out Gemini CLI (${label}).`),
     Match.exhaustive
diff --git a/packages/app/src/docker-git/menu-auth-effects.ts b/packages/app/src/docker-git/menu-auth-effects.ts
@@ -4,6 +4,7 @@ import {
   authClaudeLogin,
   authClaudeLogout,
   authGeminiLogin,
+  authGeminiLoginOauth,
   authGeminiLogout,
   authGithubLogin,
   claudeAuthRoot,
@@ -30,47 +31,43 @@ const resolveLabelOption = (values: Readonly<Record<string, string>>): string |
   return labelValue.length > 0 ? labelValue : null
 }
 
+const resolveGithubOauthEffect = (labelOption: string | null, globalEnvPath: string) =>
+  authGithubLogin({
+    _tag: "AuthGithubLogin",
+    label: labelOption,
+    token: null,
+    scopes: null,
+    envGlobalPath: globalEnvPath
+  })
+
+const resolveClaudeOauthEffect = (labelOption: string | null) =>
+  authClaudeLogin({ _tag: "AuthClaudeLogin", label: labelOption, claudeAuthPath: claudeAuthRoot })
+
+const resolveClaudeLogoutEffect = (labelOption: string | null) =>
+  authClaudeLogout({ _tag: "AuthClaudeLogout", label: labelOption, claudeAuthPath: claudeAuthRoot })
+
+const resolveGeminiOauthEffect = (labelOption: string | null) =>
+  authGeminiLoginOauth({ _tag: "AuthGeminiLogin", label: labelOption, geminiAuthPath: geminiAuthRoot })
+
+const resolveGeminiApiKeyEffect = (labelOption: string | null, apiKey: string) =>
+  authGeminiLogin({ _tag: "AuthGeminiLogin", label: labelOption, geminiAuthPath: geminiAuthRoot }, apiKey)
+
+const resolveGeminiLogoutEffect = (labelOption: string | null) =>
+  authGeminiLogout({ _tag: "AuthGeminiLogout", label: labelOption, geminiAuthPath: geminiAuthRoot })
+
 export const resolveAuthPromptEffect = (
   view: AuthPromptView,
   cwd: string,
   values: Readonly<Record<string, string>>
 ): Effect.Effect<void, AppError, MenuEnv> => {
   const labelOption = resolveLabelOption(values)
   return Match.value(view.flow).pipe(
-    Match.when("GithubOauth", () =>
-      authGithubLogin({
-        _tag: "AuthGithubLogin",
-        label: labelOption,
-        token: null,
-        scopes: null,
-        envGlobalPath: view.snapshot.globalEnvPath
-      })),
-    Match.when("ClaudeOauth", () =>
-      authClaudeLogin({
-        _tag: "AuthClaudeLogin",
-        label: labelOption,
-        claudeAuthPath: claudeAuthRoot
-      })),
-    Match.when("ClaudeLogout", () =>
-      authClaudeLogout({
-        _tag: "AuthClaudeLogout",
-        label: labelOption,
-        claudeAuthPath: claudeAuthRoot
-      })),
-    Match.when("GeminiApiKey", () => {
-      const apiKey = (values["apiKey"] ?? "").trim()
-      return authGeminiLogin({
-        _tag: "AuthGeminiLogin",
-        label: labelOption,
-        geminiAuthPath: geminiAuthRoot
-      }, apiKey)
-    }),
-    Match.when("GeminiLogout", () =>
-      authGeminiLogout({
-        _tag: "AuthGeminiLogout",
-        label: labelOption,
-        geminiAuthPath: geminiAuthRoot
-      })),
+    Match.when("GithubOauth", () => resolveGithubOauthEffect(labelOption, view.snapshot.globalEnvPath)),
+    Match.when("ClaudeOauth", () => resolveClaudeOauthEffect(labelOption)),
+    Match.when("ClaudeLogout", () => resolveClaudeLogoutEffect(labelOption)),
+    Match.when("GeminiOauth", () => resolveGeminiOauthEffect(labelOption)),
+    Match.when("GeminiApiKey", () => resolveGeminiApiKeyEffect(labelOption, (values["apiKey"] ?? "").trim())),
+    Match.when("GeminiLogout", () => resolveGeminiLogoutEffect(labelOption)),
     Match.when("GithubRemove", (flow) => writeAuthFlow(cwd, flow, values)),
     Match.when("GitSet", (flow) => writeAuthFlow(cwd, flow, values)),
     Match.when("GitRemove", (flow) => writeAuthFlow(cwd, flow, values)),
diff --git a/packages/app/src/docker-git/menu-auth.ts b/packages/app/src/docker-git/menu-auth.ts
@@ -100,7 +100,8 @@ const submitAuthPrompt = (view: AuthPromptView, context: AuthInputContext) => {
       const label = defaultLabel(nextValues["label"] ?? "")
       const effect = resolveAuthPromptEffect(view, context.state.cwd, nextValues)
       runAuthPromptEffect(effect, view, label, { ...context, cwd: context.state.cwd }, {
-        suspendTui: view.flow === "GithubOauth" || view.flow === "ClaudeOauth" || view.flow === "ClaudeLogout"
+        suspendTui: view.flow === "GithubOauth" || view.flow === "ClaudeOauth" || view.flow === "ClaudeLogout" ||
+          view.flow === "GeminiOauth"
       })
     }
   )
diff --git a/packages/app/src/docker-git/menu-project-auth-gemini.ts b/packages/app/src/docker-git/menu-project-auth-gemini.ts
@@ -5,18 +5,19 @@ import { Effect } from "effect"
 import { hasFileAtPath } from "./menu-project-auth-helpers.js"
 
 // CHANGE: add Gemini CLI account credentials check for project auth
-// WHY: enable Gemini CLI authentication verification at project level
-// QUOTE(ТЗ): "Добавь поддержку gemini CLI"
-// REF: issue-146
+// WHY: enable Gemini CLI authentication verification at project level (API key or OAuth)
+// QUOTE(ТЗ): "Добавь поддержку gemini CLI", "Типо ждал пока мы вставим ссылку"
+// REF: issue-146, PR-147 comment from skulidropek
 // SOURCE: https://geminicli.com/docs/get-started/authentication/
 // FORMAT THEOREM: forall accountPath: hasGeminiAccountCredentials(fs, accountPath) = boolean | PlatformError
 // PURITY: SHELL
 // EFFECT: Effect<boolean, PlatformError>
-// INVARIANT: returns true only if valid API key exists
+// INVARIANT: returns true only if valid API key or OAuth credentials exist
 // COMPLEXITY: O(1)
 
 const apiKeyFileName = ".api-key"
 const envFileName = ".env"
+const geminiCredentialsDir = ".gemini"
 
 const hasNonEmptyApiKey = (
   fs: FileSystem.FileSystem,
@@ -54,6 +55,39 @@ const hasApiKeyInEnvFile = (
     return false
   })
 
+// CHANGE: check for OAuth credentials in .gemini directory
+// WHY: Gemini CLI stores OAuth tokens in ~/.gemini after successful OAuth flow
+// QUOTE(ТЗ): "Типо ждал пока мы вставим ссылку"
+// REF: issue-146, PR-147 comment
+// FORMAT THEOREM: hasOauthCredentials(fs, accountPath) -> boolean
+// PURITY: SHELL
+// INVARIANT: checks for existence of OAuth credential files
+// COMPLEXITY: O(1)
+const hasOauthCredentials = (
+  fs: FileSystem.FileSystem,
+  accountPath: string
+): Effect.Effect<boolean, PlatformError> =>
+  Effect.gen(function*(_) {
+    const credentialsDir = `${accountPath}/${geminiCredentialsDir}`
+    const dirExists = yield* _(hasFileAtPath(fs, credentialsDir))
+    if (!dirExists) {
+      return false
+    }
+    // Check for various possible credential files Gemini CLI might create
+    const possibleFiles = [
+      `${credentialsDir}/oauth-tokens.json`,
+      `${credentialsDir}/credentials.json`,
+      `${credentialsDir}/application_default_credentials.json`
+    ]
+    for (const filePath of possibleFiles) {
+      const fileExists = yield* _(hasFileAtPath(fs, filePath))
+      if (fileExists) {
+        return true
+      }
+    }
+    return false
+  })
+
 export const hasGeminiAccountCredentials = (
   fs: FileSystem.FileSystem,
   accountPath: string
@@ -63,6 +97,13 @@ export const hasGeminiAccountCredentials = (
       if (hasApiKey) {
         return Effect.succeed(true)
       }
-      return hasApiKeyInEnvFile(fs, `${accountPath}/${envFileName}`)
+      return hasApiKeyInEnvFile(fs, `${accountPath}/${envFileName}`).pipe(
+        Effect.flatMap((hasEnvApiKey) => {
+          if (hasEnvApiKey) {
+            return Effect.succeed(true)
+          }
+          return hasOauthCredentials(fs, accountPath)
+        })
+      )
     })
   )
diff --git a/packages/app/src/docker-git/menu-types.ts b/packages/app/src/docker-git/menu-types.ts
@@ -84,6 +84,7 @@ export type AuthFlow =
   | "GitRemove"
   | "ClaudeOauth"
   | "ClaudeLogout"
+  | "GeminiOauth"
   | "GeminiApiKey"
   | "GeminiLogout"
 
diff --git a/packages/lib/src/usecases/auth-gemini-oauth.ts b/packages/lib/src/usecases/auth-gemini-oauth.ts
diff --git a/packages/lib/src/usecases/auth-gemini.ts b/packages/lib/src/usecases/auth-gemini.ts

Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,8 @@ const submitAuthPrompt = (view: AuthPromptView, context: AuthInputContext) => {`
`100`	`100`	`const label = defaultLabel(nextValues["label"] ?? "")`
`101`	`101`	`const effect = resolveAuthPromptEffect(view, context.state.cwd, nextValues)`
`102`	`102`	`runAuthPromptEffect(effect, view, label, { ...context, cwd: context.state.cwd }, {`
`103`		`- suspendTui: view.flow === "GithubOauth" \|\| view.flow === "ClaudeOauth" \|\| view.flow === "ClaudeLogout"`
	`103`	`+ suspendTui: view.flow === "GithubOauth" \|\| view.flow === "ClaudeOauth" \|\| view.flow === "ClaudeLogout" \|\|`
	`104`	`+ view.flow === "GeminiOauth"`
`104`	`105`	`})`
`105`	`106`	`}`
`106`	`107`	`)`