From 1ee52fe82392872a6b9a9ff16615ea86c02ae644 Mon Sep 17 00:00:00 2001 From: zerone0x Date: Sun, 8 Mar 2026 14:26:23 +0800 Subject: [PATCH] fix: use gmail.readonly scope in +triage to avoid metadata scope 403 The +triage helper uses the `q` query parameter when listing messages, but Gmail's metadata scope does not support `q` and returns 403. When a user's OAuth token includes both gmail.metadata and gmail.modify scopes, the API may resolve to the metadata code path and reject the query. Switch +triage from gmail.modify to gmail.readonly, which is the minimum scope that supports query filtering and aligns with the read-only nature of the triage command. Fixes #265 Co-Authored-By: Claude Opus 4.6 --- .changeset/fix-gmail-triage-scope.md | 5 +++++ src/helpers/gmail/mod.rs | 1 + src/helpers/gmail/triage.rs | 8 ++++++-- 3 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 .changeset/fix-gmail-triage-scope.md diff --git a/.changeset/fix-gmail-triage-scope.md b/.changeset/fix-gmail-triage-scope.md new file mode 100644 index 00000000..c14c6287 --- /dev/null +++ b/.changeset/fix-gmail-triage-scope.md @@ -0,0 +1,5 @@ +--- +"@googleworkspace/cli": patch +--- + +Fix gmail +triage 403 error by using gmail.readonly scope instead of gmail.modify to avoid conflict with gmail.metadata scope that does not support the q parameter diff --git a/src/helpers/gmail/mod.rs b/src/helpers/gmail/mod.rs index b7019d53..da82d1e6 100644 --- a/src/helpers/gmail/mod.rs +++ b/src/helpers/gmail/mod.rs @@ -34,6 +34,7 @@ use std::pin::Pin; pub struct GmailHelper; pub(super) const GMAIL_SCOPE: &str = "https://www.googleapis.com/auth/gmail.modify"; +pub(super) const GMAIL_READONLY_SCOPE: &str = "https://www.googleapis.com/auth/gmail.readonly"; pub(super) const PUBSUB_SCOPE: &str = "https://www.googleapis.com/auth/pubsub"; impl Helper for GmailHelper { diff --git a/src/helpers/gmail/triage.rs b/src/helpers/gmail/triage.rs index 6899d4a8..d8adffba 100644 --- a/src/helpers/gmail/triage.rs +++ b/src/helpers/gmail/triage.rs @@ -32,8 +32,12 @@ pub async fn handle_triage(matches: &ArgMatches) -> Result<(), GwsError> { .map(|s| crate::formatter::OutputFormat::from_str(s)) .unwrap_or(crate::formatter::OutputFormat::Table); - // Authenticate - let token = auth::get_token(&[GMAIL_SCOPE]) + // Authenticate — use gmail.readonly instead of gmail.modify because triage + // is read-only and the `q` query parameter is not supported under the + // gmail.metadata scope. When a token carries both metadata and modify + // scopes the API may resolve to the metadata path and reject `q` with 403. + // gmail.readonly always supports `q`. + let token = auth::get_token(&[GMAIL_READONLY_SCOPE]) .await .map_err(|e| GwsError::Auth(format!("Gmail auth failed: {e}")))?;