From 07412deca45d46f7fc6b6076688693be0f51bceb Mon Sep 17 00:00:00 2001 From: YeonGyu-Kim Date: Thu, 8 Jan 2026 23:31:47 +0900 Subject: [PATCH] fix(antigravity): sync plugin.ts with PKCE-removed oauth.ts API Remove decodeState import and update OAuth flow to use simple state string comparison for CSRF protection instead of PKCE verifier. Update exchangeCode calls to match new signature (code, redirectUri, clientId, clientSecret). --- src/auth/antigravity/plugin.ts | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/src/auth/antigravity/plugin.ts b/src/auth/antigravity/plugin.ts index 3554e1f3..182fcc47 100644 --- a/src/auth/antigravity/plugin.ts +++ b/src/auth/antigravity/plugin.ts @@ -33,7 +33,6 @@ import { exchangeCode, startCallbackServer, fetchUserInfo, - decodeState, } from "./oauth" import { createAntigravityFetch } from "./fetch" import { fetchProjectContext } from "./project" @@ -248,7 +247,7 @@ export async function createGoogleAntigravityAuthPlugin({ */ authorize: async (): Promise => { const serverHandle = startCallbackServer() - const { url, verifier } = await buildAuthURL(undefined, cachedClientId, serverHandle.port) + const { url, state: expectedState } = await buildAuthURL(undefined, cachedClientId, serverHandle.port) const browserOpened = await openBrowserURL(url) @@ -277,15 +276,15 @@ export async function createGoogleAntigravityAuthPlugin({ return { type: "failed" as const } } - const state = decodeState(result.state) - if (state.verifier !== verifier) { + if (result.state !== expectedState) { if (process.env.ANTIGRAVITY_DEBUG === "1") { - console.error("[antigravity-plugin] PKCE verifier mismatch") + console.error("[antigravity-plugin] State mismatch - possible CSRF attack") } return { type: "failed" as const } } - const tokens = await exchangeCode(result.code, verifier, cachedClientId, cachedClientSecret, serverHandle.port) + const redirectUri = `http://localhost:${serverHandle.port}/oauth-callback` + const tokens = await exchangeCode(result.code, redirectUri, cachedClientId, cachedClientSecret) if (!tokens.refresh_token) { serverHandle.close() @@ -343,7 +342,7 @@ export async function createGoogleAntigravityAuthPlugin({ if (!addAnother) break const additionalServerHandle = startCallbackServer() - const { url: additionalUrl, verifier: additionalVerifier } = await buildAuthURL( + const { url: additionalUrl, state: expectedAdditionalState } = await buildAuthURL( undefined, cachedClientId, additionalServerHandle.port @@ -373,24 +372,23 @@ export async function createGoogleAntigravityAuthPlugin({ continue } - const additionalState = decodeState(additionalResult.state) - if (additionalState.verifier !== additionalVerifier) { + if (additionalResult.state !== expectedAdditionalState) { additionalServerHandle.close() await client.tui.showToast({ body: { - message: "Verification failed, skipping...", + message: "State mismatch, skipping...", variant: "warning", }, }) continue } + const additionalRedirectUri = `http://localhost:${additionalServerHandle.port}/oauth-callback` const additionalTokens = await exchangeCode( additionalResult.code, - additionalVerifier, + additionalRedirectUri, cachedClientId, - cachedClientSecret, - additionalServerHandle.port + cachedClientSecret ) if (!additionalTokens.refresh_token) {