
fix(auth): validate --subscription in gmail +watch and deduplicate PUBSUB_API_BASE#441

Merged
jpoehnelt merged 2 commits into main from fix/validate-watch-subscription on Mar 12, 2026

Conversation

@jpoehnelt (Member)

Summary

Follow-up to #407 — addresses items identified during review:

  1. Deduplicate PUBSUB_API_BASE — moved constant to helpers/mod.rs so both events/subscribe.rs and gmail/watch.rs share a single definition
  2. Validate --subscription in gmail +watch — adds validate_resource_name() call in parse_watch_args, matching what events +subscribe already does (line 54)
  3. Replace hardcoded URLs — setup-phase Pub/Sub and Gmail API URLs now use PUBSUB_API_BASE and GMAIL_API_BASE constants

Closes #408

Test Plan

  • cargo clippy -- -D warnings — clean
  • cargo test — 584 passed, 0 failed
  • New test: test_parse_watch_args_rejects_traversal_subscription validates path traversal rejection

…BSUB_API_BASE

- Move PUBSUB_API_BASE constant to helpers/mod.rs (shared by events/subscribe and gmail/watch)
- Add validate_resource_name on --subscription in gmail +watch parse_watch_args
- Replace remaining hardcoded Pub/Sub and Gmail API URLs with constants
- Add test for --subscription path traversal rejection

Closes #408
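A worked illustration of the check this PR describes (validate_resource_name on --subscription before the Pub/Sub URL is built, with the base URL held in one shared constant). This is an added example, not code from the googleworkspace/cli project: its real validate_resource_name, parse_watch_args and PUBSUB_API_BASE are not reproduced here, and the function names, the base URL value, the accepted character set and the 512-byte cap below are assumptions. The security point is that the subscription name is spliced into a request path, so a value such as projects/p/subscriptions/../../other, or one carrying ? or %, would change which endpoint the CLI calls; pinning the value to the exact projects/{id}/subscriptions/{id} shape and rejecting dot segments closes that off before any URL exists.

```rust
// Added example, not the googleworkspace/cli project's code. It shows why a
// Pub/Sub resource name taken from --subscription must be validated before it
// is spliced into a request URL, and one conservative way to do it.
use std::fmt;

/// Assumed value; the project keeps its own PUBSUB_API_BASE in helpers/mod.rs.
pub const PUBSUB_API_BASE: &str = "https://pubsub.googleapis.com/v1";

/// Assumed upper bound on a full resource name (Pub/Sub IDs are at most 255 chars).
const MAX_NAME_LEN: usize = 512;

#[derive(Debug, PartialEq, Eq)]
pub enum ResourceNameError {
    /// Not exactly `projects/{id}/{collection}/{id}`.
    WrongShape,
    /// An id segment is empty, is `.` or `..`, or holds a disallowed character.
    BadSegment(String),
    TooLong,
}

impl fmt::Display for ResourceNameError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::WrongShape => write!(f, "resource name must look like projects/{{id}}/<collection>/{{id}}"),
            Self::BadSegment(s) => write!(f, "invalid resource id segment {:?}", s),
            Self::TooLong => write!(f, "resource name too long"),
        }
    }
}

/// One id segment: non-empty, not a dot segment, and only characters that
/// cannot change the meaning of a URL path. '%' is rejected on purpose so an
/// encoded '/' or '?' cannot be smuggled past the splitting below.
fn segment_ok(seg: &str) -> bool {
    if seg.is_empty() || seg == "." || seg == ".." {
        return false;
    }
    seg.chars()
        .all(|c| c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.' | '~' | '+'))
}

/// Accept only `projects/{project}/{collection}/{id}`, where `collection` is
/// "subscriptions" for --subscription or "topics" for a Gmail watch topic.
pub fn validate_resource_name(name: &str, collection: &str) -> Result<(), ResourceNameError> {
    if name.len() > MAX_NAME_LEN {
        return Err(ResourceNameError::TooLong);
    }
    let parts: Vec<&str> = name.split('/').collect();
    // Any extra or missing segment (a `..` that adds segments, a leading '/')
    // fails here, so traversal cannot reshape the path; empty segments such as
    // a trailing '/' are caught by segment_ok below.
    if parts.len() != 4 || parts[0] != "projects" || parts[2] != collection {
        return Err(ResourceNameError::WrongShape);
    }
    for seg in [parts[1], parts[3]] {
        if !segment_ok(seg) {
            return Err(ResourceNameError::BadSegment(seg.to_string()));
        }
    }
    Ok(())
}

/// Build the pull URL only after the name has passed validation, so the
/// caller cannot reach any endpoint other than `<subscription>:pull`.
pub fn pull_url(subscription: &str) -> Result<String, ResourceNameError> {
    validate_resource_name(subscription, "subscriptions")?;
    Ok(format!("{}/{}:pull", PUBSUB_API_BASE, subscription))
}

fn main() {
    // Constructed sample inputs: one legitimate name and three hostile ones.
    let inputs = [
        "projects/my-proj/subscriptions/gws-cli-sub",
        "projects/my-proj/subscriptions/..",
        "projects/my-proj/subscriptions/../../../v1/projects/other/subscriptions/s",
        "projects/my-proj/subscriptions/s?key=x",
    ];
    for name in inputs {
        match pull_url(name) {
            Ok(url) => println!("OK   {}", url),
            Err(e) => println!("FAIL {:?}: {}", name, e),
        }
    }
}
```

The shape check runs before any per-segment check, so a traversal attempt that adds segments is rejected as a whole rather than partially accepted, and the same function serves the Gmail watch topic by passing "topics" as the collection.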
changeset-bot bot commented Mar 12, 2026

🦋 Changeset detected

Latest commit: 44bd878

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@googleworkspace/cli Patch


@googleworkspace-bot googleworkspace-bot added the labels "area: core" (Core CLI parsing, commands, error handling, utilities) and "cla: yes" (This human has signed the Contributor License Agreement), and removed the label "area: auth", Mar 12, 2026
@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the gmail +watch command by enhancing its robustness and maintainability. It introduces crucial validation for subscription arguments to prevent potential security vulnerabilities and centralizes API base URLs to eliminate duplication and simplify future updates. These changes contribute to a more secure and cleaner codebase without altering the core functionality.

Highlights

  • Subscription Validation: Implemented validation for the --subscription argument in gmail +watch to prevent path traversal issues, mirroring existing validation in events +subscribe.
  • API Base URL Deduplication: The PUBSUB_API_BASE constant was moved to a central helpers/mod.rs file, ensuring a single source of truth for the Pub/Sub API base URL across events/subscribe.rs and gmail/watch.rs.
  • Hardcoded URL Replacement: Replaced hardcoded Pub/Sub and Gmail API URLs in gmail/watch.rs with the newly centralized PUBSUB_API_BASE and existing GMAIL_API_BASE constants for improved maintainability.
  • New Test Case: Added a new test, test_parse_watch_args_rejects_traversal_subscription, to specifically verify that invalid subscription resource names are correctly rejected.
Changelog
  • .changeset/validate-watch-subscription.md
    • Added a new changeset file documenting subscription validation and constant deduplication.
  • src/helpers/events/subscribe.rs
    • Removed the local PUBSUB_API_BASE constant.
    • Updated the import to use the shared PUBSUB_API_BASE constant from src/helpers/mod.rs.
  • src/helpers/gmail/watch.rs
    • Removed the local PUBSUB_API_BASE constant.
    • Updated the import to use the shared PUBSUB_API_BASE constant from src/helpers/mod.rs.
    • Replaced hardcoded Pub/Sub API URLs with the PUBSUB_API_BASE constant.
    • Replaced hardcoded Gmail API URLs with the GMAIL_API_BASE constant.
    • Implemented validate_resource_name() for the --subscription argument.
    • Added test_parse_watch_args_rejects_traversal_subscription to validate subscription input.
  • src/helpers/mod.rs
    • Introduced a new PUBSUB_API_BASE constant for shared use across modules.
Activity
  • This PR is a follow-up to fix(auth): refresh OAuth2 tokens in long-running watch/subscribe loops #407, addressing items identified during its review.
  • The author confirmed that cargo clippy -- -D warnings runs clean.
  • All cargo test cases passed (584 passed, 0 failed).
  • A new test, test_parse_watch_args_rejects_traversal_subscription, was added to validate path traversal rejection.

codecov bot commented Mar 12, 2026

Codecov Report

❌ Patch coverage is 66.66667% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.22%. Comparing base (3dcf818) to head (44bd878).
⚠️ Report is 1 commits behind head on main.

File                               Patch %   Lines missing
src/helpers/gmail/watch.rs         73.68%    5
src/helpers/events/subscribe.rs     0.00%    2
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #441      +/-   ##
==========================================
+ Coverage   67.20%   67.22%   +0.02%     
==========================================
  Files          38       38              
  Lines       16666    16679      +13     
==========================================
+ Hits        11200    11213      +13     
  Misses       5466     5466              


@gemini-code-assist gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request deduplicates the PUBSUB_API_BASE constant for better maintainability and adds security validation for the --subscription argument in gmail +watch. My review includes one comment to complete the replacement of all hardcoded URLs.

@github-actions github-actions bot added the gemini: reviewed Gemini Code Assist has reviewed the latest changes label Mar 12, 2026
@github-actions github-actions bot removed the gemini: reviewed Gemini Code Assist has reviewed the latest changes label Mar 12, 2026
@googleworkspace-bot (Collaborator)

/gemini review

@jpoehnelt jpoehnelt merged commit 86ea6de into main Mar 12, 2026
23 checks passed
@jpoehnelt jpoehnelt deleted the fix/validate-watch-subscription branch March 12, 2026 20:26
@gemini-code-assist gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request introduces several improvements focused on maintainability and security. The PUBSUB_API_BASE constant has been deduplicated into a shared module, src/helpers/mod.rs, removing redundant definitions. A critical security validation has been added for the --subscription argument in the gmail +watch command to prevent path traversal vulnerabilities, and this is backed by a new test case. Additionally, hardcoded Pub/Sub and Gmail API URLs have been replaced with their respective constants. The changes are correct and well-implemented. I have not found any issues requiring changes.

@github-actions github-actions bot added the gemini: reviewed Gemini Code Assist has reviewed the latest changes label Mar 12, 2026

Development

Successfully merging this pull request may close these issues.

Missing validate_resource_name on subscription/topic names in watch and subscribe helpers

3 participants