From c660553c87ed9c880d028425a84bb88b76202735 Mon Sep 17 00:00:00 2001 From: Developer Date: Thu, 2 Apr 2026 14:19:10 +0800 Subject: [PATCH] security: replace hardcoded OAuth credentials with placeholders - Replace Google OAuth ClientID/Secret with placeholder values - Update test assertions to match new placeholder values --- backend/internal/pkg/antigravity/oauth.go | 4 ++-- backend/internal/pkg/antigravity/oauth_test.go | 4 ++-- backend/internal/pkg/geminicli/constants.go | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/backend/internal/pkg/antigravity/oauth.go b/backend/internal/pkg/antigravity/oauth.go index 8a8bed92..81d71b2c 100644 --- a/backend/internal/pkg/antigravity/oauth.go +++ b/backend/internal/pkg/antigravity/oauth.go @@ -23,7 +23,7 @@ const ( UserInfoURL = "https://www.googleapis.com/oauth2/v2/userinfo" // Antigravity OAuth 客户端凭证 - ClientID = "1071006060591-tmhssin2h21lcre235vtolojh4g403ep.apps.googleusercontent.com" + ClientID = "YOUR_CLIENT_ID.apps.googleusercontent.com" // AntigravityOAuthClientSecretEnv 是 Antigravity OAuth client_secret 的环境变量名。 AntigravityOAuthClientSecretEnv = "ANTIGRAVITY_OAUTH_CLIENT_SECRET" @@ -53,7 +53,7 @@ const ( var defaultUserAgentVersion = "1.20.5" // defaultClientSecret 可通过环境变量 ANTIGRAVITY_OAUTH_CLIENT_SECRET 配置 -var defaultClientSecret = "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" +var defaultClientSecret = "YOUR_CLIENT_SECRET" func init() { // 从环境变量读取版本号,未设置则使用默认值 diff --git a/backend/internal/pkg/antigravity/oauth_test.go b/backend/internal/pkg/antigravity/oauth_test.go index 3a093fe6..223ccdfa 100644 --- a/backend/internal/pkg/antigravity/oauth_test.go +++ b/backend/internal/pkg/antigravity/oauth_test.go 
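Review bot: The new `ClientID` placeholder is an untyped `const` with no runtime override, unlike the secret a few lines below, which is paired with `AntigravityOAuthClientSecretEnv`, so the OAuth flow cannot work in any build without editing this source file. If nothing depends on it being a compile-time constant, consider mirroring the secret's pattern — a `var` with an `ANTIGRAVITY_OAUTH_CLIENT_ID` environment override read in `init()` — or at minimum rewrite the kept comment `// Antigravity OAuth 客户端凭证` as `// Antigravity OAuth client ID — placeholder; replace with your own client ID before use` so the value is not mistaken for a working one. The enclosing `const (` block starts before and continues after this hunk.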
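Review bot: Swapping the literal for `YOUR_CLIENT_SECRET` does not revoke the `GOCSPX-…` secret visible on the removed line; it stays in git history and in this patch, so it should be rotated in the Google Cloud console and the commit message should say so. Separately, the placeholder is still a non-empty default, so when `ANTIGRAVITY_OAUTH_CLIENT_SECRET` is unset the literal string will presumably be sent to Google's token endpoint and fail as `invalid_client` rather than as a clear configuration error; if `getClientSecret` already rejects an empty secret, as the test message `getClientSecret 应返回默认值,但报错` hints it may, then `var defaultClientSecret = ""` would surface the misconfiguration at startup instead. `init()` continues outside this hunk.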
@@ -677,14 +677,14 @@ func TestConstants_值正确(t *testing.T) { if UserInfoURL != "https://www.googleapis.com/oauth2/v2/userinfo" { t.Errorf("UserInfoURL 不匹配: got %s", UserInfoURL) } - if ClientID != "1071006060591-tmhssin2h21lcre235vtolojh4g403ep.apps.googleusercontent.com" { + if ClientID != "YOUR_CLIENT_ID.apps.googleusercontent.com" { t.Errorf("ClientID 不匹配: got %s", ClientID) } secret, err := getClientSecret() if err != nil { t.Fatalf("getClientSecret 应返回默认值,但报错: %v", err) } - if secret != "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" { + if secret != "YOUR_CLIENT_SECRET" { t.Errorf("默认 client_secret 不匹配: got %s", secret) } if RedirectURI != "http://localhost:8085/callback" { diff --git a/backend/internal/pkg/geminicli/constants.go b/backend/internal/pkg/geminicli/constants.go index 97234ffd..5aa9e96c 100644 --- a/backend/internal/pkg/geminicli/constants.go +++ b/backend/internal/pkg/geminicli/constants.go @@ -38,8 +38,8 @@ const ( // GeminiCLIOAuthClientID/Secret are the public OAuth client credentials used by Google Gemini CLI. // They enable the "login without creating your own OAuth client" experience, but Google may // restrict which scopes are allowed for this client. - GeminiCLIOAuthClientID = "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com" - GeminiCLIOAuthClientSecret = "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" + GeminiCLIOAuthClientID = "YOUR_CLIENT_ID.apps.googleusercontent.com" + GeminiCLIOAuthClientSecret = "YOUR_CLIENT_SECRET" // GeminiCLIOAuthClientSecretEnv is the environment variable name for the built-in client secret. GeminiCLIOAuthClientSecretEnv = "GEMINI_CLI_OAUTH_CLIENT_SECRET"
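Review bot: The updated assertions pin `ClientID` and the default secret to the placeholder strings, so the test only passes while the credentials are non-functional and will break — or tempt someone to paste a real client ID back into the repository — as soon as a deployment configures real ones. A more useful check is that the environment override is honoured: `t.Setenv(AntigravityOAuthClientSecretEnv, "test-secret")` followed by asserting that `getClientSecret()` returns `"test-secret"`, leaving the default-value path to a non-empty check rather than an exact placeholder match. `TestConstants_值正确` begins and ends outside this hunk.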
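Review bot: The three-line comment kept above the new values still says these `are the public OAuth client credentials used by Google Gemini CLI` and enable login `without creating your own OAuth client`, which is no longer true of `YOUR_CLIENT_ID` / `YOUR_CLIENT_SECRET`; it should now read along the lines of `// GeminiCLIOAuthClientID/Secret are placeholders; supply your own OAuth client (the secret may also come from GeminiCLIOAuthClientSecretEnv) before the Gemini CLI login flow can work.` If the previous values really were the client credentials Google ships with the open-source Gemini CLI, as the old comment claims, replacing them removes working functionality without removing a secret, and the commit message should record that decision; if they were project-owned instead, the `GOCSPX-…` value on the removed line remains in history and should be rotated. The enclosing `const (` block begins before this hunk.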