Fix: Convert scopes set to list in Credentials.__init__ (#1898)

This PR addresses an issue where passing a `set` of scopes to
`Credentials` causes `to_json` to fail and introduces inconsistent
mutability behavior if handled via a property accessor.

Changes:
- Modified `google.oauth2.credentials.Credentials.__init__` to convert
`scopes` to a `list` if it is a `set`.
- Updated `google.oauth2.credentials.Credentials.scopes` property
docstring to `Optional[Sequence[str]]`.
- Added a regression test `test_init_with_set_scopes` in
`tests/oauth2/test_credentials.py` to verify the fix, ensuring type
conversion, object stability, and serialization support.
- Updated `tests/test__oauth2client.py` to relax strict equality checks
on `scopes` (comparing as `sets`) to accommodate the new behavior where
internal storage is enforced as a `list`.

This PR supercedes PR #1145 which potentially introduced a mutability
inconsistency and failed to address a type correctness issue. This PR
avoids both of those concerns.

1. Mutability Inconsistency: If `._scopes` is a `set`, the `scopes`
property returns a new `list` every time it is accessed.

* If the user modifies this list (e.g.
`creds.scopes.append("new_scope")`), the modification is lost because
the next access returns a fresh list **from the underlying set**.
* If `_scopes` was originally a list (passed in `__init__`),
`creds.scopes` returns the same list reference, so modifications are
preserved. This inconsistent behavior between "set-initialized" and
"list-initialized" credentials is a potential bug trap.

2. Type correctness: The scopes argument in `__init__` is documented as
`Sequence[str]`. A set is not a `Sequence` (it's not indexable/ordered).
While Python is lenient, it is better to normalize the input at the
boundary (`__init__`) rather than in the accessor.

Moving the conversion logic to `__init__` ensures:

* _scopes is always a list (or `None`).
* Access to .scopes always returns the stored list (consistent
mutability).
* `to_json` works correctly because it accesses `self.scopes` (or
self._scopes).

---
*PR created automatically by Jules for task
[15605314498929918698](https://jules.google.com/task/15605314498929918698)
started by @chalmerlowe*

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: Chalmer Lowe <[email protected]>

Author: google-labs-jules[bot]

google/auth/transport/_aiohttp_requests.py

@@ -79,7 +79,7 @@ def data(self):
 
     async def raw_content(self):
         if self._raw_content is None:
-            self._raw_content = await self._response.read()
+            self._raw_content = await self._response.content.read()
         return self._raw_content
 
     async def content(self):

google/oauth2/credentials.py

@@ -141,7 +141,10 @@ def __init__(
         self.expiry = expiry
         self._refresh_token = refresh_token
         self._id_token = id_token
-        self._scopes = scopes
+        if scopes is not None and isinstance(scopes, set):
+            self._scopes = list(scopes)
+        else:
+            self._scopes = scopes
         self._default_scopes = default_scopes
         self._granted_scopes = granted_scopes
         self._token_uri = token_uri
@@ -207,7 +210,7 @@ def refresh_token(self):
 
     @property
     def scopes(self):
-        """Optional[str]: The OAuth 2.0 permission scopes."""
+        """Optional[Sequence[str]]: The OAuth 2.0 permission scopes."""
         return self._scopes
 
     @property

tests/oauth2/test_credentials.py

@@ -55,6 +55,31 @@ def make_credentials(cls):
             enable_reauth_refresh=True,
         )
 
+    def test_init_with_set_scopes(self):
+        # Regression test for https://github.com/googleapis/google-auth-library-python/issues/1145
+        scopes_set = {"a", "b"}
+        creds = credentials.Credentials(token="token", scopes=scopes_set)
+
+        # Verify scopes are converted to a list
+        assert isinstance(creds.scopes, list)
+        assert set(creds.scopes) == scopes_set
+
+        # Verify internal storage is a list (ensure consistent mutability)
+        assert isinstance(creds._scopes, list)
+
+        # Verify consistency (property returns the same object)
+        assert creds.scopes is creds.scopes
+
+        # Verify modifications persist
+        creds.scopes.append("c")
+        assert "c" in creds.scopes
+        assert len(creds.scopes) == 3
+
+        # Verify to_json works
+        json_output = creds.to_json()
+        data = json.loads(json_output)
+        assert set(data["scopes"]) == {"a", "b", "c"}
+
     def test_default_state(self):
         credentials = self.make_credentials()
         assert not credentials.valid

tests/test__oauth2client.py

@@ -56,7 +56,7 @@ def test__convert_oauth2_credentials():
     assert new_credentials._client_id == old_credentials.client_id
     assert new_credentials._client_secret == old_credentials.client_secret
     assert new_credentials._token_uri == old_credentials.token_uri
-    assert new_credentials.scopes == old_credentials.scopes
+    assert set(new_credentials.scopes) == set(old_credentials.scopes)
 
 
 def test__convert_service_account_credentials():

tests_async/transport/test_aiohttp_requests.py

@@ -40,7 +40,7 @@ def test__is_compressed_not(self):
     @pytest.mark.asyncio
     async def test_raw_content(self):
         mock_response = mock.AsyncMock()
-        mock_response.read.return_value = mock.sentinel.read
+        mock_response.content.read.return_value = mock.sentinel.read
         combined_response = aiohttp_requests._CombinedResponse(response=mock_response)
         raw_content = await combined_response.raw_content()
         assert raw_content == mock.sentinel.read
@@ -53,7 +53,7 @@ async def test_raw_content(self):
     @pytest.mark.asyncio
     async def test_content(self):
         mock_response = mock.AsyncMock()
-        mock_response.read.return_value = mock.sentinel.read
+        mock_response.content.read.return_value = mock.sentinel.read
         combined_response = aiohttp_requests._CombinedResponse(response=mock_response)
         content = await combined_response.content()
         assert content == mock.sentinel.read