Replace deprecated OOB auth flow with headless-compatible redirect flow

Google deprecated the OAuth out-of-band (OOB) flow in October 2022, causing
"Error 400: invalid_request" when using authorize_using_code=true. Replace
with a hybrid localhost redirect flow that supports both automatic browser
redirect and manual URL paste for remote/SSH scenarios.

Changes:
- Add auth module with headless_login() supporting stdin URL paste
- Always use HTTPPortRedirect instead of broken Interactive (OOB) method
- Add configurable auth_port option (default: 8081) for redirect server
- Add url, urlencoding, reqwest dependencies for OAuth token exchange

Author: harababurel

Cargo.lock

@@ -1,7 +1,7 @@
 [package]
 name = "gcsf"
 description = "Filesystem based on Google Drive"
-version = "0.3.3"
+version = "0.3.4"
 repository = "https://github.com/harababurel/gcsf"
 authors = ["Sergiu Puscas <srg.pscs@gmail.com>"]
 license = "MIT"
@@ -34,6 +34,9 @@ serde_derive = "1.0.228"
 serde_json = "1.0.145"
 time = "0.3"
 tokio = { version = "1.48", features = ["full"] }
+url = "2"
+urlencoding = "2"
+reqwest = { version = "0.12", features = ["blocking", "json"] }
 xdg = "3.0.0"
 
 # The profile that 'dist' will build with

Cargo.toml

@@ -0,0 +1,241 @@
+//! Headless OAuth authentication for remote/SSH scenarios.
+//!
+//! This module provides authentication for users running GCSF on remote servers
+//! where the browser is on a different machine. It supports both automatic localhost
+//! redirect (when browser and GCSF are on the same machine) and manual URL paste
+//! (when they're on different machines).
+
+use failure::{err_msg, Error};
+use serde::{Deserialize, Serialize};
+use std::io::{BufRead, BufReader, Write};
+use std::net::TcpListener;
+use std::path::Path;
+use std::sync::mpsc;
+use std::thread;
+use std::time::Duration;
+use time::OffsetDateTime;
+use url::Url;
+
+/// Token structure compatible with yup_oauth2's storage format.
+#[derive(Serialize)]
+struct StoredTokenEntry {
+    scopes: Vec<String>,
+    token: StoredToken,
+}
+
+#[derive(Serialize)]
+struct StoredToken {
+    access_token: String,
+    refresh_token: String,
+    /// Time tuple: (year, day_of_year, hour, minute, second, nanosecond, 0, 0, 0)
+    expires_at: (i32, u16, u8, u8, u8, u32, u8, u8, u8),
+    id_token: Option<String>,
+}
+
+#[derive(Deserialize)]
+struct TokenResponse {
+    access_token: String,
+    refresh_token: Option<String>,
+    expires_in: Option<u64>,
+    #[allow(dead_code)]
+    token_type: String,
+}
+
+/// Performs headless OAuth login.
+///
+/// Starts a server on the specified port and also accepts pasted redirect URLs.
+/// Returns the authorization code from whichever method succeeds first.
+pub fn headless_login(
+    client_id: &str,
+    client_secret: &str,
+    token_file: &Path,
+    port: u16,
+) -> Result<(), Error> {
+    let redirect_uri = format!("http://127.0.0.1:{}", port);
+
+    // Build the authorization URL
+    let auth_url = format!(
+        "https://accounts.google.com/o/oauth2/auth?\
+         client_id={}&\
+         redirect_uri={}&\
+         response_type=code&\
+         scope=https://www.googleapis.com/auth/drive&\
+         access_type=offline&\
+         prompt=consent",
+        urlencoding::encode(client_id),
+        urlencoding::encode(&redirect_uri)
+    );
+
+    println!("\n=== GCSF Authentication ===\n");
+    println!("Please visit this URL to authorize GCSF:\n");
+    println!("{}\n", auth_url);
+    println!("After authorizing:");
+    println!("  - If running locally: authentication completes automatically");
+    println!("  - If on a remote server: copy the FULL URL from your browser");
+    println!("    (it will show 'connection refused') and paste it below\n");
+
+    // Get code via redirect server or manual paste
+    let code = get_auth_code(port)?;
+
+    // Exchange code for tokens
+    let tokens = exchange_code_for_tokens(client_id, client_secret, &code, &redirect_uri)?;
+
+    // Save tokens in yup_oauth2 format
+    save_tokens(token_file, &tokens)?;
+
+    Ok(())
+}
+
+/// Waits for auth code from either localhost redirect or stdin paste.
+fn get_auth_code(port: u16) -> Result<String, Error> {
+    let (tx, rx) = mpsc::channel::<Result<String, String>>();
+
+    // Spawn thread to listen for HTTP redirect
+    let tx_http = tx.clone();
+    thread::spawn(move || {
+        if let Ok(listener) = TcpListener::bind(format!("127.0.0.1:{}", port)) {
+            listener.set_nonblocking(false).ok();
+            if let Ok((mut stream, _)) = listener.accept() {
+                let mut reader = BufReader::new(&stream);
+                let mut request_line = String::new();
+                if reader.read_line(&mut request_line).is_ok() {
+                    // Parse: GET /?code=xxx&scope=... HTTP/1.1
+                    if let Some(code) = extract_code_from_request(&request_line) {
+                        // Send success response to browser
+                        let response = "HTTP/1.1 200 OK\r\n\
+                            Content-Type: text/html\r\n\r\n\
+                            <html><body><h1>Success!</h1>\
+                            <p>You can close this window and return to GCSF.</p>\
+                            </body></html>";
+                        stream.write_all(response.as_bytes()).ok();
+                        tx_http.send(Ok(code)).ok();
+                        return;
+                    }
+                }
+            }
+        }
+        tx_http.send(Err("HTTP listener failed".to_string())).ok();
+    });
+
+    // Spawn thread to read from stdin
+    let tx_stdin = tx;
+    thread::spawn(move || {
+        print!("Paste redirect URL here (or wait for automatic redirect): ");
+        std::io::stdout().flush().ok();
+
+        let stdin = std::io::stdin();
+        for line in stdin.lock().lines().map_while(Result::ok) {
+            let trimmed = line.trim();
+            if trimmed.is_empty() {
+                continue;
+            }
+            if let Some(code) = extract_code_from_url(trimmed) {
+                tx_stdin.send(Ok(code)).ok();
+                return;
+            } else {
+                println!("Could not find 'code' parameter in URL. Please try again.");
+                print!("Paste redirect URL: ");
+                std::io::stdout().flush().ok();
+            }
+        }
+    });
+
+    // Wait for either method (with timeout)
+    match rx.recv_timeout(Duration::from_secs(300)) {
+        Ok(Ok(code)) => {
+            println!("\nAuthorization code received!");
+            Ok(code)
+        }
+        Ok(Err(e)) => Err(err_msg(e)),
+        Err(_) => Err(err_msg("Authentication timed out after 5 minutes")),
+    }
+}
+
+/// Extract code from HTTP request line: "GET /?code=xxx&scope=... HTTP/1.1"
+fn extract_code_from_request(request_line: &str) -> Option<String> {
+    let parts: Vec<&str> = request_line.split_whitespace().collect();
+    if parts.len() >= 2 {
+        let path = parts[1];
+        let full_url = format!("http://localhost{}", path);
+        extract_code_from_url(&full_url)
+    } else {
+        None
+    }
+}
+
+/// Extract code from full URL or path with query string
+fn extract_code_from_url(url_str: &str) -> Option<String> {
+    Url::parse(url_str).ok().and_then(|url| {
+        url.query_pairs()
+            .find(|(key, _)| key == "code")
+            .map(|(_, value)| value.to_string())
+    })
+}
+
+/// Exchange authorization code for access/refresh tokens
+fn exchange_code_for_tokens(
+    client_id: &str,
+    client_secret: &str,
+    code: &str,
+    redirect_uri: &str,
+) -> Result<TokenResponse, Error> {
+    let client = reqwest::blocking::Client::new();
+
+    let response = client
+        .post("https://oauth2.googleapis.com/token")
+        .form(&[
+            ("client_id", client_id),
+            ("client_secret", client_secret),
+            ("code", code),
+            ("grant_type", "authorization_code"),
+            ("redirect_uri", redirect_uri),
+        ])
+        .send()
+        .map_err(|e| err_msg(format!("Token request failed: {}", e)))?;
+
+    if response.status().is_success() {
+        response
+            .json::<TokenResponse>()
+            .map_err(|e| err_msg(format!("Failed to parse token response: {}", e)))
+    } else {
+        let error_text = response.text().unwrap_or_default();
+        Err(err_msg(format!("Token exchange failed: {}", error_text)))
+    }
+}
+
+/// Save tokens in yup_oauth2 compatible JSON format
+fn save_tokens(path: &Path, tokens: &TokenResponse) -> Result<(), Error> {
+    // Calculate expiration time
+    let now = OffsetDateTime::now_utc();
+    let expires_in_secs = tokens.expires_in.unwrap_or(3600) as i64;
+    let expires_at = now + time::Duration::seconds(expires_in_secs);
+
+    let entry = StoredTokenEntry {
+        scopes: vec!["https://www.googleapis.com/auth/drive".to_string()],
+        token: StoredToken {
+            access_token: tokens.access_token.clone(),
+            refresh_token: tokens.refresh_token.clone().unwrap_or_default(),
+            expires_at: (
+                expires_at.year(),
+                expires_at.ordinal(),
+                expires_at.hour(),
+                expires_at.minute(),
+                expires_at.second(),
+                expires_at.nanosecond(),
+                0,
+                0,
+                0,
+            ),
+            id_token: None,
+        },
+    };
+
+    // yup_oauth2 expects an array of token entries
+    let json = serde_json::to_string(&vec![entry])
+        .map_err(|e| err_msg(format!("Failed to serialize tokens: {}", e)))?;
+
+    std::fs::write(path, json)
+        .map_err(|e| err_msg(format!("Failed to write token file: {}", e)))?;
+
+    Ok(())
+}

src/gcsf/auth.rs

@@ -33,6 +33,8 @@ pub struct Config {
     pub skip_trash: Option<bool>,
     /// The Google OAuth client secret for Google Drive APIs (see <https://console.developers.google.com>)
     pub client_secret: Option<String>,
+    /// Port for OAuth redirect during authentication.
+    pub auth_port: Option<u16>,
 }
 
 impl Config {
@@ -120,4 +122,9 @@ impl Config {
     pub fn client_secret(&self) -> &String {
         self.client_secret.as_ref().unwrap()
     }
+
+    /// Port for OAuth redirect during authentication. Default is 8081.
+    pub fn auth_port(&self) -> u16 {
+        self.auth_port.unwrap_or(8081)
+    }
 }

src/gcsf/config.rs

@@ -103,11 +103,8 @@ impl DriveFacade {
         let auth = rt.block_on(
             oauth2::InstalledFlowAuthenticator::builder(
                 secret,
-                if config.authorize_using_code() {
-                    oauth2::InstalledFlowReturnMethod::Interactive
-                } else {
-                    oauth2::InstalledFlowReturnMethod::HTTPPortRedirect(8081)
-                },
+                // Always use HTTPPortRedirect - the OOB/Interactive flow is deprecated by Google
+                oauth2::InstalledFlowReturnMethod::HTTPPortRedirect(config.auth_port()),
             )
             .persist_tokens_to_disk(config.token_file())
             .build(),

src/gcsf/drive_facade.rs

@@ -3,6 +3,7 @@ pub use self::drive_facade::DriveFacade;
 pub use self::file::{File, FileId};
 pub use self::file_manager::FileManager;
 
+pub mod auth;
 mod config;
 mod drive_facade;
 mod file;

src/gcsf/mod.rs

@@ -124,6 +124,7 @@ mod gcsf;
 
 pub use crate::gcsf::filesystem::{Gcsf, NullFs};
 pub use crate::gcsf::{Config, DriveFacade, FileManager};
+pub use crate::gcsf::auth;
 
 #[cfg(test)]
 mod tests;

src/lib.rs

@@ -48,7 +48,7 @@ const INFO_LOG: &str =
 
 #[derive(Parser)]
 #[command(name = "GCSF")]
-#[command(version = "0.3.3")]
+#[command(version = "0.3.4")]
 #[command(author = "Sergiu Puscas <srg.pscs@gmail.com>")]
 #[command(about = "File system based on Google Drive")]
 #[command(after_help = "Note: this is a work in progress. It might cause data loss. Use with caution.")]
@@ -138,6 +138,10 @@ mount_options = [
 # This is usually faster and more convenient.
 authorize_using_code = false
 
+# Port for OAuth redirect during authentication. Change this if port 8081
+# is already in use by another application.
+auth_port = 8081
+
 # If set to true, all files with identical name will get an increasing number
 # attached to the suffix. This is most likely not necessary.
 rename_identical_files = false
@@ -280,7 +284,31 @@ fn main() {
         Commands::Login { session_name } => {
             config.session_name = Some(session_name);
 
-            match login(&mut config) {
+            if config.token_file().exists() {
+                error!("Token file {:?} already exists.", config.token_file());
+                return;
+            }
+
+            let result = if config.authorize_using_code() {
+                // Headless mode: use manual URL paste flow for remote servers
+                let secret: serde_json::Value =
+                    serde_json::from_str(config.client_secret()).expect("Invalid client_secret");
+                let installed = &secret["installed"];
+
+                gcsf::auth::headless_login(
+                    installed["client_id"].as_str().expect("Missing client_id"),
+                    installed["client_secret"]
+                        .as_str()
+                        .expect("Missing client_secret"),
+                    &config.token_file(),
+                    config.auth_port(),
+                )
+            } else {
+                // Standard mode: automatic localhost redirect
+                login(&mut config)
+            };
+
+            match result {
                 Ok(_) => {
                     println!(
                         "Successfully logged in. Saved credentials to {:?}",