fix(cloud_function): return full base64 state for v0.0.9+ compatibility

[bs-nubank]

Problem

Starting with workspace-server v0.0.9, the OAuth callback state validation was updated to decode the full base64 JSON payload returned by the cloud function, then extract the csrf field from it:

// v0.0.9 — extension/server/index.js
const i = searchParams.get('state');
const A = JSON.parse(Buffer.from(i, 'base64').toString('utf8'));
const g = A?.csrf ?? null;
if (!i || g !== localCsrfToken) {
  res.end('State mismatch. Possible CSRF attack.');
}

However, the cloud function still returns only the raw csrf hex string in the state parameter:

// cloud_function/index.js (before this fix)
if (payload.csrf) {
  finalUrl.searchParams.append('state', payload.csrf); // e.g. "daf5b690a71e..."
}

When the extension receives this raw hex value and tries to Buffer.from(hex, 'base64') → JSON.parse, it fails silently, sets csrf to null, and the validation always returns:

State mismatch. Possible CSRF attack.

This makes every browser-based auth attempt on v0.0.9 fail. Users are stuck in a broken auth loop — the only workaround is the headless login (node index.js login).

Root cause

The extension code was updated in v0.0.9 to a new validation protocol (decode the full state, extract csrf) but the cloud function was not updated to match — it still uses the old protocol (return only the raw csrf hex).

Fix — 3 commits

1. fix(cloud_function): Return original state parameter unchanged

// After this fix
if (state) {
  finalUrl.searchParams.append('state', state); // full base64 JSON, as sent originally
}

2. fix(auth): Support both state formats in AuthManager for backward compatibility

⚠️ Backward compatibility issue discovered after the initial commit.

The cloud function fix changes the state value from raw hex to full base64 JSON. workspace-server ≤v0.0.7 compares the returned state directly against the local csrfToken (raw hex) — so after the cloud function is updated, those users would break.

AuthManager.authWithWeb now handles both formats:

// Try base64 JSON first (v0.0.9+ cloud function)
const decoded = JSON.parse(Buffer.from(returnedState, 'base64').toString('utf8'));
if (typeof decoded?.csrf === 'string') {
  csrfFromState = decoded.csrf;
}
// Fallback: treat as raw hex token (≤v0.0.7 cloud function)
if (!csrfFromState) csrfFromState = returnedState;

if (!csrfFromState || csrfFromState !== csrfToken) {
  res.end('State mismatch. Possible CSRF attack.');
}

This means both old and new cloud function versions work without a coordinated rollout.

3. Tests

• cloud_function/index.test.js — 6 tests for state passthrough logic (verifies fix is correct, verifies old behaviour is gone)
• workspace-server/src/__tests__/auth/AuthManager.test.ts — 6 tests for CSRF extraction covering both format variants, null/empty state, and edge cases

How to reproduce

1. Install the Google Workspace extension v0.0.9 in Claude Desktop / Cowork
2. Trigger any Google Workspace tool — the auth flow opens a browser
3. Authorize in Google
4. Observe: State mismatch. Possible CSRF attack. in the browser

Workaround (until this is deployed)

node "/path/to/Claude Extensions/ant.dir.ant.0x55979e1.google-workspace/server/index.js" login

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[gemini-code-assist]

Code Review

This pull request updates the handleCallback function in cloud_function/index.js to return the original base64-encoded state parameter instead of the extracted hex CSRF token, aiming to support newer workspace-server versions. Feedback indicates that this change is currently incompatible with the existing server-side validation logic in AuthManager.ts, which expects the raw hex token, and suggests that a coordinated update is necessary to avoid breaking the authentication flow.

[gemini-code-assist]

The change to return the full base64-encoded state string is incompatible with the current implementation of the callback validation in workspace-server/src/auth/AuthManager.ts.

In AuthManager.ts (lines 356-361), the server expects the state parameter to be the raw hex CSRF token and performs a direct comparison:

const returnedState = qs.get('state');
if (returnedState !== csrfToken) {
  res.end('State mismatch. Possible CSRF attack.');
  // ...
}

If the cloud function is updated to return the base64-encoded JSON string, this comparison will fail because returnedState (base64) will not match csrfToken (hex). This will break the authentication flow for all users of the current server implementation.

To resolve this, the server-side logic in AuthManager.ts must be updated to decode the base64 state and extract the csrf field before validation, as mentioned in the PR description. Please ensure that the server-side changes are included in this PR or a coordinated update.