revert: keep Google Chat OAuth secret + active_provider profile-scoped (#39398)
* Revert "fix(gateway): anchor Google Chat OAuth client secret to default Hermes root" This reverts commitfff0561441. * Revert "fix(cli): honor global-root active_provider fallback for named profiles" This reverts commit3858cf4307. * docs(google_chat): describe OAuth client secret as profile-scoped, not host-wide The setup docs, oauth docstring, and the adapter's 'no credentials' error message all described the Google Chat OAuth client secret as host-wide shared infrastructure. That contradicts profile isolation: profiles are separate auth boundaries, so two profiles can point at different Google OAuth apps / accounts. Reword all three to say the secret is profile-scoped and each profile registers its own.
This commit is contained in:
Teknium
@ -1322,38 +1322,10 @@ def get_provider_auth_state(provider_id: str) -> Optional[Dict[str, Any]]:
|
||||
return _load_provider_state(auth_store, provider_id)
|
||||
|
||||
|
||||
def _active_provider_from_store(auth_store: Dict[str, Any]) -> Optional[str]:
|
||||
"""Return the active provider for a loaded auth store.
|
||||
|
||||
In profile mode, falls back to the global-root ``auth.json`` when the
|
||||
profile store has no ``active_provider`` set. This mirrors the per-provider
|
||||
shadowing already used by ``_load_provider_state`` and
|
||||
``read_credential_pool``: a named profile that never selected its own
|
||||
provider still resolves the provider the user authenticated at the global
|
||||
root (e.g. a Nous OAuth login), so ``model.provider: auto`` works under a
|
||||
profile. A profile that has its own ``active_provider`` always wins; the
|
||||
fallback only fires when the profile has none. Returns ``None`` when
|
||||
neither scope has one. In classic mode ``_load_global_auth_store`` returns
|
||||
an empty dict, so this is a no-op. See issue #18594 follow-up.
|
||||
"""
|
||||
active = auth_store.get("active_provider")
|
||||
if active:
|
||||
return active
|
||||
global_store = _load_global_auth_store()
|
||||
if global_store:
|
||||
return global_store.get("active_provider")
|
||||
return None
|
||||
|
||||
|
||||
def get_active_provider() -> Optional[str]:
|
||||
"""Return the currently active provider ID from auth store.
|
||||
|
||||
In profile mode this falls back to the global-root ``active_provider``
|
||||
when the profile has not selected one of its own — see
|
||||
``_active_provider_from_store``.
|
||||
"""
|
||||
"""Return the currently active provider ID from auth store."""
|
||||
auth_store = _load_auth_store()
|
||||
return _active_provider_from_store(auth_store)
|
||||
return auth_store.get("active_provider")
|
||||
|
||||
|
||||
def is_provider_explicitly_configured(provider_id: str) -> bool:
|
||||
@ -1575,14 +1547,10 @@ def resolve_provider(
|
||||
if explicit_api_key or explicit_base_url:
|
||||
return "openrouter"
|
||||
|
||||
# Check auth store for an active OAuth provider. In profile mode this
|
||||
# honors the global-root active_provider when the profile has none of its
|
||||
# own, mirroring the credential-pool / provider-state fallbacks so a
|
||||
# named profile running model.provider: auto can use a globally
|
||||
# authenticated provider. See issue #18594 follow-up.
|
||||
# Check auth store for an active OAuth provider
|
||||
try:
|
||||
auth_store = _load_auth_store()
|
||||
active = _active_provider_from_store(auth_store)
|
||||
active = auth_store.get("active_provider")
|
||||
if active and active in PROVIDER_REGISTRY:
|
||||
status = get_auth_status(active)
|
||||
if status.get("logged_in"):
|
||||
|
||||
Reference in New Issue
Block a user