fix(auth): handle revocation and file removal errors properly

gerfalcon · gerfalcon · commit 14a2dfebbc4c · 2026-03-18T11:00:35.000+04:00
Warn the user when token revocation fails (network error or non-200
response) so they know the old token may still be valid server-side.

Return errors when credential/cache file removal fails (ignoring
NotFound) instead of silently continuing with stale files.
diff --git a/src/auth_commands.rs b/src/auth_commands.rs
@@ -331,22 +331,51 @@ async fn handle_login(args: &[String]) -> Result<(), GwsError> {
         let prev_set: HashSet<&str> = prev_scopes.iter().map(|s| s.as_str()).collect();
         let new_set: HashSet<&str> = scopes.iter().map(|s| s.as_str()).collect();
         if prev_set != new_set {
-            // Best-effort revocation: load the old refresh token and revoke it.
+            // Revoke the old refresh token so Google removes the prior consent grant.
             if let Ok(creds_str) = credential_store::load_encrypted() {
                 if let Ok(creds) = serde_json::from_str::<serde_json::Value>(&creds_str) {
                     if let Some(rt) = creds.get("refresh_token").and_then(|v| v.as_str()) {
                         let client = reqwest::Client::new();
-                        let _ = client
+                        match client
                             .post("https://oauth2.googleapis.com/revoke")
                             .form(&[("token", rt)])
                             .send()
-                            .await;
+                            .await
+                        {
+                            Ok(resp) if resp.status().is_success() => {}
+                            Ok(resp) => {
+                                eprintln!(
+                                    "Warning: token revocation returned HTTP {}. \
+                                     The old token may still be valid on Google's side.",
+                                    resp.status()
+                                );
+                            }
+                            Err(e) => {
+                                eprintln!(
+                                    "Warning: could not revoke old token ({e}). \
+                                     The old token may still be valid on Google's side."
+                                );
+                            }
+                        }
                     }
                 }
             }
-            // Clear local credential and cache files regardless of revocation result.
-            let _ = std::fs::remove_file(credential_store::encrypted_credentials_path());
-            let _ = std::fs::remove_file(token_cache_path());
+            // Clear local credential and cache files to force a fresh login.
+            let enc_path = credential_store::encrypted_credentials_path();
+            if let Err(e) = std::fs::remove_file(&enc_path) {
+                if e.kind() != std::io::ErrorKind::NotFound {
+                    return Err(GwsError::Auth(format!(
+                        "Failed to remove old credentials file: {e}. Please remove it manually."
+                    )));
+                }
+            }
+            if let Err(e) = std::fs::remove_file(token_cache_path()) {
+                if e.kind() != std::io::ErrorKind::NotFound {
+                    return Err(GwsError::Auth(format!(
+                        "Failed to remove old token cache: {e}. Please remove it manually."
+                    )));
+                }
+            }
             eprintln!("Scopes changed — revoked previous credentials.");
         }
     }
