google auth flows#9526

Draft
Light2Dark wants to merge 6 commits into
mainfrom
sham/google-auth

Conversation

@Light2Dark
Collaborator

@Light2Dark Light2Dark commented May 12, 2026

📝 Summary

Supports authentication with google drive / other google auth services in remote sandbox runtimes like molab.
Shim for pydata-google-auth

📋 Pre-Review Checklist

  • For large changes, or changes that affect the public API: this change was discussed or approved through an issue, on Discord, or the community discussions (Please provide a link if applicable).
  • Any AI generated code has been reviewed line-by-line by the human PR author, who stands by it.
  • Video or media evidence is provided for any visual changes (optional).

✅ Merge Checklist

  • I have read the contributor guidelines.
  • Documentation has been updated where applicable, including docstrings for API changes.
  • Tests have been added for the changes made.

@vercel

vercel Bot commented May 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
marimo-docs Ready Ready Preview, Comment May 26, 2026 9:25am

@github-actions github-actions Bot added the bash-focus Area to focus on during release bug bash label May 12, 2026
@Light2Dark Light2Dark added the enhancement New feature or request label May 12, 2026
@codecov

codecov Bot commented May 12, 2026

Bundle Report

Changes will increase total bundle size by 13.54kB (0.05%) ⬆️. This is within the configured threshold ✅

Detailed changes
Bundle name Size Change
marimo-esm 25.28MB 13.54kB (0.05%) ⬆️

Affected Assets, Files, and Routes:

Assets Changed:

Asset Name Size Change Total Size Change (%)
assets/cells-*.js 3 bytes 709.93kB 0.0%
assets/JsonOutput-*.js 52 bytes 556.7kB 0.01%
assets/index-*.js -8 bytes 431.37kB -0.0%
assets/index-*.css 50 bytes 366.96kB 0.01%
assets/edit-*.js 15 bytes 325.19kB 0.0%
assets/layout-*.js 13.42kB 212.16kB 6.75% ⚠️
assets/add-*.js 2 bytes 201.99kB 0.0%
assets/cell-*.js -1 bytes 184.14kB -0.0%
assets/panels-*.js -1 bytes 47.89kB -0.0%
assets/session-*.js 1 bytes 25.04kB 0.0%

Files in assets/JsonOutput-*.js:

  • ./src/components/editor/Output.tsx → Total Size: 19.33kB

Files in assets/layout-*.js:

  • ./src/core/google-auth/types.ts → Total Size: 3.11kB

  • ./src/components/editor/output/console/AuthRequest.tsx → Total Size: 19.38kB

  • ./src/components/editor/output/console/ConsoleOutput.tsx → Total Size: 14.82kB

  • ./src/core/google-auth/parent-bridge.ts → Total Size: 4.57kB

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

2 issues found across 25 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="frontend/src/core/google-auth/types.ts">

<violation number="1" location="frontend/src/core/google-auth/types.ts:108">
P1: `isMarimoGauthResult` is an unsound type guard: it accepts `ok`/`error` messages without validating their required status-specific fields.</violation>
</file>

<file name="frontend/src/core/google-auth/parent-bridge.ts">

<violation number="1" location="frontend/src/core/google-auth/parent-bridge.ts:120">
P1: The `onMessage` handler does not validate `event.source === window.parent`, allowing any window (not just the parent frame) to inject forged `MARIMO_GAUTH_RESULT` messages containing a fake `access_token`. Add a source check at the top of the handler to restrict processing to messages from the expected parent frame.</violation>
</file>
Architecture diagram
sequenceDiagram
    participant UserCode as User Notebook Code
    participant PatchedLib as pydata-google-auth
    participant ColabAuth as google.colab.auth
    participant Bridge as _bridge (marimo-google-auth)
    participant KernelStdin as marimo Kernel (stdin)
    participant Console as marimo Console Channel
    participant FEConsole as Frontend Console
    participant AuthUI as AuthRequest.tsx Component
    participant ParentBridge as parent-bridge.ts
    participant ParentFrame as Parent Frame / Molab

    Note over UserCode,ParentFrame: NEW: Google Auth Round-Trip (Happy Path)

    alt Direct authenticate_user() call
        UserCode->>ColabAuth: authenticate_user(scopes=["drive"])
    else pydata-google-auth library call
        UserCode->>PatchedLib: get_user_credentials(scopes=["drive"])
        PatchedLib->>ColabAuth: CHANGED: _patched_get_colab_default_credentials(scopes)
        Note over ColabAuth: NEW: forwards scopes via _marimo_scopes
    end

    ColabAuth->>ColabAuth: Check in-memory token cache
    alt Cache valid and scopes satisfied
        ColabAuth-->>UserCode: Return cached Credentials
    else Cache miss or expired
        ColabAuth->>Bridge: NEW: request_auth(scopes)
        Bridge->>Bridge: Build JSON envelope (protocol_version, request_id, scopes)
        Bridge->>KernelStdin: NEW: sys.stdin._request_auth(payload)
        Note over KernelStdin: NEW: Enqueue to STDIN channel
        KernelStdin->>Console: ConsoleMsg(mimetype="application/x-marimo-auth-request")
        Console-->>FEConsole: CellOutput with AUTH_REQUEST_MIMETYPE

        alt Parent frame available (molab environment)
            FEConsole->>AuthUI: Render AuthRequest component
            AuthUI->>ParentBridge: NEW: startGoogleAuthFromParent({requestId, scopes})
            ParentBridge-->>ParentFrame: postMessage MARIMO_GAUTH_REQUEST
            ParentFrame-->>ParentFrame: Drive Clerk OAuth / token polling
            alt User needs to grant scopes
                ParentFrame-->>ParentBridge: postMessage MARIMO_GAUTH_NEEDS_LINK
                ParentBridge-->>AuthUI: Fire onNeedsLink callback
                AuthUI->>AuthUI: Render "Sign in" button
                User clicks button ->>AuthUI: onClick handler
                Note over AuthUI: Synchronous call for user-activation
                AuthUI->>ParentBridge: sendOpenLink()
                ParentBridge-->>ParentFrame: postMessage MARIMO_GAUTH_OPEN_LINK
                ParentFrame-->>ParentFrame: Open popup, run OAuth flow
            else Token already valid
                Note over ParentFrame: Skips NEEDS_LINK
            end
            ParentFrame-->>ParentBridge: postMessage MARIMO_GAUTH_RESULT (access_token)
            ParentBridge-->>AuthUI: Resolve promise with result
            AuthUI->>AuthUI: Submit response to kernel via onSubmit()
            AuthUI->>FEConsole: Callback with JSON response envelope
            FEConsole->>Console: POST /api/kernel/stdin
            Console->>KernelStdin: Write response to input_queue
        else No parent frame (self-hosted)
            AuthUI->>AuthUI: Show error: "Parent frame unavailable"
            Note over AuthUI: FUTURE: Could wire GIS popup fallback here
        end

        KernelStdin-->>Bridge: Return raw JSON response
        Bridge->>Bridge: NEW: Validate response (schema, request_id, protocol_version)
        alt Valid response
            Bridge-->>ColabAuth: Parsed response dict
            ColabAuth->>ColabAuth: Write ADC file & sidecar scopes
            ColabAuth->>ColabAuth: Build google.oauth2.credentials.Credentials
            ColabAuth-->>UserCode: Return Credentials with .token populated
        else Invalid or error response
            Bridge-->>ColabAuth: Raise AuthRequestRejectedError / AuthResponseValidationError
            ColabAuth-->>UserCode: Raise AuthError
        end
    end

    Note over KernelStdin,ParentFrame: Opt-in debug logging (MARIMO_AUTH_DEBUG_LOG)
    KernelStdin->>KernelStdin: NEW: Write timestamped log to file
    Bridge->>Bridge: NEW: Mirror write to same file (metadata only)
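The two frontend findings above (an unsound `isMarimoGauthResult` guard and an `onMessage` handler that does not check `event.source`) can be addressed together. The following is an added example, not the PR's own `parent-bridge.ts` or `types.ts`: a reply handler that only accepts `MARIMO_GAUTH_RESULT` messages from the expected parent window and origin, and a type guard whose `ok` and `error` branches each require their own fields. The `requestId`, `status`, `error` and origin field names are assumptions about the wire format.

```typescript
// Added example, not the PR's code: a hardened parent-bridge reply handler.
// Field names other than type, access_token and ok/error are assumptions.

type GauthResult =
  | { type: "MARIMO_GAUTH_RESULT"; requestId: string; status: "ok"; access_token: string }
  | { type: "MARIMO_GAUTH_RESULT"; requestId: string; status: "error"; error: string };

// Minimal stand-in for the browser MessageEvent so the code runs without a DOM.
interface BridgeEvent {
  source: unknown;
  origin: string;
  data: unknown;
}

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null;
}

// Sound type guard: a message claiming status "ok" must carry a non-empty
// access_token, and one claiming "error" must carry an error string.
function isGauthResult(data: unknown): data is GauthResult {
  if (!isRecord(data) || data.type !== "MARIMO_GAUTH_RESULT") return false;
  if (typeof data.requestId !== "string") return false;
  if (data.status === "ok") {
    const token = data.access_token;
    return typeof token === "string" && token.length > 0;
  }
  if (data.status === "error") return typeof data.error === "string";
  return false;
}

// Returns the validated result, or null when the message must be ignored.
function acceptParentResult(
  event: BridgeEvent,
  expectedSource: unknown,
  expectedOrigin: string,
  pendingRequestId: string,
): GauthResult | null {
  // Any window can postMessage into this frame; only the parent may answer.
  if (event.source !== expectedSource) return null;
  // Pin the deployer's origin rather than trusting whatever the sender claims.
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (!isGauthResult(data)) return null;
  // Drop replies that do not match the request currently in flight.
  if (data.requestId !== pendingRequestId) return null;
  return data;
}
```

In the real bridge, `expectedSource` would be `window.parent` captured when `MARIMO_GAUTH_REQUEST` is sent, and `expectedOrigin` the configured parent origin used in that `postMessage` call.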
Contributor

Copilot AI left a comment

Pull request overview

Adds a kernel↔frontend auth-request stdin channel and a marimo-google-auth shim that emulates Colab’s google.colab.auth.authenticate_user() so libraries using pydata-google-auth can work in remote/sandboxed runtimes (e.g., molab) without the localhost OAuth flow.

Changes:

  • Introduces a new stdin mimetype (application/x-marimo-auth-request) and kernel plumbing (sys.stdin._request_auth) with optional round-trip tracing.
  • Adds marimo-google-auth (Google Colab shim + pydata-google-auth patch + ADC writer) plus unit tests.
  • Adds frontend UI + parent-frame bridge for interactive Google auth in embedded deployments.

Reviewed changes

Copilot reviewed 25 out of 25 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
packages/openapi/src/api.ts Extends OpenAPI-generated TS types to include the new auth-request mimetype.
packages/openapi/api.yaml Extends OpenAPI spec to include the new auth-request mimetype.
packages/marimo-google-auth/tests/test_patch.py Tests idempotent install/uninstall behavior for the pydata-google-auth monkey patch.
packages/marimo-google-auth/tests/test_bridge.py Tests request/response validation and error cases for the stdin auth bridge.
packages/marimo-google-auth/tests/test_auth.py Tests google.colab.auth.authenticate_user caching and error behavior.
packages/marimo-google-auth/tests/test_adc.py Tests ADC + sidecar writing behavior and restrictive permissions.
packages/marimo-google-auth/tests/conftest.py Shared fixtures (fake stdin bridge, tmp ADC paths, cache reset).
packages/marimo-google-auth/src/google/colab/auth.py Implements Colab-like authenticate_user() backed by stdin bridge + ADC write + in-process cache.
packages/marimo-google-auth/src/google/colab/_patch.py Monkey-patches pydata_google_auth to route credentials through the shim and avoid ADC refresh pitfalls.
packages/marimo-google-auth/src/google/colab/_bridge.py Implements the JSON envelope round-trip over sys.stdin._request_auth.
packages/marimo-google-auth/src/google/colab/_adc.py Writes authorized_user-style ADC + a granted-scopes sidecar with sentinel refresh/client secrets.
packages/marimo-google-auth/src/google/colab/init.py Auto-installs the pydata patch on import (with env-var escape hatch).
packages/marimo-google-auth/README.md Documents purpose, deployer contract, and local dev workflow for the shim.
packages/marimo-google-auth/pyproject.toml Defines the new distribution and its dependencies/extras.
packages/marimo-google-auth/LICENSE Adds the package license file.
marimo/_smoke_tests/google_colab_auth_round_trip.py Developer-facing interactive notebook to exercise the full colab shim chain.
marimo/_smoke_tests/google_auth_round_trip.py Developer-facing interactive notebook to exercise the raw _request_auth round trip.
marimo/_messaging/streams.py Adds _auth_debug_log and implements ThreadSafeStdin._request_auth.
marimo/_messaging/mimetypes.py Adds the new auth-request mimetype to known/console mimetype literals.
frontend/src/core/google-auth/types.ts Defines TS wire types/type guards for the google-auth parent bridge protocol.
frontend/src/core/google-auth/parent-bridge.ts Implements iframe↔parent postMessage flow to obtain tokens.
frontend/src/core/google-auth/tests/parent-bridge.test.ts Adds vitest coverage for the parent-bridge request lifecycle.
frontend/src/components/editor/output/console/ConsoleOutput.tsx Routes stdin auth-request outputs to the new <AuthRequest> UI.
frontend/src/components/editor/output/console/AuthRequest.tsx Implements the inline auth consent card + retry + kernel response submission.
frontend/src/components/editor/Output.tsx Explicitly ignores auth-request mimetype in non-stdin rendering paths.

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 9 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="packages/marimo-google-auth/src/google/colab/_adc.py">

<violation number="1" location="packages/marimo-google-auth/src/google/colab/_adc.py:149">
P2: The owned-path tracker keeps stale historical paths, so a later default-path write can clear a user-set `GOOGLE_APPLICATION_CREDENTIALS` if it matches any old path previously written by this process.</violation>
</file>

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 11 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="packages/marimo-google-auth/src/google/colab/_adc.py">

<violation number="1" location="packages/marimo-google-auth/src/google/colab/_adc.py:38">
P1: `datetime.UTC` is not available on Python 3.10, but this package supports 3.10. This import will crash module import on supported runtimes.</violation>
</file>

import logging
import os
import time
from datetime import UTC, datetime
Contributor

P1: datetime.UTC is not available on Python 3.10, but this package supports 3.10. This import will crash module import on supported runtimes.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/marimo-google-auth/src/google/colab/_adc.py, line 38:

<comment>`datetime.UTC` is not available on Python 3.10, but this package supports 3.10. This import will crash module import on supported runtimes.</comment>

<file context>
@@ -35,6 +35,7 @@
 import logging
 import os
 import time
+from datetime import UTC, datetime
 from pathlib import Path
 from typing import TYPE_CHECKING
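Review bot: the added line `from datetime import UTC, datetime` only resolves on Python 3.11 and later, since `datetime.UTC` was introduced in 3.11; on 3.10, which this package declares support for, the module fails at import time before any auth code runs. Replace it with `from datetime import datetime, timezone` and use `timezone.utc` (e.g. `datetime.now(timezone.utc)`) at the call sites, which behaves identically on every supported version, and consider adding a 3.10 job to the test matrix so this class of import error is caught by CI.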
</file context>
