feat(js-client): Add Google Cloud authentication support #7
Merged
steren merged 1 commit into GoogleCloudPlatform:main from Jan 12, 2026
This PR introduces built-in authentication support for the JavaScript client, enabling secure connections to Cloud Run services protected by IAM.
### Key Changes
**1. Public API Update**
- Added `useGoogleAuth` (boolean) parameter to `Sandbox.create` and `Sandbox.attach` to enable automatic OIDC authentication.

**2. Authentication Logic**
- **Automatic OIDC:** Integrated `google-auth-library` to fetch OIDC ID tokens automatically when `useGoogleAuth` is enabled.
- **Fail-Fast & Refresh:** Implemented an internal `tokenProvider` mechanism that fetches a fresh ID token before every connection attempt.
- **Audience Derivation:** Automatically derives the correct OIDC audience from the connection URL, forcing the `https://` scheme to match Cloud Run requirements.

**3. Enhanced Error Reporting**
- **Actionable Hints:** Errors occurring during creation, restoration, or reconnection now include unified hints for 401/403 status codes, explicitly guiding users to enable `useGoogleAuth` or check permissions.
- **Troubleshooting:** Failures include a link to official Cloud Run troubleshooting documentation.

**4. Testing & Examples**
- **Unit Tests:** Added comprehensive tests in `sandbox.test.ts` and `connection.test.ts` covering auth flows, audience derivation, token freshness, session affinity, and error hints.
- **Examples:** Updated all JavaScript examples to use secure authentication (`useGoogleAuth: true`) by default.
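
The audience derivation and per-attempt token fetch described above, as an added example that is not code from this PR. `deriveAudience`, `connectWithAuth`, the injected `dial` transport and the host-only audience shape are assumptions made for illustration.

```javascript
'use strict';
// Added example: every function name here is hypothetical.

// Map a ws/wss/http/https connection URL to an OIDC audience:
// https scheme plus host, with path and query dropped (assumed shape).
function deriveAudience(connectionUrl) {
  const u = new URL(connectionUrl);
  if (!['ws:', 'wss:', 'http:', 'https:'].includes(u.protocol)) {
    throw new Error(`unsupported scheme ${u.protocol}`);
  }
  if (u.username || u.password) {
    throw new Error('connection URL must not embed credentials');
  }
  return `https://${u.host}`;
}

// Open one connection. tokenProvider(audience) is awaited on every call, so
// a reconnect never reuses a cached token, and a provider failure rejects
// before dial() runs (fail fast). dial(url, headers) is an injected
// transport that resolves to { status }.
async function connectWithAuth(connectionUrl, tokenProvider, dial) {
  const audience = deriveAudience(connectionUrl);
  const token = await tokenProvider(audience);
  if (typeof token !== 'string' || token.split('.').length !== 3) {
    throw new Error('token provider did not return a JWT-shaped ID token');
  }
  const res = await dial(connectionUrl, { Authorization: `Bearer ${token}` });
  if (res.status === 401 || res.status === 403) {
    // The error names the audience, never the token itself.
    throw new Error(`HTTP ${res.status} for audience ${audience}: ` +
      'check IAM permissions on the service');
  }
  return res;
}

// With google-auth-library the provider could be (needs network and ADC):
//   const { GoogleAuth } = require('google-auth-library');
//   const auth = new GoogleAuth();
//   const tokenProvider = async (aud) =>
//     (await auth.getIdTokenClient(aud)).idTokenProvider.fetchIdToken(aud);
```
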