refactor: Simplify Google Drive OAuth scopes management and add test for missing optional group scopes #1744

Open. ricofurtado wants to merge 3 commits into main from retrieving-only-the-required-scopes-for-google-drive-connector

@ricofurtado ricofurtado commented Jun 2, 2026

Google Drive OAuth was requesting Drive scopes plus optional Google Workspace group/admin scopes, then treating all of them as required. If Google withheld either optional scope, the OAuth callback could succeed, but the next connector status check would reject/delete the token and show Google Drive as not connected. That matches your symptom: consent flow completes, but ingestion/file selection never becomes enabled.

Summary by CodeRabbit

  • Bug Fixes
    • Google Drive authentication now treats saved credentials with required permissions as valid even if some optional scopes are missing, reducing unnecessary re-authentication prompts.
  • Refactor
    • Minor client request-building code adjusted for more explicit property assignment.
  • Tests
    • Added a unit test covering missing optional scopes and increased an integration test timeout to allow longer runs.

@github-actions github-actions Bot added backend 🔷 Issues related to backend services (OpenSearch, Langflow, APIs) tests labels Jun 2, 2026
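
The validation change described in the PR description above, as an added Python example (not code from this PR or the project). `OPTIONAL_GROUP_SCOPES`, `granted_scopes`, `missing`, `evaluate_token` and the sample tokens are hypothetical names; the scope URLs and `REQUIRED_SCOPES` are taken from the page.

```python
from __future__ import annotations

REQUIRED_SCOPES = [                                   # as named in the PR
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.metadata.readonly",
]
OPTIONAL_GROUP_SCOPES = [                             # hypothetical name
    "https://www.googleapis.com/auth/cloud-identity.groups.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
]
SCOPES = ["openid", "email", "profile", *REQUIRED_SCOPES, *OPTIONAL_GROUP_SCOPES]


def granted_scopes(token: dict) -> set[str]:
    """Scopes actually granted. OAuth responses carry a space-delimited
    "scope" string (RFC 6749, section 3.3); a stored token may hold a list."""
    raw = token.get("scope") or token.get("scopes") or []
    return set(raw.split() if isinstance(raw, str) else raw)


def missing(expected: list[str], token: dict) -> list[str]:
    have = granted_scopes(token)
    return [s for s in expected if s not in have]


def evaluate_token(token: dict) -> dict:
    """Pre-fix check (every entry of SCOPES) beside the post-fix check."""
    missing_required = missing(REQUIRED_SCOPES, token)
    return {
        "old_check_accepts": not missing(SCOPES, token),
        "new_check_accepts": not missing_required,   # fail closed on Drive scopes
        "missing_required": missing_required,
        # Optional scopes gate features only; they never invalidate the token.
        "missing_optional": missing(OPTIONAL_GROUP_SCOPES, token),
    }


# Constructed sample tokens (not real credentials).
PARTIAL_GRANT = {"scope": " ".join(["openid", "email", "profile", *REQUIRED_SCOPES])}
NO_DRIVE = {"scopes": ["openid", "email", "profile", *OPTIONAL_GROUP_SCOPES]}

if __name__ == "__main__":
    for name, tok in [("partial grant", PARTIAL_GRANT), ("no drive", NO_DRIVE)]:
        print(name, evaluate_token(tok))
```

The partial grant is the case from the description: the pre-fix check rejects it, the post-fix check accepts it, and a token without the Drive scopes is still rejected.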

coderabbitai Bot commented Jun 2, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between c0d1f1c and d7c1491.

📒 Files selected for processing (2)
  • sdks/typescript/src/documents.ts
  • sdks/typescript/tests/integration.test.ts
✅ Files skipped from review due to trivial changes (2)
  • sdks/typescript/src/documents.ts
  • sdks/typescript/tests/integration.test.ts

Walkthrough

GoogleDriveOAuth now separates required Drive read scopes into a REQUIRED_SCOPES class attribute and reconstructs SCOPES by unpacking REQUIRED_SCOPES alongside OIDC profile scopes. Token validation now checks only REQUIRED_SCOPES. A unit test verifies credentials load when only required scopes exist. Minor TypeScript SDK tweaks included.

Changes

Google Drive OAuth Scope Validation

| Layer / File(s) | Summary |
| --- | --- |
| Required scopes separation and validation (src/connectors/google_drive/oauth.py) | REQUIRED_SCOPES constant is introduced for Drive read scopes; SCOPES now unpacks REQUIRED_SCOPES with OIDC profile scopes; _missing_required_scopes() validates against REQUIRED_SCOPES instead of full SCOPES. |
| Test for optional scope tolerance (tests/unit/test_oauth_encryption.py) | New async test test_google_drive_auth_allows_missing_optional_group_scopes verifies credentials load successfully when a token contains only required scopes. |

TypeScript SDK tweaks

| Layer / File(s) | Summary |
| --- | --- |
| Documents.delete body keys and integration timeout (sdks/typescript/src/documents.ts, sdks/typescript/tests/integration.test.ts) | DocumentsClient.delete now assigns body["filename"] and body["filter_id"] using bracket notation; an integration test timeout was increased from 60_000 to 120_000. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • lucaseduoli
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: refactoring Google Drive OAuth scopes management and adding a test for missing optional scopes, which aligns with the core changes in the PR. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
src/connectors/google_drive/oauth.py (1)

21-33: 💤 Low value

Consider adding a docstring or comment to clarify the required vs. optional scope distinction.

The separation of REQUIRED_SCOPES from the full SCOPES list is clear in structure, but a brief comment explaining that group/admin scopes are optional (for workspace features) while Drive scopes are required (for core connector functionality) would help future maintainers understand the design intent.

📝 Suggested documentation addition
+    # Core Drive scopes required for all connector operations
     REQUIRED_SCOPES = [
         "https://www.googleapis.com/auth/drive.readonly",
         "https://www.googleapis.com/auth/drive.metadata.readonly",
     ]
 
+    # Full scope list: OIDC + required Drive scopes + optional Workspace group scopes
     SCOPES = [
         "openid",
         "email",
         "profile",
         *REQUIRED_SCOPES,
+        # Optional: group/admin scopes enable workspace group filtering but are not required
         "https://www.googleapis.com/auth/cloud-identity.groups.readonly",
         "https://www.googleapis.com/auth/admin.directory.group.readonly",
     ]
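Review bot: In SCOPES, the two group/admin entries are marked optional only by the added comment above them, so nothing in code ties "optional" to those URLs and the comment can drift from the list. Consider a named list (for example OPTIONAL_SCOPES) unpacked into SCOPES the same way REQUIRED_SCOPES is, so validation and any group-feature gating can reference it directly.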
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/connectors/google_drive/oauth.py` around lines 21 - 33, Add a short
docstring or inline comment above the REQUIRED_SCOPES and SCOPES definitions
clarifying that REQUIRED_SCOPES (e.g.,
"https://www.googleapis.com/auth/drive.readonly",
"https://www.googleapis.com/auth/drive.metadata.readonly") are mandatory for
core Google Drive connector functionality, while the additional scopes included
in SCOPES (the group/admin scopes such as
"https://www.googleapis.com/auth/cloud-identity.groups.readonly" and
"https://www.googleapis.com/auth/admin.directory.group.readonly") are optional
and used only for workspace/group-related features; place this comment
immediately above the REQUIRED_SCOPES/SCOPES symbols so future maintainers see
the design intent.

📥 Commits

Reviewing files that changed from the base of the PR and between 525e68b and c0d1f1c.

📒 Files selected for processing (2)
  • src/connectors/google_drive/oauth.py
  • tests/unit/test_oauth_encryption.py

@github-actions github-actions Bot added refactor and removed refactor labels Jun 2, 2026
@github-actions github-actions Bot added the lgtm label Jun 3, 2026