Description
Environment
- gws version: 0.9.1
- OS: macOS (Apple Silicon)
- Installed via: npm install -g @googleworkspace/cli (without sudo, after fixing /usr/local permissions)
Problem
After a successful gws auth login (returns success JSON with credentials.enc saved), all API calls fail with:
{
  "error": {
    "code": 401,
    "message": "Authentication failed: Failed to decrypt credentials: Decryption failed. Credentials may have been created on a different machine.",
    "reason": "authError"
  }
}

Root Cause
The encryption key is never saved to macOS Keychain. Verified with:
$ security find-generic-password -s "gws" 2>&1
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.

credentials.enc is written successfully, but the decryption key doesn't exist in Keychain — making it permanently unreadable. No error or warning is shown during gws auth login.
Steps to Reproduce
1. npm install -g @googleworkspace/cli (without sudo)
2. rm -rf ~/.config/gws/
3. gws auth setup → success
4. gws auth login → OAuth completes, returns success JSON with credentials.enc
5. security find-generic-password -s "gws" → not found
6. gws drive files list --params '{"pageSize": 5}' → 401 decryption failed
Additional Context
Initially installed with sudo npm install -g, which may have triggered the first occurrence (sudo runs as root, which cannot write to the user Keychain). After reinstalling without sudo and doing a full rm -rf ~/.config/gws/, the bug persists — Keychain write still silently fails with no error output.
gws auth export --unmasked also fails (outputs the error JSON instead of credentials), confirming the key is truly missing from Keychain.
Suggested Fix
- Log an explicit error/warning when Keychain write fails
- Automatically fall back to .encryption_key file if Keychain is unavailable
- Consider making a --no-keyring flag available as a workaround option
Related: #151
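
The first two suggested fixes, sketched in Rust as an added example that is not part of the original issue and not gws's own code: write the key, read it back to prove the write took effect, and otherwise warn and fall back to an owner-only key file. `KeyStore`, `KeyLocation`, `persist_key`, both test doubles and the temp-file path are hypothetical names; a real build would back `KeyStore` with the macOS Keychain.

```rust
use std::fs::OpenOptions;
use std::io::{self, Write};
use std::os::unix::fs::OpenOptionsExt;
use std::path::{Path, PathBuf};

/// Hypothetical abstraction over the OS keyring (macOS Keychain in the report).
pub trait KeyStore {
    fn set(&mut self, key: &[u8]) -> Result<(), String>;
    fn get(&self) -> Option<Vec<u8>>;
}

/// Where the key ended up, so the caller can report it to the user.
#[derive(Debug, PartialEq)]
pub enum KeyLocation { Keyring, File(PathBuf) }

/// Store `key`, read it back to prove the write took effect, and fall back to
/// an owner-only file when the keyring write fails or does not verify.
pub fn persist_key(store: &mut dyn KeyStore, key: &[u8], fallback: &Path) -> io::Result<KeyLocation> {
    let outcome = store.set(key);
    if outcome.is_ok() && store.get().as_deref() == Some(key) {
        return Ok(KeyLocation::Keyring);
    }
    let why = outcome.err().unwrap_or_else(|| "read-back mismatch".to_string());
    eprintln!("warning: keyring write failed ({}); using {}", why, fallback.display());
    // 0600 applies when the file is created; truncate replaces any stale key.
    let mut f = OpenOptions::new().write(true).create(true).truncate(true).mode(0o600).open(fallback)?;
    f.write_all(key)?;
    Ok(KeyLocation::File(fallback.to_path_buf()))
}

/// Constructed test double: reports success but stores nothing (the silent failure).
pub struct SilentlyBroken;
impl KeyStore for SilentlyBroken {
    fn set(&mut self, _key: &[u8]) -> Result<(), String> { Ok(()) }
    fn get(&self) -> Option<Vec<u8>> { None }
}

/// Constructed test double: a working in-memory keyring.
pub struct InMemory(pub Option<Vec<u8>>);
impl KeyStore for InMemory {
    fn set(&mut self, key: &[u8]) -> Result<(), String> { self.0 = Some(key.to_vec()); Ok(()) }
    fn get(&self) -> Option<Vec<u8>> { self.0.clone() }
}

fn main() {
    let path = std::env::temp_dir().join("gws-example-encryption_key"); // constructed path
    let loc = persist_key(&mut SilentlyBroken, b"constructed-key", &path).unwrap();
    println!("key stored in {:?}", loc);
}
```

The read-back step is what catches the reported case, where the write appears to succeed but a later lookup finds nothing.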