Skip to content

chore: revert "feat(auth): Regional access boundaries main merge (#8665)"#8747

Merged
feywind merged 1 commit into
mainfrom
feywind-revert-rab-for-now
Jun 24, 2026
Merged

chore: revert "feat(auth): Regional access boundaries main merge (#8665)"#8747
feywind merged 1 commit into
mainfrom
feywind-revert-rab-for-now

Conversation

@feywind

@feywind feywind commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

This one needs to be "un-released" for now at the request of the team.

@feywind feywind requested a review from a team as a code owner June 24, 2026 18:52
@feywind feywind added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 24, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 24, 2026
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jun 24, 2026
View reviewed changes

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request removes the Regional Access Boundary (RAB) feature and its associated manager, helper functions, and tests across the entire codebase. Feedback on these changes highlights a potential issue where the opts parameter is mutated directly by reassigning opts.headers in several client classes, which could lead to unexpected side effects; shallow-copying opts is recommended instead. Additionally, the removal of the isExpired method from AuthClient has introduced code duplication across multiple subclasses, and keeping it as a protected method in the base class is suggested to maintain DRY principles.

I am having trouble creating individual review comments. Click here to see my feedback.

core/packages/google-auth-library-nodejs/src/auth/baseexternalclient.ts (504)

high

Mutating the opts parameter directly by reassigning opts.headers can lead to unexpected side effects for callers who reuse the options object across multiple requests.

To prevent this, we should shallow-copy opts into a local requestOpts variable and perform all modifications on the copy. Additionally, when cloning or wrapping the request, ensure properties like adapter are stripped to prevent potential infinite recursion or memory leaks:

const {adapter, ...requestOpts} = opts;
try {
  const requestHeaders = await this.getRequestHeaders();
  requestOpts.headers = Gaxios.mergeHeaders(requestOpts.headers);

  this.addUserProjectAndAuthHeaders(requestOpts.headers, requestHeaders);

  response = await this.transporter.request<T>(requestOpts);
}
References
  1. When handling custom interceptors or headers in concurrent asynchronous requests, isolate them using a fresh, request-scoped HTTP client instance instead of a shared instance. If cloning or wrapping the request, ensure properties like adapter are stripped if they can cause infinite recursion or memory leaks.

core/packages/google-auth-library-nodejs/src/auth/externalAccountAuthorizedUserClient.ts (261)

high

Mutating the opts parameter directly by reassigning opts.headers can lead to unexpected side effects for callers who reuse the options object across multiple requests.

To prevent this, we should shallow-copy opts into a local requestOpts variable and perform all modifications on the copy. Additionally, when cloning or wrapping the request, ensure properties like adapter are stripped to prevent potential infinite recursion or memory leaks:

const {adapter, ...requestOpts} = opts;
try {
  const requestHeaders = await this.getRequestHeaders();
  requestOpts.headers = Gaxios.mergeHeaders(requestOpts.headers);

  this.addUserProjectAndAuthHeaders(requestOpts.headers, requestHeaders);

  response = await this.transporter.request<T>(requestOpts);
}
References
  1. When handling custom interceptors or headers in concurrent asynchronous requests, isolate them using a fresh, request-scoped HTTP client instance instead of a shared instance. If cloning or wrapping the request, ensure properties like adapter are stripped if they can cause infinite recursion or memory leaks.

core/packages/google-auth-library-nodejs/src/auth/oauth2client.ts (1123)

high

Mutating the opts parameter directly by reassigning opts.headers can lead to unexpected side effects for callers who reuse the options object across multiple requests.

To prevent this, we should shallow-copy opts into a local requestOpts variable and perform all modifications on the copy. Additionally, when cloning or wrapping the request, ensure properties like adapter are stripped to prevent potential infinite recursion or memory leaks:

const {adapter, ...requestOpts} = opts;
try {
  const r = await this.getRequestMetadataAsync();
  requestOpts.headers = Gaxios.mergeHeaders(requestOpts.headers);

  this.addUserProjectAndAuthHeaders(requestOpts.headers, r.headers);

  if (this.apiKey) {
    requestOpts.headers.set('X-Goog-Api-Key', this.apiKey);
  }

  return await this.transporter.request<T>(requestOpts);
}
References
  1. When handling custom interceptors or headers in concurrent asynchronous requests, isolate them using a fresh, request-scoped HTTP client instance instead of a shared instance. If cloning or wrapping the request, ensure properties like adapter are stripped if they can cause infinite recursion or memory leaks.

core/packages/google-auth-library-nodejs/src/auth/authclient.ts (630-635)

medium

Removing isExpired from AuthClient forces multiple subclasses (BaseExternalAccountClient, DownscopedClient, and ExternalAccountAuthorizedUserClient) to duplicate this exact logic as private methods.

To maintain DRY (Don't Repeat Yourself) principles and improve maintainability, consider keeping isExpired as a protected method in AuthClient.

@feywind feywind merged commit 5bd6b22 into main Jun 24, 2026
46 checks passed
@feywind feywind deleted the feywind-revert-rab-for-now branch June 24, 2026 19:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vverman vverman vverman approved these changes
+1 more reviewer
@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@feywind @vverman @yoshi-kokoro