feat: add console warnings for mitigating file based credential load … (#2143)

* feat: add console warnings for mitigating file based credential load related auth methods, options, and types * fix npm run lint trailing commas

Author: GautamSharda

src/auth/externalclient.ts

@@ -73,6 +73,9 @@ export class ExternalAccountClient {
  static fromJSON(
  options: ExternalAccountClientOptions,
  ): BaseExternalAccountClient | null {
+ console.warn(
+ 'The `fromJSON` method does not validate the credential configuration. A security risk occurs when a credential configuration configured with malicious URLs is used. When the credential configuration is accepted from an untrusted source, you should validate it before using it with this method. For more details, see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials.',
+ );
  if (options && options.type === EXTERNAL_ACCOUNT_TYPE) {
  if ((options as AwsClientOptions).credential_source?.environment_id) {
  return new AwsClient(options as AwsClientOptions);

src/auth/googleauth.ts

@@ -275,9 +275,19 @@ export class GoogleAuth<T extends AuthClient = AuthClient> {
  this._cachedProjectId = opts.projectId || null;
  this.cachedCredential = opts.authClient || null;
  this.keyFilename = opts.keyFilename || opts.keyFile;
+ if (this.keyFilename) {
+ console.warn(
+ 'The `keyFilename` option is deprecated. Please use the `credentials` option instead. For more details, see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials.',
+ );
+ }
  this.scopes = opts.scopes;
  this.clientOptions = opts.clientOptions || {};
  this.jsonContent = opts.credentials || null;
+ if (this.jsonContent) {
+ console.warn(
+ 'The `credentials` option is deprecated. Please use the `auth` object constructor instead. For more details, see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials.',
+ );
+ }
  this.apiKey = opts.apiKey || this.clientOptions.apiKey || null;
 
  // Cannot use both API Key + Credentials
@@ -766,6 +776,9 @@ export class GoogleAuth<T extends AuthClient = AuthClient> {
  json: JWTInput | ImpersonatedJWTInput,
  options: AuthClientOptions = {},
  ): JSONClient {
+ console.warn(
+ 'The `fromJSON` method is deprecated. Please use the `JWT` constructor instead. For more details, see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials.',
+ );
  let client: JSONClient;
 
  // user's preferred universe domain
@@ -882,6 +895,9 @@ export class GoogleAuth<T extends AuthClient = AuthClient> {
  optionsOrCallback: AuthClientOptions | CredentialCallback = {},
  callback?: CredentialCallback,
  ): Promise<JSONClient> | void {
+ console.warn(
+ 'The `fromStream` method is deprecated. Please use the `JWT` constructor with a parsed stream instead. For more details, see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials.',
+ );
  let options: AuthClientOptions = {};
  if (typeof optionsOrCallback === 'function') {
  callback = optionsOrCallback;

src/auth/impersonated.ts

@@ -121,6 +121,9 @@ export class Impersonated extends OAuth2Client implements IdTokenProvider {
  */
  constructor(options: ImpersonatedOptions = {}) {
  super(options);
+ console.warn(
+ 'The `Impersonated` constructor does not validate the credential configuration. A security risk occurs when a credential configuration configured with malicious URLs is used. When the credential configuration is accepted from an untrusted source, you should validate it before using it with this method. For more details, see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials.',
+ );
  // Start with an expired refresh token, which will automatically be
  // refreshed before the first API call is made.
  this.credentials = {