fix(auth): restrict Keep service account to Keep API calls only (#414)

jgwesterlund · claude · web-flow · commit fae24e3b1d1c · 2026-03-07T16:47:39.000Z
When a Keep-specific service account file (keep-sa-*.json) exists,
tokenSourceForServiceAccountScopes falls back to it for all API calls,
not just Keep. This causes 401 errors on Calendar, Gmail, Drive, and
other services that should use OAuth.

Only use keep-sa and legacy Keep SA files when serviceLabel is "keep",
allowing other services to fall through to OAuth authentication.

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/internal/googleapi/client.go b/internal/googleapi/client.go
@@ -111,7 +111,7 @@ func optionsForAccountScopes(ctx context.Context, serviceLabel string, email str
 
 	var ts oauth2.TokenSource
 
-	if serviceAccountTS, saPath, ok, err := tokenSourceForServiceAccountScopes(ctx, email, scopes); err != nil {
+	if serviceAccountTS, saPath, ok, err := tokenSourceForServiceAccountScopes(ctx, serviceLabel, email, scopes); err != nil {
 		return nil, fmt.Errorf("service account token source: %w", err)
 	} else if ok {
 		slog.Debug("using service account credentials", "email", email, "path", saPath)
diff --git a/internal/googleapi/service_account.go b/internal/googleapi/service_account.go
@@ -25,7 +25,7 @@ var newServiceAccountTokenSource = func(ctx context.Context, keyJSON []byte, sub
 	return cfg.TokenSource(ctx), nil
 }
 
-func tokenSourceForServiceAccountScopes(ctx context.Context, email string, scopes []string) (oauth2.TokenSource, string, bool, error) {
+func tokenSourceForServiceAccountScopes(ctx context.Context, serviceLabel string, email string, scopes []string) (oauth2.TokenSource, string, bool, error) {
 	saPath, err := config.ServiceAccountPath(email)
 	if err != nil {
 		return nil, "", false, fmt.Errorf("service account path: %w", err)
@@ -45,6 +45,11 @@ func tokenSourceForServiceAccountScopes(ctx context.Context, email string, scope
 		return nil, "", false, fmt.Errorf("read service account key: %w", readErr)
 	}
 
+	// Keep-specific service account files should only be used for Keep.
+	if serviceLabel != "keep" {
+		return nil, "", false, nil
+	}
+
 	// Backwards compatibility: Keep used a dedicated stored service account file.
 	keepSAPath, keepErr := config.KeepServiceAccountPath(email)
 	if keepErr == nil {
