From a1cbd31a830fcdeefd10c84e425c88788e0f3e6b Mon Sep 17 00:00:00 2001 From: lsirac Date: Sun, 14 Jun 2026 11:53:53 -0700 Subject: [PATCH] fix(auth): Fix UserCredentials serialization clientSecret leak and key mismatch --- .../java/com/google/auth/oauth2/UserCredentials.java | 2 +- .../com/google/auth/oauth2/DefaultCredentialsProviderTest.java | 1 + .../javatests/com/google/auth/oauth2/UserCredentialsTest.java | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index 3670ac7a6804..5ec0920411d7 100644
--- a/google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -328,7 +328,7 @@ private InputStream getUserCredentialsStream() throws IOException {
 json.put("client_secret", clientSecret);
 }
 if (quotaProjectId != null) {
- json.put("quota_project", clientSecret);
+ json.put("quota_project_id", quotaProjectId);
 }
 json.setFactory(JSON_FACTORY);
 String text = json.toPrettyString();
diff --git a/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/DefaultCredentialsProviderTest.java b/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/DefaultCredentialsProviderTest.java
index d0447871b01a..2efb9bc92b87 100644
--- a/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/DefaultCredentialsProviderTest.java
+++ b/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/DefaultCredentialsProviderTest.java
@@ -387,6 +387,7 @@ void getDefaultCredentials_GdchServiceAccount() throws IOException { assertNotNull(((GdchCredentials) defaultCredentials).getApiAudience()); } + @Test void getDefaultCredentials_quota_project() throws IOException { InputStream userStream = UserCredentialsTest.writeUserStream( 
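Review bot: In `getUserCredentialsStream()` the key is still a bare string literal, `json.put("quota_project_id", quotaProjectId);`, and the bug being fixed was exactly a writer-side literal that did not match what the loader reads. The parsing side is outside this hunk, so this is inferred, but one shared constant used by both the writer and the reader would keep the two from drifting again, e.g. `json.put(QUOTA_PROJECT_ID_KEY, quotaProjectId);` where `QUOTA_PROJECT_ID_KEY` is a placeholder name. Files saved by earlier builds still hold the client secret under `quota_project`, so a changelog line telling users to re-save them and to treat that key as sensitive when scrubbing logs would be worth adding. The function starts above the hunk and continues below it.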
diff --git a/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java b/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
index aaabf4aeefec..b4b06743ee24 100644
--- a/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
+++ b/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
@@ -635,6 +635,7 @@ void saveAndRestoreUserCredential_saveAndRestored_doesNotThrow() throws IOExcept .setClientId(CLIENT_ID) .setClientSecret(CLIENT_SECRET) .setRefreshToken(REFRESH_TOKEN) + .setQuotaProjectId(QUOTA_PROJECT) .build(); File file = File.createTempFile("GOOGLE_APPLICATION_CREDENTIALS", null, null);
@@ -649,6 +650,7 @@ void saveAndRestoreUserCredential_saveAndRestored_doesNotThrow() throws IOExcept assertEquals(userCredentials.getClientId(), restoredCredentials.getClientId()); assertEquals(userCredentials.getClientSecret(), restoredCredentials.getClientSecret()); assertEquals(userCredentials.getRefreshToken(), restoredCredentials.getRefreshToken()); + assertEquals(userCredentials.getQuotaProjectId(), restoredCredentials.getQuotaProjectId()); } }
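Review bot: The added `assertEquals(userCredentials.getQuotaProjectId(), restoredCredentials.getQuotaProjectId());` pins the key mismatch but not the secret leak, because it compares only the restored getters and would still pass if the writer also put the client secret under some extra key. Assuming the save to `file` happens in the lines between the two hunks, an assertion on the written text would cover that half of the fix, e.g. `String saved = new String(Files.readAllBytes(file.toPath()), StandardCharsets.UTF_8);` followed by `assertFalse(saved.contains("\"quota_project\""));`. The `.setQuotaProjectId(QUOTA_PROJECT)` line in the first hunk is what makes either assertion meaningful, so this applies to both hunks of the test.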