Merge branch 'main' into owl-bot-update-lock-54d3915b7c06c51f4339072d9ae9ddec43fe3197d5dd45122ca6ab7a02168765

Author: d-goog

Diff for: package.json

@@ -34,7 +34,7 @@
     "@types/node": "^22.0.0",
     "@types/sinon": "^17.0.0",
     "assert-rejects": "^1.0.0",
-    "c8": "^8.0.0",
+    "c8": "^10.0.0",
     "chai": "^4.2.0",
     "codecov": "^3.0.2",
     "gts": "^5.0.0",
@@ -56,7 +56,7 @@
     "ncp": "^2.0.0",
     "nock": "^13.0.0",
     "null-loader": "^4.0.0",
-    "puppeteer": "^21.0.0",
+    "puppeteer": "^24.0.0",
     "sinon": "^18.0.0",
     "ts-loader": "^8.0.0",
     "typescript": "^5.1.6",

Diff for: samples/puppeteer/package.json

@@ -12,6 +12,6 @@
   "license": "Apache-2.0",
   "dependencies": {
     "google-auth-library": "^9.0.0",
-    "puppeteer": "^21.0.0"
+    "puppeteer": "^24.0.0"
   }
 }

Diff for: samples/test/externalclient.test.js

@@ -72,11 +72,7 @@ const {assert} = require('chai');
 const {describe, it, before, afterEach} = require('mocha');
 const fs = require('fs');
 const {promisify} = require('util');
-const {
-  GoogleAuth,
-  DefaultTransporter,
-  IdentityPoolClient,
-} = require('google-auth-library');
+const {GoogleAuth, IdentityPoolClient, gaxios} = require('google-auth-library');
 const os = require('os');
 const path = require('path');
 const http = require('http');
@@ -158,11 +154,16 @@ const assumeRoleWithWebIdentity = async (
   // been configured:
   // https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html
   const oidcToken = await generateGoogleIdToken(auth, aud, clientEmail);
-  const transporter = new DefaultTransporter();
-  const url =
-    'https://sts.amazonaws.com/?Action=AssumeRoleWithWebIdentity' +
-    '&Version=2011-06-15&DurationSeconds=3600&RoleSessionName=nodejs-test' +
-    `&RoleArn=${awsRoleArn}&WebIdentityToken=${oidcToken}`;
+  const transporter = new gaxios.Gaxios();
+
+  const url = new URL('https://sts.amazonaws.com/');
+  url.searchParams.append('Action', 'AssumeRoleWithWebIdentity');
+  url.searchParams.append('Version', '2011-06-15');
+  url.searchParams.append('DurationSeconds', '3600');
+  url.searchParams.append('RoleSessionName', 'nodejs-test');
+  url.searchParams.append('RoleArn', awsRoleArn);
+  url.searchParams.append('WebIdentityToken', oidcToken);
+
   // The response is in XML format but we will parse it as text.
   const response = await transporter.request({url, responseType: 'text'});
   const rawXml = response.data;

Diff for: src/auth/authclient.ts

@@ -15,10 +15,11 @@
 import {EventEmitter} from 'events';
 import {Gaxios, GaxiosOptions, GaxiosPromise, GaxiosResponse} from 'gaxios';
 
-import {DefaultTransporter, Transporter} from '../transporters';
 import {Credentials} from './credentials';
 import {OriginalAndCamel, originalOrCamelOptions} from '../util';
 
+import {PRODUCT_NAME, USER_AGENT} from '../shared.cjs';
+
 /**
  * Base auth configurations (e.g. from JWT or `.json` files) with conventional
  * camelCased options.
@@ -81,13 +82,17 @@ export interface AuthClientOptions
   credentials?: Credentials;
 
   /**
-   * A `Gaxios` or `Transporter` instance to use for `AuthClient` requests.
+   * The {@link Gaxios `Gaxios`} instance used for making requests.
+   *
+   * @see {@link AuthClientOptions.useAuthRequestParameters}
    */
-  transporter?: Gaxios | Transporter;
+  transporter?: Gaxios;
 
   /**
    * Provides default options to the transporter, such as {@link GaxiosOptions.agent `agent`} or
    *  {@link GaxiosOptions.retryConfig `retryConfig`}.
+   *
+   * This option is ignored if {@link AuthClientOptions.transporter `gaxios`} has been provided
    */
   transporterOptions?: GaxiosOptions;
 
@@ -103,6 +108,19 @@ export interface AuthClientOptions
    * on the expiry_date.
    */
   forceRefreshOnFailure?: boolean;
+
+  /**
+   * Enables/disables the adding of the AuthClient's default interceptor.
+   *
+   * @see {@link AuthClientOptions.transporter}
+   *
+   * @remarks
+   *
+   * Disabling is useful for debugging and experimentation.
+   *
+   * @default true
+   */
+  useAuthRequestParameters?: boolean;
 }
 
 /**
@@ -183,7 +201,10 @@ export abstract class AuthClient
    * See {@link https://cloud.google.com/docs/quota Working with quotas}
    */
   quotaProjectId?: string;
-  transporter: Transporter;
+  /**
+   * The {@link Gaxios `Gaxios`} instance used for making requests.
+   */
+  transporter: Gaxios;
   credentials: Credentials = {};
   eagerRefreshThresholdMillis = DEFAULT_EAGER_REFRESH_THRESHOLD_MILLIS;
   forceRefreshOnFailure = false;
@@ -202,10 +223,12 @@ export abstract class AuthClient
     this.universeDomain = options.get('universe_domain') ?? DEFAULT_UNIVERSE;
 
     // Shared client options
-    this.transporter = opts.transporter ?? new DefaultTransporter();
+    this.transporter = opts.transporter ?? new Gaxios(opts.transporterOptions);
 
-    if (opts.transporterOptions) {
-      this.transporter.defaults = opts.transporterOptions;
+    if (options.get('useAuthRequestParameters') !== false) {
+      this.transporter.interceptors.request.add(
+        AuthClient.DEFAULT_REQUEST_INTERCEPTOR
+      );
     }
 
     if (opts.eagerRefreshThresholdMillis) {
@@ -216,29 +239,11 @@ export abstract class AuthClient
   }
 
   /**
-   * Return the {@link Gaxios `Gaxios`} instance from the {@link AuthClient.transporter}.
+   * The public request API in which credentials may be added to the request.
    *
-   * @expiremental
-   */
-  get gaxios(): Gaxios | null {
-    if (this.transporter instanceof Gaxios) {
-      return this.transporter;
-    } else if (this.transporter instanceof DefaultTransporter) {
-      return this.transporter.instance;
-    } else if (
-      'instance' in this.transporter &&
-      this.transporter.instance instanceof Gaxios
-    ) {
-      return this.transporter.instance;
-    }
-
-    return null;
-  }
-
-  /**
-   * Provides an alternative Gaxios request implementation with auth credentials
+   * @param options options for `gaxios`
    */
-  abstract request<T>(opts: GaxiosOptions): GaxiosPromise<T>;
+  abstract request<T>(options: GaxiosOptions): GaxiosPromise<T>;
 
   /**
    * The main authentication interface. It takes an optional url which when
@@ -288,6 +293,31 @@ export abstract class AuthClient
     return headers;
   }
 
+  static readonly DEFAULT_REQUEST_INTERCEPTOR: Parameters<
+    Gaxios['interceptors']['request']['add']
+  >[0] = {
+    resolved: async config => {
+      const headers = config.headers || {};
+
+      // Set `x-goog-api-client`, if not already set
+      if (!headers['x-goog-api-client']) {
+        const nodeVersion = process.version.replace(/^v/, '');
+        headers['x-goog-api-client'] = `gl-node/${nodeVersion}`;
+      }
+
+      // Set `User-Agent`
+      if (!headers['User-Agent']) {
+        headers['User-Agent'] = USER_AGENT;
+      } else if (!headers['User-Agent'].includes(`${PRODUCT_NAME}/`)) {
+        headers['User-Agent'] = `${headers['User-Agent']} ${USER_AGENT}`;
+      }
+
+      config.headers = headers;
+
+      return config;
+    },
+  };
+
   /**
    * Retry config for Auth-related requests.
    *
@@ -315,3 +345,10 @@ export interface GetAccessTokenResponse {
   token?: string | null;
   res?: GaxiosResponse | null;
 }
+
+/**
+ * @deprecated - use the Promise API instead
+ */
+export interface BodyResponseCallback<T> {
+  (err: Error | null, res?: GaxiosResponse<T> | null): void;
+}

Diff for: src/auth/baseexternalclient.ts

@@ -27,8 +27,8 @@ import {
   AuthClientOptions,
   GetAccessTokenResponse,
   Headers,
+  BodyResponseCallback,
 } from './authclient';
-import {BodyResponseCallback, Transporter} from '../transporters';
 import * as sts from './stscredentials';
 import {ClientAuthentication} from './oauth2common';
 import {SnakeToCamelObject, originalOrCamelOptions} from '../util';
@@ -110,10 +110,11 @@ export interface ExternalAccountSupplierContext {
    * * "urn:ietf:params:oauth:token-type:id_token"
    */
   subjectTokenType: string;
-  /** The {@link Gaxios} or {@link Transporter} instance from
-   * the calling external account to use for requests.
+  /**
+   * The {@link Gaxios} instance for calling external account
+   * to use for requests.
    */
-  transporter: Transporter | Gaxios;
+  transporter: Gaxios;
 }
 
 /**
@@ -312,7 +313,10 @@ export abstract class BaseExternalAccountClient extends AuthClient {
       };
     }
 
-    this.stsCredential = new sts.StsCredentials(tokenUrl, this.clientAuth);
+    this.stsCredential = new sts.StsCredentials({
+      tokenExchangeEndpoint: tokenUrl,
+      clientAuthentication: this.clientAuth,
+    });
     this.scopes = opts.get('scopes') || [DEFAULT_OAUTH_SCOPE];
     this.cachedAccessToken = null;
     this.audience = opts.get('audience');

Diff for: src/auth/defaultawssecuritycredentialssupplier.ts

@@ -14,7 +14,6 @@
 
 import {ExternalAccountSupplierContext} from './baseexternalclient';
 import {Gaxios, GaxiosOptions} from 'gaxios';
-import {Transporter} from '../transporters';
 import {AwsSecurityCredentialsSupplier} from './awsclient';
 import {AwsSecurityCredentials} from './awsrequestsigner';
 import {Headers} from './authclient';
@@ -183,9 +182,7 @@ export class DefaultAwsSecurityCredentialsSupplier
    * @param transporter The transporter to use for requests.
    * @return A promise that resolves with the IMDSv2 Session Token.
    */
-  async #getImdsV2SessionToken(
-    transporter: Transporter | Gaxios
-  ): Promise<string> {
+  async #getImdsV2SessionToken(transporter: Gaxios): Promise<string> {
     const opts: GaxiosOptions = {
       ...this.additionalGaxiosOptions,
       url: this.imdsV2SessionTokenUrl,
@@ -205,7 +202,7 @@ export class DefaultAwsSecurityCredentialsSupplier
    */
   async #getAwsRoleName(
     headers: Headers,
-    transporter: Transporter | Gaxios
+    transporter: Gaxios
   ): Promise<string> {
     if (!this.securityCredentialsUrl) {
       throw new Error(
@@ -236,7 +233,7 @@ export class DefaultAwsSecurityCredentialsSupplier
   async #retrieveAwsSecurityCredentials(
     roleName: string,
     headers: Headers,
-    transporter: Transporter | Gaxios
+    transporter: Gaxios
   ): Promise<AwsSecurityCredentialsResponse> {
     const response = await transporter.request<AwsSecurityCredentialsResponse>({
       ...this.additionalGaxiosOptions,

Diff for: src/auth/downscopedclient.ts

@@ -20,13 +20,13 @@ import {
 } from 'gaxios';
 import * as stream from 'stream';
 
-import {BodyResponseCallback} from '../transporters';
 import {Credentials} from './credentials';
 import {
   AuthClient,
   AuthClientOptions,
   GetAccessTokenResponse,
   Headers,
+  BodyResponseCallback,
 } from './authclient';
 
 import * as sts from './stscredentials';
@@ -164,11 +164,12 @@ export class DownscopedClient extends AuthClient {
     // Check 1-10 Access Boundary Rules are defined within Credential Access
     // Boundary.
     if (
-      credentialAccessBoundary.accessBoundary.accessBoundaryRules.length === 0
+      this.credentialAccessBoundary.accessBoundary.accessBoundaryRules
+        .length === 0
     ) {
       throw new Error('At least one access boundary rule needs to be defined.');
     } else if (
-      credentialAccessBoundary.accessBoundary.accessBoundaryRules.length >
+      this.credentialAccessBoundary.accessBoundary.accessBoundaryRules.length >
       MAX_ACCESS_BOUNDARY_RULES_COUNT
     ) {
       throw new Error(
@@ -179,7 +180,7 @@ export class DownscopedClient extends AuthClient {
 
     // Check at least one permission should be defined in each Access Boundary
     // Rule.
-    for (const rule of credentialAccessBoundary.accessBoundary
+    for (const rule of this.credentialAccessBoundary.accessBoundary
       .accessBoundaryRules) {
       if (rule.availablePermissions.length === 0) {
         throw new Error(
@@ -188,9 +189,9 @@ export class DownscopedClient extends AuthClient {
       }
     }
 
-    this.stsCredential = new sts.StsCredentials(
-      `https://sts.${this.universeDomain}/v1/token`
-    );
+    this.stsCredential = new sts.StsCredentials({
+      tokenExchangeEndpoint: `https://sts.${this.universeDomain}/v1/token`,
+    });
 
     this.cachedDownscopedAccessToken = null;
   }