Lines 1-44javascript
4 * Runs Google's OAuth 2.0 installed-app flow against the configured
5 * GOOGLE_ADS_CLIENT_ID / GOOGLE_ADS_CLIENT_SECRET, opens the consent URL in
6 * the user's default browser, captures the authorization code on a loopback
7 * redirect (http://127.0.0.1:<random-port>), exchanges it for a refresh
8 * token, and prints the refresh token to stdout.
10 * `--login --save` additionally persists `{ refresh_token, obtained_at }`
11 * to `${LOCALAPPDATA}\google-ads-full-readwrite-mcp\auth.json` (or
12 * `~/.config/google-ads-full-readwrite-mcp/auth.json`) with mode 0o600.
15import { createServer } from "node:http";
16import { writeFileSync, mkdirSync, existsSync } from "node:fs";
17import { dirname } from "node:path";
18import { exec } from "node:child_process";
19import { promisify } from "node:util";
21import { OAuth2Client } from "google-auth-library";
23import { defaultAuthCachePath } from "./config.js";
25const execAsync = promisify(exec);
27// Google Ads API scope. This single scope is enough for every read and
28// write operation we expose.
29const SCOPES = ["https://www.googleapis.com/auth/adwords"];
31function requireLoginEnv() {
32 const clientId = process.env.GOOGLE_ADS_CLIENT_ID;
33 const clientSecret = process.env.GOOGLE_ADS_CLIENT_SECRET;
HighSame File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/login.jsView on unpkg · L17 HighSandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
lib/login.jsView on unpkg · L6 34 if (!clientId || !clientSecret) {
36 "GOOGLE_ADS_CLIENT_ID and GOOGLE_ADS_CLIENT_SECRET must be set to run --login. " +
37 "Create an OAuth 2.0 Desktop client in Google Cloud Console and export both values."
40 return { clientId, clientSecret };
43function openInBrowser(url) {
44 // Best-effort cross-platform "open URL in default browser". If it fails