#2657: fix: use TLS 1.2 for gemini-cli and google-antigravity OAuth requests via proxy
extensions: google-antigravity-auth
extensions: google-gemini-cli-auth
Cluster:
OAuth and CLI Fixes
Problem:
OAuth token exchange can fail behind certain local proxies because TLS 1.3 handshakes to oauth2.googleapis.com get reset (connection reset during handshake), causing the OAuth flow to fail.
Fix:
When proxy env vars are present (e.g. HTTP_PROXY / HTTPS_PROXY / ALL_PROXY), use undici ProxyAgent and cap TLS to TLSv1.2 via requestTls.maxVersion for:
- google-gemini-cli-auth
- google-antigravity-auth
Impact:
OAuth works reliably behind proxy setups that reset TLS 1.3 connections.
<!-- greptile_comment -->
<h2>Greptile Overview</h2>
<h3>Greptile Summary</h3>
This PR updates the Google OAuth flows in `extensions/google-antigravity-auth` and `extensions/google-gemini-cli-auth` to route requests through an undici `ProxyAgent` when proxy environment variables are present, and caps TLS to v1.2 via `requestTls.maxVersion`. The change is applied to the token exchange and follow-up Google API calls (userinfo + Code Assist endpoints) to improve reliability behind local proxies that reset TLS 1.3 handshakes.
Main issues found: (1) `oauth.ts` contains a mis-indented `const response = await fetchWithProxy(...)` line inside `discoverProject`, likely failing formatting/lint checks, and (2) `ProxyAgent` is constructed at module load from unvalidated env vars, which can throw and prevent the extension from loading if the proxy URL is malformed.
<h3>Confidence Score: 3/5</h3>
- This PR is mostly safe to merge, but has one formatting regression and a potential module-load crash if proxy env vars are malformed.
- The behavioral change is scoped to OAuth HTTP requests and only activates when proxy env vars are set, but ProxyAgent is constructed at import time from unvalidated env input (can throw), and `oauth.ts` has a mis-indented line that could break lint/format checks.
- extensions/google-gemini-cli-auth/oauth.ts, extensions/google-antigravity-auth/index.ts
<!-- greptile_other_comments_section -->
<sub>(2/5) Greptile learns from your feedback when you react with thumbs up/down!</sub>
<!-- /greptile_comment -->
Most Similar PRs
#7781: fix: resolve Google Gemini CLI auth credential extraction #4585
by ManojPanda3 · 2026-02-03
81.4%
#5027: fix(auth): use correct OAuth credentials for google-gemini-cli refresh
by shayan919293 · 2026-01-30
81.3%
#2535: fix(google-antigravity): use 127.0.0.1 instead of localhost for OAu...
by brian033 · 2026-01-27
80.7%
#5064: fix(auth): update deprecated User-Agent headers
by mfortin014 · 2026-01-31
80.5%
#10372: Fix google-gemini-cli-auth to work on Windows
by omribahumi · 2026-02-06
77.8%
#4550: fix: sync google-gemini-cli-auth tokens from external CLI (#3803)
by SalimBinYousuf1 · 2026-01-30
77.8%
#16786: fix: support google-antigravity OAuth for Gemini embeddings
by outsourc-e · 2026-02-15
77.6%
#3521: fix(gemini-auth): handle mise shims and nested node_modules paths
by sebslight · 2026-01-28
76.8%
#3909: fix(auth): refresh all OAuth profiles per provider
by Daviey · 2026-01-29
76.7%
#16684: fix:(antigravity): align Antigravity OAuth project discovery header...
by vincentkoc · 2026-02-15
76.2%