Unhelpful error message when credentials misssing

[ofrobots]

I was trying to use a Node.js client library (any, doesn't matter) in a Node.js express server. I started the app without providing credentials. I expected an error, but the error I got was less than useful.

Error: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.

Problems:

1. I can follow the link by ⌘-clicking in the terminal. It would be good if there wasn't a trailing dot which leads to a 404.
2. The error page talks about 'Google Sign-In' and 'WebApp'. This was a Node.js server, not a WebApp, and I am not trying to use Google Sign In. The error page seems wrong. I expected to be taken to a page that talks about Service Accounts and OAuth2.

[JustinBeckwith]

👋 so I'm finally getting to look at this one. When I try it, I am getting this:

node listQueues.js 
/Users/beckwith/Code/nodejs-tasks/samples/node_modules/@google-cloud/tasks/src/v2/cloud_tasks_client.js:178
              throw err;
              ^

Error: Could not load the default credentials. Browse to https://cloud.google.com/docs/authentication/getting-started for more information.
    at GoogleAuth.<anonymous> (/Users/beckwith/Code/nodejs-tasks/samples/node_modules/google-auth-library/build/src/auth/googleauth.js:168:23)
    at Generator.next (<anonymous>)
    at fulfilled (/Users/beckwith/Code/nodejs-tasks/samples/node_modules/google-auth-library/build/src/auth/googleauth.js:19:58)
    at processTicksAndRejections (internal/process/task_queues.js:86:5)

I found that doc to be much more helpful :) Can you share the steps you're using to get that error? It's entirely possible this is something we accidentally fixed.

[ofrobots]

I don't remember the precise steps. I tried reproducing from scratch in the way I expect I would have done originally:

(node:73218) UnhandledPromiseRejectionWarning: Error: Sorry, we cannot connect to Cloud Services without a project
 ID. You may specify one with an environment variable named
 "GOOGLE_CLOUD_PROJECT".
    at replaceProjectIdToken (/Users/ofrobots/tmp/bunyan-test/node_modules/@google-cloud/projectify/build/src/index.js:45:19)
    at Object.replaceProjectIdToken (/Users/ofrobots/tmp/bunyan-test/node_modules/@google-cloud/projectify/build/src/index.js:38:30)
    at self.auth.getProjectId (/Users/ofrobots/tmp/bunyan-test/node_modules/@google-cloud/logging/build/src/index.js:719:40)
    at getProjectIdAsync.then.r (/Users/ofrobots/tmp/bunyan-test/node_modules/google-auth-library/build/src/auth/googleauth.js:73:48)
    at process.internalTickCallback (internal/process/next_tick.js:77:7)

This seems different / more reasonable.

Let me see if I can reproduce some other way.

[ofrobots]

Here's a repro, in a new dir, add @google-cloud/debug-agent a dependency and the following code:

require('@google-cloud/debug-agent').start({
  allowExpressions: true,
  projectId: 'ofrobots-test-19'   // <-- change this to your own project
});

setTimeout(() => {}, 10000);

Run gcloud auth revoke, and then:

❯ node index.js
@google-cloud/debug-agent Failed to re-register debuggee ofrobots-test-19: Error: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
@google-cloud/debug-agent Failed to re-register debuggee ofrobots-test-19: Error: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
@google-cloud/debug-agent Failed to re-register debuggee ofrobots-test-19: Error: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.

[JustinBeckwith]

Ok - I finally tracked this one down. It's a bug on nodejs-common:
https://github.com/googleapis/nodejs-common/blob/master/src/util.ts#L607

Even if auth fails, it still decides "hell, maybe we won't need a token!" and sends the request to the backend anyway. The error message we're getting is part of the body from the 401 response that comes back from the debug API itself.

I can't imagine why we wouldn't fail in this scenario with the original call stack. Uh, @stephenplusplus ?

[stephenplusplus]

Original PR: googleapis/google-cloud-node#2712

Failing with the original call stack would make sense to me, too.

[stephenplusplus]

Just in case I misunderstood what you meant by fail, the first error message would be more helpful, but I believe we still need to attempt the API request, as they don't all require authentication.

It might not be so easy, though, to define the condition that we want to ignore the API failure message and use the auth lib's. Maybe only when it's a 401?

[JustinBeckwith]

If the API endpoint requires credentials, and we can't acquire them - the original callstack would be very nice here. The 401 approach is fine.

I am curious though ... what's the use case for this one? I'm sure we had a good reason, it's just not called out in the PR.

[stephenplusplus]

I believe Storage.File#download, but there might be others by now. My bad for not leaving a better trail in that PR.