# Google OAuth Token Refresh Utilities

Two utilities for refreshing Google OAuth access tokens using a refresh token.

## Files

1. **google-auth.sh** - Shell script version (requires `jq` and `curl`)
2. **google-refresh.py** - Python script version (requires `requests` library)

## Prerequisites

### For shell script:
- `jq` - JSON processor
- `curl` - HTTP client

### For Python script:
- Python 3.x
- `requests` library (install with `pip install requests`)

## Usage

Both scripts:
1. Read credentials from `/root/.clawdbot/google-oauth.json`
2. Use the `refresh_token` to get a new `access_token` from Google OAuth API
3. Update the JSON file with the new `access_token`
4. Print the new token to stdout

### Running the scripts:

```bash
# Make scripts executable (already done)
chmod +x google-auth.sh google-refresh.py

# Run Python script (recommended - more robust)
./google-refresh.py

# Run shell script
./google-auth.sh
```

## Credentials File Format

The scripts expect a JSON file at `/root/.clawdbot/google-oauth.json` with the following structure:

```json
{
  "client_id": "your-client-id.apps.googleusercontent.com",
  "client_secret": "your-client-secret",
  "access_token": "current-access-token",
  "refresh_token": "your-refresh-token",
  "token_type": "Bearer",
  "scope": "space-separated-scopes",
  "email": "user@example.com",
  "created_at": "ISO-8601-timestamp"
}
```

## Features

### Python Script (`google-refresh.py`):
- Better error handling and validation
- Updates `created_at` timestamp with current UTC time
- Shows token expiration time
- Handles HTTP errors gracefully
- JSON parsing with error checking

### Shell Script (`google-auth.sh`):
- Lightweight, no Python dependencies
- Uses `jq` for JSON processing
- Simple curl-based implementation

## Error Handling

Both scripts will exit with non-zero status and print error messages to stderr if:
- Credentials file is missing or unreadable
- Required fields are missing from JSON
- Google OAuth API returns an error
- Network request fails
- JSON parsing fails

## Integration

These scripts can be used in cron jobs or automated workflows to keep Google OAuth tokens fresh. The Python script is recommended for production use due to its robustness.

## Security Notes

- The credentials file contains sensitive information (client secret, refresh token)
- Ensure file permissions are restricted (e.g., `chmod 600`)
- The scripts update the file in-place, preserving other fields
- Refresh tokens are long-lived but can be revoked if compromised