
Conversation

@aadamgough (Collaborator) commented Oct 2, 2025

Summary

Added more scopes. Must merge to see it on consent screen and get verified.

@vercel vercel bot commented Oct 2, 2025

The latest updates on your projects (Vercel for GitHub):

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| sim | Ready | Preview | Comment | Oct 25, 2025 7:49am |
| docs | Skipped (1 skipped deployment) | | | Oct 25, 2025 7:49am |

@greptile-apps greptile-apps bot (Contributor) left a comment

Greptile Overview

Summary

This PR attempts to refine Google OAuth scopes across the Sim platform by replacing the broader `https://www.googleapis.com/auth/drive.file` scope with the more restrictive `https://www.googleapis.com/auth/drive.readonly` scope. The changes affect multiple components including OAuth providers, tool configurations, block definitions, and UI components. The PR also introduces support for Google Forms by adding the `https://www.googleapis.com/auth/forms.responses.readonly` scope.

The changes span across 11 files and touch three main areas of the codebase:

  1. OAuth Configuration: Updates to apps/sim/lib/auth.ts and apps/sim/lib/oauth/oauth.ts that modify the base OAuth provider configurations for Google Drive, Docs, and Sheets
  2. Tool Definitions: Changes to individual tool files in /tools/google_drive/ and /tools/google_docs/ directories that specify OAuth scopes for specific operations
  3. UI Components: Updates to blocks and modal components that handle OAuth scope descriptions and requirements

The intent appears to be implementing a principle of least privilege by reducing OAuth permissions to read-only access where possible. However, the implementation creates fundamental mismatches between tool capabilities and granted permissions. The PR description includes "DON'T MERGE YET" indicating the author recognizes this is work in progress.

Important Files Changed

| Filename | Score | Overview |
| --- | --- | --- |
| apps/sim/tools/google_drive/upload.ts | 0/5 | Changed upload tool to use readonly scope, breaking file upload functionality |
| apps/sim/tools/google_drive/create_folder.ts | 0/5 | Applied readonly scope to folder creation tool, preventing write operations |
| apps/sim/tools/google_docs/create.ts | 0/5 | Updated document creation tool with readonly scope, breaking document creation |
| apps/sim/tools/google_docs/write.ts | 1/5 | Changed document editing tool to readonly scope, preventing content updates |
| apps/sim/blocks/blocks/google_drive.ts | 1/5 | Updated block OAuth requirements to readonly, conflicting with upload/create operations |
| apps/sim/blocks/blocks/google_docs.ts | 1/5 | Modified block scopes to readonly, incompatible with write/create tools |
| apps/sim/lib/auth.ts | 2/5 | Changed base OAuth provider scopes to readonly, breaking write operations |
| apps/sim/lib/oauth/oauth.ts | 1/5 | Updated core OAuth service configurations with readonly scopes |
| apps/sim/tools/google_drive/list.ts | 2/5 | Correctly applied readonly scope for list operation, but creates inconsistency |
| apps/sim/tools/google_drive/get_content.ts | 2/5 | Appropriate readonly scope for read operation, but part of broader problematic pattern |
| apps/sim/tools/google_docs/read.ts | 5/5 | Correctly updated read operation to use readonly scope |
| apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx | 5/5 | Updated scope descriptions and added Google Forms support |

Confidence score: 0/5

  • This PR will definitely break critical functionality and should not be merged in its current state
  • Score reflects fundamental scope mismatches where write operations are configured with read-only permissions
  • Pay close attention to all Google Drive and Google Docs tools - most require immediate scope corrections before this can be considered for merge

Sequence Diagram

```mermaid
sequenceDiagram
    participant User
    participant OAuthRequiredModal
    participant AuthClient
    participant GoogleOAuth
    participant GoogleFormsBlock
    participant GoogleFormsTool

    User->>GoogleFormsBlock: "Selects Google Forms block"
    GoogleFormsBlock->>OAuthRequiredModal: "Shows modal with required scopes"
    Note over OAuthRequiredModal: requiredScopes: ['https://www.googleapis.com/auth/forms.responses.readonly']
    OAuthRequiredModal->>User: "Displays permissions request"
    User->>OAuthRequiredModal: "Clicks 'Connect Now'"
    OAuthRequiredModal->>AuthClient: "oauth2.link() with google-forms provider"
    AuthClient->>GoogleOAuth: "Redirects to Google OAuth consent"
    GoogleOAuth->>User: "Shows consent screen for Forms access"
    User->>GoogleOAuth: "Grants permissions"
    GoogleOAuth->>AuthClient: "Returns with authorization code"
    AuthClient->>AuthClient: "Exchanges code for access token"
    AuthClient->>GoogleFormsBlock: "Returns successful authentication"
    GoogleFormsBlock->>GoogleFormsTool: "Executes with access token"
    GoogleFormsTool->>User: "Returns form responses data"
```

12 files reviewed, 9 comments

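The review above and the per-file comments below all come down to one invariant: a tool's declared scope must authorize the API call the tool actually makes, and a block's `requiredScopes` (what the consent modal asks the user for) must be the union of the scopes of every tool the block can run. The following is an added example, not code from the Sim repository, of a lint that checks that invariant over declarations shaped like the ones in this PR, plus a runtime check of the `scope` string Google returns with the token (users may grant fewer scopes than requested). The `needs` field, the tool ids, the `tools` list on the block and the sample configs are constructed assumptions for the example; the scope URLs and their read/write semantics are Google's.

```typescript
// Added example (not Sim's code): lint Google OAuth scope declarations.

type Access = 'read' | 'write';

const DRIVE_READONLY = 'https://www.googleapis.com/auth/drive.readonly';
const DRIVE_FILE = 'https://www.googleapis.com/auth/drive.file';
const DRIVE_FULL = 'https://www.googleapis.com/auth/drive';

// What each scope can do. drive.readonly: read every file in the user's
// Drive. drive.file: read and write, but only files the app created or the
// user opened with it. drive: read and write everything.
const SCOPE_ACCESS: Record<string, ReadonlySet<Access>> = {
  [DRIVE_READONLY]: new Set<Access>(['read']),
  [DRIVE_FILE]: new Set<Access>(['read', 'write']),
  [DRIVE_FULL]: new Set<Access>(['read', 'write']),
};

interface ToolConfig {
  id: string;
  needs: Access;              // assumed field: what the tool's API call does
  additionalScopes: string[];
}

interface BlockConfig {
  id: string;
  requiredScopes: string[];   // what the consent modal asks the user for
  tools: string[];            // assumed field: ids of tools the block can run
}

function grants(scopes: string[], access: Access): boolean {
  return scopes.some((s) => SCOPE_ACCESS[s]?.has(access) ?? false);
}

// A tool's own scopes must authorize the access it performs.
function lintTool(tool: ToolConfig): string[] {
  const problems: string[] = [];
  for (const s of tool.additionalScopes) {
    if (!(s in SCOPE_ACCESS)) problems.push(`${tool.id}: unknown scope ${s}`);
  }
  if (!grants(tool.additionalScopes, tool.needs)) {
    const have = grants(tool.additionalScopes, 'read') ? 'read' : 'nothing';
    problems.push(`${tool.id}: performs ${tool.needs} but its scopes only grant ${have}`);
  }
  return problems;
}

// The block must request every scope its tools rely on; the full `drive`
// scope is flagged because none of the operations in this PR need it.
function lintBlock(block: BlockConfig, tools: ToolConfig[]): string[] {
  const problems: string[] = [];
  const byId = new Map(tools.map((t) => [t.id, t] as const));
  for (const id of block.tools) {
    const tool = byId.get(id);
    if (!tool) { problems.push(`${block.id}: unknown tool ${id}`); continue; }
    for (const s of tool.additionalScopes) {
      if (!block.requiredScopes.includes(s)) {
        problems.push(`${block.id}: tool ${id} needs ${s} but the block never requests it`);
      }
    }
  }
  if (block.requiredScopes.includes(DRIVE_FULL)) {
    problems.push(`${block.id}: requests full Drive access; justify it or use drive.file`);
  }
  return problems;
}

function lintAll(tools: ToolConfig[], block: BlockConfig): string[] {
  return [...tools.flatMap(lintTool), ...lintBlock(block, tools)];
}

// Runtime check: Google's token response carries the scopes actually granted
// as a space-separated `scope` string, which can be narrower than requested.
function missingGrantedScopes(tokenScope: string, block: BlockConfig): string[] {
  const granted = new Set(tokenScope.split(/\s+/).filter(Boolean));
  return block.requiredScopes.filter((s) => !granted.has(s));
}

// Constructed sample mirroring this PR: the Drive tools and the block were
// all switched to drive.readonly, including the upload tool.
const PR_TOOLS: ToolConfig[] = [
  { id: 'google_drive_list', needs: 'read', additionalScopes: [DRIVE_READONLY] },
  { id: 'google_drive_upload', needs: 'write', additionalScopes: [DRIVE_READONLY] },
];
const PR_BLOCK: BlockConfig = {
  id: 'google_drive',
  requiredScopes: [DRIVE_READONLY],
  tools: ['google_drive_list', 'google_drive_upload'],
};

// The same configs after giving the write tool drive.file back and making
// the block request the union of its tools' scopes.
const FIXED_TOOLS: ToolConfig[] = [PR_TOOLS[0], { ...PR_TOOLS[1], additionalScopes: [DRIVE_FILE] }];
const FIXED_BLOCK: BlockConfig = { ...PR_BLOCK, requiredScopes: [DRIVE_READONLY, DRIVE_FILE] };

console.log(lintAll(PR_TOOLS, PR_BLOCK));       // one finding, on google_drive_upload
console.log(lintAll(FIXED_TOOLS, FIXED_BLOCK)); // []
```

Wiring `lintAll` into a unit test over the real tool and block registries would have failed this PR's CI on the upload, create_folder, create and write tools before any reviewer looked at it; `missingGrantedScopes` belongs right after the code-for-token exchange, so a credential that the user trimmed on the consent screen is rejected at link time rather than at first tool execution.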

required: true,
provider: 'google-drive',
additionalScopes: ['https://www.googleapis.com/auth/drive.file'],
additionalScopes: ['https://www.googleapis.com/auth/drive.readonly'],
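Review bot: in apps/sim/tools/google_drive/upload.ts the replaced line swaps the only write-capable scope for `drive.readonly`, so the upload call this tool makes can no longer be authorized by the token it asks for. Restore `drive.file` on that line rather than escalating to the full `drive` scope: `drive.file` is the narrowest Drive scope that allows creating files, and it is the one scope in this set that Google does not classify as restricted, which matters for the verification the PR summary is trying to get through.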
Review comment (Contributor) on apps/sim/tools/google_drive/upload.ts, line 21:

logic: Critical issue: Upload tool cannot function with readonly scope. This scope only allows reading files, but upload requires write permissions. Should use `drive.file` or `drive` scope instead.

Suggested change:
- additionalScopes: ['https://www.googleapis.com/auth/drive.readonly'],
+ additionalScopes: ['https://www.googleapis.com/auth/drive.file'],

'https://www.googleapis.com/auth/userinfo.email',
'https://www.googleapis.com/auth/userinfo.profile',
'https://www.googleapis.com/auth/drive.file',
'https://www.googleapis.com/auth/drive.readonly',
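Review bot: this list in apps/sim/lib/auth.ts is the base scope set the provider requests at consent time, so replacing `drive.file` with `drive.readonly` here changes what every Drive credential can reach, not only what the write tools can do. `drive.file` covers files the app created or the user opened with it; `drive.readonly` reads every file in the user's Drive and is a restricted scope that pulls the app into Google's restricted-scope verification. If read tools genuinely need files the app did not create, add `drive.readonly` alongside `drive.file` and say why in the PR; otherwise keep `drive.file` alone, which is both the working and the least-privilege choice.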
Review comment (Contributor) on apps/sim/lib/auth.ts, line 428:

logic: This scope change breaks write functionality. 'drive.readonly' only allows reading files, but many tools likely need to create/modify files. Consider 'drive.file' for read-write access to app-created files or 'drive' for full access if needed.

required: true,
provider: 'google-drive',
additionalScopes: ['https://www.googleapis.com/auth/drive.file'],
additionalScopes: ['https://www.googleapis.com/auth/drive.readonly'],
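Review bot: read-only is the right access level for the list call in apps/sim/tools/google_drive/list.ts, but note what the swap on the replaced line does to reach: under `drive.file` the listing returned only files this app created or was granted per file, under `drive.readonly` it returns the user's whole Drive. If listing app-owned files is the intent, `drive.file` was already the least-privilege choice and this line should go back with the write tools; if the intent is to browse arbitrary user files, that widening deserves its own sentence in the PR description.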
Review comment (Contributor) on apps/sim/tools/google_drive/list.ts, line 13:

logic: Scope change is correct for list operation, but upload and create_folder tools also use 'drive.readonly' which will cause failures since they need write permissions

provider: 'google-drive',
serviceId: 'google-drive',
requiredScopes: ['https://www.googleapis.com/auth/drive.file'],
requiredScopes: ['https://www.googleapis.com/auth/drive.readonly'],
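Review bot: `requiredScopes` on this block in apps/sim/blocks/blocks/google_drive.ts is what the OAuth modal requests, so it has to be the union of the scopes of every tool the block can run (list and get_content as well as upload and create_folder), not a single value chosen for the read tools. Make it `['https://www.googleapis.com/auth/drive.file']`, adding `drive.readonly` only if listing non-app files is required, and do not take the full `drive` scope suggested in the comment below: it is the broadest Drive scope, it is restricted, and no operation visible in this PR needs it.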
Review comment (Contributor) on apps/sim/blocks/blocks/google_drive.ts, line 39:

logic: Critical scope mismatch: Using readonly scope for a block that performs upload and create folder operations. This will cause authentication failures for write operations.

Suggested change:
- requiredScopes: ['https://www.googleapis.com/auth/drive.readonly'],
+ requiredScopes: ['https://www.googleapis.com/auth/drive'],

provider: 'google-docs',
serviceId: 'google-docs',
requiredScopes: ['https://www.googleapis.com/auth/drive.file'],
requiredScopes: ['https://www.googleapis.com/auth/drive.readonly'],
Review comment (Contributor) on apps/sim/blocks/blocks/google_docs.ts, line 40:

logic: Using readonly scope will break write and create operations. Google Docs write/create requires 'https://www.googleapis.com/auth/drive.file' or broader write permissions.

Suggested change:
- requiredScopes: ['https://www.googleapis.com/auth/drive.readonly'],
+ requiredScopes: ['https://www.googleapis.com/auth/drive.file'],

required: true,
provider: 'google-docs',
additionalScopes: ['https://www.googleapis.com/auth/drive.file'],
additionalScopes: ['https://www.googleapis.com/auth/drive.readonly'],
Review comment (Contributor) on apps/sim/tools/google_docs/write.ts, line 12:

logic: This scope is incompatible with write operations. The tool performs document updates via batchUpdate API which requires write permissions, not readonly. This will cause authentication failures at runtime.

Suggested change:
- additionalScopes: ['https://www.googleapis.com/auth/drive.readonly'],
+ additionalScopes: ['https://www.googleapis.com/auth/drive.file'],

icon: (props) => GoogleDriveIcon(props),
baseProviderIcon: (props) => GoogleIcon(props),
scopes: ['https://www.googleapis.com/auth/drive.file'],
scopes: ['https://www.googleapis.com/auth/drive.readonly'],
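Review bot: apps/sim/lib/oauth/oauth.ts is the second place, after apps/sim/lib/auth.ts, that hard-codes the google-drive scope list, and the two are being edited in lockstep by hand in this PR. Have one of them import the list from the other (or both from one shared constant) so a future scope change cannot leave the server-side provider and the client-side OAuth configuration requesting different scopes, which would surface only as a consent screen that does not match the token the tools end up with.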
Review comment (Contributor) on apps/sim/lib/oauth/oauth.ts, line 124:

logic: Changing to read-only scope will break upload functionality. Upload tools require write permissions.

required: true,
provider: 'google-docs',
additionalScopes: ['https://www.googleapis.com/auth/drive.file'],
additionalScopes: ['https://www.googleapis.com/auth/drive.readonly'],
Review comment (Contributor) on apps/sim/tools/google_docs/create.ts, line 16:

logic: Critical scope mismatch: 'drive.readonly' cannot create documents. This tool POSTs to Drive API which requires write permissions, but readonly scope only allows read access.

Suggested change:
- additionalScopes: ['https://www.googleapis.com/auth/drive.readonly'],
+ additionalScopes: ['https://www.googleapis.com/auth/drive.file'],

required: true,
provider: 'google-drive',
additionalScopes: ['https://www.googleapis.com/auth/drive.file'],
additionalScopes: ['https://www.googleapis.com/auth/drive.readonly'],
Review comment (Contributor) on apps/sim/tools/google_drive/create_folder.ts, line 13:

logic: Using 'drive.readonly' scope for creating folders will fail - this operation requires write permissions. Should use 'https://www.googleapis.com/auth/drive.file' or 'https://www.googleapis.com/auth/drive'

Suggested change:
- additionalScopes: ['https://www.googleapis.com/auth/drive.readonly'],
+ additionalScopes: ['https://www.googleapis.com/auth/drive.file'],

@icecrasher321 icecrasher321 merged commit 517f1a9 into staging Oct 25, 2025
9 checks passed