Problem
SheetsService, DocsService, and SlidesService do not verify that the OAuth token matches the --account flag. A mismatched token silently queries the wrong user's data, returning 404 or accessing the wrong account's files.
Location: src/services/sheets-service.ts:49, src/services/docs-service.ts:39, src/services/slides-service.ts:42
Found in: codebase scan (pattern gap identified during #113 fix)
Type: bug — same class as #113
Context
DriveService and MailService both verify the token matches --account during initialize():
- MailService uses gmail.users.getProfile({ userId: "me" })
- DriveService (as of fix(drive): resolve shared file access failures #114) uses drive.about.get({ fields: "user" })
The three new services added in #111 and #112 are missing this verification.
Recommended Approach
For each service, add account verification in initialize() after creating the API client:
- SheetsService: Use drive.about.get({ fields: "user" }) (requires adding Drive scope or using a separate Drive client) — OR use the Sheets API's own method if available. Alternatively, since Sheets files are also Drive files, the DriveService pattern works.
- DocsService: Same approach — verify via Drive API about.get.
- SlidesService: Same approach.
Alternatively, extract the verification logic into BaseService to avoid duplication across all services.
Acceptance Criteria
- SheetsService.initialize() verifies token email matches --account
- DocsService.initialize() verifies token email matches --account
- SlidesService.initialize() verifies token email matches --account
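An added example (not the project's code) of the shared verification step suggested under Recommended Approach, written so that a missing email or a failed lookup blocks initialization instead of passing silently. The function names, the WhoAmI callback type and the stubbed lookups are assumptions made for illustration.

```typescript
// Added example: all names here are hypothetical, not the project's code.
type WhoAmI = () => Promise<string | null | undefined>;

// Assumption: account emails are compared case-insensitively, ignoring
// surrounding whitespace.
function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

// Pure comparison step: returns null on a match, otherwise the reason.
// Fails closed: a missing or empty token email is never treated as a match.
function accountMismatchReason(
  expected: string,
  tokenEmail: string | null | undefined,
): string | null {
  const actual = tokenEmail ? normalizeEmail(tokenEmail) : "";
  if (actual === "") {
    return "identity lookup returned no email";
  }
  const wanted = normalizeEmail(expected);
  return actual === wanted ? null : `token belongs to ${actual}, not ${wanted}`;
}

// Shared step for a BaseService-style initialize(). Each service passes its
// own lookup, e.g. one wrapping drive.about.get({ fields: "user" }) or
// gmail.users.getProfile({ userId: "me" }). A failed lookup also rejects,
// so the service never starts with an unverified token.
async function verifyTokenAccount(expected: string, whoAmI: WhoAmI): Promise<string> {
  let tokenEmail: string | null | undefined;
  try {
    tokenEmail = await whoAmI();
  } catch {
    throw new Error(`cannot verify --account ${expected}: identity lookup failed`);
  }
  const reason = accountMismatchReason(expected, tokenEmail);
  if (reason !== null) {
    throw new Error(`cannot verify --account ${expected}: ${reason}`);
  }
  return normalizeEmail(expected);
}

// Constructed stand-ins for API responses, so the example runs offline.
const matchingToken: WhoAmI = async () => "Alice@Example.com";
const wrongToken: WhoAmI = async () => "bob@example.com";
const noEmailToken: WhoAmI = async () => undefined;
```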