Skip to content

fix(cli): OAuth login dry-run/verify short-circuit runs after credential validation — sterile-env probes fail #3491

Description

@rob-coco

Summary

auth.go.tmpl's OAuth authorization-code login resolves credentials (resolveOAuthCredentials) before its cliutil.IsVerifyEnv() short-circuit. In a sterile environment (no flags, no env vars, no saved config — exactly how the verify harness probes commands), --no-input login --dry-run errors with OAuth2 client ID is required before the short-circuit is reached, so every freshly-printed OAuth CLI scores login 1/3 (help only) in the verify matrix.

Evidence

Re-printing spotify-pp-cli off current main: verify matrix verdict PASS at 34/35, with login the sole failure (help: true, dry_run: false, execute: false). The previously published spotify-pp-cli carried a hand-patch (fix-auth-loopback-and-dry-run in its .printing-press-patches.json) for exactly this: "Short-circuit dry-run / verify-env BEFORE arg validation so shipcheck can probe the command shape without credentials." The 127.0.0.1-loopback part of that patch was absorbed into the machine via #3457/#3460; the short-circuit-ordering part was not.

Suggested fix

In runOAuthLogin (auth.go.tmpl), before config.Load/resolveOAuthCredentials:

if (dryRunOK(flags) || cliutil.IsVerifyEnv()) && clientID == "" {
    fmt.Fprintln(w, `{"status":"dry_run","action":"auth login","would":"start OAuth2 authorization-code flow (PKCE without client secret), open browser, capture loopback callback"}`)
    return nil
}

Keeping the existing later verify-env branch intact preserves the full authorize-URL output (with PKCE params) when a client ID is available — generator tests rely on that URL. Needs a generated-output test asserting --no-input login --dry-run exits 0 in a credential-free environment, plus the oauth2-authcode golden update.

Discovered while regenerating spotify-pp-cli (refs mvanhorn/printing-press-library#1287); the re-printed CLI carries this as a recorded patch (carry-dry-run-before-credential-validation) until the machine owns it.

Metadata

Metadata

Assignees

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions