fix(auth): resolve auth token discovery mismatch between CLI and server (#3340) #3409
Merged
…er (#3340)

Two-part fix for the first-run auth regression:

CLI (run.ts):
- resolveAuthToken() now falls back to searching all config files for clientAuthToken/authToken when the auth-token file is missing

Server (server.ts):
- AuthManager now uses clientAuthToken as master token fallback when authToken is not set (ag init writes to clientAuthToken)
- Session encryption key also checks clientAuthToken

This closes the gap where ag init --yes writes tokens to clientAuthToken but the server only reads authToken, causing 401 for new users.

Fixes: #3340
✅ Approved.
Clean P1 auth fix. Three changes:
- resolveAuthToken() → async, falls back to loadConfig() → clientAuthToken || authToken
- Server encryption key now checks both authToken and clientAuthToken
- AuthManager initialized with authToken || clientAuthToken
Resolves the mismatch where CLI reads ~/.aegis/auth-token but server uses config. Existing test coverage validates auth scenarios — gate 6 satisfied.
CI green. All gates pass.
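The two lookup orders listed in the review above, modelled side by side as an added example (not code from the PR or the project). Only the field names authToken and clientAuthToken come from the page; the function names, the CliInputs type, and the token values are hypothetical.

```typescript
// Added illustration; not the project's code. Field names authToken and
// clientAuthToken come from the PR; every other name here is hypothetical.
interface Config { authToken?: string; clientAuthToken?: string }

interface CliInputs {
  envToken?: string;   // token from an environment variable (name not given on the page)
  tokenFile?: string;  // contents of the auth-token file, undefined when missing
  configs: Config[];   // parsed config files, in search order
}

// First non-empty candidate; "" and whitespace count as unset.
function firstSet(...candidates: (string | undefined)[]): string | undefined {
  for (const c of candidates) {
    const t = c?.trim();
    if (t) return t;
  }
  return undefined;
}

// CLI order per the PR: env, auth-token file, then clientAuthToken || authToken per config.
function resolveCliToken(inp: CliInputs): string | undefined {
  const fromConfigs = inp.configs.map(c => firstSet(c.clientAuthToken, c.authToken));
  return firstSet(inp.envToken, inp.tokenFile, ...fromConfigs);
}

// Server master token: authToken only before the fix, authToken || clientAuthToken after.
function resolveServerToken(cfg: Config, withFallback: boolean): string | undefined {
  return withFallback ? firstSet(cfg.authToken, cfg.clientAuthToken) : firstSet(cfg.authToken);
}

// Model of a first-run request: 200 if both sides resolved the same token, else 401.
function firstRunStatus(cfg: Config, withFallback: boolean): 200 | 401 {
  const client = resolveCliToken({ configs: [cfg] });
  const server = resolveServerToken(cfg, withFallback);
  return client !== undefined && client === server ? 200 : 401;
}

// Constructed samples (token values are made up).
const freshInit: Config = { clientAuthToken: "constructed-token-123" }; // state after init, per the PR
const split: Config = { authToken: "A", clientAuthToken: "B" };         // both fields set, different values

console.log(firstRunStatus(freshInit, false), firstRunStatus(freshInit, true), firstRunStatus(split, true));
```

With the orderings as quoted in the review, a config that sets both fields to different values still resolves to a different token on each side in this model, so that case is worth a regression test alongside the first-run one.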
Summary
Fixes #3340 — auth token discovery regression blocking new users.
Root Cause
ag init --yes writes tokens to clientAuthToken in config, but the server only reads authToken. The CLI's resolveAuthToken() checks env vars and the auth-token file, but doesn't fall back to config file fields. Result: new users hit 401 immediately after init.
Fix
CLI (src/commands/run.ts): resolveAuthToken() now falls back to searching config files for clientAuthToken/authToken when the auth-token file is missing
Server (src/server.ts): clientAuthToken as master token fallback when authToken is empty
clientAuthToken
Verification
authToken are unaffected
Related