review

patelspratik · patelspratik · commit 2a100c941a35 · 2026-05-05T11:49:51.000-07:00
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
@@ -103,37 +103,38 @@ type Auth struct {
 
 const BrevAPIKeyPrefix = "bak-"
 
-type TokenProvider interface {
-	GetAccessToken() (string, error)
-}
+const MissingAPIKeyOrgIDMessage = "api key auth requires an org id; run brev login --api-key <api-key> --org-id <org-id>"
 
-type APIKeyOrgProvider interface {
+type APIKeyAuthStore interface {
 	GetAuthTokens() (*entity.AuthTokens, error)
 }
 
 func IsBrevAPIKey(token string) bool {
 	return strings.HasPrefix(strings.TrimSpace(token), BrevAPIKeyPrefix)
 }
 
-func IsAPIKeyAuthStore(tokenProvider TokenProvider) bool {
-	token, err := tokenProvider.GetAccessToken()
+func IsAPIKeyAuthStore(authTokensProvider APIKeyAuthStore) bool {
+	tokens, err := authTokensProvider.GetAuthTokens()
 	if err != nil {
 		return false
 	}
-	return IsBrevAPIKey(token)
+	if tokens == nil {
+		return false
+	}
+	return IsBrevAPIKey(tokens.APIKey)
 }
 
-func GetAPIKeyOrgID(authTokensProvider APIKeyOrgProvider) (string, error) {
+func GetAPIKeyOrgID(authTokensProvider APIKeyAuthStore) (string, error) {
 	tokens, err := authTokensProvider.GetAuthTokens()
 	if err != nil {
 		return "", breverrors.WrapAndTrace(err)
 	}
 	if tokens == nil {
-		return "", breverrors.NewValidationError("api key auth requires an org id; run brev login --api-key <api-key> --org-id <org-id>")
+		return "", breverrors.NewValidationError(MissingAPIKeyOrgIDMessage)
 	}
 	orgID := strings.TrimSpace(tokens.APIKeyOrgID)
 	if orgID == "" {
-		return "", breverrors.NewValidationError("api key auth requires an org id; run brev login --api-key <api-key> --org-id <org-id>")
+		return "", breverrors.NewValidationError(MissingAPIKeyOrgIDMessage)
 	}
 	return orgID, nil
 }
@@ -183,13 +184,13 @@ func (t Auth) GetFreshAccessTokenOrNil() (string, error) {
 		return "", nil
 	}
 
-	if tokens.APIKey != "" {
-		apiKey := strings.TrimSpace(tokens.APIKey)
-		if apiKey == "" {
-			return "", breverrors.NewValidationError("api key is empty")
-		}
+	apiKey := strings.TrimSpace(tokens.APIKey)
+	if apiKey != "" {
 		return apiKey, nil
 	}
+	if tokens.APIKey != "" {
+		return "", breverrors.NewValidationError("api key is empty")
+	}
 
 	// should always at least have access token?
 	if tokens.AccessToken == "" {
@@ -277,7 +278,7 @@ func (t Auth) LoginWithAPIKey(apiKey string, orgID string) error {
 	}
 	orgID = strings.TrimSpace(orgID)
 	if orgID == "" {
-		return breverrors.NewValidationError("org-id is required with api-key")
+		return breverrors.NewValidationError(MissingAPIKeyOrgIDMessage)
 	}
 
 	tokens, err := t.getSavedTokensOrNil()
diff --git a/pkg/auth/auth_test.go b/pkg/auth/auth_test.go
@@ -8,6 +8,7 @@ import (
 	"github.com/brevdev/brev-cli/pkg/entity"
 	breverrors "github.com/brevdev/brev-cli/pkg/errors"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
 )
 
@@ -94,6 +95,41 @@ func TestIsBrevAPIKey(t *testing.T) {
 	assert.False(t, IsBrevAPIKey(""))
 }
 
+type sideEffectingTokenStore struct {
+	tokens               *entity.AuthTokens
+	getAccessTokenCalled bool
+}
+
+func (s *sideEffectingTokenStore) GetAuthTokens() (*entity.AuthTokens, error) {
+	return s.tokens, nil
+}
+
+func (s *sideEffectingTokenStore) GetAccessToken() (string, error) {
+	s.getAccessTokenCalled = true
+	return testAPIKey, nil
+}
+
+func TestIsAPIKeyAuthStore_ReadsSavedTokensWithoutAccessTokenSideEffects(t *testing.T) {
+	s := &sideEffectingTokenStore{
+		tokens: &entity.AuthTokens{APIKey: testAPIKey},
+	}
+
+	assert.True(t, IsAPIKeyAuthStore(s))
+	assert.False(t, s.getAccessTokenCalled)
+}
+
+func TestIsAPIKeyAuthStore_LegacyCredentialsAreNotAPIKeyAuth(t *testing.T) {
+	s := &sideEffectingTokenStore{
+		tokens: &entity.AuthTokens{
+			AccessToken:  validToken,
+			RefreshToken: "refresh",
+		},
+	}
+
+	assert.False(t, IsAPIKeyAuthStore(s))
+	assert.False(t, s.getAccessTokenCalled)
+}
+
 func TestGetFreshAccessTokenOrNil_APIKeySkipsJWTValidationAndRefresh(t *testing.T) {
 	s := MockAuthStore{authTokens: &entity.AuthTokens{
 		AccessToken:  "expired-jwt",
@@ -202,8 +238,11 @@ func TestLoginWithAPIKey_EmptyOrgIDReturnsError(t *testing.T) {
 
 func TestStandardLogin_APIKeyCredentialDoesNotProbeOAuthProviders(t *testing.T) {
 	oldStdout := os.Stdout
+	t.Cleanup(func() {
+		os.Stdout = oldStdout
+	})
 	readPipe, writePipe, err := os.Pipe()
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	os.Stdout = writePipe
 
 	_ = StandardLogin("", "", &entity.AuthTokens{
diff --git a/pkg/cmd/completions/completions.go b/pkg/cmd/completions/completions.go
@@ -9,6 +9,7 @@ import (
 )
 
 type CompletionStore interface {
+	auth.APIKeyAuthStore
 	GetWorkspaces(organizationID string, options *store.GetWorkspacesOptions) ([]entity.Workspace, error)
 	GetActiveOrganizationOrDefault() (*entity.Organization, error)
 	GetCurrentUser() (*entity.User, error)
@@ -29,7 +30,7 @@ func GetAllWorkspaceNameCompletionHandler(completionStore CompletionStore, t *te
 		}
 
 		var options *store.GetWorkspacesOptions
-		if tokenProvider, ok := completionStore.(auth.TokenProvider); !ok || !auth.IsAPIKeyAuthStore(tokenProvider) {
+		if !auth.IsAPIKeyAuthStore(completionStore) {
 			user, err := completionStore.GetCurrentUser()
 			if err != nil {
 				t.Errprint(err, "")
@@ -55,7 +56,7 @@ func GetAllWorkspaceNameCompletionHandler(completionStore CompletionStore, t *te
 
 func GetOrgsNameCompletionHandler(completionStore CompletionStore, t *terminal.Terminal) CompletionHandler {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-		if tokenProvider, ok := completionStore.(auth.TokenProvider); ok && auth.IsAPIKeyAuthStore(tokenProvider) {
+		if auth.IsAPIKeyAuthStore(completionStore) {
 			return []string{}, cobra.ShellCompDirectiveNoFileComp
 		}
 
diff --git a/pkg/cmd/delete/delete.go b/pkg/cmd/delete/delete.go
@@ -100,7 +100,7 @@ func deleteWorkspace(workspaceName string, t *terminal.Terminal, deleteStore Del
 
 func handleAdminUser(err error, deleteStore DeleteStore, piped bool) error {
 	if strings.Contains(err.Error(), "not found") {
-		if tokenProvider, ok := deleteStore.(auth.TokenProvider); ok && auth.IsAPIKeyAuthStore(tokenProvider) {
+		if auth.IsAPIKeyAuthStore(deleteStore) {
 			return breverrors.WrapAndTrace(err)
 		}
 		user, err1 := deleteStore.GetCurrentUser()
diff --git a/pkg/cmd/gpucreate/gpucreate.go b/pkg/cmd/gpucreate/gpucreate.go
@@ -98,7 +98,7 @@ type GPUCreateStore interface {
 	util.GetWorkspaceByNameOrIDErrStore
 	gpusearch.GPUSearchStore
 	GetActiveOrganizationOrDefault() (*entity.Organization, error)
-	GetAccessToken() (string, error)
+	GetAuthTokens() (*entity.AuthTokens, error)
 	GetCurrentUser() (*entity.User, error)
 	GetWorkspace(workspaceID string) (*entity.Workspace, error)
 	CreateWorkspace(organizationID string, options *store.CreateWorkspacesOptions) (*entity.Workspace, error)
diff --git a/pkg/cmd/gpucreate/gpucreate_test.go b/pkg/cmd/gpucreate/gpucreate_test.go
@@ -45,8 +45,8 @@ func (m *MockGPUCreateStore) GetCurrentUser() (*entity.User, error) {
 	return m.User, nil
 }
 
-func (m *MockGPUCreateStore) GetAccessToken() (string, error) {
-	return "", nil
+func (m *MockGPUCreateStore) GetAuthTokens() (*entity.AuthTokens, error) {
+	return nil, nil
 }
 
 func (m *MockGPUCreateStore) GetActiveOrganizationOrDefault() (*entity.Organization, error) {
diff --git a/pkg/cmd/invite/invite.go b/pkg/cmd/invite/invite.go
@@ -17,12 +17,9 @@ import (
 )
 
 type InviteStore interface {
-	GetWorkspaces(organizationID string, options *store.GetWorkspacesOptions) ([]entity.Workspace, error)
-	GetActiveOrganizationOrDefault() (*entity.Organization, error)
-	GetCurrentUser() (*entity.User, error)
+	completions.CompletionStore
 	GetUsers(queryParams map[string]string) ([]entity.User, error)
 	GetWorkspace(workspaceID string) (*entity.Workspace, error)
-	GetOrganizations(options *store.GetOrganizationsOptions) ([]entity.Organization, error)
 	CreateInviteLink(organizationID string) (string, error)
 }
 
diff --git a/pkg/cmd/login/login.go b/pkg/cmd/login/login.go
@@ -64,7 +64,6 @@ func NewCmdLogin(t *terminal.Terminal, loginStore LoginStore, auth Auth) *cobra.
 	var skipBrowser bool
 	var emailFlag string
 	var authProviderFlag string
-	apiKeyLogin := false
 
 	cmd := &cobra.Command{
 		Annotations:           map[string]string{"configuration": ""},
@@ -75,7 +74,7 @@ func NewCmdLogin(t *terminal.Terminal, loginStore LoginStore, auth Auth) *cobra.
 		Example:               "brev login",
 		Args:                  cmderrors.TransformToValidationError(cobra.NoArgs),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			apiKeyLogin = strings.TrimSpace(apiKey) != ""
+			apiKeyLogin := strings.TrimSpace(apiKey) != ""
 			err := opts.RunLogin(t, loginToken, apiKey, apiKeyOrgID, skipBrowser, emailFlag, authProviderFlag)
 			if err != nil {
 				// if err is ImportIDEConfigError, log err with sentry but continue
@@ -216,7 +215,7 @@ func (o LoginOptions) doApiKeyLogin(t *terminal.Terminal, loginToken string, api
 	apiKey = strings.TrimSpace(apiKey)
 	orgID := strings.TrimSpace(apiKeyOrgID)
 	if orgID == "" {
-		return breverrors.NewValidationError("org-id is required with api-key")
+		return breverrors.NewValidationError(auth.MissingAPIKeyOrgIDMessage)
 	}
 	if err := o.Auth.LoginWithAPIKey(apiKey, orgID); err != nil {
 		return breverrors.WrapAndTrace(err)
diff --git a/pkg/cmd/ls/ls.go b/pkg/cmd/ls/ls.go
@@ -38,12 +38,11 @@ import (
 type LsStore interface {
 	GetWorkspaces(organizationID string, options *store.GetWorkspacesOptions) ([]entity.Workspace, error)
 	GetActiveOrganizationOrDefault() (*entity.Organization, error)
-	GetCachedActiveOrganizationOrNil() (*entity.Organization, error)
 	GetCurrentUser() (*entity.User, error)
 	GetUsers(queryParams map[string]string) ([]entity.User, error)
 	GetWorkspace(workspaceID string) (*entity.Workspace, error)
 	GetOrganizations(options *store.GetOrganizationsOptions) ([]entity.Organization, error)
-	GetAccessToken() (string, error)
+	externalnode.TokenProvider
 	GetAuthTokens() (*entity.AuthTokens, error)
 	GetInstanceTypes(includeCPU bool) (*gpusearch.InstanceTypesResponse, error)
 	hello.HelloStore
diff --git a/pkg/cmd/ls/ls_test.go b/pkg/cmd/ls/ls_test.go
@@ -24,7 +24,6 @@ type mockLsStore struct {
 	org                  *entity.Organization
 	orgs                 []entity.Organization
 	workspaces           []entity.Workspace
-	accessToken          string
 	authTokens           *entity.AuthTokens
 	workspaceOrgID       string
 	currentUserCalls     int
@@ -36,17 +35,14 @@ func (m *mockLsStore) GetCurrentUser() (*entity.User, error) {
 	return m.user, nil
 }
 
-func (m *mockLsStore) GetAccessToken() (string, error) {
-	if m.accessToken != "" {
-		return m.accessToken, nil
-	}
-	return "tok", nil
-}
-
 func (m *mockLsStore) GetAuthTokens() (*entity.AuthTokens, error) {
 	return m.authTokens, nil
 }
 
+func (m *mockLsStore) GetAccessToken() (string, error) {
+	return "tok", nil
+}
+
 func (m *mockLsStore) GetWorkspace(_ string) (*entity.Workspace, error) {
 	return nil, nil
 }
@@ -55,10 +51,6 @@ func (m *mockLsStore) GetActiveOrganizationOrDefault() (*entity.Organization, er
 	return m.org, nil
 }
 
-func (m *mockLsStore) GetCachedActiveOrganizationOrNil() (*entity.Organization, error) {
-	return m.org, nil
-}
-
 func (m *mockLsStore) GetWorkspaces(orgID string, _ *store.GetWorkspacesOptions) ([]entity.Workspace, error) {
 	m.workspaceOrgID = orgID
 	return m.workspaces, nil
@@ -99,7 +91,6 @@ func newTestStore() *mockLsStore {
 
 func TestRunLs_APIKeyJSONSkipsUserAndOrgList(t *testing.T) {
 	s := newTestStore()
-	s.accessToken = testAPIKey
 	s.authTokens = &entity.AuthTokens{APIKey: testAPIKey, APIKeyOrgID: "org1"}
 	s.workspaces = []entity.Workspace{
 		{
@@ -143,7 +134,6 @@ func TestRunLs_APIKeyJSONSkipsUserAndOrgList(t *testing.T) {
 
 func TestRunLs_APIKeyUsesCredentialOrgNotCachedActiveOrg(t *testing.T) {
 	s := newTestStore()
-	s.accessToken = testAPIKey
 	s.authTokens = &entity.AuthTokens{APIKey: testAPIKey, APIKeyOrgID: "org-login"}
 	s.org = &entity.Organization{ID: "org-set", Name: "set-org"}
 	s.workspaces = []entity.Workspace{
@@ -173,7 +163,6 @@ func TestRunLs_APIKeyUsesCredentialOrgNotCachedActiveOrg(t *testing.T) {
 
 func TestRunLs_APIKeyRequiresCredentialOrg(t *testing.T) {
 	s := newTestStore()
-	s.accessToken = testAPIKey
 	s.authTokens = &entity.AuthTokens{APIKey: testAPIKey}
 	term := terminal.New()
 
diff --git a/pkg/cmd/set/set.go b/pkg/cmd/set/set.go
@@ -22,7 +22,7 @@ type SetStore interface {
 	GetOrganizations(options *store.GetOrganizationsOptions) ([]entity.Organization, error)
 	GetServerSockFile() string
 	GetCurrentWorkspaceID() (string, error)
-	GetAccessToken() (string, error)
+	GetAuthTokens() (*entity.AuthTokens, error)
 }
 
 func NewCmdSet(t *terminal.Terminal, loginSetStore SetStore, noLoginSetStore SetStore) *cobra.Command {
diff --git a/pkg/cmd/set/set_test.go b/pkg/cmd/set/set_test.go
@@ -12,7 +12,7 @@ import (
 const testAPIKey = authpkg.BrevAPIKeyPrefix + "test-key"
 
 type mockSetStore struct {
-	accessToken         string
+	authTokens          *entity.AuthTokens
 	workspaceID         string
 	orgs                []entity.Organization
 	getOrganizations    int
@@ -51,14 +51,14 @@ func (m *mockSetStore) GetCurrentWorkspaceID() (string, error) {
 	return m.workspaceID, nil
 }
 
-func (m *mockSetStore) GetAccessToken() (string, error) {
-	return m.accessToken, nil
+func (m *mockSetStore) GetAuthTokens() (*entity.AuthTokens, error) {
+	return m.authTokens, nil
 }
 
 func TestSetRejectsAPIKeyAuth(t *testing.T) {
 	s := &mockSetStore{
-		accessToken: testAPIKey,
-		orgs:        []entity.Organization{{ID: "org-other", Name: "other-org"}},
+		authTokens: &entity.AuthTokens{APIKey: testAPIKey, APIKeyOrgID: "org-test"},
+		orgs:       []entity.Organization{{ID: "org-other", Name: "other-org"}},
 	}
 
 	err := set("other-org", s)
diff --git a/pkg/cmd/start/start.go b/pkg/cmd/start/start.go
diff --git a/pkg/cmd/start/start_test.go b/pkg/cmd/start/start_test.go
diff --git a/pkg/cmd/stop/stop.go b/pkg/cmd/stop/stop.go
diff --git a/pkg/cmd/util/util.go b/pkg/cmd/util/util.go

Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ func deleteWorkspace(workspaceName string, t *terminal.Terminal, deleteStore Del`
`100`	`100`
`101`	`101`	`func handleAdminUser(err error, deleteStore DeleteStore, piped bool) error {`
`102`	`102`	`if strings.Contains(err.Error(), "not found") {`
`103`		`- if tokenProvider, ok := deleteStore.(auth.TokenProvider); ok && auth.IsAPIKeyAuthStore(tokenProvider) {`
	`103`	`+ if auth.IsAPIKeyAuthStore(deleteStore) {`
`104`	`104`	`return breverrors.WrapAndTrace(err)`
`105`	`105`	`}`
`106`	`106`	`user, err1 := deleteStore.GetCurrentUser()`
Original file line number	Diff line number	Diff line change
`@@ -45,8 +45,8 @@ func (m MockGPUCreateStore) GetCurrentUser() (entity.User, error) {`
`45`	`45`	`return m.User, nil`
`46`	`46`	`}`
`47`	`47`
`48`		`-func (m *MockGPUCreateStore) GetAccessToken() (string, error) {`
`49`		`- return "", nil`
	`48`	`+func (m MockGPUCreateStore) GetAuthTokens() (entity.AuthTokens, error) {`
	`49`	`+ return nil, nil`
`50`	`50`	`}`
`51`	`51`
`52`	`52`	`func (m MockGPUCreateStore) GetActiveOrganizationOrDefault() (entity.Organization, error) {`
Original file line number	Diff line number	Diff line change
`@@ -17,12 +17,9 @@ import (`
`17`	`17`	`)`
`18`	`18`
`19`	`19`	`type InviteStore interface {`
`20`		`- GetWorkspaces(organizationID string, options *store.GetWorkspacesOptions) ([]entity.Workspace, error)`
`21`		`- GetActiveOrganizationOrDefault() (*entity.Organization, error)`
`22`		`- GetCurrentUser() (*entity.User, error)`
	`20`	`+ completions.CompletionStore`
`23`	`21`	`GetUsers(queryParams map[string]string) ([]entity.User, error)`
`24`	`22`	`GetWorkspace(workspaceID string) (*entity.Workspace, error)`
`25`		`- GetOrganizations(options *store.GetOrganizationsOptions) ([]entity.Organization, error)`
`26`	`23`	`CreateInviteLink(organizationID string) (string, error)`
`27`	`24`	`}`
`28`	`25`