fixing org set

patelspratik · patelspratik · commit 6e4c50b065f0 · 2026-05-01T15:08:06.000-07:00
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
@@ -107,6 +107,10 @@ type TokenProvider interface {
 	GetAccessToken() (string, error)
 }
 
+type APIKeyOrgProvider interface {
+	GetAuthTokens() (*entity.AuthTokens, error)
+}
+
 func IsBrevAPIKey(token string) bool {
 	return strings.HasPrefix(strings.TrimSpace(token), BrevAPIKeyPrefix)
 }
@@ -119,6 +123,21 @@ func IsAPIKeyAuthStore(tokenProvider TokenProvider) bool {
 	return IsBrevAPIKey(token)
 }
 
+func GetAPIKeyOrgID(authTokensProvider APIKeyOrgProvider) (string, error) {
+	tokens, err := authTokensProvider.GetAuthTokens()
+	if err != nil {
+		return "", breverrors.WrapAndTrace(err)
+	}
+	if tokens == nil {
+		return "", breverrors.NewValidationError("api key auth requires an org id; run brev login --api-key <api-key> --org-id <org-id>")
+	}
+	orgID := strings.TrimSpace(tokens.APIKeyOrgID)
+	if orgID == "" {
+		return "", breverrors.NewValidationError("api key auth requires an org id; run brev login --api-key <api-key> --org-id <org-id>")
+	}
+	return orgID, nil
+}
+
 func NewAuth(authStore AuthStore, oauth OAuth) *Auth {
 	return &Auth{
 		authStore:            authStore,
@@ -248,14 +267,18 @@ func (t Auth) LoginWithToken(token string) error {
 	return nil
 }
 
-func (t Auth) LoginWithAPIKey(apiKey string) error {
+func (t Auth) LoginWithAPIKey(apiKey string, orgID string) error {
 	apiKey = strings.TrimSpace(apiKey)
 	if apiKey == "" {
 		return breverrors.NewValidationError("api key is empty")
 	}
 	if !strings.HasPrefix(apiKey, BrevAPIKeyPrefix) {
 		return breverrors.NewValidationError(fmt.Sprintf("api key must start with %s", BrevAPIKeyPrefix))
 	}
+	orgID = strings.TrimSpace(orgID)
+	if orgID == "" {
+		return breverrors.NewValidationError("org-id is required with api-key")
+	}
 
 	tokens, err := t.getSavedTokensOrNil()
 	if err != nil {
@@ -265,6 +288,7 @@ func (t Auth) LoginWithAPIKey(apiKey string) error {
 		tokens = &entity.AuthTokens{}
 	}
 	tokens.APIKey = apiKey
+	tokens.APIKeyOrgID = orgID
 
 	err = t.authStore.SaveAuthTokens(*tokens)
 	if err != nil {
diff --git a/pkg/auth/auth_test.go b/pkg/auth/auth_test.go
@@ -136,11 +136,12 @@ func TestLoginWithAPIKey_SavesTypedCredential(t *testing.T) {
 		oauth:     &MockOauth{},
 	}
 
-	err := a.LoginWithAPIKey("brev_api_test-key")
+	err := a.LoginWithAPIKey("brev_api_test-key", "org-test")
 	assert.NoError(t, err)
 	assert.True(t, s.didSave)
 	assert.Equal(t, entity.AuthTokens{
-		APIKey: "brev_api_test-key",
+		APIKey:      "brev_api_test-key",
+		APIKeyOrgID: "org-test",
 	}, s.saved)
 }
 
@@ -154,12 +155,13 @@ func TestLoginWithAPIKey_PreservesExistingJWT(t *testing.T) {
 		oauth:     &MockOauth{},
 	}
 
-	err := a.LoginWithAPIKey("brev_api_test-key")
+	err := a.LoginWithAPIKey("brev_api_test-key", "org-test")
 	assert.NoError(t, err)
 	assert.Equal(t, entity.AuthTokens{
 		AccessToken:  "existing-jwt",
 		RefreshToken: "existing-refresh",
 		APIKey:       "brev_api_test-key",
+		APIKeyOrgID:  "org-test",
 	}, s.saved)
 }
 
@@ -170,7 +172,19 @@ func TestLoginWithAPIKey_EmptyKeyReturnsError(t *testing.T) {
 		oauth:     &MockOauth{},
 	}
 
-	err := a.LoginWithAPIKey("")
+	err := a.LoginWithAPIKey("", "org-test")
+	assert.Error(t, err)
+	assert.False(t, s.didSave)
+}
+
+func TestLoginWithAPIKey_EmptyOrgIDReturnsError(t *testing.T) {
+	s := MockAuthStore{}
+	a := Auth{
+		authStore: &s,
+		oauth:     &MockOauth{},
+	}
+
+	err := a.LoginWithAPIKey("brev_api_test-key", "")
 	assert.Error(t, err)
 	assert.False(t, s.didSave)
 }
diff --git a/pkg/cmd/login/login.go b/pkg/cmd/login/login.go
@@ -48,7 +48,7 @@ type LoginStore interface {
 type Auth interface {
 	Login(skipBrowser bool) (*auth.LoginTokens, error)
 	LoginWithToken(token string) error
-	LoginWithAPIKey(apiKey string) error
+	LoginWithAPIKey(apiKey string, orgID string) error
 }
 
 // loginStore must be a no prompt store
@@ -218,7 +218,7 @@ func (o LoginOptions) doApiKeyLogin(t *terminal.Terminal, loginToken string, api
 	if orgID == "" {
 		return breverrors.NewValidationError("org-id is required with api-key")
 	}
-	if err := o.Auth.LoginWithAPIKey(apiKey); err != nil {
+	if err := o.Auth.LoginWithAPIKey(apiKey, orgID); err != nil {
 		return breverrors.WrapAndTrace(err)
 	}
 	if err := o.LoginStore.SetDefaultOrganization(&entity.Organization{
diff --git a/pkg/cmd/login/login_test.go b/pkg/cmd/login/login_test.go
@@ -15,6 +15,7 @@ import (
 type mockLoginAuth struct {
 	apiKeyCalls int
 	apiKey      string
+	apiKeyOrgID string
 	tokenCalls  int
 	loginCalls  int
 }
@@ -29,9 +30,10 @@ func (m *mockLoginAuth) LoginWithToken(_ string) error {
 	return nil
 }
 
-func (m *mockLoginAuth) LoginWithAPIKey(apiKey string) error {
+func (m *mockLoginAuth) LoginWithAPIKey(apiKey string, orgID string) error {
 	m.apiKeyCalls++
 	m.apiKey = apiKey
+	m.apiKeyOrgID = orgID
 	return nil
 }
 
@@ -118,6 +120,7 @@ func TestRunLoginWithAPIKey_SavesKeyAndOrgWithoutUserOrBackendOrgCalls(t *testin
 	require.NoError(t, err)
 	assert.Equal(t, 1, auth.apiKeyCalls)
 	assert.Equal(t, "brev_api_test-key", auth.apiKey)
+	assert.Equal(t, "org-test", auth.apiKeyOrgID)
 	assert.Equal(t, 1, loginStore.setDefaultOrgCalls)
 	require.NotNil(t, loginStore.defaultOrg)
 	assert.Equal(t, "org-test", loginStore.defaultOrg.ID)
diff --git a/pkg/cmd/ls/ls.go b/pkg/cmd/ls/ls.go
@@ -44,6 +44,7 @@ type LsStore interface {
 	GetWorkspace(workspaceID string) (*entity.Workspace, error)
 	GetOrganizations(options *store.GetOrganizationsOptions) ([]entity.Organization, error)
 	GetAccessToken() (string, error)
+	GetAuthTokens() (*entity.AuthTokens, error)
 	GetInstanceTypes(includeCPU bool) (*gpusearch.InstanceTypesResponse, error)
 	hello.HelloStore
 }
@@ -138,14 +139,11 @@ func getOrgForRunLs(lsStore LsStore, orgflag string, apiKeyAuth bool) (*entity.O
 		if orgflag != "" {
 			return nil, breverrors.NewValidationError("api key auth is scoped to the org saved during login; --org is not supported")
 		}
-		cachedOrg, err := lsStore.GetCachedActiveOrganizationOrNil()
+		orgID, err := auth.GetAPIKeyOrgID(lsStore)
 		if err != nil {
 			return nil, breverrors.WrapAndTrace(err)
 		}
-		if cachedOrg == nil || cachedOrg.ID == "" {
-			return nil, breverrors.NewValidationError("api key auth requires an active org; run brev login --api-key <api-key> --org-id <org-id>")
-		}
-		return cachedOrg, nil
+		return &entity.Organization{ID: orgID, Name: orgID}, nil
 	}
 
 	if orgflag != "" {
diff --git a/pkg/cmd/ls/ls_test.go b/pkg/cmd/ls/ls_test.go
@@ -22,6 +22,8 @@ type mockLsStore struct {
 	orgs                 []entity.Organization
 	workspaces           []entity.Workspace
 	accessToken          string
+	authTokens           *entity.AuthTokens
+	workspaceOrgID       string
 	currentUserCalls     int
 	getOrganizationsCall int
 }
@@ -38,6 +40,10 @@ func (m *mockLsStore) GetAccessToken() (string, error) {
 	return "tok", nil
 }
 
+func (m *mockLsStore) GetAuthTokens() (*entity.AuthTokens, error) {
+	return m.authTokens, nil
+}
+
 func (m *mockLsStore) GetWorkspace(_ string) (*entity.Workspace, error) {
 	return nil, nil
 }
@@ -50,7 +56,8 @@ func (m *mockLsStore) GetCachedActiveOrganizationOrNil() (*entity.Organization,
 	return m.org, nil
 }
 
-func (m *mockLsStore) GetWorkspaces(_ string, _ *store.GetWorkspacesOptions) ([]entity.Workspace, error) {
+func (m *mockLsStore) GetWorkspaces(orgID string, _ *store.GetWorkspacesOptions) ([]entity.Workspace, error) {
+	m.workspaceOrgID = orgID
 	return m.workspaces, nil
 }
 
@@ -90,6 +97,7 @@ func newTestStore() *mockLsStore {
 func TestRunLs_APIKeyJSONSkipsUserAndOrgList(t *testing.T) {
 	s := newTestStore()
 	s.accessToken = "brev_api_test-key"
+	s.authTokens = &entity.AuthTokens{APIKey: "brev_api_test-key", APIKeyOrgID: "org1"}
 	s.workspaces = []entity.Workspace{
 		{
 			ID:              "ws1",
@@ -130,6 +138,55 @@ func TestRunLs_APIKeyJSONSkipsUserAndOrgList(t *testing.T) {
 	}
 }
 
+func TestRunLs_APIKeyUsesCredentialOrgNotCachedActiveOrg(t *testing.T) {
+	s := newTestStore()
+	s.accessToken = "brev_api_test-key"
+	s.authTokens = &entity.AuthTokens{APIKey: "brev_api_test-key", APIKeyOrgID: "org-login"}
+	s.org = &entity.Organization{ID: "org-set", Name: "set-org"}
+	s.workspaces = []entity.Workspace{
+		{
+			ID:              "ws1",
+			Name:            "api-key-instance",
+			Status:          entity.Running,
+			CreatedByUserID: "other-user",
+		},
+	}
+	term := terminal.New()
+
+	out := captureStdout(t, func() {
+		err := RunLs(term, s, nil, "", false, true)
+		if err != nil {
+			t.Fatalf("RunLs returned error: %v", err)
+		}
+	})
+
+	if !strings.Contains(out, "api-key-instance") {
+		t.Fatalf("expected workspace output, got %s", out)
+	}
+	if s.workspaceOrgID != "org-login" {
+		t.Fatalf("expected API key credential org org-login, got %s", s.workspaceOrgID)
+	}
+}
+
+func TestRunLs_APIKeyRequiresCredentialOrg(t *testing.T) {
+	s := newTestStore()
+	s.accessToken = "brev_api_test-key"
+	s.authTokens = &entity.AuthTokens{APIKey: "brev_api_test-key"}
+	term := terminal.New()
+
+	err := RunLs(term, s, nil, "", false, true)
+
+	if err == nil {
+		t.Fatal("expected missing API key org error, got nil")
+	}
+	if !strings.Contains(err.Error(), "api key auth requires an org id") {
+		t.Fatalf("expected API key org validation error, got %v", err)
+	}
+	if s.workspaceOrgID != "" {
+		t.Fatalf("expected no workspace call, got org %s", s.workspaceOrgID)
+	}
+}
+
 // captureStdout runs fn while capturing stdout and returns the output.
 func captureStdout(t *testing.T, fn func()) string {
 	t.Helper()
diff --git a/pkg/cmd/set/set.go b/pkg/cmd/set/set.go
@@ -4,6 +4,7 @@ package set
 import (
 	"fmt"
 
+	"github.com/brevdev/brev-cli/pkg/auth"
 	"github.com/brevdev/brev-cli/pkg/cmd/cmderrors"
 	"github.com/brevdev/brev-cli/pkg/cmd/completions"
 	"github.com/brevdev/brev-cli/pkg/cmdcontext"
@@ -21,6 +22,7 @@ type SetStore interface {
 	GetOrganizations(options *store.GetOrganizationsOptions) ([]entity.Organization, error)
 	GetServerSockFile() string
 	GetCurrentWorkspaceID() (string, error)
+	GetAccessToken() (string, error)
 }
 
 func NewCmdSet(t *terminal.Terminal, loginSetStore SetStore, noLoginSetStore SetStore) *cobra.Command {
@@ -59,6 +61,9 @@ func set(orgName string, setStore SetStore) error {
 	if workspaceID != "" {
 		return fmt.Errorf("can not set orgs in a workspace")
 	}
+	if auth.IsAPIKeyAuthStore(setStore) {
+		return breverrors.NewValidationError("api key auth is scoped to the org saved during login; run brev login --api-key <api-key> --org-id <org-id> to change it")
+	}
 	orgs, err := setStore.GetOrganizations(&store.GetOrganizationsOptions{Name: orgName})
 	if err != nil {
 		return breverrors.WrapAndTrace(err)
diff --git a/pkg/cmd/set/set_test.go b/pkg/cmd/set/set_test.go
@@ -1 +1,75 @@
 package set
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/brevdev/brev-cli/pkg/entity"
+	"github.com/brevdev/brev-cli/pkg/store"
+)
+
+type mockSetStore struct {
+	accessToken         string
+	workspaceID         string
+	orgs                []entity.Organization
+	getOrganizations    int
+	setDefaultOrgCalls  int
+	defaultOrganization *entity.Organization
+}
+
+func (m *mockSetStore) GetWorkspaces(_ string, _ *store.GetWorkspacesOptions) ([]entity.Workspace, error) {
+	return nil, nil
+}
+
+func (m *mockSetStore) GetActiveOrganizationOrDefault() (*entity.Organization, error) {
+	return nil, nil
+}
+
+func (m *mockSetStore) GetCurrentUser() (*entity.User, error) {
+	return nil, nil
+}
+
+func (m *mockSetStore) SetDefaultOrganization(org *entity.Organization) error {
+	m.setDefaultOrgCalls++
+	m.defaultOrganization = org
+	return nil
+}
+
+func (m *mockSetStore) GetOrganizations(_ *store.GetOrganizationsOptions) ([]entity.Organization, error) {
+	m.getOrganizations++
+	return m.orgs, nil
+}
+
+func (m *mockSetStore) GetServerSockFile() string {
+	return ""
+}
+
+func (m *mockSetStore) GetCurrentWorkspaceID() (string, error) {
+	return m.workspaceID, nil
+}
+
+func (m *mockSetStore) GetAccessToken() (string, error) {
+	return m.accessToken, nil
+}
+
+func TestSetRejectsAPIKeyAuth(t *testing.T) {
+	s := &mockSetStore{
+		accessToken: "brev_api_test-key",
+		orgs:        []entity.Organization{{ID: "org-other", Name: "other-org"}},
+	}
+
+	err := set("other-org", s)
+
+	if err == nil {
+		t.Fatal("expected API key auth set error, got nil")
+	}
+	if !strings.Contains(err.Error(), "api key auth is scoped") {
+		t.Fatalf("expected API key auth validation error, got %v", err)
+	}
+	if s.getOrganizations != 0 {
+		t.Fatalf("expected set to skip org lookup, got %d calls", s.getOrganizations)
+	}
+	if s.setDefaultOrgCalls != 0 {
+		t.Fatalf("expected set to skip default org write, got %d calls", s.setDefaultOrgCalls)
+	}
+}
diff --git a/pkg/entity/entity.go b/pkg/entity/entity.go
@@ -28,6 +28,7 @@ type AuthTokens struct {
 	AccessToken  string `json:"access_token"`
 	RefreshToken string `json:"refresh_token"`
 	APIKey       string `json:"api_key,omitempty"`
+	APIKeyOrgID  string `json:"api_key_org_id,omitempty"`
 }
 
 type IDEConfig struct {
diff --git a/pkg/store/authtoken_test.go b/pkg/store/authtoken_test.go

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ type LoginStore interface {`
`48`	`48`	`type Auth interface {`
`49`	`49`	`Login(skipBrowser bool) (*auth.LoginTokens, error)`
`50`	`50`	`LoginWithToken(token string) error`
`51`		`- LoginWithAPIKey(apiKey string) error`
	`51`	`+ LoginWithAPIKey(apiKey string, orgID string) error`
`52`	`52`	`}`
`53`	`53`
`54`	`54`	`// loginStore must be a no prompt store`
`@@ -218,7 +218,7 @@ func (o LoginOptions) doApiKeyLogin(t *terminal.Terminal, loginToken string, api`
`218`	`218`	`if orgID == "" {`
`219`	`219`	`return breverrors.NewValidationError("org-id is required with api-key")`
`220`	`220`	`}`
`221`		`- if err := o.Auth.LoginWithAPIKey(apiKey); err != nil {`
	`221`	`+ if err := o.Auth.LoginWithAPIKey(apiKey, orgID); err != nil {`
`222`	`222`	`return breverrors.WrapAndTrace(err)`
`223`	`223`	`}`
`224`	`224`	`if err := o.LoginStore.SetDefaultOrganization(&entity.Organization{`
Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,7 @@ type LsStore interface {`
`44`	`44`	`GetWorkspace(workspaceID string) (*entity.Workspace, error)`
`45`	`45`	`GetOrganizations(options *store.GetOrganizationsOptions) ([]entity.Organization, error)`
`46`	`46`	`GetAccessToken() (string, error)`
	`47`	`+ GetAuthTokens() (*entity.AuthTokens, error)`
`47`	`48`	`GetInstanceTypes(includeCPU bool) (*gpusearch.InstanceTypesResponse, error)`
`48`	`49`	`hello.HelloStore`
`49`	`50`	`}`
`@@ -138,14 +139,11 @@ func getOrgForRunLs(lsStore LsStore, orgflag string, apiKeyAuth bool) (*entity.O`
`138`	`139`	`if orgflag != "" {`
`139`	`140`	`return nil, breverrors.NewValidationError("api key auth is scoped to the org saved during login; --org is not supported")`
`140`	`141`	`}`
`141`		`- cachedOrg, err := lsStore.GetCachedActiveOrganizationOrNil()`
	`142`	`+ orgID, err := auth.GetAPIKeyOrgID(lsStore)`
`142`	`143`	`if err != nil {`
`143`	`144`	`return nil, breverrors.WrapAndTrace(err)`
`144`	`145`	`}`
`145`		`- if cachedOrg == nil \|\| cachedOrg.ID == "" {`
`146`		`- return nil, breverrors.NewValidationError("api key auth requires an active org; run brev login --api-key <api-key> --org-id <org-id>")`
`147`		`- }`
`148`		`- return cachedOrg, nil`
	`146`	`+ return &entity.Organization{ID: orgID, Name: orgID}, nil`
`149`	`147`	`}`
`150`	`148`
`151`	`149`	`if orgflag != "" {`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ type AuthTokens struct {`
`28`	`28`	AccessToken string `json:"access_token"`
`29`	`29`	RefreshToken string `json:"refresh_token"`
`30`	`30`	APIKey string `json:"api_key,omitempty"`
	`31`	+ APIKeyOrgID string `json:"api_key_org_id,omitempty"`
`31`	`32`	`}`
`32`	`33`
`33`	`34`	`type IDEConfig struct {`