fixing ls

Author: patelspratik

pkg/auth/auth.go

@@ -348,7 +348,7 @@ func (t Auth) getSavedTokensOrNil() (*entity.AuthTokens, error) {
 		}
 		return nil, breverrors.WrapAndTrace(err)
 	}
-	if tokens != nil && tokens.AccessToken == "" && tokens.RefreshToken == "" {
+	if tokens != nil && tokens.AccessToken == "" && tokens.RefreshToken == "" && tokens.APIKey == "" {
 		return nil, nil
 	}
 	return tokens, nil

pkg/auth/auth_test.go

@@ -107,6 +107,28 @@ func TestGetFreshAccessTokenOrNil_APIKeySkipsJWTValidationAndRefresh(t *testing.
 	assert.False(t, s.didSave)
 }
 
+func TestGetFreshAccessTokenOrNil_APIKeyOnlyCredentialReturnsAPIKey(t *testing.T) {
+	s := MockAuthStore{authTokens: &entity.AuthTokens{
+		APIKey: "brev_api_test-key",
+	}}
+	a := Auth{
+		&s,
+		&MockOauth{}, func(_ string) (bool, error) {
+			t.Fatal("api keys must not be parsed as JWTs")
+			return false, nil
+		},
+		func() (bool, error) {
+			t.Fatal("api keys must not trigger login")
+			return false, nil
+		},
+	}
+
+	res, err := a.GetFreshAccessTokenOrNil()
+	assert.NoError(t, err)
+	assert.Equal(t, "brev_api_test-key", res)
+	assert.False(t, s.didSave)
+}
+
 func TestLoginWithAPIKey_SavesTypedCredential(t *testing.T) {
 	s := MockAuthStore{}
 	a := Auth{

pkg/cmd/ls/ls.go

@@ -6,12 +6,14 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"strings"
 	"sync"
 
 	nodev1 "buf.build/gen/go/brevdev/devplane/protocolbuffers/go/devplaneapi/v1"
 	"connectrpc.com/connect"
 
 	"github.com/brevdev/brev-cli/pkg/analytics"
+	"github.com/brevdev/brev-cli/pkg/auth"
 	"github.com/brevdev/brev-cli/pkg/externalnode"
 
 	"github.com/brevdev/brev-cli/pkg/cmd/cmderrors"
@@ -37,6 +39,7 @@ import (
 type LsStore interface {
 	GetWorkspaces(organizationID string, options *store.GetWorkspacesOptions) ([]entity.Workspace, error)
 	GetActiveOrganizationOrDefault() (*entity.Organization, error)
+	GetCachedActiveOrganizationOrNil() (*entity.Organization, error)
 	GetCurrentUser() (*entity.User, error)
 	GetUsers(queryParams map[string]string) ([]entity.User, error)
 	GetWorkspace(workspaceID string) (*entity.Workspace, error)
@@ -75,10 +78,13 @@ with other commands like stop, start, or delete.`,
   brev ls orgs --json
 		`,
 		PersistentPostRunE: func(cmd *cobra.Command, args []string) error {
+			if isAPIKeyAuthStore(noLoginLsStore) {
+				return cmdcontext.InvokeParentPersistentPostRun(cmd, args)
+			}
 			if hello.ShouldWeRunOnboardingLSStep(noLoginLsStore) && hello.ShouldWeRunOnboarding(noLoginLsStore) {
 				// Getting the workspaces should go in the hello.go file but then
 				// requires passing in stores and that makes it hard to use in other commands
-				org, err := getOrgForRunLs(loginLsStore, org)
+				org, err := getOrgForRunLs(loginLsStore, org, false)
 				if err != nil {
 					return err
 				}
@@ -146,9 +152,11 @@ with other commands like stop, start, or delete.`,
 // trackLsAnalytics sends analytics event for ls command
 func trackLsAnalytics(store LsStore) {
 	userID := ""
-	user, err := store.GetCurrentUser()
-	if err == nil {
-		userID = user.ID
+	if !isAPIKeyAuthStore(store) {
+		user, err := store.GetCurrentUser()
+		if err == nil {
+			userID = user.ID
+		}
 	}
 	data := analytics.EventData{
 		EventName: "Brev ls",
@@ -157,8 +165,30 @@ func trackLsAnalytics(store LsStore) {
 	_ = analytics.TrackEvent(data)
 }
 
-func getOrgForRunLs(lsStore LsStore, orgflag string) (*entity.Organization, error) {
+func isAPIKeyAuthStore(lsStore LsStore) bool {
+	token, err := lsStore.GetAccessToken()
+	if err != nil {
+		return false
+	}
+	return strings.HasPrefix(strings.TrimSpace(token), auth.BrevAPIKeyPrefix)
+}
+
+func getOrgForRunLs(lsStore LsStore, orgflag string, apiKeyAuth bool) (*entity.Organization, error) {
 	var org *entity.Organization
+	if apiKeyAuth {
+		if orgflag != "" {
+			return nil, breverrors.NewValidationError("api key auth is scoped to the org saved during login; --org is not supported")
+		}
+		cachedOrg, err := lsStore.GetCachedActiveOrganizationOrNil()
+		if err != nil {
+			return nil, breverrors.WrapAndTrace(err)
+		}
+		if cachedOrg == nil || cachedOrg.ID == "" {
+			return nil, breverrors.NewValidationError("api key auth requires an active org; run brev login --api-key <api-key>::<org-id>")
+		}
+		return cachedOrg, nil
+	}
+
 	if orgflag != "" {
 		var orgs []entity.Organization
 		orgs, err := lsStore.GetOrganizations(&store.GetOrganizationsOptions{Name: orgflag})
@@ -188,12 +218,18 @@ func getOrgForRunLs(lsStore LsStore, orgflag string) (*entity.Organization, erro
 
 func RunLs(t *terminal.Terminal, lsStore LsStore, args []string, orgflag string, showAll bool, jsonOutput bool) error {
 	ls := NewLs(lsStore, t, jsonOutput)
-	user, err := lsStore.GetCurrentUser()
-	if err != nil {
-		return breverrors.WrapAndTrace(err)
+	apiKeyAuth := isAPIKeyAuthStore(lsStore)
+
+	var user *entity.User
+	if !apiKeyAuth {
+		var err error
+		user, err = lsStore.GetCurrentUser()
+		if err != nil {
+			return breverrors.WrapAndTrace(err)
+		}
 	}
 
-	org, err := getOrgForRunLs(lsStore, orgflag)
+	org, err := getOrgForRunLs(lsStore, orgflag, apiKeyAuth)
 	if err != nil {
 		return breverrors.WrapAndTrace(err)
 	}
@@ -202,7 +238,7 @@ func RunLs(t *terminal.Terminal, lsStore LsStore, args []string, orgflag string,
 	}
 
 	if len(args) == 1 { //nolint:gocritic // don't want to switch
-		err = handleLsArg(ls, args[0], user, org, showAll)
+		err = handleLsArg(ls, args[0], user, org, showAll, apiKeyAuth)
 		if err != nil {
 			return breverrors.WrapAndTrace(err)
 		}
@@ -218,10 +254,13 @@ func RunLs(t *terminal.Terminal, lsStore LsStore, args []string, orgflag string,
 	return nil
 }
 
-func handleLsArg(ls *Ls, arg string, user *entity.User, org *entity.Organization, showAll bool) error {
+func handleLsArg(ls *Ls, arg string, user *entity.User, org *entity.Organization, showAll bool, apiKeyAuth bool) error {
 	// todo refactor this to cmd.register
 	//nolint:gocritic // idk how to write this as a switch
 	if util.IsSingularOrPlural(arg, "org") || util.IsSingularOrPlural(arg, "organization") { // handle org, orgs, and organization(s)
+		if apiKeyAuth {
+			return breverrors.NewValidationError("api key auth cannot list organizations")
+		}
 		err := ls.RunOrgs()
 		if err != nil {
 			return breverrors.WrapAndTrace(err)
@@ -232,13 +271,25 @@ func handleLsArg(ls *Ls, arg string, user *entity.User, org *entity.Organization
 		if err != nil {
 			return breverrors.WrapAndTrace(err)
 		}
-	} else if util.IsSingularOrPlural(arg, "user") && featureflag.IsAdmin(user.GlobalUserType) {
+	} else if util.IsSingularOrPlural(arg, "user") {
+		if apiKeyAuth {
+			return breverrors.NewValidationError("api key auth cannot list users")
+		}
+		if !featureflag.IsAdmin(user.GlobalUserType) {
+			return nil
+		}
 		err := ls.RunUser(showAll)
 		if err != nil {
 			return breverrors.WrapAndTrace(err)
 		}
 		return nil
-	} else if util.IsSingularOrPlural(arg, "host") && featureflag.IsAdmin(user.GlobalUserType) {
+	} else if util.IsSingularOrPlural(arg, "host") {
+		if apiKeyAuth {
+			return breverrors.NewValidationError("api key auth cannot list hosts")
+		}
+		if !featureflag.IsAdmin(user.GlobalUserType) {
+			return nil
+		}
 		err := ls.RunHosts(org)
 		if err != nil {
 			return breverrors.WrapAndTrace(err)
@@ -388,6 +439,19 @@ func (ls Ls) ShowUserWorkspaces(org *entity.Organization, otherOrgs []entity.Org
 	ls.displayWorkspacesAndHelp(org, otherOrgs, userWorkspaces, allWorkspaces, gpuLookup)
 }
 
+func (ls Ls) ShowOrgWorkspaces(org *entity.Organization, workspaces []entity.Workspace, gpuLookup map[string]string) {
+	if len(workspaces) == 0 {
+		ls.terminal.Vprint(ls.terminal.Yellow("No instances in org %s\n", org.Name))
+		return
+	}
+	ls.terminal.Vprintf("Org %s has %d instances\n", ls.terminal.Yellow(org.Name), len(workspaces))
+	displayWorkspacesTable(ls.terminal, workspaces, gpuLookup)
+
+	fmt.Print("\n")
+
+	displayLsResetBreadCrumb(ls.terminal, workspaces)
+}
+
 func (ls Ls) displayWorkspacesAndHelp(org *entity.Organization, otherOrgs []entity.Organization, userWorkspaces []entity.Workspace, allWorkspaces []entity.Workspace, gpuLookup map[string]string) {
 	if len(userWorkspaces) == 0 {
 		ls.terminal.Vprint(ls.terminal.Yellow("No instances in org %s\n", org.Name))
@@ -489,6 +553,8 @@ func (ls Ls) RunWorkspaces(org *entity.Organization, user *entity.User, showAll
 	var workspacesToShow []entity.Workspace
 	if showAll {
 		workspacesToShow = allWorkspaces
+	} else if user == nil {
+		workspacesToShow = allWorkspaces
 	} else {
 		workspacesToShow = store.FilterForUserWorkspaces(allWorkspaces, user.ID)
 	}
@@ -498,6 +564,11 @@ func (ls Ls) RunWorkspaces(org *entity.Organization, user *entity.User, showAll
 		return ls.outputWorkspacesJSON(workspacesToShow, gpuLookup, nodes)
 	}
 
+	if user == nil {
+		ls.ShowOrgWorkspaces(org, workspacesToShow, gpuLookup)
+		return nil
+	}
+
 	// Table output with colors and help text
 	orgs, err := ls.lsStore.GetOrganizations(nil)
 	if err != nil {

pkg/cmd/ls/ls_test.go

@@ -17,14 +17,27 @@ import (
 // mockLsStore implements LsStore (including the embedded hello.HelloStore) for
 // testing the ls command routing without real API calls.
 type mockLsStore struct {
-	user       *entity.User
-	org        *entity.Organization
-	orgs       []entity.Organization
-	workspaces []entity.Workspace
+	user                 *entity.User
+	org                  *entity.Organization
+	orgs                 []entity.Organization
+	workspaces           []entity.Workspace
+	accessToken          string
+	currentUserCalls     int
+	getOrganizationsCall int
+}
+
+func (m *mockLsStore) GetCurrentUser() (*entity.User, error) {
+	m.currentUserCalls++
+	return m.user, nil
+}
+
+func (m *mockLsStore) GetAccessToken() (string, error) {
+	if m.accessToken != "" {
+		return m.accessToken, nil
+	}
+	return "tok", nil
 }
 
-func (m *mockLsStore) GetCurrentUser() (*entity.User, error) { return m.user, nil }
-func (m *mockLsStore) GetAccessToken() (string, error)       { return "tok", nil }
 func (m *mockLsStore) GetWorkspace(_ string) (*entity.Workspace, error) {
 	return nil, nil
 }
@@ -33,11 +46,16 @@ func (m *mockLsStore) GetActiveOrganizationOrDefault() (*entity.Organization, er
 	return m.org, nil
 }
 
+func (m *mockLsStore) GetCachedActiveOrganizationOrNil() (*entity.Organization, error) {
+	return m.org, nil
+}
+
 func (m *mockLsStore) GetWorkspaces(_ string, _ *store.GetWorkspacesOptions) ([]entity.Workspace, error) {
 	return m.workspaces, nil
 }
 
 func (m *mockLsStore) GetOrganizations(_ *store.GetOrganizationsOptions) ([]entity.Organization, error) {
+	m.getOrganizationsCall++
 	return m.orgs, nil
 }
 
@@ -69,6 +87,49 @@ func newTestStore() *mockLsStore {
 	}
 }
 
+func TestRunLs_APIKeyJSONSkipsUserAndOrgList(t *testing.T) {
+	s := newTestStore()
+	s.accessToken = "brev_api_test-key"
+	s.workspaces = []entity.Workspace{
+		{
+			ID:              "ws1",
+			Name:            "owned-by-someone",
+			Status:          entity.Running,
+			CreatedByUserID: "other-user",
+		},
+		{
+			ID:              "ws2",
+			Name:            "owned-by-user",
+			Status:          entity.Stopped,
+			CreatedByUserID: "u1",
+		},
+	}
+	term := terminal.New()
+
+	out := captureStdout(t, func() {
+		err := RunLs(term, s, nil, "", false, true)
+		if err != nil {
+			t.Fatalf("RunLs returned error: %v", err)
+		}
+	})
+
+	var parsed struct {
+		Workspaces []WorkspaceInfo `json:"workspaces"`
+	}
+	if err := json.Unmarshal([]byte(out), &parsed); err != nil {
+		t.Fatalf("failed to parse JSON output: %v\nraw output: %s", err, out)
+	}
+	if len(parsed.Workspaces) != 2 {
+		t.Fatalf("expected API key ls to show all org workspaces, got %d", len(parsed.Workspaces))
+	}
+	if s.currentUserCalls != 0 {
+		t.Fatalf("expected no GetCurrentUser calls, got %d", s.currentUserCalls)
+	}
+	if s.getOrganizationsCall != 0 {
+		t.Fatalf("expected no GetOrganizations calls, got %d", s.getOrganizationsCall)
+	}
+}
+
 // captureStdout runs fn while capturing stdout and returns the output.
 func captureStdout(t *testing.T, fn func()) string {
 	t.Helper()
@@ -413,15 +474,15 @@ func TestHandleLsArg_Routing(t *testing.T) {
 		"workspace", "workspaces",
 	}
 	for _, arg := range successArgs {
-		if err := handleLsArg(ls, arg, s.user, s.org, false); err != nil {
+		if err := handleLsArg(ls, arg, s.user, s.org, false, false); err != nil {
 			t.Errorf("handleLsArg(%q) returned unexpected error: %v", arg, err)
 		}
 	}
 
 	// "node"/"nodes" route to RunNodes which calls the gRPC client — verify
 	// it attempts the path (error expected due to no real client).
 	for _, arg := range []string{"node", "nodes"} {
-		_ = handleLsArg(ls, arg, s.user, s.org, false)
+		_ = handleLsArg(ls, arg, s.user, s.org, false, false)
 	}
 }