feat: add login and logout command

Author: alerizzo

README.md

@@ -22,13 +22,21 @@ npm link
 
 ## Authentication
 
-Set your Codacy API token as an environment variable:
+Log in interactively (recommended):
+
+```bash
+codacy login
+```
+
+Or set the `CODACY_API_TOKEN` environment variable:
 
 ```bash
 export CODACY_API_TOKEN=your-token-here
 ```
 
-You can get a token from **Codacy > My Account > Access Management > Account API Tokens**.
+You can get a token from **Codacy > My Account > Access Management > API Tokens** ([link](https://app.codacy.com/account/access-management)).
+
+The `login` command stores the token encrypted at `~/.codacy/credentials`. The environment variable takes precedence over stored credentials when both are present.
 
 ## Usage
 
@@ -49,6 +57,8 @@ codacy <command> --help   # Detailed usage for any command
 
 | Command | Description |
 |---|---|
+| `login` | Authenticate with Codacy by storing your API token |
+| `logout` | Remove stored Codacy API token |
 | `info` | Show authenticated user info and their organizations |
 | `repositories <provider> <org>` | List repositories for an organization |
 | `repository <provider> <org> <repo>` | Show metrics for a repository, or add/remove/follow/unfollow/reanalyze it |

SPECS/README.md

@@ -26,6 +26,8 @@ _No pending tasks._ All commands implemented.
 | `pattern` | `pat` | ✅ Done | [tools-and-patterns.md](commands/tools-and-patterns.md) |
 | `analysis` | N/A | ✅ Done | [analysis.md](commands/analysis.md) |
 | `json-output` | N/A | ✅ Done | [json-output.md](commands/json-output.md) |
+| `login` | N/A | ✅ Done | — |
+| `logout` | N/A | ✅ Done | — |
 
 
 ## Other Specs
@@ -62,3 +64,4 @@ _No pending tasks._ All commands implemented.
 | 2026-03-05 | Analysis status in `repository` and `pull-request` About sections using `formatAnalysisStatus()`; `--reanalyze` option for both commands (13 new tests, 185 total) |
 | 2026-03-05 | JSON output filtering with `pickDeep` across all commands: `info`, `repositories`, `repository`, `pull-request`, `issues`, `issue`, `findings`, `finding`, `tools`, `patterns`; documented pattern in `src/commands/CLAUDE.md` |
 | 2026-03-12 | `patterns --enable-all` / `--disable-all` bulk update with filter support (6 new tests, 196 total) |
+| 2026-03-12 | `login` and `logout` commands: encrypted token storage in `~/.codacy/credentials`, masked interactive prompt, `--token` flag for non-interactive use, token resolution chain (env var → stored credentials); `checkApiToken()` updated to set `OpenAPI.HEADERS` dynamically (9 new tests, 219 total) |

src/commands/login.test.ts

@@ -0,0 +1,113 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { Command } from "commander";
+import { registerLoginCommand } from "./login";
+import { AccountService } from "../api/client/services/AccountService";
+
+vi.mock("../api/client/services/AccountService");
+vi.mock("../utils/credentials", () => ({
+  saveCredentials: vi.fn(),
+  getCredentialsPath: vi.fn(() => "/home/test/.codacy/credentials"),
+  promptForToken: vi.fn(),
+}));
+
+vi.spyOn(console, "log").mockImplementation(() => {});
+vi.spyOn(console, "error").mockImplementation(() => {});
+
+import { saveCredentials, promptForToken } from "../utils/credentials";
+
+function createProgram(): Command {
+  const program = new Command();
+  program.exitOverride();
+  registerLoginCommand(program);
+  return program;
+}
+
+const mockUser = {
+  name: "Test User",
+  mainEmail: "test@example.com",
+  otherEmails: [],
+  isAdmin: false,
+  isActive: true,
+};
+
+describe("login command", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("should validate and store token via --token flag", async () => {
+    vi.mocked(AccountService.getUser).mockResolvedValue({ data: mockUser });
+
+    const program = createProgram();
+    await program.parseAsync(["node", "test", "login", "--token", "my-token"]);
+
+    expect(AccountService.getUser).toHaveBeenCalledOnce();
+    expect(saveCredentials).toHaveBeenCalledWith("my-token");
+    expect(console.log).toHaveBeenCalledWith(
+      expect.stringContaining("Token stored at"),
+    );
+  });
+
+  it("should show error on invalid token (401)", async () => {
+    const apiError = new Error("Unauthorized");
+    (apiError as any).status = 401;
+    vi.mocked(AccountService.getUser).mockRejectedValue(apiError);
+
+    const mockExit = vi.spyOn(process, "exit").mockImplementation(() => {
+      throw new Error("process.exit called");
+    });
+
+    const program = createProgram();
+    await expect(
+      program.parseAsync(["node", "test", "login", "--token", "bad-token"]),
+    ).rejects.toThrow("process.exit called");
+
+    expect(saveCredentials).not.toHaveBeenCalled();
+    mockExit.mockRestore();
+  });
+
+  it("should show network error when API is unreachable", async () => {
+    vi.mocked(AccountService.getUser).mockRejectedValue(
+      new Error("fetch failed"),
+    );
+
+    const mockExit = vi.spyOn(process, "exit").mockImplementation(() => {
+      throw new Error("process.exit called");
+    });
+
+    const program = createProgram();
+    await expect(
+      program.parseAsync(["node", "test", "login", "--token", "some-token"]),
+    ).rejects.toThrow("process.exit called");
+
+    expect(saveCredentials).not.toHaveBeenCalled();
+    mockExit.mockRestore();
+  });
+
+  it("should use interactive prompt when no --token flag", async () => {
+    vi.mocked(promptForToken).mockResolvedValue("prompted-token");
+    vi.mocked(AccountService.getUser).mockResolvedValue({ data: mockUser });
+
+    const program = createProgram();
+    await program.parseAsync(["node", "test", "login"]);
+
+    expect(promptForToken).toHaveBeenCalledWith("API Token: ");
+    expect(saveCredentials).toHaveBeenCalledWith("prompted-token");
+  });
+
+  it("should reject empty token from interactive prompt", async () => {
+    vi.mocked(promptForToken).mockResolvedValue("   ");
+
+    const mockExit = vi.spyOn(process, "exit").mockImplementation(() => {
+      throw new Error("process.exit called");
+    });
+
+    const program = createProgram();
+    await expect(
+      program.parseAsync(["node", "test", "login"]),
+    ).rejects.toThrow("process.exit called");
+
+    expect(saveCredentials).not.toHaveBeenCalled();
+    mockExit.mockRestore();
+  });
+});

src/commands/login.ts

@@ -0,0 +1,86 @@
+import { Command } from "commander";
+import ansis from "ansis";
+import ora from "ora";
+import { OpenAPI } from "../api/client/core/OpenAPI";
+import { AccountService } from "../api/client/services/AccountService";
+import { handleError } from "../utils/error";
+import {
+  saveCredentials,
+  getCredentialsPath,
+  promptForToken,
+} from "../utils/credentials";
+
+export function registerLoginCommand(program: Command) {
+  program
+    .command("login")
+    .description("Authenticate with Codacy by storing your API token")
+    .option("-t, --token <token>", "API token (skips interactive prompt)")
+    .addHelpText(
+      "after",
+      `
+Examples:
+  $ codacy login
+  $ codacy login --token <your-api-token>
+
+Get your token at: https://app.codacy.com/account/access-management
+  My Account > Access Management > API Tokens`,
+    )
+    .action(async (options) => {
+      try {
+        let token: string;
+
+        if (options.token) {
+          token = options.token;
+        } else {
+          console.log(ansis.bold("\nCodacy Login\n"));
+          console.log("You need an Account API Token to authenticate.");
+          console.log(
+            `Get one at: ${ansis.cyan("https://app.codacy.com/account/access-management")}`,
+          );
+          console.log(
+            ansis.dim("  My Account > Access Management > API Tokens\n"),
+          );
+
+          token = await promptForToken("API Token: ");
+
+          if (!token.trim()) {
+            console.error(ansis.red("Error: Token cannot be empty."));
+            process.exit(1);
+          }
+
+          token = token.trim();
+        }
+
+        const spinner = ora("Validating token...").start();
+
+        OpenAPI.HEADERS = {
+          "api-token": token,
+          "X-Codacy-Origin": "cli-cloud-tool",
+        };
+
+        let userName: string;
+        let userEmail: string;
+        try {
+          const response = await AccountService.getUser();
+          userName = response.data.name || "Unknown";
+          userEmail = response.data.mainEmail;
+        } catch (apiErr: any) {
+          spinner.fail("Authentication failed.");
+          if (apiErr?.status === 401) {
+            throw new Error(
+              "Invalid API token. Check that it is correct and not expired.",
+            );
+          }
+          throw new Error(
+            "Could not reach the Codacy API. Check your network connection.",
+          );
+        }
+
+        saveCredentials(token);
+        spinner.succeed(`Logged in as ${ansis.bold(userName)} (${userEmail})`);
+        console.log(ansis.dim(`  Token stored at ${getCredentialsPath()}`));
+      } catch (err) {
+        handleError(err);
+      }
+    });
+}

src/commands/logout.test.ts

@@ -0,0 +1,46 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { Command } from "commander";
+import { registerLogoutCommand } from "./logout";
+
+vi.mock("../utils/credentials", () => ({
+  deleteCredentials: vi.fn(),
+  getCredentialsPath: vi.fn(() => "/home/test/.codacy/credentials"),
+}));
+
+vi.spyOn(console, "log").mockImplementation(() => {});
+
+import { deleteCredentials } from "../utils/credentials";
+
+function createProgram(): Command {
+  const program = new Command();
+  registerLogoutCommand(program);
+  return program;
+}
+
+describe("logout command", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("should delete credentials and show confirmation", async () => {
+    vi.mocked(deleteCredentials).mockReturnValue(true);
+
+    const program = createProgram();
+    await program.parseAsync(["node", "test", "logout"]);
+
+    expect(deleteCredentials).toHaveBeenCalledOnce();
+    expect(console.log).toHaveBeenCalledWith(
+      expect.stringContaining("Logged out"),
+    );
+  });
+
+  it("should show message when no credentials exist", async () => {
+    vi.mocked(deleteCredentials).mockReturnValue(false);
+
+    const program = createProgram();
+    await program.parseAsync(["node", "test", "logout"]);
+
+    expect(deleteCredentials).toHaveBeenCalledOnce();
+    expect(console.log).toHaveBeenCalledWith("No stored credentials found.");
+  });
+});

src/commands/logout.ts

@@ -0,0 +1,34 @@
+import { Command } from "commander";
+import ansis from "ansis";
+import {
+  deleteCredentials,
+  getCredentialsPath,
+} from "../utils/credentials";
+import { handleError } from "../utils/error";
+
+export function registerLogoutCommand(program: Command) {
+  program
+    .command("logout")
+    .description("Remove stored Codacy API token")
+    .addHelpText(
+      "after",
+      `
+Examples:
+  $ codacy logout`,
+    )
+    .action(() => {
+      try {
+        const deleted = deleteCredentials();
+        if (deleted) {
+          console.log(
+            ansis.green("Logged out.") +
+              ansis.dim(` Removed ${getCredentialsPath()}`),
+          );
+        } else {
+          console.log("No stored credentials found.");
+        }
+      } catch (err) {
+        handleError(err);
+      }
+    });
+}

src/index.ts

@@ -13,6 +13,8 @@ import { registerToolsCommand } from "./commands/tools";
 import { registerToolCommand } from "./commands/tool";
 import { registerPatternsCommand } from "./commands/patterns";
 import { registerPatternCommand } from "./commands/pattern";
+import { registerLoginCommand } from "./commands/login";
+import { registerLogoutCommand } from "./commands/logout";
 
 const program = new Command();
 
@@ -40,5 +42,7 @@ registerToolsCommand(program);
 registerToolCommand(program);
 registerPatternsCommand(program);
 registerPatternCommand(program);
+registerLoginCommand(program);
+registerLogoutCommand(program);
 
 program.parse(process.argv);

src/utils/auth.test.ts

@@ -1,19 +1,38 @@
-import { describe, it, expect, beforeEach } from "vitest";
+import { describe, it, expect, beforeEach, vi } from "vitest";
 import { checkApiToken } from "./auth";
 
+vi.mock("./credentials", () => ({
+  loadCredentials: vi.fn(() => null),
+}));
+
+import { loadCredentials } from "./credentials";
+
 describe("checkApiToken", () => {
   beforeEach(() => {
     delete process.env.CODACY_API_TOKEN;
+    vi.mocked(loadCredentials).mockReturnValue(null);
   });
 
-  it("should return the token when set", () => {
+  it("should return the token when CODACY_API_TOKEN is set", () => {
     process.env.CODACY_API_TOKEN = "my-token";
     expect(checkApiToken()).toBe("my-token");
   });
 
-  it("should throw when CODACY_API_TOKEN is not set", () => {
+  it("should prefer env var over stored credentials", () => {
+    process.env.CODACY_API_TOKEN = "env-token";
+    vi.mocked(loadCredentials).mockReturnValue("stored-token");
+    expect(checkApiToken()).toBe("env-token");
+    expect(loadCredentials).not.toHaveBeenCalled();
+  });
+
+  it("should fall back to stored credentials when env var is not set", () => {
+    vi.mocked(loadCredentials).mockReturnValue("stored-token");
+    expect(checkApiToken()).toBe("stored-token");
+  });
+
+  it("should throw when no env var and no stored credentials", () => {
     expect(() => checkApiToken()).toThrow(
-      "CODACY_API_TOKEN environment variable is not set"
+      "No API token found. Set CODACY_API_TOKEN or run 'codacy login'.",
     );
   });
 });