-
-
Notifications
You must be signed in to change notification settings - Fork 9
Expand file tree
/
Copy pathlogin.ts
More file actions
230 lines (213 loc) · 7.08 KB
/
login.ts
File metadata and controls
230 lines (213 loc) · 7.08 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
import { isatty } from "node:tty";
import type { SentryContext } from "../../context.js";
import {
getCurrentUser,
getUserRegions,
listOrganizationsUncached,
} from "../../lib/api-client.js";
import { buildCommand, numberParser } from "../../lib/command.js";
import {
clearAuth,
getActiveEnvVarName,
isAuthenticated,
isEnvTokenActive,
setAuthToken,
} from "../../lib/db/auth.js";
import { getDbPath } from "../../lib/db/index.js";
import { getUserInfo, setUserInfo } from "../../lib/db/user.js";
import { AuthError } from "../../lib/errors.js";
import { success } from "../../lib/formatters/colors.js";
import {
formatDuration,
formatUserIdentity,
} from "../../lib/formatters/human.js";
import { CommandOutput } from "../../lib/formatters/output.js";
import type { LoginResult } from "../../lib/interactive-login.js";
import {
runInteractiveLogin,
toLoginUser,
} from "../../lib/interactive-login.js";
import { logger } from "../../lib/logger.js";
import { clearResponseCache } from "../../lib/response-cache.js";
const log = logger.withTag("auth.login");
/** Format a {@link LoginResult} for human-readable terminal output. */
function formatLoginResult(result: LoginResult): string {
const lines: string[] = [];
lines.push(
success(
`✔ ${result.method === "token" ? "Authenticated with API token" : "Authentication successful!"}`
)
);
if (result.user) {
lines.push(` Logged in as: ${formatUserIdentity(result.user)}`);
}
lines.push(` Config saved to: ${result.configPath}`);
if (result.expiresIn) {
lines.push(` Token expires in: ${formatDuration(result.expiresIn)}`);
}
lines.push(""); // trailing newline
return lines.join("\n");
}
type LoginFlags = {
readonly token?: string;
readonly timeout: number;
readonly force: boolean;
};
/**
* Handle the case where the user is already authenticated.
*
* Returns `true` if the login flow should proceed (credentials cleared),
* or `false` if the command should exit early.
*
* - Env-var auth: always blocks re-auth (user must unset the var).
* - `--force`: clears auth silently and proceeds.
* - Interactive TTY: prompts user to confirm re-authentication.
* - Non-interactive without `--force`: prints a message and blocks.
*/
async function handleExistingAuth(force: boolean): Promise<boolean> {
if (isEnvTokenActive()) {
const envVar = getActiveEnvVarName();
log.info(
`Authentication is provided via ${envVar} environment variable. ` +
`Unset ${envVar} to use OAuth-based login instead.`
);
return false;
}
if (!force) {
// Non-interactive (piped, CI): print message and block
if (!isatty(0)) {
log.info(
"You are already authenticated. Use '--force' or 'sentry auth logout' first to re-authenticate."
);
return false;
}
// Interactive TTY: prompt user to confirm re-authentication
const userInfo = getUserInfo();
const identity = userInfo ? formatUserIdentity(userInfo) : "current user";
const confirmed = await log.prompt(
`Already authenticated as ${identity}. Re-authenticate?`,
{ type: "confirm", initial: false }
);
// Symbol(clack:cancel) is truthy — strict equality check
if (confirmed !== true) {
return false;
}
}
// Clear existing credentials and caches before re-authenticating
await clearAuth();
return true;
}
export const loginCommand = buildCommand({
auth: false,
docs: {
brief: "Authenticate with Sentry",
fullDescription:
"Log in to Sentry using OAuth or an API token.\n\n" +
"The OAuth flow uses a device code - you'll be given a code to enter at a URL.\n" +
"Alternatively, use --token to authenticate with an existing API token.",
},
parameters: {
flags: {
token: {
kind: "parsed",
parse: String,
brief: "Authenticate using an API token instead of OAuth",
optional: true,
},
timeout: {
kind: "parsed",
parse: numberParser,
brief: "Timeout for OAuth flow in seconds (default: 900)",
// Stricli requires string defaults (raw CLI input); numberParser converts to number
default: "900",
},
force: {
kind: "boolean",
brief: "Re-authenticate without prompting",
default: false,
},
},
},
output: { human: formatLoginResult },
async *func(this: SentryContext, flags: LoginFlags) {
// Check if already authenticated and handle re-authentication
if (isAuthenticated()) {
const shouldProceed = await handleExistingAuth(flags.force);
if (!shouldProceed) {
return;
}
}
// Clear stale cached responses from a previous session
try {
await clearResponseCache();
} catch {
// Non-fatal: cache directory may not exist
}
// Token-based authentication
if (flags.token) {
// Save token first, then validate by fetching user regions
await setAuthToken(flags.token);
// Validate token by fetching user regions
try {
await getUserRegions();
} catch {
// Token is invalid - clear it and throw
await clearAuth();
throw new AuthError(
"invalid",
"Invalid API token. Please check your token and try again."
);
}
// Fetch and cache user info via /auth/ (works with all token types).
// A transient failure here must not block login — the token is already valid.
const result: LoginResult = {
method: "token",
configPath: getDbPath(),
};
try {
const user = await getCurrentUser();
setUserInfo({
userId: user.id,
email: user.email ?? undefined,
username: user.username ?? undefined,
name: user.name ?? undefined,
});
result.user = toLoginUser(user);
} catch {
// Non-fatal: user info is supplementary. Token remains stored and valid.
}
// Warm the org + region cache so the first real command is fast.
// Fire-and-forget — login already succeeded, caching is best-effort.
warmOrgCache();
return yield new CommandOutput(result);
}
// OAuth device flow
const result = await runInteractiveLogin({
timeout: flags.timeout * 1000,
});
if (result) {
// Warm the org + region cache so the first real command is fast.
// Fire-and-forget — login already succeeded, caching is best-effort.
warmOrgCache();
yield new CommandOutput(result);
} else {
// Error already displayed by runInteractiveLogin
process.exitCode = 1;
}
},
});
/**
* Pre-populate the org + region SQLite cache in the background.
*
* Called after successful authentication so that the first real command
* doesn't pay the cold-start cost of `getUserRegions()` + fan-out to
* each region's org list endpoint (~800ms on a typical SaaS account).
*
* Failures are silently ignored — the cache will be populated lazily
* on the next command that needs it.
*/
function warmOrgCache(): void {
listOrganizationsUncached().catch(() => {
// Best-effort: cache warming failure doesn't affect the login result
});
}