feat(auth): switch to /auth/ endpoint and add whoami command (#266)

## Summary

- Switch `getCurrentUser()` from `/users/me/` to `/auth/`, which works
with all token types (OAuth, API tokens, OAuth App tokens) and avoids
403 errors
- Remove the try-catch fallback in `--token` login — user info is now
always fetched and stored unconditionally
- Add `sentry auth whoami` (and `sentry whoami` alias): fetches live
identity from `/auth/`, supports `--json`

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: BYK

plugins/sentry-cli/skills/sentry-cli/SKILL.md

@@ -94,6 +94,13 @@ sentry auth status
 
 Print the stored authentication token
 
+#### `sentry auth whoami`
+
+Show the currently authenticated user
+
+**Flags:**
+- `--json - Output as JSON`
+
 ### Org
 
 Work with Sentry organizations
@@ -669,6 +676,17 @@ List recent traces in a project
 - `-s, --sort <value> - Sort by: date, duration - (default: "date")`
 - `--json - Output as JSON`
 
+### Whoami
+
+Show the currently authenticated user
+
+#### `sentry whoami`
+
+Show the currently authenticated user
+
+**Flags:**
+- `--json - Output as JSON`
+
 ## Output Formats
 
 ### JSON Output

src/app.ts

@@ -8,6 +8,7 @@ import {
 } from "@stricli/core";
 import { apiCommand } from "./commands/api.js";
 import { authRoute } from "./commands/auth/index.js";
+import { whoamiCommand } from "./commands/auth/whoami.js";
 import { cliRoute } from "./commands/cli/index.js";
 import { eventRoute } from "./commands/event/index.js";
 import { helpCommand } from "./commands/help.js";
@@ -56,6 +57,7 @@ export const routes = buildRouteMap({
     teams: teamListCommand,
     logs: logListCommand,
     traces: traceListCommand,
+    whoami: whoamiCommand,
   },
   defaultCommand: "help",
   docs: {

src/commands/auth/index.ts

@@ -4,6 +4,7 @@ import { logoutCommand } from "./logout.js";
 import { refreshCommand } from "./refresh.js";
 import { statusCommand } from "./status.js";
 import { tokenCommand } from "./token.js";
+import { whoamiCommand } from "./whoami.js";
 
 export const authRoute = buildRouteMap({
   routes: {
@@ -12,13 +13,15 @@ export const authRoute = buildRouteMap({
     refresh: refreshCommand,
     status: statusCommand,
     token: tokenCommand,
+    whoami: whoamiCommand,
   },
   docs: {
     brief: "Authenticate with Sentry",
     fullDescription:
       "Manage authentication with Sentry. Use 'sentry auth login' to authenticate, " +
       "'sentry auth logout' to remove credentials, 'sentry auth refresh' to manually refresh your token, " +
       "'sentry auth status' to check your authentication status, " +
+      "'sentry auth whoami' to show your current user identity, " +
       "and 'sentry auth token' to print your token for use in scripts.",
   },
 });

src/commands/auth/login.ts

@@ -67,7 +67,8 @@ export const loginCommand = buildCommand({
         );
       }
 
-      // Try to get user info (works with API tokens, may not work with OAuth App tokens)
+      // Fetch and cache user info via /auth/ (works with all token types).
+      // A transient failure here must not block login — the token is already valid.
       let user: Awaited<ReturnType<typeof getCurrentUser>> | undefined;
       try {
         user = await getCurrentUser();
@@ -78,7 +79,7 @@ export const loginCommand = buildCommand({
           name: user.name,
         });
       } catch {
-        // Ignore - user info is optional, token may not have permission
+        // Non-fatal: user info is supplementary. Token remains stored and valid.
       }
 
       stdout.write(`${success("✓")} Authenticated with API token\n`);

src/commands/auth/whoami.ts

@@ -0,0 +1,72 @@
+/**
+ * sentry auth whoami
+ *
+ * Display the currently authenticated user's identity by fetching live from
+ * the /auth/ endpoint. Unlike `sentry auth status`, this command only shows
+ * who you are — no token details, no defaults, no org verification.
+ */
+
+import type { SentryContext } from "../../context.js";
+import { getCurrentUser } from "../../lib/api-client.js";
+import { buildCommand } from "../../lib/command.js";
+import { isAuthenticated } from "../../lib/db/auth.js";
+import { setUserInfo } from "../../lib/db/user.js";
+import { AuthError } from "../../lib/errors.js";
+import { formatUserIdentity, writeJson } from "../../lib/formatters/index.js";
+
+type WhoamiFlags = {
+  readonly json: boolean;
+};
+
+export const whoamiCommand = buildCommand({
+  docs: {
+    brief: "Show the currently authenticated user",
+    fullDescription:
+      "Fetch and display the identity of the currently authenticated user.\n\n" +
+      "This calls the Sentry API live (not cached) so the result always reflects " +
+      "the current token. Works with all token types: OAuth, API tokens, and OAuth App tokens.",
+  },
+  parameters: {
+    flags: {
+      json: {
+        kind: "boolean",
+        brief: "Output as JSON",
+        default: false,
+      },
+    },
+  },
+  async func(this: SentryContext, flags: WhoamiFlags): Promise<void> {
+    const { stdout } = this;
+
+    if (!(await isAuthenticated())) {
+      throw new AuthError("not_authenticated");
+    }
+
+    const user = await getCurrentUser();
+
+    // Keep cached user info up to date. Non-fatal: display must succeed even
+    // if the DB write fails (read-only filesystem, corrupted database, etc.).
+    try {
+      setUserInfo({
+        userId: user.id,
+        email: user.email,
+        username: user.username,
+        name: user.name,
+      });
+    } catch {
+      // Cache update failure is non-essential — user identity was already fetched.
+    }
+
+    if (flags.json) {
+      writeJson(stdout, {
+        id: user.id,
+        name: user.name ?? null,
+        username: user.username ?? null,
+        email: user.email ?? null,
+      });
+      return;
+    }
+
+    stdout.write(`${formatUserIdentity(user)}\n`);
+  },
+});

src/lib/api-client.ts

@@ -305,9 +305,23 @@ export async function apiRequestToRegion<T>(
   }
 
   const data = await response.json();
-  const validated = schema ? schema.parse(data) : (data as T);
 
-  return { data: validated, headers: response.headers };
+  if (schema) {
+    const result = schema.safeParse(data);
+    if (!result.success) {
+      // Treat schema validation failures as API errors so they surface cleanly
+      // through the central error handler rather than showing a raw ZodError
+      // stack trace. This guards against unexpected API response format changes.
+      throw new ApiError(
+        `Unexpected response format from ${endpoint}`,
+        response.status,
+        result.error.message
+      );
+    }
+    return { data: result.data, headers: response.headers };
+  }
+
+  return { data: data as T, headers: response.headers };
 }
 
 /**
@@ -1357,12 +1371,15 @@ export async function triggerSolutionPlanning(
 
 /**
  * Get the currently authenticated user's information.
- * Uses the /users/me/ endpoint on the control silo.
+ *
+ * Uses the `/auth/` endpoint on the control silo, which works with all token
+ * types (OAuth, API tokens, OAuth App tokens). Unlike `/users/me/`, this
+ * endpoint does not return 403 for OAuth tokens.
  */
 export async function getCurrentUser(): Promise<SentryUser> {
   const { data } = await apiRequestToRegion<SentryUser>(
     getControlSiloUrl(),
-    "/users/me/",
+    "/auth/",
     { schema: SentryUserSchema }
   );
   return data;

test/commands/auth/login.test.ts

@@ -0,0 +1,189 @@
+/**
+ * Login Command Tests
+ *
+ * Unit tests for the --token authentication path in src/commands/auth/login.ts.
+ * Uses spyOn to mock api-client, db/auth, db/user, and interactive-login
+ * to cover all branches without real HTTP calls or database access.
+ */
+
+import {
+  afterEach,
+  beforeEach,
+  describe,
+  expect,
+  mock,
+  spyOn,
+  test,
+} from "bun:test";
+import { loginCommand } from "../../../src/commands/auth/login.js";
+// biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
+import * as apiClient from "../../../src/lib/api-client.js";
+// biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
+import * as dbAuth from "../../../src/lib/db/auth.js";
+// biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
+import * as dbUser from "../../../src/lib/db/user.js";
+import { AuthError } from "../../../src/lib/errors.js";
+// biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
+import * as interactiveLogin from "../../../src/lib/interactive-login.js";
+
+type LoginFlags = { readonly token?: string; readonly timeout: number };
+
+/** Command function type extracted from loader result */
+type LoginFunc = (this: unknown, flags: LoginFlags) => Promise<void>;
+
+const SAMPLE_USER = {
+  id: "42",
+  name: "Jane Doe",
+  username: "janedoe",
+  email: "jane@example.com",
+};
+
+function createContext() {
+  const stdoutLines: string[] = [];
+  const stderrLines: string[] = [];
+  const context = {
+    stdout: {
+      write: mock((s: string) => {
+        stdoutLines.push(s);
+      }),
+    },
+    stderr: {
+      write: mock((s: string) => {
+        stderrLines.push(s);
+      }),
+    },
+    cwd: "/tmp",
+    setContext: mock((_k: string, _v: unknown) => {
+      /* no-op */
+    }),
+  };
+  const getStdout = () => stdoutLines.join("");
+  return { context, getStdout };
+}
+
+describe("loginCommand.func --token path", () => {
+  let isAuthenticatedSpy: ReturnType<typeof spyOn>;
+  let setAuthTokenSpy: ReturnType<typeof spyOn>;
+  let getUserRegionsSpy: ReturnType<typeof spyOn>;
+  let clearAuthSpy: ReturnType<typeof spyOn>;
+  let getCurrentUserSpy: ReturnType<typeof spyOn>;
+  let setUserInfoSpy: ReturnType<typeof spyOn>;
+  let runInteractiveLoginSpy: ReturnType<typeof spyOn>;
+  let func: LoginFunc;
+
+  beforeEach(async () => {
+    isAuthenticatedSpy = spyOn(dbAuth, "isAuthenticated");
+    setAuthTokenSpy = spyOn(dbAuth, "setAuthToken");
+    getUserRegionsSpy = spyOn(apiClient, "getUserRegions");
+    clearAuthSpy = spyOn(dbAuth, "clearAuth");
+    getCurrentUserSpy = spyOn(apiClient, "getCurrentUser");
+    setUserInfoSpy = spyOn(dbUser, "setUserInfo");
+    runInteractiveLoginSpy = spyOn(interactiveLogin, "runInteractiveLogin");
+    func = (await loginCommand.loader()) as unknown as LoginFunc;
+  });
+
+  afterEach(() => {
+    isAuthenticatedSpy.mockRestore();
+    setAuthTokenSpy.mockRestore();
+    getUserRegionsSpy.mockRestore();
+    clearAuthSpy.mockRestore();
+    getCurrentUserSpy.mockRestore();
+    setUserInfoSpy.mockRestore();
+    runInteractiveLoginSpy.mockRestore();
+  });
+
+  test("already authenticated: prints message and returns early", async () => {
+    isAuthenticatedSpy.mockResolvedValue(true);
+
+    const { context, getStdout } = createContext();
+    await func.call(context, { timeout: 900 });
+
+    expect(getStdout()).toContain("already authenticated");
+    expect(setAuthTokenSpy).not.toHaveBeenCalled();
+    expect(getCurrentUserSpy).not.toHaveBeenCalled();
+  });
+
+  test("--token: stores token, fetches user, writes success", async () => {
+    isAuthenticatedSpy.mockResolvedValue(false);
+    setAuthTokenSpy.mockResolvedValue(undefined);
+    getUserRegionsSpy.mockResolvedValue([]);
+    getCurrentUserSpy.mockResolvedValue(SAMPLE_USER);
+    setUserInfoSpy.mockReturnValue(undefined);
+
+    const { context, getStdout } = createContext();
+    await func.call(context, { token: "my-token", timeout: 900 });
+
+    expect(setAuthTokenSpy).toHaveBeenCalledWith("my-token");
+    expect(getCurrentUserSpy).toHaveBeenCalled();
+    expect(setUserInfoSpy).toHaveBeenCalledWith({
+      userId: "42",
+      name: "Jane Doe",
+      username: "janedoe",
+      email: "jane@example.com",
+    });
+    const out = getStdout();
+    expect(out).toContain("Authenticated");
+    expect(out).toContain("Jane Doe");
+  });
+
+  test("--token: invalid token clears auth and throws AuthError", async () => {
+    isAuthenticatedSpy.mockResolvedValue(false);
+    setAuthTokenSpy.mockResolvedValue(undefined);
+    getUserRegionsSpy.mockRejectedValue(new Error("401 Unauthorized"));
+    clearAuthSpy.mockResolvedValue(undefined);
+
+    const { context } = createContext();
+
+    await expect(
+      func.call(context, { token: "bad-token", timeout: 900 })
+    ).rejects.toBeInstanceOf(AuthError);
+
+    expect(clearAuthSpy).toHaveBeenCalled();
+    expect(getCurrentUserSpy).not.toHaveBeenCalled();
+  });
+
+  test("--token: shows 'Logged in as' when user info fetch succeeds", async () => {
+    isAuthenticatedSpy.mockResolvedValue(false);
+    setAuthTokenSpy.mockResolvedValue(undefined);
+    getUserRegionsSpy.mockResolvedValue([]);
+    getCurrentUserSpy.mockResolvedValue({ id: "5", email: "only@email.com" });
+    setUserInfoSpy.mockReturnValue(undefined);
+
+    const { context, getStdout } = createContext();
+    await func.call(context, { token: "valid-token", timeout: 900 });
+
+    expect(getStdout()).toContain("Logged in as");
+    expect(getStdout()).toContain("only@email.com");
+  });
+
+  test("--token: login succeeds even when getCurrentUser() fails transiently", async () => {
+    isAuthenticatedSpy.mockResolvedValue(false);
+    setAuthTokenSpy.mockResolvedValue(undefined);
+    getUserRegionsSpy.mockResolvedValue([]);
+    getCurrentUserSpy.mockRejectedValue(new Error("Network error"));
+
+    const { context, getStdout } = createContext();
+
+    // Must not throw — login should succeed with the stored token
+    await func.call(context, { token: "valid-token", timeout: 900 });
+
+    const out = getStdout();
+    expect(out).toContain("Authenticated");
+    // 'Logged in as' is omitted when user info is unavailable
+    expect(out).not.toContain("Logged in as");
+    // Token was stored and not cleared
+    expect(clearAuthSpy).not.toHaveBeenCalled();
+    expect(setUserInfoSpy).not.toHaveBeenCalled();
+  });
+
+  test("no token: falls through to interactive login", async () => {
+    isAuthenticatedSpy.mockResolvedValue(false);
+    runInteractiveLoginSpy.mockResolvedValue(true);
+
+    const { context } = createContext();
+    await func.call(context, { timeout: 900 });
+
+    expect(runInteractiveLoginSpy).toHaveBeenCalled();
+    expect(setAuthTokenSpy).not.toHaveBeenCalled();
+  });
+});