feat(auth): auto-trigger login flow when authentication required (#170)

## Summary

When a command requires authentication but the user isn't logged in,
automatically start the OAuth device flow instead of showing an error.
After successful login, the original command retries automatically.

Only triggers in interactive TTY environments - non-TTY sessions (CI,
scripts, piped input) continue showing the error message as before.

## Changes

- Extract device flow UI logic into `src/lib/interactive-login.ts` for
reuse
- Refactor `auth login` command to use the shared helper
- Add `executeWithAutoAuth()` wrapper in `bin.ts` that catches
`AuthError("not_authenticated")` and triggers login

## Test Plan

1. Log out: `sentry auth logout`
2. Run a command that requires auth: `sentry issue list`
3. Should see "Authentication required. Starting login flow..." and the
OAuth device flow starts
4. Complete login in browser
5. Original command should automatically retry and succeed

**Non-TTY test:**
```bash
echo "" | sentry issue list
# Should show: "Error: Not authenticated. Run 'sentry auth login' first."
```

Author: betegon

src/app.ts

@@ -16,7 +16,7 @@ import { logRoute } from "./commands/log/index.js";
 import { orgRoute } from "./commands/org/index.js";
 import { projectRoute } from "./commands/project/index.js";
 import { CLI_VERSION } from "./lib/constants.js";
-import { CliError, getExitCode } from "./lib/errors.js";
+import { AuthError, CliError, getExitCode } from "./lib/errors.js";
 import { error as errorColor } from "./lib/formatters/colors.js";
 
 /** Top-level route map containing all CLI commands */
@@ -44,13 +44,20 @@ export const routes = buildRouteMap({
 /**
  * Custom error formatting for CLI errors.
  *
- * - CliError subclasses: Show clean user-friendly message without stack trace
+ * - AuthError (not_authenticated): Re-thrown to allow auto-login flow in bin.ts
+ * - Other CliError subclasses: Show clean user-friendly message without stack trace
  * - Other errors: Show stack trace for debugging unexpected issues
  */
 const customText: ApplicationText = {
   ...text_en,
   exceptionWhileRunningCommand: (exc: unknown, ansiColor: boolean): string => {
-    // Report all command errors to Sentry. Stricli catches exceptions and doesn't
+    // Re-throw AuthError("not_authenticated") for auto-login flow in bin.ts
+    // Don't capture to Sentry - it's an expected state (user not logged in), not an error
+    if (exc instanceof AuthError && exc.reason === "not_authenticated") {
+      throw exc;
+    }
+
+    // Report command errors to Sentry. Stricli catches exceptions and doesn't
     // re-throw, so we must capture here to get visibility into command failures.
     Sentry.captureException(exc);
 

src/bin.ts

@@ -1,8 +1,10 @@
+import { isatty } from "node:tty";
 import { run } from "@stricli/core";
 import { app } from "./app.js";
 import { buildContext } from "./context.js";
-import { formatError, getExitCode } from "./lib/errors.js";
+import { AuthError, formatError, getExitCode } from "./lib/errors.js";
 import { error } from "./lib/formatters/colors.js";
+import { runInteractiveLogin } from "./lib/interactive-login.js";
 import { withTelemetry } from "./lib/telemetry.js";
 import {
   abortPendingVersionCheck,
@@ -11,6 +13,61 @@ import {
   shouldSuppressNotification,
 } from "./lib/version-check.js";
 
+/** Run CLI command with telemetry wrapper */
+async function runCommand(args: string[]): Promise<void> {
+  await withTelemetry(async (span) =>
+    run(app, args, buildContext(process, span))
+  );
+}
+
+/**
+ * Execute command with automatic authentication.
+ *
+ * If the command fails due to missing authentication and we're in a TTY,
+ * automatically run the interactive login flow and retry the command.
+ *
+ * @throws Re-throws any non-authentication errors from the command
+ */
+async function executeWithAutoAuth(args: string[]): Promise<void> {
+  try {
+    await runCommand(args);
+  } catch (err) {
+    // Auto-login for auth errors in interactive TTY environments
+    // Use isatty(0) for reliable stdin TTY detection (process.stdin.isTTY can be undefined in Bun)
+    // Errors can opt-out via skipAutoAuth (e.g., auth status command)
+    if (
+      err instanceof AuthError &&
+      err.reason === "not_authenticated" &&
+      !err.skipAutoAuth &&
+      isatty(0)
+    ) {
+      process.stderr.write(
+        "Authentication required. Starting login flow...\n\n"
+      );
+
+      const loginSuccess = await runInteractiveLogin(
+        process.stdout,
+        process.stderr,
+        process.stdin
+      );
+
+      if (loginSuccess) {
+        process.stderr.write("\nRetrying command...\n\n");
+        await runCommand(args);
+        return;
+      }
+
+      // Login failed or was cancelled - set exit code and return
+      // (don't call process.exit() directly to allow finally blocks to run)
+      process.exitCode = 1;
+      return;
+    }
+
+    // Re-throw non-auth errors to be handled by main
+    throw err;
+  }
+}
+
 async function main(): Promise<void> {
   const args = process.argv.slice(2);
   const suppressNotification = shouldSuppressNotification(args);
@@ -21,12 +78,11 @@ async function main(): Promise<void> {
   }
 
   try {
-    await withTelemetry(async (span) =>
-      run(app, args, buildContext(process, span))
-    );
+    await executeWithAutoAuth(args);
   } catch (err) {
     process.stderr.write(`${error("Error:")} ${formatError(err)}\n`);
-    process.exit(getExitCode(err));
+    process.exitCode = getExitCode(err);
+    return;
   } finally {
     // Abort any pending version check to allow clean exit
     abortPendingVersionCheck();

src/commands/auth/login.ts

@@ -3,19 +3,13 @@ import * as Sentry from "@sentry/bun";
 import { buildCommand, numberParser } from "@stricli/core";
 import type { SentryContext } from "../../context.js";
 import { getCurrentUser } from "../../lib/api-client.js";
-import { openBrowser } from "../../lib/browser.js";
-import { setupCopyKeyListener } from "../../lib/clipboard.js";
 import { clearAuth, isAuthenticated, setAuthToken } from "../../lib/db/auth.js";
 import { getDbPath } from "../../lib/db/index.js";
 import { setUserInfo } from "../../lib/db/user.js";
 import { AuthError } from "../../lib/errors.js";
 import { muted, success } from "../../lib/formatters/colors.js";
-import {
-  formatDuration,
-  formatUserIdentity,
-} from "../../lib/formatters/human.js";
-import { completeOAuthFlow, performDeviceFlow } from "../../lib/oauth.js";
-import { generateQRCode } from "../../lib/qrcode.js";
+import { formatUserIdentity } from "../../lib/formatters/human.js";
+import { runInteractiveLogin } from "../../lib/interactive-login.js";
 import type { SentryUser } from "../../types/index.js";
 
 type LoginFlags = {
@@ -49,7 +43,7 @@ export const loginCommand = buildCommand({
     },
   },
   async func(this: SentryContext, flags: LoginFlags): Promise<void> {
-    const { stdout } = this;
+    const { stdout, stderr } = this;
 
     // Check if already authenticated
     if (await isAuthenticated()) {
@@ -97,93 +91,18 @@ export const loginCommand = buildCommand({
     }
 
     // Device Flow OAuth
-    stdout.write("Starting authentication...\n\n");
-
-    let urlToCopy = "";
-    // Object wrapper needed for TypeScript control flow analysis with async callbacks
-    const keyListener = { cleanup: null as (() => void) | null };
-    const stdin = process.stdin;
-
-    try {
-      const tokenResponse = await performDeviceFlow(
-        {
-          onUserCode: async (
-            userCode,
-            verificationUri,
-            verificationUriComplete
-          ) => {
-            urlToCopy = verificationUriComplete;
-
-            // Try to open browser (best effort)
-            const browserOpened = await openBrowser(verificationUriComplete);
-
-            if (browserOpened) {
-              stdout.write("Opening in browser...\n\n");
-            } else {
-              // Show QR code as fallback when browser can't open
-              stdout.write("Scan this QR code or visit the URL below:\n\n");
-              const qr = await generateQRCode(verificationUriComplete);
-              stdout.write(qr);
-              stdout.write("\n");
-            }
-
-            stdout.write(`URL: ${verificationUri}\n`);
-            stdout.write(`Code: ${userCode}\n\n`);
-            const copyHint = stdin.isTTY ? ` ${muted("(c to copy)")}` : "";
-            stdout.write(
-              `Browser didn't open? Use the url above to sign in${copyHint}\n\n`
-            );
-            stdout.write("Waiting for authorization...\n");
-
-            // Setup keyboard listener for 'c' to copy URL
-            keyListener.cleanup = setupCopyKeyListener(
-              stdin,
-              () => urlToCopy,
-              stdout
-            );
-          },
-          onPolling: () => {
-            stdout.write(".");
-          },
-        },
-        flags.timeout * 1000
-      );
-
-      // Clear the polling dots
-      stdout.write("\n");
-
-      // Store the token
-      await completeOAuthFlow(tokenResponse);
-
-      // Store user info from token response for telemetry and display
-      const user = tokenResponse.user;
-      if (user) {
-        try {
-          setUserInfo({
-            userId: user.id,
-            email: user.email,
-            name: user.name,
-          });
-        } catch (error) {
-          // Report to Sentry but don't block auth - user info is not critical
-          Sentry.captureException(error);
-        }
+    const loginSuccess = await runInteractiveLogin(
+      stdout,
+      stderr,
+      process.stdin,
+      {
+        timeout: flags.timeout * 1000,
       }
+    );
 
-      stdout.write(`${success("✓")} Authentication successful!\n`);
-      if (user) {
-        stdout.write(`  Logged in as: ${muted(formatUserIdentity(user))}\n`);
-      }
-      stdout.write(`  Config saved to: ${getDbPath()}\n`);
-
-      if (tokenResponse.expires_in) {
-        stdout.write(
-          `  Token expires in: ${formatDuration(tokenResponse.expires_in)}\n`
-        );
-      }
-    } finally {
-      // Always cleanup keyboard listener
-      keyListener.cleanup?.();
+    if (!loginSuccess) {
+      // Error already displayed by runInteractiveLogin - just set exit code
+      process.exitCode = 1;
     }
   },
 });

src/commands/auth/status.ts

@@ -142,7 +142,10 @@ export const statusCommand = buildCommand({
     stdout.write(`Config: ${getDbPath()}\n`);
 
     if (!authenticated) {
-      throw new AuthError("not_authenticated");
+      // Skip auto-login - user explicitly ran status to check auth state
+      throw new AuthError("not_authenticated", undefined, {
+        skipAutoAuth: true,
+      });
     }
 
     stdout.write(`Status: Authenticated ${success("✓")}\n`);

src/lib/errors.ts

@@ -70,16 +70,29 @@ export class ApiError extends CliError {
 
 export type AuthErrorReason = "not_authenticated" | "expired" | "invalid";
 
+/** Options for AuthError */
+export type AuthErrorOptions = {
+  /** Skip auto-login flow when this error is caught (for auth commands) */
+  skipAutoAuth?: boolean;
+};
+
 /**
  * Authentication errors.
  *
  * @param reason - Type of auth failure
  * @param message - Custom message (uses default if not provided)
+ * @param options - Additional options (e.g., skipAutoAuth for auth commands)
  */
 export class AuthError extends CliError {
   readonly reason: AuthErrorReason;
+  /** When true, the auto-login flow should not be triggered for this error */
+  readonly skipAutoAuth: boolean;
 
-  constructor(reason: AuthErrorReason, message?: string) {
+  constructor(
+    reason: AuthErrorReason,
+    message?: string,
+    options?: AuthErrorOptions
+  ) {
     const defaultMessages: Record<AuthErrorReason, string> = {
       not_authenticated: "Not authenticated. Run 'sentry auth login' first.",
       expired:
@@ -89,6 +102,7 @@ export class AuthError extends CliError {
     super(message ?? defaultMessages[reason]);
     this.name = "AuthError";
     this.reason = reason;
+    this.skipAutoAuth = options?.skipAutoAuth ?? false;
   }
 }