feat: configurable OAuth callback port & remove client flags (#71)

* feat(backlog-utils): accept custom port in startCallbackServer

* test(backlog-utils): use random ports in oauth-callback tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(cli): remove --client-id/--client-secret flags, add BACKLOG_OAUTH_PORT support

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test(cli): update login tests for env-only OAuth config

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: update OAuth docs for env-only config and BACKLOG_OAUTH_PORT

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: use callout for BACKLOG_OAUTH_PORT tip

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(cli): require OAuth credentials via env vars instead of interactive prompt

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: update OAuth docs to reflect required env vars

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: import AddressInfo from node:net instead of node:http

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* style: fix formatting in login tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: lollipop-onl

apps/cli/src/commands/auth/login.test.ts

@@ -3,7 +3,7 @@ import { promptRequired } from "@repo/cli-utils";
 import { updateConfig } from "@repo/config";
 import { Backlog, OAuth2 } from "backlog-js";
 import consola from "consola";
-import { describe, expect, it, vi } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
 import { parseCommand } from "@repo/test-utils";
 
 const mockGetMyself = vi.fn();
@@ -116,6 +116,9 @@ describe("auth login", () => {
 
   describe("oauth", () => {
     const setupOAuthMocks = () => {
+      process.env.BACKLOG_OAUTH_CLIENT_ID = "my-client-id";
+      process.env.BACKLOG_OAUTH_CLIENT_SECRET = "my-client-secret";
+
       mockGetMyself.mockResolvedValue({ name: "OAuth User", userId: "oauthuser" });
       vi.mocked(updateConfig).mockImplementation((updater) =>
         updater({ spaces: [], defaultSpace: undefined, aliases: {} }),
@@ -138,17 +141,24 @@ describe("auth login", () => {
       return { mockStop, mockWaitForCallback };
     };
 
+    afterEach(() => {
+      delete process.env.BACKLOG_OAUTH_CLIENT_ID;
+      delete process.env.BACKLOG_OAUTH_CLIENT_SECRET;
+    });
+
+    it("throws error when OAuth env vars are missing", async () => {
+      vi.mocked(promptRequired).mockResolvedValueOnce("example.backlog.com");
+
+      await expect(parseCommand(() => import("./login"), ["--method", "oauth"])).rejects.toThrow(
+        "BACKLOG_OAUTH_CLIENT_ID and BACKLOG_OAUTH_CLIENT_SECRET must be set as environment variables.",
+      );
+    });
+
     it("authenticates new space via OAuth flow", async () => {
       setupOAuthMocks();
-      vi.mocked(promptRequired)
-        .mockResolvedValueOnce("example.backlog.com")
-        .mockResolvedValueOnce("my-client-id")
-        .mockResolvedValueOnce("my-client-secret");
+      vi.mocked(promptRequired).mockResolvedValueOnce("example.backlog.com");
 
-      await parseCommand(
-        () => import("./login"),
-        ["--method", "oauth", "--client-id", "my-client-id", "--client-secret", "my-client-secret"],
-      );
+      await parseCommand(() => import("./login"), ["--method", "oauth"]);
 
       expect(startCallbackServer).toHaveBeenCalled();
       expect(OAuth2).toHaveBeenCalledWith({
@@ -191,6 +201,8 @@ describe("auth login", () => {
     });
 
     it("throws error when error occurs during callback", async () => {
+      process.env.BACKLOG_OAUTH_CLIENT_ID = "my-client-id";
+      process.env.BACKLOG_OAUTH_CLIENT_SECRET = "my-client-secret";
       const mockStop = vi.fn();
       vi.mocked(startCallbackServer).mockReturnValue({
         port: 5033,
@@ -199,71 +211,32 @@ describe("auth login", () => {
           .mockRejectedValue(new Error("OAuth callback timed out after 5 minutes")),
         stop: mockStop,
       });
-      vi.mocked(promptRequired)
-        .mockResolvedValueOnce("example.backlog.com")
-        .mockResolvedValueOnce("my-client-id")
-        .mockResolvedValueOnce("my-client-secret");
-
-      await expect(
-        parseCommand(
-          () => import("./login"),
-          [
-            "--method",
-            "oauth",
-            "--client-id",
-            "my-client-id",
-            "--client-secret",
-            "my-client-secret",
-          ],
-        ),
-      ).rejects.toThrow("OAuth authorization failed: OAuth callback timed out after 5 minutes");
+      vi.mocked(promptRequired).mockResolvedValueOnce("example.backlog.com");
+
+      await expect(parseCommand(() => import("./login"), ["--method", "oauth"])).rejects.toThrow(
+        "OAuth authorization failed: OAuth callback timed out after 5 minutes",
+      );
       expect(mockStop).toHaveBeenCalled();
     });
 
     it("throws error when token exchange fails", async () => {
       setupOAuthMocks();
       vi.mocked(exchangeAuthorizationCode).mockRejectedValue(new Error("invalid_grant"));
-      vi.mocked(promptRequired)
-        .mockResolvedValueOnce("example.backlog.com")
-        .mockResolvedValueOnce("my-client-id")
-        .mockResolvedValueOnce("my-client-secret");
-
-      await expect(
-        parseCommand(
-          () => import("./login"),
-          [
-            "--method",
-            "oauth",
-            "--client-id",
-            "my-client-id",
-            "--client-secret",
-            "my-client-secret",
-          ],
-        ),
-      ).rejects.toThrow("Failed to exchange authorization code for tokens.");
+      vi.mocked(promptRequired).mockResolvedValueOnce("example.backlog.com");
+
+      await expect(parseCommand(() => import("./login"), ["--method", "oauth"])).rejects.toThrow(
+        "Failed to exchange authorization code for tokens.",
+      );
     });
 
     it("throws error when token verification fails", async () => {
       setupOAuthMocks();
       mockGetMyself.mockRejectedValue(new Error("Unauthorized"));
-      vi.mocked(promptRequired)
-        .mockResolvedValueOnce("example.backlog.com")
-        .mockResolvedValueOnce("my-client-id")
-        .mockResolvedValueOnce("my-client-secret");
-
-      await expect(
-        parseCommand(
-          () => import("./login"),
-          [
-            "--method",
-            "oauth",
-            "--client-id",
-            "my-client-id",
-            "--client-secret",
-            "my-client-secret",
-          ],
-        ),
-      ).rejects.toThrow("Authentication verification failed.");
+      vi.mocked(promptRequired).mockResolvedValueOnce("example.backlog.com");
+
+      await expect(parseCommand(() => import("./login"), ["--method", "oauth"])).rejects.toThrow(
+        "Authentication verification failed.",
+      );
     });
 
     it("updates OAuth credentials for existing space", async () => {
@@ -286,15 +259,9 @@ describe("auth login", () => {
           aliases: {},
         }),
       );
-      vi.mocked(promptRequired)
-        .mockResolvedValueOnce("example.backlog.com")
-        .mockResolvedValueOnce("my-client-id")
-        .mockResolvedValueOnce("my-client-secret");
+      vi.mocked(promptRequired).mockResolvedValueOnce("example.backlog.com");
 
-      await parseCommand(
-        () => import("./login"),
-        ["--method", "oauth", "--client-id", "my-client-id", "--client-secret", "my-client-secret"],
-      );
+      await parseCommand(() => import("./login"), ["--method", "oauth"]);
 
       const result = vi.mocked(updateConfig).mock.results[0]?.value;
       expect(result.spaces).toEqual([

apps/cli/src/commands/auth/login.ts

@@ -15,15 +15,11 @@ Use \`--method oauth\` for OAuth authentication via the browser.`,
   )
   .option("-m, --method <method>", "The authentication method to use", "api-key")
   .option("--with-token", "Read token from standard input")
-  .option("--client-id <id>", "The OAuth Client ID to use when authenticating with Backlog")
-  .option(
-    "--client-secret <secret>",
-    "The OAuth Client Secret to use when authenticating with Backlog",
-  )
   .envVars([
     ["BACKLOG_SPACE", "Default space hostname"],
     ["BACKLOG_OAUTH_CLIENT_ID", "OAuth Client ID"],
     ["BACKLOG_OAUTH_CLIENT_SECRET", "OAuth Client Secret"],
+    ["BACKLOG_OAUTH_PORT", "OAuth callback port (default: 5033)"],
   ])
   .examples([
     { description: "Start interactive setup", command: "bee auth login" },
@@ -44,7 +40,7 @@ Use \`--method oauth\` for OAuth authentication via the browser.`,
       placeholder: "xxx.backlog.com",
     });
 
-    await (method === "api-key" ? loginWithApiKey(hostname, opts) : loginWithOAuth(hostname, opts));
+    await (method === "api-key" ? loginWithApiKey(hostname, opts) : loginWithOAuth(hostname));
   });
 
 const loginWithApiKey = async (hostname: string, opts: { withToken?: boolean }): Promise<void> => {
@@ -69,21 +65,20 @@ const loginWithApiKey = async (hostname: string, opts: { withToken?: boolean }):
   consola.success(`Logged in to ${hostname} as ${user.name} (${user.userId})`);
 };
 
-const loginWithOAuth = async (
-  hostname: string,
-  opts: { clientId?: string; clientSecret?: string },
-): Promise<void> => {
-  const clientId = await promptRequired(
-    "OAuth Client ID:",
-    opts.clientId ?? process.env.BACKLOG_OAUTH_CLIENT_ID,
-  );
-
-  const clientSecret = await promptRequired(
-    "OAuth Client Secret:",
-    opts.clientSecret ?? process.env.BACKLOG_OAUTH_CLIENT_SECRET,
-  );
-
-  const callbackServer = startCallbackServer();
+const loginWithOAuth = async (hostname: string): Promise<void> => {
+  const clientId = process.env.BACKLOG_OAUTH_CLIENT_ID;
+  const clientSecret = process.env.BACKLOG_OAUTH_CLIENT_SECRET;
+  if (!clientId || !clientSecret) {
+    throw new UserError(
+      "BACKLOG_OAUTH_CLIENT_ID and BACKLOG_OAUTH_CLIENT_SECRET must be set as environment variables.",
+    );
+  }
+
+  const port = process.env.BACKLOG_OAUTH_PORT ? Number(process.env.BACKLOG_OAUTH_PORT) : undefined;
+  if (port !== undefined && (!Number.isInteger(port) || port < 0 || port > 65_535)) {
+    throw new UserError("BACKLOG_OAUTH_PORT must be an integer between 0 and 65535.");
+  }
+  const callbackServer = startCallbackServer(port);
   const redirectUri = `http://localhost:${callbackServer.port}/callback`;
   const state = crypto.randomUUID();
 

apps/docs/src/content/docs/guides/authentication.mdx

@@ -4,7 +4,7 @@ description: |-
   bee CLI の認証方法。Backlog への API キー・OAuth 認証の設定手順、使い分け、複数スペースの切り替えに対応。
 ---
 
-import { Tabs, TabItem, Card, LinkCard, CardGrid } from "@astrojs/starlight/components";
+import { Card, LinkCard, CardGrid } from "@astrojs/starlight/components";
 
 bee は 2 つの認証方式をサポートしています。
 
@@ -60,6 +60,10 @@ OAuth を使うと、API キーを直接扱わずに認証できます。
    - **リダイレクト URI**: `http://localhost:5033/callback`
 5. 登録後に表示される **Client ID** と **Client Secret** をメモします
 
+:::tip
+ポート `5033` が他のアプリケーションと競合する場合は、環境変数 `BACKLOG_OAUTH_PORT` で変更できます。リダイレクト URI も合わせて変更してください。
+:::
+
 ### ログイン
 
 ```sh
@@ -68,22 +72,13 @@ bee auth login --method oauth
 
 ブラウザが開き、Backlog の認証画面が表示されます。承認するとトークンが自動的に取得されます。
 
-OAuth クライアント ID とシークレットは、フラグまたは環境変数で指定できます。
-
-<Tabs>
-  <TabItem label="フラグ">
-    ```sh
-    bee auth login --method oauth --client-id YOUR_ID --client-secret YOUR_SECRET
-    ```
-  </TabItem>
-  <TabItem label="環境変数">
-    ```sh
-    export BACKLOG_OAUTH_CLIENT_ID=YOUR_ID
-    export BACKLOG_OAUTH_CLIENT_SECRET=YOUR_SECRET
-    bee auth login --method oauth
-    ```
-  </TabItem>
-</Tabs>
+事前に環境変数 `BACKLOG_OAUTH_CLIENT_ID` と `BACKLOG_OAUTH_CLIENT_SECRET` を設定してください。
+
+```sh
+export BACKLOG_OAUTH_CLIENT_ID=YOUR_ID
+export BACKLOG_OAUTH_CLIENT_SECRET=YOUR_SECRET
+bee auth login --method oauth
+```
 
 ## どちらを選ぶべきか
 

apps/docs/src/content/docs/guides/environment-variables.mdx

@@ -25,10 +25,13 @@ description: |-
 : API キーによる認証に使用します。`BACKLOG_SPACE` と併用すると、`bee auth login` を実行しなくても認証済みの状態で bee を利用できます。CI/CD 環境で特に便利です。
 
 `BACKLOG_OAUTH_CLIENT_ID`
-: OAuth 認証で使用するクライアント ID。`bee auth login --method oauth` 時に `--client-id` フラグの代わりに使用できます。
+: OAuth 認証で使用するクライアント ID。`bee auth login --method oauth` で必須です。
 
 `BACKLOG_OAUTH_CLIENT_SECRET`
-: OAuth 認証で使用するクライアントシークレット。`bee auth login --method oauth` 時に `--client-secret` フラグの代わりに使用できます。
+: OAuth 認証で使用するクライアントシークレット。`bee auth login --method oauth` で必須です。
+
+`BACKLOG_OAUTH_PORT`
+: OAuth 認証で使用するコールバックサーバーのポート番号。デフォルトは `5033`。別のアプリケーションとポートが競合する場合に変更できます。
 
 ## よく使うパターン