feat(cmd): enhance error messages with usage examples and guidance

sgaunet · web-flow · commit 1a005b1c4d61 · 2025-12-27T08:33:48.000+01:00
diff --git a/cmd/decode-es.go b/cmd/decode-es.go
@@ -29,10 +29,32 @@ func createESDecodeCommand(_ /* alg */, use, short, long, example string, pubKey
 			}
 
 			if privateKeyFile == "" && publicKeyFile == "" {
-				return fmt.Errorf("private key file or public key file is mandatory\n\n%s", cmd.UsageString())
+				//nolint:revive,staticcheck // User-facing error message with proper formatting
+				return fmt.Errorf(`Error: key file is required
+
+Provide either a public key file (recommended) or private key file in PEM format to verify the JWT token.
+
+Example usage with public key (recommended):
+  jwt-cli decode %s --token "eyJhbGci..." --public-key ./keys/ec-public.pem
+
+Example usage with private key:
+  jwt-cli decode %s --token "eyJhbGci..." --private-key ./keys/ec-private.pem
+
+Tip: Use the public key for verification to follow asymmetric cryptography best practices.
+     The key must match the one used to encode the token.
+     ES256 uses P-256 curve, ES384 uses P-384, ES512 uses P-521.`, use, use)
 			}
 			if token == "" {
-				return fmt.Errorf("token is mandatory\n\n%s", cmd.UsageString())
+				//nolint:revive,staticcheck // User-facing error message with proper formatting
+				return fmt.Errorf(`Error: token is required
+
+Provide the JWT token string to decode and verify.
+
+Example usage:
+  jwt-cli decode %s --token "eyJhbGci..." --public-key ./keys/ec-public.pem
+  jwt-cli decode %s --token "$TOKEN" --public-key ./keys/ec-public.pem
+
+Tip: The token is the three-part string (header.payload.signature) produced by the encode command.`, use, use)
 			}
 
 			var j cryptojwt.Decoder
diff --git a/cmd/decode-hs.go b/cmd/decode-hs.go
@@ -26,10 +26,28 @@ func createHSDecodeCommand(_ /* alg */, use, short, long, example string, decode
 			allowWeakSecret, _ := cmd.Flags().GetBool("allow-weak-secret")
 
 			if secret == "" {
-				return fmt.Errorf("secret is mandatory\n\n%s", cmd.UsageString())
+				//nolint:revive,staticcheck // User-facing error message with proper formatting
+				return fmt.Errorf(`Error: secret is required
+
+The secret is used to verify the JWT token signature. It must match the secret used for encoding.
+
+Example usage:
+  jwt-cli decode %s --token "eyJhbGci..." --secret "your-secret-key"
+
+Tip: Use the same secret that was used to encode the token.
+     HS256 requires at least 32 bytes, HS384 requires 48 bytes, HS512 requires 64 bytes.`, use)
 			}
 			if token == "" {
-				return fmt.Errorf("token is mandatory\n\n%s", cmd.UsageString())
+				//nolint:revive,staticcheck // User-facing error message with proper formatting
+				return fmt.Errorf(`Error: token is required
+
+Provide the JWT token string to decode and verify.
+
+Example usage:
+  jwt-cli decode %s --token "eyJhbGci..." --secret "your-secret-key"
+  jwt-cli decode %s --token "$TOKEN" --secret "your-secret-key"
+
+Tip: The token is the three-part string (header.payload.signature) produced by the encode command.`, use, use)
 			}
 
 			j := decoderWithOpts([]byte(secret), allowWeakSecret)
diff --git a/cmd/decode-rs.go b/cmd/decode-rs.go
@@ -29,10 +29,31 @@ func createRSDecodeCommand(_ /* alg */, use, short, long, example string, pubKey
 			}
 
 			if privateKeyFile == "" && publicKeyFile == "" {
-				return fmt.Errorf("private key file or public key file is mandatory\n\n%s", cmd.UsageString())
+				//nolint:revive,staticcheck // User-facing error message with proper formatting
+				return fmt.Errorf(`Error: key file is required
+
+Provide either a public key file (recommended) or private key file in PEM format to verify the JWT token.
+
+Example usage with public key (recommended):
+  jwt-cli decode %s --token "eyJhbGci..." --public-key ./keys/public.pem
+
+Example usage with private key:
+  jwt-cli decode %s --token "eyJhbGci..." --private-key ./keys/private.pem
+
+Tip: Use the public key for verification to follow asymmetric cryptography best practices.
+     The key must match the one used to encode the token.`, use, use)
 			}
 			if token == "" {
-				return fmt.Errorf("token is mandatory\n\n%s", cmd.UsageString())
+				//nolint:revive,staticcheck // User-facing error message with proper formatting
+				return fmt.Errorf(`Error: token is required
+
+Provide the JWT token string to decode and verify.
+
+Example usage:
+  jwt-cli decode %s --token "eyJhbGci..." --public-key ./keys/public.pem
+  jwt-cli decode %s --token "$TOKEN" --public-key ./keys/public.pem
+
+Tip: The token is the three-part string (header.payload.signature) produced by the encode command.`, use, use)
 			}
 
 			var j cryptojwt.Decoder
diff --git a/cmd/encode-es.go b/cmd/encode-es.go
@@ -25,10 +25,30 @@ func createESEncodeCommand(_ /* alg */, use, short, long, example string, encode
 			}
 
 			if privateKeyFile == "" {
-				return fmt.Errorf("private key file is mandatory\n\n%s", cmd.UsageString())
+				//nolint:revive,staticcheck // User-facing error message with proper formatting
+				return fmt.Errorf(`Error: private key file is required
+
+Provide the path to your ECDSA private key file in PEM format for signing the JWT token.
+
+Example usage:
+  jwt-cli encode %s --private-key ./keys/ec-private.pem --payload '{"sub":"1234567890","name":"Alice"}'
+
+Generate keys with:
+  jwt-cli genkeys %s
+
+Tip: ECDSA provides strong security with smaller key sizes compared to RSA.
+     ES256 uses P-256 curve, ES384 uses P-384, ES512 uses P-521.`, use, use)
 			}
 			if payload == "" {
-				return fmt.Errorf("payload is mandatory\n\n%s", cmd.UsageString())
+				//nolint:revive,staticcheck // User-facing error message with proper formatting
+				return fmt.Errorf(`Error: payload is required
+
+The payload contains the claims (data) to be encoded in the JWT token.
+
+Example usage:
+  jwt-cli encode %s --private-key ./keys/ec-private.pem --payload '{"sub":"1234567890","name":"Alice"}'
+
+Tip: Payload must be valid JSON. Common claims include 'sub' (subject), 'exp' (expiration), 'iat' (issued at).`, use)
 			}
 
 			j := encoder(privateKeyFile)
diff --git a/cmd/encode-hs.go b/cmd/encode-hs.go
@@ -26,10 +26,27 @@ func createHSEncodeCommand(_ /* alg */, use, short, long, example string, encode
 			allowWeakSecret, _ := cmd.Flags().GetBool("allow-weak-secret")
 
 			if secret == "" {
-				return fmt.Errorf("secret is mandatory\n\n%s", cmd.UsageString())
+				//nolint:revive,staticcheck // User-facing error message with proper formatting
+				return fmt.Errorf(`Error: secret is required
+
+The secret is used to sign and verify HMAC-based JWT tokens. It must be kept confidential.
+
+Example usage:
+  jwt-cli encode %s --secret "your-secret-key" --payload '{"user":"alice","role":"admin"}'
+
+Tip: Use a strong secret. HS256 requires at least 32 bytes, HS384 requires 48 bytes, HS512 requires 64 bytes.
+     Use --allow-weak-secret flag only for testing purposes.`, use)
 			}
 			if payload == "" {
-				return fmt.Errorf("payload is mandatory\n\n%s", cmd.UsageString())
+				//nolint:revive,staticcheck // User-facing error message with proper formatting
+				return fmt.Errorf(`Error: payload is required
+
+The payload contains the claims (data) to be encoded in the JWT token.
+
+Example usage:
+  jwt-cli encode %s --secret "your-secret-key" --payload '{"user":"alice","role":"admin"}'
+
+Tip: Payload must be valid JSON. Common claims include 'sub' (subject), 'exp' (expiration), 'iat' (issued at).`, use)
 			}
 
 			j := encoderWithOpts([]byte(secret), allowWeakSecret)
diff --git a/cmd/encode-rs.go b/cmd/encode-rs.go
@@ -25,10 +25,29 @@ func createRSEncodeCommand(_ /* alg */, use, short, long, example string, encode
 			}
 
 			if privateKeyFile == "" {
-				return fmt.Errorf("private key file is mandatory\n\n%s", cmd.UsageString())
+				//nolint:revive,staticcheck // User-facing error message with proper formatting
+				return fmt.Errorf(`Error: private key file is required
+
+Provide the path to your RSA private key file in PEM format for signing the JWT token.
+
+Example usage:
+  jwt-cli encode %s --private-key ./keys/private.pem --payload '{"sub":"1234567890","name":"Alice"}'
+
+Generate keys with:
+  jwt-cli genkeys %s
+
+Tip: Keep your private key secure and never share it. Use minimum 2048-bit RSA keys.`, use, use)
 			}
 			if payload == "" {
-				return fmt.Errorf("payload is mandatory\n\n%s", cmd.UsageString())
+				//nolint:revive,staticcheck // User-facing error message with proper formatting
+				return fmt.Errorf(`Error: payload is required
+
+The payload contains the claims (data) to be encoded in the JWT token.
+
+Example usage:
+  jwt-cli encode %s --private-key ./keys/private.pem --payload '{"sub":"1234567890","name":"Alice"}'
+
+Tip: Payload must be valid JSON. Common claims include 'sub' (subject), 'exp' (expiration), 'iat' (issued at).`, use)
 			}
 
 			j := encoder(privateKeyFile)
