Skip to content

Add interactive login#64

Merged
satvik007 merged 24 commits into
mainfrom
dev/ram/interactive-login
May 12, 2026
Merged

Add interactive login#64
satvik007 merged 24 commits into
mainfrom
dev/ram/interactive-login

Conversation

@ramilamparo
Copy link
Copy Markdown
Collaborator

@ramilamparo ramilamparo commented Apr 8, 2026
edited
Loading

Summary

Adds interactive qasphere auth commands for login, logout, and status — replacing the need to manually manage API keys and environment variables.

For testing purposes, you can override the QAS_LOGIN_SERVICE_URL.

Login methods

  • Device Authorization Grant (RFC 8628) — default flow. Opens a browser to the QA Sphere verification page, displays a user code, and polls until the user approves. No secrets typed into the terminal.

Credential storage

Credentials are persisted in priority order:

  1. System keyring (@napi-rs/keyring) — preferred, used when the OS keyring daemon is available
  2. File fallback (~/.config/qasphere/credentials.json) — restricted permissions (0600), used when keyring is unavailable

Credential resolution

resolveCredentialSource() checks sources in priority order:

  1. QAS_TOKEN + QAS_URL environment variables
  2. .env file in cwd
  3. System keyring
  4. ~/.config/qasphere/credentials.json
  5. .qaspherecli file (searched up directory tree)

Auth subcommands

Command Description
qasphere auth login Device authorization flow (browser-based)
qasphere auth status Shows current auth source and validates the API key
qasphere auth logout Clears keyring or file credentials; warns if env-based credentials remain

chatgpt-codex-connector[bot]

This comment was marked as outdated.

Sign in to view

gemini-code-assist[bot]

This comment was marked as outdated.

Sign in to view

@claude
Copy link
Copy Markdown

claude Bot commented Apr 8, 2026
edited
Loading

Code Review: Add interactive login

  • Read review instructions
  • Gather full PR diff and context
  • Run specialized review subagents (code quality, security, performance, test coverage)
  • Aggregate findings and post review with inline comments
  • Clean up outdated bot comments and threads

Running specialized review subagents...

View job run

claude[bot]

This comment was marked as outdated.

Sign in to view

claude[bot]

This comment was marked as outdated.

Sign in to view

@ramilamparo ramilamparo requested a review from a team April 9, 2026 13:40
@ramilamparo ramilamparo force-pushed the dev/ram/interactive-login branch from 8908deb to 6b05689 Compare April 9, 2026 14:10
claude[bot]

This comment was marked as outdated.

Sign in to view

claude[bot]

This comment was marked as outdated.

Sign in to view

claude[bot]

This comment was marked as outdated.

Sign in to view

claude[bot]

This comment was marked as outdated.

Sign in to view

claude[bot]

This comment was marked as outdated.

Sign in to view

claude[bot]

This comment was marked as outdated.

Sign in to view

claude[bot]

This comment was marked as outdated.

Sign in to view

claude[bot]

This comment was marked as outdated.

Sign in to view

@claude
Copy link
Copy Markdown

claude Bot commented Apr 15, 2026
edited
Loading

Claude finished @ramilamparo's task in 8m 37s —— View job

Code Review: Add interactive login

  • Gather PR context and full diff
  • Run specialized review subagents (code quality, security, performance, test coverage)
  • Aggregate findings and post review
  • Clean up outdated bot comments and threads

The latest push (9837ba6 — "Fixes") addresses three open items from prior reviews: replace('-', '')replaceAll, sourceLabels now includes keyring/credentials.json, and resolveAuth error output uses console.error.

Ran four specialized subagents against the full PR diff. No new noteworthy findings beyond what prior reviews have already raised. Five open items remain unaddressed but none are blocking:

  1. oauth.ts:134refreshAccessToken omits client_id
  2. browser.ts:15 — Windows cmd /c start shell metacharacter handling
  3. keyring.ts:22loadKeyringModule() cache opportunity
  4. oauth.ts — OAuth responses lack Zod runtime validation
  5. auth-e2e.spec.ts — test gaps (default OAuth error branch, polling network error, keyring-backed refresh persistence, clearCredentials failure in logout)

Resolved 3 now-addressed bot threads, minimized 14 outdated bot review summaries, and deleted 1 progress-tracking comment. Submitted as APPROVE.

claude[bot]

This comment was marked as outdated.

Sign in to view

hi-rai
hi-rai approved these changes Apr 21, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@hi-rai hi-rai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR looks okay. Few minor nits

Comment thread README.md
Comment thread src/api/oauth.ts
Comment thread src/commands/auth.ts
Comment thread src/commands/auth.ts Outdated
Comment thread src/commands/auth.ts Outdated
Comment thread src/commands/auth.ts Outdated
Comment thread src/commands/auth.ts Outdated
Comment thread src/commands/auth.ts
Comment on lines +194 to +195
keyring: 'the system keyring',
'credentials.json': 'a credentials file (~/.config/qasphere/credentials.json)',
Copy link
Copy Markdown
Contributor

@hi-rai hi-rai Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we expose the internal details of how the oauth credentials are stored to the user ? Or simply mention oauth ?

Copy link
Copy Markdown
Collaborator Author

@ramilamparo ramilamparo Apr 24, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see the harm. Showing "OAuth" could be a bit misleading. Since keyring also uses OAuth.

Comment thread src/commands/auth.ts Outdated
Comment thread src/commands/auth.ts Outdated
@claude
Copy link
Copy Markdown

claude Bot commented Apr 24, 2026
edited
Loading

Claude finished @ramilamparo's task in 10m 18s —— View job

Code Review: Add interactive login

  • Gather PR context and full diff
  • Run specialized review subagents (code quality, security, performance, test coverage)
  • Aggregate findings, deduplicate against existing comments, and post review
  • Clean up outdated bot comments and threads

The latest commit (b103da8 — "Tweaks") addresses hi-rai's review feedback: REFRESH_TOKEN_GRANT_TYPE constant added, status message changed to "Credentials connected via", token expiry only shown when status is valid, more specific revocation instructions, and simplified "Remove them manually." text.

Ran four specialized subagents against the full PR diff. No new noteworthy findings beyond what prior reviews have already raised. Two previously-open test gaps are now addressed (clearCredentials failure path at line 1001, keyring-backed refresh persistence at line 945). Resolved 2 now-addressed bot threads and minimized 13 outdated bot review summaries. Submitted as APPROVE.

claude[bot]

This comment was marked as outdated.

Sign in to view

@claude
Copy link
Copy Markdown

claude Bot commented Apr 24, 2026
edited
Loading

Claude finished @ramilamparo's task in 10m 25s —— View job

Code Review: Add interactive login

  • Gather PR context and full diff
  • Run specialized review subagents (code quality, security, performance, test coverage)
  • Aggregate findings, deduplicate against existing comments, and post review
  • Clean up outdated bot comments and threads

The latest commit (ba1fe61 — "Improve command description") updates the auth status describe text to better reflect its behavior, addressing hi-rai's feedback.

Ran four specialized subagents against the full PR diff. Two new findings posted as inline comments:

  1. types.ts:9tenantUrl schema uses .min(1) instead of .url(), missing URL format validation at the credential boundary
  2. resolvers.ts:153resolveAuth() error message leads with "Missing required environment variables" when OAuth is now the primary auth path

Minimized 16 outdated bot review summaries. Three open items from prior reviews remain unaddressed but none are blocking. Submitted as APPROVE.

claude[bot]

This comment was marked as outdated.

Sign in to view

@claude
Copy link
Copy Markdown

claude Bot commented Apr 24, 2026
edited
Loading

Code Review: Add interactive login

  • Gather PR context and full diff
  • Run specialized review subagents (code quality, security, performance, test coverage)
  • Aggregate findings, deduplicate against existing comments, and post review
  • Clean up outdated bot comments and threads

Running specialized review subagents...

View job run

@claude
Copy link
Copy Markdown

claude Bot commented Apr 24, 2026
edited
Loading

Claude finished @ramilamparo's task in 14m 7s —— View job

Code Review: Add interactive login

  • Gather PR context and full diff
  • Run specialized review subagents (code quality, security, performance, test coverage)
  • Aggregate findings, deduplicate against existing comments, and post review
  • Clean up outdated bot comments and threads

The latest commits (5ce6d76 — "Nits", 90bac86 — "Add refresh token expiration") address both findings from the prior review: tenantUrl schema now uses .url() for proper URL validation, and resolveAuth error message now leads with "Not authenticated" and suggests auth login first. Status now shows refresh token expiry in days, and user code is shown as-is without normalization.

Ran four specialized subagents against the full PR diff. One new finding posted as an inline comment: refresh_token_expires_in is used without a fallback default — if the server hasn't been updated to return this field yet, login will crash with a RangeError.

Minimized 17 outdated bot review summaries. Three open items from prior reviews remain unaddressed but none are blocking. Submitted as APPROVE.

claude[bot]

This comment was marked as outdated.

Sign in to view

satvik007
satvik007 requested changes May 11, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@satvik007 satvik007 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did some local reviews with agents and helped me find out some issues that we can address before merge.

Comment thread src/api/utils.ts
Comment thread src/utils/browser.ts Outdated
Comment thread src/utils/credentials/resolvers.ts Outdated
Comment thread src/tests/auth-e2e.spec.ts
Comment thread src/utils/credentials/resolvers.ts Outdated
Comment thread src/api/oauth.ts
Comment thread src/api/oauth.ts Outdated
Comment thread src/utils/browser.ts Outdated
Comment thread src/utils/credentials/types.ts Outdated
Comment thread src/utils/result-upload/ResultUploadCommandHandler.ts
@ramilamparo
Address PR review feedback
679780e 
- Restrict openBrowser URL scheme to http/https, surface execFile stderr
- Restore withDevAuth middleware in createApi
- Include client_id on refresh (RFC 6749 §6) and validate OAuth responses with Zod
- Distinguish OAuth protocol vs transport errors so transient failures preserve credentials
- Warn when stale-credential clear fails
- Strip trailing slash on tenantUrl in apikey resolvers
- Narrow credential source into ApiKeyCredentialSource | OAuthCredentialSource
- Warn on partial QAS_TOKEN/QAS_URL config per source
- Drop redundant pre-exit SIGINT removeListener calls
- Reword --run-url host mismatch error to show both hosts
- Cover OAuth bearer upload path and host-mismatch case in tests
@claude
Copy link
Copy Markdown

claude Bot commented May 12, 2026
edited
Loading

Claude finished @ramilamparo's task in 13m 4s —— View job

Code Review: Add interactive login

  • Gather PR context and full diff
  • Run specialized review subagents (code quality, security, performance, test coverage)
  • Aggregate findings, deduplicate against existing comments, and post review
  • Clean up outdated bot comments and threads

The latest commit (679780e — "Address PR review feedback") comprehensively addresses satvik007's CHANGES_REQUESTED review: URL scheme validation in openBrowser, withDevAuth restored, client_id on refresh, Zod validation for OAuth responses, transport vs protocol error distinction, partial env-var warnings, trailing-slash normalization, narrowed credential source types, and bearer upload test coverage.

Ran four specialized subagents against the full PR diff. Three new findings posted as inline comments — none blocking:

  1. oauth.ts:85withHttpRetry in the polling fetcher creates hidden retries that silently eat into the deadline (medium)
  2. oauth.ts:28-29verification_uri/verification_uri_complete lack .url() validation (low)
  3. auth.ts:97-106 — OAuthTokenResponse → OAuthCredentials mapping duplicated with resolvers.ts:175-184 (low)

Resolved 1 now-addressed bot thread (client_id in refresh) and minimized 16 outdated bot review summaries. Submitted as APPROVE.

claude[bot]

This comment was marked as outdated.

Sign in to view

@ramilamparo
Address second-pass review
e964e8e 
- Validate verification_uri / verification_uri_complete as URLs
- Extract credentialsFromTokenResponse to deduplicate token-to-credentials mapping
- Disable withHttpRetry on pollDeviceToken so the polling loop owns retry timing; treat 429/502/503 as transient and keep polling, honoring Retry-After
- Share parseRetryAfterMs and DEFAULT_HTTP_RETRY_OPTIONS between withHttpRetry and the poll path
@claude
Copy link
Copy Markdown

claude Bot commented May 12, 2026
edited
Loading

Claude finished @ramilamparo's task in 11m 0s —— View job

Code Review: Add interactive login

  • Gather PR context and full diff
  • Run specialized review subagents (code quality, security, performance, test coverage)
  • Aggregate findings, deduplicate against existing comments, and post review
  • Clean up outdated bot comments and threads

The latest commit (e964e8e — "Address second-pass review") addresses all three findings from the prior review:

  1. verification_uri / verification_uri_complete now validated with .url()
  2. credentialsFromTokenResponse extracted to storage.ts to deduplicate token-to-credentials mapping ✓
  3. withHttpRetry disabled on pollDeviceToken — polling loop now owns retry timing, treats 429/502/503 as transient and honors Retry-After

Ran four specialized subagents against the full PR diff. All findings map to items already raised and addressed or acknowledged in prior review cycles. Resolved 3 now-addressed bot threads and minimized 19 outdated bot review summaries. One remaining low-priority item from prior reviews is still open but not blocking:

  • keyring.ts:22loadKeyringModule() re-attempts dynamic import on every call (performance/low)

Submitted as APPROVE.

claude[bot]

This comment was marked as outdated.

Sign in to view

@ramilamparo ramilamparo requested a review from satvik007 May 12, 2026 14:32
@claude
Copy link
Copy Markdown

claude Bot commented May 12, 2026
edited
Loading

Claude finished @satvik007's task in 13m 36s —— View job

Code Review: Add interactive login

  • Gather PR context and full diff
  • Run specialized review subagents (code quality, security, performance, test coverage)
  • Aggregate findings, deduplicate against existing comments, and post review
  • Clean up outdated bot comments and threads

The latest commit (557ec01 — "Add user details in auth status") replaces projects.list() with users.me() for status validation and now displays the authenticated user's name, email, and role. The change is clean and well-tested.

Ran four specialized subagents against the full PR diff. All findings map to items already raised and addressed or acknowledged in prior review cycles. Minimized 20 outdated bot review summaries. One remaining low-priority item from prior reviews is still open but not blocking:

  • keyring.ts:22loadKeyringModule() re-attempts dynamic import on every call (performance/low)

Submitted as APPROVE.

@satvik007 satvik007 merged commit 0325ac0 into main May 12, 2026
3 checks passed
@satvik007 satvik007 deleted the dev/ram/interactive-login branch May 12, 2026 18:47
@satvik007 satvik007 mentioned this pull request May 12, 2026
Merged
3 tasks
claude[bot]
claude Bot approved these changes May 12, 2026
View reviewed changes
Copy link
Copy Markdown

@claude claude Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The latest commit (557ec01 — "Add user details in auth status") replaces projects.list() with users.me() for status validation and now displays the authenticated user's name, email, and role. The change is clean and well-tested — lifecycle and refresh tests updated to match.

Ran four specialized subagents (code quality, security, performance, test coverage) against the full PR diff. All findings map to items already raised and addressed or acknowledged in prior review cycles. One remaining low-priority item is still open but not blocking:

  • keyring.ts:22loadKeyringModule() re-attempts dynamic import on every call (performance/low — Node.js caches successful imports internally, so this only adds overhead on the failure path)

LGTM.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hi-rai hi-rai hi-rai approved these changes

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@satvik007 satvik007 satvik007 approved these changes

@claude claude[bot] claude[bot] approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ramilamparo @satvik007 @hi-rai