feat: auth token priority and ux (#483)

Author: v3nant

e2e/setup/mock-auth-hooks.mjs

@@ -15,10 +15,19 @@ export async function load(url, context, nextLoad) {
             this.code = code;
           }
         }
+        export const AUTH_ERROR_MESSAGES = {
+          UNAUTHENTICATED: 'Please log in to perform this action. To authenticate, please run an "auth login" command.',
+          SESSION_EXPIRED: 'Your session has expired. To re-authenticate, please run an "auth login" command.',
+          INVALID_TOKEN: 'Your session has expired. To re-authenticate, please run an "auth login" command.',
+          FORBIDDEN: 'You do not have permission to perform this action.',
+          NOT_LOGGED_IN_GENERIC: 'You are not logged in. Please run an "auth login" command to authenticate.',
+        };
         export function persistTokenResponse() { return Promise.resolve(); }
         export function getAccessToken() { return Promise.resolve('test-token'); }
         export function requireAccessToken() { return Promise.resolve('test-token'); }
         export function logoutLocally() { return Promise.resolve(); }
+        export function getTokenForScanWithSource() { return Promise.resolve({ token: 'test-token', source: 'oauth' }); }
+        export function getTokenProvider() { return () => Promise.resolve('test-token'); }
         export function requireAccessTokenForScan() { return Promise.resolve('test-token'); }
       `,
     };

src/api/user-setup.client.ts

@@ -1,7 +1,6 @@
 import type { GraphQLFormattedError } from 'graphql';
 import { config } from '../config/constants.ts';
-import { requireAccessToken, requireAccessTokenForScan } from '../service/auth.svc.ts';
-import { getCIToken } from '../service/ci-token.svc.ts';
+import { getTokenProvider } from '../service/auth.svc.ts';
 import { debugLogger } from '../service/log.svc.ts';
 import { withRetries } from '../utils/retry.ts';
 import { createApollo } from './apollo.client.ts';
@@ -36,12 +35,6 @@ function extractErrorCode(errors: ReadonlyArray<GraphQLFormattedError>): ApiErro
   return code;
 }
 
-function getTokenProvider(preferOAuth?: boolean) {
-  if (preferOAuth) return requireAccessToken;
-  if (getCIToken()) return requireAccessTokenForScan;
-  return requireAccessToken;
-}
-
 export async function getUserSetupStatus(options?: { preferOAuth?: boolean }): Promise<{
   isComplete: boolean;
   orgId?: number | null;
@@ -81,7 +74,7 @@ export async function completeUserSetup(options?: { preferOAuth?: boolean }): Pr
   isComplete: boolean;
   orgId?: number | null;
 }> {
-  const tokenProvider = options?.preferOAuth ? requireAccessToken : requireAccessTokenForScan;
+  const tokenProvider = getTokenProvider(options?.preferOAuth);
   const client = createApollo(getGraphqlUrl(), tokenProvider);
   const res = await client.mutate<CompleteUserSetupResponse>({ mutation: completeUserSetupMutation });
 

src/commands/scan/eol.ts

@@ -6,7 +6,7 @@ import { ApiError } from '../../api/errors.ts';
 import { submitScan } from '../../api/nes.client.ts';
 import { config, filenamePrefix, SCAN_ORIGIN_AUTOMATED, SCAN_ORIGIN_CLI } from '../../config/constants.ts';
 import { track } from '../../service/analytics.svc.ts';
-import { requireAccessTokenForScan } from '../../service/auth.svc.ts';
+import { AUTH_ERROR_MESSAGES, getTokenForScanWithSource } from '../../service/auth.svc.ts';
 import { createSbom } from '../../service/cdx.svc.ts';
 import {
   countComponentsByStatus,
@@ -88,7 +88,11 @@ export default class ScanEol extends Command {
   public async run(): Promise<EolReport | undefined> {
     const { flags } = await this.parse(ScanEol);
 
-    await requireAccessTokenForScan();
+    const { source } = await getTokenForScanWithSource();
+    if (source === 'ci') {
+      this.log('CI credentials found');
+      this.log('Using CI credentials');
+    }
 
     track('CLI EOL Scan Started', (context) => ({
       command: context.command,
@@ -230,13 +234,7 @@ export default class ScanEol extends Command {
           number_of_packages: numberOfPackages,
         }));
 
-        const errorMessages: Record<string, string> = {
-          SESSION_EXPIRED: 'Your session is no longer valid. To re-authenticate, please run an "auth login" command.',
-          INVALID_TOKEN: 'Your session is no longer valid. To re-authenticate, please run an "auth login" command.',
-          UNAUTHENTICATED: 'Please log in to perform a scan. To authenticate, please run an "auth login" command.',
-          FORBIDDEN: 'You do not have permission to perform this action.',
-        };
-        const message = errorMessages[error.code] ?? error.message?.trim();
+        const message = AUTH_ERROR_MESSAGES[error.code] ?? error.message?.trim();
         this.error(message);
       }
 

src/service/auth.svc.ts

@@ -10,6 +10,54 @@ export { CITokenError } from './ci-auth.svc.ts';
 
 export type AuthErrorCode = 'NOT_LOGGED_IN' | 'SESSION_EXPIRED';
 
+export type TokenSource = 'oauth' | 'ci';
+
+export type TokenProvider = (forceRefresh?: boolean) => Promise<string>;
+
+export const AUTH_ERROR_MESSAGES = {
+  UNAUTHENTICATED: 'Please log in to perform this action. To authenticate, please run an "auth login" command.',
+  SESSION_EXPIRED: 'Your session has expired. To re-authenticate, please run an "auth login" command.',
+  INVALID_TOKEN: 'Your session has expired. To re-authenticate, please run an "auth login" command.',
+  FORBIDDEN: 'You do not have permission to perform this action.',
+  NOT_LOGGED_IN_GENERIC: 'You are not logged in. Please run an "auth login" command to authenticate.',
+} as const;
+
+export async function getTokenForScanWithSource(
+  preferOAuth?: boolean,
+): Promise<{ token: string; source: TokenSource }> {
+  if (preferOAuth) {
+    const token = await requireAccessToken();
+    return { token, source: 'oauth' };
+  }
+
+  const tokens = await getStoredTokens();
+  if (tokens?.accessToken && !isAccessTokenExpired(tokens.accessToken)) {
+    return { token: tokens.accessToken, source: 'oauth' };
+  }
+
+  if (tokens?.refreshToken) {
+    try {
+      const newTokens = await refreshTokens(tokens.refreshToken);
+      await persistTokenResponse(newTokens);
+      return { token: newTokens.access_token, source: 'oauth' };
+    } catch (error) {
+      debugLogger('Token refresh failed: %O', error);
+    }
+  }
+
+  const ciToken = getCIToken();
+  if (ciToken) {
+    const accessToken = await requireCIAccessToken();
+    return { token: accessToken, source: 'ci' };
+  }
+
+  if (!tokens?.accessToken) {
+    throw new AuthError(AUTH_ERROR_MESSAGES.UNAUTHENTICATED, 'NOT_LOGGED_IN');
+  }
+
+  throw new AuthError(AUTH_ERROR_MESSAGES.SESSION_EXPIRED, 'SESSION_EXPIRED');
+}
+
 export class AuthError extends Error {
   readonly code: AuthErrorCode;
 
@@ -46,10 +94,17 @@ export async function getAccessToken(): Promise<string | undefined> {
   return refreshed.access_token;
 }
 
+export function getTokenProvider(preferOAuth?: boolean): TokenProvider {
+  return async (_forceRefresh?: boolean): Promise<string> => {
+    const { token } = await getTokenForScanWithSource(preferOAuth);
+    return token;
+  };
+}
+
 export async function requireAccessToken(): Promise<string> {
   const token = await getAccessToken();
   if (!token) {
-    throw new Error('You are not logged in. Please run an "auth login" command to authenticate.');
+    throw new Error(AUTH_ERROR_MESSAGES.NOT_LOGGED_IN_GENERIC);
   }
 
   return token;
@@ -59,36 +114,4 @@ export async function logoutLocally() {
   await clearStoredTokens();
 }
 
-export async function requireAccessTokenForScan(): Promise<string> {
-  if (getCIToken()) {
-    return requireCIAccessToken();
-  }
-
-  const tokens = await getStoredTokens();
-
-  if (!tokens?.accessToken) {
-    throw new AuthError(
-      'Please log in to perform a scan. To authenticate, please run an "auth login" command.',
-      'NOT_LOGGED_IN',
-    );
-  }
-
-  if (!isAccessTokenExpired(tokens.accessToken)) {
-    return tokens.accessToken;
-  }
-
-  if (tokens.refreshToken) {
-    try {
-      const newTokens = await refreshTokens(tokens.refreshToken);
-      await persistTokenResponse(newTokens);
-      return newTokens.access_token;
-    } catch (error) {
-      debugLogger('Token refresh failed: %O', error);
-    }
-  }
-
-  throw new AuthError(
-    'Your session is no longer valid. To re-authenticate, please run an "auth login" command.',
-    'SESSION_EXPIRED',
-  );
-}
+export const requireAccessTokenForScan = getTokenProvider();

test/api/user-setup.client.test.ts

@@ -4,8 +4,7 @@ import { completeUserSetup, ensureUserSetup, getUserSetupStatus } from '../../sr
 import { FetchMock } from '../utils/mocks/fetch.mock.ts';
 
 vi.mock('../../src/service/auth.svc.ts', () => ({
-  requireAccessTokenForScan: vi.fn().mockResolvedValue('test-token'),
-  requireAccessToken: vi.fn().mockResolvedValue('test-token'),
+  getTokenProvider: vi.fn(() => vi.fn().mockResolvedValue('test-token')),
 }));
 
 describe('user-setup.client', () => {

test/commands/scan/eol.analytics.test.ts

@@ -2,8 +2,15 @@ import type { CdxBom, EolReport } from '@herodevs/eol-shared';
 import { ApiError } from '../../../src/api/errors.ts';
 import ScanEol from '../../../src/commands/scan/eol.ts';
 
-const { trackMock, requireAccessTokenForScanMock, submitScanMock, countComponentsByStatusMock } = vi.hoisted(() => ({
+const {
+  trackMock,
+  getTokenForScanWithSourceMock,
+  requireAccessTokenForScanMock,
+  submitScanMock,
+  countComponentsByStatusMock,
+} = vi.hoisted(() => ({
   trackMock: vi.fn(),
+  getTokenForScanWithSourceMock: vi.fn(),
   requireAccessTokenForScanMock: vi.fn(),
   submitScanMock: vi.fn(),
   countComponentsByStatusMock: vi.fn(),
@@ -17,9 +24,14 @@ vi.mock('../../../src/service/analytics.svc.ts', () => ({
   track: trackMock,
 }));
 
-vi.mock('../../../src/service/auth.svc.ts', () => ({
-  requireAccessTokenForScan: requireAccessTokenForScanMock,
-}));
+vi.mock('../../../src/service/auth.svc.ts', async (importOriginal) => {
+  const actual = await importOriginal<typeof import('../../../src/service/auth.svc.ts')>();
+  return {
+    ...actual,
+    getTokenForScanWithSource: getTokenForScanWithSourceMock,
+    requireAccessTokenForScan: requireAccessTokenForScanMock,
+  };
+});
 
 vi.mock('../../../src/api/nes.client.ts', () => ({
   submitScan: submitScanMock,
@@ -104,7 +116,8 @@ describe('scan:eol analytics timing', () => {
 
   beforeEach(() => {
     vi.clearAllMocks();
-    requireAccessTokenForScanMock.mockResolvedValue(undefined);
+    getTokenForScanWithSourceMock.mockResolvedValue({ token: 'test-token', source: 'oauth' });
+    requireAccessTokenForScanMock.mockResolvedValue('test-token');
     countComponentsByStatusMock.mockReturnValue({
       EOL: 1,
       EOL_UPCOMING: 0,