fix: user setup uses org token on provision (#495)

v3nant · web-flow · commit 4e64ee65313a · 2026-02-26T15:13:27.000-06:00
diff --git a/src/api/ci-token.client.ts b/src/api/ci-token.client.ts
@@ -17,6 +17,7 @@ export type IamAccessOrgTokensInput =
 
 export interface ProvisionCITokenResponse {
   refresh_token: string;
+  access_token: string;
 }
 
 export interface ProvisionCITokenOptions {
@@ -139,5 +140,5 @@ export async function provisionCIToken(options: ProvisionCITokenOptions = {}): P
     throw new Error('Either orgId or previousToken is required to provision a CI token');
   }
   const result = await getOrgAccessTokens(input);
-  return { refresh_token: result.refreshToken };
+  return { access_token: result.accessToken, refresh_token: result.refreshToken };
 }
diff --git a/src/api/user-setup.client.ts b/src/api/user-setup.client.ts
@@ -35,11 +35,11 @@ function extractErrorCode(errors: ReadonlyArray<GraphQLFormattedError>): ApiErro
   return code;
 }
 
-export async function getUserSetupStatus(options?: { preferOAuth?: boolean }): Promise<{
+export async function getUserSetupStatus(options?: { preferOAuth?: boolean; orgAccessToken?: string }): Promise<{
   isComplete: boolean;
   orgId?: number | null;
 }> {
-  const tokenProvider = getTokenProvider(options?.preferOAuth);
+  const tokenProvider = getTokenProvider(options?.preferOAuth, options?.orgAccessToken);
   const client = createApollo(getGraphqlUrl(), tokenProvider);
   const res = await client.query<UserSetupStatusResponse>({ query: userSetupStatusQuery });
 
@@ -70,11 +70,11 @@ export async function getUserSetupStatus(options?: { preferOAuth?: boolean }): P
   return { isComplete: status.isComplete, orgId: status.orgId ?? undefined };
 }
 
-export async function completeUserSetup(options?: { preferOAuth?: boolean }): Promise<{
+export async function completeUserSetup(options?: { preferOAuth?: boolean; orgAccessToken?: string }): Promise<{
   isComplete: boolean;
   orgId?: number | null;
 }> {
-  const tokenProvider = getTokenProvider(options?.preferOAuth);
+  const tokenProvider = getTokenProvider(options?.preferOAuth, options?.orgAccessToken);
   const client = createApollo(getGraphqlUrl(), tokenProvider);
   const res = await client.mutate<CompleteUserSetupResponse>({ mutation: completeUserSetupMutation });
 
@@ -105,7 +105,7 @@ export async function completeUserSetup(options?: { preferOAuth?: boolean }): Pr
   return { isComplete: true, orgId: result.orgId ?? undefined };
 }
 
-export async function ensureUserSetup(options?: { preferOAuth?: boolean }): Promise<number> {
+export async function ensureUserSetup(options?: { preferOAuth?: boolean; orgAccessToken?: string }): Promise<number> {
   const status = await withRetries('user-setup-status', () => getUserSetupStatus(options), {
     attempts: USER_SETUP_MAX_ATTEMPTS,
     baseDelayMs: USER_SETUP_RETRY_DELAY_MS,
diff --git a/src/commands/auth/provision-ci-token.ts b/src/commands/auth/provision-ci-token.ts
@@ -45,6 +45,15 @@ export default class AuthProvisionCiToken extends Command {
 
     try {
       const result = await provisionCIToken({ orgId });
+      try {
+        await ensureUserSetup({ orgAccessToken: result.access_token });
+      } catch (error) {
+        track('CLI CI Token Provision Failed', () => ({
+          command: 'auth provision-ci-token',
+          error: `user_setup_failed:${getErrorMessage(error)}`,
+        }));
+        this.error(`User Org setup failed. ${getErrorMessage(error)}`);
+      }
       const refreshToken = result.refresh_token;
       saveCIToken(refreshToken);
       this.log('CI token provisioned and saved locally.');
diff --git a/src/service/auth.svc.ts b/src/service/auth.svc.ts
@@ -24,7 +24,11 @@ export const AUTH_ERROR_MESSAGES = {
 
 export async function getTokenForScanWithSource(
   preferOAuth?: boolean,
+  orgAccessToken?: string,
 ): Promise<{ token: string; source: TokenSource }> {
+  if (orgAccessToken) {
+    return { token: orgAccessToken, source: 'ci' };
+  }
   if (preferOAuth) {
     const token = await requireAccessToken();
     return { token, source: 'oauth' };
@@ -94,9 +98,9 @@ export async function getAccessToken(): Promise<string | undefined> {
   return refreshed.access_token;
 }
 
-export function getTokenProvider(preferOAuth?: boolean): TokenProvider {
+export function getTokenProvider(preferOAuth?: boolean, orgAccessToken?: string): TokenProvider {
   return async (_forceRefresh?: boolean): Promise<string> => {
-    const { token } = await getTokenForScanWithSource(preferOAuth);
+    const { token } = await getTokenForScanWithSource(preferOAuth, orgAccessToken);
     return token;
   };
 }
diff --git a/test/api/ci-token.client.test.ts b/test/api/ci-token.client.test.ts
@@ -107,7 +107,7 @@ describe('ci-token.client', () => {
     );
 
     const result = await provisionCIToken({ orgId: 42 });
-    expect(result).toEqual({ refresh_token: 'ci-refresh-token-123' });
+    expect(result).toEqual({ refresh_token: 'ci-refresh-token-123', access_token: 'new-access' });
 
     const calls = fetchMock.getCalls();
     expect(calls).toHaveLength(1);

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ export type IamAccessOrgTokensInput =`
`17`	`17`
`18`	`18`	`export interface ProvisionCITokenResponse {`
`19`	`19`	`refresh_token: string;`
	`20`	`+ access_token: string;`
`20`	`21`	`}`
`21`	`22`
`22`	`23`	`export interface ProvisionCITokenOptions {`
`@@ -139,5 +140,5 @@ export async function provisionCIToken(options: ProvisionCITokenOptions = {}): P`
`139`	`140`	`throw new Error('Either orgId or previousToken is required to provision a CI token');`
`140`	`141`	`}`
`141`	`142`	`const result = await getOrgAccessTokens(input);`
`142`		`- return { refresh_token: result.refreshToken };`
	`143`	`+ return { access_token: result.accessToken, refresh_token: result.refreshToken };`
`143`	`144`	`}`