v0.0.2: fixed keychain bug, added token validation

geemus · geemus · commit ae6656be97cf · 2023-04-19T11:23:36.000-05:00
diff --git a/api/api.go b/api/api.go
@@ -8,6 +8,7 @@ import (
 	"mime"
 	"net/http"
 	"net/url"
+	"strings"
 
 	"github.com/anchordotdev/cli"
 	"github.com/anchordotdev/cli/keyring"
@@ -40,7 +41,10 @@ func Client(cfg *cli.Config) (*http.Client, error) {
 		if apiToken, err = kr.Get(keyring.APIToken); err == keyring.ErrNotFound {
 			return client, ErrSignedOut
 		} else if err != nil {
-			return nil, fmt.Errorf("reading API token from keyring failed: %w", err)
+			return nil, fmt.Errorf("reading PAT token from keyring failed: %w", err)
+		}
+		if !strings.HasPrefix(apiToken, "ap0_") || len(apiToken) != 64 {
+			return nil, fmt.Errorf("read invalid PAT token from keyring")
 		}
 	}
 
diff --git a/auth/signin.go b/auth/signin.go
@@ -3,6 +3,7 @@ package auth
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"strings"
@@ -15,6 +16,10 @@ import (
 	"github.com/anchordotdev/cli/keyring"
 )
 
+var (
+	ErrSigninFailed = errors.New("sign in failed")
+)
+
 type SignIn struct {
 	Config *cli.Config
 }
@@ -26,17 +31,23 @@ func (s SignIn) TUI() cli.TUI {
 }
 
 func (s *SignIn) run(ctx context.Context, tty termenv.File) error {
-	apiToken := s.Config.API.Token
-	if len(apiToken) == 0 {
-		if _, err := fmt.Fprintf(tty, "API Token: "); err != nil {
+	if len(s.Config.API.Token) == 0 {
+		fmt.Fprintf(tty, "To complete sign in, please:\n  1. Visit https://anchor.dev/settings and add a new Personal Access Token (PAT).\n  2. Copy the key from the new token and paste it below when prompted.\n")
+
+		if _, err := fmt.Fprintf(tty, "Personal Access Token (PAT): "); err != nil {
 			return err
 		}
 
 		line, err := term.ReadPassword(int(tty.Fd()))
 		if err != nil {
 			return err
 		}
-		apiToken = strings.TrimSpace(string(line))
+		pat := strings.TrimSpace(string(line))
+		if !strings.HasPrefix(pat, "ap0_") || len(pat) != 64 {
+			return fmt.Errorf("invalid PAT key")
+		}
+
+		s.Config.API.Token = pat
 
 		if _, err := fmt.Fprintln(tty); err != nil {
 			return err
@@ -52,12 +63,15 @@ func (s *SignIn) run(ctx context.Context, tty termenv.File) error {
 	if err != nil {
 		return err
 	}
-	req.SetBasicAuth(apiToken, "")
+	req.SetBasicAuth(s.Config.API.Token, "")
 
 	res, err := anc.Do(req)
 	if err != nil {
 		return err
 	}
+	if res.StatusCode == http.StatusForbidden {
+		return ErrSigninFailed
+	}
 	if res.StatusCode != http.StatusOK {
 		return fmt.Errorf("unexpected response code: %d", res.StatusCode)
 	}
@@ -68,7 +82,7 @@ func (s *SignIn) run(ctx context.Context, tty termenv.File) error {
 	}
 
 	kr := keyring.Keyring{Config: s.Config}
-	if err := kr.Set(keyring.APIToken, apiToken); err != nil {
+	if err := kr.Set(keyring.APIToken, s.Config.API.Token); err != nil {
 		return err
 	}
 
diff --git a/auth/signin_test.go b/auth/signin_test.go
@@ -16,21 +16,41 @@ func TestSignIn(t *testing.T) {
 	cfg.API.URL = srv.URL
 	cfg.Keyring.MockMode = true
 
-	var err error
-	if cfg.API.Token, err = srv.GeneratePAT("example@example.com"); err != nil {
-		t.Fatal(err)
-	}
-
-	cmd := &SignIn{
-		Config: cfg,
-	}
-
-	buf, err := apitest.RunTUI(ctx, cmd.TUI())
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if want, got := "Success, hello example@example.com!\n", buf.String(); want != got {
-		t.Errorf("want output %q, got %q", want, got)
-	}
+	t.Run("valid-token", func(t *testing.T) {
+		var err error
+		if cfg.API.Token, err = srv.GeneratePAT("example@example.com"); err != nil {
+			t.Fatal(err)
+		}
+
+		cmd := &SignIn{
+			Config: cfg,
+		}
+
+		buf, err := apitest.RunTUI(ctx, cmd.TUI())
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if want, got := "Success, hello example@example.com!\n", buf.String(); want != got {
+			t.Errorf("want output %q, got %q", want, got)
+		}
+	})
+
+	t.Run("invalid-token", func(t *testing.T) {
+		if !srv.IsProxy() {
+			t.Skip("server doesn't authenticate in mock mode")
+			return
+		}
+
+		cfg.API.Token = "bad-pat-token"
+
+		cmd := &SignIn{
+			Config: cfg,
+		}
+
+		_, err := apitest.RunTUI(ctx, cmd.TUI())
+		if want, got := ErrSigninFailed, err; want != got {
+			t.Fatalf("want signin failure error %q, got %q", want, got)
+		}
+	})
 }
diff --git a/command.go b/command.go
@@ -30,11 +30,13 @@ type Command struct {
 func (c *Command) Execute(ctx context.Context, cfg *Config) error {
 	defaults.SetDefaults(cfg)
 
+	cmd := c.cobraCommand(ctx, reflect.ValueOf(cfg))
+
 	if err := envdecode.Decode(cfg); err != nil && err != envdecode.ErrNoTargetFieldsAreSet {
 		return err
 	}
 
-	return c.cobraCommand(ctx, reflect.ValueOf(cfg)).ExecuteContext(ctx)
+	return cmd.ExecuteContext(ctx)
 }
 
 func (c *Command) cobraCommand(ctx context.Context, cfgv reflect.Value) *cobra.Command {

Original file line number	Diff line number	Diff line change
`@@ -30,11 +30,13 @@ type Command struct {`
`30`	`30`	`func (c Command) Execute(ctx context.Context, cfg Config) error {`
`31`	`31`	`defaults.SetDefaults(cfg)`
`32`	`32`
	`33`	`+ cmd := c.cobraCommand(ctx, reflect.ValueOf(cfg))`
	`34`	`+`
`33`	`35`	`if err := envdecode.Decode(cfg); err != nil && err != envdecode.ErrNoTargetFieldsAreSet {`
`34`	`36`	`return err`
`35`	`37`	`}`
`36`	`38`
`37`		`- return c.cobraCommand(ctx, reflect.ValueOf(cfg)).ExecuteContext(ctx)`
	`39`	`+ return cmd.ExecuteContext(ctx)`
`38`	`40`	`}`
`39`	`41`
`40`	`42`	`func (c Command) cobraCommand(ctx context.Context, cfgv reflect.Value) cobra.Command {`