feat(auth): require explicit login subcommand #182
…` shortcut Bare `hotdata auth` previously triggered an automatic browser login. Now it prints the `auth` help (listing login/register/logout/status), matching how other commands behave when invoked with no subcommand. Users must type `hotdata auth login` to authenticate. Also exempt bare `auth` from the update gate since it no longer hits the API.
| None => { | ||
| use clap::CommandFactory; | ||
| let mut cmd = Cli::command(); | ||
| cmd.build(); | ||
| cmd.find_subcommand_mut("auth") | ||
| .unwrap() | ||
| .print_help() | ||
| .unwrap(); | ||
| } |
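Review bot: Both `.unwrap()` calls in the `None` arm turn a recoverable condition into a panic. `find_subcommand_mut("auth").unwrap()` depends on the string literal staying in sync with the subcommand's name, and `print_help().unwrap()` panics if writing the help text fails, for example when stdout is a closed pipe. Suggest `expect` with a message on the lookup, and propagating or deliberately ignoring the I/O error from `print_help()`.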
This behavior change leaves several user-facing hints that still tell users bare hotdata auth will log them in — they're now incorrect and should be updated in this PR:
- `src/sdk.rs:460-463` (blocking): `"Run {} to log in, or pass --api-key."` with `"hotdata auth"`. This is the clearest break — it only references bare `hotdata auth`, which now just prints help. A user hitting an expired session who follows this hint will not be logged in. It should point at `hotdata auth login`.
- `src/sdk.rs:818`: `"... Run 'hotdata auth login' (or 'hotdata auth') to re-authenticate."` — the `(or 'hotdata auth')` parenthetical is now wrong.
- `src/config.rs:267`: `"... Run 'hotdata auth login' (or 'hotdata auth') or specify --workspace-id."` — same stale parenthetical.
- `src/config.rs:287`: `"Run 'hotdata auth login' (or 'hotdata auth') to generate a new config file."` — same.
- `src/jwt.rs:15` (doc comment): `"user must hotdata auth again"` — minor, but worth updating for accuracy.
The PR's goal is consistency, so leaving these pointing at the removed shortcut is contradictory.
Review
Blocking Issues
- `src/sdk.rs:460-463` — The session-expired hint reads `Run hotdata auth to log in, or pass --api-key`, but after this PR bare `hotdata auth` only prints help and no longer logs in. Following this hint will not authenticate the user. It must point at `hotdata auth login`.
Action Required
Update the user-facing strings that still reference bare hotdata auth as a login/re-auth path so they're consistent with the new behavior:
- `src/sdk.rs:460-463` — change `hotdata auth` → `hotdata auth login`.
- `src/sdk.rs:818` — drop or fix the `(or 'hotdata auth')` parenthetical.
- `src/config.rs:267` and `src/config.rs:287` — drop or fix the `(or 'hotdata auth')` parenthetical.
- `src/jwt.rs:15` doc comment (user must hotdata auth again) — minor, update for accuracy.
The implementation of the change itself looks correct and mirrors the existing Commands::Query no-subcommand pattern; the update-gate exemption is also appropriate.
`hotdata auth profiles` writes ~/.hotdata/profiles.yml seeded with a
`default` profile pointing at the production API and app URLs:
    profiles:
      default:
        HOTDATA_API_URL: https://api.hotdata.dev/v1
        HOTDATA_APP_URL: https://app.hotdata.dev
Refuses to overwrite an existing file. Local-only, so it is exempt from
the API update gate.
| .unwrap() | ||
| .print_help() | ||
| .unwrap(); | ||
| } |
Blocking (re-raised from cycle 1, still unaddressed): This PR changes bare hotdata auth to print help instead of logging in, but the user-facing hints that still tell users hotdata auth will log them in were not updated. They are now incorrect:
- `src/sdk.rs:460-463` (most severe): `"Run {} to log in, or pass --api-key."` with `"hotdata auth".cyan()`. This references only bare `hotdata auth`, which now just prints help — a user hitting an expired session who follows this hint will not be logged in. Should point at `hotdata auth login`.
- `src/sdk.rs:818`: `"... Run 'hotdata auth login' (or 'hotdata auth') to re-authenticate."` — the `(or 'hotdata auth')` parenthetical is now wrong.
- `src/config.rs:288`: `"... Run 'hotdata auth login' (or 'hotdata auth') or specify --workspace-id."` — same stale parenthetical.
- `src/config.rs:308`: `"Run 'hotdata auth login' (or 'hotdata auth') to generate a new config file."` — same.
- `src/jwt.rs:15` (doc comment): `"user must hotdata auth again"` — minor, but worth updating for accuracy.
The PR's stated goal is consistency; leaving these pointing at the removed shortcut is contradictory. The sdk.rs:460-463 case is a real correctness break (the hint sends users down a dead end), so this remains blocking.
Review
Blocking Issues
- Stale auth hints not updated (re-raised from cycle 1). This PR makes bare `hotdata auth` print help instead of logging in, but several user-facing hints still tell users `hotdata auth` will authenticate them:
  - `src/sdk.rs:460-463` — "Run `hotdata auth` to log in, or pass --api-key." references only the removed shortcut. A user with an expired session who follows this hint is led to a dead end (it now just prints help). This is a correctness break.
  - `src/sdk.rs:818`, `src/config.rs:288`, `src/config.rs:308` — stale `(or 'hotdata auth')` parentheticals.
  - `src/jwt.rs:15` — doc comment "user must `hotdata auth` again" (minor).
Action Required
Update the hints above to point at hotdata auth login, and drop the now-incorrect (or 'hotdata auth') parentheticals. The sdk.rs:460-463 case is the must-fix — it actively misdirects users with expired sessions.
The new auth profiles functionality and its tests look good.
Codecov Report❌ Patch coverage is
The profiles.yml duplicated existing behavior: api_url/app_url are already overridable via the HOTDATA_API_URL / HOTDATA_APP_URL env vars, and the scaffolded file restated the built-in defaults without anything reading it.
| .unwrap() | ||
| .print_help() | ||
| .unwrap(); | ||
| } |
Blocking (re-raised from cycles 1 & 2, still unaddressed): This PR changes bare hotdata auth to print help instead of logging in, but the user-facing hints that still tell users hotdata auth will log them in were not updated. None of src/sdk.rs, src/config.rs, or src/jwt.rs were touched in this PR, so they remain stale and now incorrect:
- `src/sdk.rs:460-463` (real correctness break): `"Run {} to log in, or pass --api-key."` with `"hotdata auth".cyan()`. This references only bare `hotdata auth`, which now just prints help — a user hitting an expired session who follows this hint will not be logged in. It must point at `hotdata auth login`.
- `src/sdk.rs:818`: `"... Run 'hotdata auth login' (or 'hotdata auth') to re-authenticate."` — the `(or 'hotdata auth')` parenthetical is now wrong.
- `src/config.rs:267`: `"... Run 'hotdata auth login' (or 'hotdata auth') or specify --workspace-id."` — same stale parenthetical.
- `src/config.rs:287`: `"Run 'hotdata auth login' (or 'hotdata auth') to generate a new config file."` — same.
- `src/jwt.rs:15` (doc comment): `"user must hotdata auth again"` — minor, but worth updating for accuracy.
The PR's stated goal is consistency; leaving these pointing at the removed shortcut is contradictory. The sdk.rs:460-463 case sends users down a dead end, so this remains blocking.
Review
Blocking Issues
- `src/sdk.rs:460-463` — The session-refresh failure hint still tells users to `Run hotdata auth to log in`. After this PR, bare `hotdata auth` only prints help, so a user with an expired session who follows this hint is sent to a dead end and is not logged in. Must point at `hotdata auth login`.
- `src/sdk.rs:818`, `src/config.rs:267`, `src/config.rs:287` — the `(or 'hotdata auth')` parentheticals are now incorrect and should be removed.
- `src/jwt.rs:15` — doc comment "user must `hotdata auth` again" is now inaccurate (minor).
Action Required
Update the stale hints in src/sdk.rs, src/config.rs, and src/jwt.rs so they no longer point at the removed bare-hotdata auth shortcut. The sdk.rs:460-463 case is a genuine correctness break. This was raised in cycles 1 and 2 and remains unaddressed in the code (author replies alone do not resolve a blocking issue).
| .unwrap() | ||
| .print_help() | ||
| .unwrap(); | ||
| } |
Blocking (re-raised from cycles 1, 2 & 3 — still unaddressed): This PR changes bare hotdata auth to print help instead of logging in, but the user-facing hints that still tell users hotdata auth will log them in were not updated. sdk.rs, config.rs, and jwt.rs are untouched in this PR, so they remain stale and are now incorrect:
- `src/sdk.rs:485-486` (real correctness break): `"Run {} to log in, or pass --api-key."` with `"hotdata auth".cyan()`. This references only bare `hotdata auth`, which now just prints help — a user hitting an expired session who follows this hint will not be logged in. It must point at `hotdata auth login`.
- `src/sdk.rs:843`: `"... Run 'hotdata auth login' (or 'hotdata auth') to re-authenticate."` — the `(or 'hotdata auth')` parenthetical is now wrong.
- `src/config.rs:267`: `"... Run 'hotdata auth login' (or 'hotdata auth') or specify --workspace-id."` — same stale parenthetical.
- `src/config.rs:287`: `"Run 'hotdata auth login' (or 'hotdata auth') to generate a new config file."` — same.
- `src/jwt.rs:15` (doc comment): `"user must hotdata auth again"` — minor, but worth updating for accuracy.
The PR's stated goal is consistency; leaving these pointing at the removed shortcut is contradictory. The sdk.rs:485-486 case sends users down a dead end, so this remains blocking.
Review
Blocking Issues
- `src/sdk.rs:485-486` — `"Run {} to log in, or pass --api-key."` with `"hotdata auth".cyan()` now points users at the bare `hotdata auth` shortcut, which this PR changed to print help instead of logging in. A user with an expired session who follows this hint will not be logged in. Must point at `hotdata auth login`.
- Stale `(or 'hotdata auth')` parentheticals / references that are now incorrect: `src/sdk.rs:843`, `src/config.rs:267`, `src/config.rs:287`, and the `src/jwt.rs:15` doc comment.
Action Required
Update the above user-facing hints (none of these files are touched in this PR yet) to reference hotdata auth login instead of bare hotdata auth. This has been raised in cycles 1, 2, and 3 and remains unaddressed in the code — an author reply alone does not resolve it. The PR's stated goal is consistency, so leaving these pointing at the removed shortcut is contradictory.
…change Bare `hotdata auth` now prints help instead of logging in, so the runtime hints, bundled docs/skills, and internal comments that told users `hotdata auth` (no subcommand) authenticates were misleading. Point them all at `hotdata auth login`, and tighten two tests that asserted the weaker substring. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
All prior blocking issues (cycles 1–4) are resolved in this cycle: the stale user-facing hints in src/sdk.rs, src/config.rs, and src/jwt.rs now point at hotdata auth login and the (or 'hotdata auth') parentheticals are gone. Tests updated accordingly. LGTM.
Adds an integration test for the new no-subcommand arm (the 0%-patch-coverage lines Codecov flagged): `hotdata auth` exits 0 with the clap help block listing its subcommands and does NOT start the browser login flow. Runs offline and without credentials. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Collapse the now-shorter hint strings and sort the test import — fixes the fmt CI check. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
All prior blocking issues are resolved: the user-facing hints in src/sdk.rs, src/config.rs, and src/jwt.rs now point at hotdata auth login instead of the removed bare-hotdata auth shortcut, and the related tests were updated to match. The behavior change is consistent across code, docs, and tests.
Summary
Removes the shortcut where bare `hotdata auth` automatically triggered a browser login. Now it prints the `auth` help — listing `login`, `register`, `logout`, and `status` — consistent with how other commands (e.g. `query`) behave when invoked without a subcommand.
Users must now type `hotdata auth login` explicitly to authenticate.
Changes
- `src/main.rs`: the `None` arm of `Commands::Auth` prints `auth` subcommand help instead of calling `auth::login()`.
- `src/main.rs`: exempted bare `auth` from the update gate since it no longer hits the API.
- `src/command.rs`: updated the `Login` doc comment to drop the "same as `hotdata auth` with no subcommand" note.
Testing
- `cargo build` — clean
- `cargo test` — all 221+ tests pass
- `hotdata auth` prints help and no longer initiates login
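A regression guard for the stale-hint problem raised in the reviews above, as an added example that is not code from this PR or the hotdata repository: it flags any line that mentions `hotdata auth` without one of the four subcommands the PR description lists. The names `stale_auth_hints` and `STALE` are hypothetical, and the sample input is constructed from the hint strings quoted in the review comments.

```rust
// Added example, not code from the hotdata repository.
// Subcommands the PR description says `auth` help lists.
const AUTH_SUBCOMMANDS: [&str; 4] = ["login", "register", "logout", "status"];
const BARE: &str = "hotdata auth";

// Constructed sample built from the hint strings quoted in the reviews.
const STALE: &str = r#""Run {} to log in, or pass --api-key.", "hotdata auth".cyan()
"Run 'hotdata auth login' (or 'hotdata auth') to re-authenticate."
/// user must `hotdata auth` again
"Run 'hotdata auth login' to generate a new config file.""#;

/// Returns (1-based line number, trimmed line) for each line that names
/// `hotdata auth` without a known subcommand directly after it.
/// This is a text lint: prose such as "hotdata auth help" is flagged too.
pub fn stale_auth_hints(source: &str) -> Vec<(usize, String)> {
    let mut hits = Vec::new();
    for (idx, line) in source.lines().enumerate() {
        let mut rest = line;
        while let Some(pos) = rest.find(BARE) {
            let after = &rest[pos + BARE.len()..];
            rest = after;
            // "hotdata authz" or "hotdata auth-x" is a different token; skip it.
            if after.starts_with(|c: char| c.is_ascii_alphanumeric() || c == '_' || c == '-') {
                continue;
            }
            // Word following a single space, e.g. "login" in "hotdata auth login".
            let next_word = after
                .strip_prefix(' ')
                .unwrap_or("")
                .split(|c: char| !c.is_ascii_alphanumeric())
                .next()
                .unwrap_or("");
            if !AUTH_SUBCOMMANDS.contains(&next_word) {
                hits.push((idx + 1, line.trim().to_string()));
                break; // one report per line is enough
            }
        }
    }
    hits
}

fn main() {
    for (n, line) in stale_auth_hints(STALE) {
        println!("line {n}: bare `hotdata auth` reference: {line}");
    }
}
```

Run over the source tree in a test, a check like this fails the build when a hint points at the bare command again, instead of relying on a reviewer to spot it.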