Fail fast on azd ai agent init when not logged in #7614
Pull request overview
Adds an early authentication probe to azd ai agent init so the command fails immediately when the user isn’t logged in, avoiding partially-initialized project state (Fixes #7547).
Changes:
- Introduces ensureLoggedIn() which calls Account.ListSubscriptions and converts gRPC Unauthenticated into a structured auth error with a login suggestion.
- Invokes ensureLoggedIn() near the start of init's RunE, before prompts and file-modifying work.
jongio
left a comment
Clean fix for #7547. The early auth check prevents the user from going through manifest detection, scaffolding, and environment creation only to fail later at subscription selection. The function mirrors the checkAiModelServiceAvailable pattern right above it - consistent and easy to follow. One suggestion below.
Worth considering as a follow-up: azd core's AccountService doesn't have a dedicated CheckAuth or IsAuthenticated RPC. ListSubscriptions works as a probe here but it's indirect - it may enumerate all subscriptions just to verify auth. A lightweight auth-check method in core would give extensions a cleaner, cheaper way to gate on authentication, and could handle error classification (not_logged_in vs login_expired) server-side where the info is available.
…in init command. Fixes Azure#7547
jongio
left a comment
Nice rewrite. The subprocess approach is well-justified given the Workflow API limitation, and the fail-open design is the right call. Tests are thorough.
One minor thing (non-blocking): unrecognized status values fall through silently with no log entry. If azd auth status ever adds new states (e.g. "expired"), the guard would disable itself without a trace. Consider adding a log.Printf for the unrecognized-status branch too, next to the existing one for exec failures.
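The fail-open guard discussed in the comment above, as an added Go sketch that is not code from this PR or from azd: every branch that fails open writes a log line, including the unrecognized-status branch. The function name, the Decision type, and the status strings "authenticated" and "unauthenticated" are assumptions made for illustration, not azd's documented output.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"strings"
)

type Decision int

const (
	Proceed  Decision = iota // status confirmed the user is logged in
	Block                    // status confirmed the user is not logged in
	FailOpen                 // guard could not decide; init continues
)

// Status strings are assumptions for this sketch, not azd's documented output.
const (
	statusAuthenticated   = "authenticated"
	statusUnauthenticated = "unauthenticated"
)

// classifyAuthStatus maps the probe result to a Decision. Every path that
// fails open writes a log line, so a guard that has stopped guarding
// (exec failure, or a status value added later) leaves a trace.
func classifyAuthStatus(status string, execErr error, logger *log.Logger) Decision {
	if execErr != nil {
		logger.Printf("auth guard: status probe failed, continuing: %v", execErr)
		return FailOpen
	}
	switch strings.ToLower(strings.TrimSpace(status)) {
	case statusAuthenticated:
		return Proceed
	case statusUnauthenticated:
		return Block
	default:
		// %q quotes the value so control characters cannot forge log lines.
		logger.Printf("auth guard: unrecognized status %q, continuing", status)
		return FailOpen
	}
}

func main() {
	// Constructed inputs: a known state, a future state, and an exec failure.
	fmt.Println(classifyAuthStatus("unauthenticated", nil, log.Default()))
	fmt.Println(classifyAuthStatus("expired", nil, log.Default()))
	fmt.Println(classifyAuthStatus("", errors.New("azd not found on PATH"), log.Default()))
}
```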
Problem: Running azd ai agent init without being authenticated lets the user proceed through manifest detection, project scaffolding (azd init -t), and environment creation before finally failing at subscription selection with "not logged in". This leaves the directory in a partially-initialized state.
Fix: Add an ensureLoggedIn check early in the init command's RunE, before any interactive prompts or file-modifying operations. It calls ListSubscriptions as a lightweight auth probe — if the user isn't authenticated, they see the error immediately with a suggestion to run azd auth login.
Fixes #7547