Skip to content

fix(cli): trim auth login client credential env vars#2537

Merged
mergify[bot] merged 1 commit into
mainfrom
fix/issue-2423-auth-env-trim
May 31, 2026
Merged

fix(cli): trim auth login client credential env vars#2537
mergify[bot] merged 1 commit into
mainfrom
fix/issue-2423-auth-env-trim

Conversation

@tmchow

@tmchow tmchow commented May 31, 2026

Copy link
Copy Markdown
Owner

Summary

OAuth2 client-credentials auth login now trims env-derived client ID and secret values before POSTing to token endpoints. This keeps copied credentials with leading or trailing whitespace from producing upstream invalid_client errors while preserving explicit flag behavior and the existing credential flow.

Closes #2423.

Verification

  • go test ./internal/generator -run 'TestClientCredentials(AuthLoginTrimsEnvCredentials|EnvVarsSkipTenantSetupInput|LegacyEnvVarsSubstituteTenantTokenURL|TenantPrefixDoesNotHideClientCredentials|MixedKindEnvVarsPreserveClientRoles)'
  • scripts/golden.sh verify
  • scripts/verify-generator-output.sh generate-golden-api-oauth2-cc
  • go build -o ./cli-printing-press ./cmd/cli-printing-press
  • go test ./...
  • Pre-push hook: fmt, golangci-lint

@mergify

mergify Bot commented May 31, 2026

Copy link
Copy Markdown
Contributor

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 require-ready-label-and-ci

Wonderful, this rule succeeded.
  • #changes-requested-reviews-by = 0
  • #review-threads-unresolved = 0
  • check-success = build-and-test
  • check-success = generated-test
  • check-success = go-lint
  • check-success = golden
  • check-success = pr-title
  • check-success = test
  • any of:
    • label = ready-to-merge
    • all of:
      • head = release-please--branches--main
      • title ~= ^chore\(main\): release
  • any of:
    • -files ~= ^(\.github/workflows/|\.github/scripts/|scripts/|\.github/CODEOWNERS$)
    • author = tmchow
    • approved-reviews-by = mvanhorn
    • approved-reviews-by = tmchow
    • author = mvanhorn
  • any of:
    • check-success = Greptile Review
    • label = queued
    • check-neutral = Greptile Review
    • check-skipped = Greptile Review
    • head ~= ^mergify/merge-queue/
    • all of:
      • head = release-please--branches--main
      • title ~= ^chore\(main\): release

@greptile-apps

greptile-apps Bot commented May 31, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds strings.TrimSpace around the os.Getenv calls for clientID and clientSecret in the generated OAuth2 client-credentials auth login command, preventing upstream invalid_client errors caused by copy-pasted credentials with leading or trailing whitespace. The fix is intentionally scoped to the env-var fallback path only; explicit --client-id/--client-secret flag values are left untrimmed.

  • Template (auth_client_credentials.go.tmpl): wraps both os.Getenv env-var lookups with strings.TrimSpace; strings was already imported.
  • Tests (auth_env_precedence_test.go): four existing tests updated to assert the new wrapper, plus a new end-to-end test TestClientCredentialsAuthLoginTrimsEnvCredentials that generates a CLI, writes a runtime test against a mock HTTP server, and verifies that whitespace-padded env vars are stripped before the token POST.
  • Golden file (testdata/golden/expected/…/internal/cli/auth.go): regenerated to reflect the two trimmed os.Getenv calls.

Confidence Score: 5/5

Safe to merge; the change is a narrow whitespace-normalization fix on the env-var fallback path with no impact on flag-supplied credentials or the token storage format.

The template change is minimal — two lines swapping bare os.Getenv for strings.TrimSpace. The strings package is already imported in every generated file, so there is no risk of compile failures. The empty-after-trim case (env var set to all whitespace) falls through to the existing 'client ID and secret required' error, which is correct behavior. The golden file and all relevant test assertions are updated consistently. The new runtime test exercises the actual trim-then-POST path end-to-end against a mock server, giving strong behavioral coverage.

No files require special attention.

Important Files Changed

Filename Overview
internal/generator/templates/auth_client_credentials.go.tmpl Adds strings.TrimSpace around both os.Getenv env-var lookups for clientID and clientSecret; the strings package was already imported so no import changes needed.
internal/generator/auth_env_precedence_test.go Updates four existing string-content assertions to expect the TrimSpace wrapper; adds TestClientCredentialsAuthLoginTrimsEnvCredentials with a full generate→runtime-test round-trip against a mock token server.
testdata/golden/expected/generate-golden-api-oauth2-cc/printing-press-oauth2-cc/internal/cli/auth.go Golden file regenerated to reflect strings.TrimSpace on both PRINTING_PRESS_OAUTH2_CLIENT_ID and PRINTING_PRESS_OAUTH2_CLIENT_SECRET env reads; no other changes.

Sequence Diagram

sequenceDiagram
    participant User
    participant CLI as auth login cmd
    participant Env as os.Getenv
    participant Trim as strings.TrimSpace
    participant Token as mintClientCredentialsToken
    participant Server as Token Endpoint

    User->>CLI: auth login (no --client-id flag)
    CLI->>Env: os.Getenv("CLIENT_ID_VAR")
    Env-->>CLI: " cid.test123 " (padded value)
    CLI->>Trim: strings.TrimSpace(" cid.test123 ")
    Trim-->>CLI: "cid.test123"
    CLI->>Env: os.Getenv("CLIENT_SECRET_VAR")
    Env-->>CLI: "\tsecret.test456\n" (padded value)
    CLI->>Trim: strings.TrimSpace("\tsecret.test456\n")
    Trim-->>CLI: "secret.test456"
    CLI->>Token: mintClientCredentialsToken(url, "cid.test123", "secret.test456")
    Token->>Server: "POST grant_type=client_credentials"
    Server-->>Token: "{"access_token":"...", "expires_in":3600}"
    Token-->>CLI: tokenResponse
    CLI->>CLI: cfg.SaveTokens(trimmedID, trimmedSecret, ...)
    CLI-->>User: Logged in. Token expires ...
Loading

Reviews (1): Last reviewed commit: "fix(cli): trim client credential env var..." | Re-trigger Greptile

@tmchow tmchow added the ready-to-merge Queue when Mergify passes; scripts/.github PRs also need Approve from tmchow/mvanhorn. label May 31, 2026
@mergify mergify Bot added the queued PR is in the Mergify merge queue label May 31, 2026
mergify Bot added a commit that referenced this pull request May 31, 2026
mergify Bot added a commit that referenced this pull request May 31, 2026
mergify Bot added a commit that referenced this pull request May 31, 2026
@mergify mergify Bot merged commit 2742ef7 into main May 31, 2026
28 checks passed
@mergify mergify Bot deleted the fix/issue-2423-auth-env-trim branch May 31, 2026 18:17
@mergify

mergify Bot commented May 31, 2026

Copy link
Copy Markdown
Contributor

Merge Queue Status

This pull request spent 23 minutes in the queue, including 14 minutes 42 seconds running CI.

Required conditions to merge

@mergify mergify Bot removed the queued PR is in the Mergify merge queue label May 31, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ready-to-merge Queue when Mergify passes; scripts/.github PRs also need Approve from tmchow/mvanhorn.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

generator: composed-auth-credentials-trim patch missing from auth.go newAuthLoginCmd — 19 of 23 ST CLIs reproduce

1 participant