fix(cli): auth recovery for stale keys and clearer 401 UX #286
Open
- Map API 401s to a friendly message in Execute(); gateway MCP prints it to stderr only.
- Log 401 responses at debug in the HTTP client to reduce noisy errors for whoami and agents.
- Add hookdeck.IsUnauthorizedError for consistent detection.
- login: if /cli-auth/validate returns 401, clear the stale in-memory key and continue into the browser/device flow.
- Reset the cached API client after a successful browser login so the same process uses the new key.
- Tests: hookdeck client + login unit tests; basic acceptance (mock login after 401, ci invalid key fast-fail without browser phrases).

Made-with: Cursor

…tting

Replace exported ResetAPIClient with RefreshCachedAPIClient that updates the singleton in place (matches how MCP already mutates credentials on the shared *hookdeck.Client). Keep resetAPIClient unexported for tests only. MCP login continues to assign client.APIKey/ProjectID explicitly: tests use a dedicated client pointer, not the global singleton.

Made-with: Cursor
Summary

Improves how the CLI behaves when credentials are missing, invalid, or expired: users and agents get clearer messages, `hookdeck login` can recover from a rejected stored key without a separate `logout`, and noisy log output for expected 401s is reduced.

Changes

- Execute(): Map API unauthorized errors to a short, actionable message (stdout for normal CLI; stderr only for `hookdeck gateway mcp` so JSON-RPC on stdout stays clean). Suggests `hookdeck login`, `-i`, `--api-key`, and MCP `reauth`.
- `hookdeck.IsUnauthorizedError`. Log 401 responses at debug instead of error so default runs are not flooded with `Unexpected response` for expected bad keys (still diagnosable with `--log-level debug`).
- `hookdeck login`: If `GET /cli-auth/validate` returns 401, stop the verify spinner, print `Your saved API key is no longer valid. Starting browser sign-in...`, clear the in-memory key, and continue the existing browser/device flow.
- `ResetAPIClient()` after a successful browser login so a long-lived process picks up the new key; `ResetAPIClientForTesting` delegates to it.
- `IsUnauthorizedError` and login 401→browser flow; basic acceptance tests (mock API for login recovery; real API for `ci` with invalid key—fast fail, no browser phrases).

Type of change

User-facing behavior and messaging (fix / UX improvement; `login` recovery is a small feature in behavior terms). Suggested release note: patch-level unless you treat `login` recovery as minor.

How to verify

- `hookdeck whoami` with a bad key → friendly message, no ERROR log line at default `--log-level`.
- `hookdeck login` with stale config key → message then browser/device flow.
- `hookdeck ci --api-key <invalid>` → quick failure, no interactive login copy.
- `go test ./...` and basic acceptance slice including new tests.

Made with Cursor
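The recovery behaviour described in this PR, as an added Go sketch that is not the project's code: `APIError`, `isUnauthorized`, `login`, the `interactive` flag and the injected `validate`/`browserFlow` callbacks are hypothetical names. Treating non-401 validation failures as fatal, without falling into the browser flow, is an assumption the description does not state.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// APIError is a hypothetical error type carrying the HTTP status of a failed API call.
type APIError struct {
	StatusCode int
	Message    string
}

func (e *APIError) Error() string { return fmt.Sprintf("api error %d: %s", e.StatusCode, e.Message) }

// isUnauthorized reports whether err, or any error it wraps, is an API 401.
func isUnauthorized(err error) bool {
	var apiErr *APIError
	return errors.As(err, &apiErr) && apiErr.StatusCode == http.StatusUnauthorized
}

// login returns the key to use. validate checks a stored key and browserFlow
// obtains a fresh one; both are injected so the sketch runs offline.
func login(stored string, interactive bool, validate func(string) error, browserFlow func() (string, error)) (string, error) {
	if stored != "" {
		err := validate(stored)
		switch {
		case err == nil:
			return stored, nil // stored key is still accepted
		case !isUnauthorized(err):
			return "", err // assumption: outage or 5xx is not proof the key is stale
		case !interactive:
			return "", fmt.Errorf("invalid API key: %w", err) // CI path: fail fast, no browser
		}
		// 401 in an interactive session: the stale key is dropped and never
		// returned; fall through to re-authentication.
	}
	if !interactive {
		return "", errors.New("no API key provided")
	}
	return browserFlow()
}

func main() {
	// Constructed scenario: the stored key is rejected with a wrapped 401.
	validate := func(string) error { return fmt.Errorf("validate: %w", &APIError{StatusCode: 401, Message: "Unauthorized"}) }
	key, err := login("stale-key", true, validate, func() (string, error) { return "fresh-key", nil })
	fmt.Println(key, err)
}
```

Because `isUnauthorized` uses `errors.As`, the 401 is still detectable after callers wrap it, which is what lets a top-level handler map it to a single user-facing message.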