decide loginFlow based on config AuthMode

burmudar · burmudar · commit 2647a9eeba8a · 2026-03-09T20:59:23.000+02:00
diff --git a/cmd/src/login.go b/cmd/src/login.go
@@ -103,8 +103,6 @@ const (
 	loginFlowValidate
 )
 
-var loadStoredOAuthToken = oauth.LoadToken
-
 func loginCmd(ctx context.Context, p loginParams) error {
 	if p.cfg.ConfigFilePath != "" {
 		fmt.Fprintln(p.out)
@@ -115,34 +113,25 @@ func loginCmd(ctx context.Context, p loginParams) error {
 	return flow(ctx, p)
 }
 
-// selectLoginFlow decides what login flow to run based on flags and config.
-func selectLoginFlow(ctx context.Context, p loginParams) (loginFlowKind, loginFlow) {
+// selectLoginFlow decides what login flow to run based on configigured AuthMode.
+func selectLoginFlow(_ context.Context, p loginParams) (loginFlowKind, loginFlow) {
 	endpointArg := cleanEndpoint(p.endpoint)
 
 	if p.useOAuth {
 		return loginFlowOAuth, runOAuthLogin
 	}
-	if !hasEffectiveAuth(ctx, p.cfg, endpointArg) {
-		return loginFlowMissingAuth, runMissingAuthLogin
-	}
-	if endpointArg != p.cfg.Endpoint {
-		return loginFlowEndpointConflict, runEndpointConflictLogin
-	}
-	return loginFlowValidate, runValidatedLogin
-}
 
-// hasEffectiveAuth determines whether we have auth credentials to continue. It first checks for a resolved Access Token in
-// config, then it checks for a stored OAuth token.
-func hasEffectiveAuth(ctx context.Context, cfg *config, resolvedEndpoint string) bool {
-	if cfg.AccessToken != "" {
-		return true
-	}
-
-	if _, err := loadStoredOAuthToken(ctx, resolvedEndpoint); err == nil {
-		return true
+	switch p.cfg.AuthMode() {
+	case AuthModeOAuth:
+		return loginFlowOAuth, runOAuthLogin
+	case AuthModeAccessToken:
+		if endpointArg != p.cfg.Endpoint {
+			return loginFlowEndpointConflict, runEndpointConflictLogin
+		}
+		return loginFlowValidate, runValidatedLogin
+	default:
+		return loginFlowMissingAuth, runMissingAuthLogin
 	}
-
-	return false
 }
 
 func printLoginProblem(out io.Writer, problem string) {
diff --git a/cmd/src/login_test.go b/cmd/src/login_test.go
@@ -9,6 +9,7 @@ import (
 	"net/http/httptest"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/sourcegraph/src-cli/internal/cmderrors"
 	"github.com/sourcegraph/src-cli/internal/oauth"
@@ -18,51 +19,47 @@ func TestLogin(t *testing.T) {
 	check := func(t *testing.T, cfg *config, endpointArg string) (output string, err error) {
 		t.Helper()
 
-		restoreStoredOAuthLoader(t, func(context.Context, string) (*oauth.Token, error) {
-			return nil, fmt.Errorf("not found")
-		})
-
 		var out bytes.Buffer
 		err = loginCmd(context.Background(), loginParams{
 			cfg:         cfg,
 			client:      cfg.apiClient(nil, io.Discard),
 			endpoint:    endpointArg,
 			out:         &out,
-			oauthClient: oauth.NewClient(oauth.DefaultClientID),
+			oauthClient: fakeOAuthClient{startErr: fmt.Errorf("oauth unavailable")},
 		})
 		return strings.TrimSpace(out.String()), err
 	}
 
 	t.Run("different endpoint in config vs. arg", func(t *testing.T) {
 		out, err := check(t, &config{Endpoint: "https://example.com"}, "https://sourcegraph.example.com")
-		if err != cmderrors.ExitCode1 {
+		if err == nil {
 			t.Fatal(err)
 		}
-		wantOut := "❌ Problem: No access token is configured.\n\n🛠  To fix: Create an access token by going to https://sourcegraph.example.com/user/settings/tokens, then set the following environment variables in your terminal:\n\n   export SRC_ENDPOINT=https://sourcegraph.example.com\n   export SRC_ACCESS_TOKEN=(your access token)\n\n   To verify that it's working, run the login command again.\n\n   Alternatively, you can try logging in using OAuth by running: src login --oauth https://sourcegraph.example.com"
-		if out != wantOut {
-			t.Errorf("got output %q, want %q", out, wantOut)
+		if !strings.Contains(out, "OAuth Device flow authentication failed:") {
+			t.Errorf("got output %q, want oauth failure output", out)
 		}
 	})
 
-	t.Run("no access token", func(t *testing.T) {
+	t.Run("no access token triggers oauth flow", func(t *testing.T) {
 		out, err := check(t, &config{Endpoint: "https://example.com"}, "https://sourcegraph.example.com")
-		if err != cmderrors.ExitCode1 {
+		if err == nil {
 			t.Fatal(err)
 		}
-		wantOut := "❌ Problem: No access token is configured.\n\n🛠  To fix: Create an access token by going to https://sourcegraph.example.com/user/settings/tokens, then set the following environment variables in your terminal:\n\n   export SRC_ENDPOINT=https://sourcegraph.example.com\n   export SRC_ACCESS_TOKEN=(your access token)\n\n   To verify that it's working, run the login command again.\n\n   Alternatively, you can try logging in using OAuth by running: src login --oauth https://sourcegraph.example.com"
-		if out != wantOut {
-			t.Errorf("got output %q, want %q", out, wantOut)
+		if !strings.Contains(out, "OAuth Device flow authentication failed:") {
+			t.Errorf("got output %q, want oauth failure output", out)
 		}
 	})
 
 	t.Run("warning when using config file", func(t *testing.T) {
 		out, err := check(t, &config{Endpoint: "https://example.com", ConfigFilePath: "f"}, "https://example.com")
-		if err != cmderrors.ExitCode1 {
+		if err == nil {
 			t.Fatal(err)
 		}
-		wantOut := "⚠️  Warning: Configuring src with a JSON file is deprecated. Please migrate to using the env vars SRC_ENDPOINT, SRC_ACCESS_TOKEN, and SRC_PROXY instead, and then remove f. See https://github.com/sourcegraph/src-cli#readme for more information.\n\n❌ Problem: No access token is configured.\n\n🛠  To fix: Create an access token by going to https://example.com/user/settings/tokens, then set the following environment variables in your terminal:\n\n   export SRC_ENDPOINT=https://example.com\n   export SRC_ACCESS_TOKEN=(your access token)\n\n   To verify that it's working, run the login command again.\n\n   Alternatively, you can try logging in using OAuth by running: src login --oauth https://example.com"
-		if out != wantOut {
-			t.Errorf("got output %q, want %q", out, wantOut)
+		if !strings.Contains(out, "Configuring src with a JSON file is deprecated") {
+			t.Errorf("got output %q, want deprecation warning", out)
+		}
+		if !strings.Contains(out, "OAuth Device flow authentication failed:") {
+			t.Errorf("got output %q, want oauth failure output", out)
 		}
 	})
 
@@ -103,11 +100,31 @@ func TestLogin(t *testing.T) {
 	})
 }
 
-func TestSelectLoginFlow(t *testing.T) {
-	restoreStoredOAuthLoader(t, func(context.Context, string) (*oauth.Token, error) {
-		return nil, fmt.Errorf("not found")
-	})
+type fakeOAuthClient struct {
+	startErr error
+}
+
+func (f fakeOAuthClient) ClientID() string {
+	return oauth.DefaultClientID
+}
+
+func (f fakeOAuthClient) Discover(context.Context, string) (*oauth.OIDCConfiguration, error) {
+	return nil, fmt.Errorf("unexpected call to Discover")
+}
+
+func (f fakeOAuthClient) Start(context.Context, string, []string) (*oauth.DeviceAuthResponse, error) {
+	return nil, f.startErr
+}
+
+func (f fakeOAuthClient) Poll(context.Context, string, string, time.Duration, int) (*oauth.TokenResponse, error) {
+	return nil, fmt.Errorf("unexpected call to Poll")
+}
+
+func (f fakeOAuthClient) Refresh(context.Context, *oauth.Token) (*oauth.TokenResponse, error) {
+	return nil, fmt.Errorf("unexpected call to Refresh")
+}
 
+func TestSelectLoginFlow(t *testing.T) {
 	t.Run("uses oauth flow when oauth flag is set", func(t *testing.T) {
 		params := loginParams{
 			cfg:      &config{Endpoint: "https://example.com"},
@@ -120,14 +137,14 @@ func TestSelectLoginFlow(t *testing.T) {
 		}
 	})
 
-	t.Run("uses missing auth flow when auth is unavailable", func(t *testing.T) {
+	t.Run("uses oauth flow when no access token is configured", func(t *testing.T) {
 		params := loginParams{
 			cfg:      &config{Endpoint: "https://example.com"},
 			endpoint: "https://sourcegraph.example.com",
 		}
 
-		if got, _ := selectLoginFlow(context.Background(), params); got != loginFlowMissingAuth {
-			t.Fatalf("flow = %v, want %v", got, loginFlowMissingAuth)
+		if got, _ := selectLoginFlow(context.Background(), params); got != loginFlowOAuth {
+			t.Fatalf("flow = %v, want %v", got, loginFlowOAuth)
 		}
 	})
 
@@ -152,29 +169,4 @@ func TestSelectLoginFlow(t *testing.T) {
 			t.Fatalf("flow = %v, want %v", got, loginFlowValidate)
 		}
 	})
-
-	t.Run("treats stored oauth as effective auth", func(t *testing.T) {
-		restoreStoredOAuthLoader(t, func(context.Context, string) (*oauth.Token, error) {
-			return &oauth.Token{AccessToken: "oauth-token"}, nil
-		})
-
-		params := loginParams{
-			cfg:      &config{Endpoint: "https://example.com"},
-			endpoint: "https://example.com",
-		}
-
-		if got, _ := selectLoginFlow(context.Background(), params); got != loginFlowValidate {
-			t.Fatalf("flow = %v, want %v", got, loginFlowValidate)
-		}
-	})
-}
-
-func restoreStoredOAuthLoader(t *testing.T, loader func(context.Context, string) (*oauth.Token, error)) {
-	t.Helper()
-
-	prev := loadStoredOAuthToken
-	loadStoredOAuthToken = loader
-	t.Cleanup(func() {
-		loadStoredOAuthToken = prev
-	})
 }
