feat(cli): add browser-assisted login and logout flow #1985
maciej-flexcompute wants to merge 6 commits into main
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 304f955.
| with open(config_file, "w", encoding="utf-8") as file_handler: | ||
| file_handler.write(toml.dumps(config)) | ||
| write_user_config(config) |
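Review bot: on the write_user_config(config) line, the open(config_file, "w") form shown next to it truncates the file before toml.dumps(config) is written, so an interrupted write leaves an empty or partial config, and this is the file where the CLI keeps its API key. If write_user_config keeps that pattern, have it write to a temporary file in the same directory, created with owner-only permissions, and os.replace it over config_file; a short docstring on the helper stating that guarantee would tell callers what they can rely on.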
Premature config write creates partial state on disk
Low Severity
store_apikey internally does a full read-modify-write cycle (including flushing to disk), but configure then modifies the returned config further (for suppress_submit_warning / beta_features) and calls write_user_config again. When both --apikey and --suppress-submit-warning are passed, the first write from store_apikey creates an intermediate on-disk state missing the other config changes. The initial read_user_config() on line 68 is also discarded when store_apikey re-reads internally. A cleaner approach would separate the merge logic from the I/O so configure can batch all changes into a single write.
Reviewed by Cursor Bugbot for commit 304f955.
| def _store_callback_params(self, params: Dict[str, str]): | ||
| self.server.callback_params = params | ||
| self.server.callback_event.set() |
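Review bot: in _store_callback_params, self.server.callback_params = params is an unguarded overwrite, so a second request that arrives after self.server.callback_event.set() can replace the params while the waiting thread is reading them. Do the assignment under a lock and skip it once the event is already set, and add a -> None return annotation to match the typed params argument.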
Callback event fires once, spurious request blocks login
Low Severity
_store_callback_params unconditionally fires the one-shot callback_event for every request reaching /callback (GET or POST), regardless of whether the payload contains a valid state. Once set, wait_for_login wakes up and checks the params — if the state doesn't match, a LoginError is raised and the legitimate callback arriving later is permanently ignored. Any spurious or duplicate request to the endpoint causes an unrecoverable login failure.
Reviewed by Cursor Bugbot for commit 304f955.
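One way to address the callback issue Bugbot describes above, as an added example that is not code from this PR: the handler validates state before it touches the one-shot event, so spurious or duplicate requests are dropped and the waiter is released only by the first matching callback. The class name CallbackGate, its methods, and the apikey parameter name are assumptions made for illustration.

```python
import hmac
import secrets
import threading
from typing import Dict, Optional


class CallbackGate:
    """Hypothetical helper: holds the expected state, releases the waiter once."""

    def __init__(self, expected_state: Optional[str] = None):
        self.expected_state = expected_state or secrets.token_urlsafe(32)
        self._event = threading.Event()
        self._lock = threading.Lock()
        self._params: Optional[Dict[str, str]] = None

    def submit(self, params: Dict[str, str]) -> bool:
        """Called by the /callback handler; True means the request was accepted."""
        state = params.get("state", "")
        # Constant-time comparison. A wrong or missing state is dropped without
        # setting the event, so the waiter keeps waiting for the real callback.
        if not hmac.compare_digest(state.encode(), self.expected_state.encode()):
            return False
        with self._lock:
            if self._event.is_set():
                return False  # duplicate: keep the first accepted payload
            self._params = dict(params)
            self._event.set()
        return True

    def wait(self, timeout: float) -> Optional[Dict[str, str]]:
        """Block until a valid callback arrives; None on timeout."""
        if not self._event.wait(timeout):
            return None
        return self._params


def demo():
    # Constructed sample requests, in arrival order.
    gate = CallbackGate(expected_state="constructed-state-123")
    results = [
        gate.submit({"state": "wrong"}),  # spurious request
        gate.submit({}),                  # no state at all
        gate.submit({"state": "constructed-state-123", "apikey": "constructed-key"}),
        gate.submit({"state": "constructed-state-123", "apikey": "other"}),  # duplicate
    ]
    return results, gate.wait(timeout=0.1)


if __name__ == "__main__":
    print(demo())
```

The HTTP handler can map a False return to a 400 response while the login command keeps waiting until its own timeout.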


Summary
flow360 login with localhost callback handling
flow360 logout for removing stored credentials by profile/environment
Example
Cross-PR
Notes
flow360 login now always prints the URL immediately, attempts browser-open best-effort, and keeps waiting for the callback.
env=prod query parameter.
--local remains available as a hidden/internal flag for local UI development.
Verification
Result:
11 passed
Note
High Risk
Adds new CLI authentication flows that open a local callback server and write/remove API keys from disk, touching credential handling and introducing new network-facing behavior on localhost. Misconfigurations or edge cases could lead to auth failures or inadvertent key exposure despite added file-permission hardening.
Overview
Adds browser-assisted authentication to the CLI via new flow360 login / flow360 logout commands, including environment/profile selection, best-effort browser launching with printed fallback URL, and localhost callback handling to persist the returned API key.
Refactors configure to use centralized config helpers and consistent environment resolution, and extends user_config with read_user_config / write_user_config plus store_apikey / delete_apikey helpers that harden config directory/file permissions.
Updates tests to use temp config paths and adds coverage for the new login/logout flows and environment-specific API key storage.
Reviewed by Cursor Bugbot for commit 304f955. Bugbot is set up for automated code reviews on this repo.