Skip to content

Streamline morning-auth.sh + respect $BROWSER (JumpCloud Go-aware)#116

Open
SethPaul wants to merge 2 commits into
mainfrom
morning-auth-go-streamline
Open

Streamline morning-auth.sh + respect $BROWSER (JumpCloud Go-aware)#116
SethPaul wants to merge 2 commits into
mainfrom
morning-auth-go-streamline

Conversation

@SethPaul
Copy link
Copy Markdown
Contributor

@SethPaul SethPaul commented Jun 2, 2026

Combines @jcward's #43 (respect $BROWSER) with a JumpCloud Go-aware simplification. Supersedes #43 — can close that in favor of this.

What changed

aws sso login already drives the JumpCloud login in the browser itself — a JumpCloud Go device tap if Go is set up, otherwise the normal JumpCloud password + MFA form. So the old manual block (log out → open login page → blocking "press Enter"then aws sso login) was redundant.

New flow: version check → AWS-session short-circuit → (optional) logout → aws sso login → verify → CodeArtifact.

  • $BROWSER respected (from Update morning-auth.sh to respect BROWSER #43) for the logout open, and aws sso login inherits it from the env — so the right browser is used. Also handles the %s placeholder form the env var can take.
  • Removed the manual logout/login/read block — fewer steps for everyone, no blocking prompt.
  • --no-logout to reuse an existing JumpCloud session.
  • Non-blocking heads-up if the browser that'll be used is snap/flatpak: JumpCloud Go can't run there, so you'll get the password form (which works) — with a pointer to set BROWSER=google-chrome + the setup wiki.

Works with and without JumpCloud Go

This was the design constraint — we can't assume everyone has set Go up:

  • Go set up (deb browser): aws sso login → one device tap.
  • No Go / snap browser: aws sso login → JumpCloud password + MFA, inline.

Both verified on this machine (the non-Go path tested via snap Chromium, which can't use Go and behaves like a non-Go user — it served password+MFA inline and completed).

Notes

SethPaul added 2 commits June 2, 2026 14:04
@SethPaul
Streamline morning-auth.sh: aws sso login drives JumpCloud auth inline
53d7010 
Combines #43 ($BROWSER support) with a JumpCloud Go-aware simplification.

`aws sso login` already drives the JumpCloud login in the browser -- a Go
device tap if set up, otherwise the normal password + MFA form (verified
both paths). So the manual logout -> open-login-page -> "press Enter" block
was redundant; this removes it. Flow is now: version check -> session
short-circuit -> (optional) logout -> aws sso login -> verify -> CodeArtifact.

- Respect $BROWSER for the logout open and (via env) aws sso login, so the
  right browser is used (supersedes #43; also handles the %s placeholder form).
- Non-blocking heads-up if the resolved browser is snap/flatpak (Go can't run
  there -- you get the password form, which works fine).
- --no-logout to reuse an existing JumpCloud session.

Works whether or not JumpCloud Go is set up.
Wiki: https://github.com/hipponot/nimbee/wiki/JumpCloud-Go-Setup
@SethPaul
Harden snap/flatpak detection in the browser advisory
371aa64 
Vetting surfaced gaps in warn_if_sandboxed_browser: it only knew the
hardcoded firefox/chromium snap desktop-ids and did path-only checks.
Now it detects any name_name.desktop snap id generically and resolves the
xdg default's Exec= binary (via awk, no grep dependency) before the /snap
and /flatpak path check.

Tested against the real deb google-chrome/chromium/firefox (no false
positives) and /snap/bin/chromium (correctly flagged). Dropped an earlier
file(1)+grep content heuristic as too fragile; the snap /usr/bin/firefox
wrapper-shim case stays a documented, accepted blind spot (advisory only --
the login works regardless).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@SethPaul