erik/slugkit
1
0
Fork 0
Code Issues 6 Pull requests Projects Releases 6 Packages Wiki Activity Actions

Add slug login browser flow #57

New issue
Closed
opened 2026-05-22 12:57:01 -05:00 by erik · 5 comments
erik commented 2026-05-22 12:57:01 -05:00
Owner
Copy link

Goal

Let slug login open the site's browser-based authentication flow, receive or prompt for a newly generated API key, verify it, and store it in the local Slugkit CLI config.

Reference behavior: /home/erik/Private/code/github/evcraddock/erikcraddock.me uses an /cli/auth browser page that requires an authenticated session and then generates an API key for the CLI.

Requirements

  • Add slug login CLI command.
  • Use configured or prompted API base URL to derive the site auth URL.
  • Add a browser-facing site route such as /cli/auth that requires an authenticated admin session.
  • If the browser route is visited without a session, send the user through the magic-link login flow and redirect back after verification.
  • After authentication, create an API key using the API key service and show the raw key exactly once.
  • CLI should open the browser auth URL when possible and then prompt the user to paste the raw API key.
  • CLI should verify the pasted key against a protected compatibility/auth check before saving it.
  • Store only the API base URL and raw API key in the local CLI config; never print the key after saving.
  • Do not implement OAuth/device-code automation in this slice.

Acceptance criteria

  • slug login opens or prints the browser auth URL.
  • /cli/auth requires an authenticated admin session before generating an API key.
  • Unauthenticated /cli/auth redirects through login and returns after successful magic-link verification.
  • Authenticated /cli/auth creates an API key and displays the raw key once.
  • CLI verifies the pasted API key before saving config.
  • Saved CLI config redacts API key output in existing config display commands.
  • Tests cover login URL derivation, missing config/prompt behavior where practical, key verification failure, key verification success, and API key redaction.
  • Relevant lint/test checks pass.

Dependencies

  • task-8af07ab8
  • task-931b710f
## Goal Let `slug login` open the site's browser-based authentication flow, receive or prompt for a newly generated API key, verify it, and store it in the local Slugkit CLI config. Reference behavior: `/home/erik/Private/code/github/evcraddock/erikcraddock.me` uses an `/cli/auth` browser page that requires an authenticated session and then generates an API key for the CLI. ## Requirements - Add `slug login` CLI command. - Use configured or prompted API base URL to derive the site auth URL. - Add a browser-facing site route such as `/cli/auth` that requires an authenticated admin session. - If the browser route is visited without a session, send the user through the magic-link login flow and redirect back after verification. - After authentication, create an API key using the API key service and show the raw key exactly once. - CLI should open the browser auth URL when possible and then prompt the user to paste the raw API key. - CLI should verify the pasted key against a protected compatibility/auth check before saving it. - Store only the API base URL and raw API key in the local CLI config; never print the key after saving. - Do not implement OAuth/device-code automation in this slice. ## Acceptance criteria - [ ] `slug login` opens or prints the browser auth URL. - [ ] `/cli/auth` requires an authenticated admin session before generating an API key. - [ ] Unauthenticated `/cli/auth` redirects through login and returns after successful magic-link verification. - [ ] Authenticated `/cli/auth` creates an API key and displays the raw key once. - [ ] CLI verifies the pasted API key before saving config. - [ ] Saved CLI config redacts API key output in existing config display commands. - [ ] Tests cover login URL derivation, missing config/prompt behavior where practical, key verification failure, key verification success, and API key redaction. - [ ] Relevant lint/test checks pass. ## Dependencies - task-8af07ab8 - task-931b710f
erik commented 2026-05-22 14:21:28 -05:00
Author
Owner
Copy link

Synced from todu comment by @todu on 2026-05-22T19:17:02.140Z

PR Review: Approved

PR: #60

Summary

Reviewed PR #60 at commit 846b4ae. The PR adds the browser-assisted CLI login flow: /cli/auth redirects anonymous users through admin login and generates a raw API key for authenticated sessions, /api/v1/auth/check verifies bearer API keys, and slug login [api-base-url] opens/prints the browser auth URL, prompts for the pasted key, verifies it, and saves local config without printing the key.

Acceptance Criteria

  • slug login opens or prints the browser auth URL.
  • /cli/auth requires an authenticated admin session before generating an API key.
  • Unauthenticated /cli/auth redirects through login and returns after successful magic-link verification.
  • Authenticated /cli/auth creates an API key and displays the raw key once.
  • CLI verifies the pasted API key before saving config.
  • Saved CLI config redacts API key output in existing config display commands.
  • Tests cover login URL derivation, missing config/prompt behavior, key verification failure, key verification success, API key redaction, route auth/redirect behavior, and API auth-check behavior.
  • Relevant lint/test checks pass — make check, ./scripts/pre-pr.sh, and Forgejo CI passed.

Blocking Issues

None.

Warnings

None.

Verdict

Approved for merge.

_Synced from todu comment by @todu on 2026-05-22T19:17:02.140Z_ ## PR Review: Approved PR: https://forge.caradoc.com/erik/slugkit/pulls/60 ### Summary Reviewed PR #60 at commit `846b4ae`. The PR adds the browser-assisted CLI login flow: `/cli/auth` redirects anonymous users through admin login and generates a raw API key for authenticated sessions, `/api/v1/auth/check` verifies bearer API keys, and `slug login [api-base-url]` opens/prints the browser auth URL, prompts for the pasted key, verifies it, and saves local config without printing the key. ### Acceptance Criteria - [x] `slug login` opens or prints the browser auth URL. - [x] `/cli/auth` requires an authenticated admin session before generating an API key. - [x] Unauthenticated `/cli/auth` redirects through login and returns after successful magic-link verification. - [x] Authenticated `/cli/auth` creates an API key and displays the raw key once. - [x] CLI verifies the pasted API key before saving config. - [x] Saved CLI config redacts API key output in existing config display commands. - [x] Tests cover login URL derivation, missing config/prompt behavior, key verification failure, key verification success, API key redaction, route auth/redirect behavior, and API auth-check behavior. - [x] Relevant lint/test checks pass — `make check`, `./scripts/pre-pr.sh`, and Forgejo CI passed. ### Blocking Issues None. ### Warnings None. ### Verdict Approved for merge.
erik commented 2026-05-22 14:32:03 -05:00
Author
Owner
Copy link

Synced from todu comment by @todu on 2026-05-22T19:31:21.627Z

PR Review Update: Approved

PR: #60
Commit: 26da9bb

Update verified

  • slug login now works without a manually supplied URL when a local dev server is reachable at http://localhost:3000/api/v1.
  • The CLI now prints the selected API base URL before opening/printing /cli/auth, so the source is visible.
  • Explicit URLs and existing saved config still take precedence over the local-dev default.
  • If local dev is unavailable and no config exists, the CLI falls back to prompting for the API base URL.
  • Added tests for local-dev default selection and fallback prompting.

Checks

  • make check passed locally.
  • ./scripts/pre-pr.sh passed locally.
  • Forgejo CI passed for commit 26da9bb.

Verdict

Approved for merge.

_Synced from todu comment by @todu on 2026-05-22T19:31:21.627Z_ ## PR Review Update: Approved PR: https://forge.caradoc.com/erik/slugkit/pulls/60 Commit: `26da9bb` ### Update verified - `slug login` now works without a manually supplied URL when a local dev server is reachable at `http://localhost:3000/api/v1`. - The CLI now prints the selected API base URL before opening/printing `/cli/auth`, so the source is visible. - Explicit URLs and existing saved config still take precedence over the local-dev default. - If local dev is unavailable and no config exists, the CLI falls back to prompting for the API base URL. - Added tests for local-dev default selection and fallback prompting. ### Checks - `make check` passed locally. - `./scripts/pre-pr.sh` passed locally. - Forgejo CI passed for commit `26da9bb`. ### Verdict Approved for merge.
erik commented 2026-05-22 15:08:59 -05:00
Author
Owner
Copy link

Synced from todu comment by @todu on 2026-05-22T20:07:48.698Z

PR Review Update: Approved

PR: #60
Commit: ac9e167

Update verified

  • CLI config now defaults to YAML at ${XDG_CONFIG_HOME:-~/.config}/slug/config.yaml.
  • Config is now a simple single-site shape: apiBaseUrl, apiKey, and optional apiKeyReference; no profiles.
  • Added global --config <file> support, e.g. slug --config ./dev.slug.yaml login.
  • slug login uses the configured apiBaseUrl; no URL argument is required for normal use.
  • slug config show continues to redact the raw API key.
  • Tests cover YAML read/write and explicit --config file usage.

Checks

  • make check passed locally.
  • ./scripts/pre-pr.sh passed locally.
  • Forgejo CI passed for commit ac9e167.

Verdict

Approved for merge.

_Synced from todu comment by @todu on 2026-05-22T20:07:48.698Z_ ## PR Review Update: Approved PR: https://forge.caradoc.com/erik/slugkit/pulls/60 Commit: `ac9e167` ### Update verified - CLI config now defaults to YAML at `${XDG_CONFIG_HOME:-~/.config}/slug/config.yaml`. - Config is now a simple single-site shape: `apiBaseUrl`, `apiKey`, and optional `apiKeyReference`; no profiles. - Added global `--config <file>` support, e.g. `slug --config ./dev.slug.yaml login`. - `slug login` uses the configured `apiBaseUrl`; no URL argument is required for normal use. - `slug config show` continues to redact the raw API key. - Tests cover YAML read/write and explicit `--config` file usage. ### Checks - `make check` passed locally. - `./scripts/pre-pr.sh` passed locally. - Forgejo CI passed for commit `ac9e167`. ### Verdict Approved for merge.
erik commented 2026-05-22 15:19:32 -05:00
Author
Owner
Copy link

Synced from todu comment by @todu on 2026-05-22T20:16:20.969Z

PR Review Update: Approved

PR: #60
Commit: 763b3ba

Update verified

  • Added make dev-config to write ignored local CLI config at ./.slug/dev.yaml.
  • Added make slug ARGS="..." to build and run the slug CLI with that dev config.
  • .slug/ is ignored so generated dev config is not committed.
  • make dev-config writes the machine IP API URL, e.g. apiBaseUrl: http://<machine-ip>:3000/api/v1.

Checks

  • make dev-config passed locally.
  • make check passed locally.
  • ./scripts/pre-pr.sh passed locally.
  • Forgejo CI passed for commit 763b3ba.

Verdict

Approved for merge.

_Synced from todu comment by @todu on 2026-05-22T20:16:20.969Z_ ## PR Review Update: Approved PR: https://forge.caradoc.com/erik/slugkit/pulls/60 Commit: `763b3ba` ### Update verified - Added `make dev-config` to write ignored local CLI config at `./.slug/dev.yaml`. - Added `make slug ARGS="..."` to build and run the `slug` CLI with that dev config. - `.slug/` is ignored so generated dev config is not committed. - `make dev-config` writes the machine IP API URL, e.g. `apiBaseUrl: http://<machine-ip>:3000/api/v1`. ### Checks - `make dev-config` passed locally. - `make check` passed locally. - `./scripts/pre-pr.sh` passed locally. - Forgejo CI passed for commit `763b3ba`. ### Verdict Approved for merge.
erik 2026-05-22 15:24:47 -05:00
erik commented 2026-05-22 15:24:48 -05:00
Author
Owner
Copy link

Synced from todu comment by @todu on 2026-05-22T20:24:16.419Z

=== Task Close Gate: Task #task-b8374859 ===

Task: Add slug login browser flow

Acceptance Criteria:

  • slug login opens or prints the browser auth URL — met — Implemented CLI login flow; PR #60 includes browser open/printed fallback URL and opener failure handling.
  • /cli/auth requires an authenticated admin session before generating an API key — met — Added protected /cli/auth route using admin session middleware.
  • Unauthenticated /cli/auth redirects through login and returns after successful magic-link verification — met — Login redirect preservation added and covered by route tests.
  • Authenticated /cli/auth creates an API key and displays the raw key once — met — Route creates API key via API key service and renders one-time raw key page.
  • CLI verifies the pasted API key before saving config — met — Added protected /api/v1/auth/check; CLI verifies pasted key before writing config.
  • Saved CLI config redacts API key output in existing config display commands — met — Config show tests verify raw key is not printed.
  • Tests cover login URL derivation, missing config/prompt behavior where practical, key verification failure, key verification success, and API key redaction — met — CLI and route/API tests added.
  • Relevant lint/test checks pass — met — make check, ./scripts/pre-pr.sh, and Forgejo CI passed.

Readiness: READY

Closing Summary:
Merged PR #60 into main at merge commit 06d5d4d. Added slug login browser auth flow, /cli/auth, /api/v1/auth/check, YAML CLI config with --config, and Makefile dev helpers (make dev-config, make slug ARGS="...").

Next Action: close-task

_Synced from todu comment by @todu on 2026-05-22T20:24:16.419Z_ === Task Close Gate: Task #task-b8374859 === Task: Add slug login browser flow Acceptance Criteria: - [x] `slug login` opens or prints the browser auth URL — met — Implemented CLI login flow; PR #60 includes browser open/printed fallback URL and opener failure handling. - [x] `/cli/auth` requires an authenticated admin session before generating an API key — met — Added protected `/cli/auth` route using admin session middleware. - [x] Unauthenticated `/cli/auth` redirects through login and returns after successful magic-link verification — met — Login redirect preservation added and covered by route tests. - [x] Authenticated `/cli/auth` creates an API key and displays the raw key once — met — Route creates API key via API key service and renders one-time raw key page. - [x] CLI verifies the pasted API key before saving config — met — Added protected `/api/v1/auth/check`; CLI verifies pasted key before writing config. - [x] Saved CLI config redacts API key output in existing config display commands — met — Config show tests verify raw key is not printed. - [x] Tests cover login URL derivation, missing config/prompt behavior where practical, key verification failure, key verification success, and API key redaction — met — CLI and route/API tests added. - [x] Relevant lint/test checks pass — met — `make check`, `./scripts/pre-pr.sh`, and Forgejo CI passed. Readiness: READY Closing Summary: Merged PR #60 into main at merge commit `06d5d4d`. Added `slug login` browser auth flow, `/cli/auth`, `/api/v1/auth/check`, YAML CLI config with `--config`, and Makefile dev helpers (`make dev-config`, `make slug ARGS="..."`). Next Action: close-task
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
release/slug-cli-v0.5.0
release/slug-cli-v0.4.0
release/slug-cli-v0.3.0
release/slug-cli-v0.2.0
release/slug-cli-v0.1.2
release/slug-cli-v0.1.1
feat/task-47be19ea-api-meta-route
feat/task-51eaa27f-swagger-api-docs
feat/task-0dbd25d3-site-config-homepage
feat/task-69937fe4-sqlite-migrations
feat/task-a3cd5595-cli-foundation
feat/task-c272cbda-openapi-health
feat/task-d6397b57-template-foundation
v0.5.0
v0.4.0
v0.3.0
v0.2.0
v0.1.2
v0.1.1
Labels
Clear labels   
activitypub

   
admin

   
api

   
articles

   
auth

   
bug

   
cleanup

   
cli

   
comments

   
compatibility

   
config

   
contacts

   
database

   
deployment

   
design

   
dev-env

   
docs

   
documentation

   
email

   
enhancement

   
feature

   
federation

   
feed

   
homepage

   
implementation

   
integration

   
media

   
openapi

   
priority:high

   
priority:low

   
priority:medium

   
proof

   
public-routes

   
public-ui

   
release

   
safety

   
social

   
sources

   
status:active

   
status:canceled

   
status:done

   
status:inprogress

   
status:waiting

   
syndication

   
tailwind

   
template

   
test

   
web
No labels
activitypub
admin
api
articles
auth
bug
cleanup
cli
comments
compatibility
config
contacts
database
deployment
design
dev-env
docs
documentation
email
enhancement
feature
federation
feed
homepage
implementation
integration
media
openapi
priority:high
priority:low
priority:medium
proof
public-routes
public-ui
release
safety
social
sources
status:active
status:canceled
status:done
status:inprogress
status:waiting
syndication
tailwind
template
test
web
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
erik/slugkit#57
No description provided.