cmd/cue: reject login --token=""

mvdan · mvdan · commit 6ada21c30e7e · 2025-01-21T12:06:12.000Z
Don't go straight into the OAuth device flow as if the flag had not been given at all, because that can be rather confusing in the case where a developer used --token=${UNSET_VAR}. An alternative would have been a custom pflag.Value implementaion that recorded whether the string value was set via a boolean field. However, that feels unnecessary given that looping over the set flags is pretty easy and works with any flag of any type already. The linear looping is fine given that we don't expect CLI users to set more than a dozen or so flags at any time. Fixes #3665. Signed-off-by: Daniel Martí <mvdan@mvdan.cc> Change-Id: I7de34e3b3503d6fd495e10ec9f64851f2a6ddd11 Reviewed-on: https://review.gerrithub.io/c/cue-lang/cue/+/1207558 Unity-Result: CUE porcuepine <cue.porcuepine@gmail.com> Reviewed-by: Paul Jolly <paul@myitcv.io> TryBot-Result: CUEcueckoo <cueckoo@cuelang.org>
diff --git a/cmd/cue/cmd/flags.go b/cmd/cue/cmd/flags.go
@@ -130,6 +130,19 @@ func (f flagName) ensureAdded(cmd *Command) {
 	}
 }
 
+// IsSet reports whether f was provided by the user, which is useful to tell
+// `cue` apart from `cue --flag=` when the flag's default value is the zero value.
+func (f flagName) IsSet(cmd *Command) bool {
+	f.ensureAdded(cmd)
+	found := false
+	cmd.Flags().Visit(func(pf *pflag.Flag) {
+		if pf.Name == string(f) {
+			found = true
+		}
+	})
+	return found
+}
+
 func (f flagName) Bool(cmd *Command) bool {
 	f.ensureAdded(cmd)
 	v, _ := cmd.Flags().GetBool(string(f))
diff --git a/cmd/cue/cmd/login.go b/cmd/cue/cmd/login.go
@@ -91,6 +91,11 @@ inside $CUE_CONFIG_DIR; see 'cue help environment'.
 			switch tokenStr := flagToken.String(cmd); {
 			case tokenStr == "":
 				// By default, we perform the OAuth 2.0 device flow to obtain a new token.
+				// Note that we refuse to continue if the user set --token="",
+				// because that can be an easy mistake to make via --token=${UNSET_VAR}.
+				if flagToken.IsSet(cmd) {
+					return fmt.Errorf("the --token flag needs a non-empty string")
+				}
 
 				ctx := backgroundContext()
 				// Cause the oauth2 logic to log HTTP requests when logging is enabled.
diff --git a/cmd/cue/cmd/testdata/script/login_token.txtar b/cmd/cue/cmd/testdata/script/login_token.txtar
@@ -7,6 +7,10 @@ oauthregistry device-code-expired
 ! exec cue login --token=unrecognized_token_format_1234
 stderr -count=1 'unknown token format, expected an appv1_ prefix'
 
+# An empty token is rejected, to prevent issues like --token=${UNSET_VAR}.
+! exec cue login --token=
+stderr -count=1 'the --token flag needs a non-empty string'
+
 # Ensure that only one token is stored when starting from an empty logins.json file.
 exec cue login --token=appv1_validtoken1234
 grep -count=1 '"registries": {' cueconfig/logins.json
