Add CLI auth code fallback#41
Conversation
…li-auth-codes # Conflicts: # src/main.rs
|
Claude finished @cloud9c's task in 3m 57s —— View job Code Review — Add CLI auth code fallbackReviewed the full diff against Findings (posted inline)
Smaller notes (not posted inline)
Not verifiedI did not compile or run the suite — the QA steps require Doppler-managed env vars ( |
a9528c1 to
282b16b
Compare
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 282b16b. Configure here.
|
@cursor review |
|
@cursor review |
|
@cursor review |
|
@cursor review |
|
Claude finished @cloud9c's task in 3m 15s —— View job Code Review — Add CLI auth code fallbackRe-reviewed the current branch (through
Verified fixes from earlier rounds ✅
Finding (posted inline)
Smaller notes (not blocking)
Not verifiedI did not compile or run the suite — the QA steps require Doppler-managed env vars ( |
| && self.upload_dir.is_none() | ||
| && self.engine.is_none() | ||
| && self.engine_version.is_none() | ||
| && !self.force |
There was a problem hiding this comment.
--force alone silently routes wavedash init to the scripted (non-interactive) path. Because is_interactive() returns false whenever force is set, wavedash init --force (with no --team-*/--game-* flags) is dispatched to handle_init_scripted, which immediately bail!s with "Non-interactive init requires --team-id …".
The interactive path already prompts to overwrite an existing wavedash.toml, so a user who just wants to re-init interactively and overwrite has no way to use --force for that — it's effectively scripted-only. Consider dropping !self.force from is_interactive() so --force only controls overwrite behavior, and let the presence of the team/game flags (or --json) be what selects the scripted path.
| && !self.force | |
| && self.engine_version.is_none() | |
| && !self.json |
|
Claude finished @cloud9c's task in 3m 57s —— View job Code Review — Add CLI auth code fallbackRe-reviewed the current branch (through
SummaryThis is a clean, well-structured change and a genuine security improvement over the previous Verified good ✅
Non-blocking notes (all previously acknowledged by the author)
Not verifiedI did not compile or run the suite — the QA steps require Doppler-managed env vars ( |
|
ok just confirming that I liked the previous PRs changes too fwiw, with the json stuffz |
|
gotcha -- then im thinking ill add them in a different PR? just didnt want u to have to review out of scope stuff |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 9c79eaf. Configure here.
| if is_browser_login_unavailable() { | ||
| anyhow::bail!( | ||
| "Browser login isn't available in this environment.\n\nCreate an API key at https://wavedash.com/dev-portal/keys. Then set WAVEDASH_TOKEN or pipe the key into wavedash auth login --token-stdin." | ||
| ); |
There was a problem hiding this comment.
Hardcoded keys URL in error
Medium Severity
The browser login unavailable error message hardcodes the dev portal URL (https://wavedash.com/dev-portal/keys). This URL doesn't respect the configured SITE_HOST, which means users on staging or local builds might be directed to the wrong environment.
Reviewed by Cursor Bugbot for commit 9c79eaf. Configure here.
|
yeah great call |
franzwarning
left a comment
There was a problem hiding this comment.
looks good, don't merge til wavedash pr merged tho 🙂


Summary
c to copyshortcutCompanion Wavedash PR: https://github.com/wvdsh/wavedash/pull/809
QA
SITE_HOST=wavedash.lvh.me CONVEX_HTTP_URL=https://adjoining-schnauzer-809.convex.site PLAYSITE_HOST=wavedash.localtest.me cargo testrustfmt --check --edition 2021 src/auth.rsNote
High Risk
Rewrites CLI authentication (PKCE, code redemption, localhost callback) and changes how API keys are obtained—security-critical behavior that must stay aligned with the companion server PR.
Overview
Browser login no longer receives the API key on the redirect. It now uses PKCE (random state + verifier/challenge), a localhost
/callbackserver (replacingtiny_http), and redeems a one-time code viaPOST /cli/auth/redeem.If the callback fails or takes too long, the CLI shows a manual sign-in URL (without the broken copy shortcut) and, after a short delay, a paste-code prompt; invalid pasted codes retry in the terminal.
wavedash auth logingains--token-stdin, refuses browser login in CI or non-interactive stdin (with guidance to use env/stdin), and background update checks are skipped during login so prompts are not interrupted.Unit tests cover PKCE S256 and callback query parsing.
Reviewed by Cursor Bugbot for commit 9c79eaf. Bugbot is set up for automated code reviews on this repo. Configure here.