Unify token management under a new fastly auth command #1676
Open
jedisct1 wants to merge 21 commits into fastly:main from
Conversation
Small additions needed by the auth system: an env var and helper for disabling auth commands, a new token-source constant, and error unwrapping on the undocumented API client.
New [auth] config section with named token entries, automatic migration from legacy profiles, and CRUD helpers for reading/writing tokens.
When FASTLY_DISABLE_AUTH_COMMAND is set, remediation messages now reference FASTLY_API_TOKEN instead of interactive CLI commands.
Gives MockGlobalData a default Auth config, switches to errors.As for unwrapping remediation errors, and adds a WantRemediation field to CLIScenario so tests can assert on remediation output.
Mechanical replacement of "(profile: user)" with "(auth: user)" in run.go's displayToken output and all corresponding test expectations.
New `fastly auth` subcommands: login, add, delete, list, show, use. Includes SSO flow via the existing auth server, token metadata enrichment from the Fastly API, and comprehensive test coverage.
Register the auth command tree and gate all authentication commands behind FASTLY_DISABLE_AUTH_COMMAND. Rewrite Token() to resolve from the auth config (manifest profile, then default token) and add AuthTokenName() for display and SSO refresh.
Replace profile-based token logic with the auth config: SSO refresh, interactive first-run prompts, and profile migration now go through [auth] tokens. Conditionally hide --token when FASTLY_DISABLE_AUTH_COMMAND is set and deprecate --profile in favor of 'fastly auth use'.
Mark legacy commands as deprecated with warnings pointing to the new 'fastly auth' equivalents and hide them from help output. The commands remain functional but will be removed in a future release.
Show inline warnings in 'auth list' and 'auth show' for expired or soon-to-expire tokens, and add a pre-command hook that warns about expiring tokens on every CLI invocation. Includes CHANGELOG entries, metadata examples, and the cli-auth help page.
Migrate all profile commands (create, delete, list, switch, update, token) and the SSO command from the legacy Config.Profiles / pkg/profile package to Config.Auth.Tokens. This consolidates token storage into the [auth] config section and removes the intermediate pkg/profile layer.
SSO login no longer falls back to the hardcoded name "sso". Users must now pass --token to explicitly name the stored token, preventing accidental overwrites in multi-user SSO workflows.
Scoped tokens (e.g. purge-only) may lack permission to call /current_user, which previously caused auth add to fail with a 403. Add FetchTokenMetadataLenient, used only by auth add, which treats GetCurrentUser as best-effort but still requires at least one of /current_user or /tokens/self to succeed. auth login and the startup token prompt retain strict validation via FetchTokenMetadata.
And add a test case that verifies this behavior with an empty config.
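The lenient-versus-strict validation described in the commit above, written out as an added Go example. This is not code from the PR or from the fastly CLI: the `metadataAPI` interface, the `UserInfo`/`TokenInfo`/`TokenMetadata` types, the sentinel errors and the `fakeAPI` fixture (a full-access token, a purge-only token that gets a 403 on `/current_user`, and an invalid token) are all assumptions made for illustration. The point it shows is the invariant the commit states: `/current_user` is best-effort, but a token that neither `/current_user` nor `/tokens/self` accepts is still rejected rather than stored.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in types for this example; the CLI's real structs are not shown on the page.
type UserInfo struct{ Login string }
type TokenInfo struct{ Scopes []string }

// TokenMetadata is what "auth add" would store alongside the token value.
type TokenMetadata struct {
	User  *UserInfo  // nil when /current_user was not permitted
	Token *TokenInfo // nil when /tokens/self failed
}

var ErrForbidden = errors.New("403 Forbidden")       // stands in for an HTTP 403
var ErrUnauthorized = errors.New("401 Unauthorized") // stands in for an HTTP 401

// metadataAPI abstracts the two endpoints the enrichment step depends on.
type metadataAPI interface {
	CurrentUser(token string) (*UserInfo, error)
	TokenSelf(token string) (*TokenInfo, error)
}

// FetchTokenMetadata is the strict variant: both calls must succeed.
func FetchTokenMetadata(api metadataAPI, token string) (*TokenMetadata, error) {
	user, err := api.CurrentUser(token)
	if err != nil {
		return nil, fmt.Errorf("GET /current_user: %w", err)
	}
	info, err := api.TokenSelf(token)
	if err != nil {
		return nil, fmt.Errorf("GET /tokens/self: %w", err)
	}
	return &TokenMetadata{User: user, Token: info}, nil
}

// FetchTokenMetadataLenient treats /current_user as best-effort (a scoped token
// may get a 403 there) but still refuses a token that neither endpoint accepts.
func FetchTokenMetadataLenient(api metadataAPI, token string) (*TokenMetadata, error) {
	md := &TokenMetadata{}
	user, userErr := api.CurrentUser(token)
	if userErr == nil {
		md.User = user
	}
	info, tokenErr := api.TokenSelf(token)
	if tokenErr == nil {
		md.Token = info
	}
	if userErr != nil && tokenErr != nil {
		// Nothing proved the token valid, so it must not be stored.
		return nil, fmt.Errorf("token could not be validated (/current_user: %v; /tokens/self: %v)", userErr, tokenErr)
	}
	return md, nil
}

// fakeAPI is a constructed in-memory stand-in for the Fastly API.
type fakeAPI struct {
	tokens map[string]*TokenInfo // token value -> token info
	users  map[string]*UserInfo  // token value -> owner; absent for scoped tokens
}

func (f *fakeAPI) CurrentUser(token string) (*UserInfo, error) {
	if _, ok := f.tokens[token]; !ok {
		return nil, ErrUnauthorized
	}
	if u, ok := f.users[token]; ok {
		return u, nil
	}
	return nil, ErrForbidden // valid token, but no permission for /current_user
}

func (f *fakeAPI) TokenSelf(token string) (*TokenInfo, error) {
	if info, ok := f.tokens[token]; ok {
		return info, nil
	}
	return nil, ErrUnauthorized
}

// NewFakeAPI returns constructed fixture data: one full-access token, one purge-only token.
func NewFakeAPI() metadataAPI {
	return &fakeAPI{
		tokens: map[string]*TokenInfo{
			"full-token":  {Scopes: []string{"global"}},
			"purge-token": {Scopes: []string{"purge_all"}},
		},
		users: map[string]*UserInfo{"full-token": {Login: "alice@example.com"}},
	}
}

func main() {
	api := NewFakeAPI()
	for _, tok := range []string{"full-token", "purge-token", "bogus-token"} {
		_, strictErr := FetchTokenMetadata(api, tok)
		_, lenientErr := FetchTokenMetadataLenient(api, tok)
		fmt.Printf("%-12s strict ok=%-5v lenient ok=%v\n", tok, strictErr == nil, lenientErr == nil)
	}
}
```

Two things follow from this shape. A token stored through the lenient path can have a nil `User`, so anything that later displays account info (the `auth list` and `auth show` commands in this PR) has to tolerate missing user metadata. And, as the commit says, the lenient path belongs only to `auth add`: `auth login` and the startup prompt keep the strict check, because there an unexpected 403 is a signal worth stopping on rather than something to paper over.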
anthony-gomez-fastly (Contributor) approved these changes on Mar 5, 2026 and left a comment:
LGTM, this looks great!! I'll fix the lint errors when I update the golangci-lint version
Change summary
This PR replaces the old patchwork of `fastly profile`, `fastly sso`, and `fastly auth-token` commands with a single, unified `fastly auth` command tree. The goal is to make token management feel straightforward: one place to log in, store tokens, check expiration, and switch between accounts.

Under the hood, the config file gets a new `[auth]` section that replaces the old `[profile]` block. Tokens are now stored as named entries with rich metadata (account info, scopes, expiration timestamps) and come in two flavors: `static` for long-lived API tokens and `sso` for OIDC-backed sessions that can refresh themselves. Existing profiles are migrated automatically on first run, so users don't have to do anything manually.

The new commands: `auth login`, `auth add`, `auth delete`, `auth list`, `auth show`, and `auth use` cover the full token lifecycle. `auth login` handles both interactive token paste and browser-based SSO (via `--sso --token <name>`). An explicit token name is required for SSO to prevent silently overwriting a stored token in multi-account setups.

Token resolution got reworked too. The `--token` flag now first checks whether its value matches a stored token name before treating it as a raw token, followed by the usual `FASTLY_API_TOKEN` env var, `fastly.toml` profile field, and default token fallbacks.

One of the nicer quality-of-life additions: the CLI now tracks token expiration and warns you before running a command if your active token is about to expire or already has. `auth list` shows color-coded expiry status inline, and `auth show` gives you the full breakdown.

Error messages are now context-aware. In managed environments where `FASTLY_DISABLE_AUTH_COMMAND` is set, remediation text points users toward environment variables instead of CLI commands they can't run.

The old `profile`, `sso`, and `auth-token` commands still work but are hidden from help and print deprecation notices. They can be removed in a future release.

That global diff is pretty large, but individual commits are not, and most of the added code is tests, or code removal (the legacy commands are now implemented as thin wrappers over the new one).
User Impact
Day-to-day, users get a cleaner way to manage tokens through fastly auth.
Existing workflows keep working. Legacy config entries migrate automatically and old commands still function with deprecation warnings.
The main behavioral shift is that SSO login now requires `--token <name>` to name the stored credential, so scripts using the old implicit naming will need a small update. Token expiration is now surfaced proactively, which should cut down on confusing "401" errors from silently expired tokens.
Are there any considerations that need to be addressed for release?
The old profile, sso, and auth-token commands are soft-deprecated: they work but are hidden.
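The token-resolution order and the pre-command expiry warning that the description above lays out, as an added Go example. It is not code from the PR or from the fastly CLI: the `Source` labels, the `Entry`/`AuthConfig`/`Inputs` types, the 24-hour warning window and the `ExampleConfig` fixture (three named tokens, one of them SSO and default, one already expired) are assumptions made for illustration. What it shows is the precedence in one place (`--token` as a stored name, then as a raw value, then `FASTLY_API_TOKEN`, then the `fastly.toml` profile, then the default entry) and why raw or environment tokens never trigger an expiry warning: they arrive with no stored metadata to judge.

```go
package main

import (
	"fmt"
	"time"
)

// Source records where the active token came from. These labels are this
// example's own, not the CLI's token-source constants.
type Source string

const (
	SourceNone     Source = "none"
	SourceFlagName Source = "--token (stored name)"
	SourceFlagRaw  Source = "--token (raw value)"
	SourceEnv      Source = "FASTLY_API_TOKEN"
	SourceManifest Source = "fastly.toml profile"
	SourceDefault  Source = "default [auth] token"
)

// Entry models one named token in the assumed [auth] section.
type Entry struct {
	Name, Token, Kind string    // Kind is "static" or "sso"
	Default           bool
	ExpiresAt         time.Time // zero value: expiry unknown
}

type AuthConfig struct{ Tokens []Entry }

func (c AuthConfig) find(pred func(Entry) bool) *Entry {
	for i := range c.Tokens {
		if pred(c.Tokens[i]) {
			return &c.Tokens[i]
		}
	}
	return nil
}

type Inputs struct {
	FlagToken       string // --token
	EnvToken        string // FASTLY_API_TOKEN
	ManifestProfile string // profile field in fastly.toml
}

// Resolve applies the precedence the PR describes: --token as a stored name, --token as a
// raw value, env var, manifest profile, default entry. entry is nil for non-config tokens.
func Resolve(cfg AuthConfig, in Inputs) (token string, src Source, entry *Entry) {
	byName := func(n string) *Entry { return cfg.find(func(e Entry) bool { return e.Name == n }) }
	if in.FlagToken != "" {
		if e := byName(in.FlagToken); e != nil {
			return e.Token, SourceFlagName, e
		}
		return in.FlagToken, SourceFlagRaw, nil
	}
	if in.EnvToken != "" {
		return in.EnvToken, SourceEnv, nil
	}
	if in.ManifestProfile != "" {
		if e := byName(in.ManifestProfile); e != nil {
			return e.Token, SourceManifest, e
		}
	}
	if e := cfg.find(func(e Entry) bool { return e.Default }); e != nil {
		return e.Token, SourceDefault, e
	}
	return "", SourceNone, nil
}

// expiryWarnWindow is an assumed threshold; the page does not state the CLI's.
const expiryWarnWindow = 24 * time.Hour

// ExpiryWarning is the pre-command hook's check; "" means nothing to report.
func ExpiryWarning(e *Entry, now time.Time) string {
	if e == nil || e.ExpiresAt.IsZero() {
		return "" // raw or env tokens carry no metadata to judge
	}
	if left := e.ExpiresAt.Sub(now); left <= 0 {
		return fmt.Sprintf("WARNING: token %q expired at %s", e.Name, e.ExpiresAt.Format(time.RFC3339))
	} else if left <= expiryWarnWindow {
		return fmt.Sprintf("WARNING: token %q expires in %s", e.Name, left.Round(time.Minute))
	}
	return ""
}

// ExampleConfig is constructed fixture data, not a real config file.
func ExampleConfig() AuthConfig {
	return AuthConfig{Tokens: []Entry{
		{Name: "work", Token: "tok-work", Kind: "static", ExpiresAt: time.Date(2027, 1, 1, 0, 0, 0, 0, time.UTC)},
		{Name: "personal", Token: "tok-personal", Kind: "sso", Default: true, ExpiresAt: time.Date(2026, 3, 5, 14, 0, 0, 0, time.UTC)},
		{Name: "old", Token: "tok-old", Kind: "static", ExpiresAt: time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)},
	}}
}

func main() {
	cfg, now := ExampleConfig(), time.Date(2026, 3, 5, 12, 0, 0, 0, time.UTC)
	for _, in := range []Inputs{{FlagToken: "work"}, {FlagToken: "raw-abc"}, {EnvToken: "env-xyz"}, {ManifestProfile: "old"}, {}} {
		tok, src, e := Resolve(cfg, in)
		fmt.Printf("%-22s -> %-13s %s\n", src, tok, ExpiryWarning(e, now))
	}
}
```

Because the name lookup runs before the raw-value interpretation, stored names and raw token values share one namespace under `--token`; returning the `Source` alongside the token keeps that visible, which is what `displayToken` (the `(auth: user)` suffix mentioned in the commits) needs in order to tell the user which branch was taken. An `sso` entry that comes back expired is where the refresh logic described in the PR would run before the warning is shown; this example only reports it.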