Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
65 changes: 65 additions & 0 deletions src/commands/project.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -664,6 +664,39 @@ describe('runCreate', () => {
).rejects.toMatchObject({ exitCode: 5, code: 'VALIDATION_ERROR' });
expect(fetchImpl).not.toHaveBeenCalled();
});

it('rejects a missing --password-file with VALIDATION_ERROR (exit 5), no network', async () => {
const { credentialsPath } = makeCreds();
const missingPasswordFile = join(mkdtempSync(join(tmpdir(), 'cli-pwfile-')), 'password.txt');
const fetchImpl = vi.fn(async () => {
throw new Error('should not hit network - validation must fire client-side');
});

await expect(
runCreate(
{
profile: 'default',
output: 'json',
debug: false,
type: 'frontend',
name: 'Password File Guard Project',
targetUrl: 'https://example.com',
passwordFile: missingPasswordFile,
},
{
credentialsPath,
fetchImpl: fetchImpl as unknown as typeof fetch,
stdout: () => {},
stderr: () => {},
},
),
).rejects.toMatchObject({
exitCode: 5,
code: 'VALIDATION_ERROR',
details: expect.objectContaining({ field: 'password-file' }),
});
expect(fetchImpl).not.toHaveBeenCalled();
});
});

// ---------------------------------------------------------------------------
Expand Down Expand Up @@ -790,6 +823,38 @@ describe('runUpdate', () => {
).rejects.toMatchObject({ code: 'VALIDATION_ERROR', exitCode: 5 });
expect(fetchImpl).not.toHaveBeenCalled();
});

it('rejects a missing --password-file with VALIDATION_ERROR (exit 5), no network', async () => {
const { credentialsPath } = makeCreds();
const missingPasswordFile = join(mkdtempSync(join(tmpdir(), 'cli-pwfile-')), 'password.txt');
const fetchImpl = vi.fn(async () => {
throw new Error('should not be called');
});

await expect(
runUpdate(
{
profile: 'default',
output: 'json',
debug: false,
projectId: 'proj_abc',
passwordFile: missingPasswordFile,
},
{
credentialsPath,
fetchImpl: fetchImpl as unknown as typeof fetch,
stdout: () => {},
stderr: () => {},
},
),
).rejects.toMatchObject({
code: 'VALIDATION_ERROR',
exitCode: 5,
details: expect.objectContaining({ field: 'password-file' }),
});
expect(fetchImpl).not.toHaveBeenCalled();
});

it('P7 — dry-run returns canned shape without network call', async () => {
resetDryRunBannerForTesting();
const { credentialsPath } = makeCreds();
Expand Down
32 changes: 30 additions & 2 deletions src/commands/project.ts
Original file line number Diff line number Diff line change
Expand Up @@ -202,7 +202,7 @@ export async function runCreate(
// Resolve password: flag > file > none
let password = opts.password;
if (password === undefined && opts.passwordFile !== undefined) {
password = readFileSync(opts.passwordFile, 'utf8').trim();
password = readPasswordFile(opts.passwordFile);
}

const idempotencyKey = opts.idempotencyKey ?? `cli-proj-create-${randomUUID()}`;
Expand Down Expand Up @@ -323,7 +323,7 @@ export async function runUpdate(
// filesystem, even when --password-file is present.
let password = opts.password;
if (password === undefined && opts.passwordFile !== undefined) {
password = readFileSync(opts.passwordFile, 'utf8').trim();
password = readPasswordFile(opts.passwordFile);
}

const idempotencyKey = opts.idempotencyKey ?? `cli-proj-update-${randomUUID()}`;
Expand Down Expand Up @@ -629,3 +629,31 @@ function localValidationError(message: string): ApiError {
},
});
}

function passwordFileValidationError(path: string, reason: string): ApiError {
return ApiError.fromEnvelope({
error: {
code: 'VALIDATION_ERROR',
message: 'Invalid request.',
nextAction: reason,
requestId: 'local',
details: { field: 'password-file', path, reason },
},
});
}

function readPasswordFile(path: string): string {
try {
return readFileSync(path, 'utf8').trim();
} catch (err) {
const code = (err as NodeJS.ErrnoException).code;
if (code === 'ENOENT') {
throw passwordFileValidationError(path, `file does not exist: ${path}`);
}
if (code === 'EACCES') {
throw passwordFileValidationError(path, `permission denied reading ${path}`);
}
const reason = err instanceof Error ? err.message : 'unknown error';
throw passwordFileValidationError(path, `cannot read ${path}: ${reason}`);
}
}
Loading