fix(context): add validation and HTTP timeout to prevent hangs

- Add 30-second HTTP timeout to API client to prevent infinite hangs
- Add connection validation during context create
- Verify server connectivity and token validity before saving context
- Verify gateway group exists if specified
- Add --skip-validation flag for advanced users
- Provide clear error messages for auth failures and connection issues

Fixes issue where invalid credentials were silently accepted and
subsequent commands would hang indefinitely when connecting to
unreachable servers.

Author: moonming

pkg/api/client.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"time"
 )
 
 // Client is a thin wrapper around net/http for the API7 EE Admin API.
@@ -30,7 +31,10 @@ func NewAuthenticatedClient(apiKey string, tlsSkipVerify bool, caCert string) *h
 		apiKey: apiKey,
 		base:   defaultTransport(tlsSkipVerify, caCert),
 	}
-	return &http.Client{Transport: transport}
+	return &http.Client{
+		Transport: transport,
+		Timeout:   30 * time.Second,
+	}
 }
 
 // apiKeyTransport injects the X-API-KEY header into every request.

pkg/cmd/context/create/create.go

@@ -1,11 +1,14 @@
 package create
 
 import (
+	"errors"
 	"fmt"
+	"net/http"
 
 	"github.com/spf13/cobra"
 
 	"github.com/api7/a7/internal/config"
+	"github.com/api7/a7/pkg/api"
 	cmd "github.com/api7/a7/pkg/cmd"
 	"github.com/api7/a7/pkg/cmdutil"
 )
@@ -14,13 +17,14 @@ import (
 type Options struct {
 	Config func() (config.Config, error)
 
-	Name          string
-	Server        string
-	Token         string
-	GatewayGroup  string
-	TLSSkipVerify bool
-	CACert        string
-	Use           bool
+	Name           string
+	Server         string
+	Token          string
+	GatewayGroup   string
+	TLSSkipVerify  bool
+	CACert         string
+	Use            bool
+	SkipValidation bool
 }
 
 // NewCmd creates the "context create" command.
@@ -45,12 +49,50 @@ func NewCmd(f *cmd.Factory) *cobra.Command {
 	c.Flags().BoolVar(&opts.TLSSkipVerify, "tls-skip-verify", false, "Skip TLS certificate verification")
 	c.Flags().StringVar(&opts.CACert, "ca-cert", "", "Path to CA certificate")
 	c.Flags().BoolVar(&opts.Use, "use", false, "Set as current context after creation")
+	c.Flags().BoolVar(&opts.SkipValidation, "skip-validation", false, "Skip connectivity validation")
 
 	_ = c.MarkFlagRequired("server")
 
 	return c
 }
 
+func validateContext(ctx config.Context) error {
+	httpClient := api.NewAuthenticatedClient(ctx.Token, ctx.TLSSkipVerify, ctx.CACert)
+	client := api.NewClient(httpClient, ctx.Server)
+
+	// Test connectivity with lightweight API call
+	_, err := client.Get("/api/gateway_groups?page_size=1", nil)
+	if err != nil {
+		var apiErr *api.APIError
+		if errors.As(err, &apiErr) {
+			switch apiErr.StatusCode {
+			case 401:
+				return fmt.Errorf("authentication failed: invalid token")
+			case 403:
+				return fmt.Errorf("permission denied: check token permissions")
+			default:
+				return fmt.Errorf("server error: %s", cmdutil.FormatAPIError(err))
+			}
+		}
+		// Network error (DNS, connection refused, timeout, etc.)
+		return fmt.Errorf("cannot connect to server: %w", err)
+	}
+
+	// If gateway-group is specified, verify it exists
+	if ctx.GatewayGroup != "" {
+		_, err := client.Get("/api/gateway_groups/"+ctx.GatewayGroup, nil)
+		if err != nil {
+			var apiErr *api.APIError
+			if errors.As(err, &apiErr) && apiErr.StatusCode == http.StatusNotFound {
+				return fmt.Errorf("gateway group %q not found", ctx.GatewayGroup)
+			}
+			return fmt.Errorf("failed to verify gateway group: %w", err)
+		}
+	}
+
+	return nil
+}
+
 func createRun(opts *Options, f *cmd.Factory) error {
 	cfg, err := opts.Config()
 	if err != nil {
@@ -66,6 +108,14 @@ func createRun(opts *Options, f *cmd.Factory) error {
 		CACert:        opts.CACert,
 	}
 
+	// Validate context before saving (unless --skip-validation is set)
+	if !opts.SkipValidation {
+		fmt.Fprintf(f.IOStreams.Out, "Validating connection to %s...\n", ctx.Server)
+		if err := validateContext(ctx); err != nil {
+			return fmt.Errorf("validation failed: %w\nUse --skip-validation to bypass this check", err)
+		}
+	}
+
 	if err := cfg.AddContext(ctx); err != nil {
 		return &cmdutil.FlagError{Err: err}
 	}