Skip to content

alert for unsupported auth tokens#113

Open
skarim wants to merge 1 commit into
mainfrom
skarim/api-token-warning
Open

alert for unsupported auth tokens#113
skarim wants to merge 1 commit into
mainfrom
skarim/api-token-warning

Conversation

@skarim

@skarim skarim commented Jun 4, 2026

Copy link
Copy Markdown
Collaborator

When users authenticate the GitHub CLI with a personal access token (PAT) instead of OAuth (gh auth login), the cli_internal stacks API endpoints return 404. The CLI previously interpreted this as "Stacked PRs are not enabled for this repository," which is misleading — the feature may be enabled, but the token type simply cannot access the internal endpoints.

This is a recurring source of user confusion. The docs already note that PATs are not supported, but users don't always read them before hitting the error.

This change adds token-type detection by inspecting the gh auth token prefix:

  • gho_ → OAuth (supported)
  • ghs_ → GitHub App installation token (supported)
  • ghp_ → Classic PAT (NOT supported)
  • github_pat_ → Fine-grained PAT (NOT supported)

When a PAT is detected, the CLI now shows:

⚠ Personal access tokens are not supported by gh stack
Run gh auth login to authenticate with OAuth instead.

Instead of the misleading:

⚠ Stacked PRs are not enabled for this repository

Changes:

  • Add internal/config/auth.go with auth detection methods on Config: IsPersonalAccessToken(), WarnIfPAT(), and RepoHost(). Uses a TokenForHostFn field on Config for test overrides, following the same pattern as GitHubClientOverride.

  • Add a pre-flight PAT check in cmd/submit.go before the ListStacks call. If a PAT is detected, the command aborts early with a clear error instead of making a doomed API call.

  • Update all 404 handlers for cli_internal endpoints to check the token type and show the appropriate message:

    • cmd/submit.go (createNewStack)
    • cmd/link.go (listStacksSafe, createLink)
    • cmd/checkout.go (checkoutRemoteStack)

  • Add warnStacksUnavailableOrPAT() helper in cmd/utils.go that shows the PAT-specific warning when applicable, falling back to the generic "not enabled" message for non-PAT tokens.

  • Add unit tests in internal/config/auth_test.go for token prefix detection and warning output.

  • Add integration tests in cmd/submit_test.go verifying that both classic PATs (ghp_) and fine-grained PATs (github_pat_) trigger the pre-flight check and abort before any API calls.

  • Add warnStacksUnavailableOrPAT tests in cmd/utils_test.go verifying correct message selection based on token type.

  • Update existing 404 tests to explicitly set an OAuth token so they continue exercising the ListStacks 404 path.

@skarim skarim force-pushed the skarim/api-token-warning branch from 28d4490 to 51dfa0e Compare June 12, 2026 05:34
GitHub Advanced Security started work on behalf of skarim June 12, 2026 05:35 View session
GitHub Advanced Security finished work on behalf of skarim June 12, 2026 05:36
@skarim skarim marked this pull request as ready for review June 12, 2026 05:48
Copilot AI review requested due to automatic review settings June 12, 2026 05:48
Copilot AI reviewed Jun 12, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds token-type detection to prevent misleading error messages when users authenticate with a Personal Access Token (PAT) instead of OAuth. Previously, PAT-authenticated requests to cli_internal endpoints returned 404, which was displayed as "Stacked PRs are not enabled for this repository" — now the CLI detects the token type upfront and shows a clear message directing users to authenticate with OAuth.

Changes:

  • Adds internal/config/auth.go with PAT detection methods (IsPersonalAccessToken, WarnIfPAT, RepoHost) plus test-injection hooks (TokenForHostFn, RepoOverride) on the Config struct.
  • Adds a pre-flight PAT check in cmd/submit.go and replaces all 404 warning messages in submit/link/checkout with warnStacksUnavailableOrPAT() which conditionally shows the PAT-specific or generic message.
  • Adds comprehensive tests for the new auth detection logic and the pre-flight check path.
Show a summary per file
File Description
internal/config/config.go Adds TokenForHostFn and RepoOverride fields to Config; Repo() respects RepoOverride
internal/config/auth.go New file with PAT detection logic and WarnIfPAT helper
internal/config/auth_test.go Unit tests for token prefix detection and WarnIfPAT output
cmd/utils.go Adds warnStacksUnavailableOrPAT helper that delegates to WarnIfPAT or generic message
cmd/utils_test.go Tests for the new helper and introduces setTestTokenForHost test utility
cmd/submit.go Adds pre-flight PAT check; replaces direct warning with warnStacksUnavailableOrPAT in 404 handlers
cmd/submit_test.go Integration tests for PAT pre-flight, plus existing 404 tests updated with OAuth token override
cmd/link.go Replaces direct warning with warnStacksUnavailableOrPAT in two 404 handlers
cmd/checkout.go Replaces direct error message with warnStacksUnavailableOrPAT in 404 handler

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 9/9 changed files
  • Comments generated: 3

Comment thread cmd/link.go
Comment thread cmd/checkout.go
Comment thread internal/config/auth.go
@skarim
alert for unsupported auth tokens
7fc120f 
When users authenticate the GitHub CLI with a personal access token
(PAT) instead of OAuth (`gh auth login`), the `cli_internal` stacks
API endpoints return 404. The CLI previously interpreted this as
"Stacked PRs are not enabled for this repository," which is misleading
— the feature may be enabled, but the token type simply cannot access
the internal endpoints.

This is a recurring source of user confusion. The docs already note
that PATs are not supported, but users don't always read them before
hitting the error.

This change adds token-type detection by inspecting the `gh` auth
token prefix:

  - `gho_`        → OAuth (supported)
  - `ghs_`        → GitHub App installation token (supported)
  - `ghp_`        → Classic PAT (NOT supported)
  - `github_pat_` → Fine-grained PAT (NOT supported)

When a PAT is detected, the CLI now shows:

  ⚠ Personal access tokens are not supported by gh stack
    Run `gh auth login` to authenticate with OAuth instead.

Instead of the misleading:

  ⚠ Stacked PRs are not enabled for this repository

Changes:

- Add `internal/config/auth.go` with auth detection methods on Config:
  `IsPersonalAccessToken()`, `WarnIfPAT()`, and `RepoHost()`. Uses a
  `TokenForHostFn` field on Config for test overrides, following the
  same pattern as `GitHubClientOverride`.

- Add a pre-flight PAT check in `cmd/submit.go` before the
  `ListStacks` call. If a PAT is detected, the command aborts early
  with a clear error instead of making a doomed API call.

- Update all 404 handlers for `cli_internal` endpoints to check the
  token type and show the appropriate message:
  - `cmd/submit.go` (createNewStack)
  - `cmd/link.go` (listStacksSafe, createLink)
  - `cmd/checkout.go` (checkoutRemoteStack)

- Add `warnStacksUnavailableOrPAT()` helper in `cmd/utils.go` that
  shows the PAT-specific warning when applicable, falling back to the
  generic "not enabled" message for non-PAT tokens.

- Add unit tests in `internal/config/auth_test.go` for token prefix
  detection and warning output.

- Add integration tests in `cmd/submit_test.go` verifying that both
  classic PATs (`ghp_`) and fine-grained PATs (`github_pat_`) trigger
  the pre-flight check and abort before any API calls.

- Add `warnStacksUnavailableOrPAT` tests in `cmd/utils_test.go`
  verifying correct message selection based on token type.

- Update existing 404 tests to explicitly set an OAuth token so they
  continue exercising the ListStacks 404 path.
@skarim skarim force-pushed the skarim/api-token-warning branch from 51dfa0e to 7fc120f Compare June 12, 2026 06:17
GitHub Advanced Security started work on behalf of skarim June 12, 2026 06:17 View session
GitHub Advanced Security finished work on behalf of skarim June 12, 2026 06:18
Lukeghenco
Lukeghenco reviewed Jun 15, 2026
View reviewed changes
Comment thread cmd/checkout.go
var httpErr *api.HTTPError
if errors.As(err, &httpErr) && httpErr.StatusCode == 404 {
cfg.Errorf("Stacked PRs are not enabled for this repository")
warnStacksUnavailableOrPAT(cfg)

@Lukeghenco Lukeghenco Jun 15, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice cleanup here.

Lukeghenco
Lukeghenco reviewed Jun 15, 2026
View reviewed changes
Comment thread cmd/submit.go
Comment on lines +103 to +105
if cfg.WarnIfPAT() {
return ErrStacksUnavailable
}

@Lukeghenco Lukeghenco Jun 15, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Lukeghenco
Lukeghenco approved these changes Jun 15, 2026
View reviewed changes

@Lukeghenco Lukeghenco left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Solution is clean and clear. I see no issues with this going out as is. I also appreciate the failure warning clean up to prevent the need of passing the same string around throughout the codebase with the new warnStacksUnavailableOrPAT func.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Lukeghenco Lukeghenco Lukeghenco approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@skarim @Lukeghenco