feat: auto-fetch WorkOS credentials via device auth #20
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add automatic credential fetching flow that: - Discovers existing credentials from .env files (with user consent) - Uses OAuth device authorization to authenticate users - Fetches staging credentials from WorkOS API - Falls back to manual entry if any step fails New modules: - credential-discovery.ts: env file scanning with consent - device-auth.ts: reusable OAuth device flow - staging-api.ts: WorkOS staging credentials API client State machine expansion: - gatheringCredentials now has 8 substates with priority-based resolution: CLI flags → env files → stored auth → device auth → manual Closes auto-credentials feature request.
Add test coverage for: - staging-api.ts: API response handling (camelCase/snake_case), HTTP error codes (401, 403, 404, 500), network errors, timeouts - credential-discovery.ts: env file detection, credential parsing, validation, priority order, quote handling - credentials.ts: staging credential cache (save/get/invalidation) Brings test count from 191 to 228.
Remove AI-generated slop: redundant catch block comments, unused runDeviceAuthFlow function, verbose test comments.
- Store envCredentialPath in context from DiscoveryResult.sourcePath - Emit correct source path instead of hardcoded '.env' - Throw DeviceAuthError on malformed JSON from auth server
Add logInfo/logError calls to credential-discovery, device-auth, and staging-api modules for easier debugging of auth flows. Also includes skill file updates and tanstack-start validation rules.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Eliminates manual credential entry by automatically fetching WorkOS staging credentials through OAuth 2.0 device authorization flow.
.envfiles for existingWORKOS_CLIENT_ID/WORKOS_API_KEY(with user consent)~/.workos/credentials.jsonwhen validCredential Resolution Priority
--api-key,--client-id) → Use directly.envfiles (with consent) → Ask user first, scan if approved~/.workos/credentials) → Fetch from staging APINew Modules
src/lib/device-auth.tssrc/lib/staging-api.tssrc/lib/credential-discovery.tsAPI Endpoint