fix: replace OAuth callback server with copy/paste flow #35
Conversation
Remove the localhost HTTP callback server from the OAuth init flow and replace it with a manual copy/paste approach (matching the pattern used by google-readonly). The callback server, browser-opening code, and --no-browser flag triggered Windows SmartScreen/Defender heuristic detection, causing winget validation to fail with "Installer failed security check". The redirect URL remains http://localhost:8080/callback so existing Connected App configurations are unaffected.

Closes #34
Test Coverage Assessment

Summary

This PR replaces the OAuth callback server with a manual copy/paste flow. The test coverage for the changed code is adequate. The changes are primarily deletion of code (net -151 lines), so the main risk surface is small, and the tests that exist target it well.

What's covered

This is the function most likely to see unexpected user input, and the edge cases are solid.

What's not covered (and whether it matters)

Deleted code (

Verdict

No test gaps that warrant blocking this PR. The critical parsing logic (
Summary

- Removed the localhost HTTP callback server (internal/auth/callback.go) from the OAuth init flow
- Replaced it with a manual copy/paste flow, matching google-readonly (gro)
- Removed the openBrowser() function and --no-browser flag
- Redirect URL remains http://localhost:8080/callback — existing Connected App configs unaffected

Why

The callback server, browser-opening code (os/exec), and local HTTP server (net.Listen, http.Server) triggered Windows SmartScreen/Defender heuristic detection, causing winget validation to repeatedly fail with "Installer failed security check" (microsoft/winget-pkgs#335819). Other CLIs (jtk, cfl, slack-chat-cli) pass winget validation clean because they don't run a local server.

Changes

| File | Change |
| --- | --- |
| internal/auth/callback.go | Deleted: StartCallbackServer, CallbackResult, all server code |
| internal/auth/auth.go | DefaultCallbackPort → CallbackURL constant (no more fmt.Sprintf) |
| internal/cmd/initcmd/init.go | Removed os/exec, runtime, time imports |
| internal/cmd/initcmd/init_test.go | Removed --no-browser flag test, added URL parsing edge cases |

Net: -151 lines (39 added, 190 removed)

Test plan

- go build ./... — compiles clean
- go test ./... — all 25 packages pass
- go vet ./... — no issues
- golangci-lint run — 0 issues
- sfdc init prints URL, accepts pasted code, exchanges token

Closes #34