auth: handle token audience mismatch

changkun · changkun · commit c16dfe15f9f5 · 2026-05-04T01:18:38.000+02:00
diff --git a/internal/commands/auth.go b/internal/commands/auth.go
@@ -3,6 +3,7 @@ package commands
 import (
 	"bufio"
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -290,10 +291,14 @@ func runDeviceFlow(ctx context.Context, opts deviceFlowOpts) error {
 }
 
 // exchangeForCellaToken trades an auth-issued user JWT for a cella
-// bearer token. The CLI mints a short-TTL actor token at auth, then
-// exchanges it at cella's /v1/tokens/exchange. Either step may fail
-// (older auth without /actor-tokens, older cella without the token
-// catalog); the caller falls back to the auth token in that case.
+// bearer token. The preferred path mints a short-TTL actor token at
+// auth, then exchanges it at cella's /v1/tokens/exchange.
+//
+// Some deployed auth versions stamp device-code tokens with sandboxd's
+// audience, then reject those same tokens on /actor-tokens because the
+// auth middleware expects the auth issuer as audience. In that case the
+// device token is still accepted by sandboxd, so use it directly for the
+// cella exchange instead of persisting the short-lived auth token.
 func exchangeForCellaToken(ctx context.Context, opts deviceFlowOpts, authToken string) (string, error) {
 	authBase := opts.AuthURL
 	if authBase == "" {
@@ -324,6 +329,9 @@ func exchangeForCellaToken(ctx context.Context, opts deviceFlowOpts, authToken s
 	defer func() { _ = resp.Body.Close() }()
 	if resp.StatusCode/100 != 2 {
 		b, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<14))
+		if resp.StatusCode == http.StatusUnauthorized && strings.Contains(string(b), "audience mismatch") {
+			return exchangeAtCella(ctx, httpc, apiBase, authToken)
+		}
 		return "", fmt.Errorf("actor-tokens %d: %s", resp.StatusCode, b)
 	}
 	var actor struct {
@@ -334,17 +342,21 @@ func exchangeForCellaToken(ctx context.Context, opts deviceFlowOpts, authToken s
 	}
 
 	// 2. Exchange the actor token at cella.
+	return exchangeAtCella(ctx, httpc, apiBase, actor.ActorToken)
+}
+
+func exchangeAtCella(ctx context.Context, httpc *http.Client, apiBase, bearer string) (string, error) {
 	hostname, _ := os.Hostname()
 	if hostname == "" {
 		hostname = "CLI"
 	}
-	body, _ = json.Marshal(map[string]any{"label": "CLI on " + hostname})
+	body, _ := json.Marshal(map[string]any{"label": "CLI on " + hostname})
 	req2, err := http.NewRequestWithContext(ctx, http.MethodPost, apiBase+"/v1/tokens/exchange", strings.NewReader(string(body)))
 	if err != nil {
 		return "", err
 	}
 	req2.Header.Set("Content-Type", "application/json")
-	req2.Header.Set("Authorization", "Bearer "+actor.ActorToken)
+	req2.Header.Set("Authorization", "Bearer "+bearer)
 	resp2, err := httpc.Do(req2)
 	if err != nil {
 		return "", err
@@ -410,33 +422,137 @@ func newAuthWhoamiCmd() *cobra.Command {
 				Scopes        []string `json:"scopes"`
 				ClientID      string   `json:"client_id,omitempty"`
 			}
-			if err := req.GetJSON(cmd.Context(), "/tokeninfo", &info); err != nil {
-				return err
-			}
-			fmt.Printf("sub:           %s\n", info.Sub)
-			if info.Email != nil && *info.Email != "" {
-				fmt.Printf("email:         %s\n", *info.Email)
-			}
-			fmt.Printf("principal:     %s\n", info.PrincipalType)
-			if info.OrgID != nil && *info.OrgID != "" {
-				fmt.Printf("context:       org\n")
-				fmt.Printf("org_id:        %s\n", *info.OrgID)
+			if err := req.GetJSON(cmd.Context(), "/tokeninfo", &info); err == nil {
+				printPrincipal(principalInfo{
+					Sub:           info.Sub,
+					Email:         deref(info.Email),
+					PrincipalType: info.PrincipalType,
+					OrgID:         deref(info.OrgID),
+					Scopes:        info.Scopes,
+					ClientID:      info.ClientID,
+				})
+				return nil
 			} else {
-				fmt.Printf("context:       personal\n")
+				var apiErr *api.APIError
+				if !errors.As(err, &apiErr) || apiErr.Status != http.StatusUnauthorized {
+					return err
+				}
 			}
-			if info.ClientID != "" {
-				fmt.Printf("client_id:     %s\n", info.ClientID)
+
+			// Auth cannot introspect cella-issued tokens, and current
+			// auth deployments also reject sandbox-audience device
+			// tokens on /tokeninfo. Confirm sandboxd accepts the bearer,
+			// then print the identity claims embedded in the JWT.
+			var ignored any
+			if err := c.GetJSON(cmd.Context(), "/v1/sandboxes", &ignored); err != nil {
+				return err
 			}
-			if len(info.Scopes) > 0 {
-				fmt.Printf("scopes:        %s\n", strings.Join(info.Scopes, " "))
+			local, err := principalFromJWT(c.Token)
+			if err != nil {
+				return err
 			}
+			printPrincipal(local)
 			return nil
 		},
 	}
 	cmd.Flags().StringVar(&apiURL, "api-url", "", "override sandboxd base URL")
 	return cmd
 }
 
+type principalInfo struct {
+	Sub           string
+	Email         string
+	PrincipalType string
+	OrgID         string
+	Scopes        []string
+	ClientID      string
+}
+
+func printPrincipal(info principalInfo) {
+	fmt.Printf("sub:           %s\n", info.Sub)
+	if info.Email != "" {
+		fmt.Printf("email:         %s\n", info.Email)
+	}
+	fmt.Printf("principal:     %s\n", info.PrincipalType)
+	if info.OrgID != "" {
+		fmt.Printf("context:       org\n")
+		fmt.Printf("org_id:        %s\n", info.OrgID)
+	} else {
+		fmt.Printf("context:       personal\n")
+	}
+	if info.ClientID != "" {
+		fmt.Printf("client_id:     %s\n", info.ClientID)
+	}
+	if len(info.Scopes) > 0 {
+		fmt.Printf("scopes:        %s\n", strings.Join(info.Scopes, " "))
+	}
+}
+
+func deref(s *string) string {
+	if s == nil {
+		return ""
+	}
+	return *s
+}
+
+func principalFromJWT(raw string) (principalInfo, error) {
+	parts := strings.Split(raw, ".")
+	if len(parts) < 2 {
+		return principalInfo{}, errors.New("saved token is not a JWT")
+	}
+	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		return principalInfo{}, fmt.Errorf("decode token payload: %w", err)
+	}
+	var claims map[string]any
+	if err := json.Unmarshal(payload, &claims); err != nil {
+		return principalInfo{}, fmt.Errorf("parse token payload: %w", err)
+	}
+	info := principalInfo{
+		Sub:           stringClaim(claims, "sub"),
+		Email:         stringClaim(claims, "email"),
+		PrincipalType: stringClaim(claims, "principal_type"),
+		OrgID:         stringClaim(claims, "org_id"),
+		Scopes:        scopesClaim(claims),
+		ClientID:      stringClaim(claims, "client_id"),
+	}
+	if info.Sub == "" {
+		return principalInfo{}, errors.New("saved token is missing sub")
+	}
+	if info.PrincipalType == "" {
+		info.PrincipalType = "user"
+	}
+	return info, nil
+}
+
+func stringClaim(claims map[string]any, key string) string {
+	v, _ := claims[key].(string)
+	return v
+}
+
+func scopesClaim(claims map[string]any) []string {
+	if scope, _ := claims["scope"].(string); scope != "" {
+		return strings.Fields(scope)
+	}
+	raw, ok := claims["scp"]
+	if !ok {
+		return nil
+	}
+	switch v := raw.(type) {
+	case string:
+		return strings.Fields(v)
+	case []any:
+		out := make([]string, 0, len(v))
+		for _, item := range v {
+			if s, ok := item.(string); ok && s != "" {
+				out = append(out, s)
+			}
+		}
+		return out
+	}
+	return nil
+}
+
 func newAuthLogoutCmd() *cobra.Command {
 	return &cobra.Command{
 		Use:   "logout",
diff --git a/internal/commands/auth_test.go b/internal/commands/auth_test.go
@@ -0,0 +1,145 @@
+package commands
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/latere-ai/latere-cli/internal/api"
+)
+
+func TestExchangeForCellaTokenFallsBackToDirectExchangeOnActorAudienceMismatch(t *testing.T) {
+	authSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/actor-tokens" {
+			http.NotFound(w, r)
+			return
+		}
+		if got := r.Header.Get("Authorization"); got != "Bearer auth-token" {
+			t.Errorf("auth Authorization = %q", got)
+		}
+		w.WriteHeader(http.StatusUnauthorized)
+		_, _ = w.Write([]byte(`{"error":"unauthorized","message":"invalid token: audience mismatch"}`))
+	}))
+	defer authSrv.Close()
+
+	apiSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/v1/tokens/exchange" {
+			http.NotFound(w, r)
+			return
+		}
+		if got := r.Header.Get("Authorization"); got != "Bearer auth-token" {
+			t.Errorf("cella Authorization = %q", got)
+		}
+		var body map[string]any
+		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+			t.Errorf("decode body: %v", err)
+		}
+		if label, _ := body["label"].(string); !strings.HasPrefix(label, "CLI on ") {
+			t.Errorf("label = %q", label)
+		}
+		_, _ = w.Write([]byte(`{"access_token":"cella-token"}`))
+	}))
+	defer apiSrv.Close()
+
+	got, err := exchangeForCellaToken(context.Background(), deviceFlowOpts{
+		AuthURL: authSrv.URL,
+		APIURL:  apiSrv.URL,
+	}, "auth-token")
+	if err != nil {
+		t.Fatalf("exchangeForCellaToken: %v", err)
+	}
+	if got != "cella-token" {
+		t.Fatalf("token = %q, want cella-token", got)
+	}
+}
+
+func TestAuthWhoamiFallsBackToVerifiedJWTClaims(t *testing.T) {
+	token := fakeJWT(t, map[string]any{
+		"sub":            "user-123",
+		"email":          "dev@example.com",
+		"principal_type": "user",
+		"org_id":         "org-456",
+		"client_id":      "latere-cli",
+		"scp":            []string{"read:sandbox", "write:sandbox"},
+	})
+	tokenPath := filepath.Join(t.TempDir(), "token.json")
+	t.Setenv("LATERE_TOKEN_FILE", tokenPath)
+	if err := api.SaveToken(tokenPath, api.Token{AccessToken: token, TokenType: "Bearer"}); err != nil {
+		t.Fatalf("SaveToken: %v", err)
+	}
+
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if got := r.Header.Get("Authorization"); got != "Bearer "+token {
+			t.Errorf("Authorization = %q", got)
+		}
+		switch r.URL.Path {
+		case "/tokeninfo":
+			w.WriteHeader(http.StatusUnauthorized)
+			_, _ = w.Write([]byte(`{"error":"unauthorized","message":"invalid token: audience mismatch"}`))
+		case "/v1/sandboxes":
+			_, _ = w.Write([]byte(`[]`))
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+	defer srv.Close()
+
+	cmd := newAuthWhoamiCmd()
+	cmd.SetArgs([]string{"--api-url", srv.URL})
+	out, err := captureStdout(func() error { return cmd.Execute() })
+	if err != nil {
+		t.Fatalf("whoami: %v", err)
+	}
+	for _, want := range []string{
+		"sub:           user-123",
+		"email:         dev@example.com",
+		"principal:     user",
+		"context:       org",
+		"org_id:        org-456",
+		"client_id:     latere-cli",
+		"scopes:        read:sandbox write:sandbox",
+	} {
+		if !strings.Contains(out, want) {
+			t.Fatalf("output missing %q:\n%s", want, out)
+		}
+	}
+}
+
+func fakeJWT(t *testing.T, payload map[string]any) string {
+	t.Helper()
+	enc := func(v any) string {
+		b, err := json.Marshal(v)
+		if err != nil {
+			t.Fatalf("marshal JWT part: %v", err)
+		}
+		return base64.RawURLEncoding.EncodeToString(b)
+	}
+	return enc(map[string]any{"alg": "none"}) + "." + enc(payload) + ".sig"
+}
+
+func captureStdout(fn func() error) (string, error) {
+	orig := os.Stdout
+	r, w, err := os.Pipe()
+	if err != nil {
+		return "", err
+	}
+	os.Stdout = w
+	runErr := fn()
+	_ = w.Close()
+	os.Stdout = orig
+	var buf bytes.Buffer
+	_, copyErr := io.Copy(&buf, r)
+	_ = r.Close()
+	if runErr != nil {
+		return buf.String(), runErr
+	}
+	return buf.String(), copyErr
+}
