Skip to content

auth status: explain why authentication failed instead of a bare "Unauthorized"#86

Open
jordanenglish wants to merge 1 commit into
hashicorp:mainfrom
jordanenglish:fix/auth-status-401-diagnostics
Open

auth status: explain why authentication failed instead of a bare "Unauthorized"#86
jordanenglish wants to merge 1 commit into
hashicorp:mainfrom
jordanenglish:fix/auth-status-401-diagnostics

Conversation

@jordanenglish

@jordanenglish jordanenglish commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

What

tfctl auth status currently prints a single opaque line — X Unauthorized for <host> — for three genuinely different failures:

  1. No token configured at all
  2. A token the server rejected (HTTP 401)
  3. The request never reached the server (network/DNS, or some other non-2xx HTTP status)

You can't tell an expired token from a network blip, and the message points at no remedy.

Change

Classify the /account/details error and print a cause-specific, actionable message. The go-tfe *APIError arrives wrapped in a *url.Error, so classification uses errors.As to walk the chain rather than matching the top-level type.

Cause Message
no token No token configured for <host>. Run 'tfctl auth login' to authenticate.
rejected (401) token may be expired/revoked (tfctl auth login), or an SSO session that has lapsed on SSO-protected Terraform Enterprise (re-authenticate in the browser, then retry)
other HTTP status <host> returned HTTP N (not an authentication problem).
unreachable Could not reach <host>: <err>

JSON/agent output gains a machine-readable reason field (no_token / rejected / server_error / unreachable) so scripts can branch on the cause.

The 401 message is the motivating case: on SAML-SSO Terraform Enterprise a user token is gated by the SSO session, so it 401s well before its own expiry — indistinguishable from a truly expired token under the old wording.

Tests

  • Updated TestStatus_Unauthorized / TestStatus_NoToken to assert the new cause-specific messages (drives a real 401 through the go-tfe client).
  • Added TestStatus_Unauthorized_JSON (asserts reason in JSON output) and TestClassifyAuthError (covers the 401 / wrapped-*url.Error / other-status / unreachable branches).
  • gofmt, go vet, and go test ./... clean.

PR Checklist

  • Run npx changie new or install changie to prepare a new changelog entry for the next set of release notes.
    • Added .changes/unreleased/ENHANCEMENTS-*.yaml (kind: ENHANCEMENTS).
  • Ensure any command changes are sensitive to these global flags:
    • --json — Force machine readable output to stdout. Does not apply to stderr.
    • --markdown — Force markdown output to stdout. Does not apply to stderr.
    • --dry-run — Don't make any actual writes or other mutations. Describe what would have changed to stderr.
    • --quiet — Don't render output to stdout.
    • auth status is read-only, so --dry-run is not applicable. The failure messages go to stderr (as before); JSON/agent output gains a machine-readable reason field on the existing inactive result. --quiet behavior is unchanged.
  • Get the logging interface from the context and add debug logging for interesting conditions and nonfatal situations.
    • No new silent nonfatal paths: the previously opaque failure causes are now surfaced to the user on stderr.
  • Run make gen/screenshot if the root command output changes.
    • Not required: only auth status output changes; the root command output is unchanged.
  • Add the Autocomplete field to positional arguments and flags to assist shell autocomplete.
    • N/A: no arguments or flags are added.

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.

  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

    • Reverting the PR fully removes the change; no additional revert steps or data migration.
  • If applicable, I've documented the impact of any changes to security controls.

    • N/A: this only improves diagnostic messaging for an existing auth failure. No auth, token handling, or permission behavior changes, and no secret material (e.g. token value or fingerprint) is printed.

…uthorized"

`auth status` collapsed three distinct failures into one opaque
"Unauthorized for <host>" line: no token configured, a token the server
rejected (401), and the request never reaching the server (network/DNS,
or some other HTTP status). Users could not tell an expired token from a
connectivity blip, and the message suggested no remedy.

Classify the /account/details error with errors.As on the go-tfe
*APIError (it arrives wrapped in a *url.Error) and print a cause-specific,
actionable message:

  - no token       -> run `tfctl auth login`
  - rejected (401) -> token expired/revoked (auth login), or an SSO
                      session that has lapsed on SSO-protected Terraform
                      Enterprise (re-authenticate in the browser)
  - other status   -> "<host> returned HTTP N" (not an auth problem)
  - unreachable    -> "could not reach <host>: <err>"

JSON/agent output gains a machine-readable `reason` field so scripts can
branch on the cause.
@jordanenglish
jordanenglish force-pushed the fix/auth-status-401-diagnostics branch from 5aac03f to 213cd0a Compare July 17, 2026 05:57
@jordanenglish
jordanenglish marked this pull request as ready for review July 17, 2026 05:59

@brandonc brandonc left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Once again, a very useful and uncontroversial change. Thanks!

Comment on lines +210 to +212
fmt.Fprintf(w, "%s Token for %s was rejected (HTTP 401).\n", icon, hostname)
fmt.Fprintf(w, " - The token may be expired or revoked: run '%s auth login' to create a new one.\n", version.Name)
fmt.Fprintf(w, " - On SSO-protected Terraform Enterprise, your browser SSO session may have lapsed: re-authenticate in the browser, then retry.\n")

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to slightly reword this (unless you disagree) and add the Terraform Enterprise condition to simplify the message for HCP Terraform users.

Suggested change
fmt.Fprintf(w, "%s Token for %s was rejected (HTTP 401).\n", icon, hostname)
fmt.Fprintf(w, " - The token may be expired or revoked: run '%s auth login' to create a new one.\n", version.Name)
fmt.Fprintf(w, " - On SSO-protected Terraform Enterprise, your browser SSO session may have lapsed: re-authenticate in the browser, then retry.\n")
fmt.Fprintf(w, "%s Token for %s was invalid (HTTP 401).\n", icon, hostname)
fmt.Fprintf(w, " - The token may be expired, revoked, or disabled: run '%s auth login' to create a new one.\n", version.Name)
if !strings.HasSuffix(opts.Profile.GetHostname(), ".terraform.io") {
fmt.Fprintf(w, " - Your Terraform Enterprise SSO session may have expired: sign in again, then retry.\n")
}
fmt.Fprintf(w, " - Ensure you are using the intended token configuration by adding '--debug' to this command")

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants