Skip to content

add cloud auth commands#52

Merged
sdairs merged 5 commits intomainfrom
add-device-auth
Apr 1, 2026
Merged

add cloud auth commands#52
sdairs merged 5 commits intomainfrom
add-device-auth

Conversation

@kcmannem
Copy link
Copy Markdown
Collaborator

@kcmannem kcmannem commented Mar 19, 2026
edited
Loading

I don't know rust. All vibe code

We'll need a better token store strategy as well. Right now its a plaintext json file under Tokens saved to /Users/k/work/clickhousectl/.clickhouse/tokens.json

Screen.Recording.2026-03-24.at.3.50.25.PM.mov

@kcmannem kcmannem requested a review from iskakaushik March 19, 2026 17:43
@sdairs
Copy link
Copy Markdown
Collaborator

sdairs commented Mar 21, 2026
edited
Loading

Does the regular ClickHouse binary create a .clickhouse dir? I'm not aware of it doing that, just tried the installer and it doesn't create one. If not, we should revert to .clickhouse. We can think about that decision separately to Auth.

@sdairs
Copy link
Copy Markdown
Collaborator

sdairs commented Mar 21, 2026

Also, we'll need to make a call on Auth scope. I had deliberately made Auth project-local, so two projects weren't accidentally authd to the same workspace without being intentional. I think this is safer than making Auth global in the users home dir, as agents will likely just see that they have Auth and not question it.

@sdairs sdairs self-requested a review March 22, 2026 17:27
@kcmannem kcmannem marked this pull request as ready for review March 24, 2026 19:53
@kcmannem
Copy link
Copy Markdown
Collaborator Author

kcmannem commented Mar 24, 2026

@sdairs makes sense! I've updated the changes to reflect your comments. I do think we should reach out in the #dev channel to ensure we don't confuse/collide on the dot files.

I think this change is now reflective of whats required for cloud auth login. The rest of changes need to happen on control-plane.

@sdairs
Copy link
Copy Markdown
Collaborator

sdairs commented Mar 24, 2026

thanks @kcmannem looking good!

before we merge, one thing I want to consider for a moment is the command surface. I'm going to research how some other CLIs structure this.

e.g. gh is just gh auth login for oauth device, and then gh auth login --with-token to paste a PAT.

@kcmannem
Copy link
Copy Markdown
Collaborator Author

kcmannem commented Mar 26, 2026

Looks like the strip CLI does this too:

https://docs.stripe.com/stripe-cli/install#login-account

They provide a flag to login that allows you to use tokens with non-human flows

iskakaushik
iskakaushik approved these changes Mar 28, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@iskakaushik iskakaushik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code LGTM

@sdairs
Copy link
Copy Markdown
Collaborator

sdairs commented Mar 28, 2026

@kcmannem I think I like that direction, seems pretty consistent

login (device flow)
login --interactive (current behaviour of interactive prompt for API keys)
login --api-key X --api-secret Y (both required, if one supplied and other is missed, warn that the missing one is needed as well)
logout (deletes all credential files)
signup (future signup flow)

Thoughts - do we nest under auth or not?

@sdairs sdairs temporarily deployed to cloud-integration March 29, 2026 12:12 — with GitHub Actions Inactive
@sdairs
Copy link
Copy Markdown
Collaborator

sdairs commented Mar 29, 2026

Updated the command structure

kcmannem and others added 4 commits April 1, 2026 10:19
@kcmannem
add cloud auth commands
49c5413
@kcmannem
use right client ids and revert back to using .clickhouse dot dir
039cade
@sdairs @claude @kcmannem
Restructure auth commands under cloud auth login
fbe726e 
- login (default): OAuth device flow
- login --interactive: prompt for API key/secret
- login --api-key X --api-secret Y: non-interactive API key login
- logout: clears all credentials (tokens + API keys)
- Remove standalone "keys" subcommand

Update help text, agent context, CLAUDE.md, and README.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@kcmannem
use clickhousectl and fmt
173685a
@kcmannem kcmannem temporarily deployed to cloud-integration April 1, 2026 14:27 — with GitHub Actions Inactive
@sdairs @claude
Fix URL host matching to prevent token theft via spoofed domains
cef72da 
auth_config_for_url used substring matching, so a URL like
api.clickhouse.cloud.evil.com would match the production config and
cause real OAuth tokens to be sent to an attacker's server. Now uses
the url crate to parse and compare the exact hostname.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@sdairs sdairs had a problem deploying to cloud-integration April 1, 2026 15:13 — with GitHub Actions Failure
@sdairs
Copy link
Copy Markdown
Collaborator

sdairs commented Apr 1, 2026

pushed a small change, otherwise LGTM can merge when tests pass

@sdairs sdairs temporarily deployed to cloud-integration April 1, 2026 15:37 — with GitHub Actions Inactive
@kcmannem kcmannem requested a review from sdairs April 1, 2026 15:48
@sdairs sdairs merged commit 096769d into main Apr 1, 2026
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@iskakaushik iskakaushik iskakaushik approved these changes

@sdairs sdairs sdairs approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kcmannem @sdairs @iskakaushik