[Feat] CLI Login

[HeshamHM28]

Fixes cf-841

Screen.Recording.2025-11-18.at.12.05.33.AM.mov

PR Type

Enhancement

---

Description

• Add OAuth PKCE login flow

• CLI prompt supports login or API key

• Save OAuth token as API key

• Improve auth success/error UX

---

Diagram Walkthrough

flowchart LR
  CLI["CLI init: prompt_api_key"] -- "Choose Login" --> OAuth["perform_oauth_signin()"]
  CLI -- "Choose API key" --> Manual["enter_api_key_and_save_to_rc()"]
  OAuth -- "Start local server" --> Server["HTTP /callback + /status"]
  OAuth -- "Open browser" --> AuthPage["CodeFlash OAuth page"]
  AuthPage -- "Redirect with code/state" --> Server
  Server -- "Provide status" --> Browser["Loading/Success/Error UI"]
  OAuth -- "Exchange code for token" --> Token["API key (access_token)"]
  Token -- "Save to RC + env" --> CLI

Loading

File Walkthrough

Relevant files

Enhancement

cmd_init.py CLI prompt adds OAuth login path                                                  codeflash/cli_cmds/cmd_init.py Add OAuth signin option to API key prompt Integrate perform_oauth_signin and save token Preserve existing manual API key flow Telemetry events for both auth paths +54/-3    oauth_handler.py New OAuth handler with PKCE and local HTTP                              codeflash/code_utils/oauth_handler.py Implement OAuth PKCE flow with local server Serve callback and status endpoints with HTML UX Exchange auth code for API token via cfwebapp Expose perform_oauth_signin helper for CLI +744/-0

---

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🧪 No relevant tests

🔒 Security concerns Open redirect/callback exposure: The local server’s /status endpoint sets "Access-Control-Allow-Origin: *" which allows any web page to poll local auth status. While data is minimal, it could leak success state. Consider restricting CORS or removing the header.

⚡ Recommended focus areas for review Typo/UX The auth choice label says "Login in with Codeflash" which seems grammatically off; consider "Log in with CodeFlash" or "Sign in with CodeFlash" to avoid user confusion. auth_choices = [ "🔐 Login in with Codeflash", "🔑 Use Codeflash API key" ] questions = [ Port Binding Local HTTP server binds to "localhost" only; some systems/browsers may resolve to IPv6 (::1) causing callback issues. Consider binding to 127.0.0.1 explicitly and ensuring the redirect URI matches, or support dual-stack. handler_class = self.create_callback_handler() httpd = http.server.HTTPServer(("localhost", port), handler_class) def serve_forever_wrapper(): httpd.serve_forever() Error Messaging Token exchange sets a generic "Unauthorized" for most failures, discarding server-provided details. Preserve and surface specific error messages to improve debugging and UX, and reflect them via /status for the browser UI. except requests.exceptions.HTTPError as e: error_msg = f"HTTP {e.response.status_code}" try: error_data = e.response.json() error_msg = error_data.get("error_description", error_data.get("error", error_msg)) except: pass self.token_error = "Unauthorized" click.echo(f"❌ {self.token_error}") return None except Exception as e: self.token_error = "Unauthorized" click.echo(f"❌ {self.token_error}") return None

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Security	Bind port to localhost only Bind explicitly to localhost to avoid selecting an interface that's not loopback. This prevents the auth server from being unreachable when the browser is redirected to 127.0.0.1 while the server listens on 0.0.0.0 or another interface. It also reduces surface area by not exposing the callback server on all interfaces. codeflash/code_utils/oauth_handler.py [591-595] def get_free_port() -> int: - """Find an available port""" + """Find an available port bound to localhost""" with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: - s.bind(("", 0)) + s.bind(("127.0.0.1", 0)) return s.getsockname()[1] Suggestion importance[1-10]: 7 __ Why: Correctly narrows the bind to loopback which improves security and aligns with the redirect to localhost; a modest but meaningful improvement with low risk.	Medium
Possible issue	Use loopback and reuse address Use the same explicit loopback address consistently and enable socket reuse to avoid race conditions and "address already in use" errors on quick retries. This improves reliability of starting the local callback server across platforms. codeflash/code_utils/oauth_handler.py [608-620] def start_local_server(self, port: int) -> http.server.HTTPServer: """Start local HTTP server for OAuth callback""" handler_class = self.create_callback_handler() - httpd = http.server.HTTPServer(("localhost", port), handler_class) + http.server.HTTPServer.allow_reuse_address = True + httpd = http.server.HTTPServer(("127.0.0.1", port), handler_class) def serve_forever_wrapper(): httpd.serve_forever() - server_thread = threading.Thread(target=serve_forever_wrapper) + server_thread = threading.Thread(target=serve_forever_wrapper, name="cf-oauth-http") server_thread.daemon = True server_thread.start() return httpd Suggestion importance[1-10]: 6 __ Why: Consistently using 127.0.0.1 and enabling address reuse can reduce bind errors and exposure; helpful but not critical.	Low
General	Surface OAuth error details Include the actual OAuth error details in the CLI output to aid debugging and user remediation. Currently the message hides oauth.error, leaving users without actionable information. codeflash/code_utils/oauth_handler.py [721-724] if oauth.error: httpd.shutdown() - click.echo(f"❌ Authentication failed:") + click.echo(f"❌ Authentication failed: {oauth.error}") return None Suggestion importance[1-10]: 6 __ Why: Including oauth.error in the message improves diagnosability with minimal change and no downside, but is not critical to functionality.	Low

[aseembits93]

screenshots if possible @HeshamHM28

[misrasaurabh1]

why do we have html in the cli?

[HeshamHM28]

That is for the local server used on local machines.

[misrasaurabh1]

is generating this in the cli side where the user can modify this generation logic a security vulnerability? what is user has full control of the generation string, would that degrade the security somehow?

[HeshamHM28]

It is safe because we ensure the user is authenticated in cf-webapp before exchanging the code. Even if the user overrides this value, they will still receive their own API key.

[misrasaurabh1]

wait, we are doing local server way of authentication? this won't work in remote machines.
why are we not doing polling?

[HeshamHM28]

I implemented remote-machine logic in the last commit.

[codeflash-ai]

This PR is now faster! 🚀 HeshamHM28 accepted my code suggestion above.

[codeflash-ai]

⚡️ Codeflash found optimizations for this PR

📄 11% (0.11x) speedup for should_attempt_browser_launch in codeflash/code_utils/oauth_handler.py

⏱️ Runtime : 248 microseconds → 224 microseconds (best of 63 runs)

A dependent PR with the suggested changes has been created. Please review:

• ⚡️ Speed up function should_attempt_browser_launch by 11% in PR #928 (feat/cli/login) #933

If you approve, it will be merged into this PR (branch feat/cli/login).

[aseembits93]

waiting for #931 to be merged @KRRT7 @HeshamHM28

[misrasaurabh1]

why do we want TUI to be merged for this? we should merge this first

[HeshamHM28]

why do we want TUI to be merged for this? we should merge this first

Because this change will require additional updates to TUI, so @KRRT7 suggested merging it after TUI.

[misrasaurabh1]

merge this first for the CLI init. we still need to experiment more with TUI to make a decision to see if it is going to be better than the cli init for the users.

[KRRT7]

let's merge it in now, the TUI flow currently requires a bit more testing before merging it in