Skip to content

CLI emdash login fails against remote instances #54

Open
#72
Open
CLI emdash login fails against remote instances#54
#72
@tprovick

Description

@tprovick
tprovick
opened on Apr 2, 2026

The CLI emdash login command fails against remote EmDash instances due to two distinct issues.

Issue 1: Response envelope mismatch (device flow)

The server's OAuth device flow endpoints wrap responses in {"data": {...}}, but the CLI expects the fields at the top level.

Affected endpoints:

  • POST /_emdash/api/oauth/device/code — returns {"data": {"device_code": ..., "verification_uri": ..., "user_code": ...}}
  • POST /_emdash/api/oauth/device/token — returns {"data": {"access_token": ..., "expires_in": ...}}

Symptoms:

  • verification_uri and user_code display as undefined during login
  • After authorizing in the browser, login fails with ERROR Invalid time value (because expires_in is undefined)

These were verified independently — patching only the device code response allowed login to proceed to the token exchange, which then failed with the same wrapping issue.

Fix: Unwrap the .data property when parsing these responses in the CLI

Issue 2: Device flow token lacks admin scope

Separately from the envelope issue, the CLI's device code request does not include a scope parameter:

{"client_id": "emdash-cli"}

The resulting token is issued without admin scope, so all subsequent CLI commands fail with INSUFFICIENT_SCOPE / Token lacks required scope: admin — even when the authorizing user is an admin.

This was verified by patching issue 1, completing a successful login, then running emdash whoami which returned a 403.

Fix: Adding "scope": "admin" to the device code request resolved this for me.

Steps to reproduce

  1. Deploy an EmDash site to Cloudflare (with or without Cloudflare Access)
  2. Run npx emdash login --url https://<your-site>
  3. Observe undefined for the verification URL and user code (issue 1)
  4. If issue 1 is patched locally, complete the browser authorization
  5. Observe ERROR Invalid time value (issue 1, token endpoint)
  6. If both envelope issues are patched, complete login and run npx emdash whoami
  7. Observe Failed to fetch user info: 403 / INSUFFICIENT_SCOPE (issue 2)

Environment

  • EmDash v0.1.0 (both server and CLI)
  • Deployed to Cloudflare Workers with D1
  • Tested with and without Cloudflare Access (Access auth itself works correctly; the issues are in the subsequent EmDash device flow)

Workaround

I patchednode_modules/emdash/dist/cli/index.mjs with the unwrap fix and scope addition described above. Patches need to be re-applied after any npm install.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions