Pin AuthBaseURL default to https://us.auth.entire.io#1297
Merged
Conversation
ENT-733: the CLI is split-host by default. AuthBaseURL() previously fell back to BaseURL() when ENTIRE_AUTH_BASE_URL was unset — useful when v1 auth lived on the same host as the data API. With v1 auth going away, collapsing onto the data host gives you a URL that doesn't speak OAuth, so the fallback now points at the production us.auth.entire.io. This implicitly flips effectiveProviderVersion() to v2 on a fresh install (split-host auto-detect fires), which matches the OIDC surface us.auth.entire.io serves. Local-dev and explicit single-host deployments must now set both ENTIRE_API_BASE_URL and ENTIRE_AUTH_BASE_URL — same-host inheritance is no longer meaningful. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Entire-Checkpoint: 0449adcb2a80
Contributor
There was a problem hiding this comment.
Pull request overview
Pins the default AuthBaseURL() to https://us.auth.entire.io instead of inheriting from BaseURL(), making fresh installs split-host and provider-v2 by default. Tests and surrounding comments are updated to reflect the new fallback semantics.
Changes:
AuthBaseURL()falls back to a newDefaultAuthBaseURLconstant instead ofBaseURL().- Provider auto-detect now resolves to v2 for unset env vars (split-host default); related tests/comments updated.
- Tests for
IsSplitHost,AuthBaseURL, andLookupCurrentTokenupdated to set both URLs explicitly where needed.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| cmd/entire/cli/api/base_url.go | Adds DefaultAuthBaseURL and changes AuthBaseURL() fallback to it |
| cmd/entire/cli/api/base_url_test.go | Updates fallback and split-host expectations to new defaults |
| cmd/entire/cli/auth/provider.go | Updates comment explaining v2 as the new default |
| cmd/entire/cli/auth/provider_test.go | Renames and inverts default-version test from v1 to v2 |
| cmd/entire/cli/auth/store.go | Updates doc comment for LookupCurrentToken |
| cmd/entire/cli/auth/store_test.go | Sets both API and auth base URLs in TestLookupCurrentToken |
| cmd/entire/cli/auth.go | Updates comment on requireSecureBaseURL |
ENT-733 follow-up: AuthBaseURL no longer inherits from BaseURL, so any caller that only sets ENTIRE_API_BASE_URL silently reaches for the production us.auth.entire.io for the device flow. Pin both env vars in the integration test, the smoke script, and the README local-dev example so login stays on the intended host. The integration TestLogin_* suite previously hung for two minutes here (login dialed the public us.auth.entire.io instead of the in-process httptest server) — confirmed by reproducing the timeout before the fix and passing in ~4s after. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Entire-Checkpoint: cc42c745d3a1
evjan
approved these changes
May 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
https://entire.io/gh/entireio/cli/trails/453
Closes ENT-733.
Summary
AuthBaseURL()now defaults tohttps://us.auth.entire.iowhenENTIRE_AUTH_BASE_URLis unset, instead of inheriting fromBaseURL().effectiveProviderVersion()tov2for fresh installs — the OIDC surfaceus.auth.entire.ioserves and the existing split-host auto-detect already maps to.BaseURL()was only meaningful in the v1 world where a single host served both data and auth. With v1 going away, the fallback would have pointed auth at a URL that doesn't speak OAuth.Behaviour change
entire.io(v1)entire.io, authus.auth.entire.io(v2)ENTIRE_API_BASE_URL=http://localhost:8787onlyus.auth.entire.ioLocal-dev and explicit single-host deployments must now set both
ENTIRE_API_BASE_URLandENTIRE_AUTH_BASE_URL.Test plan
go test ./...passesmise run lintpassesentire loginagainst production talks tous.auth.entire.io🤖 Generated with Claude Code
Note
High Risk
Changes default login/OAuth endpoints and provider version for all installs without env overrides; local-dev setups that only set ENTIRE_API_BASE_URL will point auth at production until both vars are set.
Overview
Default auth host is now
https://us.auth.entire.iowhenENTIRE_AUTH_BASE_URLis unset, instead of reusing the data API base fromBaseURL(). Production defaults are split-host: data onentire.io, auth onus.auth.entire.io.That makes unset-env installs split-host (
IsSplitHost()true) andeffectiveProviderVersion()→ v2 (OIDC paths on the auth host). v1 remains only when both origins are explicitly the same host. Local dev or single-host setups must set bothENTIRE_API_BASE_URLandENTIRE_AUTH_BASE_URL(setting only the data URL no longer collapses auth onto that host).Tests and comments were updated for the new fallback, split-host defaults, and keyring lookup keyed by
AuthBaseURL().Reviewed by Cursor Bugbot for commit 54d7515. Configure here.