fix: reframe vmx_login() device-code prompt to match pre-filled URL (GEN-2378)#15
Merged
Merged
Conversation
…GEN-2378) httr2::oauth_flow_device() hard-codes "Copy <code> and paste when requested by the browser", but it opens verification_uri_complete (the URL that already embeds the user_code), so Authentik shows the code pre-filled and never asks the user to paste it. vmx_login() now prints its own guidance before the flow -- verify the code shown in the browser matches, then approve, with a note that you may not be prompted to paste it -- reframing httr2's misleading line, which we can't reword or suppress. The guidance is scoped to the interactive/browser branch; the non-interactive fallback (plain verification_uri, where entering the code IS the step) keeps httr2's accurate "Visit ... and enter code" line. Implements the owner's Option B (modified) decision on GEN-2378.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
vmx_login()now prints its own device-code guidance before running the flow: "a browser will open; check the code it shows matches, then approve" + a note that you may not be prompted to paste the code (it's pre-filled in the URL). This reframes the misleadingCopy <code> and paste when requested by the browserline that upstreamhttr2::oauth_flow_device()hard-codes.verification_uriand printsVisit <url> and enter code <code>), entering the code is the real step, so vmxr stays silent and lets httr2's accurate line stand.vmx_login()shows the guidance before the flow).Closes GEN-2378
Why this shape (Option B, per the issue's decision comment)
A prior headless pass surfaced that vmxr doesn't own the prompt text —
.vmx_oidc_device_flow()is a one-line delegation tohttr2::oauth_flow_device(), and the "copy & paste" string is hard-coded inside httr2 with no override argument (it wraps a barereadline()). The owner's decision on the issue was Option B, modified: print vmxr's own verify-and-approve guidance around the httr2 call, adding "you may not be prompted for the code because it's in the URL" — since httr2's line can't be removed, this pre-frames it. That "may not" hedge is also what makes a single message correct across both httr2 branches without vmxr being able to see which one it took.This is copy-only — no change to the auth mechanism (device-code flow / token caching), which is WAI per GEN-2261 / GEN-2330 and explicitly out of scope.
Test plan
.vmx_oidc_device_prompt(interactive = TRUE)emits verify/approve/pre-filled guidance and no "paste when requested" text.vmx_oidc_device_prompt(interactive = FALSE)emits nothing (fallback branch left to httr2)vmx_login()invokes the guidance immediately before the device flow🤖 Generated with Claude Code