Skip to content

fix: reframe vmx_login() device-code prompt to match pre-filled URL (GEN-2378)#15

Merged
ericnovik merged 1 commit into
mainfrom
feature/gen-2378-login-prompt-copy
Jul 10, 2026
Merged

fix: reframe vmx_login() device-code prompt to match pre-filled URL (GEN-2378)#15
ericnovik merged 1 commit into
mainfrom
feature/gen-2378-login-prompt-copy

Conversation

@agentic-task-writer

Copy link
Copy Markdown
Contributor

Summary

  • vmx_login() now prints its own device-code guidance before running the flow: "a browser will open; check the code it shows matches, then approve" + a note that you may not be prompted to paste the code (it's pre-filled in the URL). This reframes the misleading Copy <code> and paste when requested by the browser line that upstream httr2::oauth_flow_device() hard-codes.
  • Guidance is scoped to the interactive/browser branch only. In the non-interactive fallback (httr2 opens the plain verification_uri and prints Visit <url> and enter code <code>), entering the code is the real step, so vmxr stays silent and lets httr2's accurate line stand.
  • NEWS entry + unit tests (verify-and-approve wording present, misleading copy/paste absent, silent in the fallback branch, and vmx_login() shows the guidance before the flow).

Closes GEN-2378

Why this shape (Option B, per the issue's decision comment)

A prior headless pass surfaced that vmxr doesn't own the prompt text.vmx_oidc_device_flow() is a one-line delegation to httr2::oauth_flow_device(), and the "copy & paste" string is hard-coded inside httr2 with no override argument (it wraps a bare readline()). The owner's decision on the issue was Option B, modified: print vmxr's own verify-and-approve guidance around the httr2 call, adding "you may not be prompted for the code because it's in the URL" — since httr2's line can't be removed, this pre-frames it. That "may not" hedge is also what makes a single message correct across both httr2 branches without vmxr being able to see which one it took.

This is copy-only — no change to the auth mechanism (device-code flow / token caching), which is WAI per GEN-2261 / GEN-2330 and explicitly out of scope.

Test plan

  • .vmx_oidc_device_prompt(interactive = TRUE) emits verify/approve/pre-filled guidance and no "paste when requested" text
  • .vmx_oidc_device_prompt(interactive = FALSE) emits nothing (fallback branch left to httr2)
  • vmx_login() invokes the guidance immediately before the device flow
  • CI green (R CMD check + testthat)

🤖 Generated with Claude Code

…GEN-2378)

httr2::oauth_flow_device() hard-codes "Copy <code> and paste when requested
by the browser", but it opens verification_uri_complete (the URL that already
embeds the user_code), so Authentik shows the code pre-filled and never asks
the user to paste it. vmx_login() now prints its own guidance before the flow
-- verify the code shown in the browser matches, then approve, with a note that
you may not be prompted to paste it -- reframing httr2's misleading line, which
we can't reword or suppress. The guidance is scoped to the interactive/browser
branch; the non-interactive fallback (plain verification_uri, where entering
the code IS the step) keeps httr2's accurate "Visit ... and enter code" line.

Implements the owner's Option B (modified) decision on GEN-2378.
@ericnovik
ericnovik merged commit 5f5df85 into main Jul 10, 2026
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant