|
1 | | -package project |
2 | | - |
3 | | -import ( |
4 | | - "errors" |
5 | | - "fmt" |
6 | | - |
7 | | - "github.com/hookdeck/hookdeck-cli/pkg/config" |
8 | | - "github.com/hookdeck/hookdeck-cli/pkg/hookdeck" |
9 | | -) |
10 | | - |
11 | | -// ErrCIScopedCredentials is returned when the stored CLI key is valid but not |
12 | | -// associated with a user (for example after hookdeck ci). |
13 | | -var ErrCIScopedCredentials = errors.New( |
14 | | - "listing projects requires a user-associated CLI key; keys from hookdeck ci are scoped to a single project; " + |
15 | | - "run hookdeck login in an interactive terminal, hookdeck login --cli-key with a product CLI key, or hookdeck_login via MCP for full account access", |
16 | | -) |
17 | | - |
18 | | -// ValidateCredentials calls GET /cli-auth/validate without sending X-Team-ID. |
19 | | -func ValidateCredentials(config *config.Config) (*hookdeck.ValidateAPIKeyResponse, error) { |
20 | | - return config.GetAPIClient().ValidateAPIKey() |
21 | | -} |
22 | | - |
23 | | -// EnsureUserAssociatedCredentials rejects CI-scoped keys before cross-project calls. |
24 | | -func EnsureUserAssociatedCredentials(config *config.Config) error { |
25 | | - response, err := ValidateCredentials(config) |
26 | | - if err != nil { |
27 | | - return err |
28 | | - } |
29 | | - if response.UserID == "" { |
30 | | - return ErrCIScopedCredentials |
31 | | - } |
32 | | - return nil |
33 | | -} |
34 | | - |
35 | | -// EnsureUserAssociatedClient rejects CI-scoped keys for an in-memory API client (MCP). |
36 | | -func EnsureUserAssociatedClient(client *hookdeck.Client) error { |
37 | | - if client == nil || client.APIKey == "" { |
38 | | - return fmt.Errorf("not authenticated") |
39 | | - } |
40 | | - response, err := client.ValidateAPIKey() |
41 | | - if err != nil { |
42 | | - return err |
43 | | - } |
44 | | - if response.UserID == "" { |
45 | | - return ErrCIScopedCredentials |
46 | | - } |
47 | | - return nil |
48 | | -} |
49 | | - |
50 | | -// CredentialsLackUserAssociation reports whether validate succeeded without a user_id. |
51 | | -func CredentialsLackUserAssociation(client *hookdeck.Client) (bool, error) { |
52 | | - if client == nil || client.APIKey == "" { |
53 | | - return false, nil |
54 | | - } |
55 | | - response, err := client.ValidateAPIKey() |
56 | | - if err != nil { |
57 | | - return false, err |
58 | | - } |
59 | | - return response.UserID == "", nil |
60 | | -} |
| 1 | +package project |
| 2 | + |
| 3 | +import ( |
| 4 | + "errors" |
| 5 | + "fmt" |
| 6 | + |
| 7 | + "github.com/hookdeck/hookdeck-cli/pkg/config" |
| 8 | + "github.com/hookdeck/hookdeck-cli/pkg/hookdeck" |
| 9 | +) |
| 10 | + |
| 11 | +// ErrProjectScopedCredentials is returned when the stored CLI key is valid but |
| 12 | +// limited to a single project (for example after hookdeck ci). |
| 13 | +var ErrProjectScopedCredentials = errors.New( |
| 14 | + "this credential is scoped to a single project and cannot list all projects; " + |
| 15 | + "keys from hookdeck ci are project-scoped; " + |
| 16 | + "run hookdeck login in an interactive terminal, hookdeck login --cli-key with a product CLI key, or hookdeck_login via MCP for account-wide access", |
| 17 | +) |
| 18 | + |
| 19 | +// ErrCIScopedCredentials is an alias for ErrProjectScopedCredentials. |
| 20 | +var ErrCIScopedCredentials = ErrProjectScopedCredentials |
| 21 | + |
| 22 | +// ValidateCredentials calls GET /cli-auth/validate without sending X-Team-ID. |
| 23 | +func ValidateCredentials(config *config.Config) (*hookdeck.ValidateAPIKeyResponse, error) { |
| 24 | + return config.GetAPIClient().ValidateAPIKey() |
| 25 | +} |
| 26 | + |
| 27 | +// EnsureUserAssociatedCredentials rejects project-scoped keys before cross-project calls. |
| 28 | +func EnsureUserAssociatedCredentials(config *config.Config) error { |
| 29 | + response, err := ValidateCredentials(config) |
| 30 | + if err != nil { |
| 31 | + return err |
| 32 | + } |
| 33 | + if response.UserID == "" { |
| 34 | + return ErrProjectScopedCredentials |
| 35 | + } |
| 36 | + return nil |
| 37 | +} |
| 38 | + |
| 39 | +// EnsureUserAssociatedClient rejects project-scoped keys for an in-memory API client (MCP). |
| 40 | +func EnsureUserAssociatedClient(client *hookdeck.Client) error { |
| 41 | + if client == nil || client.APIKey == "" { |
| 42 | + return fmt.Errorf("not authenticated") |
| 43 | + } |
| 44 | + response, err := client.ValidateAPIKey() |
| 45 | + if err != nil { |
| 46 | + return err |
| 47 | + } |
| 48 | + if response.UserID == "" { |
| 49 | + return ErrProjectScopedCredentials |
| 50 | + } |
| 51 | + return nil |
| 52 | +} |
| 53 | + |
| 54 | +// CredentialsLackUserAssociation reports whether validate succeeded for a project-scoped key |
| 55 | +// (no user_id — our proxy for single-project credential scope today). |
| 56 | +func CredentialsLackUserAssociation(client *hookdeck.Client) (bool, error) { |
| 57 | + if client == nil || client.APIKey == "" { |
| 58 | + return false, nil |
| 59 | + } |
| 60 | + response, err := client.ValidateAPIKey() |
| 61 | + if err != nil { |
| 62 | + return false, err |
| 63 | + } |
| 64 | + return response.UserID == "", nil |
| 65 | +} |
0 commit comments