Auto logout if current credentials are invalid

isaacroldan · isaacroldan · commit 53c819816cd6 · 2025-09-12T14:39:32.000+02:00
diff --git a/packages/cli-kit/src/private/node/session.test.ts b/packages/cli-kit/src/private/node/session.test.ts
@@ -14,7 +14,7 @@ import {
   InvalidGrantError,
 } from './session/exchange.js'
 import {allDefaultScopes} from './session/scopes.js'
-import {store as secureStore, fetch as secureFetch} from './session/store.js'
+import {store as secureStore, fetch as secureFetch, remove as secureRemove} from './session/store.js'
 
 import {ApplicationToken, IdentityToken, Session} from './session/schema.js'
 import {validateSession} from './session/validate.js'
@@ -151,18 +151,18 @@ describe('ensureAuthenticated when previous session is invalid', () => {
     expect(secureFetch).toHaveBeenCalledOnce()
   })
 
-  test('throws an error if there is no session and prompting is disabled', async () => {
+  test('throws an error and logs out if there is no session and prompting is disabled,', async () => {
     // Given
     vi.mocked(validateSession).mockResolvedValueOnce('needs_full_auth')
     vi.mocked(secureFetch).mockResolvedValue(undefined)
 
     // When
-    // eslint-disable-next-line @typescript-eslint/no-floating-promises
-    expect(ensureAuthenticated(defaultApplications, process.env, {noPrompt: true})).rejects.toThrow(
+    await expect(ensureAuthenticated(defaultApplications, process.env, {noPrompt: true})).rejects.toThrow(
       `The currently available CLI credentials are invalid.
 
 The CLI is currently unable to prompt for reauthentication.`,
     )
+    expect(secureRemove).toHaveBeenCalled()
 
     // Then
     await expect(getLastSeenAuthMethod()).resolves.toEqual('none')
diff --git a/packages/cli-kit/src/private/node/session.ts b/packages/cli-kit/src/private/node/session.ts
@@ -18,7 +18,7 @@ import {firstPartyDev, themeToken} from '../../public/node/context/local.js'
 import {AbortError, BugError} from '../../public/node/error.js'
 import {normalizeStoreFqdn, identityFqdn} from '../../public/node/context/fqdn.js'
 import {getIdentityTokenInformation, getPartnersToken} from '../../public/node/environment.js'
-import {AdminSession} from '../../public/node/session.js'
+import {AdminSession, logout} from '../../public/node/session.js'
 import {nonRandomUUID} from '../../public/node/crypto.js'
 
 /**
@@ -197,8 +197,9 @@ ${outputToken.json(applications)}
 
   let newSession = {}
 
-  function throwOnNoPrompt() {
+  async function throwOnNoPrompt() {
     if (!noPrompt) return
+    await logout()
     throw new AbortError(
       `The currently available CLI credentials are invalid.
 
@@ -208,7 +209,7 @@ The CLI is currently unable to prompt for reauthentication.`,
   }
 
   if (validationResult === 'needs_full_auth') {
-    throwOnNoPrompt()
+    await throwOnNoPrompt()
     outputDebug(outputContent`Initiating the full authentication flow...`)
     newSession = await executeCompleteFlow(applications, fqdn)
   } else if (validationResult === 'needs_refresh' || forceRefresh) {
@@ -217,7 +218,7 @@ The CLI is currently unable to prompt for reauthentication.`,
       newSession = await refreshTokens(fqdnSession.identity, applications, fqdn)
     } catch (error) {
       if (error instanceof InvalidGrantError) {
-        throwOnNoPrompt()
+        await throwOnNoPrompt()
         newSession = await executeCompleteFlow(applications, fqdn)
       } else if (error instanceof InvalidRequestError) {
         await secureStore.remove()
