Add auth command with login, logout, list, and switch

drewr · drewr · commit 01c3ab8617bf · 2026-03-27T15:51:41.000-05:00
- Add 'auth' subcommand to CLI with:
  - 'auth status': Show current authentication and selected context
  - 'auth login': Log in via browser OAuth with account picker
  - 'auth logout': Log out and clear credentials
  - 'auth list': Show current authenticated user
  - 'auth switch': Log out current user and prompt for new login

Also add is_authenticated(), login(), logout() methods to DatumCloudClient.
diff --git a/cli/src/main.rs b/cli/src/main.rs
@@ -50,6 +50,10 @@ enum Commands {
     #[clap(subcommand, alias = "ls")]
     Add(AddCommands),
 
+    /// Authenticate with Datum Cloud (login, logout, status).
+    #[clap(subcommand)]
+    Auth(AuthCommands),
+
     /// Manage tunnels (create, list, update, delete) that expose local services to public hostnames.
     #[clap(subcommand)]
     Tunnel(TunnelCommands),
@@ -184,6 +188,24 @@ pub enum DiscoveryModeArg {
     Hybrid,
 }
 
+#[derive(Subcommand, Debug)]
+pub enum AuthCommands {
+    /// Show current authentication status.
+    Status,
+
+    /// Log in to Datum Cloud (opens browser for OAuth).
+    Login,
+
+    /// Log out and clear stored credentials.
+    Logout,
+
+    /// List all locally authenticated users.
+    List,
+
+    /// Switch to a different authenticated user (clears current and prompts for new login).
+    Switch,
+}
+
 #[derive(Subcommand, Debug)]
 pub enum TunnelCommands {
     /// List all tunnels in the current project.
@@ -297,6 +319,50 @@ async fn main() -> n0_error::Result<()> {
                 .await?;
             println!("OK.");
         }
+        Commands::Auth(args) => {
+            let datum = DatumCloudClient::with_repo(ApiEnv::default(), repo.clone()).await?;
+            match args {
+                AuthCommands::Status => {
+                    if datum.is_authenticated().await? {
+                        println!("Authenticated");
+                        if let Some(ctx) = datum.selected_context() {
+                            println!("  org: {}", ctx.org_id);
+                            println!("  project: {}", ctx.project_id);
+                        }
+                    } else {
+                        println!("Not authenticated");
+                    }
+                }
+                AuthCommands::Login => {
+                    datum.login().await?;
+                    println!("Login successful");
+                }
+                AuthCommands::Logout => {
+                    datum.logout().await?;
+                    println!("Logged out");
+                }
+                AuthCommands::List => {
+                    let is_auth = datum.is_authenticated().await?;
+                    if is_auth {
+                        println!("Current user (active):");
+                        if let Some(ctx) = datum.selected_context() {
+                            println!("  org: {}", ctx.org_id);
+                            println!("  project: {}", ctx.project_id);
+                        }
+                    } else {
+                        println!("No authenticated users");
+                    }
+                    println!();
+                    println!("Note: Multi-user storage not yet implemented. Use 'auth switch' to log in as a different user.");
+                }
+                AuthCommands::Switch => {
+                    datum.logout().await?;
+                    println!("Switching users...");
+                    datum.login().await?;
+                    println!("Switched to new user");
+                }
+            }
+        }
         Commands::Serve => {
             let node = ListenNode::new(repo).await?;
             let endpoint_id = node.endpoint_id();
diff --git a/lib/src/datum_cloud.rs b/lib/src/datum_cloud.rs
@@ -96,6 +96,19 @@ impl DatumCloudClient {
         self.auth.load()
     }
 
+    pub async fn is_authenticated(&self) -> Result<bool> {
+        let state = self.auth.load_refreshed().await?;
+        Ok(state.get().is_ok())
+    }
+
+    pub async fn login(&self) -> Result<()> {
+        self.auth.login().await
+    }
+
+    pub async fn logout(&self) -> Result<()> {
+        self.auth.logout().await
+    }
+
     pub fn selected_context(&self) -> Option<SelectedContext> {
         self.session.selected_context()
     }
diff --git a/lib/src/datum_cloud/auth.rs b/lib/src/datum_cloud/auth.rs
@@ -190,6 +190,7 @@ impl StatelessClient {
             .add_scope(Scope::new("profile".to_string()))
             .add_scope(Scope::new("email".to_string()))
             .add_scope(Scope::new("offline_access".to_string()))
+            .add_extra_param("prompt", "select_account")
             .set_pkce_challenge(pkce_challenge)
             .url();
         debug!(auth_uri=%self.oidc.auth_uri(), "attempting login");
