fix: add AuthenticationOutput for configurable auth messaging (#80)

joshsmithxrm · claude · joshsmithxrm · commit 1be65e9e9799 · 2026-01-01T19:22:29.000-06:00
Addresses issues #7, #9, #15, #27 from code review: - #7: Add thread-safety remarks to ConsoleProgressReporter - #9: Add documentation for role mapping limitation in TieredImporter - #15: Replace Console.WriteLine with AuthenticationOutput in auth library - New AuthenticationOutput class allows consumers to redirect or suppress output - Set AuthenticationOutput.Writer = null to suppress, or provide custom Action<string> - #27: Add validation in CredentialProviderFactory before null-forgiveness - ValidateRequiredFields checks GitHubFederated, AzureDevOpsFederated, UsernamePassword 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/src/PPDS.Auth/AuthenticationOutput.cs b/src/PPDS.Auth/AuthenticationOutput.cs
@@ -0,0 +1,54 @@
+using System;
+
+namespace PPDS.Auth;
+
+/// <summary>
+/// Controls authentication status output for the auth library.
+/// </summary>
+/// <remarks>
+/// By default, authentication status messages are written to the console.
+/// Library consumers who don't want console output can set <see cref="Writer"/> to null
+/// or provide a custom action to redirect output.
+/// </remarks>
+public static class AuthenticationOutput
+{
+    private static Action<string>? _writer = Console.WriteLine;
+
+    /// <summary>
+    /// Gets or sets the action used to write authentication status messages.
+    /// Set to null to suppress all output, or provide a custom action to redirect.
+    /// Default: Console.WriteLine
+    /// </summary>
+    /// <example>
+    /// <code>
+    /// // Suppress all auth output
+    /// AuthenticationOutput.Writer = null;
+    ///
+    /// // Redirect to a logger
+    /// AuthenticationOutput.Writer = message => logger.LogInformation(message);
+    /// </code>
+    /// </example>
+    public static Action<string>? Writer
+    {
+        get => _writer;
+        set => _writer = value;
+    }
+
+    /// <summary>
+    /// Writes a status message using the configured writer.
+    /// Does nothing if Writer is null.
+    /// </summary>
+    /// <param name="message">The message to write.</param>
+    internal static void WriteLine(string message = "")
+    {
+        _writer?.Invoke(message);
+    }
+
+    /// <summary>
+    /// Resets the writer to the default (Console.WriteLine).
+    /// </summary>
+    public static void Reset()
+    {
+        _writer = Console.WriteLine;
+    }
+}
diff --git a/src/PPDS.Auth/Credentials/CredentialProviderFactory.cs b/src/PPDS.Auth/Credentials/CredentialProviderFactory.cs
@@ -14,6 +14,8 @@ public static class CredentialProviderFactory
     /// <param name="profile">The auth profile.</param>
     /// <param name="deviceCodeCallback">Optional callback for device code display (for DeviceCode auth in headless mode).</param>
     /// <returns>A credential provider for the profile's auth method.</returns>
+    /// <exception cref="ArgumentNullException">If profile is null.</exception>
+    /// <exception cref="ArgumentException">If required profile fields are missing for the auth method.</exception>
     /// <exception cref="NotSupportedException">If the auth method is not supported.</exception>
     public static ICredentialProvider Create(
         AuthProfile profile,
@@ -22,6 +24,9 @@ public static ICredentialProvider Create(
         if (profile == null)
             throw new ArgumentNullException(nameof(profile));
 
+        // Validate required fields based on auth method
+        ValidateRequiredFields(profile);
+
         return profile.AuthMethod switch
         {
             AuthMethod.InteractiveBrowser => InteractiveBrowserCredentialProvider.FromProfile(profile),
@@ -40,6 +45,41 @@ public static ICredentialProvider Create(
         };
     }
 
+    /// <summary>
+    /// Validates that required fields are present for the profile's auth method.
+    /// </summary>
+    private static void ValidateRequiredFields(AuthProfile profile)
+    {
+        switch (profile.AuthMethod)
+        {
+            case AuthMethod.GitHubFederated:
+            case AuthMethod.AzureDevOpsFederated:
+                RequireField(profile.ApplicationId, nameof(profile.ApplicationId), profile.AuthMethod);
+                RequireField(profile.TenantId, nameof(profile.TenantId), profile.AuthMethod);
+                break;
+
+            case AuthMethod.UsernamePassword:
+                RequireField(profile.Username, nameof(profile.Username), profile.AuthMethod);
+                RequireField(profile.Password, nameof(profile.Password), profile.AuthMethod);
+                break;
+
+            // Other auth methods validate in their FromProfile methods
+        }
+    }
+
+    /// <summary>
+    /// Throws if a required field is null or empty.
+    /// </summary>
+    private static void RequireField(string? value, string fieldName, AuthMethod authMethod)
+    {
+        if (string.IsNullOrWhiteSpace(value))
+        {
+            throw new ArgumentException(
+                $"Profile field '{fieldName}' is required for {authMethod} authentication.",
+                fieldName);
+        }
+    }
+
     /// <summary>
     /// Creates the appropriate interactive provider based on environment.
     /// Uses browser authentication by default, falls back to device code for headless environments.
diff --git a/src/PPDS.Auth/Credentials/DeviceCodeCredentialProvider.cs b/src/PPDS.Auth/Credentials/DeviceCodeCredentialProvider.cs
@@ -184,19 +184,15 @@ private async Task<string> GetTokenAsync(string environmentUrl, bool forceIntera
                 }
                 else
                 {
-                    // Default console output
-                    Console.WriteLine();
-                    Console.WriteLine("To sign in, use a web browser to open the page:");
-                    Console.ForegroundColor = ConsoleColor.Cyan;
-                    Console.WriteLine($"  {deviceCodeResult.VerificationUrl}");
-                    Console.ResetColor();
-                    Console.WriteLine();
-                    Console.WriteLine("Enter the code:");
-                    Console.ForegroundColor = ConsoleColor.Yellow;
-                    Console.WriteLine($"  {deviceCodeResult.UserCode}");
-                    Console.ResetColor();
-                    Console.WriteLine();
-                    Console.WriteLine("Waiting for authentication...");
+                    // Default output via AuthenticationOutput (can be redirected or suppressed)
+                    AuthenticationOutput.WriteLine();
+                    AuthenticationOutput.WriteLine("To sign in, use a web browser to open the page:");
+                    AuthenticationOutput.WriteLine($"  {deviceCodeResult.VerificationUrl}");
+                    AuthenticationOutput.WriteLine();
+                    AuthenticationOutput.WriteLine("Enter the code:");
+                    AuthenticationOutput.WriteLine($"  {deviceCodeResult.UserCode}");
+                    AuthenticationOutput.WriteLine();
+                    AuthenticationOutput.WriteLine("Waiting for authentication...");
                 }
                 return Task.CompletedTask;
             })
@@ -205,8 +201,8 @@ private async Task<string> GetTokenAsync(string environmentUrl, bool forceIntera
 
         if (_deviceCodeCallback == null)
         {
-            Console.WriteLine($"Authenticated as: {_cachedResult.Account.Username}");
-            Console.WriteLine();
+            AuthenticationOutput.WriteLine($"Authenticated as: {_cachedResult.Account.Username}");
+            AuthenticationOutput.WriteLine();
         }
 
         return _cachedResult.AccessToken;
diff --git a/src/PPDS.Auth/Credentials/InteractiveBrowserCredentialProvider.cs b/src/PPDS.Auth/Credentials/InteractiveBrowserCredentialProvider.cs
@@ -205,8 +205,8 @@ private async Task<string> GetTokenAsync(string environmentUrl, bool forceIntera
         }
 
         // Interactive browser authentication
-        Console.WriteLine();
-        Console.WriteLine("Opening browser for authentication...");
+        AuthenticationOutput.WriteLine();
+        AuthenticationOutput.WriteLine("Opening browser for authentication...");
 
         try
         {
@@ -222,8 +222,8 @@ private async Task<string> GetTokenAsync(string environmentUrl, bool forceIntera
             throw new OperationCanceledException("Authentication was canceled by the user.", ex);
         }
 
-        Console.WriteLine($"Authenticated as: {_cachedResult.Account.Username}");
-        Console.WriteLine();
+        AuthenticationOutput.WriteLine($"Authenticated as: {_cachedResult.Account.Username}");
+        AuthenticationOutput.WriteLine();
 
         return _cachedResult.AccessToken;
     }
diff --git a/src/PPDS.Auth/Discovery/GlobalDiscoveryService.cs b/src/PPDS.Auth/Discovery/GlobalDiscoveryService.cs
@@ -168,7 +168,7 @@ private Func<string, Task<string>> CreateTokenProviderFunction(
             {
                 if (_deviceCodeCallback == null)
                 {
-                    Console.WriteLine("Opening browser for authentication...");
+                    AuthenticationOutput.WriteLine("Opening browser for authentication...");
                 }
 
                 result = await _msalClient!
@@ -192,18 +192,14 @@ private Func<string, Task<string>> CreateTokenProviderFunction(
                         }
                         else
                         {
-                            Console.WriteLine();
-                            Console.WriteLine("To sign in, use a web browser to open the page:");
-                            Console.ForegroundColor = ConsoleColor.Cyan;
-                            Console.WriteLine($"  {deviceCodeResult.VerificationUrl}");
-                            Console.ResetColor();
-                            Console.WriteLine();
-                            Console.WriteLine("Enter the code:");
-                            Console.ForegroundColor = ConsoleColor.Yellow;
-                            Console.WriteLine($"  {deviceCodeResult.UserCode}");
-                            Console.ResetColor();
-                            Console.WriteLine();
-                            Console.WriteLine("Waiting for authentication...");
+                            AuthenticationOutput.WriteLine();
+                            AuthenticationOutput.WriteLine("To sign in, use a web browser to open the page:");
+                            AuthenticationOutput.WriteLine($"  {deviceCodeResult.VerificationUrl}");
+                            AuthenticationOutput.WriteLine();
+                            AuthenticationOutput.WriteLine("Enter the code:");
+                            AuthenticationOutput.WriteLine($"  {deviceCodeResult.UserCode}");
+                            AuthenticationOutput.WriteLine();
+                            AuthenticationOutput.WriteLine("Waiting for authentication...");
                         }
                         return Task.CompletedTask;
                     })
@@ -213,8 +209,8 @@ private Func<string, Task<string>> CreateTokenProviderFunction(
 
             if (_deviceCodeCallback == null)
             {
-                Console.WriteLine($"Authenticated as: {result.Account.Username}");
-                Console.WriteLine();
+                AuthenticationOutput.WriteLine($"Authenticated as: {result.Account.Username}");
+                AuthenticationOutput.WriteLine();
             }
 
             return result.AccessToken;
diff --git a/src/PPDS.Migration/Import/TieredImporter.cs b/src/PPDS.Migration/Import/TieredImporter.cs
@@ -872,6 +872,20 @@ private async Task<Dictionary<string, Guid>> BuildRoleNameCacheAsync(Cancellatio
             return cache;
         }
 
+        /// <summary>
+        /// Attempts to find a matching role in the target environment by ID.
+        /// </summary>
+        /// <remarks>
+        /// <para>
+        /// This method only succeeds when the source and target environments share the same role IDs
+        /// (e.g., same tenant or restored from backup). For cross-environment migrations where role IDs
+        /// differ, this returns null because we don't have the source role name to look up by name.
+        /// </para>
+        /// <para>
+        /// Known limitation: Proper role mapping requires exporting role names alongside IDs in the
+        /// migration schema. This is tracked for future enhancement.
+        /// </para>
+        /// </remarks>
         private async Task<Guid?> LookupRoleByIdAsync(
             Guid sourceRoleId,
             Dictionary<string, Guid> roleNameCache,
diff --git a/src/PPDS.Migration/Progress/ConsoleProgressReporter.cs b/src/PPDS.Migration/Progress/ConsoleProgressReporter.cs
@@ -9,6 +9,10 @@ namespace PPDS.Migration.Progress
     /// <summary>
     /// Progress reporter that writes human-readable output to the console.
     /// </summary>
+    /// <remarks>
+    /// This class is not thread-safe. It is designed for single-threaded CLI usage
+    /// where progress events are reported sequentially.
+    /// </remarks>
     public class ConsoleProgressReporter : IProgressReporter
     {
         private const int MaxErrorsToDisplay = 10;

Original file line number	Diff line number	Diff line change
`@@ -205,8 +205,8 @@ private async Task<string> GetTokenAsync(string environmentUrl, bool forceIntera`
`205`	`205`	`}`
`206`	`206`
`207`	`207`	`// Interactive browser authentication`
`208`		`- Console.WriteLine();`
`209`		`- Console.WriteLine("Opening browser for authentication...");`
	`208`	`+ AuthenticationOutput.WriteLine();`
	`209`	`+ AuthenticationOutput.WriteLine("Opening browser for authentication...");`
`210`	`210`
`211`	`211`	`try`
`212`	`212`	`{`
`@@ -222,8 +222,8 @@ private async Task<string> GetTokenAsync(string environmentUrl, bool forceIntera`
`222`	`222`	`throw new OperationCanceledException("Authentication was canceled by the user.", ex);`
`223`	`223`	`}`
`224`	`224`
`225`		`- Console.WriteLine($"Authenticated as: {_cachedResult.Account.Username}");`
`226`		`- Console.WriteLine();`
	`225`	`+ AuthenticationOutput.WriteLine($"Authenticated as: {_cachedResult.Account.Username}");`
	`226`	`+ AuthenticationOutput.WriteLine();`
`227`	`227`
`228`	`228`	`return _cachedResult.AccessToken;`
`229`	`229`	`}`
Original file line number	Diff line number	Diff line change
`@@ -168,7 +168,7 @@ private Func<string, Task<string>> CreateTokenProviderFunction(`
`168`	`168`	`{`
`169`	`169`	`if (_deviceCodeCallback == null)`
`170`	`170`	`{`
`171`		`- Console.WriteLine("Opening browser for authentication...");`
	`171`	`+ AuthenticationOutput.WriteLine("Opening browser for authentication...");`
`172`	`172`	`}`
`173`	`173`
`174`	`174`	`result = await _msalClient!`
`@@ -192,18 +192,14 @@ private Func<string, Task<string>> CreateTokenProviderFunction(`
`192`	`192`	`}`
`193`	`193`	`else`
`194`	`194`	`{`
`195`		`- Console.WriteLine();`
`196`		`- Console.WriteLine("To sign in, use a web browser to open the page:");`
`197`		`- Console.ForegroundColor = ConsoleColor.Cyan;`
`198`		`- Console.WriteLine($" {deviceCodeResult.VerificationUrl}");`
`199`		`- Console.ResetColor();`
`200`		`- Console.WriteLine();`
`201`		`- Console.WriteLine("Enter the code:");`
`202`		`- Console.ForegroundColor = ConsoleColor.Yellow;`
`203`		`- Console.WriteLine($" {deviceCodeResult.UserCode}");`
`204`		`- Console.ResetColor();`
`205`		`- Console.WriteLine();`
`206`		`- Console.WriteLine("Waiting for authentication...");`
	`195`	`+ AuthenticationOutput.WriteLine();`
	`196`	`+ AuthenticationOutput.WriteLine("To sign in, use a web browser to open the page:");`
	`197`	`+ AuthenticationOutput.WriteLine($" {deviceCodeResult.VerificationUrl}");`
	`198`	`+ AuthenticationOutput.WriteLine();`
	`199`	`+ AuthenticationOutput.WriteLine("Enter the code:");`
	`200`	`+ AuthenticationOutput.WriteLine($" {deviceCodeResult.UserCode}");`
	`201`	`+ AuthenticationOutput.WriteLine();`
	`202`	`+ AuthenticationOutput.WriteLine("Waiting for authentication...");`
`207`	`203`	`}`
`208`	`204`	`return Task.CompletedTask;`
`209`	`205`	`})`
`@@ -213,8 +209,8 @@ private Func<string, Task<string>> CreateTokenProviderFunction(`
`213`	`209`
`214`	`210`	`if (_deviceCodeCallback == null)`
`215`	`211`	`{`
`216`		`- Console.WriteLine($"Authenticated as: {result.Account.Username}");`
`217`		`- Console.WriteLine();`
	`212`	`+ AuthenticationOutput.WriteLine($"Authenticated as: {result.Account.Username}");`
	`213`	`+ AuthenticationOutput.WriteLine();`
`218`	`214`	`}`
`219`	`215`
`220`	`216`	`return result.AccessToken;`