CLOUDP-333260: Delete api key from profile on logout (#4094)

blva · web-flow · commit eb92a2689092 · 2025-08-07T09:56:16.000+01:00
diff --git a/internal/cli/auth/logout.go b/internal/cli/auth/logout.go
@@ -36,8 +36,11 @@ type ConfigDeleter interface {
 	Delete() error
 	SetAccessToken(string)
 	SetRefreshToken(string)
+	SetPublicAPIKey(string)
+	SetPrivateAPIKey(string)
 	SetProjectID(string)
 	SetOrgID(string)
+	AuthType() config.AuthMechanism
 	Save() error
 }
 
@@ -62,16 +65,30 @@ func (opts *logoutOpts) initFlow() error {
 }
 
 func (opts *logoutOpts) Run(ctx context.Context) error {
-	// revoking a refresh token revokes the access token
-	if _, err := opts.flow.RevokeToken(ctx, config.RefreshToken(), "refresh_token"); err != nil {
-		return err
+	authType := opts.config.AuthType()
+
+	// Handle OAuth authentication - revoke tokens
+	if authType == config.OAuth {
+		if _, err := opts.flow.RevokeToken(ctx, config.RefreshToken(), "refresh_token"); err != nil {
+			return err
+		}
 	}
 
 	if !opts.keepConfig {
 		return opts.Delete(opts.config.Delete)
 	}
-	opts.config.SetAccessToken("")
-	opts.config.SetRefreshToken("")
+
+	// Clear credentials based on auth type
+	switch authType {
+	case config.OAuth:
+		opts.config.SetAccessToken("")
+		opts.config.SetRefreshToken("")
+	case config.APIKeys:
+		opts.config.SetPublicAPIKey("")
+		opts.config.SetPrivateAPIKey("")
+	case config.NotLoggedIn:
+	}
+
 	opts.config.SetProjectID("")
 	opts.config.SetOrgID("")
 	return opts.config.Save()
@@ -94,14 +111,23 @@ func LogoutBuilder() *cobra.Command {
 			return opts.initFlow()
 		},
 		RunE: func(cmd *cobra.Command, _ []string) error {
-			if config.RefreshToken() == "" {
+			authType := config.AuthType()
+			var accountIdentifier string
+			var err error
+
+			switch authType {
+			case config.OAuth:
+				accountIdentifier, err = config.AccessTokenSubject()
+				if err != nil {
+					return err
+				}
+			case config.APIKeys:
+				accountIdentifier = config.PublicAPIKey()
+			case config.NotLoggedIn:
 				return ErrUnauthenticated
 			}
-			s, err := config.AccessTokenSubject()
-			if err != nil {
-				return err
-			}
-			opts.Entry = s
+
+			opts.Entry = accountIdentifier
 			if err := opts.PromptWithMessage("Are you sure you want to log out of account %s?"); err != nil || !opts.Confirm {
 				return err
 			}
diff --git a/internal/cli/auth/logout_mock_test.go b/internal/cli/auth/logout_mock_test.go
diff --git a/internal/cli/auth/logout_test.go b/internal/cli/auth/logout_test.go
@@ -19,11 +19,12 @@ import (
 	"testing"
 
 	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/cli"
+	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/config"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/mock/gomock"
 )
 
-func Test_logoutOpts_Run(t *testing.T) {
+func Test_logoutOpts_Run_OAuth(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	mockFlow := NewMockRevoker(ctrl)
 	mockConfig := NewMockConfigDeleter(ctrl)
@@ -39,6 +40,12 @@ func Test_logoutOpts_Run(t *testing.T) {
 		},
 	}
 	ctx := t.Context()
+
+	mockConfig.
+		EXPECT().
+		AuthType().
+		Return(config.OAuth).
+		Times(1)
 	mockFlow.
 		EXPECT().
 		RevokeToken(ctx, gomock.Any(), gomock.Any()).
@@ -52,7 +59,38 @@ func Test_logoutOpts_Run(t *testing.T) {
 	require.NoError(t, opts.Run(ctx))
 }
 
-func Test_logoutOpts_Run_Keep(t *testing.T) {
+func Test_logoutOpts_Run_APIKeys(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	mockFlow := NewMockRevoker(ctrl)
+	mockConfig := NewMockConfigDeleter(ctrl)
+
+	buf := new(bytes.Buffer)
+
+	opts := logoutOpts{
+		OutWriter: buf,
+		config:    mockConfig,
+		flow:      mockFlow,
+		DeleteOpts: &cli.DeleteOpts{
+			Confirm: true,
+		},
+	}
+	ctx := t.Context()
+
+	mockConfig.
+		EXPECT().
+		AuthType().
+		Return(config.APIKeys).
+		Times(1)
+	// No token revocation expected for API keys
+	mockConfig.
+		EXPECT().
+		Delete().
+		Return(nil).
+		Times(1)
+	require.NoError(t, opts.Run(ctx))
+}
+
+func Test_logoutOpts_Run_Keep_OAuth(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	mockFlow := NewMockRevoker(ctrl)
 	mockConfig := NewMockConfigDeleter(ctrl)
@@ -69,6 +107,12 @@ func Test_logoutOpts_Run_Keep(t *testing.T) {
 		keepConfig: true,
 	}
 	ctx := t.Context()
+
+	mockConfig.
+		EXPECT().
+		AuthType().
+		Return(config.OAuth).
+		Times(1)
 	mockFlow.
 		EXPECT().
 		RevokeToken(ctx, gomock.Any(), gomock.Any()).
@@ -99,3 +143,53 @@ func Test_logoutOpts_Run_Keep(t *testing.T) {
 
 	require.NoError(t, opts.Run(ctx))
 }
+
+func Test_logoutOpts_Run_Keep_APIKeys(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	mockFlow := NewMockRevoker(ctrl)
+	mockConfig := NewMockConfigDeleter(ctrl)
+
+	buf := new(bytes.Buffer)
+
+	opts := logoutOpts{
+		OutWriter: buf,
+		config:    mockConfig,
+		flow:      mockFlow,
+		DeleteOpts: &cli.DeleteOpts{
+			Confirm: true,
+		},
+		keepConfig: true,
+	}
+	ctx := t.Context()
+
+	mockConfig.
+		EXPECT().
+		AuthType().
+		Return(config.APIKeys).
+		Times(1)
+	// No token revocation for API keys
+
+	mockConfig.
+		EXPECT().
+		SetPublicAPIKey("").
+		Times(1)
+	mockConfig.
+		EXPECT().
+		SetPrivateAPIKey("").
+		Times(1)
+	mockConfig.
+		EXPECT().
+		SetProjectID("").
+		Times(1)
+	mockConfig.
+		EXPECT().
+		SetOrgID("").
+		Times(1)
+	mockConfig.
+		EXPECT().
+		Save().
+		Return(nil).
+		Times(1)
+
+	require.NoError(t, opts.Run(ctx))
+}
