[GH-ISSUE #272] Auth: Warn when credentials are mixed from multiple sources #85

Closed
opened 2026-02-26 21:33:16 +03:00 by kerem · 1 comment

Originally created by @rudrankriyam on GitHub (Jan 28, 2026).
Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/272

Problem

The current credential resolution logic in cmd/shared.go can silently mix credentials from different sources. For example, if a user has a Key ID stored in the keychain but provides an Issuer ID via environment variable, the CLI will combine them without warning. This can create invalid credential combinations that fail at API call time with confusing errors.

Current behavior:

if actualKeyID == "" { actualKeyID = envCreds.keyID }
if actualIssuerID == "" { actualIssuerID = envCreds.issuerID }
if actualKeyPath == "" { actualKeyPath = envCreds.keyPath }

This silent merging violates the principle of least surprise and makes debugging auth issues difficult.

Affected Code

  • cmd/shared.go:203-220 - The credential resolution and merging logic
  • cmd/shared.go:148-200 - The getASCClient function that orchestrates credential loading

Proposed Solution

  1. Track the source of each credential component (keychain, config file, environment variable, command-line flag)
  2. If credentials come from multiple sources, emit a warning to stderr
  3. Consider adding a strict mode (--strict-auth or ASC_STRICT_AUTH=1) that fails instead of warns when mixing occurs

Implementation approach:

type CredentialSource struct {
    KeyID    string // "keychain", "config", "env", "flag"
    IssuerID string
    KeyPath  string
}

func resolveCredentialsWithSource(profile string) (creds Credentials, sources CredentialSource, err error) {
    // ... resolution logic ...
    
    // Check for mixed sources
    if sources.KeyID != sources.IssuerID || sources.IssuerID != sources.KeyPath {
        fmt.Fprintf(os.Stderr, "Warning: credentials loaded from multiple sources:\n")
        fmt.Fprintf(os.Stderr, "  Key ID: %s\n", sources.KeyID)
        fmt.Fprintf(os.Stderr, "  Issuer ID: %s\n", sources.IssuerID)
        fmt.Fprintf(os.Stderr, "  Private Key: %s\n", sources.KeyPath)
    }
    
    return creds, sources, nil
}
  4. Document the credential precedence rules clearly in --help output

Acceptance Criteria

  • Warning is emitted when credentials come from different sources
  • Warning includes which source provided each credential component
  • Add --strict-auth flag or ASC_STRICT_AUTH env var to fail on mixed credentials
  • Update help text to document credential precedence
  • Add tests for mixed credential scenarios
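As an added illustration of the proposed source tracking, warning and strict mode (example code written here, not the CLI's own; the Credentials and layer types and the precedence order flag > env > config > keychain are assumptions), a Go sketch that records which layer supplied each component and warns, or fails under strict mode, when they differ:

```go
package main

import (
	"errors"
	"fmt"
	"io"
)
// Types assumed for this illustration (not the CLI's own code); layers are walked
// in precedence order flag > env > config > keychain and the first value wins.
type Credentials struct{ KeyID, IssuerID, KeyPath string }
type CredentialSource struct{ KeyID, IssuerID, KeyPath string }
type layer struct {
	name  string // "flag", "env", "config" or "keychain"
	creds Credentials
}

// resolveCredentialsWithSource fills each component from the first layer that has
// it and records that layer's name as the component's source.
func resolveCredentialsWithSource(layers []layer) (Credentials, CredentialSource, error) {
	var c Credentials
	var s CredentialSource
	pick := func(dst, src *string, val, name string) { // assign only if still unset
		if *dst == "" && val != "" {
			*dst, *src = val, name
		}
	}
	for _, l := range layers {
		pick(&c.KeyID, &s.KeyID, l.creds.KeyID, l.name)
		pick(&c.IssuerID, &s.IssuerID, l.creds.IssuerID, l.name)
		pick(&c.KeyPath, &s.KeyPath, l.creds.KeyPath, l.name)
	}
	if c.KeyID == "" || c.IssuerID == "" || c.KeyPath == "" {
		return c, s, errors.New("incomplete credentials: key ID, issuer ID and private key are all required")
	}
	return c, s, nil
}

// checkMixed writes the proposed warning to w when components came from different
// layers; in strict mode (--strict-auth / ASC_STRICT_AUTH=1) it returns an error instead.
func checkMixed(s CredentialSource, strict bool, w io.Writer) error {
	if s.KeyID == s.IssuerID && s.IssuerID == s.KeyPath {
		return nil
	}
	msg := fmt.Sprintf("credentials loaded from multiple sources:\n  Key ID: %s\n  Issuer ID: %s\n  Private Key: %s\n", s.KeyID, s.IssuerID, s.KeyPath)
	if strict {
		return errors.New("strict auth: " + msg)
	}
	fmt.Fprint(w, "Warning: "+msg)
	return nil
}
```

A missing component is reported as an error before the mixing check runs, so an empty source name never shows up as a spurious "mixed" warning.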
kerem closed this issue 2026-02-26 21:33:17 +03:00

@rudrankriyam commented on GitHub (Jan 28, 2026):

Closing per request. Reopen if any auth issues remain.
