[GH-ISSUE #270] Auth: Validate credentials at login time #87

Closed
opened 2026-02-26 21:33:16 +03:00 by kerem · 1 comment
Owner

Originally created by @rudrankriyam on GitHub (Jan 28, 2026).
Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/270

Problem

The auth login command currently validates only the PEM format and file permissions of the private key. It does not verify that the credentials actually work with the App Store Connect API. Users only discover invalid credentials when they attempt their first API call, which leads to a poor developer experience.

Common failure modes that go undetected at login:

  1. Mismatched Key ID and private key file
  2. Expired or revoked API keys
  3. Wrong Issuer ID for the key
  4. Malformed private key content that passes basic PEM parsing but fails JWT signing

Affected Code

  • cmd/auth.go - The login command and credential storage logic
  • internal/auth/keychain.go:98-108 - Private key loading and validation
  • internal/asc/client_http.go:44-63 - JWT generation (this logic should be testable standalone)

Proposed Solution

  1. After storing credentials, attempt to generate a JWT token to verify the private key can be used for signing
  2. Optionally, make a lightweight API call (such as listing apps with a limit of 1) to verify the credentials work end-to-end
  3. Provide clear error messages if validation fails, explaining which part failed (key loading, JWT signing, or API authentication)

Implementation approach:

```go
import "fmt"

func validateCredentials(keyID, issuerID, keyPath string) error {
    // Step 1: Load the private key (PEM parsing and permission checks happen here)
    privateKey, err := auth.LoadPrivateKey(keyPath)
    if err != nil {
        return fmt.Errorf("failed to load private key: %w", err)
    }

    // Step 2: Attempt JWT generation; a key that parsed but cannot sign fails here.
    // The token itself is discarded: only the ability to sign matters at this point.
    if _, err = generateTestJWT(keyID, issuerID, privateKey); err != nil {
        return fmt.Errorf("failed to generate JWT: %w", err)
    }

    // Step 3 (optional): Make a test API call (e.g. list apps with limit 1)
    // This confirms the key is registered with Apple
    return nil
}
```
  4. Add a --skip-validation flag for users who want to store credentials without network access

Acceptance Criteria

  • auth login validates that JWT generation succeeds before storing credentials
  • Clear error messages indicate whether the issue is with the key file, key format, or credential mismatch
  • Add --skip-validation flag to bypass validation when needed
  • Add tests for the validation logic
kerem closed this issue 2026-02-26 21:33:17 +03:00
Author
Owner

@rudrankriyam commented on GitHub (Jan 28, 2026):

Closing per request. Reopen if any auth issues remain.
