[GH-ISSUE #273] Auth: Add auth doctor command for diagnosing configuration issues #89

Closed
opened 2026-02-26 21:33:18 +03:00 by kerem · 1 comment
Owner

Originally created by @rudrankriyam on GitHub (Jan 28, 2026).
Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/273

Problem

When users encounter authentication issues, debugging requires understanding multiple interacting systems: keychain availability, config file state, environment variables, file permissions, and credential validity. Users often struggle to identify the root cause because there is no single command that provides a comprehensive diagnostic view of the authentication configuration.

Proposed Solution

Add a new auth doctor subcommand that performs a comprehensive health check of the authentication configuration, similar to brew doctor or flutter doctor.

Command signature:

asc auth doctor [--fix]

The command should check:

  1. Storage backend status

    • Is system keychain available?
    • Is config file present and readable?
    • Config file permissions check
  2. Credential inventory

    • List all configured profiles
    • Check for incomplete profiles (missing key ID, issuer ID, or key path)
    • Check for duplicate profiles
  3. Private key health

    • Do referenced key files exist?
    • Are key file permissions secure (0600)?
    • Can keys be parsed as valid PEM?
    • Are keys the correct type (ECDSA P-256)?
  4. Environment variable status

    • Which ASC_* environment variables are set?
    • Do environment variables conflict with stored credentials?
  5. Potential issues

    • Credentials in config file when keychain is available (less secure)
    • Key files with overly permissive permissions
    • Orphaned temp key files in /tmp

Example output:

Auth Doctor

Storage:
  [OK] System keychain is available
  [OK] Config file exists at ~/.asc/config.json
  [WARN] Config file contains credentials (consider migrating to keychain)

Profiles:
  [OK] default - complete
  [OK] work - complete
  [WARN] staging - missing private key path

Private Keys:
  [OK] /path/to/default.p8 - valid ECDSA key, permissions 0600
  [OK] /path/to/work.p8 - valid ECDSA key, permissions 0600
  [FAIL] /path/to/staging.p8 - file not found

Environment:
  [INFO] ASC_KEY_ID is set
  [WARN] ASC_KEY_ID conflicts with default profile key ID

Recommendations:
  1. Set private key path for staging profile: asc auth login --profile staging
  2. Consider clearing ASC_KEY_ID or using --profile to avoid conflicts
  3. Run 'asc auth migrate' to move config credentials to keychain

Found 2 warnings and 1 error.

With --fix flag, automatically fix issues where possible:

  • Fix file permissions on key files
  • Remove orphaned temp files
  • Migrate credentials from config to keychain

Implementation Location

  • cmd/auth.go - Add the new doctor subcommand
  • internal/auth/doctor.go (new file) - Diagnostic check logic

Acceptance Criteria

  • auth doctor performs all documented checks
  • Clear output with OK/WARN/FAIL indicators
  • Actionable recommendations for each issue found
  • --fix flag auto-repairs fixable issues with user confirmation
  • Returns non-zero exit code if errors are found
  • Add tests for each diagnostic check
kerem closed this issue 2026-02-26 21:33:18 +03:00
Author
Owner

@rudrankriyam commented on GitHub (Jan 28, 2026):

Closing per request. Reopen if any auth issues remain.
