Add auth pre-flight validation for agents (Azure#7236)

spboyer · Copilot · jongio · commit 1403d56bf6fb · 2026-03-27T12:05:50.000-07:00
* Add auth pre-flight validation for agents (Azure#7234) Add --check flag to 'azd auth token' for lightweight auth validation. Agents can call 'azd auth token --check' to validate authentication state with exit code 0 (valid) or non-zero (invalid) without producing standard output. This prevents costly retry loops where agents speculatively call auth token and parse errors. Enhance 'azd auth status --output json' to include expiresOn field, giving agents machine-readable token expiry information for proactive re-authentication. Improve LoginGuardMiddleware to wrap ErrNoCurrentUser with actionable ErrorWithSuggestion guidance, while preserving original error types for cancellations and transient failures. Changes: - cmd/auth_token.go: Add --check flag with early-exit validation - cmd/auth_token_test.go: Add 3 test cases (check success/failure/not-logged-in) - cmd/auth_status.go: Populate ExpiresOn from token validation - pkg/contracts/auth.go: Add ExpiresOn field to StatusResult - cmd/middleware/login_guard.go: Wrap ErrNoCurrentUser with suggestion Fixes Azure#7234 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address review feedback: remove redundant branches, add expiresOn tests - Remove redundant 'if a.flags.check' branches in auth_token.go that duplicated the same return (Copilot review comment #2) - Add StatusResult JSON serialization tests verifying expiresOn is present when authenticated and omitted when unauthenticated (Copilot review comment #3) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Refactor: replace auth token --check with auth status exit code (Azure#7234) Instead of adding a --check flag to the hidden 'auth token' command, make the existing 'auth status --output json' command agent-friendly: - Exit non-zero when unauthenticated in machine-readable mode, so agents can rely on exit code without parsing output - expiresOn field already added to StatusResult in this PR - Remove --check flag and its tests (net -90 lines) Agents can now validate auth with: azd auth status --output json # exit 0 + JSON with expiresOn = valid # exit 1 + JSON with status:unauthenticated = invalid This is more discoverable than a hidden flag on a hidden command. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Remove tmp/ from tracking, add to .gitignore Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Revert "Remove tmp/ from tracking, add to .gitignore" This reverts commit 7253f21. * Remove tmp/ files from PR (not part of Azure#7234) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address review: exit non-zero in both modes, fix double output Per @JeffreyCA feedback: - Return auth.ErrNoCurrentUser when unauthenticated in both JSON and interactive modes (exit non-zero in all cases) - In JSON mode, format output before returning error to avoid double-print - In interactive mode, show status UX then exit non-zero Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Revert non-zero exit for unauthenticated status Per @vhvb1989 feedback: unauthenticated is a valid result, not a command failure. Non-zero exit should only be for unexpected errors. The expiresOn and LoginGuardMiddleware improvements remain. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/cli/azd/cmd/auth_status.go b/cli/azd/cmd/auth_status.go
@@ -96,10 +96,13 @@ func (a *authStatusAction) Run(ctx context.Context) (*actions.ActionResult, erro
 		res.Status = contracts.AuthStatusUnauthenticated
 	} else {
 		res.Status = contracts.AuthStatusAuthenticated
-		_, err := a.verifyLoggedIn(ctx, scopes)
+		token, err := a.verifyLoggedIn(ctx, scopes)
 		if err != nil {
 			res.Status = contracts.AuthStatusUnauthenticated
 			log.Printf("error: verifying logged in status: %v", err)
+		} else if token != nil {
+			expiresOn := contracts.RFC3339Time(token.ExpiresOn)
+			res.ExpiresOn = &expiresOn
 		}
 
 		switch details.LoginType {
diff --git a/cli/azd/cmd/middleware/login_guard.go b/cli/azd/cmd/middleware/login_guard.go
@@ -5,9 +5,11 @@ package middleware
 
 import (
 	"context"
+	"errors"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/azure/azure-dev/cli/azd/cmd/actions"
+	"github.com/azure/azure-dev/cli/azd/internal"
 	"github.com/azure/azure-dev/cli/azd/internal/tracing/resource"
 	"github.com/azure/azure-dev/cli/azd/pkg/auth"
 	"github.com/azure/azure-dev/cli/azd/pkg/cloud"
@@ -53,6 +55,14 @@ func (l *LoginGuardMiddleware) Run(ctx context.Context, next NextFn) (*actions.A
 
 	_, err = auth.EnsureLoggedInCredential(ctx, cred, l.authManager.Cloud())
 	if err != nil {
+		// Only wrap auth-specific errors with login guidance.
+		// Let cancellations, network errors, and transient failures propagate unchanged.
+		if errors.Is(err, auth.ErrNoCurrentUser) {
+			return nil, &internal.ErrorWithSuggestion{
+				Err:        err,
+				Suggestion: "Run 'azd auth login' to sign in before running this command.",
+			}
+		}
 		return nil, err
 	}
 
diff --git a/cli/azd/pkg/contracts/auth.go b/cli/azd/pkg/contracts/auth.go
@@ -59,4 +59,7 @@ type StatusResult struct {
 
 	// The client ID of the service principal. Only set when Type is AccountTypeServicePrincipal.
 	ClientID string `json:"clientId,omitempty"`
+
+	// When authenticated, the time at which the current access token expires.
+	ExpiresOn *RFC3339Time `json:"expiresOn,omitempty"`
 }
diff --git a/cli/azd/pkg/contracts/auth_token_test.go b/cli/azd/pkg/contracts/auth_token_test.go
@@ -26,3 +26,47 @@ func TestRFC3339TimeJson(t *testing.T) {
 	assert.Equal(t, `"2023-01-09T06:39:00.313323855Z"`, string(stdRes))
 	assert.Equal(t, `"2023-01-09T06:39:00Z"`, string(cusRes))
 }
+
+func TestStatusResultJsonWithExpiresOn(t *testing.T) {
+	tm, err := time.Parse(time.RFC3339, "2026-03-22T14:30:00Z")
+	require.NoError(t, err)
+
+	expiresOn := RFC3339Time(tm)
+	res := StatusResult{
+		Status:    AuthStatusAuthenticated,
+		Type:      AccountTypeUser,
+		Email:     "user@example.com",
+		ExpiresOn: &expiresOn,
+	}
+
+	data, err := json.Marshal(res)
+	require.NoError(t, err)
+
+	var parsed StatusResult
+	err = json.Unmarshal(data, &parsed)
+	require.NoError(t, err)
+
+	assert.Equal(t, AuthStatusAuthenticated, parsed.Status)
+	assert.Equal(t, AccountTypeUser, parsed.Type)
+	assert.Equal(t, "user@example.com", parsed.Email)
+	require.NotNil(t, parsed.ExpiresOn)
+	assert.Equal(t, tm, time.Time(*parsed.ExpiresOn))
+}
+
+func TestStatusResultJsonWithoutExpiresOn(t *testing.T) {
+	res := StatusResult{
+		Status: AuthStatusUnauthenticated,
+	}
+
+	data, err := json.Marshal(res)
+	require.NoError(t, err)
+
+	assert.NotContains(t, string(data), "expiresOn")
+
+	var parsed StatusResult
+	err = json.Unmarshal(data, &parsed)
+	require.NoError(t, err)
+
+	assert.Equal(t, AuthStatusUnauthenticated, parsed.Status)
+	assert.Nil(t, parsed.ExpiresOn)
+}

Original file line number	Diff line number	Diff line change
`@@ -59,4 +59,7 @@ type StatusResult struct {`
`59`	`59`
`60`	`60`	`// The client ID of the service principal. Only set when Type is AccountTypeServicePrincipal.`
`61`	`61`	ClientID string `json:"clientId,omitempty"`
	`62`	`+`
	`63`	`+ // When authenticated, the time at which the current access token expires.`
	`64`	+ ExpiresOn *RFC3339Time `json:"expiresOn,omitempty"`
`62`	`65`	`}`