fix(auth): address PR review comments on openBrowser

mrdailey99 · claude · mrdailey99 · commit 9376fbcf4cbf · 2026-04-14T22:06:54.000-07:00
- Add explicit ChildProcess type to suppress implicit-any lint warning
- Add no-op error handler to prevent unhandled EventEmitter crash on ENOENT
- Extract getBrowserCommand() pure function for testability
- Add unit tests covering all platforms and URL passthrough

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/services/auth/loginFlow.ts b/src/services/auth/loginFlow.ts
@@ -9,7 +9,7 @@
 import crypto from 'node:crypto';
 import http from 'node:http';
 import https from 'node:https';
-import { spawn } from 'node:child_process';
+import { spawn, type ChildProcess } from 'node:child_process';
 import { URL } from 'node:url';
 
 // All three ports must be pre-registered in the Cognito App Client.
@@ -76,24 +76,32 @@ function isPortFree(port: number): Promise<boolean> {
  * Open a URL in the system browser. The URL is passed as an argument — not
  * interpolated into a shell string — to avoid command injection.
  */
-export function openBrowser(url: string): void {
-  // detached:true + stdio:'ignore' + unref() is the standard Node.js pattern for
-  // fire-and-forget child processes — the event loop will not wait for them to exit.
-  const spawnOpts = { detached: true, stdio: 'ignore' as const };
-  let child;
-  switch (process.platform) {
+/**
+ * Return the platform-specific command and argument list for opening a URL
+ * in the system browser. Exported so tests can assert the correct command is
+ * chosen for each platform without actually spawning a process.
+ */
+export function getBrowserCommand(url: string, platform: NodeJS.Platform = process.platform): { cmd: string; args: string[] } {
+  switch (platform) {
     case 'darwin':
-      child = spawn('open', [url], spawnOpts);
-      break;
+      return { cmd: 'open', args: [url] };
     case 'win32':
       // Pass the URL via $args[0] so it is never interpolated into the -Command
       // string — avoids quote-breaking and injection risk from special characters.
-      child = spawn('powershell.exe', ['-NoProfile', '-Command', 'Start-Process $args[0]', '-args', url], spawnOpts);
-      break;
+      return { cmd: 'powershell.exe', args: ['-NoProfile', '-Command', 'Start-Process $args[0]', '-args', url] };
     default:
-      child = spawn('xdg-open', [url], spawnOpts);
-      break;
+      return { cmd: 'xdg-open', args: [url] };
   }
+}
+
+export function openBrowser(url: string): void {
+  // detached:true + stdio:'ignore' + unref() is the standard Node.js pattern for
+  // fire-and-forget child processes — the event loop will not wait for them to exit.
+  const { cmd, args } = getBrowserCommand(url);
+  const child: ChildProcess = spawn(cmd, args, { detached: true, stdio: 'ignore' });
+  // Suppress unhandled-error crashes if the browser executable is not found.
+  // The login URL is already printed to the terminal so the user can open it manually.
+  child.on('error', () => { /* intentional no-op */ });
   child.unref();
 }
 
diff --git a/test/unit/commands/provar/auth/login.test.ts b/test/unit/commands/provar/auth/login.test.ts
@@ -15,6 +15,7 @@ import { describe, it, beforeEach, afterEach } from 'mocha';
 import sinon from 'sinon';
 import {
   generatePkce,
+  getBrowserCommand,
   loginFlowClient,
   type CognitoTokens,
   CALLBACK_PORTS,
@@ -59,6 +60,45 @@ function restoreHome(): void {
   fs.rmSync(tempDir, { recursive: true, force: true });
 }
 
+// ── getBrowserCommand ─────────────────────────────────────────────────────────
+
+describe('getBrowserCommand', () => {
+  const url = 'https://example.com/login?code=abc&state=xyz';
+
+  it('uses "open" on macOS', () => {
+    const { cmd, args } = getBrowserCommand(url, 'darwin');
+    assert.equal(cmd, 'open');
+    assert.deepEqual(args, [url]);
+  });
+
+  it('uses powershell.exe with Start-Process on Windows', () => {
+    const { cmd, args } = getBrowserCommand(url, 'win32');
+    assert.equal(cmd, 'powershell.exe');
+    assert.ok(args.includes('-NoProfile'), 'should pass -NoProfile');
+    assert.ok(args.includes('Start-Process $args[0]') || args.join(' ').includes('Start-Process'), 'should use Start-Process');
+    // URL is passed as a separate arg — never interpolated into the command string
+    assert.equal(args[args.length - 1], url, 'URL must be the last argument');
+  });
+
+  it('uses "xdg-open" on Linux', () => {
+    const { cmd, args } = getBrowserCommand(url, 'linux');
+    assert.equal(cmd, 'xdg-open');
+    assert.deepEqual(args, [url]);
+  });
+
+  it('uses "xdg-open" for unknown platforms', () => {
+    const { cmd } = getBrowserCommand(url, 'freebsd');
+    assert.equal(cmd, 'xdg-open');
+  });
+
+  it('includes the full URL in args for all platforms', () => {
+    for (const platform of ['darwin', 'win32', 'linux'] as NodeJS.Platform[]) {
+      const { args } = getBrowserCommand(url, platform);
+      assert.ok(args.includes(url), `URL must appear in args for platform ${platform}`);
+    }
+  });
+});
+
 // ── generatePkce ──────────────────────────────────────────────────────────────
 
 describe('generatePkce', () => {
