Skip to content

feat: use remote scopes.json for login scope recommendations#1799

Open
dc-bytedance wants to merge 8 commits into
mainfrom
feat/optimize-auth-permission-strategy
Open

feat: use remote scopes.json for login scope recommendations#1799
dc-bytedance wants to merge 8 commits into
mainfrom
feat/optimize-auth-permission-strategy

Conversation

@dc-bytedance

@dc-bytedance dc-bytedance commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Summary

auth login previously computed its recommended authorization scopes from a compiled-in local table (API catalog + priority scoring + auto-approve filtering), so different CLI versions could request different scope sets and drift from the platform's own scope computation. This PR switches the scope source to a remotely-published scopes.json fetched per-brand at login time, with silent fallback to the local full set on any fetch/timeout/validation failure. It also removes the terminal interactive domain-selection page (--recommend becomes equivalent to --domain all) and passes the authorization response's status_message through to the caller verbatim.

Changes

  • Add internal/auth/remote_scopes.go: per-brand remote scopes.json fetch (1s timeout, reuses transport.NewHTTPClient + core.ResolveOpenBaseURL) with binary validation — whole file usable (JSON parses + non-empty scopes object + each domain has a user_scopes array + every scope matches service:resource:action) or whole-file fallback to local; i18n / tenant_scopes / version are not validated
  • cmd/auth/login.go: authLoginRun resolves scopes remote-first / local-fallback via new resolveScopesForDomains + legalDomainsFor; remove the interactive-page branch; bare auth login and --recommend both request the full domain set (equivalent to --domain all)
  • Remove cmd/auth/login_interactive.go and the internal/registry auto-approve filter chain (FilterAutoApproveScopes and friends) plus orphaned interactive message fields
  • internal/auth/device_flow.go + cmd/auth/login_result.go: read and pass through status_message from the success response, verbatim (no parse / classify / truncate)
  • Retain the three flag entries (bare auth login / --recommend / --domain all) as behavior-equivalent transitional aliases

Test Plan

  • make unit-test passed
  • build / vet / unit / integration checks passed
  • end-to-end tests passed (5/5 scenarios: flag contract, unknown-domain rejection, --exclude guard, bare-login authorization, --recommend--domain all)
  • manual acceptance walkthrough passed (help-text clarity, unknown-domain error readability, --exclude dependency error, status_message passthrough)
  • manual verification: auth login --help reflects the recommend/bare-login semantics; auth login --domain bogusxyz returns a structured unknown-domain error with the available-domain list

Related Issues

N/A (tracked internally)

Summary by CodeRabbit

  • New Features
    • auth login now expands --recommend to cover all known business domains (same as --domain all).
    • Successful JSON login responses (including device-code) can now include an upstream status_message.
  • Bug Fixes
    • Improved scope/domain resolution and validation, including stricter handling of --domain all and explicit domain entries.
    • Device-code polling now preserves upstream status text into the final JSON output.
  • Breaking Changes
    • Interactive domain-selection UI was removed; non-interactive defaults now apply when no domain selection is provided.

@dc-bytedance dc-bytedance requested a review from liangshuo-1 as a code owner July 8, 2026 08:13
@github-actions github-actions Bot added the size/XL Architecture-level or global-impact change label Jul 8, 2026
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 31fc1bb9-e685-4452-a776-d3956b306375

📥 Commits

Reviewing files that changed from the base of the PR and between e81d3f7 and 05f4098.

📒 Files selected for processing (2)
  • internal/registry/registry_test.go
  • internal/registry/scopes.go

📝 Walkthrough

Walkthrough

The PR changes auth login to resolve domains and scopes from remote scopes.json with local fallback, removes interactive selection, propagates device-flow status messages into JSON output, and updates registry scope collection and helper APIs.

Changes

Auth login scope resolution and output

Layer / File(s) Summary
Remote scopes fetch and validation
internal/auth/remote_scopes.go, internal/auth/remote_scopes_test.go
Adds brand-specific fetching, validation, timeout and size limits, fallback handling, and tests.
Login domain and scope resolution
cmd/auth/login.go, cmd/auth/login_test.go
Resolves legal domains and candidate scopes from remote or local data, supports full-domain defaults, and tests deduplication and fallback behavior.
Login messaging and status propagation
cmd/auth/login_messages.go, cmd/auth/login_messages_test.go, internal/auth/device_flow.go, internal/auth/device_flow_test.go, cmd/auth/login_result.go, cmd/auth/login_result_test.go, cmd/auth/login.go, cmd/auth/login_test.go
Removes interactive message fields, preserves device-flow status messages, and includes them in JSON authorization results.

Registry helper consolidation

Layer / File(s) Summary
Auto-approve cache and scope collection
internal/registry/loader.go, internal/registry/scopes.go, internal/registry/registry_test.go, internal/registry/remote_test.go
Unifies auto-approve caches, removes obsolete exported helpers, honors required scope conjunctions, and updates cache-reset and test coverage.
Service description helper
internal/registry/service_desc.go
Adds localized GetServiceDescription and removes title and detail-description helpers.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant authLoginRun
  participant FetchRemoteScopes
  participant resolveScopesForDomains
  participant PollDeviceToken
  participant authorizationCompletePayload
  User->>authLoginRun: login options
  authLoginRun->>FetchRemoteScopes: fetch scopes.json
  FetchRemoteScopes-->>authLoginRun: remote scopes or local fallback
  authLoginRun->>resolveScopesForDomains: selected domains
  resolveScopesForDomains-->>authLoginRun: candidate scopes
  PollDeviceToken-->>authLoginRun: token and status_message
  authLoginRun->>authorizationCompletePayload: status_message
Loading

Possibly related PRs

Suggested reviewers: albertnusouo, xingjiansun, liangshuo-1

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 36.36% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the main change: using remote scopes.json for login scope recommendations.
Description check ✅ Passed The description follows the required sections and includes summary, changes, test plan, and related issues.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/optimize-auth-permission-strategy

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 74.75728% with 26 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.75%. Comparing base (37d490a) to head (05f4098).

Files with missing lines Patch % Lines
cmd/auth/login.go 57.69% 20 Missing and 2 partials ⚠️
internal/auth/remote_scopes.go 90.47% 2 Missing and 2 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1799      +/-   ##
==========================================
+ Coverage   74.66%   74.75%   +0.09%     
==========================================
  Files         877      877              
  Lines       91731    91624     -107     
==========================================
+ Hits        68494    68497       +3     
+ Misses      17926    17816     -110     
  Partials     5311     5311              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@05f4098a5a997ad60cf66ca942903c2ee3a543ed

🧩 Skill update

npx skills add larksuite/cli#feat/optimize-auth-permission-strategy -y -g

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
cmd/auth/login.go (1)

595-613: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add direct tests for legalDomainsFor The existing resolveScopesForDomains coverage doesn’t exercise this wrapper’s remote-key extraction/sort or the local fallback; add a minimal test for each branch.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/auth/login.go` around lines 595 - 613, Add direct unit tests for
legalDomainsFor to cover both branches explicitly, since resolveScopesForDomains
does not verify this wrapper’s behavior. Create one test with remoteOK true that
asserts the returned membership set uses the remote map keys and the slice is
sorted, and another with remoteOK false that asserts it falls back to
allKnownDomains and sortedKnownDomains for the given core.LarkBrand. Keep the
tests focused on the legalDomainsFor symbol so the remote-key extraction,
sorting, and local fallback are all exercised directly.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@cmd/auth/login.go`:
- Around line 595-613: Add direct unit tests for legalDomainsFor to cover both
branches explicitly, since resolveScopesForDomains does not verify this
wrapper’s behavior. Create one test with remoteOK true that asserts the returned
membership set uses the remote map keys and the slice is sorted, and another
with remoteOK false that asserts it falls back to allKnownDomains and
sortedKnownDomains for the given core.LarkBrand. Keep the tests focused on the
legalDomainsFor symbol so the remote-key extraction, sorting, and local fallback
are all exercised directly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 307cabaa-5785-49ad-aedc-d99271e3de15

📥 Commits

Reviewing files that changed from the base of the PR and between 9413e7c and 20c2a2d.

📒 Files selected for processing (14)
  • cmd/auth/login.go
  • cmd/auth/login_interactive.go
  • cmd/auth/login_messages.go
  • cmd/auth/login_messages_test.go
  • cmd/auth/login_result.go
  • cmd/auth/login_result_test.go
  • cmd/auth/login_test.go
  • internal/auth/device_flow.go
  • internal/auth/device_flow_test.go
  • internal/auth/remote_scopes.go
  • internal/auth/remote_scopes_test.go
  • internal/registry/loader.go
  • internal/registry/registry_test.go
  • internal/registry/remote_test.go
💤 Files with no reviewable changes (5)
  • cmd/auth/login_interactive.go
  • internal/registry/loader.go
  • cmd/auth/login_messages.go
  • internal/registry/registry_test.go
  • internal/registry/remote_test.go

@dc-bytedance dc-bytedance force-pushed the feat/optimize-auth-permission-strategy branch from 29b0fe6 to e81d3f7 Compare July 14, 2026 03:26
@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown

PR Quality Summary

CI did not complete successfully. Use the failed check links below to decide whether this PR needs a code change or a rerun.

Failed checks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

feature size/XL Architecture-level or global-impact change

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant