CLI-278 review auth tests; remove GET option for token submission; remove success HTML

[sophio-japharidze-sonarsource]

No description provided.

[hashicorp-vault-sonar-prod]

CLI-189

[sonar-review-alpha]

Summary

This PR simplifies the CLI's authentication flow by removing the GET-based token submission method and eliminating the HTML success page. The loopback server now only accepts POST requests with a JSON payload, improving both security (tokens no longer appear in query strings) and simplicity. The test harness is updated to deliver tokens via POST, better random ID generation is introduced, and integration tests gain coverage for edge cases (organization not found, large org lists, sonar-project.properties handling). Multiple unit test files are reorganized and consolidated under a new tests/unit/auth/ directory for better structure.

Files changed: 15 files

• 1 core module (token.ts: ~160 lines removed)
• 1 test harness (cli-runner.ts: refactored token delivery)
• 1 integration test file (new test cases for edge cases)
• 12 unit test files (reorganization and consolidation)

What reviewers should know

Start here: Review src/cli/commands/_common/token.ts to understand the core protocol changes:

• The createRequestHandler() now only routes POST requests to handlePostRequest()
• sendSuccessResponse() returns plain text/plain "OK" instead of HTML
• Removed: extractTokenFromQuery(), getSuccessHTML(), handleGetRequest()

Test harness changes: tests/integration/harness/cli-runner.ts shows how the test infrastructure adapts:

• New tryDeliverToken() helper extracts the loopback port and POSTs the token as JSON
• Replaces the previous GET query-string approach
• Uses crypto.randomUUID() for better entropy than Math.random()

Integration test additions: tests/integration/specs/auth/auth.test.ts adds edge-case coverage:

• Organization not found on SonarCloud
• Large organization list pagination
• Using sonar-project.properties as fallback for org selection
• Multi-organization token management

Test reorganization: Old unit test files (tests/unit/auth-*.test.ts, tests/unit/configure.test.ts) are consolidated under tests/unit/auth/ with the same logical grouping. This is a straightforward reorganization—verify the new files preserve all test coverage and no tests are unintentionally dropped.

Note: Token delivery is now POST-only. Any external tooling or documentation that assumes GET-based delivery will need updating.

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 New dependency risks

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonar-review-alpha]

LGTM! ✅

The protocol change (GET → POST-only, plain-text response) is correctly implemented, and the test harness update mirrors it faithfully. One coverage gap introduced by the test reorganization needs attention before merge.

Uncovered function — configureTelemetry: configure.test.ts (143 lines) was deleted with no replacement. A search across the entire tests/ tree confirms configureTelemetry is now completely untested — no unit tests, no integration tests. It covered non-trivial paths: state mutation, success/info messaging, and InvalidOptionError on conflicting flags. This should either be migrated to a new location under tests/unit/ or the deletion should be explicitly justified.

🗣️ Give feedback

[damien-urruty-sonarsource]

I think this breaks the embedded server functionality. Also, but maybe it's a separate topic, but we have many auth-* test files. I wonder if we should consolidate them into a single file, or if we could have integration tests for some of them. But this is OK for now

[damien-urruty-sonarsource]

It's surprising, but requests coming from SQC/SQS are in fact GET requests. I think we implemented it like this back then because of CORS limitations. I'm not even sure we have POST requests, we would need to check

[damien-urruty-sonarsource]

Nitpick: I think there is a dedicated status for unsupported method