@plosson/agentio 0.8.1 → 0.8.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@plosson/agentio",
-  "version": "0.8.1",
+  "version": "0.8.2",
   "description": "CLI for LLM agents to interact with communication and tracking services",
   "type": "module",
   "license": "MIT",

package/src/server/oauth.test.ts

@@ -809,6 +809,29 @@ describe('handleAuthorizePost — happy path', () => {
     expect(url.searchParams.get('state')).toBe('STATE_XYZ');
   });
 
+  test('api_key with trailing whitespace still authorizes (trim)', async () => {
+    // Regression: operators often paste the key with a trailing newline
+    // from terminals. Byte-for-byte compare would silently reject.
+    const ctx = makeCtx();
+    const clientId = await registerTestClient(ctx);
+    for (const suffix of [' ', '\n', '\r\n', '  \t']) {
+      const res = await handleAuthorizePost(
+        authorizePost({
+          client_id: clientId,
+          redirect_uri: 'http://localhost:53682/callback',
+          response_type: 'code',
+          code_challenge: 'CHAL',
+          code_challenge_method: 'S256',
+          state: '',
+          scope: 'gchat:default',
+          api_key: TEST_API_KEY + suffix,
+        }),
+        ctx
+      );
+      expect(res.status).toBe(302);
+    }
+  });
+
   test('issued code is consumable from the store', async () => {
     const ctx = makeCtx();
     const clientId = await registerTestClient(ctx);

package/src/server/oauth.ts

@@ -539,7 +539,10 @@ export async function handleAuthorizePost(
 
   const params = result.params;
   const client = ctx.oauthStore.findClient(params.clientId);
-  const apiKey = form.get('api_key') ?? '';
+  // Trim pasted whitespace — same UX issue as setup-page.ts: a stray
+  // newline or trailing space from copy-paste would otherwise fail the
+  // byte-for-byte compare with a confusing error.
+  const apiKey = (form.get('api_key') ?? '').trim();
 
   if (!apiKey || !constantTimeEquals(apiKey, ctx.apiKey)) {
     // Re-render the form with an error. We deliberately do NOT redirect

package/src/server/setup-page.test.ts

@@ -160,6 +160,23 @@ describe('POST / — login', () => {
     expect(res.headers.get('set-cookie')).toBeNull();
   });
 
+  test('correct api_key with trailing whitespace (newline/space) → 302', async () => {
+    // Regression: operators routinely paste the key with a trailing
+    // newline from terminals. Byte-for-byte compare would silently
+    // reject an otherwise-valid key; trim makes it forgiving.
+    for (const suffix of [' ', '\n', '\r\n', '  \t']) {
+      const res = await handleRequest(
+        req('POST', '/', {
+          contentType: FORM,
+          body: formBody({ api_key: API_KEY + suffix }),
+        }),
+        ctx
+      );
+      expect(res.status).toBe(302);
+      expect(res.headers.get('set-cookie')).toContain(expectedCookieValue(API_KEY));
+    }
+  });
+
   test('correct api_key → 302 to /, sets cookie with expected attributes', async () => {
     const res = await handleRequest(
       req('POST', '/', {

package/src/server/setup-page.ts

@@ -338,7 +338,11 @@ async function handleSetupPost(
     });
   }
 
-  const apiKey = form.get('api_key') ?? '';
+  // Trim: operators routinely paste the key with a trailing newline or
+  // space from terminals / password managers. constantTimeEquals is a
+  // byte-for-byte compare, so an extra whitespace character silently
+  // fails the login with a confusing "Invalid API key" error.
+  const apiKey = (form.get('api_key') ?? '').trim();
   if (!apiKey || !constantTimeEquals(apiKey, ctx.apiKey)) {
     return new Response(loginFormHtml('Invalid API key.'), {
       status: 401,