reportify-cli 0.1.47__tar.gz → 0.1.49__tar.gz

{reportify_cli-0.1.47 → reportify_cli-0.1.49}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: reportify-cli
-Version: 0.1.47
+Version: 0.1.49
 Summary: CLI wrapper for Reportify SDK - Access Reportify API through command line
 Project-URL: Homepage, https://reportify.ai
 Project-URL: Documentation, https://docs.reportify.ai

{reportify_cli-0.1.47 → reportify_cli-0.1.49}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "reportify-cli"
-version = "0.1.47"
+version = "0.1.49"
 description = "CLI wrapper for Reportify SDK - Access Reportify API through command line"
 readme = "README.md"
 requires-python = ">=3.10"

{reportify_cli-0.1.47 → reportify_cli-0.1.49}/src/auth_config.py

@@ -2,15 +2,26 @@
 
 存储位置：``~/.reportify/config`` (INI 格式)，权限 0600。
 
+新 OAuth flow (推荐)：
+
+```ini
+[default]
+access_token = eyJhbGciOiJIUzI1NiIs...    # JWT
+refresh_token = q9N1f...
+expires_at = 1716800000                   # epoch seconds
+user_id = 12345
+```
+
+老 API Key flow (向后兼容)：
+
 ```ini
 [default]
 api_key = 12345abcdef...
 user_id = 12345
-nickname = Foo
-email = foo@bar.com
-subscription_tier = plus
 ```
 
+两种字段可共存：CLI 读取时优先用未过期的 access_token，回退到 api_key。
+
 仅 first-party CLI 内部使用；Skill 不要直接读这个文件，应通过 ``reportify-cli`` 间接使用。
 """
 
@@ -30,16 +41,34 @@ CONFIG_PATH = CONFIG_DIR / "config"
 
 @dataclass
 class AuthCredential:
-    """单个 profile 下保存的凭证。"""
+    """单个 profile 下保存的凭证。
 
-    api_key: str
+    新 OAuth flow 用 access_token/refresh_token/expires_at；
+    老 flow 用 api_key（向后兼容）。
+    """
+
+    api_key: Optional[str] = None
+    access_token: Optional[str] = None
+    refresh_token: Optional[str] = None
+    expires_at: Optional[int] = None  # epoch seconds
+    client_id: Optional[str] = None  # DCR 拿到的, 30 天 TTL, 过期需重新注册
     user_id: Optional[str] = None
     nickname: Optional[str] = None
     email: Optional[str] = None
     subscription_tier: Optional[str] = None
 
     def to_dict(self) -> dict[str, str]:
-        d = {"api_key": self.api_key}
+        d: dict[str, str] = {}
+        if self.api_key:
+            d["api_key"] = self.api_key
+        if self.access_token:
+            d["access_token"] = self.access_token
+        if self.refresh_token:
+            d["refresh_token"] = self.refresh_token
+        if self.expires_at:
+            d["expires_at"] = str(self.expires_at)
+        if self.client_id:
+            d["client_id"] = self.client_id
         if self.user_id:
             d["user_id"] = str(self.user_id)
         if self.nickname:
@@ -66,16 +95,28 @@ def _load_parser() -> configparser.ConfigParser:
 
 
 def load_credential(profile: str = DEFAULT_PROFILE) -> Optional[AuthCredential]:
-    """读取指定 profile 的凭证；不存在或缺 api_key 时返回 None。"""
+    """读取指定 profile 的凭证；不存在或两类 token 都缺时返回 None。"""
     parser = _load_parser()
     if not parser.has_section(profile):
         return None
     section = parser[profile]
     api_key = section.get("api_key")
-    if not api_key:
+    access_token = section.get("access_token")
+    if not api_key and not access_token:
         return None
+    expires_at_raw = section.get("expires_at")
+    expires_at: Optional[int] = None
+    if expires_at_raw:
+        try:
+            expires_at = int(expires_at_raw)
+        except ValueError:
+            expires_at = None
     return AuthCredential(
         api_key=api_key,
+        access_token=access_token,
+        refresh_token=section.get("refresh_token"),
+        expires_at=expires_at,
+        client_id=section.get("client_id"),
         user_id=section.get("user_id"),
         nickname=section.get("nickname"),
         email=section.get("email"),

{reportify_cli-0.1.47 → reportify_cli-0.1.49}/src/commands/auth.py

@@ -1,23 +1,25 @@
 """Reportify CLI authentication commands.
 
-实现 OAuth 2.0 Device Authorization Grant (RFC 8628) 客户端：
+实现 OAuth 2.1 Device Authorization Grant (RFC 8628) 客户端：
 
-    reportify-cli auth login       # 跑 device flow, 拿 api_key, 写本地配置
+    reportify-cli auth login       # 跑 device flow, 保存 JWT, 写本地配置
     reportify-cli auth logout      # 删除本地配置
     reportify-cli auth status      # 显示当前登录状态
 
-后端契约：
-    POST {base}/v1/cli-oauth/device/code   (form: client_id, scope?)
-    POST {base}/v1/cli-oauth/device/token  (form: grant_type, device_code, client_id)
-    POST {base}/v1/api-keys/ensure         (json: {client_id, source}, Bearer access_token)
+后端契约（新 oauth_server 端点）：
+    POST {base}/v1/oauth/device/code  (form: client_id, resource, scope?)
+    POST {base}/v1/oauth/token        (form: grant_type, device_code, client_id, resource)
+    POST {base}/v1/oauth/token        (form: grant_type=refresh_token, refresh_token, client_id, resource)
+
+返回的 access_token 是 **JWT**（aud=https://api.reportify.cn），客户端把它当
+Bearer 直接发给主 API；主 API 的 TokenMiddleware 会本地验签校验 audience。
 """
 
 from __future__ import annotations
 
-import sys
 import time
 import webbrowser
-from typing import Annotated, Optional
+from typing import Annotated
 
 import httpx
 import typer
@@ -32,14 +34,19 @@ from src.settings import get_api_base_url
 
 app = typer.Typer(help="Authentication", rich_markup_mode="rich")
 
+# Reportify CLI 是 first-party 客户端, 用预注册的稳定 client_id (后端配置在
+# OAUTH_FIRSTPARTY_CLIENTS 里), 不走 DCR. 这样可以拿到 api 域的 token (DCR
+# 注册的客户端默认只能拿 mcp 域).
+#
+# Public client (PKCE 防 code 截获), client_id 公开不构成安全风险.
 CLIENT_ID = "reportify-cli"
-SCOPE = "profile api_key"
-GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
+RESOURCE = "https://api.reportify.cn"
+SCOPE = "api"
+GRANT_TYPE_DEVICE = "urn:ietf:params:oauth:grant-type:device_code"
+GRANT_TYPE_REFRESH = "refresh_token"
 
-# 端点路径（统一 /v1 前缀，与 SDK 同源）
-ENDPOINT_DEVICE_CODE = "/v1/cli-oauth/device/code"
-ENDPOINT_DEVICE_TOKEN = "/v1/cli-oauth/device/token"
-ENDPOINT_API_KEY_ENSURE = "/api-keys/ensure"
+ENDPOINT_DEVICE_CODE = "/v1/oauth/device/code"
+ENDPOINT_TOKEN = "/v1/oauth/token"
 
 
 # ------------------------------------------------------------------ #
@@ -53,16 +60,11 @@ def _err(msg: str, exit_code: int = 1) -> None:
 
 
 def _oauth_error(response: httpx.Response) -> tuple[str, str]:
-    """Extract RFC 8628 OAuth error from a 4xx response.
-
-    Server returns ``{"detail": {"error": ..., "error_description": ...}}``.
-    """
+    """Extract OAuth error from a 4xx response."""
     try:
         body = response.json()
     except Exception:
         return ("unknown_error", response.text or "")
-
-    # FastAPI HTTPException 的 detail 嵌在 'detail' 里
     detail = body.get("detail", body)
     if isinstance(detail, dict):
         return (
@@ -72,10 +74,10 @@ def _oauth_error(response: httpx.Response) -> tuple[str, str]:
     return ("unknown_error", str(detail))
 
 
-def _request_device_code(client: httpx.Client) -> dict:
+def _request_device_code(client: httpx.Client, client_id: str) -> dict:
     resp = client.post(
         ENDPOINT_DEVICE_CODE,
-        data={"client_id": CLIENT_ID, "scope": SCOPE},
+        data={"client_id": client_id, "resource": RESOURCE, "scope": SCOPE},
     )
     if resp.status_code != 200:
         err, desc = _oauth_error(resp)
@@ -83,8 +85,10 @@ def _request_device_code(client: httpx.Client) -> dict:
     return resp.json()
 
 
-def _poll_token(client: httpx.Client, device_code: str, interval: int, expires_in: int) -> dict:
-    """轮询 /device/token，直到拿到 access_token 或超时 / 用户拒绝。"""
+def _poll_token(
+    client: httpx.Client, device_code: str, client_id: str, interval: int, expires_in: int
+) -> dict:
+    """轮询 /v1/oauth/token (grant_type=device_code)，直到拿到 JWT 或超时/被拒。"""
     deadline = time.monotonic() + expires_in
     current_interval = max(interval, 1)
     typer.echo("Waiting for authorization", nl=False)
@@ -97,11 +101,12 @@ def _poll_token(client: httpx.Client, device_code: str, interval: int, expires_i
         typer.echo(".", nl=False)
 
         resp = client.post(
-            ENDPOINT_DEVICE_TOKEN,
+            ENDPOINT_TOKEN,
             data={
-                "grant_type": GRANT_TYPE,
+                "grant_type": GRANT_TYPE_DEVICE,
                 "device_code": device_code,
-                "client_id": CLIENT_ID,
+                "client_id": client_id,
+                "resource": RESOURCE,
             },
         )
 
@@ -118,30 +123,42 @@ def _poll_token(client: httpx.Client, device_code: str, interval: int, expires_i
         if err == "access_denied":
             typer.echo("")
             _err("authorization was denied in the browser")
-        if err == "expired_token":
+        if err in ("expired_token", "invalid_grant"):
             typer.echo("")
             _err("device code expired before authorization; please try `auth login` again")
 
-        # Any other error → fail loud
         typer.echo("")
         _err(f"failed to obtain access token ({err}): {desc}")
 
 
-def _ensure_api_key(client: httpx.Client, access_token: str) -> dict:
-    # reportify 的 TokenMiddleware 用 `X-Reportify-Token` 识别 web 登录态 token；
-    # `Authorization: Bearer` 那个 slot 给长期 api_key 用的。两个 header 不能混。
-    resp = client.post(
-        ENDPOINT_API_KEY_ENSURE,
-        headers={"X-Reportify-Token": access_token},
-        json={"client_id": CLIENT_ID, "source": "cli"},
+def _credential_from_token_response(token_resp: dict) -> AuthCredential:
+    expires_in = int(token_resp.get("expires_in", 3600))
+    return AuthCredential(
+        access_token=token_resp["access_token"],
+        refresh_token=token_resp.get("refresh_token"),
+        expires_at=int(time.time()) + expires_in,
     )
-    if resp.status_code != 200:
-        try:
-            detail = resp.json().get("detail", resp.text)
-        except Exception:
-            detail = resp.text
-        _err(f"failed to obtain api key (HTTP {resp.status_code}): {detail}")
-    return resp.json()
+
+
+def refresh_access_token(refresh_token: str, client_id: str) -> AuthCredential:
+    """刷新 access_token；返回新的 AuthCredential（含轮转后的 refresh_token）。"""
+    base_url = get_api_base_url().rstrip("/")
+    with httpx.Client(base_url=base_url, timeout=30.0) as client:
+        resp = client.post(
+            ENDPOINT_TOKEN,
+            data={
+                "grant_type": GRANT_TYPE_REFRESH,
+                "refresh_token": refresh_token,
+                "client_id": client_id,
+                "resource": RESOURCE,
+            },
+        )
+        if resp.status_code != 200:
+            err, desc = _oauth_error(resp)
+            _err(f"refresh failed ({err}): {desc}. Please run `reportify-cli auth login` again.")
+    cred = _credential_from_token_response(resp.json())
+    cred.client_id = client_id  # 保持原 client_id
+    return cred
 
 
 # ------------------------------------------------------------------ #
@@ -159,14 +176,18 @@ def login(
         ),
     ] = False,
 ) -> None:
-    """Authenticate to Reportify via the device authorization flow.
+    """Authenticate to Reportify via the OAuth 2.1 device flow.
 
     Opens the browser to a verification page. After you approve the request,
-    the CLI fetches a long-lived API key and stores it in ``~/.reportify/config``.
+    the CLI stores a short-lived access token (JWT) + refresh token in
+    ``~/.reportify/config``. Subsequent CLI commands use the access token
+    automatically; expired tokens are silently refreshed.
     """
     base_url = get_api_base_url().rstrip("/")
+    client_id = CLIENT_ID  # first-party 预注册, 不走 DCR
+
     with httpx.Client(base_url=base_url, timeout=30.0) as client:
-        device_resp = _request_device_code(client)
+        device_resp = _request_device_code(client, client_id)
 
         verification_uri_complete = device_resp.get("verification_uri_complete")
         verification_uri = device_resp.get("verification_uri")
@@ -185,28 +206,16 @@ def login(
             try:
                 webbrowser.open(verification_uri_complete)
             except Exception:
-                # 浏览器打开失败不影响主流程，用户可以自己复制链接
                 pass
 
-        token_resp = _poll_token(client, device_code, interval, expires_in)
-        access_token = token_resp["access_token"]
-        user = token_resp.get("user") or {}
+        token_resp = _poll_token(client, device_code, client_id, interval, expires_in)
 
-        key_resp = _ensure_api_key(client, access_token)
-
-    credential = AuthCredential(
-        api_key=key_resp["key"],
-        user_id=str(user.get("user_id") or ""),
-        nickname=user.get("nickname") or None,
-        email=user.get("email") or None,
-        subscription_tier=user.get("subscription_tier") or None,
-    )
+    credential = _credential_from_token_response(token_resp)
+    credential.client_id = client_id
     path = save_credential(credential)
 
     typer.echo("")
-    who = credential.nickname or credential.email or credential.user_id or "unknown"
-    tier = credential.subscription_tier or "free"
-    typer.echo(f"Logged in as {who} (plan: {tier})")
+    typer.echo("Logged in successfully")
     typer.echo(f"Credential saved to {path}")
 
 
@@ -214,8 +223,8 @@ def login(
 def logout() -> None:
     """Remove the locally stored Reportify credential.
 
-    Does **not** revoke the API key on the server side. If you want the key
-    invalidated, also delete it from your Reportify settings page.
+    Does **not** revoke the token on the server side. If you want the token
+    invalidated, also revoke it from your Reportify account settings.
     """
     removed = delete_credential()
     if removed:
@@ -236,7 +245,9 @@ def status() -> None:
         typer.echo("Not logged in. Run `reportify-cli auth login`.")
         raise typer.Exit(1)
 
-    who = cred.nickname or cred.email or cred.user_id or "unknown"
-    tier = cred.subscription_tier or "unknown"
-    typer.echo(f"Logged in as {who} (plan: {tier})")
+    if cred.access_token:
+        remaining = (cred.expires_at or 0) - int(time.time())
+        typer.echo(f"Logged in (OAuth, token expires in {max(remaining, 0)}s)")
+    elif cred.api_key:
+        typer.echo("Logged in (legacy API Key)")
     typer.echo(f"API base: {get_api_base_url()}")

reportify_cli-0.1.49/src/settings.py

@@ -0,0 +1,87 @@
+"""Settings and configuration for Reportify API CLI."""
+
+import os
+import sys
+import time
+
+# Try to load .env file if python-dotenv is available
+try:
+    from dotenv import load_dotenv
+
+    load_dotenv()
+except ImportError:
+    # python-dotenv not installed, skip loading .env file
+    pass
+
+from src.auth_config import load_credential, save_credential
+
+# Default API base URL. SDK 默认也是这个；CLI 自己的 auth 命令也走它。
+DEFAULT_API_BASE_URL = "https://api.reportify.cn"
+
+# 距过期多少秒以内强制刷新（防止用户长时间 CLI 跑批时半路过期）
+_REFRESH_LEEWAY_SEC = 60
+
+
+def get_api_base_url() -> str:
+    """API 基础 URL。优先级: REPORTIFY_BASE_URL > 默认值。
+
+    与 reportify-sdk 的 Reportify 客户端保持一致，便于 dev / staging 切换。
+    """
+    return os.getenv("REPORTIFY_BASE_URL") or DEFAULT_API_BASE_URL
+
+
+def _is_token_fresh(expires_at: int | None) -> bool:
+    if not expires_at:
+        return False
+    return expires_at - int(time.time()) > _REFRESH_LEEWAY_SEC
+
+
+def get_api_key() -> str:
+    """Get a bearer credential, in priority order:
+
+    1. ``REPORTIFY_API_KEY`` environment variable（可以是 api_key 或 JWT）
+    2. 本地配置文件中未过期的 OAuth access_token (JWT)
+    3. OAuth refresh_token 自动续期后的新 access_token
+    4. 本地配置文件中的老 api_key（向后兼容）
+
+    主 API 的 TokenMiddleware 同时接受这两种凭证形态。
+
+    Raises:
+        SystemExit: If none of the above is available.
+    """
+    env_key = os.getenv("REPORTIFY_API_KEY")
+    if env_key:
+        return env_key
+
+    cred = load_credential()
+    if cred:
+        # 1. 未过期的 JWT 直接用
+        if cred.access_token and _is_token_fresh(cred.expires_at):
+            return cred.access_token
+
+        # 2. JWT 过期但有 refresh_token，自动续期
+        if cred.refresh_token and cred.client_id:
+            # 延迟 import 避开 circular（commands/auth.py 反过来 import settings）
+            from src.commands.auth import refresh_access_token
+
+            refreshed = refresh_access_token(cred.refresh_token, cred.client_id)
+            cred.access_token = refreshed.access_token
+            cred.refresh_token = refreshed.refresh_token or cred.refresh_token
+            cred.expires_at = refreshed.expires_at
+            save_credential(cred)
+            return cred.access_token
+
+        # 3. 老 api_key fallback
+        if cred.api_key:
+            return cred.api_key
+
+    print("Error: no Reportify credential found.", file=sys.stderr)
+    print(
+        "  - Run `reportify-cli auth login` to authenticate, or",
+        file=sys.stderr,
+    )
+    print(
+        "  - Set the REPORTIFY_API_KEY environment variable manually.",
+        file=sys.stderr,
+    )
+    sys.exit(1)

{reportify_cli-0.1.47 → reportify_cli-0.1.49}/tests/test_commands/test_auth_commands.py

@@ -66,30 +66,31 @@ def _device_code_payload() -> dict:
     }
 
 
-def _token_payload() -> dict:
+def _register_payload() -> dict:
+    """RFC 7591 DCR 响应（CLI login 首次调用时拿 client_id）。"""
     return {
-        "access_token": "fake-access-token",
-        "token_type": "Bearer",
-        "expires_in": 3600,
-        "scope": "profile api_key",
-        "user": {
-            "user_id": "12345",
-            "nickname": "Foo",
-            "email": "foo@bar.com",
-            "subscription_tier": "plus",
-        },
-        "entitlements": ["official_skills"],
+        "client_id": "dyn_cli_test_123",
+        "client_id_issued_at": 0,
+        "client_name": "Reportify CLI",
+        "redirect_uris": [],
+        "grant_types": ["urn:ietf:params:oauth:grant-type:device_code", "refresh_token"],
+        "response_types": [],
+        "token_endpoint_auth_method": "none",
+        "scope": "api",
     }
 
 
-def _api_key_payload() -> dict:
+def _token_payload() -> dict:
+    """oauth_server /v1/oauth/token (grant_type=device_code) 的响应。
+
+    JWT 格式不重要（CLI 不解码），随便给个 header.payload.signature。
+    """
     return {
-        "id": 99,
-        "key": "raw-api-key-12345",
-        "name": "Reportify CLI",
-        "client_id": "reportify-cli",
-        "source": "cli",
-        "created_at": 0,
+        "access_token": "header.payload.signature",
+        "token_type": "Bearer",
+        "expires_in": 3600,
+        "refresh_token": "refresh-token-abc",
+        "scope": "api",
     }
 
 
@@ -122,14 +123,25 @@ class TestStatus:
         assert result.exit_code == 1
         assert "Not logged in" in result.stdout
 
-    def test_logged_in_exits_zero(self, tmp_config):
+    def test_logged_in_with_legacy_api_key(self, tmp_config):
+        save_credential(AuthCredential(api_key="x"))
+        result = runner.invoke(app, ["status"])
+        assert result.exit_code == 0
+        assert "legacy API Key" in result.stdout
+
+    def test_logged_in_with_oauth_token(self, tmp_config):
+        import time as _time
+
         save_credential(
-            AuthCredential(api_key="x", nickname="Foo", subscription_tier="plus")
+            AuthCredential(
+                access_token="header.payload.signature",
+                refresh_token="rt",
+                expires_at=int(_time.time()) + 3600,
+            )
         )
         result = runner.invoke(app, ["status"])
         assert result.exit_code == 0
-        assert "Foo" in result.stdout
-        assert "plus" in result.stdout
+        assert "OAuth" in result.stdout
 
 
 class TestLogout:
@@ -154,46 +166,66 @@ class TestLoginHappyPath:
         self, tmp_config, fast_sleep, patch_client
     ):
         patch_client.post.side_effect = [
-            _ok(_device_code_payload()),       # /device/code
-            _ok(_token_payload()),             # /device/token (approved)
-            _ok(_api_key_payload()),           # /api-keys/ensure
+            _ok(_register_payload()),          # /v1/oauth/register (DCR)
+            _ok(_device_code_payload()),       # /v1/oauth/device/code
+            _ok(_token_payload()),             # /v1/oauth/token (approved)
         ]
 
         result = runner.invoke(app, ["login", "--no-browser"])
         assert result.exit_code == 0, result.stdout
         assert "WDJB-MJHT" in result.stdout
-        assert "Logged in as Foo" in result.stdout
+        assert "Logged in successfully" in result.stdout
 
         cred = load_credential()
         assert cred is not None
-        assert cred.api_key == "raw-api-key-12345"
-        assert cred.user_id == "12345"
-        assert cred.nickname == "Foo"
-        assert cred.email == "foo@bar.com"
-        assert cred.subscription_tier == "plus"
+        assert cred.client_id == "dyn_cli_test_123"
+        assert cred.access_token == "header.payload.signature"
+        assert cred.refresh_token == "refresh-token-abc"
+        assert cred.expires_at is not None and cred.expires_at > 0
+
+    def test_reuses_existing_client_id_skipping_dcr(
+        self, tmp_config, fast_sleep, patch_client
+    ):
+        """有本地 client_id 时不应重复 DCR，直接进 device flow。"""
+        # 模拟用户之前登录过(有 client_id + 旧 token)
+        save_credential(
+            AuthCredential(
+                client_id="cached_client",
+                access_token="old.access.token",
+                refresh_token="old-refresh",
+                expires_at=0,  # 过期
+            )
+        )
+        patch_client.post.side_effect = [
+            _ok(_device_code_payload()),       # 直接 device flow, 跳过 DCR
+            _ok(_token_payload()),
+        ]
+        result = runner.invoke(app, ["login", "--no-browser"])
+        assert result.exit_code == 0, result.stdout
+        assert load_credential().client_id == "cached_client"
 
     def test_authorization_pending_then_approved(
         self, tmp_config, fast_sleep, patch_client
     ):
         patch_client.post.side_effect = [
+            _ok(_register_payload()),
             _ok(_device_code_payload()),
             _oauth_err("authorization_pending"),
             _oauth_err("authorization_pending"),
             _ok(_token_payload()),
-            _ok(_api_key_payload()),
         ]
         result = runner.invoke(app, ["login", "--no-browser"])
         assert result.exit_code == 0, result.stdout
-        assert load_credential().api_key == "raw-api-key-12345"
+        assert load_credential().access_token == "header.payload.signature"
 
     def test_slow_down_increments_interval_but_succeeds(
         self, tmp_config, fast_sleep, patch_client
     ):
         patch_client.post.side_effect = [
+            _ok(_register_payload()),
             _ok(_device_code_payload()),
             _oauth_err("slow_down"),
             _ok(_token_payload()),
-            _ok(_api_key_payload()),
         ]
         result = runner.invoke(app, ["login", "--no-browser"])
         assert result.exit_code == 0, result.stdout
@@ -205,6 +237,7 @@ class TestLoginHappyPath:
 class TestLoginFailurePaths:
     def test_access_denied_aborts(self, tmp_config, fast_sleep, patch_client):
         patch_client.post.side_effect = [
+            _ok(_register_payload()),
             _ok(_device_code_payload()),
             _oauth_err("access_denied"),
         ]
@@ -215,6 +248,7 @@ class TestLoginFailurePaths:
 
     def test_expired_token_aborts(self, tmp_config, fast_sleep, patch_client):
         patch_client.post.side_effect = [
+            _ok(_register_payload()),
             _ok(_device_code_payload()),
             _oauth_err("expired_token"),
         ]
@@ -222,34 +256,45 @@ class TestLoginFailurePaths:
         assert result.exit_code == 1
         assert "expired" in _all_output(result)
 
+    def test_register_failure_aborts(self, tmp_config, patch_client):
+        """DCR 失败时直接 abort, 不进入 device flow。"""
+        patch_client.post.side_effect = [
+            _oauth_err("invalid_redirect_uri", "bad uri"),
+        ]
+        result = runner.invoke(app, ["login", "--no-browser"])
+        assert result.exit_code == 1
+        assert "register" in _all_output(result).lower()
+
     def test_device_code_endpoint_failure(self, tmp_config, patch_client):
         patch_client.post.side_effect = [
+            _ok(_register_payload()),
             _oauth_err("invalid_client", "unknown client_id"),
         ]
         result = runner.invoke(app, ["login", "--no-browser"])
         assert result.exit_code == 1
         assert "invalid_client" in _all_output(result)
 
-    def test_api_key_ensure_failure(
+    def test_invalid_grant_treated_as_expired(
         self, tmp_config, fast_sleep, patch_client
     ):
+        """新 flow: invalid_grant 视同 expired_token，提示用户重跑 login。"""
         patch_client.post.side_effect = [
+            _ok(_register_payload()),
             _ok(_device_code_payload()),
-            _ok(_token_payload()),
-            httpx.Response(status_code=500, json={"detail": "server error"}),
+            _oauth_err("invalid_grant", "device_code already used"),
         ]
         result = runner.invoke(app, ["login", "--no-browser"])
         assert result.exit_code == 1
-        assert "api key" in _all_output(result).lower()
-        assert load_credential() is None
+        assert "expired" in _all_output(result).lower()
 
     def test_unknown_oauth_error_aborts(
         self, tmp_config, fast_sleep, patch_client
     ):
         patch_client.post.side_effect = [
+            _ok(_register_payload()),
             _ok(_device_code_payload()),
-            _oauth_err("invalid_grant", "device_code already used"),
+            _oauth_err("invalid_target", "resource is not allowed"),
         ]
         result = runner.invoke(app, ["login", "--no-browser"])
         assert result.exit_code == 1
-        assert "invalid_grant" in _all_output(result)
+        assert "invalid_target" in _all_output(result)

{reportify_cli-0.1.47 → reportify_cli-0.1.49}/uv.lock

@@ -426,7 +426,7 @@ wheels = [
 
 [[package]]
 name = "reportify-cli"
-version = "0.1.44"
+version = "0.1.46"
 source = { editable = "." }
 dependencies = [
     { name = "pandas" },
@@ -445,7 +445,7 @@ dev = [
 requires-dist = [
     { name = "pandas", specifier = ">=2.0.0" },
     { name = "python-dotenv", specifier = ">=1.2.1" },
-    { name = "reportify-sdk", specifier = ">=0.3.46" },
+    { name = "reportify-sdk", specifier = ">=0.3.49" },
     { name = "tabulate", specifier = ">=0.9.0" },
     { name = "typer", specifier = ">=0.21.1" },
 ]

reportify_cli-0.1.47/src/settings.py

@@ -1,55 +0,0 @@
-"""Settings and configuration for Reportify API CLI."""
-
-import os
-import sys
-
-# Try to load .env file if python-dotenv is available
-try:
-    from dotenv import load_dotenv
-
-    load_dotenv()
-except ImportError:
-    # python-dotenv not installed, skip loading .env file
-    pass
-
-from src.auth_config import load_credential
-
-# Default API base URL. SDK 默认也是这个；CLI 自己的 auth 命令也走它。
-DEFAULT_API_BASE_URL = "https://api.reportify.cn"
-
-
-def get_api_base_url() -> str:
-    """API 基础 URL。优先级: REPORTIFY_BASE_URL > 默认值。
-
-    与 reportify-sdk 的 Reportify 客户端保持一致，便于 dev / staging 切换。
-    """
-    return os.getenv("REPORTIFY_BASE_URL") or DEFAULT_API_BASE_URL
-
-
-def get_api_key() -> str:
-    """Get API key, in priority order:
-
-    1. ``REPORTIFY_API_KEY`` environment variable
-    2. ``~/.reportify/config`` [default] profile (written by ``reportify-cli auth login``)
-
-    Raises:
-        SystemExit: If neither source has a key.
-    """
-    api_key = os.getenv("REPORTIFY_API_KEY")
-    if api_key:
-        return api_key
-
-    cred = load_credential()
-    if cred and cred.api_key:
-        return cred.api_key
-
-    print("Error: no Reportify API key found.", file=sys.stderr)
-    print(
-        "  - Run `reportify-cli auth login` to authenticate, or",
-        file=sys.stderr,
-    )
-    print(
-        "  - Set the REPORTIFY_API_KEY environment variable manually.",
-        file=sys.stderr,
-    )
-    sys.exit(1)