hashicorp · lursu · Apr 18, 2023 · Apr 6, 2023 · Apr 6, 2023 · Apr 12, 2023
@@ -0,0 +1,3 @@
+```release-note:improvement
+Added option to NewHCPConfig to fail rather than auto login with web browser
+```
@@ -14,7 +14,8 @@ import (
 
 // UserSession implements the auth package's Session interface
 type UserSession struct {
-	browser Browser
+	browser        Browser
+	NoBrowserLogin bool
 }
 
 // GetToken returns an access token obtained from either an existing session or new browser login.
@@ -32,7 +33,6 @@ func (s *UserSession) GetToken(ctx context.Context, conf *oauth2.Config) (*oauth
 	// Check the session expiry of the retrieved token.
 	// If session expiry has passed, then reauthenticate with browser login and reassign token.
 	if readErr != nil || cache.SessionExpiry.Before(time.Now()) {
-
 		// Login with browser.
 		log.Print("No credentials found, proceeding with browser login.")
 

@@ -14,6 +14,10 @@ import (
 	"golang.org/x/oauth2/clientcredentials"
 )
 
+const (
+	NoOathClient = "N/A"
+)
+
 // HCPConfig provides configuration values that are useful to interact with HCP.
 type HCPConfig interface {
 

@@ -5,6 +5,7 @@ package config
 
 import (
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -17,6 +18,11 @@ import (
 	"golang.org/x/oauth2/clientcredentials"
 )
 
+var (
+	// ErrorNoValidAuthFound is returned if no local auth methods were found and the invoker created the config with the option WithoutBrowserLogin
+	ErrorNoValidAuthFound = errors.New("there were no valid auth methods found")
+)
+
 const (
 	// defaultAuthURL is the URL of the production auth endpoint.
 	defaultAuthURL = "https://auth.idp.hashicorp.com"
@@ -115,7 +121,7 @@ func NewHCPConfig(opts ...HCPConfigOption) (HCPConfig, error) {
 		// Create token source from the client credentials configuration.
 		config.tokenSource = config.clientCredentialsConfig.TokenSource(tokenContext)
 
-	} else { // Set access token via browser login or use token from existing session.
+	} else if config.oauth2Config.ClientID != NoOathClient { // Set access token via browser login or use token from existing session.
 
 		tok, err := config.session.GetToken(tokenContext, &config.oauth2Config)
 		if err != nil {
@@ -124,6 +130,9 @@ func NewHCPConfig(opts ...HCPConfigOption) (HCPConfig, error) {
 
 		// Update HCPConfig with most current token values.
 		config.tokenSource = config.oauth2Config.TokenSource(tokenContext, tok)
+	} else {
+		// if the WithoutBrowserLogin option is passed in and there is no valid login already present return typed error
+		return nil, ErrorNoValidAuthFound
 	}
 
 	if err := config.validate(); err != nil {

@@ -137,3 +137,12 @@ func WithProfile(p *profile.UserProfile) HCPConfigOption {
 		return nil
 	}
 }
+
+// WithoutBrowserLogin disables the automatic opening of the browser login if no valid auth method is found
+// instead force the return of a typed error for users to catch
+func WithoutBrowserLogin() HCPConfigOption {
+	return func(config *hcpConfig) error {
+		config.oauth2Config.ClientID = NoOathClient
+		return nil
+	}
+}
@@ -123,3 +123,14 @@ func TestWith_Profile(t *testing.T) {
 	require.Equal("project-id-1234", config.Profile().ProjectID)
 
 }
+
+func TestWithout_BrowserLogin(t *testing.T) {
+	require := requirepkg.New(t)
+
+	// Exercise
+	config := &hcpConfig{}
+	require.NoError(apply(config, WithoutBrowserLogin()))
+
+	// Ensure  browser login is disabled
+	require.Equal(NoOathClient, config.oauth2Config.ClientID)
+}