chore(loo-4744): verify api key when running auth status (#14)

notnmeyer · web-flow · commit 36f26821da1c · 2026-03-19T18:44:39.000-07:00
diff --git a/cmd/auth_status.go b/cmd/auth_status.go
@@ -2,7 +2,9 @@ package cmd
 
 import (
 	"fmt"
+	"strings"
 
+	"github.com/loops-so/cli/internal/api"
 	"github.com/loops-so/cli/internal/config"
 	"github.com/spf13/cobra"
 )
@@ -11,23 +13,45 @@ var statusCmd = &cobra.Command{
 	Use:   "status",
 	Short: "Print the resolved configuration",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		cfg, err := runAuthStatus()
+		cfg, keyResp, err := runAuthStatus()
 		if err != nil {
 			return err
 		}
 
+		masked := maskKey(cfg.APIKey)
+
 		if isJSONOutput() {
-			return printJSON(cmd.OutOrStdout(), cfg)
+			return printJSON(cmd.OutOrStdout(), struct {
+				APIKey      string `json:"apiKey"`
+				EndpointURL string `json:"endpointUrl"`
+				TeamName    string `json:"teamName"`
+			}{masked, cfg.EndpointURL, keyResp.TeamName})
 		}
 
-		fmt.Fprintf(cmd.OutOrStdout(), "API Key:  %s\n", cfg.APIKey)
+		fmt.Fprintf(cmd.OutOrStdout(), "API Key:  %s\n", masked)
 		fmt.Fprintf(cmd.OutOrStdout(), "Endpoint: %s\n", cfg.EndpointURL)
+		fmt.Fprintf(cmd.OutOrStdout(), "Team:     %s\n", keyResp.TeamName)
 		return nil
 	},
 }
 
-func runAuthStatus() (*config.Config, error) {
-	return config.Load()
+func runAuthStatus() (*config.Config, *api.APIKeyResponse, error) {
+	cfg, err := config.Load()
+	if err != nil {
+		return nil, nil, err
+	}
+	keyResp, err := api.NewClient(cfg.EndpointURL, cfg.APIKey).GetAPIKey()
+	if err != nil {
+		return nil, nil, fmt.Errorf("API key verification failed: %w", err)
+	}
+	return cfg, keyResp, nil
+}
+
+func maskKey(key string) string {
+	if len(key) <= 4 {
+		return "****"
+	}
+	return fmt.Sprintf("%s%s", strings.Repeat("*", len(key)-4), key[len(key)-4:])
 }
 
 func init() {
diff --git a/cmd/auth_status_test.go b/cmd/auth_status_test.go
@@ -8,9 +8,9 @@ import (
 )
 
 func TestRunAuthStatus(t *testing.T) {
-	t.Run("returns config", func(t *testing.T) {
-		serveJSON(t, http.StatusOK, `{}`)
-		cfg, err := runAuthStatus()
+	t.Run("returns config and team name", func(t *testing.T) {
+		serveJSON(t, http.StatusOK, `{"teamName":"Acme"}`)
+		cfg, keyResp, err := runAuthStatus()
 		if err != nil {
 			t.Fatalf("unexpected error: %v", err)
 		}
@@ -20,11 +20,22 @@ func TestRunAuthStatus(t *testing.T) {
 		if cfg.EndpointURL == "" {
 			t.Error("expected EndpointURL to be set")
 		}
+		if keyResp.TeamName != "Acme" {
+			t.Errorf("got team %q, want %q", keyResp.TeamName, "Acme")
+		}
 	})
 
 	t.Run("returns error when no key set", func(t *testing.T) {
 		keyring.MockInit()
-		_, err := runAuthStatus()
+		_, _, err := runAuthStatus()
+		if err == nil {
+			t.Fatal("expected error, got nil")
+		}
+	})
+
+	t.Run("returns error on api failure", func(t *testing.T) {
+		serveJSON(t, http.StatusUnauthorized, `{"error":"Invalid API key"}`)
+		_, _, err := runAuthStatus()
 		if err == nil {
 			t.Fatal("expected error, got nil")
 		}
