feat: add Personal Access Token (PAT) support#80
Merged
Conversation
Add a non-interactive authentication path using PATs as a Bearer-token alternative to the existing PKCE OAuth flow. - New command group: add, list, remove - Registry file at ~/.config/gddy/pat.toml with restrictive permissions - Env-var sourcing: GDDY_PAT_<ENV> > GDDY_PAT > stored PAT > OAuth - GoDaddyAuthProvider prefers PAT over PKCE when available - PAT format validation and user guide Co-Authored-By: Claude <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR adds Personal Access Token (PAT) authentication to the GoDaddy CLI as a non-interactive alternative to the existing browser-based OAuth PKCE flow, including a new gddy pat command group and runtime PAT resolution in the auth provider.
Changes:
- Introduces
gddy pat add|list|removecommands, a TOML-backed PAT registry, and PAT format validation. - Updates
GoDaddyAuthProviderto prefer PAT credentials (env var or registry) before falling back to PKCE OAuth. - Adds an authentication guide documenting PAT creation, storage, and credential precedence.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| rust/src/pat/mod.rs | Implements PAT registry, validation, and the gddy pat command group. |
| rust/src/pat/guides/auth.md | Adds end-user documentation for PAT-based authentication and precedence rules. |
| rust/src/auth.rs | Prefers PAT credentials during auth resolution and deletes stored PATs on logout. |
| rust/src/main.rs | Registers the new pat module and updates the top-level CLI help text. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Move OAuth debug-log doc comment back above
- Update doc comment to match behaviour
- Warn on PAT registry load errors instead of silently swallowing them
- Fix -> {
"data": {
"description": "GoDaddy developer CLI",
"version": "0.1.0"
},
"next_actions": [
{
"command": "auth status",
"description": "Check authentication status"
},
{
"command": "env get",
"description": "Get the current active environment"
},
{
"command": "application list",
"description": "List all applications"
},
{
"command": "tree",
"description": "Display the full command tree"
}
]
} typo in PAT auth guide
Co-Authored-By: Claude <noreply@anthropic.com>
- resolve_pat now validates tokens from the registry, not just env vars. - Refactor resolve_pat into testable resolve_pat_with helper. - Add unit tests covering env-var precedence and malformed-token fallback. Co-Authored-By: Claude <noreply@anthropic.com>
resolve_pat now consults GDDY_PAT* env vars before reading the registry, so the registry-load warning accurately reflects that env vars have already been ruled out and the CLI is falling back to OAuth. Co-Authored-By: Claude <noreply@anthropic.com>
Adds explicit coverage that `redact` and `PatEntry` Debug formatting use character boundaries and do not panic on multi-byte tokens. Co-Authored-By: Claude <noreply@anthropic.com>
…orm-specific docs Switches `registry_path` to use `dirs::config_dir()` and `gddy/pat.toml`, matching `contacts.toml`, `quotes.json`, and `environments.toml`. Updates the module docs and the `gddy guide auth` page to describe the location as platform-specific rather than hard-coding `~/.config/gddy/pat.toml`. Co-Authored-By: Claude <noreply@anthropic.com>
…ments - `gddy pat remove --env` now validates the environment the same way `pat add` does, producing a clear error for typos instead of silent "not found". - Added `pat::registry_envs()` and updated `GoDaddyAuthProvider::list_environments` to include environments that only have a stored PAT, so PAT-only envs are visible in `auth status` and similar credential-enumeration flows. Co-Authored-By: Claude <noreply@anthropic.com>
- `GoDaddyAuthProvider::list_environments` now warns and continues if the PAT registry cannot be loaded, keeping credential enumeration best-effort. - `is_valid_pat` uses the new `PAT_PREFIX_BODY` constant instead of the hard-coded string literal `gd_pat`. Co-Authored-By: Claude <noreply@anthropic.com>
The `gddy pat add --token` path was not trimming whitespace/newlines, so tokens copied with trailing whitespace were rejected as malformed. Stdin input was already trimmed; this makes both input paths consistent. Co-Authored-By: Claude <noreply@anthropic.com>
`gddy pat add` without --token now tells the user to pass --token or pipe the PAT when stdin is empty/EOF or whitespace-only, instead of the generic "does not look like a GoDaddy PAT" validation message. Co-Authored-By: Claude <noreply@anthropic.com>
axburgess-godaddy
approved these changes
Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add a non-interactive authentication path for the GoDaddy CLI using Personal Access Tokens (PATs) as a Bearer-token alternative to the browser-based PKCE OAuth flow.
What changed
gddy patcommand group:gddy pat add --env <ENV> [--token <TOKEN>] <NAME>— store a PAT (reads from stdin by default)gddy pat list— show stored PATs (last-four only)gddy pat remove --env <ENV>— delete a stored PAT~/.config/gddy/pat.tomlwith owner-only (0600) permissions viacli-engine::fs::write_string_atomic.GDDY_PAT_<ENV>→GDDY_PAT→ stored PAT → PKCE OAuth.GoDaddyAuthProvidernow prefers PAT over PKCE OAuth when available.gd_pat_<base62>_<8-hex-crc>) and a user guide (gddy guide auth).Review-driven fixes
gddy pat add --tokenvalues are trimmed before validation, matching stdin input.gddy pat addwithout--tokensurfaces an actionable error when stdin is empty/EOF or whitespace-only.Verification
cargo check,cargo clippy -- -D warnings,cargo test, andcargo fmt --checkall pass.pat add,pat list,pat remove, andauth status --env prodwith both stored and env-var PATs.Files changed
rust/src/pat/mod.rsrust/src/pat/guides/auth.mdrust/src/auth.rsrust/src/main.rs