fix(cli): warn when auth validation falls back to API

codecarbon/cli/auth.py

@@ -6,6 +6,7 @@
 """
 
 import json
+import logging
 import os
 import webbrowser
 from http.server import BaseHTTPRequestHandler, HTTPServer
@@ -31,6 +32,7 @@
 _REDIRECT_PORT = 8090
 _REDIRECT_URI = f"http://localhost:{_REDIRECT_PORT}/callback"
 _CREDENTIALS_FILE = Path("./credentials.json")
+logger = logging.getLogger(__name__)
 
 
 # ── OAuth callback server ───────────────────────────────────────────
@@ -112,7 +114,12 @@ def _validate_access_token(access_token: str) -> bool:
         claims = jose_jwt.decode(access_token, keyset)
         claims.validate()
         return True
-    except requests.RequestException:
+    except requests.RequestException as exc:
+        logger.warning(
+            "Skipping local access token validation because the auth server is "
+            "unreachable; the API will validate the token. Error: %s",
+            exc,
+        )
         return True  # Can't reach auth server — let the API handle it
     except Exception:
         return False

tests/cli/test_cli_auth.py

@@ -112,7 +112,10 @@ def test_validate_access_token_valid(
     def test_validate_access_token_network_error_returns_true(
         self, mock_get, mock_discover
     ):
-        self.assertTrue(auth._validate_access_token("token"))
+        with self.assertLogs("codecarbon.cli.auth", level="WARNING") as logs:
+            self.assertTrue(auth._validate_access_token("token"))
+
+        self.assertIn("Skipping local access token validation", logs.output[0])
 
     @patch("codecarbon.cli.auth._discover_endpoints", return_value={"jwks_uri": "jwks"})
     @patch("codecarbon.cli.auth.requests.get")