Handle grant scope mismatches in login
Detect the Gitea different scope authorize failure as a dedicated auth error, show the revoke URL and client ID, and retry login once after manual grant revocation without forcing a second full authentication. Expand the requested scope set to include read:organization, add the revoke-grant helper path and setup auto-yes flag in the scaffold, document the recovery flow, and cover revoke prompting and retry behavior in forge_auth tests.
@@ -217,6 +217,7 @@ with a browser to populate a valid refresh token before running
|
||||
| Git prompts for a password on pull/push | Refresh token expired. Run `just relogin`. |
|
||||
| `just status` shows `live: False` | Run `just refresh`; also happens automatically on the next git op. |
|
||||
| `just clone-orchestrator` prints `already cloned` | Intended; idempotent. |
|
||||
| `just login` exits with `Gitea server_error: "a grant exists with different scope"` | Run `just revoke-grant` (opens `<FORGE_GITEA_URL>/user/settings/applications` and prints the matching `FSDGG_CLI_CLIENT_ID`). Revoke the matching app, then re-run `just login`. Required only once after a scope-set change. Full reference: `docs/oauth-grant-scope-mismatch.md`. |
|
||||
| Reset local state | `just uninstall`. |
|
||||
|
||||
## Security properties
|
||||
|
||||
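Review bot: The troubleshooting row for `a grant exists with different scope` tells the user to run `just revoke-grant` and then re-run `just login`, but the commit message says login now shows the revoke URL and client ID itself and retries once after manual revocation. The row should say which path applies (the in-flow prompt or the separate `just revoke-grant` step) so readers do not do both. It would also help to name the scope change that triggers the mismatch (the commit message adds read:organization to the requested set), and to tell the user to compare the listed application's client ID with the printed `FSDGG_CLI_CLIENT_ID` before revoking, so that an unrelated application's grant is not revoked by mistake.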