fix(auth): trim whitespace from auth tokens

Fixes bounty issue #1630

Auth tokens are now trimmed of leading/trailing whitespace in:
- CORTEX_AUTH_TOKEN environment variable reading in cortex-engine
- API key storage via SecureAuthData::with_api_key() in cortex-login
- OAuth token storage via SecureAuthData::with_oauth() in cortex-login
- login_with_api_key() function in cortex-login

This prevents authentication failures when tokens accidentally include
extra whitespace (common when copying/pasting from web interfaces or
when environment variables are set with trailing newlines).

Author: factorydroid

cortex-engine/src/auth_token.rs

@@ -50,12 +50,13 @@ pub fn get_auth_token(instance_token: Option<&str>) -> Result<String> {
 
     // Priority 2: CORTEX_AUTH_TOKEN environment variable
     if let Ok(token) = std::env::var("CORTEX_AUTH_TOKEN") {
+        let token = token.trim();
         if !token.is_empty() {
             tracing::debug!(
                 source = "env_var",
                 "Using auth token from CORTEX_AUTH_TOKEN"
             );
-            return Ok(token);
+            return Ok(token.to_string());
         }
     }
 
@@ -90,7 +91,7 @@ pub fn is_authenticated(instance_token: Option<&str>) -> bool {
     }
 
     // Check env var
-    if std::env::var("CORTEX_AUTH_TOKEN").map_or(false, |t| !t.is_empty()) {
+    if std::env::var("CORTEX_AUTH_TOKEN").map_or(false, |t| !t.trim().is_empty()) {
         return true;
     }
 
@@ -135,4 +136,33 @@ mod tests {
         let header = auth_header(Some("my-token"));
         assert_eq!(header, Some("Bearer my-token".to_string()));
     }
+
+    #[test]
+    fn test_env_var_whitespace_trimmed() {
+        // Set env var with whitespace
+        std::env::set_var("CORTEX_AUTH_TOKEN", "  test-token  ");
+
+        // Call get_auth_token with no instance token
+        let result = get_auth_token(None);
+        assert!(result.is_ok());
+        assert_eq!(result.unwrap(), "test-token");
+
+        // Clean up
+        std::env::remove_var("CORTEX_AUTH_TOKEN");
+    }
+
+    #[test]
+    fn test_env_var_only_whitespace_is_empty() {
+        // Set env var with only whitespace
+        std::env::set_var("CORTEX_AUTH_TOKEN", "   ");
+
+        // Call is_authenticated - should return false since trimmed is empty
+        let is_auth = is_authenticated(None);
+
+        // Clean up before assertion
+        std::env::remove_var("CORTEX_AUTH_TOKEN");
+
+        // The env var with only whitespace should be treated as empty
+        assert!(!is_auth);
+    }
 }

cortex-login/src/lib.rs

@@ -112,10 +112,11 @@ pub struct SecureAuthData {
 
 impl SecureAuthData {
     /// Create new secure auth data with API key.
+    /// Whitespace is automatically trimmed from the API key.
     pub fn with_api_key(api_key: String) -> Self {
         Self {
             mode: AuthMode::ApiKey,
-            api_key: Some(SecretString::from(api_key)),
+            api_key: Some(SecretString::from(api_key.trim().to_string())),
             access_token: None,
             refresh_token: None,
             expires_at: None,
@@ -124,6 +125,7 @@ impl SecureAuthData {
     }
 
     /// Create new secure auth data with OAuth tokens.
+    /// Whitespace is automatically trimmed from tokens.
     pub fn with_oauth(
         access_token: String,
         refresh_token: Option<String>,
@@ -132,8 +134,8 @@ impl SecureAuthData {
         Self {
             mode: AuthMode::OAuth,
             api_key: None,
-            access_token: Some(SecretString::from(access_token)),
-            refresh_token: refresh_token.map(SecretString::from),
+            access_token: Some(SecretString::from(access_token.trim().to_string())),
+            refresh_token: refresh_token.map(|t| SecretString::from(t.trim().to_string())),
             expires_at,
             account_id: None,
         }
@@ -269,12 +271,13 @@ pub fn delete_auth(cortex_home: &Path, mode: CredentialsStoreMode) -> Result<boo
 }
 
 /// Login with API key (stores securely).
+/// Whitespace is automatically trimmed from the API key.
 pub fn login_with_api_key(
     cortex_home: &Path,
     api_key: &str,
     mode: CredentialsStoreMode,
 ) -> Result<()> {
-    let data = SecureAuthData::with_api_key(api_key.to_string());
+    let data = SecureAuthData::with_api_key(api_key.trim().to_string());
     save_auth(cortex_home, &data, mode)?;
     Ok(())
 }
@@ -768,6 +771,21 @@ mod tests {
         assert_eq!(data.get_token(), Some("test-key"));
     }
 
+    #[test]
+    fn test_secure_auth_data_api_key_trims_whitespace() {
+        // Test leading and trailing whitespace
+        let data = SecureAuthData::with_api_key("  test-key  ".to_string());
+        assert_eq!(data.get_token(), Some("test-key"));
+
+        // Test with newlines (common when pasting from clipboard)
+        let data = SecureAuthData::with_api_key("test-key\n".to_string());
+        assert_eq!(data.get_token(), Some("test-key"));
+
+        // Test with tabs
+        let data = SecureAuthData::with_api_key("\ttest-key\t".to_string());
+        assert_eq!(data.get_token(), Some("test-key"));
+    }
+
     #[test]
     fn test_secure_auth_data_oauth() {
         let data =
@@ -777,6 +795,18 @@ mod tests {
         assert_eq!(data.get_refresh_token(), Some("refresh"));
     }
 
+    #[test]
+    fn test_secure_auth_data_oauth_trims_whitespace() {
+        // Test leading and trailing whitespace on OAuth tokens
+        let data = SecureAuthData::with_oauth(
+            "  access  ".to_string(),
+            Some("  refresh  ".to_string()),
+            None,
+        );
+        assert_eq!(data.get_token(), Some("access"));
+        assert_eq!(data.get_refresh_token(), Some("refresh"));
+    }
+
     #[test]
     fn test_auth_data_metadata() {
         let data = SecureAuthData::with_api_key("test".to_string());