From ff74f1443d996b371aa99b9eb95f9c0a6c9bfe42 Mon Sep 17 00:00:00 2001
From: EfeDurmaz16
Date: Thu, 14 May 2026 23:52:33 +0300
Subject: [PATCH] fix(auth): prefer api-key flag over env var

---
 pkg/cmd/whoami.go | 5 ++++-
 pkg/cmd/whoami_test.go | 23 +++++++++++++++++++++++
 pkg/config/profile.go | 14 +++++++-------
 pkg/config/profile_test.go | 22 ++++++++++++++++++++++
 4 files changed, 56 insertions(+), 8 deletions(-)

diff --git a/pkg/cmd/whoami.go b/pkg/cmd/whoami.go
index c17fa5cdb..07fd82fd8 100644
--- a/pkg/cmd/whoami.go
+++ b/pkg/cmd/whoami.go
@@ -184,10 +184,13 @@ func resolveKeyInfo(profile *config.Profile, livemode bool) whoamiKeyInfo {
 // command, if any. These are the sources that GetAPIKey checks before the
 // persisted config/keyring, and which are mode-agnostic in that function.
 func overrideAPIKey(profile *config.Profile) string {
+ if profile.APIKey != "" {
+ return profile.APIKey
+ }
 if key := os.Getenv("STRIPE_API_KEY"); key != "" {
 return key
 }
- return profile.APIKey
+ return ""
 }
 
 // apiKeyIsLivemode reports whether a key's prefix indicates live mode.
diff --git a/pkg/cmd/whoami_test.go b/pkg/cmd/whoami_test.go
index 24971b803..15cccea9d 100644
--- a/pkg/cmd/whoami_test.go
+++ b/pkg/cmd/whoami_test.go
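Review bot: In pkg/cmd/whoami.go, `overrideAPIKey` now repeats the flag-then-environment order that `Profile.GetAPIKey` implements, and only the comment above it keeps the two in step; as this commit shows, a change of order has to be made in both places. The copy here also returns the key without the `validators.APIKey` check that `GetAPIKey` applies, so `whoami` may report a key the rest of the CLI would reject (how `resolveKeyInfo` uses the value is outside the hunk, so this is inferred). At minimum I would state the order in the doc comment, e.g. `// Precedence matches Profile.GetAPIKey: --api-key flag first, then STRIPE_API_KEY.`; a shared helper in `pkg/config` would remove the duplication. The start of the doc comment lies outside the hunk.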
@@ -130,6 +130,29 @@ func TestWhoamiWithEnvVarKey(t *testing.T) {
 assert.False(t, result.LiveModeKey.Available)
 }
 
+func TestWhoamiFlagKeyTakesPrecedenceOverEnvVar(t *testing.T) {
+ config.KeyRing = keyring.NewArrayKeyring([]keyring.Item{})
+ t.Setenv("STRIPE_API_KEY", "sk_test_envvar1234567890")
+
+ wc := newWhoamiCmd()
+ wc.profile = &config.Profile{
+ ProfileName: "default",
+ DeviceName: "test-device",
+ APIKey: "rk_live_flag1234567890",
+ }
+ wc.format = "json"
+
+ out, err := runWhoami(t, wc)
+ require.NoError(t, err)
+
+ var result whoamiOutput
+ require.NoError(t, json.Unmarshal([]byte(out), &result))
+
+ assert.True(t, result.Authenticated)
+ assert.False(t, result.TestModeKey.Available)
+ assert.True(t, result.LiveModeKey.Available)
+}
+
 func TestAPIKeyIsLivemode(t *testing.T) {
 assert.False(t, apiKeyIsLivemode("sk_test_abc123"))
 assert.True(t, apiKeyIsLivemode("sk_live_abc123"))
diff --git a/pkg/config/profile.go b/pkg/config/profile.go
index 42b4d3854..4199c244b 100644
--- a/pkg/config/profile.go
+++ b/pkg/config/profile.go
@@ -219,23 +219,23 @@ func (p *Profile) GetAccountID() (string, error) {
 
 // GetAPIKey will return the existing key for the given profile
 func (p *Profile) GetAPIKey(livemode bool) (string, error) {
- envKey := os.Getenv("STRIPE_API_KEY")
- if envKey != "" {
- err := validators.APIKey(envKey)
+ if p.APIKey != "" {
+ err := validators.APIKey(p.APIKey)
 if err != nil {
 return "", err
 }
 
- return envKey, nil
+ return p.APIKey, nil
 }
 
- if p.APIKey != "" {
- err := validators.APIKey(p.APIKey)
+ envKey := os.Getenv("STRIPE_API_KEY")
+ if envKey != "" {
+ err := validators.APIKey(envKey)
 if err != nil {
 return "", err
 }
 
- return p.APIKey, nil
+ return envKey, nil
 }
 
 var key string
diff --git a/pkg/config/profile_test.go b/pkg/config/profile_test.go
index 61d3ab32c..64ee95077 100644
--- a/pkg/config/profile_test.go
+++ b/pkg/config/profile_test.go
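Review bot: In pkg/cmd/whoami_test.go, `TestWhoamiFlagKeyTakesPrecedenceOverEnvVar` overwrites the package-level `config.KeyRing` and never restores it, so the in-memory keyring stays in place for whichever test runs next. Saving and restoring the previous value keeps the test self-contained: `prev := config.KeyRing` followed by `t.Cleanup(func() { config.KeyRing = prev })`. Neighbouring tests may follow the same pattern; they are not visible in this hunk.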
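Review bot: In pkg/config/profile.go, the doc comment on `GetAPIKey` still reads only "will return the existing key for the given profile", although the lookup order is what callers and scripts depend on and is exactly what this hunk changes. Neither of the first two branches consults `livemode`, so after the reorder `GetAPIKey(false)` returns a live-mode key passed by flag even when `STRIPE_API_KEY` holds a test key; the new test in profile_test.go pins that. I would record both facts in the comment: `// GetAPIKey returns the key from the --api-key flag (p.APIKey), else STRIPE_API_KEY, else the persisted config/keyring entry.` and `// The flag and the environment variable are returned regardless of livemode.` The function body continues past the end of the hunk.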
@@ -283,6 +283,28 @@ func TestLiveModeAPIKeyKeychainItemReplaced(t *testing.T) {
 cleanUp(c.ProfilesFile)
 }
 
+func TestGetAPIKeyFlagTakesPrecedenceOverEnvVar(t *testing.T) {
+ t.Setenv("STRIPE_API_KEY", "sk_test_envvar1234567890")
+
+ p := Profile{
+ APIKey: "rk_live_flag1234567890",
+ }
+
+ key, err := p.GetAPIKey(false)
+ require.NoError(t, err)
+ require.Equal(t, "rk_live_flag1234567890", key)
+}
+
+func TestGetAPIKeyFallsBackToEnvVar(t *testing.T) {
+ t.Setenv("STRIPE_API_KEY", "sk_test_envvar1234567890")
+
+ p := Profile{}
+
+ key, err := p.GetAPIKey(false)
+ require.NoError(t, err)
+ require.Equal(t, "sk_test_envvar1234567890", key)
+}
+
 func helperLoadBytes(t *testing.T, name string) []byte {
 bytes, err := os.ReadFile(name)
 if err != nil {
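Review bot: Neither new test in pkg/config/profile_test.go covers an `--api-key` value that fails `validators.APIKey` while `STRIPE_API_KEY` is set. With the new order `GetAPIKey` returns the validation error in that case rather than falling through to the environment key, and that fail-closed behaviour is worth pinning so a later refactor cannot turn it into a silent switch of credentials. A test along the lines below would do it; the flag value is constructed and assumed to be rejected by `validators.APIKey`, whose rules are not visible here.

```go
func TestGetAPIKeyInvalidFlagDoesNotFallBackToEnvVar(t *testing.T) {
	t.Setenv("STRIPE_API_KEY", "sk_test_envvar1234567890")

	p := Profile{
		APIKey: "not-a-key", // constructed value, assumed to fail validators.APIKey
	}

	key, err := p.GetAPIKey(false)
	require.Error(t, err)
	require.Empty(t, key)
}
```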