Skip to content

feat(cli): device-code flow is now the default for ctx7 login#2720

Merged
fahreddinozcan merged 1 commit into
masterfrom
ctx7-1684-device-flow-default
Jun 4, 2026
Merged

feat(cli): device-code flow is now the default for ctx7 login#2720
fahreddinozcan merged 1 commit into
masterfrom
ctx7-1684-device-flow-default

Conversation

@fahreddinozcan

@fahreddinozcan fahreddinozcan commented Jun 4, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

After shipping 0.5.0 we realized the auto-detection heuristic (`SSH_CONNECTION` / `$DISPLAY`) was the wrong call — local users on macOS / Linux still saw the broken localhost-callback flow because the heuristic didn't fire for them. The right answer is to make device flow the only flow.

  • `performLogin` directly drives the device-code flow. No more `performDeviceLogin` / `performLogin` split.
  • Dropped the `--device` flag (it was the opt-in for what's now the default).
  • Removed the dead localhost-callback machinery from `utils/auth.ts`: `generatePKCE`, `generateState`, `createCallbackServer`, `exchangeCodeForTokens`, `buildAuthorizationUrl`, `shouldUseDeviceFlow`, and the success/error HTML pages. ~680 lines deleted.
  • Old CLIs (≤ 0.5.0) keep working — the backend's `/api/oauth/authorize`, `/api/oauth/token`, and refresh-token endpoints are untouched.

Changeset is `patch` — no API surface change for users, just a UX flip.

Test plan

  • `npx tsc --noEmit` clean
  • `npx vitest run` — 211/211 pass (the legacy-flow tests removed along with the code they covered)
  • `npx eslint` clean
  • `npm run build` clean
  • Smoke test: built binary against `https://context7.com/api/oauth/device/code\` — boxed prompt renders, polling starts, exact response shape received
  • Post-merge: `npx ctx7@next login` on a local Mac shows the boxed device prompt (was showing legacy callback in 0.5.0)

@linear-code

linear-code Bot commented Jun 4, 2026

Copy link
Copy Markdown

CTX7-1684

@fahreddinozcan
feat(cli): device-code flow is now the default for ctx7 login
e7f08d6 
The localhost-callback path is gone. Every install — laptop, SSH,
Codespace, Docker, CI — goes through the same boxed prompt and
verification page. Three reasons to make this the default:

- The localhost flow was broken anywhere the browser couldn't reach
  127.0.0.1:52417 (SSH, Docker, Codespaces). Auto-detection via
  SSH_CONNECTION / $DISPLAY was a half-fix that depended on env
  vars users don't always set.
- Device flow works everywhere, has no random port-binding behavior,
  and still ends in the same long-lived ctx7sk- API key.
- One UX path is simpler to support than two.

Drops the --device flag (it was the opt-in for what's now the
default). Older CLI versions (<= 0.5.0) continue to work against the
unchanged auth endpoints, so pinned installs are unaffected.

The legacy localhost machinery in utils/auth.ts is left in place
for now — nothing imports it from commands/auth.ts anymore, and a
follow-up can delete it once we're confident no rollback is needed.
@fahreddinozcan fahreddinozcan force-pushed the ctx7-1684-device-flow-default branch from 35ee90c to e7f08d6 Compare June 4, 2026 12:07
@fahreddinozcan fahreddinozcan merged commit ea91d7d into master Jun 4, 2026
3 checks passed
@fahreddinozcan fahreddinozcan deleted the ctx7-1684-device-flow-default branch June 4, 2026 12:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@enesgules enesgules enesgules approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fahreddinozcan @enesgules