Refactor Auth

packages/cli/src/commands/mpp/index.tsx

@@ -1,8 +1,8 @@
 import type { ISpendRequestResource } from '@stripe/link-sdk';
-import { storage } from '@stripe/link-sdk';
 import { Cli, z } from 'incur';
 import { render } from 'ink';
 import React from 'react';
+import { requireAuth } from '../../utils/require-auth';
 import { decodeStripeChallenge } from './decode';
 import { DecodeChallengeView } from './decode-view';
 import { MppPay, runMppPay } from './pay';
@@ -22,19 +22,8 @@ export function createMppCli(repository: ISpendRequestResource) {
     options: payOptions,
     alias: { method: 'X', data: 'd', header: 'H' },
     outputPolicy: 'agent-only' as const,
+    middleware: [requireAuth],
     async run(c) {
-      if (!storage.isAuthenticated()) {
-        return c.error({
-          code: 'NOT_AUTHENTICATED',
-          message: 'Not authenticated. Run "link-cli auth login" first.',
-          cta: {
-            commands: [
-              { command: 'auth login', description: 'Log in to Link' },
-            ],
-          },
-        });
-      }
-
       const url = c.args.url;
       const opts = c.options;
       const method = opts.method;

packages/cli/src/commands/payment-methods/index.tsx

@@ -1,8 +1,8 @@
 import type { IPaymentMethodsResource } from '@stripe/link-sdk';
-import { storage } from '@stripe/link-sdk';
 import { Cli } from 'incur';
 import { render } from 'ink';
 import React from 'react';
+import { requireAuth } from '../../utils/require-auth';
 import { AddPaymentMethod, WALLET_URL } from './add';
 import { PaymentMethodsList } from './list';
 
@@ -16,19 +16,8 @@ export function createPaymentMethodsCli(
   cli.command('list', {
     description: 'List all payment methods on your account',
     outputPolicy: 'agent-only' as const,
+    middleware: [requireAuth],
     async run(c) {
-      if (!storage.isAuthenticated()) {
-        return c.error({
-          code: 'NOT_AUTHENTICATED',
-          message: 'Not authenticated. Run "link-cli auth login" first.',
-          cta: {
-            commands: [
-              { command: 'auth login', description: 'Log in to Link' },
-            ],
-          },
-        });
-      }
-
       const resource = createResource();
 
       if (!c.agent && !c.formatExplicit) {
@@ -49,19 +38,8 @@ export function createPaymentMethodsCli(
   cli.command('add', {
     description: 'Open the Link wallet to add a new payment method',
     outputPolicy: 'agent-only' as const,
+    middleware: [requireAuth],
     async run(c) {
-      if (!storage.isAuthenticated()) {
-        return c.error({
-          code: 'NOT_AUTHENTICATED',
-          message: 'Not authenticated. Run "link-cli auth login" first.',
-          cta: {
-            commands: [
-              { command: 'auth login', description: 'Log in to Link' },
-            ],
-          },
-        });
-      }
-
       if (!c.agent && !c.formatExplicit) {
         return new Promise((resolve) => {
           const { waitUntilExit } = render(<AddPaymentMethod />);

packages/cli/src/commands/spend-request/index.tsx

@@ -5,7 +5,6 @@ import type {
   SpendRequest,
   Total,
 } from '@stripe/link-sdk';
-import { storage } from '@stripe/link-sdk';
 import { Cli, z } from 'incur';
 import { render } from 'ink';
 import React from 'react';
@@ -14,7 +13,7 @@ import {
   parseLineItemFlag,
   parseTotalFlag,
 } from '../../utils/line-item-parser';
-import { requireAuth } from '../../utils/require-auth';
+import { requireAuth, requireAuthGuard } from '../../utils/require-auth';
 import { CancelSpendRequest } from './cancel';
 import { CreateSpendRequest } from './create';
 import { RequestApproval } from './request-approval';
@@ -56,17 +55,7 @@ export function createSpendRequestCli(repository: ISpendRequestResource) {
     alias: { merchantName: 'm' },
     outputPolicy: 'agent-only' as const,
     async *run(c) {
-      if (!storage.isAuthenticated()) {
-        return c.error({
-          code: 'NOT_AUTHENTICATED',
-          message: 'Not authenticated. Run "link-cli auth login" first.',
-          cta: {
-            commands: [
-              { command: 'auth login', description: 'Log in to Link' },
-            ],
-          },
-        });
-      }
+      requireAuthGuard(c);
 
       const opts = c.options;
       const requestApproval = !!opts.requestApproval;
@@ -193,19 +182,8 @@ export function createSpendRequestCli(repository: ISpendRequestResource) {
     }),
     options: updateOptions,
     outputPolicy: 'agent-only' as const,
+    middleware: [requireAuth],
     async run(c) {
-      if (!storage.isAuthenticated()) {
-        return c.error({
-          code: 'NOT_AUTHENTICATED',
-          message: 'Not authenticated. Run "link-cli auth login" first.',
-          cta: {
-            commands: [
-              { command: 'auth login', description: 'Log in to Link' },
-            ],
-          },
-        });
-      }
-
       const id = c.args.id;
       const opts = c.options;
 
@@ -257,17 +235,7 @@ export function createSpendRequestCli(repository: ISpendRequestResource) {
     }),
     outputPolicy: 'agent-only' as const,
     async *run(c) {
-      if (!storage.isAuthenticated()) {
-        return c.error({
-          code: 'NOT_AUTHENTICATED',
-          message: 'Not authenticated. Run "link-cli auth login" first.',
-          cta: {
-            commands: [
-              { command: 'auth login', description: 'Log in to Link' },
-            ],
-          },
-        });
-      }
+      requireAuthGuard(c);
 
       const id = c.args.id;
 
@@ -311,17 +279,7 @@ export function createSpendRequestCli(repository: ISpendRequestResource) {
     options: retrieveOptions,
     outputPolicy: 'agent-only' as const,
     async *run(c) {
-      if (!storage.isAuthenticated()) {
-        return c.error({
-          code: 'NOT_AUTHENTICATED',
-          message: 'Not authenticated. Run "link-cli auth login" first.',
-          cta: {
-            commands: [
-              { command: 'auth login', description: 'Log in to Link' },
-            ],
-          },
-        });
-      }
+      requireAuthGuard(c);
 
       const id = c.args.id;
       const opts = c.options;
@@ -423,10 +381,8 @@ export function createSpendRequestCli(repository: ISpendRequestResource) {
       id: z.string().describe('Spend request ID'),
     }),
     outputPolicy: 'agent-only' as const,
+    middleware: [requireAuth],
     async run(c) {
-      const authError = requireAuth(c);
-      if (authError) return authError;
-
       const id = c.args.id;
 
       if (!c.agent && !c.formatExplicit) {

packages/cli/src/utils/require-auth.ts

@@ -1,22 +1,43 @@
 import { storage } from '@stripe/link-sdk';
+import type { MiddlewareHandler } from 'incur';
 
 interface AuthErrorOptions {
   code: string;
   message: string;
   cta?: { commands: { command: string; description: string }[] };
 }
 
-const NOT_AUTHENTICATED_ERROR: AuthErrorOptions = {
+export const NOT_AUTHENTICATED_ERROR: AuthErrorOptions = {
   code: 'NOT_AUTHENTICATED',
   message: 'Not authenticated. Run "link-cli auth login" first.',
   cta: {
     commands: [{ command: 'auth login', description: 'Log in to Link' }],
   },
 };
 
-export function requireAuth(c: { error: (err: AuthErrorOptions) => never }) {
+/**
+ * Incur middleware that short-circuits with NOT_AUTHENTICATED if no auth tokens exist.
+ * Use via `middleware: [requireAuth]` on command definitions.
+ *
+ * NOTE: Due to an incur limitation, this cannot be used on `async *run` (generator)
+ * commands that call `c.error()` within the generator body. For those, use
+ * `requireAuthGuard(c)` inside the handler instead.
+ */
+export const requireAuth: MiddlewareHandler = (c, next) => {
   if (!storage.isAuthenticated()) {
     return c.error(NOT_AUTHENTICATED_ERROR);
   }
-  return null;
+  return next();
+};
+
+/**
+ * Inline auth guard for generator commands where middleware doesn't work.
+ * Call at the top of `async *run(c)` handlers.
+ */
+export function requireAuthGuard(c: {
+  error: (err: AuthErrorOptions) => never;
+}) {
+  if (!storage.isAuthenticated()) {
+    c.error(NOT_AUTHENTICATED_ERROR);
+  }
 }