fix: getCliClient() token not passed through (#688)

Author: rexxars

packages/@sanity/cli/src/actions/exec/configClient.worker.ts

@@ -1,6 +1,9 @@
 import {spawn} from 'node:child_process'
 import path from 'node:path'
 
+import {CLIError} from '@oclif/core/errors'
+import {getCliToken} from '@sanity/cli-core'
+
 interface ExecScriptOptions {
   extraArguments: string[]
   flags: {
@@ -19,7 +22,6 @@ export async function execScript(options: ExecScriptOptions): Promise<void> {
   const resolvedScriptPath = path.resolve(scriptPath)
 
   const browserEnvPath = new URL('registerBrowserEnv.worker.js', import.meta.url).href
-  const configClientPath = new URL('configClient.worker.js', import.meta.url).href
 
   // Use tsx loader for TypeScript support in the spawned child process
   // We need to resolve the tsx loader path from the CLI's node_modules since the child
@@ -30,17 +32,33 @@ export async function execScript(options: ExecScriptOptions): Promise<void> {
     throw new Error('@sanity/cli not able to resolve tsx loader')
   }
 
+  // When --with-user-token is specified, resolve the token in the parent process
+  // and pass it via environment variable. This avoids a module-instance mismatch where
+  // the worker's `getCliClient` import resolves to a different module than the script's
+  // `import {getCliClient} from 'sanity/cli'`, causing the __internal__getToken mutation
+  // to not propagate.
+  let tokenEnv: Record<string, string> = {}
+  if (withUserToken) {
+    const token = await getCliToken()
+    if (!token) {
+      throw new CLIError(
+        '--with-user-token specified, but no auth token could be found. Run `sanity login`',
+      )
+    }
+    tokenEnv = {SANITY_AUTH_TOKEN: token}
+  }
+
   const baseArgs = mockBrowserEnv
     ? ['--import', tsxLoaderPath, '--import', browserEnvPath]
     : ['--import', tsxLoaderPath]
-  const tokenArgs = withUserToken ? ['--import', configClientPath] : []
 
-  const nodeArgs = [...baseArgs, ...tokenArgs, resolvedScriptPath, ...extraArguments]
+  const nodeArgs = [...baseArgs, resolvedScriptPath, ...extraArguments]
 
   const proc = spawn(process.argv[0], nodeArgs, {
     env: {
       ...process.env,
       SANITY_BASE_PATH: workDir,
+      ...tokenEnv,
     },
     stdio: 'inherit',
   })

packages/@sanity/cli/src/actions/exec/execScript.ts

@@ -0,0 +1,97 @@
+// Separate file from exec.test.ts because getCliToken() in @sanity/cli-core caches the resolved
+// token at module level. A separate file gives us a fresh module scope, so the "no token" error
+// test isn't order-dependent on tests that successfully resolve a token.
+import {type SpawnOptions} from 'node:child_process'
+import {copyFile, mkdir, rm} from 'node:fs/promises'
+import {tmpdir} from 'node:os'
+import {join, resolve} from 'node:path'
+
+import {CLIError} from '@oclif/core/errors'
+import {setCliUserConfig} from '@sanity/cli-core'
+import {testCommand, testFixture} from '@sanity/cli-test'
+import {afterEach, beforeEach, describe, expect, test, vi} from 'vitest'
+
+import {ExecCommand} from '../exec.js'
+
+const TEST_CONFIG_DIR = join(tmpdir(), 'sanity-cli-test-exec-token')
+const TEST_CONFIG_PATH = join(TEST_CONFIG_DIR, 'config.json')
+
+const fixtureDir = resolve(import.meta.dirname, '../../../test/__fixtures__')
+
+// Mock spawn to capture output instead of inheriting
+vi.mock('node:child_process', async (importOriginal) => {
+  const actual = await importOriginal<typeof import('node:child_process')>()
+  return {
+    ...actual,
+    spawn: (command: string, args: string[], options: SpawnOptions) => {
+      const proc = actual.spawn(command, args, {
+        ...options,
+        stdio: ['inherit', 'pipe', 'pipe'],
+      })
+
+      proc.stdout?.pipe(process.stdout)
+      proc.stderr?.pipe(process.stderr)
+
+      return proc
+    },
+  }
+})
+
+async function setupTestAuth(token: string): Promise<{cleanup: () => Promise<void>}> {
+  await mkdir(TEST_CONFIG_DIR, {recursive: true})
+  vi.stubEnv('SANITY_CLI_CONFIG_PATH', TEST_CONFIG_PATH)
+  // Clear SANITY_AUTH_TOKEN so getCliToken() reads from the config file
+  // instead of picking up an env var (e.g. set in CI)
+  vi.stubEnv('SANITY_AUTH_TOKEN', '')
+  await setCliUserConfig('authToken', token)
+
+  return {cleanup: () => rm(TEST_CONFIG_DIR, {force: true, recursive: true})}
+}
+
+describe('exec --with-user-token', {timeout: 15 * 1000}, () => {
+  let exampleDir: string
+  let scriptPath: string
+
+  beforeEach(async () => {
+    exampleDir = await testFixture('basic-studio')
+    process.chdir(exampleDir)
+
+    scriptPath = join(exampleDir, 'test-script.ts')
+    await copyFile(join(fixtureDir, 'exec-script.ts'), scriptPath)
+  })
+
+  afterEach(() => {
+    vi.unstubAllEnvs()
+  })
+
+  test('errors when no auth token is found', async () => {
+    // Ensure no token is available from any source
+    vi.stubEnv('SANITY_AUTH_TOKEN', '')
+    vi.stubEnv('SANITY_CLI_CONFIG_PATH', join(tmpdir(), 'sanity-cli-nonexistent', 'config.json'))
+
+    const {error} = await testCommand(ExecCommand, [scriptPath, '--with-user-token'])
+
+    expect(error).toBeInstanceOf(CLIError)
+    expect(error?.message).toContain('--with-user-token specified')
+    expect(error?.message).toContain('sanity login')
+  })
+
+  test('passes token to getCliClient()', async () => {
+    const tokenScriptPath = join(exampleDir, 'test-token-script.ts')
+    await copyFile(join(fixtureDir, 'exec-get-user-token.ts'), tokenScriptPath)
+
+    const {cleanup} = await setupTestAuth('test-fake-token-abc123')
+
+    try {
+      const {error, stdout} = await testCommand(ExecCommand, [tokenScriptPath, '--with-user-token'])
+
+      if (error) throw error
+
+      const data = JSON.parse(stdout.trim())
+      expect(data.success).toBe(true)
+      expect(data.token).toBe('test-fake-token-abc123')
+    } finally {
+      await cleanup()
+    }
+  })
+})

packages/@sanity/cli/src/commands/__tests__/exec-with-user-token.test.ts

@@ -101,8 +101,6 @@ describe('#exec', {timeout: 15 * 1000}, () => {
       const data = JSON.parse(stdout.trim())
       expect(data.success).toBe(true)
       expect(data.env.SANITY_BASE_PATH).toBe(exampleDir)
-      // Without token, API returns empty object rather than throwing error
-      expect(data.user).toEqual({})
     })
 
     test.skipIf(!TEST_TOKEN)('executes script with --with-user-token flag', async () => {

packages/@sanity/cli/src/commands/__tests__/exec.test.ts

@@ -9,16 +9,23 @@ vi.mock('@sanity/client')
 
 describe('getCliClient', () => {
   const mockClient = {withConfig: vi.fn()} as unknown as SanityClient
-  let originalProcessEnv: NodeJS.ProcessEnv
+  const originalAuthToken = process.env.SANITY_AUTH_TOKEN
 
   beforeEach(() => {
     vi.clearAllMocks()
     vi.mocked(createClient).mockReturnValue(mockClient)
-    originalProcessEnv = process.env
+    // Ensure SANITY_AUTH_TOKEN doesn't leak into tests that expect no token
+    delete process.env.SANITY_AUTH_TOKEN
   })
 
   afterEach(() => {
-    process.env = originalProcessEnv
+    // Restore original SANITY_AUTH_TOKEN value (may have been set in CI)
+    if (originalAuthToken === undefined) {
+      delete process.env.SANITY_AUTH_TOKEN
+    } else {
+      process.env.SANITY_AUTH_TOKEN = originalAuthToken
+    }
+    vi.unstubAllEnvs()
   })
 
   test('should throw error if not called from node.js', () => {
@@ -85,7 +92,7 @@ describe('getCliClient', () => {
   test('should use SANITY_BASE_PATH env var as cwd if set', async () => {
     const {findProjectRootSync, getCliConfigSync} = await import('@sanity/cli-core')
 
-    process.env.SANITY_BASE_PATH = '/custom/path'
+    vi.stubEnv('SANITY_BASE_PATH', '/custom/path')
 
     const mockProjectRoot = {
       directory: '/custom/path',
@@ -238,6 +245,48 @@ describe('getCliClient', () => {
     getCliClient.__internal__getToken = () => undefined
   })
 
+  test('should use SANITY_AUTH_TOKEN env var as fallback', () => {
+    vi.stubEnv('SANITY_AUTH_TOKEN', 'env-token')
+
+    const options = {
+      dataset: 'test-dataset',
+      projectId: 'test-project',
+    }
+
+    getCliClient(options)
+
+    expect(createClient).toHaveBeenCalledWith({
+      apiVersion: '2022-06-06',
+      dataset: 'test-dataset',
+      projectId: 'test-project',
+      token: 'env-token',
+      useCdn: false,
+    })
+  })
+
+  test('should prioritize __internal__getToken over SANITY_AUTH_TOKEN env var', () => {
+    vi.stubEnv('SANITY_AUTH_TOKEN', 'env-token')
+    getCliClient.__internal__getToken = () => 'internal-token'
+
+    const options = {
+      dataset: 'test-dataset',
+      projectId: 'test-project',
+    }
+
+    getCliClient(options)
+
+    expect(createClient).toHaveBeenCalledWith({
+      apiVersion: '2022-06-06',
+      dataset: 'test-dataset',
+      projectId: 'test-project',
+      token: 'internal-token',
+      useCdn: false,
+    })
+
+    // Reset
+    getCliClient.__internal__getToken = () => undefined
+  })
+
   test('should pass through additional ClientConfig options', () => {
     const options = {
       dataset: 'test-dataset',

packages/@sanity/cli/src/util/__tests__/cliClient.test.ts

@@ -29,7 +29,7 @@ export const getCliClient: CliClientGetter = (options: CliClientOptions = {}): S
     cwd = process.env.SANITY_BASE_PATH || process.cwd(),
     dataset,
     projectId,
-    token = getCliClient.__internal__getToken(),
+    token = getCliClient.__internal__getToken() ?? (process.env.SANITY_AUTH_TOKEN || undefined),
     useCdn = false,
     ...restOfOptions
   } = options

packages/@sanity/cli/src/util/cliClient.ts

@@ -0,0 +1,28 @@
+// Test script for `sanity exec --with-user-token`
+// Verifies that the token is available in the client config
+
+import {getCliClient} from 'sanity/cli'
+
+try {
+  const client = getCliClient()
+  const config = client.config()
+
+  // Output whether the token was received
+  // eslint-disable-next-line no-console
+  console.log(
+    JSON.stringify({
+      hasToken: typeof config.token === 'string' && config.token.length > 0,
+      token: config.token,
+      success: true,
+    }),
+  )
+} catch (error) {
+  // eslint-disable-next-line no-console
+  console.error(
+    JSON.stringify({
+      error: error instanceof Error ? error.message : String(error),
+      success: false,
+    }),
+  )
+  process.exit(1)
+}