@@ -131,6 +131,7 @@ func TestGet_RefreshesExpiredToken(t *testing.T) {
131131 // Real auth seam: GetValidToken refreshes via the stubbed client and
132132 // succeeds, so the browser flow is never reached.
133133 EnsureAuthenticated : auth .EnsureAuthenticated ,
134+ WithAccessToken : true ,
134135 }
135136
136137 out , err := test .Execute (cmdWithOpts (opts ), "--output ndjson" , out )
@@ -139,13 +140,45 @@ func TestGet_RefreshesExpiredToken(t *testing.T) {
139140 // Identity preserved from the pre-refresh token (refresh response has no user).
140141 assert .Contains (t , out .String (), `"user_id":"42"` )
141142 assert .Contains (t , out .String (), `"email":"user@example.com"` )
142- assert .NotContains (t , out .String (), "new-access" )
143+ // Refreshed access token is surfaced in the identity output.
144+ assert .Contains (t , out .String (), `"token":"new-access"` )
143145
144146 // Refreshed token was persisted.
145147 assert .Equal (t , "new-access" , auth .LoadToken ().AccessToken )
146148}
147149
148- func TestGet_PrintsIdentityWithoutTokens (t * testing.T ) {
150+ func TestGet_PrintsIdentityWithAccessToken (t * testing.T ) {
151+ keyring .MockInit ()
152+ t .Cleanup (auth .ClearToken )
153+ require .NoError (t , auth .SaveToken (& dashboard.OAuthTokenResponse {
154+ AccessToken : "secret-access" ,
155+ RefreshToken : "secret-refresh" ,
156+ CreatedAt : time .Now ().Unix (),
157+ ExpiresIn : 3600 ,
158+ User : & dashboard.User {
159+ ID : 42 ,
160+ Email : "user@example.com" ,
161+ Name : "Test User" ,
162+ },
163+ }))
164+
165+ f , out := test .NewFactory (false , nil , nil , "" )
166+ cmd := NewGetCmd (f )
167+ out , err := test .Execute (cmd , "--with-access-token --output ndjson" , out )
168+ require .NoError (t , err )
169+
170+ assert .Contains (t , out .String (), `"user_id":"42"` )
171+ assert .Contains (t , out .String (), `"email":"user@example.com"` )
172+ assert .Contains (t , out .String (), `"name":"Test User"` )
173+ // Access token is surfaced under the "token" field.
174+ assert .Contains (t , out .String (), `"token":"secret-access"` )
175+ // Refresh token is never exposed.
176+ assert .NotContains (t , out .String (), "secret-refresh" )
177+ assert .NotContains (t , out .String (), "refresh_token" )
178+ }
179+
180+ // Without --with-access-token, no token of any kind appears in the output.
181+ func TestGet_OmitsAccessTokenByDefault (t * testing.T ) {
149182 keyring .MockInit ()
150183 t .Cleanup (auth .ClearToken )
151184 require .NoError (t , auth .SaveToken (& dashboard.OAuthTokenResponse {
@@ -168,8 +201,8 @@ func TestGet_PrintsIdentityWithoutTokens(t *testing.T) {
168201 assert .Contains (t , out .String (), `"user_id":"42"` )
169202 assert .Contains (t , out .String (), `"email":"user@example.com"` )
170203 assert .Contains (t , out .String (), `"name":"Test User"` )
204+ // No token surfaced by default.
171205 assert .NotContains (t , out .String (), "secret-access" )
172206 assert .NotContains (t , out .String (), "secret-refresh" )
173- assert .NotContains (t , out .String (), "access_token" )
174- assert .NotContains (t , out .String (), "refresh_token" )
207+ assert .NotContains (t , out .String (), `"token"` )
175208}
0 commit comments