Webauth PAT names are truncated at the first hyphen #937

Description

@tomaskir

Describe the bug

Personal access tokens minted through the CLI webauth login flow get their name truncated at the first hyphen. The webauth approval page parses the request payload by splitting on - and taking a single field for the token name:

// frontend/app/webauth/[requestCode]/page.tsx
const params = hash.split('-')        // hash = "port-pubKeyHex-patName"
return { port: Number(params[0]), publicKey: params[1], requestedTokenName: params[2] }

port is numeric and pubKeyHex is hex, so the only field that can contain a hyphen is the name, which is last. The CLI builds the name as username@hostname (cli/src/cmd/auth_webauth.go, fmt.Sprintf("%s@%s", username, hostname)), and hostnames/usernames commonly contain hyphens, so params[2] keeps only the part before the first hyphen in the name.

Impact is limited to the token name (a label) - the token key material and authentication are unaffected. The token still works; it just shows up under a wrong, shortened name in the dashboard.

To Reproduce

Steps to reproduce the behavior:

  1. On a machine whose hostname contains a hyphen (e.g. johns-macbook), run the CLI webauth login (phase auth, default webauth mode).
  2. Complete the approval flow in the browser.
  3. Open the dashboard and view the newly created personal access token.
  4. See that the token name is truncated, e.g. john@johns instead of john@johns-macbook.

Payload trace: 8002-abcd-john@johns-macbook -> split('-') -> ['8002','abcd','john@johns','macbook'] -> name = params[2] = john@johns.

Expected behavior

The full token name is preserved, including any hyphens: john@johns-macbook.

Screenshots

N/A.

Platform you are having the issue on:

Console webauth page (frontend/app/webauth/[requestCode]/page.tsx), any browser. Triggered by the CLI webauth flow; reproducible on any host/user with a hyphen in the name.

Additional context

  • Root cause: getWebAuthRequestParams uses params[2] rather than rejoining the remaining fields. A parse-safe fix is to treat everything after the second hyphen as the name (params.slice(2).join('-')), or move the payload to a structured format.
  • This overlaps with feat: honor a CLI-requested token lifetime in the webauth login flow #928 (honoring a CLI-requested token lifetime), which reworks the same payload parsing - the truncation fix falls out of that change. Flagging it as a standalone bug so it is tracked independently of that feature.
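
The truncation and a parse-safe alternative, as an added example that is not the project's code or part of the original report. The payload layout `port-pubKeyHex-patName` comes from the issue; the function names, the validation rules and the second sample payload are assumptions made for illustration. Splitting on the first two hyphens only gives the same name as `params.slice(2).join('-')`.

```javascript
// Parse as the issue describes it: a plain split keeps only params[2],
// so any hyphen inside the name cuts the name short.
function parseTruncating(hash) {
  const params = hash.split('-');
  return { port: Number(params[0]), publicKey: params[1], requestedTokenName: params[2] };
}

// Split on the first two hyphens only; everything after them is the name.
function parseWebAuthPayload(hash) {
  const first = hash.indexOf('-');
  const second = first === -1 ? -1 : hash.indexOf('-', first + 1);
  if (second === -1) throw new Error('expected port-pubKeyHex-patName');

  const portText = hash.slice(0, first);
  const publicKey = hash.slice(first + 1, second);
  const requestedTokenName = hash.slice(second + 1);

  // port and key are the hyphen-free fields, so they can be validated strictly
  // (assumed rules: decimal TCP port, non-empty hex key, non-empty name).
  if (!/^\d{1,5}$/.test(portText)) throw new Error('port is not numeric');
  const port = Number(portText);
  if (port < 1 || port > 65535) throw new Error('port out of range');
  if (!/^[0-9a-fA-F]+$/.test(publicKey)) throw new Error('public key is not hex');
  if (requestedTokenName.length === 0) throw new Error('token name is empty');

  return { port, publicKey, requestedTokenName };
}

// Constructed sample payloads: the one from the report plus a multi-hyphen name.
const samples = ['8002-abcd-john@johns-macbook', '8002-abcd-ci-runner@build-host-01'];
for (const s of samples) {
  console.log(s, '->', parseTruncating(s).requestedTokenName,
    'vs', parseWebAuthPayload(s).requestedTokenName);
}
```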