Identifies tokens, credentials and remote-host authentication flows in code and helps work through authorization problems.
Copy the install instructions and let the AI complete the setup · Recommended for beginners
Please install the "auth" skill from askskill for me: 1. Download https://raw.githubusercontent.com/microsoft/apm/main/.apm/skills/auth/SKILL.md 2. Save it as ~/.claude/skills/auth/SKILL.md 3. Once installed, reload skills and tell me it is ready to use
Please review the authentication flow in this code, focusing on token management, credential parsing, and the use of AuthResolver and AuthContext; point out potential problems and suggest fixes.
Provide an analysis of the auth flow, a description of the risk points, and actionable fix suggestions or a refactoring plan.
Help me analyze this project's Git remote authentication implementation and check whether GITHUB_APM_PAT, ADO_APM_PAT and the host-matching logic are handled correctly.
Output the results of checking the environment variables, host matching and authentication fallback mechanism, with improvement suggestions.
Please review this remote-host authentication code from a security and maintainability perspective, including HostInfo, credential caching and exception handling.
Return code review comments covering security risks, edge cases and optimization suggestions.
Auth expert persona
src/apm_cli/core/auth.py or src/apm_cli/core/token_manager.py
GITHUB_APM_PAT, GITHUB_TOKEN, GH_TOKEN, ADO_APM_PAT
git ls-remote, git clone, or GitHub/ADO API calls
github_downloader.py auth paths
All auth flows MUST go through AuthResolver. No direct os.getenv() for token variables in application code.
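One way to enforce the "no direct os.getenv() for token variables" rule in CI is an AST check that flags os.getenv(), os.environ[...] and os.environ.get() reads of the listed variables outside the resolver modules. This is an added example, not code from the apm repository: the allowed-module set, the sample source and the AuthResolver().resolve() call in it are assumptions.

```python
"""Lint check: flag direct reads of token environment variables outside the
auth resolver modules. Added example; not part of apm."""
import ast
from typing import List, Optional, Tuple

# Token variable names listed on the page; these must only be read by the resolver.
TOKEN_VARS = {"GITHUB_APM_PAT", "GITHUB_TOKEN", "GH_TOKEN", "ADO_APM_PAT"}
# Modules allowed to read them directly (assumption: the resolver lives here).
ALLOWED_MODULES = {"src/apm_cli/core/auth.py", "src/apm_cli/core/token_manager.py"}


def _string_value(node: ast.AST) -> Optional[str]:
    """Return the literal string of a Constant node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _is_os_environ(node: ast.AST) -> bool:
    """True for the expression `os.environ`."""
    return (isinstance(node, ast.Attribute) and node.attr == "environ"
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def find_direct_token_reads(source: str, path: str) -> List[Tuple[int, str]]:
    """Return (lineno, variable) for each direct read of a token variable.

    Detects os.getenv("X"), os.environ.get("X", ...) and os.environ["X"].
    Files in ALLOWED_MODULES are exempt. Results are sorted by line number.
    """
    if path in ALLOWED_MODULES:
        return []
    hits: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        name = None
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.args:
            fn = node.func
            is_getenv = (fn.attr == "getenv" and isinstance(fn.value, ast.Name)
                         and fn.value.id == "os")
            is_environ_get = fn.attr == "get" and _is_os_environ(fn.value)
            if is_getenv or is_environ_get:
                name = _string_value(node.args[0])
        elif isinstance(node, ast.Subscript) and _is_os_environ(node.value):
            sl = node.slice
            if isinstance(sl, getattr(ast, "Index", ())):  # Python < 3.9 wraps the slice
                sl = sl.value
            name = _string_value(sl)
        if name in TOKEN_VARS:
            hits.append((node.lineno, name))
    return sorted(hits)


# Constructed sample module (not real apm code) exercising every detected form.
SAMPLE = '''\
import os
from apm_cli.core.auth import AuthResolver   # resolver class named on the page

def bad_clone(url):
    token = os.getenv("GITHUB_TOKEN")        # flagged
    pat = os.environ["ADO_APM_PAT"]          # flagged
    gh = os.environ.get("GH_TOKEN", "")      # flagged
    home = os.getenv("HOME")                 # not a token variable
    return token, pat, gh, home

def good_clone(url):
    return AuthResolver().resolve(url)       # method name assumed
'''

if __name__ == "__main__":
    for lineno, var in find_direct_token_reads(SAMPLE, "src/apm_cli/cli/clone.py"):
        print(f"clone.py:{lineno}: direct read of {var}; route through AuthResolver")
```

Run it over every file under src/ in a pre-commit hook or test; a non-empty result for any path outside the resolver modules fails the build. The check is deliberately syntactic, so a read via a renamed import (e.g. from os import getenv) is not caught; a grep for the variable names outside the allowed modules is a cheap second net.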
The full per-org -> global -> credential-fill -> fallback resolution flow is in (mermaid flowchart). Treat it as the single source of truth; if behavior diverges, fix the diagram in the same PR.
docs/src/content/docs/getting-started/authentication.md
ADO hosts (dev.azure.com, *.visualstudio.com) resolve auth in this order:
1. ADO_APM_PAT env var if set
2. az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 if az is installed and az account show succeeds
Error diagnostics: build_error_context (see the diagnostic cases below).
ADO_APM_PAT is the env var name used by the auth flow. The AAD bearer source constant lives in src/apm_cli/core/token_manager.py as GitHubTokenManager.ADO_BEARER_SOURCE = "AAD_BEARER_AZ_CLI".
Stale-PAT silent fallback: if ADO_APM_PAT is rejected with HTTP 401, APM retries with the az bearer and emits:
[!] ADO_APM_PAT was rejected for {host} (HTTP 401); fell back to az cli bearer.
[!] Consider unsetting the stale variable.
Verbose source line (one per host, emitted under --verbose):
[i] dev.azure.com -- using bearer from az cli (source: AAD_BEARER_AZ_CLI)
[i] dev.azure.com -- token from ADO_APM_PAT
Diagnostic cases (_emit_stale_pat_diagnostic + build_error_context in src/apm_cli/core/auth.py):
No ADO_APM_PAT was set and az CLI is not installed. -> install az, run az login --tenant <tenant>, or set ADO_APM_PAT.
az CLI is installed but no active session was found. -> run az login --tenant <tenant> against the tenant that owns the org, or set ADO_APM_PAT.
az CLI returned a token but the org does not accept it (likely a tenant mismatch). -> run az login --tenant <correct-tenant>, or set ADO_APM_PAT.
ADO_APM_PAT was rejected (HTTP 401) and no az cli fallback was available. -> rotate the PAT, or install az and run az login --tenant <tenant>.
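The ADO resolution order, the stale-PAT fallback and the four diagnostic cases above, worked through end to end as an added example. It is not apm's own implementation: the az CLI and the org's HTTP response are replaced by injected stand-ins so it runs offline, and the names resolve_ado_credential, FakeAzCli, Resolution and fake_probe are assumptions. The resource ID, the AAD_BEARER_AZ_CLI constant, the host patterns and the message texts are the ones the page gives.

```python
"""Illustrative ADO credential resolution with stale-PAT fallback and
diagnostics. Added example; not apm's code."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional

# Values quoted on the page; everything else in this block is an assumption.
ADO_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"  # az account get-access-token --resource
ADO_BEARER_SOURCE = "AAD_BEARER_AZ_CLI"
ADO_HOST_PATTERNS = ("dev.azure.com", "*.visualstudio.com")


def is_ado_host(host: str) -> bool:
    """True for dev.azure.com and any *.visualstudio.com host (case-insensitive)."""
    return any(fnmatch(host.lower(), p) for p in ADO_HOST_PATTERNS)


@dataclass
class FakeAzCli:
    """Stand-in for the az CLI so the example runs offline (assumed interface)."""
    installed: bool = False
    signed_in: bool = False      # what `az account show` would report
    token: Optional[str] = None  # what `az account get-access-token` would return

    def get_access_token(self, resource: str) -> Optional[str]:
        if self.installed and self.signed_in and resource == ADO_RESOURCE_ID:
            return self.token
        return None


@dataclass
class Resolution:
    token: Optional[str] = None
    source: Optional[str] = None                        # "ADO_APM_PAT" or ADO_BEARER_SOURCE
    messages: List[str] = field(default_factory=list)   # user-facing lines; never the secret


# probe(host, credential) -> HTTP status the org returned. Only 401 means "rejected";
# a 403 (PAT lacks scope) or 5xx must not trigger the fallback.
Probe = Callable[[str, str], int]


def resolve_ado_credential(host: str, env: Dict[str, str], az: FakeAzCli,
                           probe: Probe, verbose: bool = False) -> Resolution:
    """Resolve a credential for an ADO host: ADO_APM_PAT first, az bearer as fallback."""
    if not is_ado_host(host):
        raise ValueError(f"{host} is not an Azure DevOps host")
    res = Resolution()
    pat = env.get("ADO_APM_PAT")
    bearer = az.get_access_token(ADO_RESOURCE_ID)
    verbose_az = f"[i] {host} -- using bearer from az cli (source: {ADO_BEARER_SOURCE})"

    if pat:
        if probe(host, pat) != 401:
            res.token, res.source = pat, "ADO_APM_PAT"
            if verbose:
                res.messages.append(f"[i] {host} -- token from ADO_APM_PAT")
            return res
        # Stale-PAT path: retry with the az bearer, warn, but keep going.
        if bearer and probe(host, bearer) != 401:
            res.token, res.source = bearer, ADO_BEARER_SOURCE
            res.messages += [
                f"[!] ADO_APM_PAT was rejected for {host} (HTTP 401); fell back to az cli bearer.",
                "[!] Consider unsetting the stale variable.",
            ]
            if verbose:
                res.messages.append(verbose_az)
            return res
        res.messages.append("ADO_APM_PAT was rejected (HTTP 401) and no az cli fallback was available."
                            " -> rotate the PAT, or install az and run az login --tenant <tenant>.")
        return res

    if bearer and probe(host, bearer) != 401:
        res.token, res.source = bearer, ADO_BEARER_SOURCE
        if verbose:
            res.messages.append(verbose_az)
        return res
    # No usable credential: name the az precondition that failed, with its remedy.
    if not az.installed:
        res.messages.append("No ADO_APM_PAT was set and az CLI is not installed."
                            " -> install az, run az login --tenant <tenant>, or set ADO_APM_PAT.")
    elif not az.signed_in or not bearer:   # no session, or a session that yielded no token
        res.messages.append("az CLI is installed but no active session was found."
                            " -> run az login --tenant <tenant> against the tenant that owns the org, or set ADO_APM_PAT.")
    else:
        res.messages.append("az CLI returned a token but the org does not accept it (likely a tenant mismatch)."
                            " -> run az login --tenant <correct-tenant>, or set ADO_APM_PAT.")
    return res


# Constructed org: it accepts exactly these credentials; everything else gets 401.
ACCEPTED = {"pat-fresh", "bearer-right-tenant"}


def fake_probe(host: str, credential: str) -> int:
    return 200 if credential in ACCEPTED else 401


if __name__ == "__main__":
    az = FakeAzCli(installed=True, signed_in=True, token="bearer-right-tenant")
    r = resolve_ado_credential("dev.azure.com", {"ADO_APM_PAT": "pat-stale"}, az, fake_probe, verbose=True)
    print(r.source, *r.messages, sep="\n")
```

Two points worth checking in a real implementation against this model: the fallback must key on an HTTP 401 specifically, since a 403 from a PAT with the wrong scopes is a different failure with a different fix, and the diagnostic lines must carry only the source name, never the PAT or bearer value, because they end up in terminal scrollback and CI logs.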