coder
diff --git a/‎cli/clitest/clitest.go‎
Lines changed: 5 additions & 0 deletions b/‎cli/clitest/clitest.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎cli/login.go‎
Lines changed: 17 additions & 6 deletions b/‎cli/login.go‎
Lines changed: 17 additions & 6 deletions
diff --git a/‎cli/logout.go‎
Lines changed: 3 additions & 3 deletions b/‎cli/logout.go‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎cli/root.go‎
Lines changed: 32 additions & 7 deletions b/‎cli/root.go‎
Lines changed: 32 additions & 7 deletions
diff --git a/‎cli/sessionstore/sessionstore.go‎
Lines changed: 166 additions & 0 deletions b/‎cli/sessionstore/sessionstore.go‎
Lines changed: 166 additions & 0 deletions
@@ -21,6 +21,7 @@ import (
 	"cdr.dev/slog/sloggers/slogtest"
 	"github.com/coder/coder/v2/cli"
 	"github.com/coder/coder/v2/cli/config"
+	"github.com/coder/coder/v2/cli/sessionstore"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/provisioner/echo"
 	"github.com/coder/coder/v2/testutil"
@@ -32,6 +33,10 @@ import (
 func New(t testing.TB, args ...string) (*serpent.Invocation, config.Root) {
 	var root cli.RootCmd
 
+	// Always store the session token in a file to simplify tests that aren't
+	// explicitly exercising or need to depend on the operating system keyring.
+	root.WithSessionStorageBackend(sessionstore.File{})
+
 	cmd, err := root.Command(root.AGPL())
 	require.NoError(t, err)
 
 
@@ -19,6 +19,7 @@ import (
 	"github.com/coder/pretty"
 
 	"github.com/coder/coder/v2/cli/cliui"
+	"github.com/coder/coder/v2/cli/sessionstore"
 	"github.com/coder/coder/v2/coderd/userpassword"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/serpent"
@@ -115,9 +116,12 @@ func (r *RootCmd) loginWithPassword(
 
 	sessionToken := resp.SessionToken
 	config := r.createConfig()
-	err = config.Session().Write(sessionToken)
-	if err != nil {
-		return xerrors.Errorf("write session token: %w", err)
+	location, werr := r.tokenBackend.Write(config, client.URL, sessionToken)
+	if werr != nil {
+		return xerrors.Errorf("write session token: %w", werr)
+	}
+	if r.tokenBackend.PreferredLocation() == sessionstore.LocationKeyring && location == sessionstore.LocationFile {
+		cliui.Warn(inv.Stderr, "⚠️ Token stored in PLAIN TEXT because keyring access failed.")
 	}
 
 	client.SetSessionToken(sessionToken)
@@ -149,8 +153,12 @@ func (r *RootCmd) login() *serpent.Command {
 		useTokenForSession bool
 	)
 	cmd := &serpent.Command{
-		Use:        "login [<url>]",
-		Short:      "Authenticate with Coder deployment",
+		Use:   "login [<url>]",
+		Short: "Authenticate with Coder deployment",
+		Long: "Stores the session token in the operating system keyring, with a fallback " +
+			"to plain text if the keyring is not available. The security command is used " +
+			"on macOS. Windows Credential Manager API is used on Windows. The session " +
+			"is only stored in plain text on Linux.",
 		Middleware: serpent.RequireRangeArgs(0, 1),
 		Handler: func(inv *serpent.Invocation) error {
 			ctx := inv.Context()
@@ -394,10 +402,13 @@ func (r *RootCmd) login() *serpent.Command {
 			}
 
 			config := r.createConfig()
-			err = config.Session().Write(sessionToken)
+			location, err := r.tokenBackend.Write(config, client.URL, sessionToken)
 			if err != nil {
 				return xerrors.Errorf("write session token: %w", err)
 			}
+			if r.tokenBackend.PreferredLocation() == sessionstore.LocationKeyring && location == sessionstore.LocationFile {
+				cliui.Warn(inv.Stderr, "⚠️ Token stored in PLAIN TEXT because keyring access failed.")
+			}
 			err = config.URL().Write(serverURL.String())
 			if err != nil {
 				return xerrors.Errorf("write server url: %w", err)
 
@@ -46,11 +46,11 @@ func (r *RootCmd) logout() *serpent.Command {
 				errors = append(errors, xerrors.Errorf("remove URL file: %w", err))
 			}
 
-			err = config.Session().Delete()
+			err = r.tokenBackend.Delete(config, client.URL)
 			// Only throw error if the session configuration file is present,
 			// otherwise the user is already logged out, and we proceed
-			if err != nil && !os.IsNotExist(err) {
-				errors = append(errors, xerrors.Errorf("remove session file: %w", err))
+			if err != nil && !xerrors.Is(err, os.ErrNotExist) {
+				errors = append(errors, xerrors.Errorf("remove session token: %w", err))
 			}
 
 			err = config.Organization().Delete()
 
@@ -37,6 +37,7 @@ import (
 	"github.com/coder/coder/v2/cli/cliui"
 	"github.com/coder/coder/v2/cli/config"
 	"github.com/coder/coder/v2/cli/gitauth"
+	"github.com/coder/coder/v2/cli/sessionstore"
 	"github.com/coder/coder/v2/cli/telemetry"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/agentsdk"
@@ -382,6 +383,14 @@ func (r *RootCmd) Command(subcommands []*serpent.Command) (*serpent.Command, err
 	if r.clientURL == nil {
 		r.clientURL = new(url.URL)
 	}
+	if r.tokenBackend == nil {
+		switch runtime.GOOS {
+		case "windows", "darwin":
+			r.tokenBackend = sessionstore.NewKeyringWithFileFallback()
+		default:
+			r.tokenBackend = sessionstore.File{}
+		}
+	}
 
 	globalGroup := &serpent.Group{
 		Name:        "Global",
@@ -508,6 +517,7 @@ func (r *RootCmd) Command(subcommands []*serpent.Command) (*serpent.Command, err
 type RootCmd struct {
 	clientURL     *url.URL
 	token         string
+	tokenBackend  sessionstore.Backend
 	globalConfig  string
 	header        []string
 	headerCommand string
@@ -549,14 +559,20 @@ func (r *RootCmd) InitClient(inv *serpent.Invocation) (*codersdk.Client, error)
 			return nil, err
 		}
 	}
-	// Read the token stored on disk.
 	if r.token == "" {
-		r.token, err = conf.Session().Read()
+		tok, location, err := r.tokenBackend.Read(conf, r.clientURL)
 		// Even if there isn't a token, we don't care.
 		// Some API routes can be unauthenticated.
-		if err != nil && !os.IsNotExist(err) {
+		if err != nil && !xerrors.Is(err, os.ErrNotExist) {
 			return nil, err
 		}
+		if tok != "" {
+			r.token = tok
+		}
+		if r.tokenBackend.PreferredLocation() == sessionstore.LocationKeyring && location == sessionstore.LocationFile {
+			_, _ = fmt.Fprintln(inv.Stderr, pretty.Sprint(cliui.DefaultStyles.Warn,
+				"⚠️ Token read from PLAIN TEXT. Consider logging in again to use keyring storage."))
+		}
 	}
 
 	// Configure HTTP client with transport wrappers
@@ -588,7 +604,6 @@ func (r *RootCmd) InitClient(inv *serpent.Invocation) (*codersdk.Client, error)
 // This allows commands to run without requiring authentication, but still use auth if available.
 func (r *RootCmd) TryInitClient(inv *serpent.Invocation) (*codersdk.Client, error) {
 	conf := r.createConfig()
-	var err error
 	// Read the client URL stored on disk.
 	if r.clientURL == nil || r.clientURL.String() == "" {
 		rawURL, err := conf.URL().Read()
@@ -605,14 +620,20 @@ func (r *RootCmd) TryInitClient(inv *serpent.Invocation) (*codersdk.Client, erro
 			}
 		}
 	}
-	// Read the token stored on disk.
 	if r.token == "" {
-		r.token, err = conf.Session().Read()
+		tok, location, err := r.tokenBackend.Read(conf, r.clientURL)
 		// Even if there isn't a token, we don't care.
 		// Some API routes can be unauthenticated.
-		if err != nil && !os.IsNotExist(err) {
+		if err != nil && !xerrors.Is(err, os.ErrNotExist) {
 			return nil, err
 		}
+		if tok != "" {
+			r.token = tok
+		}
+		if r.tokenBackend.PreferredLocation() == sessionstore.LocationKeyring && location == sessionstore.LocationFile {
+			_, _ = fmt.Fprintln(inv.Stderr, pretty.Sprint(cliui.DefaultStyles.Warn,
+				"⚠️ Token read from PLAIN TEXT. Login again to use keyring storage."))
+		}
 	}
 
 	// Only configure the client if we have a URL
@@ -688,6 +709,10 @@ func (r *RootCmd) createUnauthenticatedClient(ctx context.Context, serverURL *ur
 	return client, nil
 }
 
+func (r *RootCmd) WithSessionStorageBackend(backend sessionstore.Backend) {
+	r.tokenBackend = backend
+}
+
 type AgentAuth struct {
 	// Agent Client config
 	agentToken     string
 
@@ -0,0 +1,166 @@
+// Package sessionstore provides CLI session token storage mechanisms.
+package sessionstore
+
+import (
+	"errors"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/zalando/go-keyring"
+
+	"github.com/coder/coder/v2/cli/config"
+)
+
+// Backend is a storage backend for session tokens. It's similar to keyring.Keyring
+// but intended to allow more flexible types and avoid global behaviors in the keyring
+// package (e.g. using the keyring package mock modifies a package global).
+type Backend interface {
+	// Read returns the session token and where it is stored for the given server URL,
+	// or an error, if any.
+	Read(conf config.Root, serverURL *url.URL) (string, Location, error)
+	// Write stores the session token for the given server URL. It returns where the
+	// token was stored or an error, if any.
+	Write(conf config.Root, serverURL *url.URL, token string) (Location, error)
+	// Delete removes any stored session token or an error, if any. It will return
+	// os.ErrNotExist error if no token exists to delete.
+	Delete(conf config.Root, serverURL *url.URL) error
+	// PreferredLocation returns the preferred token storage Location of this Backend.
+	PreferredLocation() Location
+}
+
+// keyringProvider is an interface alias to prevent leaking the go-keyring package
+// outside this package.
+type keyringProvider = keyring.Keyring
+
+type operatingSystemKeyring struct{}
+
+func (operatingSystemKeyring) Set(service, user, password string) error {
+	return keyring.Set(service, user, password)
+}
+
+func (operatingSystemKeyring) Get(service, user string) (string, error) {
+	return keyring.Get(service, user)
+}
+
+func (operatingSystemKeyring) Delete(service, user string) error {
+	return keyring.Delete(service, user)
+}
+
+const (
+	servicePrefix  = "coder-cli:"
+	keyringAccount = "session"
+)
+
+// Location represents where a session token is stored.
+type Location string
+
+const (
+	LocationNone    Location = "none"
+	LocationFile    Location = "file"
+	LocationKeyring Location = "keyring"
+)
+
+func serviceName(u *url.URL) string {
+	if u == nil || u.Host == "" {
+		return servicePrefix + "default"
+	}
+	host := strings.TrimSpace(strings.ToLower(u.Host))
+	return servicePrefix + host
+}
+
+// KeyringWithFallback is a Backend that prefers keyring storage and falls back to file
+// storage if the operating system keyring is unavailable. Happy path usage of this
+// type should start with NewKeyringWithFileFallback.
+type KeyringWithFallback struct {
+	keyringProvider keyringProvider
+}
+
+func NewKeyringWithFileFallback() KeyringWithFallback {
+	return NewKeyringProviderWithFileFallback(operatingSystemKeyring{})
+}
+
+func NewKeyringProviderWithFileFallback(provider keyringProvider) KeyringWithFallback {
+	return KeyringWithFallback{keyringProvider: provider}
+}
+
+// Read prefers reading the token from the operating system keyring and falls back
+// to file storage if the operating system keyring is unavailable.
+func (o KeyringWithFallback) Read(conf config.Root, serverURL *url.URL) (string, Location, error) {
+	svc := serviceName(serverURL)
+	tok, err := o.keyringProvider.Get(svc, keyringAccount)
+	if err == nil && tok != "" {
+		return tok, LocationKeyring, nil
+	}
+	// Fallback to file storage.
+	return File{}.Read(conf, serverURL)
+}
+
+// Write prefers storing the token in the operating system keyring and falls back
+// to file storage if the keyring operation fails.
+func (o KeyringWithFallback) Write(conf config.Root, serverURL *url.URL, token string) (Location, error) {
+	svc := serviceName(serverURL)
+	err := o.keyringProvider.Set(svc, keyringAccount, token)
+	if err == nil {
+		// Best effort: remove plaintext file if it exists.
+		_ = conf.Session().Delete()
+		return LocationKeyring, nil
+	}
+	// Fallback to file storage.
+	return File{}.Write(conf, serverURL, token)
+}
+
+// Delete removes any stored session token from both the keyring and file.
+func (o KeyringWithFallback) Delete(conf config.Root, serverURL *url.URL) error {
+	svc := serviceName(serverURL)
+
+	keyringErr := o.keyringProvider.Delete(svc, keyringAccount)
+	if keyringErr != nil {
+		if errors.Is(keyringErr, keyring.ErrNotFound) {
+			// Make the error handling for keyring/file backends uniform for the caller.
+			keyringErr = os.ErrNotExist
+		}
+	}
+
+	fileErr := File{}.Delete(conf, serverURL)
+	switch {
+	case fileErr != nil && keyringErr == nil:
+		// Happy path when using the keyring. We could drill down into fileErr, but for
+		// simplicity we will assume the error is because use of the keyring means the
+		// file didn't exist.
+		return nil
+	case fileErr == nil && keyringErr != nil:
+		// Deleted the file because of a problem with the OS keyring. The file may have
+		// been created as a result of falling back to disk, or it may have already
+		// existed.
+		return nil
+	default:
+		return errors.Join(keyringErr, fileErr)
+	}
+}
+
+func (KeyringWithFallback) PreferredLocation() Location { return LocationKeyring }
+
+// File is a Backend that exclusively stores the session token in a file on disk.
+type File struct{}
+
+func (File) Read(conf config.Root, _ *url.URL) (string, Location, error) {
+	tok, err := conf.Session().Read()
+	if err != nil {
+		return "", LocationNone, err
+	}
+	return tok, LocationFile, nil
+}
+
+func (File) Write(conf config.Root, _ *url.URL, token string) (Location, error) {
+	if err := conf.Session().Write(token); err != nil {
+		return LocationNone, err
+	}
+	return LocationFile, nil
+}
+
+func (File) Delete(conf config.Root, _ *url.URL) error {
+	return conf.Session().Delete()
+}
+
+func (File) PreferredLocation() Location { return LocationFile }
Original file line number	Diff line number	Diff line change
`@@ -46,11 +46,11 @@ func (r RootCmd) logout() serpent.Command {`
`46`	`46`	`errors = append(errors, xerrors.Errorf("remove URL file: %w", err))`
`47`	`47`	`}`
`48`	`48`
`49`		`- err = config.Session().Delete()`
	`49`	`+ err = r.tokenBackend.Delete(config, client.URL)`
`50`	`50`	`// Only throw error if the session configuration file is present,`
`51`	`51`	`// otherwise the user is already logged out, and we proceed`
`52`		`- if err != nil && !os.IsNotExist(err) {`
`53`		`- errors = append(errors, xerrors.Errorf("remove session file: %w", err))`
	`52`	`+ if err != nil && !xerrors.Is(err, os.ErrNotExist) {`
	`53`	`+ errors = append(errors, xerrors.Errorf("remove session token: %w", err))`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`err = config.Organization().Delete()`