From 7eed5ac558b247a4fc3349bf87d76946aa6d241b Mon Sep 17 00:00:00 2001
From: Johnny Fredheim Horvi
Date: Tue, 17 Feb 2026 10:25:01 +0100
Subject: [PATCH] fix: fall back to ~/.config/nais for credentials on macOS

On macOS, getCredentialsFilePath respects XDG_CONFIG_HOME, but processes without this env var (e.g. MCP servers) fail to find credentials written to ~/.config/nais/. Add a fallback in readCredentialsFile to check ~/.config/nais/ when the primary path does not exist.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 internal/naisapi/auth/oidcuser.go | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/internal/naisapi/auth/oidcuser.go b/internal/naisapi/auth/oidcuser.go
index ce6b778a..9e43a855 100644
--- a/internal/naisapi/auth/oidcuser.go
+++ b/internal/naisapi/auth/oidcuser.go
@@ -102,12 +102,12 @@ func storeOIDCUser(tok *oauth2.Token, consoleURL string) (*oidcUser, error) {
 return user, nil
 }
-func getCredentialsFilePath() (string, error) {
- const (
- naisConfigDir = "nais"
- credentialsFileName = "nais-credentials.json.enc"
- )
+const (
+ naisConfigDir = "nais"
+ credentialsFileName = "nais-credentials.json.enc"
+)
+func getCredentialsFilePath() (string, error) {
 userConfigDir, err := os.UserConfigDir()
 if err != nil {
 return "", fmt.Errorf("get user config dir: %w", err)
@@ -129,14 +129,15 @@ func readCredentialsFile(encryptionKey []byte) ([]byte, error) {
 return nil, err
 }
- _, err = os.Stat(credentialsPath)
- if err != nil {
- return nil, err
- }
-
 ciphertext, err := os.ReadFile(credentialsPath)
+ if errors.Is(err, os.ErrNotExist) && runtime.GOOS == "darwin" {
+ // Fallback for macOS: credentials may have been written by a process
+ // with a different XDG_CONFIG_HOME setting (e.g. shell vs MCP server).
+ home, _ := os.UserHomeDir()
+ ciphertext, err = os.ReadFile(filepath.Join(home, ".config", naisConfigDir, credentialsFileName))
+ }
 if err != nil {
- return nil, fmt.Errorf("read credentials file: %w", err)
+ return nil, err
 }
 plaintext, err := decryptCredentials(ciphertext, encryptionKey)
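Review bot: The fallback branch discards the error from `os.UserHomeDir()` (`home, _ := os.UserHomeDir()`), so when the home directory cannot be resolved `home` is empty and `filepath.Join` yields the relative path `.config/nais/nais-credentials.json.enc`, which is then read from the process's current working directory instead of the user's profile. A credentials lookup should fail closed here: wrap the read in `if home, homeErr := os.UserHomeDir(); homeErr == nil { ... }` and otherwise keep the original not-exist error. The final `return nil, err` also drops the earlier `read credentials file: %w` context, and after a failed fallback the returned error names the fallback path rather than the primary one. Because credentials can now be loaded from a second location, whatever removes them on logout (not visible in this hunk) presumably has to clear `~/.config/nais/` as well, or a stale token there would be picked up once the primary file is gone. readCredentialsFile starts and ends outside the hunk.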