getsentry
diff --git a/‎src/commands/auth/login.ts‎
Lines changed: 9 additions & 4 deletions b/‎src/commands/auth/login.ts‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎src/lib/api/infrastructure.ts‎
Lines changed: 24 additions & 0 deletions b/‎src/lib/api/infrastructure.ts‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎src/lib/db/auth.ts‎
Lines changed: 117 additions & 20 deletions b/‎src/lib/db/auth.ts‎
Lines changed: 117 additions & 20 deletions
diff --git a/‎test/commands/auth/login.test.ts‎
Lines changed: 18 additions & 14 deletions b/‎test/commands/auth/login.test.ts‎
Lines changed: 18 additions & 14 deletions
@@ -9,6 +9,7 @@ import { buildCommand, numberParser } from "../../lib/command.js";
 import {
   clearAuth,
   getActiveEnvVarName,
+  hasStoredAuthCredentials,
   isAuthenticated,
   isEnvTokenActive,
   setAuthToken,
@@ -71,11 +72,15 @@ type LoginFlags = {
 async function handleExistingAuth(force: boolean): Promise<boolean> {
   if (isEnvTokenActive()) {
     const envVar = getActiveEnvVarName();
-    log.info(
-      `Authentication is provided via ${envVar} environment variable. ` +
-        `Unset ${envVar} to use OAuth-based login instead.`
+    log.warn(
+      `${envVar} is set in your environment (likely from build tooling).\n` +
+        "  OAuth credentials will be stored separately and used for CLI commands."
     );
-    return false;
+    // If no stored OAuth token exists, proceed directly to login
+    if (!hasStoredAuthCredentials()) {
+      return true;
+    }
+    // Fall through to the re-auth confirmation logic below
   }
 
   if (!force) {
 
@@ -10,6 +10,7 @@
 import * as Sentry from "@sentry/node-core/light";
 import type { z } from "zod";
 
+import { getRawEnvToken } from "../db/auth.js";
 import { getEnv } from "../env.js";
 import { ApiError, AuthError, stringifyUnknown } from "../errors.js";
 import { resolveOrgRegion } from "../region.js";
@@ -57,6 +58,29 @@ export function throwApiError(
     error && typeof error === "object" && "detail" in error
       ? stringifyUnknown((error as { detail: unknown }).detail)
       : stringifyUnknown(error);
+
+  // When an env token is set and we get 401, the HTTP-layer fallback to
+  // stored OAuth already failed (no stored credentials). Convert to AuthError
+  // so the auto-login middleware in cli.ts can trigger interactive login.
+  if (status === 401 && getRawEnvToken()) {
+    throw new AuthError(
+      "not_authenticated",
+      `${context}: ${status} ${response.statusText ?? "Unknown"}.\n` +
+        "  SENTRY_AUTH_TOKEN is set but lacks permissions for this endpoint.\n" +
+        "  Run 'sentry auth login' to authenticate with OAuth."
+    );
+  }
+
+  // For 403 with env token, keep as ApiError but add guidance
+  if (status === 403 && getRawEnvToken()) {
+    throw new ApiError(
+      `${context}: ${status} ${response.statusText ?? "Unknown"}`,
+      status,
+      `${detail}\n\n  SENTRY_AUTH_TOKEN may lack permissions for this endpoint.\n` +
+        "  Run 'sentry auth login' to authenticate with OAuth."
+    );
+  }
+
   throw new ApiError(
     `${context}: ${status} ${response.statusText ?? "Unknown"}`,
     status,
 
@@ -36,10 +36,34 @@ export type AuthConfig = {
   source: AuthSource;
 };
 
+/**
+ * Read the raw token string from environment variables, ignoring all filters.
+ *
+ * Unlike {@link getEnvToken}, this always returns the env token if set, even
+ * when stored OAuth credentials would normally take priority. Used by the HTTP
+ * layer to check "was an env token provided?" independent of whether it's being
+ * used, and by the per-endpoint permission cache.
+ */
+export function getRawEnvToken(): string | undefined {
+  const authToken = getEnv().SENTRY_AUTH_TOKEN?.trim();
+  if (authToken) {
+    return authToken;
+  }
+  const sentryToken = getEnv().SENTRY_TOKEN?.trim();
+  if (sentryToken) {
+    return sentryToken;
+  }
+  return;
+}
+
 /**
  * Read token from environment variables.
  * `SENTRY_AUTH_TOKEN` takes priority over `SENTRY_TOKEN` (matches legacy sentry-cli).
  * Empty or whitespace-only values are treated as unset.
+ *
+ * This function is intentionally pure (no DB access). The "prefer stored OAuth
+ * over env token" logic lives in {@link getAuthToken} and {@link getAuthConfig}
+ * which check the DB first when `SENTRY_FORCE_ENV_TOKEN` is not set.
  */
 function getEnvToken(): { token: string; source: AuthSource } | undefined {
   const authToken = getEnv().SENTRY_AUTH_TOKEN?.trim();
@@ -62,28 +86,39 @@ export function isEnvTokenActive(): boolean {
 }
 
 /**
- * Get the name of the active env var providing authentication.
+ * Get the name of the env var providing a token, for error messages.
  * Returns the specific variable name (e.g. "SENTRY_AUTH_TOKEN" or "SENTRY_TOKEN").
  *
- * **Important**: Call only after checking {@link isEnvTokenActive} returns true.
- * Falls back to "SENTRY_AUTH_TOKEN" if no env source is active, which is a safe
- * default for error messages but may be misleading if used unconditionally.
+ * Uses {@link getRawEnvToken} (not {@link getEnvToken}) so the result is
+ * independent of whether stored OAuth takes priority.
+ * Falls back to "SENTRY_AUTH_TOKEN" if no env var is set.
  */
 export function getActiveEnvVarName(): string {
-  const env = getEnvToken();
-  if (env) {
-    return env.source.slice(ENV_SOURCE_PREFIX.length);
+  const authToken = getEnv().SENTRY_AUTH_TOKEN?.trim();
+  if (authToken) {
+    return "SENTRY_AUTH_TOKEN";
+  }
+  const sentryToken = getEnv().SENTRY_TOKEN?.trim();
+  if (sentryToken) {
+    return "SENTRY_TOKEN";
   }
   return "SENTRY_AUTH_TOKEN";
 }
 
 export function getAuthConfig(): AuthConfig | undefined {
-  const envToken = getEnvToken();
-  if (envToken) {
-    return { token: envToken.token, source: envToken.source };
+  // When SENTRY_FORCE_ENV_TOKEN is set, check env first (old behavior).
+  // Otherwise, check the DB first — stored OAuth takes priority over env tokens.
+  // This is the core fix for #646: wizard-generated build tokens no longer
+  // silently override the user's interactive login.
+  const forceEnv = getEnv().SENTRY_FORCE_ENV_TOKEN?.trim();
+  if (forceEnv) {
+    const envToken = getEnvToken();
+    if (envToken) {
+      return { token: envToken.token, source: envToken.source };
+    }
   }
 
-  return withDbSpan("getAuthConfig", () => {
+  const dbConfig = withDbSpan("getAuthConfig", () => {
     const db = getDatabase();
     const row = db.query("SELECT * FROM auth WHERE id = 1").get() as
       | AuthRow
@@ -101,16 +136,34 @@ export function getAuthConfig(): AuthConfig | undefined {
       source: "oauth" as const,
     };
   });
-}
+  if (dbConfig) {
+    return dbConfig;
+  }
 
-/** Get the active auth token. Checks env vars first, then falls back to SQLite. */
-export function getAuthToken(): string | undefined {
+  // No stored OAuth — fall back to env token
   const envToken = getEnvToken();
   if (envToken) {
-    return envToken.token;
+    return { token: envToken.token, source: envToken.source };
+  }
+  return;
+}
+
+/**
+ * Get the active auth token.
+ *
+ * Default: checks the DB first (stored OAuth wins), then falls back to env vars.
+ * With `SENTRY_FORCE_ENV_TOKEN=1`: checks env vars first (old behavior).
+ */
+export function getAuthToken(): string | undefined {
+  const forceEnv = getEnv().SENTRY_FORCE_ENV_TOKEN?.trim();
+  if (forceEnv) {
+    const envToken = getEnvToken();
+    if (envToken) {
+      return envToken.token;
+    }
   }
 
-  return withDbSpan("getAuthToken", () => {
+  const dbToken = withDbSpan("getAuthToken", () => {
     const db = getDatabase();
     const row = db.query("SELECT * FROM auth WHERE id = 1").get() as
       | AuthRow
@@ -126,6 +179,16 @@ export function getAuthToken(): string | undefined {
 
     return row.token;
   });
+  if (dbToken) {
+    return dbToken;
+  }
+
+  // No stored OAuth — fall back to env token
+  const envToken = getEnvToken();
+  if (envToken) {
+    return envToken.token;
+  }
+  return;
 }
 
 export function setAuthToken(
@@ -179,6 +242,32 @@ export function isAuthenticated(): boolean {
   return !!token;
 }
 
+/**
+ * Check if usable OAuth credentials are stored in the database.
+ *
+ * Returns true when the `auth` table has either:
+ * - A non-expired token, or
+ * - An expired token with a refresh token (will be refreshed on next use)
+ *
+ * Used by the login command to decide whether to prompt for re-authentication
+ * when an env token is present.
+ */
+export function hasStoredAuthCredentials(): boolean {
+  const db = getDatabase();
+  const row = db.query("SELECT * FROM auth WHERE id = 1").get() as
+    | AuthRow
+    | undefined;
+  if (!row?.token) {
+    return false;
+  }
+  // Non-expired token
+  if (!row.expires_at || Date.now() <= row.expires_at) {
+    return true;
+  }
+  // Expired but has refresh token — will be refreshed on next use
+  return !!row.refresh_token;
+}
+
 export type RefreshTokenOptions = {
   /** Bypass threshold check and always refresh */
   force?: boolean;
@@ -229,10 +318,13 @@ async function performTokenRefresh(
 export async function refreshToken(
   options: RefreshTokenOptions = {}
 ): Promise<RefreshTokenResult> {
-  // Env var tokens are assumed valid — no refresh, no expiry check
-  const envToken = getEnvToken();
-  if (envToken) {
-    return { token: envToken.token, refreshed: false };
+  // With SENTRY_FORCE_ENV_TOKEN, env token takes priority (no refresh needed).
+  const forceEnv = getEnv().SENTRY_FORCE_ENV_TOKEN?.trim();
+  if (forceEnv) {
+    const envToken = getEnvToken();
+    if (envToken) {
+      return { token: envToken.token, refreshed: false };
+    }
   }
 
   const { force = false } = options;
@@ -244,6 +336,11 @@ export async function refreshToken(
     | undefined;
 
   if (!row?.token) {
+    // No stored token — try env token as fallback
+    const envToken = getEnvToken();
+    if (envToken) {
+      return { token: envToken.token, refreshed: false };
+    }
     throw new AuthError("not_authenticated");
   }
 
 
@@ -86,6 +86,7 @@ describe("loginCommand.func --token path", () => {
   let getCurrentUserSpy: ReturnType<typeof spyOn>;
   let setUserInfoSpy: ReturnType<typeof spyOn>;
   let runInteractiveLoginSpy: ReturnType<typeof spyOn>;
+  let hasStoredAuthCredentialsSpy: ReturnType<typeof spyOn>;
   let func: LoginFunc;
 
   beforeEach(async () => {
@@ -97,7 +98,9 @@ describe("loginCommand.func --token path", () => {
     getCurrentUserSpy = spyOn(apiClient, "getCurrentUser");
     setUserInfoSpy = spyOn(dbUser, "setUserInfo");
     runInteractiveLoginSpy = spyOn(interactiveLogin, "runInteractiveLogin");
+    hasStoredAuthCredentialsSpy = spyOn(dbAuth, "hasStoredAuthCredentials");
     isEnvTokenActiveSpy.mockReturnValue(false);
+    hasStoredAuthCredentialsSpy.mockReturnValue(false);
     func = (await loginCommand.loader()) as unknown as LoginFunc;
   });
 
@@ -110,6 +113,7 @@ describe("loginCommand.func --token path", () => {
     getCurrentUserSpy.mockRestore();
     setUserInfoSpy.mockRestore();
     runInteractiveLoginSpy.mockRestore();
+    hasStoredAuthCredentialsSpy.mockRestore();
   });
 
   test("already authenticated (non-TTY, no --force): prints re-auth message with --force hint", async () => {
@@ -122,33 +126,31 @@ describe("loginCommand.func --token path", () => {
     expect(getCurrentUserSpy).not.toHaveBeenCalled();
   });
 
-  test("already authenticated (env token SENTRY_AUTH_TOKEN): tells user to unset specific var", async () => {
+  test("already authenticated (env token SENTRY_AUTH_TOKEN): warns and proceeds to OAuth login", async () => {
     isAuthenticatedSpy.mockReturnValue(true);
     isEnvTokenActiveSpy.mockReturnValue(true);
-    // Need to also spy on getAuthConfig for the specific env var name
-    const getAuthConfigSpy = spyOn(dbAuth, "getAuthConfig");
-    getAuthConfigSpy.mockReturnValue({
-      token: "sntrys_env_123",
-      source: "env:SENTRY_AUTH_TOKEN",
-    });
+    hasStoredAuthCredentialsSpy.mockReturnValue(false);
+    runInteractiveLoginSpy.mockResolvedValue(null);
 
     const { context } = createContext();
     await func.call(context, { force: false, timeout: 900 });
 
-    expect(setAuthTokenSpy).not.toHaveBeenCalled();
-    getAuthConfigSpy.mockRestore();
+    // With no stored OAuth, login proceeds directly (no clearAuth needed)
+    expect(runInteractiveLoginSpy).toHaveBeenCalled();
   });
 
-  test("already authenticated (env token SENTRY_TOKEN): shows specific var name", async () => {
+  test("already authenticated (env token SENTRY_TOKEN): warns and proceeds to OAuth login", async () => {
     isAuthenticatedSpy.mockReturnValue(true);
     isEnvTokenActiveSpy.mockReturnValue(true);
+    hasStoredAuthCredentialsSpy.mockReturnValue(false);
     // Set env var directly — getActiveEnvVarName() reads env vars via getEnvToken()
     process.env.SENTRY_TOKEN = "sntrys_token_456";
+    runInteractiveLoginSpy.mockResolvedValue(null);
 
     const { context } = createContext();
     await func.call(context, { force: false, timeout: 900 });
 
-    expect(setAuthTokenSpy).not.toHaveBeenCalled();
+    expect(runInteractiveLoginSpy).toHaveBeenCalled();
     delete process.env.SENTRY_TOKEN;
   });
 
@@ -315,14 +317,16 @@ describe("loginCommand.func --token path", () => {
     expect(getStdout()).toContain("Authenticated");
   });
 
-  test("--force with env token: still blocks (env var case unchanged)", async () => {
+  test("--force with env token: proceeds to OAuth login (no longer blocks)", async () => {
     isAuthenticatedSpy.mockReturnValue(true);
     isEnvTokenActiveSpy.mockReturnValue(true);
+    hasStoredAuthCredentialsSpy.mockReturnValue(false);
+    runInteractiveLoginSpy.mockResolvedValue(null);
 
     const { context } = createContext();
     await func.call(context, { force: true, timeout: 900 });
 
-    expect(clearAuthSpy).not.toHaveBeenCalled();
-    expect(runInteractiveLoginSpy).not.toHaveBeenCalled();
+    // Env token no longer blocks — login proceeds
+    expect(runInteractiveLoginSpy).toHaveBeenCalled();
   });
 });