fix: correct URL formatting in login --no-wait output

[JackZhao10086]

Summary

Fixed an issue where special characters in URLs were incorrectly HTML-escaped in JSON outputs. This ensures that the generated URLs from the login --no-wait command and other JSON responses are correctly formatted and directly usable.

Changes

• Updated cmd/auth/login.go to disable HTML escaping in JSON outputs for authentication commands.
• Updated cmd/root.go to disable HTML escaping for security policy error JSON responses.

Test Plan

• Unit tests passed
• Manually verified lark-cli auth login --no-wait returns the correct unescaped URL
• Manually verified lark-cli auth login --json returns the correct unescaped URL
• Triggered a Security Policy Error and verified the JSON output format is correct

Related Issues

Summary by CodeRabbit

• Refactor
  • JSON responses now stream directly to standard output rather than being fully buffered first.
  • HTML characters in JSON output are no longer escaped, preserving original characters.
  • JSON error envelopes are emitted with indentation for improved readability.
  • Failures to write JSON are reported to error output but do not alter existing command behavior (including no-wait flows).

[CLAassistant]

All committers have signed the CLA.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 970c6f5c-6e8e-47b0-b9ac-026a055f982d

📥 Commits

Reviewing files that changed from the base of the PR and between b2b0572 and 0ddf1a5.

📒 Files selected for processing (1)

• cmd/auth/login.go

✅ Files skipped from review due to trivial changes (1)

• cmd/auth/login.go

---

📝 Walkthrough

Walkthrough

Replaced direct json.Marshal/json.MarshalIndent usage with streaming json.NewEncoder output (SetEscapeHTML(false)). cmd/auth/login.go now encodes login JSON (both --no-wait and --json modes) via an encoder and logs encoder errors; cmd/root.go encodes the security policy error into a buffer with indentation before printing.

Changes

Cohort / File(s)	Summary
JSON output streaming cmd/auth/login.go, cmd/root.go	Replaced json.Marshal/json.MarshalIndent + printing with json.NewEncoder(...).SetEscapeHTML(false) usage. cmd/auth/login.go now streams --no-wait and --json payloads via Encode and writes encode errors to stderr; cmd/root.go writes indented JSON into a bytes.Buffer via an encoder before printing, preserving the fallback envelope on encode failure.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰
I nibble bytes where marshals grew,
Encoders hum and paint them true.
No HTML escapes to fray,
Neat indents line the rabbit way.
A tiny hop — the output's new.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: disabling HTML escaping in JSON outputs to ensure URLs are correctly formatted in login --no-wait and other JSON responses.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/login_no_wait

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR fixes HTML-escaping of special characters (e.g. &, <, >) in JSON outputs produced by login --no-wait, login --json, and security policy error responses, by switching from json.Marshal to json.NewEncoder with SetEscapeHTML(false). The fix is correct and well-targeted for the primary paths that contain URLs (where & is common in query strings).

Key changes:

• cmd/auth/login.go: --no-wait and --json device_authorization paths now use json.NewEncoder with HTML escaping disabled; encoder errors are surfaced to ErrOut rather than silently dropped.
• cmd/root.go: writeSecurityPolicyError uses a bytes.Buffer-backed encoder with SetEscapeHTML(false) and SetIndent; fmt.Fprintln → fmt.Fprint correctly avoids a double newline since Encode already appends one.

Outstanding gap: The authorization_failed and authorization_complete JSON payloads within the --json polling flow (lines 269–274 and 322–328 of login.go) were not updated and still use json.Marshal, meaning user_name or error messages with &/< characters would still be escaped in those outputs.

Confidence Score: 5/5

Safe to merge; the core fix is correct and the only remaining issue is a P2 consistency gap in two secondary JSON emit paths.

All P1+ concerns from the previous review thread have been addressed (error handling added for new encoder calls, root.go newline behavior preserved). The single remaining finding is P2: two JSON emit paths in the same function were not updated, which is a minor inconsistency rather than a blocking defect.

cmd/auth/login.go — lines 269–274 and 322–328 still use the old json.Marshal pattern without SetEscapeHTML(false).

Important Files Changed

Filename	Overview
cmd/auth/login.go	Switches --no-wait and --json device_authorization paths to json.NewEncoder with SetEscapeHTML(false); two remaining JSON emit sites (authorization_failed, authorization_complete) are not updated and still use json.Marshal with HTML escaping.
cmd/root.go	writeSecurityPolicyError migrated to buffered json.NewEncoder with SetEscapeHTML(false) and SetIndent; fmt.Fprintln → fmt.Fprint correctly compensates for the newline that Encode already appends.

_{Reviews (4): Last reviewed commit: "docs(cmd/auth): add comment for authLogi..." | Re-trigger Greptile}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

cmd/auth/login.go (1)

264-268: Consider aligning JSON output style for consistency.

This authorization_failed event (and authorization_complete at lines 317-323) still uses json.Marshal, while the other paths now use json.NewEncoder with SetEscapeHTML(false). While these payloads don't contain URLs, aligning the approach improves maintainability and ensures consistent output formatting (e.g., trailing newline behavior).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/auth/login.go` around lines 264 - 268, Replace the json.Marshal +
fmt.Fprintln pattern used for the "authorization_failed" payload (and the
similar "authorization_complete" payload at lines ~317-323) with a json.Encoder
that sets SetEscapeHTML(false) and calls Encode(...) to write the object
directly to f.IOStreams.Out; specifically, locate the map[string]interface{}
creation for the "event" and "error" fields and swap the Marshal+Fprintln
sequence for: enc := json.NewEncoder(f.IOStreams.Out); enc.SetEscapeHTML(false);
enc.Encode(<the map>), doing the same replacement for the authorization_complete
block to keep JSON output style and newline/escaping behavior consistent.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/auth/login.go`:
- Around line 249-251: The call to encoder.Encode(data) is currently ignoring
its returned error; update the code in the login flow to capture and handle that
error from json.NewEncoder(...).Encode(data) (the encoder variable and Encode
method) — e.g., check the error, return it or log/propagate an appropriate
wrapped error that includes context (writing JSON to f.IOStreams.Out failed) so
I/O failures are surfaced consistently with other handlers.
- Around line 234-236: The call to encoder.Encode(data) in cmd/auth/login.go
ignores its returned error; update the code to capture and handle that error
(e.g., err := encoder.Encode(data)); if non-nil, log or write a clear message to
the command's error stream (f.IOStreams.Err or process logger) and propagate the
error from the command (return fmt.Errorf(...) or appropriate error return) so
I/O failures like broken pipes are not silently ignored; locate the encoder
usage and the surrounding command handler (the login command Run/RunE function)
and add the check and return/log accordingly.

---

Nitpick comments:
In `@cmd/auth/login.go`:
- Around line 264-268: Replace the json.Marshal + fmt.Fprintln pattern used for
the "authorization_failed" payload (and the similar "authorization_complete"
payload at lines ~317-323) with a json.Encoder that sets SetEscapeHTML(false)
and calls Encode(...) to write the object directly to f.IOStreams.Out;
specifically, locate the map[string]interface{} creation for the "event" and
"error" fields and swap the Marshal+Fprintln sequence for: enc :=
json.NewEncoder(f.IOStreams.Out); enc.SetEscapeHTML(false); enc.Encode(<the
map>), doing the same replacement for the authorization_complete block to keep
JSON output style and newline/escaping behavior consistent.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8ef5d904-673d-41b3-bfdd-23e3e45dd46a

📥 Commits

Reviewing files that changed from the base of the PR and between c4851a5 and 4db7a72.

📒 Files selected for processing (2)

• cmd/auth/login.go
• cmd/root.go

[github-actions]

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@0ddf1a52dcc7cd91958ccaf934aec4c83ac455cf

🧩 Skill update

npx skills add larksuite/cli#fix/login_no_wait -y -g

[coderabbitai]

🧹 Nitpick comments (2)

cmd/auth/login.go (2)

320-327: Inconsistent: authorization_complete JSON also uses json.Marshal.

Same issue as above—this should use json.NewEncoder with SetEscapeHTML(false) for consistency.

Proposed fix

 	if opts.JSON {
-		b, _ := json.Marshal(map[string]interface{}{
+		encoder := json.NewEncoder(f.IOStreams.Out)
+		encoder.SetEscapeHTML(false)
+		data := map[string]interface{}{
 			"event":        "authorization_complete",
 			"user_open_id": openId,
 			"user_name":    userName,
 			"scope":        result.Token.Scope,
-		})
-		fmt.Fprintln(f.IOStreams.Out, string(b))
+		}
+		if err := encoder.Encode(data); err != nil {
+			fmt.Fprintf(f.IOStreams.ErrOut, "error: failed to write JSON output: %v\n", err)
+		}
 	} else {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/auth/login.go` around lines 320 - 327, The JSON branch in the
authorization completion path uses json.Marshal and fmt.Fprintln (checking
opts.JSON and building the map with keys
"event","user_open_id","user_name","scope"), which is inconsistent with other
places; replace the json.Marshal + fmt.Fprintln usage with a json.NewEncoder
targeted at f.IOStreams.Out, call SetEscapeHTML(false) on the encoder and then
Encode the same map (handle or return any encode error), removing the
fmt.Fprintln call so output is written via the encoder.

---

267-272: Inconsistent: still using json.Marshal with default HTML escaping.

This code path and the one at lines 320-327 still use json.Marshal, which HTML-escapes special characters. For consistency with the PR objective ("disable HTML escaping in JSON outputs for authentication commands"), consider using the same json.NewEncoder pattern here.

Proposed fix for consistency

 		if !result.OK {
 			if opts.JSON {
-				b, _ := json.Marshal(map[string]interface{}{
+				encoder := json.NewEncoder(f.IOStreams.Out)
+				encoder.SetEscapeHTML(false)
+				data := map[string]interface{}{
 					"event": "authorization_failed",
 					"error": result.Message,
-				})
-				fmt.Fprintln(f.IOStreams.Out, string(b))
+				}
+				if err := encoder.Encode(data); err != nil {
+					fmt.Fprintf(f.IOStreams.ErrOut, "error: failed to write JSON output: %v\n", err)
+				}
 				return output.ErrBare(output.ExitAuth)
 			}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/auth/login.go` around lines 267 - 272, Replace the json.Marshal usage in
the JSON error output branch (the block that checks opts.JSON and writes the
authorization_failed payload) with a json.NewEncoder writing to f.IOStreams.Out
and call SetEscapeHTML(false) on the encoder to disable HTML escaping; build the
same map or struct used now (event, error/result.Message) and encode it via
encoder.Encode(...) instead of fmt.Fprintln(...), keeping the same output stream
and handling any encode error via the existing logging/error flow.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@cmd/auth/login.go`:
- Around line 320-327: The JSON branch in the authorization completion path uses
json.Marshal and fmt.Fprintln (checking opts.JSON and building the map with keys
"event","user_open_id","user_name","scope"), which is inconsistent with other
places; replace the json.Marshal + fmt.Fprintln usage with a json.NewEncoder
targeted at f.IOStreams.Out, call SetEscapeHTML(false) on the encoder and then
Encode the same map (handle or return any encode error), removing the
fmt.Fprintln call so output is written via the encoder.
- Around line 267-272: Replace the json.Marshal usage in the JSON error output
branch (the block that checks opts.JSON and writes the authorization_failed
payload) with a json.NewEncoder writing to f.IOStreams.Out and call
SetEscapeHTML(false) on the encoder to disable HTML escaping; build the same map
or struct used now (event, error/result.Message) and encode it via
encoder.Encode(...) instead of fmt.Fprintln(...), keeping the same output stream
and handling any encode error via the existing logging/error flow.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 52165158-55ca-4a58-9ac0-f20d7376ed22

📥 Commits

Reviewing files that changed from the base of the PR and between b7aa40b and b2b0572.

📒 Files selected for processing (1)

• cmd/auth/login.go