fix(cli): read Go Windows credentials via findCredentials (#5423)

Fixes #5415.

The Windows fallback added for Go-written credentials used
`Entry.withTarget(...).getPassword()`.

On Windows, that does not read the Go-shaped target credential
correctly. `findCredentials(service, target)` can read it, so this uses
that path for the Go Windows target while preserving the existing
default keyring and file fallback behavior.

The legacy credentials unit test now covers the target lookup path.

Tested with:

```bash
npx bun run .\node_modules\vitest\vitest.mjs run src/legacy/auth/legacy-credentials.layer.unit.test.ts --config vitest.config.ts
```

---------

Co-authored-by: Julien Goux <hi@jgoux.dev>

Author: Versa-Sync-Studios

apps/cli/src/legacy/auth/legacy-credentials.layer.ts

@@ -16,6 +16,7 @@ const INVALID_TOKEN_MESSAGE = "Invalid access token format. Must be like `sbp_01
 
 type KeyringModule = typeof import("@napi-rs/keyring");
 type KeyringEntry = InstanceType<KeyringModule["Entry"]>;
+type RuntimePlatform = NodeJS.Platform;
 
 const detectWsl = (fs: FileSystem.FileSystem): Effect.Effect<boolean> =>
   Effect.gen(function* () {
@@ -30,16 +31,21 @@ const detectWsl = (fs: FileSystem.FileSystem): Effect.Effect<boolean> =>
 const tryKeyringRead = (
   module: KeyringModule,
   account: string,
+  platform: RuntimePlatform,
 ): Effect.Effect<Option.Option<string>> =>
   Effect.try({
     try: () => {
-      for (const entry of [
-        new module.Entry(KEYRING_SERVICE, account),
-        module.Entry.withTarget(`${KEYRING_SERVICE}:${account}`, KEYRING_SERVICE, account),
-      ]) {
-        const value = readEntryPassword(entry);
-        if (value && value.length > 0) return Option.some(normalizeKeyringToken(value));
+      const entry = new module.Entry(KEYRING_SERVICE, account);
+      const value = readEntryPassword(entry);
+      if (value && value.length > 0) return Option.some(normalizeKeyringToken(value));
+
+      if (platform === "win32") {
+        const goWindowsValue = readGoWindowsTarget(module, account);
+        if (goWindowsValue && goWindowsValue.length > 0) {
+          return Option.some(normalizeKeyringToken(goWindowsValue));
+        }
       }
+
       return Option.none<string>();
     },
     catch: () => Option.none<string>(),
@@ -49,29 +55,41 @@ const tryKeyringWrite = (
   module: KeyringModule,
   account: string,
   token: string,
+  platform: RuntimePlatform,
 ): Effect.Effect<boolean> =>
   Effect.try({
     try: () => {
+      if (platform === "win32") {
+        return writeGoWindowsTarget(module, account, token);
+      }
+
       const entry = new module.Entry(KEYRING_SERVICE, account);
       entry.setPassword(token);
       return true;
     },
     catch: () => false,
   }).pipe(Effect.orElseSucceed(() => false));
 
-const tryKeyringDelete = (module: KeyringModule, account: string): Effect.Effect<boolean> =>
+const tryKeyringDelete = (
+  module: KeyringModule,
+  account: string,
+  platform: RuntimePlatform,
+): Effect.Effect<boolean> =>
   Effect.try({
     try: () => {
       let deleted = false;
-      for (const entry of [
-        new module.Entry(KEYRING_SERVICE, account),
-        module.Entry.withTarget(`${KEYRING_SERVICE}:${account}`, KEYRING_SERVICE, account),
-      ]) {
-        const value = readEntryPassword(entry);
-        if (!value) continue;
+
+      const entry = new module.Entry(KEYRING_SERVICE, account);
+      const value = readEntryPassword(entry);
+      if (value) {
         entry.deleteCredential();
         deleted = true;
       }
+
+      if (platform === "win32" && readGoWindowsTarget(module, account)) {
+        deleted = deleteGoWindowsTarget(module, account) || deleted;
+      }
+
       return deleted;
     },
     catch: () => false,
@@ -85,6 +103,64 @@ function readEntryPassword(entry: KeyringEntry): string | null {
   }
 }
 
+function goWindowsCredentialTarget(account: string): string {
+  return `${KEYRING_SERVICE}:${account}`;
+}
+
+function readGoWindowsTarget(module: KeyringModule, account: string): string | null {
+  try {
+    const credentials = module.findCredentials(KEYRING_SERVICE, goWindowsCredentialTarget(account));
+    const credential = credentials.find((item) => item.account === account);
+    return credential ? normalizeGoWindowsPassword(credential.password) : null;
+  } catch {
+    return null;
+  }
+}
+
+function normalizeGoWindowsPassword(value: string): string {
+  const direct = normalizeKeyringToken(value);
+  if (ACCESS_TOKEN_PATTERN.test(direct)) return direct;
+
+  // Go writes Windows CredentialBlob values as raw UTF-8 bytes. The TS keyring
+  // search API can surface those bytes packed into UTF-16 code units, so unpack
+  // each code unit back into the original byte sequence before validation.
+  const bytes: number[] = [];
+  for (let index = 0; index < value.length; index += 1) {
+    const code = value.charCodeAt(index);
+    bytes.push(code & 0xff);
+    const high = (code >> 8) & 0xff;
+    if (high !== 0) bytes.push(high);
+  }
+  return Buffer.from(bytes).toString("utf8");
+}
+
+function writeGoWindowsTarget(module: KeyringModule, account: string, token: string): boolean {
+  try {
+    const entry = module.Entry.withTarget(
+      goWindowsCredentialTarget(account),
+      KEYRING_SERVICE,
+      account,
+    );
+    entry.setSecret(Buffer.from(token, "utf8"));
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function deleteGoWindowsTarget(module: KeyringModule, account: string): boolean {
+  try {
+    const entry = module.Entry.withTarget(
+      goWindowsCredentialTarget(account),
+      KEYRING_SERVICE,
+      account,
+    );
+    return entry.deleteCredential();
+  } catch {
+    return false;
+  }
+}
+
 const makeLegacyCredentials = Effect.gen(function* () {
   const fs = yield* FileSystem.FileSystem;
   const path = yield* Path.Path;
@@ -108,9 +184,13 @@ const makeLegacyCredentials = Effect.gen(function* () {
 
   const readKeyring = Effect.gen(function* () {
     if (Option.isNone(keyringModule)) return Option.none<string>();
-    const profileResult = yield* tryKeyringRead(keyringModule.value, profileAccount);
+    const profileResult = yield* tryKeyringRead(
+      keyringModule.value,
+      profileAccount,
+      runtimeInfo.platform,
+    );
     if (Option.isSome(profileResult)) return profileResult;
-    return yield* tryKeyringRead(keyringModule.value, LEGACY_KEYRING_ACCOUNT);
+    return yield* tryKeyringRead(keyringModule.value, LEGACY_KEYRING_ACCOUNT, runtimeInfo.platform);
   });
 
   const readFile = Effect.gen(function* () {
@@ -150,7 +230,12 @@ const makeLegacyCredentials = Effect.gen(function* () {
       Effect.gen(function* () {
         yield* validate(token);
         if (Option.isSome(keyringModule)) {
-          const ok = yield* tryKeyringWrite(keyringModule.value, profileAccount, token);
+          const ok = yield* tryKeyringWrite(
+            keyringModule.value,
+            profileAccount,
+            token,
+            runtimeInfo.platform,
+          );
           if (ok) return;
         }
         yield* fs.makeDirectory(fallbackDir, { recursive: true, mode: 0o700 }).pipe(Effect.orDie);
@@ -160,8 +245,14 @@ const makeLegacyCredentials = Effect.gen(function* () {
     deleteAccessToken: Effect.gen(function* () {
       let anyDeleted = false;
       if (Option.isSome(keyringModule)) {
-        if (yield* tryKeyringDelete(keyringModule.value, profileAccount)) anyDeleted = true;
-        if (yield* tryKeyringDelete(keyringModule.value, LEGACY_KEYRING_ACCOUNT)) anyDeleted = true;
+        if (yield* tryKeyringDelete(keyringModule.value, profileAccount, runtimeInfo.platform)) {
+          anyDeleted = true;
+        }
+        if (
+          yield* tryKeyringDelete(keyringModule.value, LEGACY_KEYRING_ACCOUNT, runtimeInfo.platform)
+        ) {
+          anyDeleted = true;
+        }
       }
       const exists = yield* fs.exists(fallbackPath).pipe(Effect.orElseSucceed(() => false));
       if (exists) {

apps/cli/src/legacy/auth/legacy-credentials.layer.unit.test.ts

@@ -20,9 +20,20 @@ import { LegacyInvalidAccessTokenError } from "./legacy-errors.ts";
 
 const passwords = new Map<string, string>();
 let throwOnSetPassword = false;
+let throwOnSetSecret = false;
 const throwOnGetPasswordAccounts = new Set<string>();
+const withTargetCalls: string[] = [];
 
 vi.mock("@napi-rs/keyring", () => ({
+  findCredentials: (service: string, target?: string) =>
+    Array.from(passwords.entries())
+      .filter(([key]) =>
+        target === undefined ? key.startsWith(`${service}/`) : key.startsWith(`${target}/`),
+      )
+      .map(([key, password]) => ({
+        account: key.split("/").at(-1)!,
+        password,
+      })),
   Entry: class Entry {
     service: string;
     account: string;
@@ -33,6 +44,7 @@ vi.mock("@napi-rs/keyring", () => ({
       this.target = target;
     }
     static withTarget(target: string, service: string, account: string) {
+      withTargetCalls.push(`${target}/${service}/${account}`);
       return new this(service, account, target);
     }
     key(): string {
@@ -51,6 +63,10 @@ vi.mock("@napi-rs/keyring", () => ({
       if (throwOnSetPassword) throw new Error("Keyring unavailable");
       passwords.set(this.key(), value);
     }
+    setSecret(value: Uint8Array): void {
+      if (throwOnSetSecret) throw new Error("Keyring unavailable");
+      passwords.set(this.key(), Buffer.from(value).toString("utf8"));
+    }
     deleteCredential(): boolean {
       const key = this.key();
       if (!passwords.has(key)) throw new Error("not found");
@@ -66,10 +82,20 @@ vi.mock("@napi-rs/keyring", () => ({
 
 let tempHome: string;
 
-function makeLayer(opts: { env?: Record<string, string | undefined>; home?: string } = {}) {
+function makeLayer(
+  opts: {
+    env?: Record<string, string | undefined>;
+    home?: string;
+    platform?: NodeJS.Platform;
+  } = {},
+) {
   const home = opts.home ?? tempHome;
   const env = { HOME: home, ...opts.env };
-  const runtimeInfoLayer = mockRuntimeInfo({ homeDir: home, cwd: home });
+  const runtimeInfoLayer = mockRuntimeInfo({
+    homeDir: home,
+    cwd: home,
+    platform: opts.platform,
+  });
   const cliConfigLayer = legacyCliConfigLayer.pipe(
     Layer.provide(Layer.succeed(LegacyProfileFlag, "supabase")),
     Layer.provide(Layer.succeed(LegacyWorkdirFlag, Option.none<string>())),
@@ -88,7 +114,9 @@ function makeLayer(opts: { env?: Record<string, string | undefined>; home?: stri
 beforeEach(() => {
   passwords.clear();
   throwOnSetPassword = false;
+  throwOnSetSecret = false;
   throwOnGetPasswordAccounts.clear();
+  withTargetCalls.length = 0;
   tempHome = mkdtempSync(join(tmpdir(), "supabase-legacy-creds-"));
 });
 
@@ -101,6 +129,14 @@ const VALID_OAUTH_TOKEN = "sbp_oauth_" + "b".repeat(40);
 const encodeGoKeyringBase64 = (token: string) =>
   `go-keyring-base64:${Buffer.from(token).toString("base64")}`;
 const goWindowsKey = (account: string) => `Supabase CLI:${account}/Supabase CLI/${account}`;
+const encodeGoWindowsPassword = (token: string) => {
+  const bytes = Buffer.from(token, "utf8");
+  let encoded = "";
+  for (let index = 0; index < bytes.length; index += 2) {
+    encoded += String.fromCharCode(bytes[index]! | ((bytes[index + 1] ?? 0) << 8));
+  }
+  return encoded;
+};
 
 const expectSomeToken = (token: Option.Option<Redacted.Redacted<string>>, expected: string) => {
   expect(Option.isSome(token)).toBe(true);
@@ -138,12 +174,23 @@ describe("legacyCredentialsLayer.getAccessToken", () => {
   });
 
   it.effect("reads Windows credentials created by Go keyring", () => {
-    passwords.set(goWindowsKey("supabase"), VALID_TOKEN);
+    passwords.set(goWindowsKey("supabase"), encodeGoWindowsPassword(VALID_TOKEN));
     return Effect.gen(function* () {
       const { getAccessToken } = yield* LegacyCredentials;
       const token = yield* getAccessToken;
       expectSomeToken(token, VALID_TOKEN);
-    }).pipe(Effect.provide(makeLayer()));
+      expect(withTargetCalls).toEqual([]);
+    }).pipe(Effect.provide(makeLayer({ platform: "win32" })));
+  });
+
+  it.effect("does not search Go Windows targets on other platforms", () => {
+    passwords.set(goWindowsKey("supabase"), VALID_TOKEN);
+    return Effect.gen(function* () {
+      const { getAccessToken } = yield* LegacyCredentials;
+      const token = yield* getAccessToken;
+      expect(token).toEqual(Option.none());
+      expect(withTargetCalls).toEqual([]);
+    }).pipe(Effect.provide(makeLayer({ platform: "linux" })));
   });
 
   it.effect("falls through to the legacy access-token keyring entry", () => {
@@ -222,6 +269,27 @@ describe("legacyCredentialsLayer.saveAccessToken", () => {
     }).pipe(Effect.provide(makeLayer())),
   );
 
+  it.effect("writes Windows credentials where Go keyring reads them", () =>
+    Effect.gen(function* () {
+      const { saveAccessToken } = yield* LegacyCredentials;
+      yield* saveAccessToken(VALID_TOKEN);
+      expect(passwords.get(goWindowsKey("supabase"))).toBe(VALID_TOKEN);
+      expect(passwords.has("Supabase CLI/supabase")).toBe(false);
+    }).pipe(Effect.provide(makeLayer({ platform: "win32" }))),
+  );
+
+  it.effect("falls back to the shared token file when Windows target writes fail", () => {
+    throwOnSetSecret = true;
+    return Effect.gen(function* () {
+      const { saveAccessToken } = yield* LegacyCredentials;
+      yield* saveAccessToken(VALID_TOKEN);
+      expect(passwords.has(goWindowsKey("supabase"))).toBe(false);
+      expect(passwords.has("Supabase CLI/supabase")).toBe(false);
+      const content = readFileSync(join(tempHome, ".supabase", "access-token"), "utf-8");
+      expect(content).toBe(VALID_TOKEN);
+    }).pipe(Effect.provide(makeLayer({ platform: "win32" })));
+  });
+
   it.effect("falls back to the filesystem when the keyring write throws", () => {
     throwOnSetPassword = true;
     return Effect.gen(function* () {
@@ -255,7 +323,7 @@ describe("legacyCredentialsLayer.deleteAccessToken", () => {
       expect(passwords.has("Supabase CLI/access-token")).toBe(false);
       expect(passwords.has(goWindowsKey("supabase"))).toBe(false);
       expect(existsSync(join(supaDir, "access-token"))).toBe(false);
-    }).pipe(Effect.provide(makeLayer()));
+    }).pipe(Effect.provide(makeLayer({ platform: "win32" })));
   });
 });