From 000187472ae1a4d8d313adfc10ad79088bc4a57f Mon Sep 17 00:00:00 2001
From: Will Vedder <will.vedder@okta.com>
Date: Tue, 6 Dec 2022 16:12:08 -0500
Subject: [PATCH] Cleaning up messaging

---
 internal/cli/cli.go   | 15 ++++++++++-----
 internal/cli/login.go | 26 ++++++++------------------
 2 files changed, 18 insertions(+), 23 deletions(-)

diff --git a/internal/cli/cli.go b/internal/cli/cli.go
index 927d7223c..acf8c6104 100644
--- a/internal/cli/cli.go
+++ b/internal/cli/cli.go
@@ -207,18 +207,23 @@ func (c *cli) prepareTenant(ctx context.Context) (Tenant, error) {
 		return Tenant{}, err
 	}
 
-	if t.AccessToken == "" || (scopesChanged(t) && t.authenticatedWithDeviceCodeFlow()) {
-		return RunLoginAsUser(ctx, c, true)
+	if scopesChanged(t) && t.authenticatedWithDeviceCodeFlow() {
+		c.renderer.Warnf("Required scopes have changed. Please sign in to re-authorize the CLI.")
+		return RunLoginAsUser(ctx, c)
 	}
 
-	if !t.hasExpiredToken() {
+	if t.AccessToken != "" && !t.hasExpiredToken() {
 		return t, nil
 	}
 
 	if err := t.regenerateAccessToken(ctx, c); err != nil {
 		// Ask and guide the user through the login process.
-		c.renderer.Errorf("failed to renew access token, %s", err)
-		return RunLoginAsUser(ctx, c, true)
+		if t.authenticatedWithDeviceCodeFlow() {
+			c.renderer.Warnf("Failed to renew access token. Please sign in to re-authenticate the CLI.")
+			return RunLoginAsUser(ctx, c)
+		}
+
+		return t, fmt.Errorf("Failed to renew access token. This may occur if the designated application has been deleted or client secret has been rotated. Please re-authenticate by running `auth0 login --as-machine`")
 	}
 
 	if err := c.addTenant(t); err != nil {
diff --git a/internal/cli/login.go b/internal/cli/login.go
index 7be564b1c..12ef40d5a 100644
--- a/internal/cli/login.go
+++ b/internal/cli/login.go
@@ -66,7 +66,12 @@ auth0 login --domain <tenant-domain> --client-id <client-id> --client-secret <cl
 					return err
 				}
 			} else {
-				if _, err := RunLoginAsUser(ctx, cli, false); err != nil {
+				cli.renderer.Output(fmt.Sprintf(
+					"%s\n\n%s\n\n",
+					"✪ Welcome to the Auth0 CLI 🎊",
+					"If you don't have an account, please create one here: https://auth0.com/signup.",
+				))
+				if _, err := RunLoginAsUser(ctx, cli); err != nil {
 					return err
 				}
 			}
@@ -95,28 +100,13 @@ auth0 login --domain <tenant-domain> --client-id <client-id> --client-secret <cl
 
 // RunLoginAsUser runs the login flow guiding the user through the process
 // by showing the login instructions, opening the browser.
-// Use `expired` to run the login from other commands setup:
-// this will only affect the messages.
-func RunLoginAsUser(ctx context.Context, cli *cli, expired bool) (Tenant, error) {
-	message := fmt.Sprintf(
-		"%s\n\n%s\n\n",
-		"✪ Welcome to the Auth0 CLI 🎊",
-		"If you don't have an account, please create one here: https://auth0.com/signup.",
-	)
-
-	if expired {
-		message = "Please sign in to re-authorize the CLI."
-		cli.renderer.Warnf(message)
-	} else {
-		cli.renderer.Output(message)
-	}
-
+func RunLoginAsUser(ctx context.Context, cli *cli) (Tenant, error) {
 	state, err := cli.authenticator.Start(ctx)
 	if err != nil {
 		return Tenant{}, fmt.Errorf("Failed to start the authentication process: %w.", err)
 	}
 
-	message = fmt.Sprintf("Your device confirmation code is: %s\n\n", ansi.Bold(state.UserCode))
+	message := fmt.Sprintf("Your device confirmation code is: %s\n\n", ansi.Bold(state.UserCode))
 	cli.renderer.Output(message)
 
 	if cli.noInput {