Skip to content

[bug] tg-sai: session generation ignores env creds and leaks wrapper output #17

Description

@Unique-Divine

Summary

tg-sai profile add --login is buggy in the session-generation path. The wrapper does not honor some documented credential sources, and the Python session helper is too interactive/noisy when invoked by the CLI wrapper.

Findings

  1. profile add --login ignores process environment credentials.

Command shape:

TELEGRAM_API_ID=123 TELEGRAM_API_HASH=fakehash \
  bun main.ts profile add --name debug --login --qr

Observed output:

--login requires apiId and apiHash from flags, --src, env, or .env discovery

The error says env, but inputFromProfileAddOptions only merges explicit CLI flags and --src values. It does not merge process.env.

  1. profile add --login does not auto-use the user-local ~/.tg-sai/.env / TG_SAI_DIR/.env path.

A temp TG_SAI_DIR/.env containing TELEGRAM_API_ID and TELEGRAM_API_HASH still produces the same failure unless the user first runs discovery and passes --src explicitly.

  1. Explicit flags do reach the Python helper.

Command shape:

bun main.ts profile add \
  --name debug \
  --api-id 123 \
  --api-hash fakehash \
  --login \
  --qr

This launches session_string_generator.py and then fails later with fake credentials:

Error: The api_id/api_hash combination is invalid

So the spawn path works once credentials are passed as flags.

  1. The Python helper prompts for account label even in wrapper mode.

Even with --qr --session-output <path> --no-env-write, it prompts:

Account label (optional, e.g. 'work', 'personal'; leave empty for default):

Wrapper mode should not prompt for an env-var label because tg-sai profile add --login stores the session in the named tg-sai profile.

  1. The Python helper prints sensitive values in wrapper mode.

On success, session_string_generator.py prints the generated session string and a command containing the API hash. generateSessionString() uses inherited stdout/stderr, so tg-sai profile add --login would also print those values even though it already captures the session through --session-output.

  1. Success guidance still references the repo-local development shim.

The helper prints just tg-sai profile add ...; distributed usage should say tg-sai profile add ....

Expected behavior

  • tg-sai profile add --login should use documented credential sources consistently.
  • Wrapper mode should only require interaction for login itself: QR scan, phone code, or 2FA password.
  • Wrapper mode should not print the session string or API hash to the terminal.
  • Distributed guidance should use tg-sai, not just tg-sai.

Candidate fix areas

  • Merge process env credential values into profile add credential resolution.
  • Decide whether --login should auto-use exactly one discovered partial credential source, or require explicit --src and update docs/error text.
  • Add a wrapper/quiet mode to session_string_generator.py that suppresses the account-label prompt and sensitive success output while still writing --session-output.
  • Update helper success guidance from just tg-sai to tg-sai.
  • Add CLI integration tests for env creds and wrapper mode.

Verification already run

uv run pytest -q session_string_generator_test.py
# 13 passed

bun main.ts profile add --help
uv run python session_string_generator.py --help

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions