feat: Support logout command (#635)

lukaszsocha2 · web-flow · commit 842e308f38af · 2026-03-10T18:12:27.000+01:00
diff --git a/README.md b/README.md
@@ -26,6 +26,7 @@ Among other features, Box CLI includes the following functionality:
       - [Linux & Node install](#linux--node-install)
     - [Quick Login with the Official Box CLI App](#quick-login-with-the-official-box-cli-app)
     - [CLI and Server Authentication with JWT](#cli-and-server-authentication-with-jwt)
+    - [Logout](#logout)
   - [Secure Storage](#secure-storage)
     - [What is Stored Securely](#what-is-stored-securely)
     - [Platform Support](#platform-support)
@@ -105,6 +106,15 @@ Successfully added CLI environment "ManualKey"
 [oauth-guide]: https://developer.box.com/guides/cli/quick-start/
 [jwt-guide]: https://developer.box.com/guides/cli/cli-docs/jwt-cli/
 
+### Logout
+
+To sign out from the current environment, run:
+
+```bash
+box logout
+```
+
+This revokes the access token on Box and clears the local token cache. For OAuth, run `box login` to authorize again. For CCG and JWT, a new token is fetched automatically on the next command. Use `-f` to skip the confirmation prompt, or `--on-revoke-failure=clear` / `--on-revoke-failure=abort` to control behavior when token revocation fails. See [`box logout`](docs/logout.md) for full details.
 
 ## Secure Storage
 
@@ -209,6 +219,7 @@ Avatar URL: 'https://app.box.com/api/avatar/large/77777'
 * [`box integration-mappings`](docs/integration-mappings.md) - List Slack integration mappings
 * [`box legal-hold-policies`](docs/legal-hold-policies.md) - List legal hold policies
 * [`box login`](docs/login.md) - Sign in with OAuth 2.0 and create a new environment (or update an existing one with --reauthorize).
+* [`box logout`](docs/logout.md) - Revoke the access token and clear local token cache.
 * [`box metadata-cascade-policies`](docs/metadata-cascade-policies.md) - List the metadata cascade policies on a folder
 * [`box metadata-query`](docs/metadata-query.md) - Create a search using SQL-like syntax to return items that match specific metadata
 * [`box metadata-templates`](docs/metadata-templates.md) - Get all metadata templates in your Enterprise
diff --git a/docs/logout.md b/docs/logout.md
@@ -0,0 +1,40 @@
+`box logout`
+============
+
+Revoke the access token and clear local token cache.
+
+For OAuth, run `box login` to authorize again.
+For CCG and JWT, a new token is fetched automatically on the next command.
+
+Use -f and --on-revoke-failure=clear or --on-revoke-failure=abort to skip the interactive prompt.
+
+* [`box logout`](#box-logout)
+
+## `box logout`
+
+Revoke the access token and clear local token cache.
+
+```
+USAGE
+  $ box logout [--no-color] [-h] [-v] [-q] [-f] [--on-revoke-failure clear|abort]
+
+FLAGS
+  -f, --force                       Skip confirmation prompt
+  -h, --help                        Show CLI help
+  -q, --quiet                       Suppress any non-error output to stderr
+  -v, --verbose                     Show verbose output, which can be helpful for debugging
+      --no-color                    Turn off colors for logging
+      --on-revoke-failure=<option>  On revoke failure: "clear" clears local cache only, "abort" exits without clearing.
+                                    Skips prompt.
+                                    <options: clear|abort>
+
+DESCRIPTION
+  Revoke the access token and clear local token cache.
+
+  For OAuth, run `box login` to authorize again.
+  For CCG and JWT, a new token is fetched automatically on the next command.
+
+  Use -f and --on-revoke-failure=clear or --on-revoke-failure=abort to skip the interactive prompt.
+```
+
+_See code: [src/commands/logout.js](https://github.com/box/boxcli/blob/v4.5.0/src/commands/logout.js)_
diff --git a/src/commands/login.js b/src/commands/login.js
@@ -24,6 +24,7 @@ const {
 const GENERIC_OAUTH_CLIENT_ID = 'udz8zp4yue87uk9dzq4xk425kkwvqvh1';
 const GENERIC_OAUTH_CLIENT_SECRET = 'iZ1MbvC3ZaF25nbJli7IsKdRHAxfu3fn';
 const SUPPORTED_DEFAULT_APP_PORTS = [3000, 3001, 4000, 5000, 8080];
+const DEFAULT_ENVIRONMENT_NAME = 'oauth';
 
 async function promptForClientCredentials(inquirerModule) {
 	const clientIdPrompt = {
@@ -75,14 +76,24 @@ class OAuthLoginCommand extends BoxCommand {
 		let environment;
 
 		if (this.flags.reauthorize) {
+			let targetEnvName = this.flags.name;
 			if (
 				!Object.hasOwn(environmentsObject.environments, this.flags.name)
 			) {
-				this.info(chalk`{red The "${this.flags.name}" environment does not exist}`);
-				return;
+				const currentEnv = environmentsObject.environments[environmentsObject.default];
+				if (
+					this.flags.name === DEFAULT_ENVIRONMENT_NAME &&
+					environmentsObject.default &&
+					currentEnv?.authMethod === 'oauth20'
+				) {
+					targetEnvName = environmentsObject.default;
+				} else {
+					this.info(chalk`{red The "${this.flags.name}" environment does not exist}`);
+					return;
+				}
 			}
 
-			environment = environmentsObject.environments[this.flags.name];
+			environment = environmentsObject.environments[targetEnvName];
 			if (environment.authMethod !== 'oauth20') {
 				this.info(chalk`{red The selected environment is not of type oauth20}`);
 				return;
@@ -366,7 +377,7 @@ OAuthLoginCommand.flags = {
 	name: Flags.string({
 		char: 'n',
 		description: 'Set a name for the environment',
-		default: 'oauth',
+		default: DEFAULT_ENVIRONMENT_NAME,
 	}),
 	port: Flags.integer({
 		char: 'p',
diff --git a/src/commands/logout.js b/src/commands/logout.js
@@ -0,0 +1,219 @@
+'use strict';
+
+const BoxCommand = require('../box-command');
+const BoxSDK = require('box-node-sdk').default;
+const CLITokenCache = require('../token-cache');
+const chalk = require('chalk');
+const inquirer = require('inquirer');
+const pkg = require('../../package.json');
+const { Flags } = require('@oclif/core');
+
+const SDK_CONFIG = Object.freeze({
+	analyticsClient: { version: pkg.version },
+	request: {
+		headers: { 'User-Agent': `Box CLI v${pkg.version}` },
+	},
+});
+
+function isInvalidTokenResponse(response) {
+	return (
+		response?.statusCode === 400 &&
+		response?.body?.error === 'invalid_token'
+	);
+}
+
+function isSuccessResponse(response) {
+	return response?.statusCode === 200;
+}
+
+function getRevokeErrorMessage(thrownError, response) {
+	if (thrownError) {
+		return (
+			thrownError.message ||
+			'Unexpected error. Cannot connect to Box servers.'
+		);
+	}
+	return (
+		response?.body?.error_description ||
+		`Request failed with status ${response?.statusCode ?? response?.status}` ||
+		'Unknown error'
+	);
+}
+
+class OAuthLogoutCommand extends BoxCommand {
+	async run() {
+		const environmentsObj = await this.getEnvironments();
+		const currentEnv = environmentsObj?.default;
+
+		const environment = currentEnv
+			? environmentsObj.environments[currentEnv]
+			: null;
+
+		if (!currentEnv || !environment) {
+			this.error(
+				'No current environment found. Nothing to log out from.'
+			);
+		}
+
+		const tokenCache = new CLITokenCache(currentEnv);
+		const tokenInfo = await tokenCache.get();
+		const accessToken = tokenInfo?.accessToken;
+		if (!accessToken) {
+			this.info(
+				chalk`{green You are already logged out from "${currentEnv}" environment.}`
+			);
+			return;
+		}
+
+		if (!this.flags.force) {
+			const confirmed = await this.confirm(
+				`Do you want to logout from "${currentEnv}" environment?`,
+				false
+			);
+			if (!confirmed) {
+				this.info(chalk`{yellow Logout cancelled.}`);
+				return;
+			}
+		}
+
+		await this.revokeAndClearSession(
+			accessToken,
+			tokenCache,
+			currentEnv,
+			environment
+		);
+	}
+
+	async revokeAndClearSession(
+		accessToken,
+		tokenCache,
+		currentEnv,
+		environment
+	) {
+		while (true) {
+			let response;
+			let thrownError;
+			const { clientId, clientSecret } =
+				this.getClientCredentials(environment);
+			if (!clientId || !clientSecret) {
+				thrownError = new Error('Invalid client credentials.');
+				response = undefined;
+			} else {
+				const sdk = new BoxSDK({
+					clientID: clientId,
+					clientSecret,
+					...SDK_CONFIG,
+				});
+				try {
+					response = await sdk.revokeTokens(accessToken);
+				} catch (error) {
+					thrownError = error;
+				}
+			}
+
+			if (isSuccessResponse(response)) {
+				break;
+			}
+
+			if (isInvalidTokenResponse(response)) {
+				this.info(
+					chalk`{yellow Access token is already invalid. Clearing local session.}`
+				);
+				break;
+			}
+
+			const action = await this.promptRevokeFailureAction(
+				thrownError,
+				response
+			);
+
+			if (action === 'abort') {
+				this.info(
+					chalk`{yellow Logout aborted. Token was not revoked and remains cached.}`
+				);
+				return;
+			}
+			if (action === 'clear') {
+				break;
+			}
+		}
+
+		await new Promise((resolve, reject) => {
+			tokenCache.clear((err) => (err ? reject(err) : resolve()));
+		});
+		this.info(
+			chalk`{green Successfully logged out from "${currentEnv}" environment.}`
+		);
+	}
+
+	getClientCredentials(environment) {
+		if (environment.boxConfigFilePath) {
+			try {
+				const fs = require('node:fs');
+				const configObj = JSON.parse(
+					fs.readFileSync(environment.boxConfigFilePath)
+				);
+				return {
+					clientId: configObj?.boxAppSettings?.clientID ?? '',
+					clientSecret: configObj?.boxAppSettings?.clientSecret ?? '',
+				};
+			} catch {
+				// fall through to environment
+			}
+		}
+		return {
+			clientId: environment.clientId ?? '',
+			clientSecret: environment.clientSecret ?? '',
+		};
+	}
+
+	async promptRevokeFailureAction(thrownError, response) {
+		const onRevokeFailure = this.flags['on-revoke-failure'];
+		if (onRevokeFailure) {
+			return onRevokeFailure;
+		}
+		const result = await inquirer.prompt([
+			{
+				type: 'list',
+				name: 'action',
+				message: chalk`Could not revoke token: {red ${getRevokeErrorMessage(thrownError, response)}}\nWhat would you like to do?`,
+				choices: [
+					{ name: 'Try revoking again', value: 'retry' },
+					{
+						name: 'Clear local session only (token remains valid on Box)',
+						value: 'clear',
+					},
+					{ name: 'Abort', value: 'abort' },
+				],
+			},
+		]);
+		return result.action;
+	}
+}
+
+// @NOTE: This command skips client setup, since it may be used when token is expired
+OAuthLogoutCommand.noClient = true;
+
+OAuthLogoutCommand.description = [
+	'Revoke the access token and clear local token cache.',
+	'',
+	'For OAuth, run `box login` to authorize again.',
+	'For CCG and JWT, a new token is fetched automatically on the next command.',
+	'',
+	'Use -f and --on-revoke-failure=clear or --on-revoke-failure=abort to skip the interactive prompt.',
+].join('\n');
+
+OAuthLogoutCommand.flags = {
+	...BoxCommand.minFlags,
+	force: Flags.boolean({
+		char: 'f',
+		description: 'Skip confirmation prompt',
+	}),
+	'on-revoke-failure': Flags.string({
+		description:
+			'On revoke failure: "clear" clears local cache only, "abort" exits without clearing. Skips prompt.',
+		options: ['clear', 'abort'],
+	}),
+};
+
+module.exports = OAuthLogoutCommand;
diff --git a/test/commands/login.test.js b/test/commands/login.test.js
diff --git a/test/commands/logout.test.js b/test/commands/logout.test.js
