Add support for fetching gh app user. (#30)

cmd/server.go

@@ -61,6 +61,7 @@ const (
 	GHUserFlag                 = "gh-user"
 	GHAppIDFlag                = "gh-app-id"
 	GHAppKeyFileFlag           = "gh-app-key-file"
+	GHAppSlugFlag              = "gh-app-slug"
 	GHOrganizationFlag         = "gh-org"
 	GHWebhookSecretFlag        = "gh-webhook-secret" // nolint: gosec
 	GitlabHostnameFlag         = "gitlab-hostname"
@@ -181,6 +182,9 @@ var stringFlags = map[string]stringFlag{
 		description:  "A path to a file containing the GitHub App's private key",
 		defaultValue: "",
 	},
+	GHAppSlugFlag: {
+		description: "The Github app slug (ie. the URL-friendly name of your GitHub App)",
+	},
 	GHOrganizationFlag: {
 		description:  "The name of the GitHub organization to use during the creation of a Github App for Atlantis",
 		defaultValue: "",

cmd/server_test.go

@@ -72,6 +72,7 @@ var testFlags = map[string]interface{}{
 	GHUserFlag:                 "user",
 	GHAppIDFlag:                int64(0),
 	GHAppKeyFileFlag:           "",
+	GHAppSlugFlag:              "atlantis",
 	GHOrganizationFlag:         "",
 	GHWebhookSecretFlag:        "secret",
 	GitlabHostnameFlag:         "gitlab-hostname",

go.mod

@@ -36,7 +36,7 @@ require (
 	github.com/nlopes/slack v0.1.0
 	github.com/onsi/ginkgo v1.9.0 // indirect
 	github.com/onsi/gomega v1.4.3 // indirect
-	github.com/petergtz/pegomock v2.8.0+incompatible
+	github.com/petergtz/pegomock v2.9.0+incompatible
 	github.com/pkg/errors v0.9.1
 	github.com/remeh/sizedwaitgroup v1.0.0
 	github.com/shurcooL/githubv4 v0.0.0-20191127044304-8f68eb5628d0

go.sum

@@ -269,8 +269,8 @@ github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFSt
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
-github.com/petergtz/pegomock v2.8.0+incompatible h1:xRKfBK+COYde7M4WzWPJM2nuIwO387NkFivWuxiBRxI=
-github.com/petergtz/pegomock v2.8.0+incompatible/go.mod h1:nuBLWZpVyv/fLo56qTwt/AUau7jgouO1h7bEvZCq82o=
+github.com/petergtz/pegomock v2.9.0+incompatible h1:BKfb5XfkJfehe5T+O1xD4Zm26Sb9dnRj7tHxLYwUPiI=
+github.com/petergtz/pegomock v2.9.0+incompatible/go.mod h1:nuBLWZpVyv/fLo56qTwt/AUau7jgouO1h7bEvZCq82o=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -317,7 +317,6 @@ github.com/spf13/cobra v0.0.0-20170905172051-b78744579491/go.mod h1:1l0Ry5zgKvJa
 github.com/spf13/jwalterweatherman v1.0.0 h1:XHEdyB+EcvlqZamSM4ZOMGlc93t6AcsBEu9Gc1vn7yk=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@@ -327,7 +326,6 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
@@ -344,7 +342,6 @@ github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6Ac
 github.com/xanzy/go-gitlab v0.34.1 h1:Dtqla2gWIQIevfZVS6FY4qjgrKf+5LYLzW6XBNstGSw=
 github.com/xanzy/go-gitlab v0.34.1/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
-github.com/zclconf/go-cty v1.1.0 h1:uJwc9HiBOCpoKIObTQaLR+tsEXx1HBHnOsOOpcdhZgw=
 github.com/zclconf/go-cty v1.1.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLEih+O3s=
 github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
 github.com/zclconf/go-cty v1.5.1 h1:oALUZX+aJeEBUe2a1+uD2+UTaYfEjnKFDEMRydkGvWE=
@@ -364,7 +361,6 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200403201458-baeed622b8d8 h1:fpnn/HnJONpIu6hkXi1u/7rR0NzilgWr4T0JmWkEitk=
 golang.org/x/crypto v0.0.0-20200403201458-baeed622b8d8/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200414173820-0848c9571904 h1:bXoxMPcSLOq08zI3/c5dEBT6lE4eh+jOh886GHrn6V8=
 golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -411,7 +407,6 @@ golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAG
 golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191122200657-5d9234df094c h1:HjRaKPaiWks0f5tA6ELVF7ZfqSppfPwOEEAvsrKUTO4=
 golang.org/x/oauth2 v0.0.0-20191122200657-5d9234df094c/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -440,7 +435,6 @@ golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 h1:LfCXLvNmTYH9kEmVgqbnsWfru
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -472,7 +466,6 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.9.0 h1:jbyannxz0XFD3zdjgrSUsaJbgpH4eTrkdhRChkHPfO8=
 google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
 google.golang.org/api v0.13.0 h1:Q3Ui3V3/CVinFWFiW39Iw0kMuVrRzYX0wN6OPFp0lTA=
 google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
@@ -489,7 +482,6 @@ google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRn
 google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55 h1:gSJIx1SDwno+2ElGhA4+qG2zF97qiUzTM+rQ0klBOcE=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
 google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a h1:Ob5/580gVHBJZgXnff1cZDbG+xLtMVE5mDRTe+nIsX4=
@@ -517,7 +509,6 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkep
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=

server/events/vcs/fixtures/fixtures.go

@@ -332,7 +332,7 @@ var githubAppInstallationJSON = `[
 
 // nolint: gosec
 var githubAppTokenJSON = `{
-	"token":      "v1.1f699f1069f60xx%d",
+	"token":      "some-token",
 	"expires_at": "2050-01-01T00:00:00Z",
 	"permissions": {
 		"issues":   "write",
@@ -452,6 +452,48 @@ var githubAppTokenJSON = `{
 	]
 }`
 
+var githubAppJSON = `{
+	"id": 1,
+	"slug": "octoapp",
+	"node_id": "MDExOkludGVncmF0aW9uMQ==",
+	"owner": {
+	  "login": "github",
+	  "id": 1,
+	  "node_id": "MDEyOk9yZ2FuaXphdGlvbjE=",
+	  "url": "https://api.github.com/orgs/github",
+	  "repos_url": "https://api.github.com/orgs/github/repos",
+	  "events_url": "https://api.github.com/orgs/github/events",
+	  "avatar_url": "https://github.com/images/error/octocat_happy.gif",
+	  "gravatar_id": "",
+	  "html_url": "https://github.com/octocat",
+	  "followers_url": "https://api.github.com/users/octocat/followers",
+	  "following_url": "https://api.github.com/users/octocat/following{/other_user}",
+	  "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
+	  "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
+	  "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
+	  "organizations_url": "https://api.github.com/users/octocat/orgs",
+	  "received_events_url": "https://api.github.com/users/octocat/received_events",
+	  "type": "User",
+	  "site_admin": true
+	},
+	"name": "Octocat App",
+	"description": "",
+	"external_url": "https://example.com",
+	"html_url": "https://github.com/apps/octoapp",
+	"created_at": "2017-07-08T16:18:44-04:00",
+	"updated_at": "2017-07-08T16:18:44-04:00",
+	"permissions": {
+	  "metadata": "read",
+	  "contents": "read",
+	  "issues": "write",
+	  "single_file": "write"
+	},
+	"events": [
+	  "push",
+	  "pull_request"
+	]
+  }`
+
 func validateGithubToken(tokenString string) error {
 	key, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(GithubPrivateKey))
 	if err != nil {
@@ -499,6 +541,17 @@ func GithubAppTestServer(t *testing.T) (string, error) {
 
 				w.Write([]byte(githubAppInstallationJSON)) // nolint: errcheck
 				return
+			case "/api/v3/apps/some-app":
+				token := strings.Replace(r.Header.Get("Authorization"), "token ", "", 1)
+
+				// token is taken from githubAppTokenJSON
+				if token != "some-token" {
+					w.WriteHeader(403)
+					w.Write([]byte("Invalid installation token")) // nolint: errcheck
+					return
+				}
+				w.Write([]byte(githubAppJSON)) // nolint: errcheck
+				return
 			case "/api/v3/app/installations/1/access_tokens":
 				token := strings.Replace(r.Header.Get("Authorization"), "Bearer ", "", 1)
 				if err := validateGithubToken(token); err != nil {

server/events/vcs/github_client.go

@@ -91,8 +91,15 @@ func NewGithubClient(hostname string, credentials GithubCredentials, logger *log
 		transport,
 		graphql.WithHeader("Accept", "application/vnd.github.queen-beryl-preview+json"),
 	)
+
+	user, err := credentials.GetUser()
+	logger.Debug("GH User: %s", user)
+
+	if err != nil {
+		return nil, errors.Wrap(err, "getting user")
+	}
 	return &GithubClient{
-		user:           credentials.GetUser(),
+		user:           user,
 		client:         client,
 		v4MutateClient: v4MutateClient,
 		ctx:            context.Background(),
@@ -173,7 +180,7 @@ func (g *GithubClient) HidePrevPlanComments(repo models.Repo, pullNum int) error
 			ListOptions: github.ListOptions{Page: nextPage},
 		})
 		if err != nil {
-			return err
+			return errors.Wrap(err, "listing comments")
 		}
 		allComments = append(allComments, comments...)
 		if resp.NextPage == 0 {

server/events/vcs/github_credentials.go

@@ -18,7 +18,7 @@ import (
 type GithubCredentials interface {
 	Client() (*http.Client, error)
 	GetToken() (string, error)
-	GetUser() string
+	GetUser() (string, error)
 }
 
 // GithubAnonymousCredentials expose no credentials.
@@ -31,8 +31,8 @@ func (c *GithubAnonymousCredentials) Client() (*http.Client, error) {
 }
 
 // GetUser returns the username for these credentials.
-func (c *GithubAnonymousCredentials) GetUser() string {
-	return "anonymous"
+func (c *GithubAnonymousCredentials) GetUser() (string, error) {
+	return "anonymous", nil
 }
 
 // GetToken returns an empty token.
@@ -56,8 +56,8 @@ func (c *GithubUserCredentials) Client() (*http.Client, error) {
 }
 
 // GetUser returns the username for these credentials.
-func (c *GithubUserCredentials) GetUser() string {
-	return c.User
+func (c *GithubUserCredentials) GetUser() (string, error) {
+	return c.User, nil
 }
 
 // GetToken returns the user token.
@@ -73,6 +73,7 @@ type GithubAppCredentials struct {
 	apiURL         *url.URL
 	installationID int64
 	tr             *ghinstallation.Transport
+	AppSlug        string
 }
 
 // Client returns a github app installation client.
@@ -85,8 +86,29 @@ func (c *GithubAppCredentials) Client() (*http.Client, error) {
 }
 
 // GetUser returns the username for these credentials.
-func (c *GithubAppCredentials) GetUser() string {
-	return ""
+func (c *GithubAppCredentials) GetUser() (string, error) {
+	// Keeping backwards compatibility since this flag is optional
+	if c.AppSlug == "" {
+		return "", nil
+	}
+	client, err := c.Client()
+
+	if err != nil {
+		return "", errors.Wrap(err, "initializing client")
+	}
+
+	ghClient := github.NewClient(client)
+	ghClient.BaseURL = c.getAPIURL()
+	ctx := context.Background()
+
+	app, _, err := ghClient.Apps.Get(ctx, c.AppSlug)
+
+	if err != nil {
+		return "", errors.Wrap(err, "getting app details")
+	}
+	// Currently there is no way to get the bot's login info, so this is a
+	// hack until Github exposes that.
+	return fmt.Sprintf("%s[bot]", app.GetName()), nil
 }
 
 // GetToken returns a fresh installation token.

server/events/vcs/github_credentials_test.go

@@ -9,6 +9,36 @@ import (
 	. "github.com/runatlantis/atlantis/testing"
 )
 
+func TestGithubClient_GetUser_AppSlug(t *testing.T) {
+	defer disableSSLVerification()()
+	testServer, err := fixtures.GithubAppTestServer(t)
+	Ok(t, err)
+
+	anonCreds := &vcs.GithubAnonymousCredentials{}
+	anonClient, err := vcs.NewGithubClient(testServer, anonCreds, nil)
+	Ok(t, err)
+	tempSecrets, err := anonClient.ExchangeCode("good-code")
+	Ok(t, err)
+
+	tmpDir, cleanup := DirStructure(t, map[string]interface{}{
+		"key.pem": tempSecrets.Key,
+	})
+	defer cleanup()
+	keyPath := fmt.Sprintf("%v/key.pem", tmpDir)
+
+	appCreds := &vcs.GithubAppCredentials{
+		AppID:    tempSecrets.ID,
+		KeyPath:  keyPath,
+		Hostname: testServer,
+		AppSlug:  "some-app",
+	}
+
+	user, err := appCreds.GetUser()
+	Ok(t, err)
+
+	Assert(t, user == "Octocat App[bot]", "user should not empty")
+}
+
 func TestGithubClient_AppAuthentication(t *testing.T) {
 	defer disableSSLVerification()()
 	testServer, err := fixtures.GithubAppTestServer(t)
@@ -40,6 +70,11 @@ func TestGithubClient_AppAuthentication(t *testing.T) {
 	newToken, err := appCreds.GetToken()
 	Ok(t, err)
 
+	user, err := appCreds.GetUser()
+	Ok(t, err)
+
+	Assert(t, user == "", "user should be empty")
+
 	if token != newToken {
 		t.Errorf("app token was not cached: %q != %q", token, newToken)
 	}