Documentation
¶
Index ¶
- Constants
- func ClearToken(environment string) error
- func CredentialsPath() (string, error)
- func GetToken(environment string) (string, error)
- func ResolveEnvironment(cmd *cli.Command) string
- func Revoke(ctx context.Context, config *OAuthConfig, token, tokenTypeHint string) error
- func SaveToken(environment string, tokens *TokenSet) (insecure bool, err error)
- type OAuthConfig
- type TokenSet
Constants ¶
const ( // OAuth client IDs per environment (public clients, no secret). ProductionOAuthClientID = "d6a5310d-f441-4a36-b12a-2fc09c380936" SandboxOAuthClientID = "da707cac-28d3-4003-bbc6-c7384ca6557a" // OAuth endpoints per environment. ProductionAuthURL = "https://oauth2.mercury.com/oauth2/auth" ProductionTokenURL = "https://oauth2.mercury.com/oauth2/token" ProductionRevokeURL = "https://oauth2.mercury.com/oauth2/revoke" SandboxAuthURL = "https://oauth2-sandbox.mercury.com/oauth2/auth" SandboxTokenURL = "https://oauth2-sandbox.mercury.com/oauth2/token" SandboxRevokeURL = "https://oauth2-sandbox.mercury.com/oauth2/revoke" // OAuthScopes requested during login. OAuthScopes = "offline_access openid read write" )
Variables ¶
This section is empty.
Functions ¶
func ClearToken ¶ added in v0.6.0
ClearToken removes stored tokens for the given environment from both the keyring and the plaintext fallback. A missing keyring entry is not an error; other keyring failures propagate so a failed logout does not look successful while the tokens remain readable on the next LoadToken.
func CredentialsPath ¶
func GetToken ¶
GetToken returns a valid OAuth access token for the given environment. Returns ("", nil) if no credentials are stored (no-op — the API will return 401). Automatically refreshes expired tokens when a refresh token is available.
func ResolveEnvironment ¶
ResolveEnvironment determines the target environment from the CLI command flags. Defaults to "production" if not specified.
func Revoke ¶ added in v0.6.2
func Revoke(ctx context.Context, config *OAuthConfig, token, tokenTypeHint string) error
Revoke revokes a token per RFC 7009. Revoking a refresh token cascades to access tokens derived from it, so callers should prefer the refresh token.
func SaveToken ¶ added in v0.6.0
SaveToken persists tokens for the given environment. It tries the system keyring first; if that fails or times out, it writes to a plaintext file at ~/.config/mercury/credentials.json with 0600 permissions. The returned bool is true when the plaintext fallback was used.
Types ¶
type OAuthConfig ¶
OAuthConfig holds the OAuth configuration for a specific environment.
func DefaultOAuthConfig ¶
func DefaultOAuthConfig(environment string) *OAuthConfig
DefaultOAuthConfig returns the OAuth configuration for the given environment.
type TokenSet ¶
type TokenSet struct {
AccessToken string `json:"access_token"`
RefreshToken string `json:"refresh_token,omitempty"`
TokenType string `json:"token_type"`
Expiry time.Time `json:"expiry"`
}
TokenSet holds OAuth tokens for a single environment.
func LoadToken ¶ added in v0.6.0
LoadToken returns the stored token set for the given environment. It checks the system keyring first, then the plaintext fallback file. Returns (nil, nil) if no tokens are stored in either location.
func Login ¶
func Login(ctx context.Context, config *OAuthConfig) (*TokenSet, error)
Login performs the OAuth Authorization Code + PKCE flow. It starts a localhost server, opens the browser for authorization, waits for the callback, and exchanges the code for tokens.
func RefreshToken ¶
RefreshToken exchanges a refresh token for new tokens. The caller controls cancellation via ctx; doTokenRequest also imposes a hard per-request cap so a stalled token endpoint can't hang the CLI indefinitely.
Source Files