auth

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 9, 2026 License: MIT Imports: 12 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DefaultConfigDir

func DefaultConfigDir() (string, error)

DefaultConfigDir returns the config directory: $BASETEN_CONFIG_DIR > os.UserConfigDir()/baseten

func OAuthContext

func OAuthContext(ctx context.Context, base http.RoundTripper) context.Context

OAuthContext returns a context that carries an oauth2 HTTP client which stamps the Baseten User-Agent on every request, layered over base.

Types

type AuthFile

type AuthFile struct {
	Version int `json:"version"`
	// Current is the name of the profile used when no profile is selected via
	// flag or environment.
	Current  string             `json:"current,omitempty"`
	Profiles map[string]Profile `json:"profiles"`
}

AuthFile is the on-disk auth.json structure. Unrecognized keys are ignored on read and dropped on the next write.

type AuthType

type AuthType string

AuthType identifies how a credential was obtained.

const (
	AuthTypeOAuth  AuthType = "oauth"
	AuthTypeAPIKey AuthType = "api_key"
)

type OAuthCredential

type OAuthCredential struct {
	AccessToken  string    `json:"access_token"`
	RefreshToken string    `json:"refresh_token"`
	Expiry       time.Time `json:"expiry,omitempty"`
}

OAuthCredential holds an OAuth access and refresh token pair, along with the access token's absolute expiry. Expiry is what golang.org/x/oauth2 uses to decide whether to refresh; persisting it lets refresh work across CLI invocations.

type Profile added in v0.2.0

type Profile struct {
	RemoteURL string   `json:"remote_url"`
	AuthType  AuthType `json:"auth_type"`

	// InsecureOAuthCredential and InsecureAPIKey are only populated when the
	// keyring is unavailable or --insecure-storage was used.
	InsecureOAuthCredential *OAuthCredential `json:"oauth_credential,omitempty"`
	InsecureAPIKey          string           `json:"api_key,omitempty"`
}

Profile is a single named, self-contained credential: a remote URL plus the auth used against it. The profile name is the keyring account and the auth.json map key.

type Session added in v0.2.0

type Session struct {
	// contains filtered or unexported fields
}

Session is the auth context resolved once per invocation. Exactly one of the credential paths applies: a stored profile (ProfileName set) or ephemeral env credentials (ephemeralAPIKey set).

func ResolveSession added in v0.2.0

func ResolveSession(profileFlag, defaultProfile string) (*Session, error)

ResolveSession determines the effective auth for this invocation, most specific source first:

  1. profileFlag (the --profile flag)
  2. BASETEN_API_KEY (+ optional BASETEN_REMOTE_URL), ephemeral
  3. BASETEN_PROFILE
  4. defaultProfile (a baked-in fallback, e.g. from the SSH config)
  5. the current profile in auth.json

defaultProfile is "" for most commands; the SSH sign/proxy commands pass their --default-profile so a pinned profile is used only when nothing more specific selects one.

A named profile that does not exist is not an error here; the failure surfaces when a credential is actually needed (or in the auth commands that manage profiles directly).

func (*Session) IsEphemeral added in v0.2.0

func (s *Session) IsEphemeral() bool

IsEphemeral reports whether the session uses credentials from BASETEN_API_KEY rather than a stored profile.

func (*Session) ProfileName added in v0.2.0

func (s *Session) ProfileName() string

ProfileName is the stored profile this session uses, or "" when the session is ephemeral or unauthenticated.

func (*Session) RemoteURL added in v0.2.0

func (s *Session) RemoteURL() string

RemoteURL is the remote the resolved session targets. It may be empty, in which case the caller applies its own default.

type Store

type Store struct {
	// contains filtered or unexported fields
}

Store manages reading and writing auth.json and keyring secrets.

func NewStore

func NewStore(opts StoreOptions) *Store

NewStore creates a Store from the given options.

func (*Store) CurrentProfile added in v0.2.0

func (s *Store) CurrentProfile() (name string, profile Profile, ok bool)

CurrentProfile returns the current profile name and entry.

func (*Store) GetAPIKey

func (s *Store) GetAPIKey(profileName string) (string, error)

GetAPIKey retrieves the API key for a profile, trying the keyring first, then falling back to the auth.json plaintext field.

func (*Store) GetOAuthCredential

func (s *Store) GetOAuthCredential(profileName string) (*OAuthCredential, error)

GetOAuthCredential retrieves the OAuth credential for a profile, trying the keyring first, then falling back to the auth.json plaintext field.

func (*Store) GetProfile added in v0.2.0

func (s *Store) GetProfile(profileName string) (Profile, bool)

GetProfile returns the profile with the given name.

func (*Store) Load

func (s *Store) Load() (*AuthFile, error)

Load reads auth.json from disk. Returns an empty AuthFile if it does not exist.

func (*Store) ProfileNames added in v0.2.0

func (s *Store) ProfileNames() ([]string, error)

ProfileNames returns the stored profile names in sorted order.

func (*Store) RemoveProfile added in v0.2.0

func (s *Store) RemoveProfile(profileName string) error

RemoveProfile removes a profile and deletes its keyring entry. If the removed profile was current, the current pointer is cleared.

func (*Store) SetAPIKeyProfile added in v0.2.0

func (s *Store) SetAPIKeyProfile(profileName, remoteURL, apiKey string, switchCurrent bool, warnWriter func(string)) error

SetAPIKeyProfile stores an API key credential under name. When switchCurrent is true, the profile also becomes the current profile.

func (*Store) SetOAuthProfile added in v0.2.0

func (s *Store) SetOAuthProfile(profileName, remoteURL string, cred OAuthCredential, switchCurrent bool, warnWriter func(string)) error

SetOAuthProfile stores an OAuth credential under name. When switchCurrent is true, the profile also becomes the current profile. Tries the keyring first; falls back to plaintext in auth.json with a warning written to warnWriter (if non-nil).

func (*Store) SwitchProfile added in v0.2.0

func (s *Store) SwitchProfile(profileName string) error

SwitchProfile sets the current profile. Returns an error if it does not exist.

type StoreOptions

type StoreOptions struct {
	// Dir is the directory where auth.json is stored.
	Dir string

	// InsecureStorage, when true, stores secrets in auth.json instead of
	// the system keyring.
	InsecureStorage bool
}

StoreOptions configures a Store.

type Transport

type Transport struct {
	Session *Session

	// OAuthConfig is the OAuth2 configuration used for token refresh.
	OAuthConfig *oauth2.Config

	Base http.RoundTripper
}

Transport is an HTTP client that injects the appropriate Authorization header for the resolved session. For OAuth credentials, it uses oauth2.TokenSource for transparent token refresh.

It implements the Do(*http.Request) (*http.Response, error) interface expected by the baseten-go SDK clients.

func (*Transport) Do

func (t *Transport) Do(req *http.Request) (*http.Response, error)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL