oauth

package
v1.15.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 20, 2026 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Overview

Package oauth holds OAuth helpers shared across the CLI: refresh-token revocation used by `login`, `logout`, and `config profiles update --oauth=false`; and sanitization of OAuth-server-supplied strings before they reach a terminal.

Why a separate package: `internal/login` already imports `internal/config` for profile-hint helpers, so neither package can host shared OAuth code without an import cycle. A neutral package keeps both callers honest.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Revoke

func Revoke(apiURL, refreshToken string) (ok bool)

Revoke posts a revocation request for refreshToken against apiURL. Errors are logged to stderr with a `warning:` prefix; the function returns true on success (or no-op) and false on failure so callers can optionally append a note to their success message. Callers rely on this function returning promptly regardless of outcome. No-ops (and returns true) when either argument is empty.

func SanitizeASText

func SanitizeASText(s string) string

SanitizeASText strips characters that would mislead or attack a terminal reader from a string supplied by the OAuth authorization server. Three classes are dropped:

  • ASCII control characters (0x00-0x1F, 0x7F) except tab (0x09). ESC sequences are the obvious vector — a hostile AS could embed them in `error_description` to redraw the user's terminal line. Line-breaking characters (\n, \r) are also dropped because the caller renders AS-supplied text inline with CLI-controlled text: a bare newline lets a hostile AS continue on a new terminal line that the user reads as CLI output (e.g. a forged "Logged in" line after a real "Error:" line). Tabs are kept because they do not introduce a new logical line.
  • Invalid UTF-8 byte sequences. Go's default behavior renders these as U+FFFD, which is visible noise carrying no signal — drop them.
  • Bidirectional override and zero-width control characters (U+200B-U+200F, U+202A-U+202E, U+2066-U+2069, U+FEFF). These were the vector behind CVE-2021-42574 (Trojan Source) — they reorder or hide adjacent text without altering its bytes, which can make a malicious error_description appear innocuous.
  • Unicode line-/paragraph-separator code points (U+0085, U+2028, U+2029). Terminals treat these as line breaks; dropping them closes the same forged-line-injection vector ASCII \n covers.

Input longer than maxASTextBytes is truncated up front to avoid allocating multi-megabyte buffers for content the caller will discard. All other valid runes — including non-ASCII (UTF-8) — pass through.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL