store

package
v0.36.0-rc.0 Latest
Warning

This package is not in the latest version of its module.

Published: Jun 19, 2026 License: MIT Imports: 14 Imported by: 0

Documentation

Overview

Package store provides local credential storage for OAuth tokens.


Constants

This section is empty.

Variables

var ErrCredentialBusy = errors.New("credentials are being refreshed by another process; retry shortly")

ErrCredentialBusy is returned by Save/Clear when another process holds the credentials file lock (a refresh is in progress) for longer than the write lock wait. The caller should retry shortly rather than clobber the rotation.

var ErrCredentialDowngrade = errors.New("refusing to overwrite a refreshable credential with one that cannot refresh")

ErrCredentialDowngrade is returned by Save when the new tokens cannot refresh (no refresh token) but the stored credential can. Replacing a refreshable credential with one that cannot refresh would silently downgrade a working session to one that dies at the next access-token expiry.
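Caller-side handling of the two sentinel errors above, as an added example that is not part of the package's own code or documentation: a busy lock is retried with a bounded, doubling wait, while a downgrade refusal is returned at once. The names errBusy, errDowngrade, saveWithRetry and busyThenOK are hypothetical stand-ins so the block runs without the module; a real caller would pass a closure around Store.Save and compare against the package's exported errors.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Stand-ins (assumption) for store.ErrCredentialBusy and
// store.ErrCredentialDowngrade so the example runs without the module.
var (
	errBusy      = errors.New("credentials are being refreshed by another process; retry shortly")
	errDowngrade = errors.New("refusing to overwrite a refreshable credential with one that cannot refresh")
)

// saveWithRetry (hypothetical helper) calls save until it stops reporting a
// busy lock, doubling the wait between attempts. Any other error, including a
// downgrade refusal, is returned at once: retrying cannot change that outcome.
func saveWithRetry(save func() error, attempts int, wait time.Duration) (int, error) {
	var err error
	for i := 1; i <= attempts; i++ {
		err = save()
		if !errors.Is(err, errBusy) {
			return i, err
		}
		if i < attempts {
			time.Sleep(wait)
			wait *= 2
		}
	}
	return attempts, fmt.Errorf("gave up after %d attempts: %w", attempts, err)
}

// busyThenOK (constructed) simulates a Save that finds the lock held n times.
func busyThenOK(n int) func() error {
	return func() error {
		if n > 0 {
			n--
			return fmt.Errorf("save: %w", errBusy)
		}
		return nil
	}
}

func main() {
	fmt.Println(saveWithRetry(busyThenOK(2), 5, 10*time.Millisecond))
	fmt.Println(saveWithRetry(func() error { return errDowngrade }, 5, 10*time.Millisecond))
}
```

The helper returns the number of attempts made alongside the final error, so a caller can log how long the lock was contended.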

Functions

This section is empty.

Types

type Config

type Config struct {
	// Path is the path to the credentials file.
	// Defaults to a namespaced file in ~/.config/panda/credentials/
	Path string

	// IssuerURL namespaces stored credentials by auth issuer.
	IssuerURL string

	// ClientID namespaces stored credentials by OAuth client.
	ClientID string

	// Resource namespaces stored credentials by requested resource.
	Resource string

	// RefreshBuffer is how long before expiry to refresh the token.
	RefreshBuffer time.Duration

	// RefreshTokenTTL is the expected lifetime of the refresh token.
	// When set, the store will trigger a refresh at 50% of this duration
	// to keep the refresh token alive via provider rotation.
	RefreshTokenTTL time.Duration

	// WriteLockWait bounds how long Save/Clear wait for the credentials file
	// lock before returning ErrCredentialBusy. Defaults to credentialLockWait.
	WriteLockWait time.Duration

	// AuthClient is the OAuth client for refreshing tokens.
	AuthClient client.Client
}

Config configures the credential store.

type Store

type Store interface {
	// Path returns the resolved credentials file path.
	Path() string

	// Save saves tokens to the store.
	Save(tokens *client.Tokens) error

	// Load loads tokens from the store.
	Load() (*client.Tokens, error)

	// Clear removes stored tokens.
	Clear() error

	// GetAccessToken returns a valid access token, refreshing if needed.
	GetAccessToken() (string, error)

	// Invalidate forces the next GetAccessToken to refresh the access token,
	// even if it has not yet hit the local expiry buffer. Used when the proxy
	// rejects a token that should still be valid locally (e.g. revocation).
	Invalidate()

	// IsAuthenticated returns true if valid tokens are stored.
	IsAuthenticated() bool
}

Store manages local credential storage.

func New

func New(log logrus.FieldLogger, cfg Config) Store

New creates a new credential store.
