auth

package
v0.2.1 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 2, 2026 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Overview

Package auth implements the browser-based OAuth PKCE authentication flow for gcx. This file is based heavily on assistant-cli-internal/internal/tunnel/auth/flow.go.


Constants

This section is empty.

Variables

var ErrRefreshTokenExpired = errors.New("refresh token expired: re-authentication required")

ErrRefreshTokenExpired is returned when the refresh token has expired and the user must re-authenticate.

Functions

func StripControlChars

func StripControlChars(s string) string

StripControlChars removes control characters from s. It is used to sanitise error messages so that potentially malicious content in them is not interpolated verbatim.

func ValidateEndpointURL

func ValidateEndpointURL(endpoint string) error

ValidateEndpointURL checks that the given endpoint URL is a trusted Grafana domain or a local address. Returns an error if the URL is untrusted.
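An added sketch, not the gcx package's own code, of the kind of check ValidateEndpointURL describes: an allow-list match on a label boundary, https required for remote hosts, userinfo rejected, loopback addresses allowed. The name checkEndpoint, the trustedSuffixes list and the handling of "localhost" are assumptions; the page does not show the package's actual allow-list.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// trustedSuffixes is an assumed allow-list for this sketch only.
var trustedSuffixes = []string{"grafana.net", "grafana.com"}

// checkEndpoint is a hypothetical stand-in for ValidateEndpointURL.
func checkEndpoint(endpoint string) error {
	u, err := url.Parse(endpoint)
	if err != nil {
		return fmt.Errorf("parse endpoint: %w", err)
	}
	if u.User != nil { // "https://grafana.net@example.org" has host example.org
		return errors.New("userinfo not allowed in endpoint URL")
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == "" {
		return errors.New("endpoint has no host")
	}
	// Local addresses: loopback IPs or the literal name "localhost"; plain http is accepted.
	if ip := net.ParseIP(host); host == "localhost" || (ip != nil && ip.IsLoopback()) {
		if u.Scheme == "http" || u.Scheme == "https" {
			return nil
		}
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("remote endpoint must use https, got %q", u.Scheme)
	}
	for _, s := range trustedSuffixes {
		// Exact domain or subdomain only: "evilgrafana.net" must not match "grafana.net".
		if host == s || strings.HasSuffix(host, "."+s) {
			return nil
		}
	}
	return fmt.Errorf("untrusted endpoint host %q", host)
}

func main() {
	for _, e := range []string{"https://mystack.grafana.net", "https://evilgrafana.net"} { // constructed inputs
		fmt.Printf("%-30s -> %v\n", e, checkEndpoint(e))
	}
}
```

Running the check before the browser flow starts means tokens are only ever sent to a host that passed the allow-list.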

Types

type Flow

type Flow struct {
	// contains filtered or unexported fields
}

Flow manages the browser-based authentication process.

func NewFlow

func NewFlow(endpoint string, opts Options) *Flow

NewFlow creates a new authentication flow for the given Grafana endpoint.

func (*Flow) Run

func (f *Flow) Run(ctx context.Context) (*Result, error)

Run executes the authentication flow.

type Options

type Options struct {
	// Port specifies a fixed port for the callback server.
	// If 0, an available port will be found automatically.
	Port int

	// BindAddress specifies the address to bind the callback server to.
	// Defaults to "127.0.0.1".
	BindAddress string

	// Scopes specifies the token scopes to request.
	// If empty, DefaultScopes are used.
	Scopes []string

	// Writer is the output writer for user-facing messages.
	// Defaults to os.Stderr.
	Writer io.Writer
}

Options configures the authentication flow.

type RefreshTransport

type RefreshTransport struct {
	Base             http.RoundTripper
	ProxyEndpoint    string
	Token            string
	RefreshToken     string
	ExpiresAt        time.Time
	RefreshExpiresAt time.Time
	OnRefresh        TokenRefresher
	// contains filtered or unexported fields
}

RefreshTransport wraps an http.RoundTripper and transparently refreshes the gat_ access token when it is close to expiry.

func (*RefreshTransport) RoundTrip

func (t *RefreshTransport) RoundTrip(req *http.Request) (*http.Response, error)

type Result

type Result struct {
	// Token is the gat_ access token for API authentication.
	Token string

	// Email is the user's email address.
	Email string

	// DeviceName is the device name (if provided).
	DeviceName string

	// APIEndpoint is the proxy base URL for forwarding requests.
	APIEndpoint string

	// ExpiresAt is the token expiration time in RFC3339 format.
	ExpiresAt string

	// RefreshToken is the gar_ refresh token for obtaining new access tokens.
	RefreshToken string

	// RefreshExpiresAt is the refresh token expiration time in RFC3339 format.
	RefreshExpiresAt string
}

Result contains the result of a successful authentication flow.

type TokenRefresher

type TokenRefresher func(token, refreshToken, expiresAt, refreshExpiresAt string) error

TokenRefresher is called after a successful refresh to persist the new tokens.
