auth

package
v0.2.8 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 20, 2026 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Overview

Package auth implements the browser-based OAuth PKCE authentication flow for gcx. This file is based heavily on assistant-cli-internal/internal/tunnel/auth/flow.go.

Constants

This section is empty.

Variables

var ErrRefreshTokenExpired = errors.New("refresh token expired: re-authentication required")

ErrRefreshTokenExpired is returned when the refresh token has expired and the user must re-authenticate.

Functions

func StripControlChars

func StripControlChars(s string) string

StripControlChars sanitises error text by stripping control characters, so that a potentially malicious error message cannot carry them along when it is interpolated.

func ValidateEndpointURL

func ValidateEndpointURL(endpoint string) error

ValidateEndpointURL checks that the given endpoint URL is a trusted Grafana domain or a local address. Returns an error if the URL is untrusted.

Types

type Flow

type Flow struct {
	// contains filtered or unexported fields
}

Flow manages the browser-based authentication process.

func NewFlow

func NewFlow(endpoint string, opts Options) *Flow

NewFlow creates a new authentication flow for the given Grafana endpoint.

func (*Flow) Run

func (f *Flow) Run(ctx context.Context) (*Result, error)

Run executes the authentication flow.

type Options

type Options struct {
	// Port specifies a fixed port for the callback server.
	// If 0, an available port will be found automatically.
	Port int

	// BindAddress specifies the address to bind the callback server to.
	// Defaults to "127.0.0.1".
	BindAddress string

	// Scopes specifies the token scopes to request.
	// If empty, DefaultScopes are used.
	Scopes []string

	// Writer is the output writer for user-facing messages.
	// Defaults to os.Stderr.
	Writer io.Writer
}

Options configures the authentication flow.

type RefreshResult added in v0.2.2

type RefreshResult struct {
	Token            string
	RefreshToken     string
	ExpiresAt        string
	RefreshExpiresAt string
}

RefreshResult holds the token credentials returned by a successful refresh.

func DoRefresh added in v0.2.2

func DoRefresh(ctx context.Context, proxyEndpoint, refreshTok string) (RefreshResult, error)

DoRefresh calls the proxy refresh endpoint and returns new token credentials. This is used by the assistant command's token refresher, which needs to refresh tokens outside of an HTTP round-trip context.

type RefreshTransport

type RefreshTransport struct {
	Base             http.RoundTripper
	ProxyEndpoint    string
	Token            string
	RefreshToken     string
	ExpiresAt        time.Time
	RefreshExpiresAt time.Time
	OnRefresh        TokenRefresher

	// Lock, if set, is called before a refresh to serialize concurrent gcx
	// invocations that share a config file. Without it, two processes race to
	// refresh the same rotating refresh token and one gets locked out.
	Lock TokenLocker
	// Reload, if set, is called inside the lock before issuing the network
	// refresh. If another process has already refreshed, its tokens are
	// adopted and the network refresh is skipped.
	Reload TokenReloader
	// contains filtered or unexported fields
}

RefreshTransport wraps an http.RoundTripper and transparently refreshes the gat_ access token when it is close to expiry.

func (*RefreshTransport) RoundTrip

func (t *RefreshTransport) RoundTrip(req *http.Request) (*http.Response, error)

type Result

type Result struct {
	// Token is the gat_ access token for API authentication.
	Token string

	// Email is the user's email address.
	Email string

	// DeviceName is the device name (if provided).
	DeviceName string

	// APIEndpoint is the proxy base URL for forwarding requests.
	APIEndpoint string

	// ExpiresAt is the token expiration time in RFC3339 format.
	ExpiresAt string

	// RefreshToken is the gar_ refresh token for obtaining new access tokens.
	RefreshToken string

	// RefreshExpiresAt is the refresh token expiration time in RFC3339 format.
	RefreshExpiresAt string

	// InstanceEndpoint is the endpoint returned by the Grafana instance itself.
	// Only used if the endpoint isn't available during auth (e.g. signing in through grafana.com).
	InstanceEndpoint string
}

Result contains the result of a successful authentication flow.

type StoredTokens added in v0.2.8

type StoredTokens struct {
	Token            string
	RefreshToken     string
	ExpiresAt        time.Time
	RefreshExpiresAt time.Time
}

StoredTokens describes tokens currently on disk.

type TokenLocker added in v0.2.8

type TokenLocker func(ctx context.Context) (release func(), err error)

TokenLocker acquires a cross-process lock around the refresh/persist cycle and returns a release function. Returning a nil release and an error causes the refresh to proceed without a lock (best-effort).

type TokenRefresher

type TokenRefresher func(token, refreshToken, expiresAt, refreshExpiresAt string) error

TokenRefresher is called after a successful refresh to persist the new tokens.

type TokenReloader added in v0.2.8

type TokenReloader func() (StoredTokens, bool, error)

TokenReloader reads the latest tokens from disk. Returns false if no persisted tokens are available.
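The Lock and Reload fields of RefreshTransport, together with TokenLocker and TokenReloader, describe a cycle of lock, reload, then adopt or refresh. The following is an added example, not code from the package: the types are simplified local stand-ins, and `refresh`, `simulate`, the in-memory issuer and the token values are constructed for illustration. The two processes are replayed one after the other, which is the ordering the lock enforces.

```go
package main

import (
	"fmt"
	"sync"
)

// Simplified stand-ins for the page's types (no context, no expiry times).
type StoredTokens struct{ Token, RefreshToken string }
type TokenLocker func() (release func(), err error)
type TokenReloader func() (StoredTokens, bool, error)

// refresh: lock, reload, then adopt a peer's rotation or call the network.
func refresh(mine StoredTokens, lock TokenLocker, reload TokenReloader, network func(string) (StoredTokens, error)) (StoredTokens, error) {
	if release, err := lock(); err == nil {
		defer release()
	} // on a lock error, continue unlocked (best-effort)
	if disk, ok, err := reload(); err == nil && ok && disk.RefreshToken != mine.RefreshToken {
		return disk, nil // a peer already refreshed: skip the network call
	}
	return network(mine.RefreshToken)
}

// simulate replays two processes that loaded the same single-use refresh token.
func simulate(withReload bool) (failed, networkCalls int) {
	valid := "gar_0" // issuer side: the only refresh token still accepted
	disk := StoredTokens{"gat_0", "gar_0"}
	network := func(rt string) (StoredTokens, error) {
		networkCalls++
		if rt != valid {
			return StoredTokens{}, fmt.Errorf("refresh token already rotated")
		}
		valid = "gar_1"
		disk = StoredTokens{"gat_1", valid} // persist, as a TokenRefresher would
		return disk, nil
	}
	var mu sync.Mutex // stands in for the cross-process lock
	lock := func() (func(), error) { mu.Lock(); return mu.Unlock, nil }
	reload := func() (StoredTokens, bool, error) { return disk, withReload, nil } // ok=false: nothing to adopt
	stale := disk // both processes read this before either refreshed
	for i := 0; i < 2; i++ {
		if _, err := refresh(stale, lock, reload, network); err != nil {
			failed++
		}
	}
	return failed, networkCalls
}

func main() { fmt.Println(simulate(false)); fmt.Println(simulate(true)) }
```

Without a reload the second process replays its stale refresh token and is rejected; with it, the second process adopts the tokens already on disk and the issuer is called once.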

Directories

Path Synopsis
Package auth provides shared authentication helpers for the adaptive telemetry provider.