auth

package
v6.7.49 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 5, 2026 License: MIT Imports: 26 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func OAuthModelAliasChannel added in v6.7.0 

func OAuthModelAliasChannel(provider, authKind string) string

OAuthModelAliasChannel returns the OAuth model alias channel name for a given provider and auth kind. Returns empty string if the provider/authKind combination doesn't support OAuth model alias (e.g., API key authentication).

Supported channels: gemini-cli, vertex, aistudio, antigravity, claude, codex, qwen, iflow.

func ProviderRefreshLead 

func ProviderRefreshLead(provider string, runtime any) *time.Duration

func RegisterRefreshLeadProvider 

func RegisterRefreshLeadProvider(provider string, factory func() *time.Duration)

func SetQuotaCooldownDisabled added in v6.2.28 

func SetQuotaCooldownDisabled(disable bool)

SetQuotaCooldownDisabled toggles quota cooldown scheduling globally.

func WithSkipPersist added in v6.7.25 

func WithSkipPersist(ctx context.Context) context.Context

WithSkipPersist returns a derived context that disables persistence for Manager Update/Register calls. It is intended for code paths that are reacting to file watcher events, where the file on disk is already the source of truth and persisting again would create a write-back loop.

Types

type APIKeyConfigEntry added in v6.7.0 

type APIKeyConfigEntry interface {
	GetAPIKey() string
	GetBaseURL() string
}

APIKeyConfigEntry is a generic interface for API key configurations.

type Auth 

type Auth struct {
	// ID uniquely identifies the auth record across restarts.
	ID string `json:"id"`
	// Index is a stable runtime identifier derived from auth metadata (not persisted).
	Index string `json:"-"`
	// Provider is the upstream provider key (e.g. "gemini", "claude").
	Provider string `json:"provider"`
	// Prefix optionally namespaces models for routing (e.g., "teamA/gemini-3-pro-preview").
	Prefix string `json:"prefix,omitempty"`
	// FileName stores the relative or absolute path of the backing auth file.
	FileName string `json:"-"`
	// Storage holds the token persistence implementation used during login flows.
	Storage baseauth.TokenStorage `json:"-"`
	// Label is an optional human readable label for logging.
	Label string `json:"label,omitempty"`
	// Status is the lifecycle status managed by the AuthManager.
	Status Status `json:"status"`
	// StatusMessage holds a short description for the current status.
	StatusMessage string `json:"status_message,omitempty"`
	// Disabled indicates the auth is intentionally disabled by operator.
	Disabled bool `json:"disabled"`
	// Unavailable flags transient provider unavailability (e.g. quota exceeded).
	Unavailable bool `json:"unavailable"`
	// ProxyURL overrides the global proxy setting for this auth if provided.
	ProxyURL string `json:"proxy_url,omitempty"`
	// Attributes stores provider specific metadata needed by executors (immutable configuration).
	Attributes map[string]string `json:"attributes,omitempty"`
	// Metadata stores runtime mutable provider state (e.g. tokens, cookies).
	Metadata map[string]any `json:"metadata,omitempty"`
	// Quota captures recent quota information for load balancers.
	Quota QuotaState `json:"quota"`
	// LastError stores the last failure encountered while executing or refreshing.
	LastError *Error `json:"last_error,omitempty"`
	// CreatedAt is the creation timestamp in UTC.
	CreatedAt time.Time `json:"created_at"`
	// UpdatedAt is the last modification timestamp in UTC.
	UpdatedAt time.Time `json:"updated_at"`
	// LastRefreshedAt records the last successful refresh time in UTC.
	LastRefreshedAt time.Time `json:"last_refreshed_at"`
	// NextRefreshAfter is the earliest time a refresh should retrigger.
	NextRefreshAfter time.Time `json:"next_refresh_after"`
	// NextRetryAfter is the earliest time a retry should retrigger.
	NextRetryAfter time.Time `json:"next_retry_after"`
	// ModelStates tracks per-model runtime availability data.
	ModelStates map[string]*ModelState `json:"model_states,omitempty"`

	// Runtime carries non-serialisable data used during execution (in-memory only).
	Runtime any `json:"-"`
	// contains filtered or unexported fields
}

Auth encapsulates the runtime state and metadata associated with a single credential.

func (*Auth) AccountInfo 

func (a *Auth) AccountInfo() (string, string)

func (*Auth) Clone 

func (a *Auth) Clone() *Auth

Clone shallow copies the Auth structure, duplicating maps to avoid accidental mutation.

func (*Auth) DisableCoolingOverride added in v6.7.25 

func (a *Auth) DisableCoolingOverride() (bool, bool)

DisableCoolingOverride returns the auth-file scoped disable_cooling override when present. The value is read from metadata key "disable_cooling" (or legacy "disable-cooling").

func (*Auth) EnsureIndex added in v6.3.56 

func (a *Auth) EnsureIndex() string

EnsureIndex returns a stable index derived from the auth file name or API key.

func (*Auth) ExpirationTime 

func (a *Auth) ExpirationTime() (time.Time, bool)

ExpirationTime attempts to extract the credential expiration timestamp from metadata. It inspects common keys such as "expired", "expire", "expires_at", and also nested "token" objects to remain compatible with legacy auth file formats.

func (*Auth) ProxyInfo added in v6.6.15 

func (a *Auth) ProxyInfo() string

func (*Auth) RequestRetryOverride added in v6.7.25 

func (a *Auth) RequestRetryOverride() (int, bool)

RequestRetryOverride returns the auth-file scoped request_retry override when present. The value is read from metadata key "request_retry" (or legacy "request-retry").

type Error 

type Error struct {
	// Code is a short machine readable identifier.
	Code string `json:"code,omitempty"`
	// Message is a human readable description of the failure.
	Message string `json:"message"`
	// Retryable indicates whether a retry might fix the issue automatically.
	Retryable bool `json:"retryable"`
	// HTTPStatus optionally records an HTTP-like status code for the error.
	HTTPStatus int `json:"http_status,omitempty"`
}

Error describes an authentication related failure in a provider agnostic format.

func (*Error) Error 

func (e *Error) Error() string

Error implements the error interface.

func (*Error) StatusCode 

func (e *Error) StatusCode() int

StatusCode implements optional status accessor for manager decision making.

type FillFirstSelector added in v6.6.42 

type FillFirstSelector struct{}

FillFirstSelector selects the first available credential (deterministic ordering). This "burns" one account before moving to the next, which can help stagger rolling-window subscription caps (e.g. chat message limits).

func (*FillFirstSelector) Pick added in v6.6.42 

func (s *FillFirstSelector) Pick(ctx context.Context, provider, model string, opts cliproxyexecutor.Options, auths []*Auth) (*Auth, error)

Pick selects the first available auth for the provider in a deterministic manner.

type Hook 

type Hook interface {
	// OnAuthRegistered fires when a new auth is registered.
	OnAuthRegistered(ctx context.Context, auth *Auth)
	// OnAuthUpdated fires when an existing auth changes state.
	OnAuthUpdated(ctx context.Context, auth *Auth)
	// OnResult fires when execution result is recorded.
	OnResult(ctx context.Context, result Result)
}

Hook captures lifecycle callbacks for observing auth changes.

type Manager 

type Manager struct {
	// contains filtered or unexported fields
}

Manager orchestrates auth lifecycle, selection, execution, and persistence.

func NewManager 

func NewManager(store Store, selector Selector, hook Hook) *Manager

NewManager constructs a manager with optional custom selector and hook.

func (*Manager) Execute 

func (m *Manager) Execute(ctx context.Context, providers []string, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (cliproxyexecutor.Response, error)

Execute performs a non-streaming execution using the configured selector and executor. It supports multiple providers for the same model and round-robins the starting provider per model.

func (*Manager) ExecuteCount 

func (m *Manager) ExecuteCount(ctx context.Context, providers []string, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (cliproxyexecutor.Response, error)

ExecuteCount performs a non-streaming execution using the configured selector and executor. It supports multiple providers for the same model and round-robins the starting provider per model.

func (*Manager) ExecuteStream 

func (m *Manager) ExecuteStream(ctx context.Context, providers []string, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (<-chan cliproxyexecutor.StreamChunk, error)

ExecuteStream performs a streaming execution using the configured selector and executor. It supports multiple providers for the same model and round-robins the starting provider per model.

func (*Manager) GetByID 

func (m *Manager) GetByID(id string) (*Auth, bool)

func (*Manager) HttpRequest added in v6.6.98 

func (m *Manager) HttpRequest(ctx context.Context, auth *Auth, req *http.Request) (*http.Response, error)

HttpRequest injects provider credentials into the supplied HTTP request and executes it.

func (*Manager) InjectCredentials 

func (m *Manager) InjectCredentials(req *http.Request, authID string) error

InjectCredentials delegates per-provider HTTP request preparation when supported. If the registered executor for the auth provider implements RequestPreparer, it will be invoked to modify the request (e.g., add headers).

func (*Manager) List 

func (m *Manager) List() []*Auth

List returns all auth entries currently known by the manager.

func (*Manager) Load 

func (m *Manager) Load(ctx context.Context) error

Load resets manager state from the backing store.

func (*Manager) MarkResult 

func (m *Manager) MarkResult(ctx context.Context, result Result)

MarkResult records an execution result and notifies hooks.

func (*Manager) NewHttpRequest added in v6.6.98 

func (m *Manager) NewHttpRequest(ctx context.Context, auth *Auth, method, targetURL string, body []byte, headers http.Header) (*http.Request, error)

NewHttpRequest constructs a new HTTP request and injects provider credentials into it.

func (*Manager) PrepareHttpRequest added in v6.6.98 

func (m *Manager) PrepareHttpRequest(ctx context.Context, auth *Auth, req *http.Request) error

PrepareHttpRequest injects provider credentials into the supplied HTTP request.

func (*Manager) Register 

func (m *Manager) Register(ctx context.Context, auth *Auth) (*Auth, error)

Register inserts a new auth entry into the manager.

func (*Manager) RegisterExecutor 

func (m *Manager) RegisterExecutor(executor ProviderExecutor)

RegisterExecutor registers a provider executor with the manager.

func (*Manager) SetConfig added in v6.7.0 

func (m *Manager) SetConfig(cfg *internalconfig.Config)

SetConfig updates the runtime config snapshot used by request-time helpers. Callers should provide the latest config on reload so per-credential alias mapping stays in sync.

func (*Manager) SetOAuthModelAlias added in v6.7.0 

func (m *Manager) SetOAuthModelAlias(aliases map[string][]internalconfig.OAuthModelAlias)

SetOAuthModelAlias updates the OAuth model name alias table used during execution. The alias is applied per-auth channel to resolve the upstream model name while keeping the client-visible model name unchanged for translation/response formatting.

func (*Manager) SetRetryConfig added in v6.5.13 

func (m *Manager) SetRetryConfig(retry int, maxRetryInterval time.Duration)

SetRetryConfig updates retry attempts and cooldown wait interval.

func (*Manager) SetRoundTripperProvider 

func (m *Manager) SetRoundTripperProvider(p RoundTripperProvider)

SetRoundTripperProvider register a provider that returns a per-auth RoundTripper.

func (*Manager) SetSelector added in v6.6.42 

func (m *Manager) SetSelector(selector Selector)

func (*Manager) SetStore 

func (m *Manager) SetStore(store Store)

SetStore swaps the underlying persistence store.

func (*Manager) StartAutoRefresh 

func (m *Manager) StartAutoRefresh(parent context.Context, interval time.Duration)

StartAutoRefresh launches a background loop that evaluates auth freshness every few seconds and triggers refresh operations when required. Only one loop is kept alive; starting a new one cancels the previous run.

func (*Manager) StopAutoRefresh 

func (m *Manager) StopAutoRefresh()

StopAutoRefresh cancels the background refresh loop, if running.

func (*Manager) UnregisterExecutor added in v6.2.33 

func (m *Manager) UnregisterExecutor(provider string)

UnregisterExecutor removes the executor associated with the provider key.

func (*Manager) Update 

func (m *Manager) Update(ctx context.Context, auth *Auth) (*Auth, error)

Update replaces an existing auth entry and notifies hooks.

type ModelState 

type ModelState struct {
	// Status reflects the lifecycle status for this model.
	Status Status `json:"status"`
	// StatusMessage provides an optional short description of the status.
	StatusMessage string `json:"status_message,omitempty"`
	// Unavailable mirrors whether the model is temporarily blocked for retries.
	Unavailable bool `json:"unavailable"`
	// NextRetryAfter defines the per-model retry time.
	NextRetryAfter time.Time `json:"next_retry_after"`
	// LastError records the latest error observed for this model.
	LastError *Error `json:"last_error,omitempty"`
	// Quota retains quota information if this model hit rate limits.
	Quota QuotaState `json:"quota"`
	// UpdatedAt tracks the last update timestamp for this model state.
	UpdatedAt time.Time `json:"updated_at"`
}

ModelState captures the execution state for a specific model under an auth entry.

func (*ModelState) Clone 

func (m *ModelState) Clone() *ModelState

Clone duplicates a model state including nested error details.

type NoopHook 

type NoopHook struct{}

NoopHook provides optional hook defaults.

func (NoopHook) OnAuthRegistered 

func (NoopHook) OnAuthRegistered(context.Context, *Auth)

OnAuthRegistered implements Hook.

func (NoopHook) OnAuthUpdated 

func (NoopHook) OnAuthUpdated(context.Context, *Auth)

OnAuthUpdated implements Hook.

func (NoopHook) OnResult 

func (NoopHook) OnResult(context.Context, Result)

OnResult implements Hook.

type ProviderExecutor 

type ProviderExecutor interface {
	// Identifier returns the provider key handled by this executor.
	Identifier() string
	// Execute handles non-streaming execution and returns the provider response payload.
	Execute(ctx context.Context, auth *Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (cliproxyexecutor.Response, error)
	// ExecuteStream handles streaming execution and returns a channel of provider chunks.
	ExecuteStream(ctx context.Context, auth *Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (<-chan cliproxyexecutor.StreamChunk, error)
	// Refresh attempts to refresh provider credentials and returns the updated auth state.
	Refresh(ctx context.Context, auth *Auth) (*Auth, error)
	// CountTokens returns the token count for the given request.
	CountTokens(ctx context.Context, auth *Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (cliproxyexecutor.Response, error)
	// HttpRequest injects provider credentials into the supplied HTTP request and executes it.
	// Callers must close the response body when non-nil.
	HttpRequest(ctx context.Context, auth *Auth, req *http.Request) (*http.Response, error)
}

ProviderExecutor defines the contract required by Manager to execute provider calls.

type QuotaState 

type QuotaState struct {
	// Exceeded indicates the credential recently hit a quota error.
	Exceeded bool `json:"exceeded"`
	// Reason provides an optional provider specific human readable description.
	Reason string `json:"reason,omitempty"`
	// NextRecoverAt is when the credential may become available again.
	NextRecoverAt time.Time `json:"next_recover_at"`
	// BackoffLevel stores the progressive cooldown exponent used for rate limits.
	BackoffLevel int `json:"backoff_level,omitempty"`
}

QuotaState contains limiter tracking data for a credential.

type RefreshEvaluator 

type RefreshEvaluator interface {
	ShouldRefresh(now time.Time, auth *Auth) bool
}

RefreshEvaluator allows runtime state to override refresh decisions.

type RequestPreparer 

type RequestPreparer interface {
	PrepareRequest(req *http.Request, auth *Auth) error
}

RequestPreparer is an optional interface that provider executors can implement to mutate outbound HTTP requests with provider credentials.

type Result 

type Result struct {
	// AuthID references the auth that produced this result.
	AuthID string
	// Provider is copied for convenience when emitting hooks.
	Provider string
	// Model is the upstream model identifier used for the request.
	Model string
	// Success marks whether the execution succeeded.
	Success bool
	// RetryAfter carries a provider supplied retry hint (e.g. 429 retryDelay).
	RetryAfter *time.Duration
	// Error describes the failure when Success is false.
	Error *Error
}

Result captures execution outcome used to adjust auth state.

type RoundRobinSelector 

type RoundRobinSelector struct {
	// contains filtered or unexported fields
}

RoundRobinSelector provides a simple provider scoped round-robin selection strategy.

func (*RoundRobinSelector) Pick 

func (s *RoundRobinSelector) Pick(ctx context.Context, provider, model string, opts cliproxyexecutor.Options, auths []*Auth) (*Auth, error)

Pick selects the next available auth for the provider in a round-robin manner.

type RoundTripperProvider 

type RoundTripperProvider interface {
	RoundTripperFor(auth *Auth) http.RoundTripper
}

RoundTripperProvider defines a minimal provider of per-auth HTTP transports.

type Selector 

type Selector interface {
	Pick(ctx context.Context, provider, model string, opts cliproxyexecutor.Options, auths []*Auth) (*Auth, error)
}

Selector chooses an auth candidate for execution.

type Status 

type Status string

Status represents the lifecycle state of an Auth entry. 

const (
	// StatusUnknown means the auth state could not be determined.
	StatusUnknown Status = "unknown"
	// StatusActive indicates the auth is valid and ready for execution.
	StatusActive Status = "active"
	// StatusPending indicates the auth is waiting for an external action, such as MFA.
	StatusPending Status = "pending"
	// StatusRefreshing indicates the auth is undergoing a refresh flow.
	StatusRefreshing Status = "refreshing"
	// StatusError indicates the auth is temporarily unavailable due to errors.
	StatusError Status = "error"
	// StatusDisabled marks the auth as intentionally disabled.
	StatusDisabled Status = "disabled"
)

type Store 

type Store interface {
	// List returns all auth records stored in the backend.
	List(ctx context.Context) ([]*Auth, error)
	// Save persists the provided auth record, replacing any existing one with same ID.
	Save(ctx context.Context, auth *Auth) (string, error)
	// Delete removes the auth record identified by id.
	Delete(ctx context.Context, id string) error
}

Store abstracts persistence of Auth state across restarts.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.