oauth

package
v0.16.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 24, 2026 License: MIT Imports: 8 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	VaultKeyGitHub = "GH_OAUTH"
	VaultKeyLark   = "LARK_CLI_OAUTH"
	VaultKeyFeishu = "FEISHU_CLI_OAUTH"
)

Vault key names for the supported providers.

Variables

This section is empty.

Functions

func DeleteBundle 

func DeleteBundle(ctx context.Context, vs VaultStore, userID int64, key string) error

DeleteBundle removes the vault entry identified by key for userID.

func SaveOAuthBundle added in v0.16.0 

func SaveOAuthBundle(ctx context.Context, vs VaultStore, userID int64, key string, bundle OAuthBundle) error

SaveOAuthBundle serializes bundle to JSON and stores it under the given vault key for userID.

Types

type AuthCodeBroker added in v0.16.0 

type AuthCodeBroker struct {
	// contains filtered or unexported fields
}

AuthCodeBroker implements the OAuth2 authorization-code flow. The user visits VerificationURI (an auth-code URL) and the callback handler calls Complete with the code returned by the provider.

func NewAuthCodeBroker added in v0.16.0 

func NewAuthCodeBroker(cfg *oauth2.Config, store *FlowStore) *AuthCodeBroker

NewAuthCodeBroker creates an AuthCodeBroker backed by store.

func (*AuthCodeBroker) Complete added in v0.16.0 

func (b *AuthCodeBroker) Complete(ctx context.Context, flowID string, code string) (*oauth2.Token, error)

Complete exchanges an authorization code for tokens and returns the token. The code comes from the OAuth callback handler's query parameter.

func (*AuthCodeBroker) Poll added in v0.16.0 

func (b *AuthCodeBroker) Poll(ctx context.Context, flowID string) (FlowStatus, error)

Poll checks whether the flow has been completed externally.

func (*AuthCodeBroker) StartFlow added in v0.16.0 

func (b *AuthCodeBroker) StartFlow(ctx context.Context, provider Provider, userID int64) (FlowStatus, error)

StartFlow generates a state token, constructs the authorization URL, and stores a pending FlowStatus. The user must navigate to VerificationURI.

type DeviceCodeBroker added in v0.16.0 

type DeviceCodeBroker struct {
	// contains filtered or unexported fields
}

DeviceCodeBroker implements the OAuth2 device-code flow. It spawns a background goroutine that polls the token endpoint until the user authorizes the device.

func NewDeviceCodeBroker added in v0.16.0 

func NewDeviceCodeBroker(cfg *oauth2.Config, store *FlowStore) *DeviceCodeBroker

NewDeviceCodeBroker creates a DeviceCodeBroker backed by store. cfg.Endpoint must have DeviceAuthEndpoint set.

func (*DeviceCodeBroker) Complete added in v0.16.0 

func (b *DeviceCodeBroker) Complete(ctx context.Context, flowID string) (*oauth2.Token, error)

Complete returns the token once the background goroutine finishes. Must be called only after Poll returns FlowStateAuthorized.

func (*DeviceCodeBroker) Poll added in v0.16.0 

func (b *DeviceCodeBroker) Poll(ctx context.Context, flowID string) (FlowStatus, error)

Poll checks whether the user has completed authorization for flowID.

func (*DeviceCodeBroker) StartFlow added in v0.16.0 

func (b *DeviceCodeBroker) StartFlow(ctx context.Context, provider Provider, userID int64) (FlowStatus, error)

StartFlow requests a device code, stores pending state, and returns the FlowStatus the caller should display. A background goroutine polls the token endpoint until the user authorizes or the flow expires.

type FlowBroker added in v0.16.0 

type FlowBroker interface {
	StartFlow(ctx context.Context, provider Provider, userID int64) (FlowStatus, error)
	Poll(ctx context.Context, flowID string) (FlowStatus, error)
}

FlowBroker is the common interface for both device-code and authorization-code OAuth flows.

type FlowState 

type FlowState string

FlowState is the lifecycle state of a device-flow authorization. 

const (
	FlowStatePending    FlowState = "pending"
	FlowStateAuthorized FlowState = "authorized"
	FlowStateFailed     FlowState = "failed"
	FlowStateExpired    FlowState = "expired"
)

type FlowStatus 

type FlowStatus struct {
	Provider        Provider
	FlowID          string
	UserID          int64
	VerificationURI string
	UserCode        string
	ExpiresAt       time.Time
	State           FlowState
}

FlowStatus is the public view of an in-flight device-flow session.

type FlowStore 

type FlowStore struct {
	// contains filtered or unexported fields
}

FlowStore is an in-memory store of in-flight device-flow sessions. Known limitation: a process restart loses all pending flows.

func NewFlowStore 

func NewFlowStore() *FlowStore

NewFlowStore returns an empty FlowStore.

func (*FlowStore) Create 

func (s *FlowStore) Create(status FlowStatus)

Create stores a new FlowStatus keyed by its FlowID.

func (*FlowStore) Delete 

func (s *FlowStore) Delete(flowID string)

Delete removes the flow with the given ID from the store.

func (*FlowStore) Get 

func (s *FlowStore) Get(flowID string) (FlowStatus, bool)

Get returns the FlowStatus for flowID, or false if not found.

func (*FlowStore) Update 

func (s *FlowStore) Update(flowID string, state FlowState, update func(*FlowStatus))

Update sets state on the named flow and then calls update (if non-nil) to allow further mutation. The state is applied first so callers can inspect or override it inside update.

type OAuthBundle added in v0.16.0 

type OAuthBundle struct {
	Version          int       `json:"version"`
	ClientID         string    `json:"client_id"`
	ClientSecret     string    `json:"client_secret"`
	AccessToken      string    `json:"access_token"`
	RefreshToken     string    `json:"refresh_token,omitempty"`
	AccessExpiresAt  time.Time `json:"access_expires_at"`
	RefreshExpiresAt time.Time `json:"refresh_expires_at,omitempty"`
	Brand            string    `json:"brand,omitempty"` // e.g. "lark" or "feishu"
}

OAuthBundle is the generic versioned vault payload for all YAML-driven OAuth providers. It replaces provider-specific bundles so TokenManager and brokers can work uniformly.

func LoadOAuthBundle added in v0.16.0 

func LoadOAuthBundle(ctx context.Context, vs VaultStore, userID int64, key string) (*OAuthBundle, error)

LoadOAuthBundle retrieves and deserializes the OAuth bundle for userID under the given vault key. Returns nil, nil if no entry exists yet.

type Provider 

type Provider string

Provider identifies an OAuth provider. 

const (
	ProviderGitHub Provider = "github"
	ProviderLark   Provider = "lark"
)

type ProviderConfig added in v0.16.0 

type ProviderConfig struct {
	ID       string
	Scopes   []string
	VaultKey string
	Flows    []ProviderFlowConfig
}

ProviderConfig holds the static configuration for an OAuth provider read from manifest YAML. Credentials are not baked in — they are fetched from plugin config at flow-start time so admin UI edits take effect immediately.

type ProviderFlowConfig added in v0.16.0 

type ProviderFlowConfig struct {
	Type          string
	AuthURL       string
	DeviceAuthURL string
	TokenURL      string
	AuthStyle     oauth2.AuthStyle
}

ProviderFlowConfig holds the static configuration for one OAuth flow type (authorization_code or device_code) read from manifest YAML.

type ProviderRegistry added in v0.16.0 

type ProviderRegistry struct {
	// contains filtered or unexported fields
}

ProviderRegistry maps OAuth provider IDs to their static ProviderConfig. It is populated from manifest oauth_providers at runtime.

func NewProviderRegistry added in v0.16.0 

func NewProviderRegistry() *ProviderRegistry

NewProviderRegistry returns an empty registry.

func (*ProviderRegistry) Get added in v0.16.0 

func (r *ProviderRegistry) Get(providerID string) (ProviderConfig, bool)

Get returns the ProviderConfig for providerID, or false if not registered.

func (*ProviderRegistry) GetToken added in v0.16.0 

func (r *ProviderRegistry) GetToken(ctx context.Context, vs VaultStore, providerID string, userID int64) (*OAuthBundle, error)

GetToken loads the OAuthBundle for userID from vault using the provider's registered vault key.

func (*ProviderRegistry) IDs added in v0.16.0 

func (r *ProviderRegistry) IDs() []string

IDs returns all registered provider IDs in sorted order.

func (*ProviderRegistry) Register added in v0.16.0 

func (r *ProviderRegistry) Register(cfg ProviderConfig)

Register adds a provider's static configuration to the registry.

func (*ProviderRegistry) VaultKey added in v0.16.0 

func (r *ProviderRegistry) VaultKey(providerID string) (string, bool)

VaultKey returns the vault key for providerID, or false if not registered.

type TokenManager 

type TokenManager struct {
	// contains filtered or unexported fields
}

TokenManager provides host-side token validation and reads from/writes to the vault.

func NewTokenManager 

func NewTokenManager(vs VaultStore) *TokenManager

NewTokenManager constructs a TokenManager backed by vs.

func (*TokenManager) GetOAuthToken added in v0.16.0 

func (m *TokenManager) GetOAuthToken(ctx context.Context, providerID string, userID int64) (*OAuthBundle, error)

GetOAuthToken returns the generic OAuthBundle for providerID and userID. It delegates to the ProviderRegistry to load the bundle from vault.

func (*TokenManager) SetRegistry added in v0.16.0 

func (m *TokenManager) SetRegistry(r *ProviderRegistry)

SetRegistry wires the provider registry used by GetOAuthToken.

type VaultStore 

type VaultStore interface {
	Set(ctx context.Context, userID int64, name string, plaintext string) error
	Delete(ctx context.Context, userID int64, name string) error
	LoadEnv(ctx context.Context, userID int64) (map[string]string, error)
}

VaultStore is the narrow interface this package needs from the vault service.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.