auth

package
v6.9.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 25, 2026 License: MIT Imports: 28 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// CloseAllExecutionSessionsID asks an executor to release all active execution sessions.
	// Executors that do not support this marker may ignore it.
	CloseAllExecutionSessionsID = "__all_execution_sessions__"
)

Variables

This section is empty.

Functions

func OAuthModelAliasChannel 

func OAuthModelAliasChannel(provider, authKind string) string

OAuthModelAliasChannel returns the OAuth model alias channel name for a given provider and auth kind. Returns empty string if the provider/authKind combination doesn't support OAuth model alias (e.g., API key authentication).

Supported channels: gemini-cli, vertex, aistudio, antigravity, claude, codex, qwen, iflow, kimi.

func ProviderRefreshLead 

func ProviderRefreshLead(provider string, runtime any) *time.Duration

func RegisterRefreshLeadProvider 

func RegisterRefreshLeadProvider(provider string, factory func() *time.Duration)

func SetQuotaCooldownDisabled 

func SetQuotaCooldownDisabled(disable bool)

SetQuotaCooldownDisabled toggles quota cooldown scheduling globally.

func WithRequestInfo 

func WithRequestInfo(ctx context.Context, info *RequestInfo) context.Context

WithRequestInfo returns a new context with the given RequestInfo attached.

func WithSkipPersist 

func WithSkipPersist(ctx context.Context) context.Context

WithSkipPersist returns a derived context that disables persistence for Manager Update/Register calls. It is intended for code paths that are reacting to file watcher events, where the file on disk is already the source of truth and persisting again would create a write-back loop.

Types

type APIKeyConfigEntry 

type APIKeyConfigEntry interface {
	GetAPIKey() string
	GetBaseURL() string
}

APIKeyConfigEntry is a generic interface for API key configurations.

type Auth 

type Auth struct {
	// ID uniquely identifies the auth record across restarts.
	ID string `json:"id"`
	// Index is a stable runtime identifier derived from auth metadata (not persisted).
	Index string `json:"-"`
	// Provider is the upstream provider key (e.g. "gemini", "claude").
	Provider string `json:"provider"`
	// Prefix optionally namespaces models for routing (e.g., "teamA/gemini-3-pro-preview").
	Prefix string `json:"prefix,omitempty"`
	// FileName stores the relative or absolute path of the backing auth file.
	FileName string `json:"-"`
	// Storage holds the token persistence implementation used during login flows.
	Storage baseauth.TokenStorage `json:"-"`
	// Label is an optional human readable label for logging.
	Label string `json:"label,omitempty"`
	// Status is the lifecycle status managed by the AuthManager.
	Status Status `json:"status"`
	// StatusMessage holds a short description for the current status.
	StatusMessage string `json:"status_message,omitempty"`
	// Disabled indicates the auth is intentionally disabled by operator.
	Disabled bool `json:"disabled"`
	// Unavailable flags transient provider unavailability (e.g. quota exceeded).
	Unavailable bool `json:"unavailable"`
	// ProxyURL overrides the global proxy setting for this auth if provided.
	ProxyURL string `json:"proxy_url,omitempty"`
	// Attributes stores provider specific metadata needed by executors (immutable configuration).
	Attributes map[string]string `json:"attributes,omitempty"`
	// Metadata stores runtime mutable provider state (e.g. tokens, cookies).
	Metadata map[string]any `json:"metadata,omitempty"`
	// Quota captures recent quota information for load balancers.
	Quota QuotaState `json:"quota"`
	// LastError stores the last failure encountered while executing or refreshing.
	LastError *Error `json:"last_error,omitempty"`
	// CreatedAt is the creation timestamp in UTC.
	CreatedAt time.Time `json:"created_at"`
	// UpdatedAt is the last modification timestamp in UTC.
	UpdatedAt time.Time `json:"updated_at"`
	// LastRefreshedAt records the last successful refresh time in UTC.
	LastRefreshedAt time.Time `json:"last_refreshed_at"`
	// NextRefreshAfter is the earliest time a refresh should retrigger.
	NextRefreshAfter time.Time `json:"next_refresh_after"`
	// NextRetryAfter is the earliest time a retry should retrigger.
	NextRetryAfter time.Time `json:"next_retry_after"`
	// ModelStates tracks per-model runtime availability data.
	ModelStates map[string]*ModelState `json:"model_states,omitempty"`

	// Runtime carries non-serialisable data used during execution (in-memory only).
	Runtime any `json:"-"`
	// contains filtered or unexported fields
}

Auth encapsulates the runtime state and metadata associated with a single credential.

func (*Auth) AccountInfo 

func (a *Auth) AccountInfo() (string, string)

func (*Auth) Clone 

func (a *Auth) Clone() *Auth

Clone shallow copies the Auth structure, duplicating maps to avoid accidental mutation.

func (*Auth) DisableCoolingOverride 

func (a *Auth) DisableCoolingOverride() (bool, bool)

DisableCoolingOverride returns the auth-file scoped disable_cooling override when present. The value is read from metadata key "disable_cooling" (or legacy "disable-cooling").

func (*Auth) EnsureIndex 

func (a *Auth) EnsureIndex() string

EnsureIndex returns a stable index derived from the auth file name or credential identity.

func (*Auth) ExpirationTime 

func (a *Auth) ExpirationTime() (time.Time, bool)

ExpirationTime attempts to extract the credential expiration timestamp from metadata. It inspects common keys such as "expired", "expire", "expires_at", and also nested "token" objects to remain compatible with legacy auth file formats.

func (*Auth) ProxyInfo 

func (a *Auth) ProxyInfo() string

func (*Auth) RequestRetryOverride 

func (a *Auth) RequestRetryOverride() (int, bool)

RequestRetryOverride returns the auth-file scoped request_retry override when present. The value is read from metadata key "request_retry" (or legacy "request-retry").

func (*Auth) ToolPrefixDisabled 

func (a *Auth) ToolPrefixDisabled() bool

ToolPrefixDisabled returns whether the proxy_ tool name prefix should be skipped for this auth. When true, tool names are sent to Anthropic unchanged. The value is read from metadata key "tool_prefix_disabled" (or "tool-prefix-disabled").

type Error 

type Error struct {
	// Code is a short machine readable identifier.
	Code string `json:"code,omitempty"`
	// Message is a human readable description of the failure.
	Message string `json:"message"`
	// Retryable indicates whether a retry might fix the issue automatically.
	Retryable bool `json:"retryable"`
	// HTTPStatus optionally records an HTTP-like status code for the error.
	HTTPStatus int `json:"http_status,omitempty"`
}

Error describes an authentication related failure in a provider agnostic format.

func (*Error) Error 

func (e *Error) Error() string

Error implements the error interface.

func (*Error) StatusCode 

func (e *Error) StatusCode() int

StatusCode implements optional status accessor for manager decision making.

type ExecutionSessionCloser 

type ExecutionSessionCloser interface {
	CloseExecutionSession(sessionID string)
}

ExecutionSessionCloser allows executors to release per-session runtime resources.

type FillFirstSelector 

type FillFirstSelector struct{}

FillFirstSelector selects the first available credential (deterministic ordering). This "burns" one account before moving to the next, which can help stagger rolling-window subscription caps (e.g. chat message limits).

func (*FillFirstSelector) Pick 

func (s *FillFirstSelector) Pick(ctx context.Context, provider, model string, opts cliproxyexecutor.Options, auths []*Auth) (*Auth, error)

Pick selects the first available auth for the provider in a deterministic manner.

type Hook 

type Hook interface {
	// OnAuthRegistered fires when a new auth is registered.
	OnAuthRegistered(ctx context.Context, auth *Auth)
	// OnAuthUpdated fires when an existing auth changes state.
	OnAuthUpdated(ctx context.Context, auth *Auth)
	// OnResult fires when execution result is recorded.
	OnResult(ctx context.Context, result Result)
}

Hook captures lifecycle callbacks for observing auth changes.

type Manager 

type Manager struct {
	// contains filtered or unexported fields
}

Manager orchestrates auth lifecycle, selection, execution, and persistence.

func NewManager 

func NewManager(store Store, selector Selector, hook Hook) *Manager

NewManager constructs a manager with optional custom selector and hook.

func (*Manager) CloseExecutionSession 

func (m *Manager) CloseExecutionSession(sessionID string)

CloseExecutionSession asks all registered executors to release the supplied execution session.

func (*Manager) Execute 

func (m *Manager) Execute(ctx context.Context, providers []string, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (cliproxyexecutor.Response, error)

Execute performs a non-streaming execution using the configured selector and executor. It supports multiple providers for the same model and round-robins the starting provider per model.

func (*Manager) ExecuteCount 

func (m *Manager) ExecuteCount(ctx context.Context, providers []string, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (cliproxyexecutor.Response, error)

ExecuteCount performs a non-streaming execution using the configured selector and executor. It supports multiple providers for the same model and round-robins the starting provider per model.

func (*Manager) ExecuteStream 

func (m *Manager) ExecuteStream(ctx context.Context, providers []string, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (*cliproxyexecutor.StreamResult, error)

ExecuteStream performs a streaming execution using the configured selector and executor. It supports multiple providers for the same model and round-robins the starting provider per model.

func (*Manager) Executor 

func (m *Manager) Executor(provider string) (ProviderExecutor, bool)

Executor returns the registered provider executor for a provider key.

func (*Manager) GetByID 

func (m *Manager) GetByID(id string) (*Auth, bool)

func (*Manager) HttpRequest 

func (m *Manager) HttpRequest(ctx context.Context, auth *Auth, req *http.Request) (*http.Response, error)

HttpRequest injects provider credentials into the supplied HTTP request and executes it.

func (*Manager) InjectCredentials 

func (m *Manager) InjectCredentials(req *http.Request, authID string) error

InjectCredentials delegates per-provider HTTP request preparation when supported. If the registered executor for the auth provider implements RequestPreparer, it will be invoked to modify the request (e.g., add headers).

func (*Manager) List 

func (m *Manager) List() []*Auth

List returns all auth entries currently known by the manager.

func (*Manager) Load 

func (m *Manager) Load(ctx context.Context) error

Load resets manager state from the backing store.

func (*Manager) MarkResult 

func (m *Manager) MarkResult(ctx context.Context, result Result)

MarkResult records an execution result and notifies hooks.

func (*Manager) NewHttpRequest 

func (m *Manager) NewHttpRequest(ctx context.Context, auth *Auth, method, targetURL string, body []byte, headers http.Header) (*http.Request, error)

NewHttpRequest constructs a new HTTP request and injects provider credentials into it.

func (*Manager) PrepareHttpRequest 

func (m *Manager) PrepareHttpRequest(ctx context.Context, auth *Auth, req *http.Request) error

PrepareHttpRequest injects provider credentials into the supplied HTTP request.

func (*Manager) RefreshSchedulerEntry 

func (m *Manager) RefreshSchedulerEntry(authID string)

RefreshSchedulerEntry re-upserts a single auth into the scheduler so that its supportedModelSet is rebuilt from the current global model registry state. This must be called after models have been registered for a newly added auth, because the initial scheduler.upsertAuth during Register/Update runs before registerModelsForAuth and therefore snapshots an empty model set.

func (*Manager) Register 

func (m *Manager) Register(ctx context.Context, auth *Auth) (*Auth, error)

Register inserts a new auth entry into the manager.

func (*Manager) RegisterExecutor 

func (m *Manager) RegisterExecutor(executor ProviderExecutor)

RegisterExecutor registers a provider executor with the manager.

func (*Manager) SetConfig 

func (m *Manager) SetConfig(cfg *internalconfig.Config)

SetConfig updates the runtime config snapshot used by request-time helpers. Callers should provide the latest config on reload so per-credential alias mapping stays in sync.

func (*Manager) SetOAuthModelAlias 

func (m *Manager) SetOAuthModelAlias(aliases map[string][]internalconfig.OAuthModelAlias)

SetOAuthModelAlias updates the OAuth model name alias table used during execution. The alias is applied per-auth channel to resolve the upstream model name while keeping the client-visible model name unchanged for translation/response formatting.

func (*Manager) SetRetryConfig 

func (m *Manager) SetRetryConfig(retry int, maxRetryInterval time.Duration, maxRetryCredentials int)

SetRetryConfig updates retry attempts, credential retry limit and cooldown wait interval.

func (*Manager) SetRoundTripperProvider 

func (m *Manager) SetRoundTripperProvider(p RoundTripperProvider)

SetRoundTripperProvider register a provider that returns a per-auth RoundTripper.

func (*Manager) SetSelector 

func (m *Manager) SetSelector(selector Selector)

func (*Manager) SetStore 

func (m *Manager) SetStore(store Store)

SetStore swaps the underlying persistence store.

func (*Manager) StartAutoRefresh 

func (m *Manager) StartAutoRefresh(parent context.Context, interval time.Duration)

StartAutoRefresh launches a background loop that evaluates auth freshness every few seconds and triggers refresh operations when required. Only one loop is kept alive; starting a new one cancels the previous run.

func (*Manager) StopAutoRefresh 

func (m *Manager) StopAutoRefresh()

StopAutoRefresh cancels the background refresh loop, if running.

func (*Manager) UnregisterExecutor 

func (m *Manager) UnregisterExecutor(provider string)

UnregisterExecutor removes the executor associated with the provider key.

func (*Manager) Update 

func (m *Manager) Update(ctx context.Context, auth *Auth) (*Auth, error)

Update replaces an existing auth entry and notifies hooks.

type ModelState 

type ModelState struct {
	// Status reflects the lifecycle status for this model.
	Status Status `json:"status"`
	// StatusMessage provides an optional short description of the status.
	StatusMessage string `json:"status_message,omitempty"`
	// Unavailable mirrors whether the model is temporarily blocked for retries.
	Unavailable bool `json:"unavailable"`
	// NextRetryAfter defines the per-model retry time.
	NextRetryAfter time.Time `json:"next_retry_after"`
	// LastError records the latest error observed for this model.
	LastError *Error `json:"last_error,omitempty"`
	// Quota retains quota information if this model hit rate limits.
	Quota QuotaState `json:"quota"`
	// UpdatedAt tracks the last update timestamp for this model state.
	UpdatedAt time.Time `json:"updated_at"`
}

ModelState captures the execution state for a specific model under an auth entry.

func (*ModelState) Clone 

func (m *ModelState) Clone() *ModelState

Clone duplicates a model state including nested error details.

type NoopHook 

type NoopHook struct{}

NoopHook provides optional hook defaults.

func (NoopHook) OnAuthRegistered 

func (NoopHook) OnAuthRegistered(context.Context, *Auth)

OnAuthRegistered implements Hook.

func (NoopHook) OnAuthUpdated 

func (NoopHook) OnAuthUpdated(context.Context, *Auth)

OnAuthUpdated implements Hook.

func (NoopHook) OnResult 

func (NoopHook) OnResult(context.Context, Result)

OnResult implements Hook.

type PostAuthHook 

type PostAuthHook func(context.Context, *Auth) error

PostAuthHook defines a function that is called after an Auth record is created but before it is persisted to storage. This allows for modification of the Auth record (e.g., injecting metadata) based on external context.

type ProviderExecutor 

type ProviderExecutor interface {
	// Identifier returns the provider key handled by this executor.
	Identifier() string
	// Execute handles non-streaming execution and returns the provider response payload.
	Execute(ctx context.Context, auth *Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (cliproxyexecutor.Response, error)
	// ExecuteStream handles streaming execution and returns a StreamResult containing
	// upstream headers and a channel of provider chunks.
	ExecuteStream(ctx context.Context, auth *Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (*cliproxyexecutor.StreamResult, error)
	// Refresh attempts to refresh provider credentials and returns the updated auth state.
	Refresh(ctx context.Context, auth *Auth) (*Auth, error)
	// CountTokens returns the token count for the given request.
	CountTokens(ctx context.Context, auth *Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (cliproxyexecutor.Response, error)
	// HttpRequest injects provider credentials into the supplied HTTP request and executes it.
	// Callers must close the response body when non-nil.
	HttpRequest(ctx context.Context, auth *Auth, req *http.Request) (*http.Response, error)
}

ProviderExecutor defines the contract required by Manager to execute provider calls.

type QuotaState 

type QuotaState struct {
	// Exceeded indicates the credential recently hit a quota error.
	Exceeded bool `json:"exceeded"`
	// Reason provides an optional provider specific human readable description.
	Reason string `json:"reason,omitempty"`
	// NextRecoverAt is when the credential may become available again.
	NextRecoverAt time.Time `json:"next_recover_at"`
	// BackoffLevel stores the progressive cooldown exponent used for rate limits.
	BackoffLevel int `json:"backoff_level,omitempty"`
}

QuotaState contains limiter tracking data for a credential.

type RefreshEvaluator 

type RefreshEvaluator interface {
	ShouldRefresh(now time.Time, auth *Auth) bool
}

RefreshEvaluator allows runtime state to override refresh decisions.

type RequestInfo 

type RequestInfo struct {
	Query   url.Values
	Headers http.Header
}

RequestInfo holds information extracted from the HTTP request. It is injected into the context passed to PostAuthHook.

func GetRequestInfo 

func GetRequestInfo(ctx context.Context) *RequestInfo

GetRequestInfo retrieves the RequestInfo from the context, if present.

type RequestPreparer 

type RequestPreparer interface {
	PrepareRequest(req *http.Request, auth *Auth) error
}

RequestPreparer is an optional interface that provider executors can implement to mutate outbound HTTP requests with provider credentials.

type Result 

type Result struct {
	// AuthID references the auth that produced this result.
	AuthID string
	// Provider is copied for convenience when emitting hooks.
	Provider string
	// Model is the upstream model identifier used for the request.
	Model string
	// Success marks whether the execution succeeded.
	Success bool
	// RetryAfter carries a provider supplied retry hint (e.g. 429 retryDelay).
	RetryAfter *time.Duration
	// Error describes the failure when Success is false.
	Error *Error
}

Result captures execution outcome used to adjust auth state.

type RoundRobinSelector 

type RoundRobinSelector struct {
	// contains filtered or unexported fields
}

RoundRobinSelector provides a simple provider scoped round-robin selection strategy.

func (*RoundRobinSelector) Pick 

func (s *RoundRobinSelector) Pick(ctx context.Context, provider, model string, opts cliproxyexecutor.Options, auths []*Auth) (*Auth, error)

Pick selects the next available auth for the provider in a round-robin manner. For gemini-cli virtual auths (identified by the gemini_virtual_parent attribute), a two-level round-robin is used: first cycling across credential groups (parent accounts), then cycling within each group's project auths.

type RoundTripperProvider 

type RoundTripperProvider interface {
	RoundTripperFor(auth *Auth) http.RoundTripper
}

RoundTripperProvider defines a minimal provider of per-auth HTTP transports.

type Selector 

type Selector interface {
	Pick(ctx context.Context, provider, model string, opts cliproxyexecutor.Options, auths []*Auth) (*Auth, error)
}

Selector chooses an auth candidate for execution.

type Status 

type Status string

Status represents the lifecycle state of an Auth entry. 

const (
	// StatusUnknown means the auth state could not be determined.
	StatusUnknown Status = "unknown"
	// StatusActive indicates the auth is valid and ready for execution.
	StatusActive Status = "active"
	// StatusPending indicates the auth is waiting for an external action, such as MFA.
	StatusPending Status = "pending"
	// StatusRefreshing indicates the auth is undergoing a refresh flow.
	StatusRefreshing Status = "refreshing"
	// StatusError indicates the auth is temporarily unavailable due to errors.
	StatusError Status = "error"
	// StatusDisabled marks the auth as intentionally disabled.
	StatusDisabled Status = "disabled"
)

type Store 

type Store interface {
	// List returns all auth records stored in the backend.
	List(ctx context.Context) ([]*Auth, error)
	// Save persists the provided auth record, replacing any existing one with same ID.
	Save(ctx context.Context, auth *Auth) (string, error)
	// Delete removes the auth record identified by id.
	Delete(ctx context.Context, id string) error
}

Store abstracts persistence of Auth state across restarts.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.