auth

Documentation

Index

• Constants
• Variables
• func EnableInsecureHTTP()
• func LookupCurrentToken() (string, error)
• func SetManagerForTest(t interface{ ... }, mgr *tokenmanager.Manager) func()
• func SetProviderForTest(t interface{ ... }, p Provider)
• func Token(ctx context.Context, req TokenRequest) (string, error)
• func TokenForResource(ctx context.Context, resourceBaseURL string) (string, error)
• type Client
  • func NewClient(httpClient *http.Client) *Client
  • func (c *Client) BaseURL() string
  • func (c *Client) PollDeviceAuth(ctx context.Context, deviceCode string) (*DeviceAuthPoll, error)
  • func (c *Client) StartDeviceAuth(ctx context.Context) (*DeviceAuthStart, error)
• type DeviceAuthPoll
• type DeviceAuthStart
• type Provider
  • func CurrentProvider() Provider
• type Store
  • func NewStore() *Store
  • func NewStoreWithService(service string) *Store
  • func (s *Store) DeleteToken(baseURL string) error
  • func (s *Store) DeleteTokens(profile string) error
  • func (s *Store) GetToken(baseURL string) (string, error)
  • func (s *Store) LoadTokens(profile string) (tokens.TokenSet, error)
  • func (s *Store) SaveToken(baseURL, token string) error
  • func (s *Store) SaveTokens(profile string, t tokens.TokenSet) error
• type TokenRequest

Constants

const ProviderVersionEnvVar = "TRACE_AUTH_PROVIDER_VERSION"

ProviderVersionEnvVar overrides the auto-detected provider version. Set to "v1" or "v2"; see effectiveProviderVersion for resolution. Read once at process startup via CurrentProvider.

Variables

var ErrNotLoggedIn = tokenmanager.ErrNotLoggedIn

ErrNotLoggedIn re-exports tokenmanager.ErrNotLoggedIn so callers in the cli package can errors.Is against it without an extra import.

Functions

func EnableInsecureHTTP

func EnableInsecureHTTP()

EnableInsecureHTTP relaxes the package-level manager's HTTPS guard so non-loopback http:// resources (and the auth host's STS endpoint) are permitted during token resolution.

Call before any TokenForResource invocation — the manager is built lazily on first use and the AllowInsecureHTTP setting is frozen at that point.

func LookupCurrentToken

func LookupCurrentToken() (string, error)

LookupCurrentToken retrieves the token for the current base URL.

func SetManagerForTest

func SetManagerForTest(t interface{ Helper() }, mgr *tokenmanager.Manager) func()

SetManagerForTest installs mgr as the manager returned by defaultManager() and returns a cleanup function. Test-only.

func SetProviderForTest

func SetProviderForTest(t interface {
	Helper()
	Cleanup(f func())
}, p Provider,
)

SetProviderForTest installs p as the Provider returned by CurrentProvider for the duration of the test, and registers a t.Cleanup to remove the override. Test-only.

func Token

func Token(ctx context.Context, req TokenRequest) (string, error)

Token is the full-control entry point. Use TokenForResource for the common case; this exists so callers can override the wire-level Audience, RequestedTokenType, or Scope per call.

func TokenForResource

func TokenForResource(ctx context.Context, resourceBaseURL string) (string, error)

TokenForResource returns a bearer token suitable for use against resourceBaseURL, performing an RFC 8693 token exchange when the stored core token's audience doesn't already cover that resource.

Types

type Client

type Client struct {
	// contains filtered or unexported fields
}

func NewClient

func NewClient(httpClient *http.Client) *Client

func (*Client) BaseURL

func (c *Client) BaseURL() string

func (*Client) PollDeviceAuth

func (c *Client) PollDeviceAuth(ctx context.Context, deviceCode string) (*DeviceAuthPoll, error)

func (*Client) StartDeviceAuth

func (c *Client) StartDeviceAuth(ctx context.Context) (*DeviceAuthStart, error)

type DeviceAuthPoll

type DeviceAuthPoll struct {
	AccessToken string `json:"access_token,omitempty"`
	TokenType   string `json:"token_type,omitempty"`
	ExpiresIn   int    `json:"expires_in,omitempty"`
	Scope       string `json:"scope,omitempty"`
	Error       string `json:"error,omitempty"`
}

type DeviceAuthStart

type DeviceAuthStart struct {
	DeviceCode              string `json:"device_code"`
	UserCode                string `json:"user_code"`
	VerificationURI         string `json:"verification_uri"`
	VerificationURIComplete string `json:"verification_uri_complete"`
	ExpiresIn               int    `json:"expires_in"`
	Interval                int    `json:"interval"`
}

type Provider

type Provider struct {
	ClientID       string
	DeviceCodePath string
	TokenPath      string
	STSPath        string
	AuthTokensPath string
}

Provider captures the per-surface bits of OAuth wiring.

STSPath is the RFC 8693 token-exchange endpoint. v1 is the legacy single-host surface where the auth and data API live at the same origin; the same-host shortcut in tokenmanager.Token always wins and STS is never invoked, so v1.STSPath is left empty. v2 exposes a dedicated STS path because it's used in split-host deployments (e.g. us.auth.partial.to mints, partial.to consumes).

AuthTokensPath is the base path for the auth-tokens management endpoint family (list / revoke). Routed at the api.Client layer via (*api.Client).WithAuthTokensPath so the provider table is the single source of truth — no env-var duplication between auth/ and api/.

func CurrentProvider

func CurrentProvider() Provider

CurrentProvider returns the active Provider for this process. Resolution freezes on the first call (env vars must be set before then). Tests bypass the singleton via SetProviderForTest.

type Store

type Store struct {
	// contains filtered or unexported fields
}

Store manages CLI authentication tokens in the OS keyring. Implements tokenstore.Store for use with the tokenmanager library.

func NewStore

func NewStore() *Store

NewStore returns a Store backed by the system keyring.

func NewStoreWithService

func NewStoreWithService(service string) *Store

NewStoreWithService returns a Store with a custom keyring service name (for testing).

func (*Store) DeleteToken

func (s *Store) DeleteToken(baseURL string) error

DeleteToken removes a stored token for the given base URL. Legacy method for backward compatibility with plain-string tokens.

func (*Store) DeleteTokens

func (s *Store) DeleteTokens(profile string) error

DeleteTokens removes a stored TokenSet for the given profile. Treats missing profiles as a no-op. Implements tokenstore.Store.

func (*Store) GetToken

func (s *Store) GetToken(baseURL string) (string, error)

GetToken retrieves a stored token for the given base URL. Returns an empty string (and no error) if no token is stored. Legacy method for backward compatibility with plain-string tokens.

func (*Store) LoadTokens

func (s *Store) LoadTokens(profile string) (tokens.TokenSet, error)

LoadTokens retrieves a stored TokenSet for the given profile. Returns tokenstore.ErrNotFound if no token is stored. Handles legacy plain-string entries by wrapping them in a TokenSet. Implements tokenstore.Store.

func (*Store) SaveToken

func (s *Store) SaveToken(baseURL, token string) error

SaveToken persists an access token for the given base URL. Legacy method for backward compatibility with plain-string tokens.

func (*Store) SaveTokens

func (s *Store) SaveTokens(profile string, t tokens.TokenSet) error

SaveTokens persists a TokenSet for the given profile (typically a base URL). Implements tokenstore.Store. The TokenSet is stored as JSON in the keyring.

type TokenRequest

type TokenRequest = tokenmanager.TokenRequest

TokenRequest is the trace-CLI alias of tokenmanager.TokenRequest so callers don't have to import the underlying package for the common case. The two types are interchangeable.