Documentation
¶
Overview ¶
Package profile implements the `olares-cli profile` command tree.
Surface today (alphabetical, no separate `auth` namespace):
profile list # list all profiles + login status, mark current profile use <name|-> # switch current profile (`-` reverts to previous) profile remove <name> # delete profile + its stored token profile login --olares-id <id> ... # password-based login (mode A) profile import --olares-id <id> ... # refresh-token bootstrap (mode B) profile whoami [--refresh] # show identity + cached role
`whoami` doubles as `olares-cli settings users me` and `olares-cli settings me whoami` — all three call into pkg/whoami.Run. See docs/notes/olares-cli-auth-profile-config.md for the full design.
Index ¶
- func NewImportCommand() *cobra.Command
- func NewListCommand() *cobra.Command
- func NewLoginCommand() *cobra.Command
- func NewProfileCommand(f *cmdutil.Factory) *cobra.Command
- func NewRemoveCommand() *cobra.Command
- func NewUseCommand() *cobra.Command
- func NewWhoamiCommand(f *cmdutil.Factory) *cobra.Command
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewImportCommand ¶
NewImportCommand: `olares-cli profile import --olares-id <id> --refresh-token <tok> [...]`
Mode B: bootstrap an access_token from a user-supplied refresh_token by performing exactly ONE call to /api/refresh. This is the way to seed a profile when the user obtained their refresh token elsewhere (LarePass, wizard activation, manual extraction).
Phase 1 does NOT use the stored refresh_token for background renewal — that's a Phase 2 deliverable. The same `auth.Refresh` HTTP call will be reused there, so the wire-format contract is locked in now.
func NewListCommand ¶
NewListCommand: `olares-cli profile list`
Output is a TSV-like table: NAME / OLARES-ID / STATUS, with a leading "*" marking the current profile. STATUS reflects only what the local token store can prove without making a network call:
logged-in (23h59m) — token present, JWT exp claim still in the future
expired — token present, exp claim in the past
invalidated — token present but explicitly marked unusable
(Phase 2 sets this when /api/refresh returns 401/403);
takes precedence over `expired`
never — no stored token for this profile
logged-in — token present but JWT has no exp claim (we can't
tell client-side; trust until the server says no)
Per §7.5 of the design doc, we deliberately do NOT print any other JWT claims (username / groups / mfa / jid). The OlaresID column is the local authoritative identity.
func NewLoginCommand ¶
NewLoginCommand: `olares-cli profile login --olares-id <id> [...]`
Mode A (password login). Behavior matrix from the design doc:
- profile does not exist → auto-create (with provided overrides)
- profile exists, no/expired token → reuse existing profile, write new token
- profile exists, valid token → reject with `profile remove` hint
Password is read from stdin when --password-stdin is set, otherwise from the controlling terminal (with input echoing disabled). Two-factor accounts must supply --totp.
func NewProfileCommand ¶
NewProfileCommand returns the `profile` parent command, ready to be added to the olares-cli root.
The Factory is required by `whoami` (and the eager fetch on login / import); the other verbs ignore it. We thread it through so the settings/me + settings/users-me aliases can share the same plumbing without each rebuilding the auth-aware http.Client themselves.
func NewRemoveCommand ¶
NewRemoveCommand: `olares-cli profile remove <name>`
Removes the profile entry AND its stored token in one shot. There is no separate `auth logout` — `profile remove` is the canonical way to invalidate local credentials. If the removed profile was the current one, the current pointer falls back to PreviousProfile (when still valid) or to the first remaining profile.
Token deletion failures are reported but don't stop config save: a dangling token entry is harmless (it'll just be stale) and we'd rather have a consistent config.json than abort halfway.
func NewUseCommand ¶
NewUseCommand: `olares-cli profile use <name|->`
`name` may be a profile alias (Name) or its OlaresID. The literal `-` switches back to the previous profile (a la `cd -`), and is rejected when PreviousProfile is unset.
func NewWhoamiCommand ¶
NewWhoamiCommand: `olares-cli profile whoami [--refresh] [-o table|json]`
Reports the active profile's identity + role, defaulting to the locally cached value (config.json's ownerRole / whoamiRefreshedAt fields). Use --refresh to force a server roundtrip against /api/backend/v1/user-info — the same endpoint the SPA's admin store hits in apps/packages/app/src/stores/settings/admin.ts (`get_user_info`).
This command intentionally has two aliases under the settings tree:
- `olares-cli settings users me` (canonical "Settings -> Users -> me")
- `olares-cli settings me whoami` (canonical "Settings -> Person -> whoami")
All three call into the same pkg/whoami.Run driver so behavior, output shapes, and cache-write semantics stay identical no matter which surface the user reaches for.
Why --refresh (rather than always hitting the server): every settings subcommand performs a soft preflight using OwnerRole — making the cache the cheap default keeps `whoami` a single round-trip per session in the common case, and lets users still reconcile after a role change with a single keystroke.
Output:
- table (default): two human lines — identity + freshness, plus a "role changed" notice when --refresh detected drift.
- json: pkg/whoami.Display verbatim, so scripts can branch on {"role":"owner"} without parsing prose.
Types ¶
This section is empty.
Source Files