auth

package
v0.20.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Mar 16, 2026 License: MIT Imports: 19 Imported by: 0

Documentation

Index

Constants

// OAuth client configuration for the Claude login flow.
//
// By name, the first five constants are the client identifier, the
// authorization, token and profile endpoints, and a beta-header value; how
// each one is sent is not visible in this listing. Every endpoint is a
// hard-coded https URL, spread over three hosts (claude.ai,
// platform.claude.com and api.anthropic.com).
//
// NOTE(review): no client secret is defined in this group. ClaudeClientID is
// an identifier, not a credential, which is consistent with the PKCE flow
// that ClaudeLoginStart is documented to use; confirm nothing relies on it
// being confidential.
const (
	ClaudeClientID        = "9d1c250a-e61b-44d9-88ed-5944d1962f5e"
	ClaudeAuthorizeURL    = "https://claude.ai/oauth/authorize"
	ClaudeTokenURL        = "https://platform.claude.com/v1/oauth/token"
	ClaudeProfileURL      = "https://api.anthropic.com/api/oauth/profile"
	ClaudeOAuthBetaHeader = "oauth-2025-04-20"

	// ClaudeManualRedirectURL is used when the user cannot receive the automatic browser callback.
	// Matches claude-code's MANUAL_REDIRECT_URL = platform.claude.com/oauth/code/callback.
	// When used, platform.claude.com shows the authorization code to the user so they can paste it.
	// NOTE(review): in this mode the authorization code is visible on screen and passes
	// through the clipboard, so it should be exchanged promptly and never logged.
	ClaudeManualRedirectURL = "https://platform.claude.com/oauth/code/callback"

	// ClaudeSuccessURL is where to redirect after a successful automatic callback.
	// Matches claude-code's CLAUDEAI_SUCCESS_URL.
	ClaudeSuccessURL = "https://claude.ai/oauth/code/success?app=claude-code"

	// ClaudeOAuthScopes matches claude-code's ed1 scope set (union of console + claude.ai scopes).
	// org:create_api_key is required by the claude.ai authorization endpoint.
	// The value is a single space-separated string.
	// NOTE(review): the set is broad (API-key creation, inference, sessions, MCP servers,
	// file upload), so a token issued with it should be handled as a high-value secret.
	ClaudeOAuthScopes = "org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload"
)
// CopilotClientID is, by name, the OAuth client identifier used for the
// Copilot login; presumably it is the client_id sent by
// StartCopilotDeviceFlow — confirm against the implementation.
// NOTE(review): like any OAuth client ID it identifies the application and
// is not a secret; no client secret is defined alongside it.
const (
	CopilotClientID = "Ov23li8tweQw6odWQebz"
)

Variables

This section is empty.

Functions

func CheckCopilotModelsAPI

func CheckCopilotModelsAPI(token, baseURL string) error

CheckCopilotModelsAPI verifies that the Copilot models API endpoint is reachable using the provided bearer token and base URL.

func ClaudeLogout added in v0.16.0

func ClaudeLogout() error

ClaudeLogout removes pando's Claude credential file.

func CopilotAPIBaseURL

func CopilotAPIBaseURL(enterpriseURL string) string

func CopilotDeviceFlowInstructions

func CopilotDeviceFlowInstructions(deviceCode CopilotDeviceCode) string

func CopilotSessionFilePath

func CopilotSessionFilePath() (string, error)

func DeleteCopilotSession

func DeleteCopilotSession() error

func IsClaudeTokenExpired added in v0.16.0

func IsClaudeTokenExpired(creds *ClaudeCredentials) bool

IsClaudeTokenExpired returns true if the token expires within the next 5 minutes.

func LoadGitHubOAuthToken

func LoadGitHubOAuthToken() (string, error)

func NormalizeGitHubDomain

func NormalizeGitHubDomain(value string) string

func OpenBrowser

func OpenBrowser(url string) error

func SaveClaudeCredentials added in v0.16.0

func SaveClaudeCredentials(creds *ClaudeCredentials) error

SaveClaudeCredentials saves Claude credentials to pando's config directory.

func SaveCopilotSession

func SaveCopilotSession(session CopilotSession) error

func ValidateCopilotToken

func ValidateCopilotToken(ctx context.Context, session CopilotSession) error

Types

type ClaudeAuthStatus added in v0.16.0

// ClaudeAuthStatus holds the authentication status for Claude, as returned
// by GetClaudeAuthStatus.
//
// Source is one of "env", "pando" or "claude-code" (see the field comment).
//
// NOTE(review): AccessToken is a plain exported string and the struct has no
// json tags, so formatting the whole value (for example with %+v) or
// marshalling it emits the bearer token. Email and DisplayName are personal
// data. Log individual non-secret fields rather than the struct.
type ClaudeAuthStatus struct {
	Authenticated    bool
	AccessToken      string
	SubscriptionType string
	DisplayName      string
	Email            string
	Source           string // "env", "pando", or "claude-code"
}

ClaudeAuthStatus holds the authentication status for Claude.

func GetClaudeAuthStatus added in v0.16.0

func GetClaudeAuthStatus() (*ClaudeAuthStatus, error)

GetClaudeAuthStatus loads credentials and returns the current authentication status.

type ClaudeAutoCode added in v0.20.0

// ClaudeAutoCode is the message delivered on ClaudeLoginSession.AutoCodeCh
// when the browser completes the automatic flow. It carries the
// authorization code and the redirect URI that was used; both are the
// arguments ClaudeLoginFinish expects.
//
// Err is presumably set instead of Code when the callback failed — confirm
// against the callback handler, and check Err before using Code.
//
// NOTE(review): Code can be exchanged for tokens, so it should not be logged.
// This listing does not show whether the callback handler verifies the OAuth
// state value before sending on the channel; confirm that it does.
type ClaudeAutoCode struct {
	Code        string
	RedirectURI string
	Err         error
}

ClaudeAutoCode is sent on AutoCodeCh when the browser delivers the auth code.

type ClaudeCredentials added in v0.16.0

// ClaudeCredentials holds the OAuth credentials for Claude. The JSON keys
// ("claudeAiOauth", "organizationUuid") are the on-disk format read by
// LoadClaudeCredentials and written by SaveClaudeCredentials.
//
// ClaudeAiOauth is a pointer and can be nil; callers should check it before
// dereferencing.
//
// NOTE(review): the serialized form contains the access and refresh tokens.
// The file mode used by SaveClaudeCredentials is not visible in this
// listing; confirm the file is created owner-only (for example 0600) inside
// a directory that is not group- or world-readable.
type ClaudeCredentials struct {
	ClaudeAiOauth    *ClaudeOAuthToken `json:"claudeAiOauth"`
	OrganizationUUID string            `json:"organizationUuid,omitempty"`
}

ClaudeCredentials holds the OAuth credentials for Claude.

func ClaudeLoginFinish added in v0.20.0

func ClaudeLoginFinish(session *ClaudeLoginSession, code, redirectURI string) (*ClaudeCredentials, string, error)

ClaudeLoginFinish exchanges an authorization code for credentials and fetches the user profile. redirectURI must be the one actually used during authorization (either session.AutoRedirectURI or ClaudeManualRedirectURL).

func GetValidClaudeToken added in v0.16.0

func GetValidClaudeToken(creds *ClaudeCredentials) (string, *ClaudeCredentials, error)

GetValidClaudeToken returns a valid access token, refreshing if needed. Returns (accessToken, updatedCreds, error); updatedCreds is non-nil only when refreshed.

func LoadClaudeCredentials added in v0.16.0

func LoadClaudeCredentials() (*ClaudeCredentials, string, error)

LoadClaudeCredentials loads Claude credentials with the following priority:

  1. CLAUDE_CODE_OAUTH_TOKEN env var → synthetic credentials
  2. ANTHROPIC_API_KEY env var → nil (API key mode)
  3. ~/.config/pando/auth/claude.json (pando's own store)
  4. ~/.claude/.credentials.json (read-only fallback from Claude Code)

Returns (creds, source, error) where source is "env", "pando", or "claude-code".

func RefreshClaudeToken added in v0.16.0

func RefreshClaudeToken(creds *ClaudeCredentials) (*ClaudeCredentials, error)

RefreshClaudeToken uses the refresh token to obtain a new access token.

type ClaudeLoginSession added in v0.20.0

// ClaudeLoginSession holds the state of an in-progress OAuth login flow.
// It is created by ClaudeLoginStart and consumed by ClaudeLoginFinish, and
// Cancel stops the local callback server it owns.
//
// The redirect URI passed to ClaudeLoginFinish must be the one that was
// actually used: AutoRedirectURI for a code received on AutoCodeCh,
// ClaudeManualRedirectURL for a code pasted by the user.
//
// NOTE(review): the PKCE verifier and any state value presumably live in the
// unexported fields — confirm. Also confirm that the callback listener binds
// to the loopback interface only, and that callers always reach Cancel (for
// example via defer) so the listener does not outlive the login attempt.
type ClaudeLoginSession struct {
	// ManualURL is the authorize URL using platform.claude.com as redirect_uri.
	// The user can open it manually; that page shows the authorization code.
	ManualURL string

	// AutoURL is the authorize URL using the local callback server as redirect_uri.
	// It is opened in the browser automatically.
	AutoURL string

	// AutoCodeCh receives the authorization code when the browser completes the flow.
	// The message carries the code and the redirect URI that was used.
	AutoCodeCh <-chan ClaudeAutoCode

	// AutoRedirectURI is the localhost redirect_uri for the automatic flow.
	AutoRedirectURI string
	// contains filtered or unexported fields
}

ClaudeLoginSession holds the state of an in-progress OAuth login flow. It is created by ClaudeLoginStart and consumed by ClaudeLoginFinish. The TUI layer owns the session and drives the two phases:

  1. Display ManualURL to the user; open AutoURL in the browser.
  2. Wait for AutoCodeCh (browser callback) or accept manual code from the dialog.
  3. Call ClaudeLoginFinish with the received code and the appropriate redirect URI.

func ClaudeLoginStart added in v0.20.0

func ClaudeLoginStart() (*ClaudeLoginSession, error)

ClaudeLoginStart initializes the PKCE OAuth2 flow. It starts a local HTTP callback server (non-blocking) and returns a session with both the manual and automatic authorization URLs. The caller must eventually call session.Cancel() to release resources.

func (*ClaudeLoginSession) Cancel added in v0.20.0

func (s *ClaudeLoginSession) Cancel()

Cancel releases the resources held by the session (stops the callback server).

func (*ClaudeLoginSession) ExtractCodeFromInput added in v0.20.0

func (s *ClaudeLoginSession) ExtractCodeFromInput(input string) string

ExtractCodeFromInput extracts the authorization code from text entered by the user. Accepts either a raw code string or a full redirect URL containing the code.

type ClaudeOAuthToken added in v0.16.0

// ClaudeOAuthToken holds the OAuth token details stored under the
// "claudeAiOauth" key of ClaudeCredentials.
//
// ExpiresAt is in Unix milliseconds (see the field comment), so it must be
// compared against a millisecond clock such as time.Now().UnixMilli(), not
// against Unix seconds. IsClaudeTokenExpired is the package's own check.
//
// NOTE(review): AccessToken and RefreshToken are secrets held as plain
// strings with json tags; any code that marshals or prints this struct
// discloses them. RefreshToken is omitted from JSON when empty.
type ClaudeOAuthToken struct {
	AccessToken      string   `json:"accessToken"`
	RefreshToken     string   `json:"refreshToken,omitempty"`
	ExpiresAt        int64    `json:"expiresAt"` // Unix milliseconds
	Scopes           []string `json:"scopes,omitempty"`
	SubscriptionType string   `json:"subscriptionType,omitempty"`
	RateLimitTier    string   `json:"rateLimitTier,omitempty"`
}

ClaudeOAuthToken holds the OAuth token details.

type ClaudeProfile added in v0.16.0

// ClaudeProfile is the decoded response of the profile endpoint
// (/api/oauth/profile), fetched by GetClaudeProfile. The response is nested:
// the "account" and "organization" JSON objects map to the two fields below.
// Both fields are values, not pointers, so a response that omits an object
// leaves the corresponding struct at its zero value rather than nil.
type ClaudeProfile struct {
	Account      ClaudeProfileAccount      `json:"account"`
	Organization ClaudeProfileOrganization `json:"organization"`
}

ClaudeProfile holds the user profile from Claude API (/api/oauth/profile). The response is nested: account and organization sub-objects.

func GetClaudeProfile added in v0.16.0

func GetClaudeProfile(accessToken string) (*ClaudeProfile, error)

GetClaudeProfile fetches the user profile from the Claude API. Matches claude-code's Kg function: only Authorization and Content-Type headers.

type ClaudeProfileAccount added in v0.20.0

// ClaudeProfileAccount holds account-level info from the profile response
// (the "account" object of ClaudeProfile).
//
// CreatedAt is kept as the raw string from the response; its format is not
// shown in this listing — confirm before parsing it.
//
// NOTE(review): DisplayName and EmailAddress are personal data; keep them
// out of debug logs and crash reports unless that is intended.
type ClaudeProfileAccount struct {
	DisplayName  string `json:"display_name"`
	EmailAddress string `json:"email_address"`
	CreatedAt    string `json:"created_at"`
}

ClaudeProfileAccount holds account-level info from the profile response.

type ClaudeProfileOrganization added in v0.20.0

// ClaudeProfileOrganization holds organization-level info from the profile
// response (the "organization" object of ClaudeProfile).
//
// SubscriptionCreatedAt is kept as the raw string from the response; its
// format is not shown in this listing. The set of values used for
// OrganizationType, RateLimitTier and BillingType is likewise not visible
// here, so treat them as opaque strings supplied by the server.
type ClaudeProfileOrganization struct {
	UUID                  string `json:"uuid"`
	OrganizationType      string `json:"organization_type"`
	RateLimitTier         string `json:"rate_limit_tier"`
	HasExtraUsageEnabled  bool   `json:"has_extra_usage_enabled"`
	BillingType           string `json:"billing_type"`
	SubscriptionCreatedAt string `json:"subscription_created_at"`
}

ClaudeProfileOrganization holds organization-level info from the profile response.

type CopilotAuthStatus

// CopilotAuthStatus is the value returned by GetCopilotAuthStatus.
//
// Unlike ClaudeAuthStatus it carries no token field, so the struct itself
// holds no bearer credential. The possible values of Source and the content
// of Message are not shown in this listing.
// NOTE(review): confirm Message never embeds a token or a raw upstream
// error body before it is displayed or logged.
type CopilotAuthStatus struct {
	Authenticated bool
	Source        string
	EnterpriseURL string
	Message       string
}

func GetCopilotAuthStatus

func GetCopilotAuthStatus() CopilotAuthStatus

type CopilotDeviceCode

// CopilotDeviceCode is the value returned by StartCopilotDeviceFlow and
// passed to PollCopilotDeviceFlow and CompleteCopilotDeviceFlow. The JSON
// field names match the OAuth 2.0 device authorization response (RFC 8628).
//
// Interval and ExpiresIn are presumably in seconds, as in RFC 8628 — confirm
// against the polling code.
//
// NOTE(review): UserCode and VerificationURI are meant to be shown to the
// user; DeviceCode is the value the client polls with and should stay out
// of logs and UI. Confirm CopilotDeviceFlowInstructions prints only the
// user-facing fields.
type CopilotDeviceCode struct {
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	Interval        int    `json:"interval"`
	ExpiresIn       int    `json:"expires_in"`
}

func StartCopilotDeviceFlow

func StartCopilotDeviceFlow(ctx context.Context, enterpriseURL string) (*CopilotDeviceCode, error)

type CopilotSession

// CopilotSession is the Copilot login state handled by SaveCopilotSession,
// LoadCopilotSession and DeleteCopilotSession, and checked by
// ValidateCopilotToken. Every field except AccessToken is omitted from JSON
// when empty.
//
// The unit of ExpiresAt and CreatedAt is not shown in this listing; do not
// assume it matches ClaudeOAuthToken.ExpiresAt (Unix milliseconds) — confirm.
//
// NOTE(review): AccessToken is a bearer secret stored as a plain string, and
// the serialized session contains it. The mode of the file at
// CopilotSessionFilePath is not visible here; confirm it is written
// owner-only (for example 0600).
type CopilotSession struct {
	Provider      string `json:"provider,omitempty"`
	AccessToken   string `json:"access_token"`
	TokenType     string `json:"token_type,omitempty"`
	Scope         string `json:"scope,omitempty"`
	ExpiresAt     int64  `json:"expires_at,omitempty"`
	EnterpriseURL string `json:"enterprise_url,omitempty"`
	CreatedAt     int64  `json:"created_at,omitempty"`
}

func CompleteCopilotDeviceFlow

func CompleteCopilotDeviceFlow(ctx context.Context, enterpriseURL string, deviceCode *CopilotDeviceCode) (*CopilotSession, error)

func LoadCopilotSession

func LoadCopilotSession() (*CopilotSession, error)

func PollCopilotDeviceFlow

func PollCopilotDeviceFlow(ctx context.Context, enterpriseURL string, deviceCode *CopilotDeviceCode) (*CopilotSession, error)
