credential

package
v1.0.5

This package is not in the latest version of its module.

Published: Apr 7, 2026 License: MIT Imports: 13 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func HasRealAppSecret

func HasRealAppSecret(secret string) bool

HasRealAppSecret reports whether secret is an actual app secret rather than an empty/token-only marker or the internal runtime placeholder.

func RuntimeAppSecret

func RuntimeAppSecret(secret string) string

RuntimeAppSecret returns the SDK-compatible app secret used at runtime. Token-only sources intentionally have no real secret; this helper injects a private placeholder so downstream SDK validation can proceed while callers still distinguish real secrets with HasRealAppSecret.

Types

type Account

type Account struct {
	ProfileName         string
	AppID               string
	AppSecret           string
	Brand               core.LarkBrand
	DefaultAs           core.Identity
	UserOpenId          string
	UserName            string
	SupportedIdentities uint8
}

Account is the credential-layer view of the active runtime account. It intentionally mirrors only the resolved fields needed by runtime auth and identity selection, without exposing core.CliConfig as a dependency.

func AccountFromCliConfig

func AccountFromCliConfig(cfg *core.CliConfig) *Account

AccountFromCliConfig copies the resolved config view into a credential.Account.

func (*Account) ToCliConfig

func (a *Account) ToCliConfig() *core.CliConfig

ToCliConfig copies the credential-layer account into the downstream config shape.

type AccountProvider

type AccountProvider interface {
	ResolveAccount(ctx context.Context) (*Account, error)
}

AccountProvider resolves app credentials. Returns nil, nil to indicate "I don't handle this, try next provider".

type CredentialProvider

type CredentialProvider struct {
	// contains filtered or unexported fields
}

CredentialProvider is the unified entry point for all credential resolution.

func NewCredentialProvider

func NewCredentialProvider(providers []extcred.Provider, defaultAcct DefaultAccountResolver, defaultToken DefaultTokenResolver, httpClient func() (*http.Client, error)) *CredentialProvider

NewCredentialProvider creates a CredentialProvider.

func (*CredentialProvider) ResolveAccount

func (p *CredentialProvider) ResolveAccount(ctx context.Context) (*Account, error)

ResolveAccount resolves app credentials. Result is cached after first call. NOTE: Uses sync.Once — only the context from the first call is used for resolution. Subsequent calls return the cached result regardless of their context. This is acceptable for CLI (single invocation per process) but not for long-running servers.

func (*CredentialProvider) ResolveIdentityHint

func (p *CredentialProvider) ResolveIdentityHint(ctx context.Context) (*IdentityHint, error)

ResolveIdentityHint resolves default/auto identity guidance from the selected source. NOTE: Uses sync.Once — only the context from the first call is used for resolution. This matches ResolveAccount and keeps identity decisions stable within one CLI invocation.
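The sync.Once caveat noted for ResolveAccount and ResolveIdentityHint, shown as an added example (not code from this package): a first call made with an already-cancelled context caches its failure, and a later call with a live context still gets that cached error. The onceResolver type, fetchAccount backend and the account value are hypothetical stand-ins constructed for the demonstration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
)

// onceResolver is a hypothetical stand-in for a resolver that caches its
// result with sync.Once, as the doc comments above describe.
type onceResolver struct {
	once sync.Once
	acct string
	err  error
}

// fetchAccount is a constructed backend that honours context cancellation.
func fetchAccount(ctx context.Context) (string, error) {
	if err := ctx.Err(); err != nil {
		return "", err
	}
	return "cli_app_constructed", nil
}

// Resolve runs fetchAccount once; only the first caller's ctx is ever used.
func (r *onceResolver) Resolve(ctx context.Context) (string, error) {
	r.once.Do(func() { r.acct, r.err = fetchAccount(ctx) })
	return r.acct, r.err
}

// PoisonedByFirstContext calls Resolve with a cancelled context, then with a
// live one, and returns both errors so the cached failure is visible.
func PoisonedByFirstContext() (first, second error) {
	r := &onceResolver{}
	cancelled, cancel := context.WithCancel(context.Background())
	cancel()
	_, first = r.Resolve(cancelled)
	_, second = r.Resolve(context.Background())
	return first, second
}

func main() {
	first, second := PoisonedByFirstContext()
	fmt.Println(errors.Is(first, context.Canceled), errors.Is(second, context.Canceled))
}
```

In a one-shot CLI the process exits after the first failure; in a server every later request would inherit the first request's outcome, which is why the note restricts this pattern to single-invocation use.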

func (*CredentialProvider) ResolveToken

func (p *CredentialProvider) ResolveToken(ctx context.Context, req TokenSpec) (*TokenResult, error)

ResolveToken resolves an access token.

func (*CredentialProvider) SetWarnOut

func (p *CredentialProvider) SetWarnOut(warnOut io.Writer) *CredentialProvider

type DefaultAccountProvider

type DefaultAccountProvider struct {
	// contains filtered or unexported fields
}

DefaultAccountProvider resolves account from config.json via keychain.

func NewDefaultAccountProvider

func NewDefaultAccountProvider(kc keychain.KeychainAccess, profile string) *DefaultAccountProvider

func (*DefaultAccountProvider) ResolveAccount

func (p *DefaultAccountProvider) ResolveAccount(ctx context.Context) (*Account, error)

type DefaultAccountResolver

type DefaultAccountResolver interface {
	ResolveAccount(ctx context.Context) (*Account, error)
}

DefaultAccountResolver is implemented by the default account provider.

type DefaultTokenProvider

type DefaultTokenProvider struct {
	// contains filtered or unexported fields
}

DefaultTokenProvider resolves UAT/TAT using keychain + direct HTTP calls. No SDK/LarkClient dependency — eliminates circular dependency with Factory.

func NewDefaultTokenProvider

func NewDefaultTokenProvider(defaultAcct *DefaultAccountProvider, httpClient func() (*http.Client, error), errOut io.Writer) *DefaultTokenProvider

func (*DefaultTokenProvider) ResolveToken

func (p *DefaultTokenProvider) ResolveToken(ctx context.Context, req TokenSpec) (*TokenResult, error)

type DefaultTokenResolver

type DefaultTokenResolver interface {
	ResolveToken(ctx context.Context, req TokenSpec) (*TokenResult, error)
}

DefaultTokenResolver is implemented by the default token provider.

type IdentityHint

type IdentityHint struct {
	DefaultAs core.Identity
	AutoAs    core.Identity
}

IdentityHint is credential-layer guidance for resolving the effective identity.

type MalformedTokenResultError

type MalformedTokenResultError struct {
	Source string
	Type   TokenType
	Reason string
}

MalformedTokenResultError reports that a source returned an invalid token payload.

func (*MalformedTokenResultError) Error

func (e *MalformedTokenResultError) Error() string

type TokenProvider

type TokenProvider interface {
	ResolveToken(ctx context.Context, req TokenSpec) (*TokenResult, error)
}

TokenProvider resolves a runtime access token. Top-level resolvers should return a non-nil token or an error. Chain participants may use nil, nil internally to indicate "try next source".
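The nil, nil "try next source" convention described for TokenProvider and AccountProvider, as an added example that is not this package's implementation. ResolveChain, the source type, the sentinel errors and the "empty token is malformed" rule are assumptions made for the sketch; it also assumes a source error or malformed payload stops the walk rather than silently falling through to a lower-priority credential.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// Local stand-ins shaped like the types documented on this page.
type TokenSpec struct{ Type, AppID string }
type TokenResult struct{ Token, Scopes string }
type TokenProvider interface {
	ResolveToken(ctx context.Context, req TokenSpec) (*TokenResult, error)
}

var ErrUnavailable = errors.New("no usable token")      // stand-in for TokenUnavailableError
var ErrMalformed = errors.New("malformed token result") // stand-in for MalformedTokenResultError

// source is a constructed chain participant that returns a fixed answer.
type source struct {
	res *TokenResult
	err error
}

func (s source) ResolveToken(context.Context, TokenSpec) (*TokenResult, error) {
	return s.res, s.err
}

// ResolveChain (hypothetical) walks the chain in priority order. nil, nil means
// "declined, try next"; an error or malformed payload ends the walk.
func ResolveChain(ctx context.Context, req TokenSpec, chain ...TokenProvider) (*TokenResult, error) {
	for i, p := range chain {
		res, err := p.ResolveToken(ctx, req)
		switch {
		case err != nil:
			return nil, fmt.Errorf("source %d: %w", i, err)
		case res == nil:
			continue // source declined
		case strings.TrimSpace(res.Token) == "": // assumed validity rule
			return nil, fmt.Errorf("source %d: %w", i, ErrMalformed)
		}
		return res, nil
	}
	return nil, ErrUnavailable // the top level never returns nil, nil
}

func main() {
	req := TokenSpec{Type: "tat", AppID: "cli_app_constructed"}
	res, err := ResolveChain(context.Background(), req, source{}, source{res: &TokenResult{Token: "t-constructed"}})
	fmt.Println(res.Token, err)
}
```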

type TokenResult

type TokenResult struct {
	Token  string
	Scopes string // optional, space-separated; empty = skip scope pre-check
}

TokenResult is the output of TokenProvider.ResolveToken.

type TokenSpec

type TokenSpec struct {
	Type  TokenType
	AppID string // identifies which app (multi-account); not sensitive
}

TokenSpec is the input to TokenProvider.ResolveToken.

func NewTokenSpec

func NewTokenSpec(identity core.Identity, appID string) TokenSpec

NewTokenSpec returns a TokenSpec with the token type automatically selected based on identity: TAT for bot, UAT for user.

type TokenType

type TokenType string

TokenType distinguishes UAT from TAT. Uses string constants matching extension/credential.TokenType for zero-cost conversion.

const (
	TokenTypeUAT TokenType = "uat" // User Access Token
	TokenTypeTAT TokenType = "tat" // Tenant Access Token
)

func ParseTokenType

func ParseTokenType(s string) (TokenType, bool)

ParseTokenType converts a string to TokenType.

func (TokenType) String

func (t TokenType) String() string

type TokenUnavailableError

type TokenUnavailableError struct {
	Source string
	Type   TokenType
}

TokenUnavailableError reports that no usable token was available.

func (*TokenUnavailableError) Error

func (e *TokenUnavailableError) Error() string
