Documentation
Overview
Package cloud implements `txco login` — cloud identity for the thanks-computer cloud, via OAuth (Authorization Code + PKCE). It is deliberately distinct from `txco auth …`, which manages the ed25519 signing keys that grant administrative authority over a self-hosted chassis: the OAuth token here represents the signed-in *user/account*, while the ed25519 key represents admin authority over a chassis.
The CLI is a public OAuth client (no secret) that talks ONLY to the cloud, treating it as a generic OAuth front door: `txco login` opens the browser to the cloud's authorize endpoint, captures the redirect on a loopback listener, exchanges the code at the cloud's token endpoint, and stores the tokens under $TXCO_HOME/cloud/<profile>.json (0600). The cloud brokers whatever upstream identity provider it uses; the CLI neither knows nor hardcodes it. Login-only for now: key enrollment and hosted-stack creation are deliberate fast-follows.
Reached two ways, both arriving here with the verb in args[0]:
- top-level `txco login` / `txco logout` (dispatched from cli.go)
- `txco cloud <login|logout|whoami>` namespace
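The public-client pieces the overview describes, as an added example that is not the package's own code: a per-login PKCE verifier/challenge pair, the authorize URL the CLI opens, and the state check applied to the loopback redirect before any code is exchanged at the token endpoint. Endpoint, client id, redirect URI and state values are assumed placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/url"
)

// PKCE is one login's code_verifier/code_challenge pair (RFC 7636, S256); with no client secret, it ties the exchange to whoever opened the browser.
type PKCE struct{ Verifier, Challenge string }

// NewPKCE draws 32 random bytes; base64url yields a 43-char verifier (RFC 7636 allows 43..128).
func NewPKCE() (PKCE, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return PKCE{}, err
	}
	return pkceFromVerifier(base64.RawURLEncoding.EncodeToString(raw)), nil
}

// pkceFromVerifier derives the S256 challenge: BASE64URL(SHA256(verifier)) without padding.
func pkceFromVerifier(v string) PKCE {
	sum := sha256.Sum256([]byte(v))
	return PKCE{Verifier: v, Challenge: base64.RawURLEncoding.EncodeToString(sum[:])}
}

// AuthorizeURL builds the URL the CLI opens in the browser; redirectURI is the loopback listener (values here are assumed).
func AuthorizeURL(endpoint, clientID, redirectURI, state string, p PKCE) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	u.RawQuery = url.Values{"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURI},
		"state": {state}, "code_challenge": {p.Challenge}, "code_challenge_method": {"S256"}}.Encode()
	return u.String(), nil
}

// RedirectCode takes the query the browser delivered to the loopback listener and returns the code
// only when state matches this login's; any other hit on the listener is refused, never exchanged.
func RedirectCode(query url.Values, expectedState string) (string, error) {
	if subtle.ConstantTimeCompare([]byte(query.Get("state")), []byte(expectedState)) != 1 || query.Get("code") == "" {
		return "", errors.New("redirect is not a usable one from this login: state mismatch or missing code")
	}
	return query.Get("code"), nil
}
```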
Variables
var ClientVersion string
ClientVersion is the running CLI's version, set by the cli package before dispatch (cloud can't import cli: files under cli import chassis/server, and cli imports cloud). Used after login to emit a warning (never an error) when the CLI is below the bound chassis's advertised minimum. Empty disables the check.
Functions
func DeleteCloudToken
DeleteCloudToken removes a profile's token file. A missing file is not an error; the bool reports whether a file existed.
func SaveCloudToken
func SaveCloudToken(profile string, t CloudToken) error
SaveCloudToken writes the token atomically (temp + rename) with 0600, matching the discipline used for ed25519 keys.
Types
type CloudToken
type CloudToken struct {
	// Kind is a seam for the future cloud|chassis profile-kind split; today
	// every file under cloud/ is a cloud token. Not yet acted on.
	Kind         string    `json:"kind,omitempty"`
	AccessToken  string    `json:"access_token"`
	RefreshToken string    `json:"refresh_token,omitempty"`
	IDToken      string    `json:"id_token,omitempty"`
	TokenType    string    `json:"token_type,omitempty"`
	Scope        string    `json:"scope,omitempty"`
	Expiry       time.Time `json:"expiry"` // absolute = obtained_at + expires_in
	ObtainedAt   time.Time `json:"obtained_at"`
	Subject      string    `json:"subject"` // e.g. email:matt@example.com
	Email        string    `json:"email,omitempty"`
	Issuer       string    `json:"issuer"`
	ClientID     string    `json:"client_id"`
	CloudURL     string    `json:"cloud_url,omitempty"`
}
CloudToken is the persisted cloud session for one profile, stored as a 0600 JSON file at $TXCO_HOME/cloud/<profile>.json. The OAuth token represents the signed-in user/account — distinct from the ed25519 keys in $TXCO_HOME/keys, which carry chassis admin authority.
func LoadCloudToken
func LoadCloudToken(profile string) (*CloudToken, error)
LoadCloudToken reads a profile's token file. The returned error wraps os.ErrNotExist when the file is absent (use errors.Is).
func (*CloudToken) Expired
func (t *CloudToken) Expired(now time.Time) bool
Expired reports whether the access token is at or past its expiry, applying a small negative skew (so it reads as expired shortly before the nominal Expiry). A zero Expiry is treated as not-expired (unknown lifetime). Because Expiry is absolute (stored at login as obtained_at + expires_in), a paused laptop can't misjudge a relative TTL.
Refreshing an expired token (grant_type=refresh_token, using RefreshToken) is a fast-follow; this is the hook for it.