auth

Documentation

Overview

Package auth implements the queenctl login flows. It supports three methods that all converge on the same outcome - a JWT stored in the OS keychain that subsequent commands attach as Authorization: Bearer.

token    paste a JWT (CI / external IdP)
password POST /api/login on the proxy with username/password
google   open https://<proxy>/api/auth/google in a browser; user pastes
         the JWT from the resulting dashboard page or browser cookie

The proxy's login endpoint sets an HTTP-only cookie named "token". We scrape that Set-Cookie header (the cookie is HTTP-only on the wire but fully visible to the client that initiated the request) and persist the JWT.

Index

• Variables
• func GoogleAuthorizeURL(serverURL string) (string, error)
• func IsGoogleEnabled(serverURL string) (bool, error)
• func PasswordLogin(serverURL, username, password string, insecure bool) (string, error)

Variables

var ErrInvalidCredentials = errors.New("invalid credentials")

ErrInvalidCredentials is returned by PasswordLogin when the proxy responds with 401.

Functions

func GoogleAuthorizeURL

func GoogleAuthorizeURL(serverURL string) (string, error)

GoogleAuthorizeURL returns the URL the user should open in a browser to kick off the proxy's Google OAuth flow.

func IsGoogleEnabled

func IsGoogleEnabled(serverURL string) (bool, error)

IsGoogleEnabled probes /api/auth/config and returns whether the proxy is configured for Google login.

func PasswordLogin

func PasswordLogin(serverURL, username, password string, insecure bool) (string, error)

PasswordLogin posts username/password to the proxy at server and returns the JWT extracted from the Set-Cookie header. Returns a typed error when credentials are bad so the CLI can map it to exit code 3.