oauth

package
v0.1.6
Published: Mar 4, 2026 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Overview

Package oauth: browser_flow runs the OAuth2 authorization code flow by opening the system browser and running a local redirect server to capture the code, then exchanging it for a token and storing it in the device keyring.

Package oauth provides build-time injected OAuth client credentials shared by Google API tools (Calendar, Contacts). Both use the same client ID and secret so one OAuth consent can grant Calendar + Contacts.

Inject at build time via -X (do not commit to repo):

go build -ldflags "-X github.com/stackgenhq/genie/pkg/tools/google/oauth.GoogleClientID=ID -X github.com/stackgenhq/genie/pkg/tools/google/oauth.GoogleClientSecret=SECRET" ...

Or set GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET in CI (e.g. GitHub Actions).

Package oauth: token retrieval (file, inline, or device keychain) and OAuth2 HTTP client construction with token refresh and persistence.

Index

Constants

const DefaultGenieAGUIPort = 9876

DefaultGenieAGUIPort is the default port for the Genie AG-UI server. Must match messenger.DefaultAGUIPort; we cannot import messenger here (messenger/agui imports this package). See browser_flow_test.go for an assertion that keeps them in sync.

const RedirectPort = "8765"

RedirectPort is the local port used for the OAuth callback. The Google Cloud Console OAuth client must list http://localhost:8765 as an authorized redirect URI.

Variables

var GoogleClientID = ""

GoogleClientID is the OAuth 2.0 client ID for the Genie "installed app" client. Injected at build time via -X; empty means tools fall back to CredentialsFile from config or GOOGLE_CLIENT_ID env at runtime.

var GoogleClientSecret = ""

GoogleClientSecret is the OAuth 2.0 client secret. Injected at build time via -X.

Functions

func CanRunBrowserFlow

func CanRunBrowserFlow() bool

CanRunBrowserFlow reports whether the OAuth browser flow can run (embedded credentials available). When false, setup can still record "connect Google" and tell the user to run genie grant later.

func EmbeddedCredentialsJSON

func EmbeddedCredentialsJSON() []byte

EmbeddedCredentialsJSON returns a minimal "installed" credentials JSON when both client ID and secret are available (build-time -X or env GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET). Returns nil if either is empty.

func GetCredentials

func GetCredentials(credsEntry, serviceName string) ([]byte, error)

GetCredentials returns the user-provided credentials JSON (credsEntry), or embedded build-time credentials, or credentials stored in the keyring after a successful "genie setup" Google sign-in. Returns an error only when no credentials are available. ServiceName is used in the error message (e.g. "Calendar", "Contacts").

func GetStoredUserInfo

func GetStoredUserInfo() (name, email string)

GetStoredUserInfo returns the Google user name and email stored after the OAuth browser flow (e.g. for salutation and /health). Empty strings are returned if no user info is in the keyring.

func GetToken

func GetToken(ctx context.Context, sp security.SecretProvider) (tokenJSON []byte, save func([]byte) error, err error)

GetToken returns the Google OAuth token JSON and a save callback. Token is resolved in order: TokenFile (path from secret provider), Token/Password (inline from secret provider), then device keychain. Save should be called after token refresh so the new token is persisted (to file or keyring).

func HTTPClient

func HTTPClient(ctx context.Context, credsJSON, tokenJSON []byte, saveToken func([]byte) error, scopes []string) (*http.Client, error)

HTTPClient builds an OAuth2-authenticated *http.Client for the given credentials JSON, token JSON, and scopes. SaveToken is called whenever the token is refreshed so it can be persisted (file or keyring).

func RunBrowserFlow

func RunBrowserFlow(ctx context.Context, credsJSON []byte) error

RunBrowserFlow runs the OAuth2 authorization code flow: starts a local server on RedirectPort, opens the system browser to the consent URL, waits for the redirect with the code, exchanges it for a token, and stores the token in the device keyring. credsJSON must be the same format as EmbeddedCredentialsJSON or a full credentials file; the redirect URI used is http://localhost:8765. Returns an error if credentials are missing, the user denies consent, or the keyring cannot be written.
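As an added illustration, not the genie package's own code (the page documents RunBrowserFlow's behaviour, not its internals), here is how the redirect-capture step on RedirectPort can be written with the checks a reviewer looks for: a state parameter that binds the callback to the consent request, handling of the provider's error response when the user denies consent, and single delivery of the code to the waiting flow. ParseCallback, CallbackHandler, Result and the expected state value are hypothetical names introduced for this example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"sync"
)

// Result is what the redirect handler hands back to the waiting flow.
type Result struct{ Code string; Err error }

var ErrStateMismatch = errors.New("oauth callback: state does not match")

// ParseCallback checks the query string the provider appends to the redirect
// URI (http://localhost:8765) and returns the authorization code.
func ParseCallback(q url.Values, expectedState string) (string, error) {
	// Constant-time compare so the check does not leak the expected value.
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", ErrStateMismatch
	}
	// The provider sends error=access_denied when the user declines consent.
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("oauth callback: provider returned %q", e)
	}
	if q.Get("code") == "" {
		return "", errors.New("oauth callback: redirect carried no code")
	}
	return q.Get("code"), nil
}

// CallbackHandler serves the redirect. Only the first request that passes the
// state check is delivered on results (make it buffered); a wrong state gets
// 400 and does not end the flow, so a stray request cannot inject a code.
func CallbackHandler(expectedState string, results chan<- Result) http.Handler {
	var once sync.Once
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code, err := ParseCallback(r.URL.Query(), expectedState)
		if errors.Is(err, ErrStateMismatch) {
			http.Error(w, "invalid state", http.StatusBadRequest)
			return
		}
		once.Do(func() { results <- Result{Code: code, Err: err} })
		fmt.Fprintln(w, "You can close this window and return to genie.")
	})
}
```

The flow that mounts this handler generates a fresh random state per run, puts the same value in the consent URL, and reads one Result from the channel before exchanging the code for a token.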

Types

This section is empty.
