Documentation
Overview
Package auth handles authentication token storage and retrieval.
Index
- Variables
- func AuthorizeURL(supabaseURL, challenge, redirectTo, provider string) string
- func GenerateChallenge(verifier string) string
- func GenerateVerifier() (string, error)
- func GetToken() (string, error)
- func SaveCachedAuth(cfg *Config) error
- type CallbackServer
- type Config
- type PKCEResult
- type ResolveResult
- type ResolveSource
- type Storage
- type Tokens
Variables
var ErrPartialOverride = errors.New("--supabase-url and --supabase-anon-key (or WESIDE_SUPABASE_URL/WESIDE_SUPABASE_ANON_KEY) must be set together")
ErrPartialOverride is returned by overrideConfig (via Resolve.FetchError) when only one of supabase_url / supabase_anon_key is set. Exported so cmd/auth.go can errors.Is-match against it and print an unconditional warning to stderr — partial overrides always indicate a misconfiguration and must not silently mix a user-supplied URL with the prod-default key.
Functions
func AuthorizeURL (added in v0.2.0)
AuthorizeURL builds the Supabase social login authorization URL (PKCE flow). supabaseURL comes from the resolved Config — never hardcoded here.
func GenerateChallenge (added in v0.2.0)
GenerateChallenge creates the PKCE code challenge from a verifier.
func GenerateVerifier (added in v0.2.0)
GenerateVerifier creates a cryptographically random PKCE code verifier.
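An added example, not the package's own code: one way to produce the verifier and challenge described above, assuming the S256 method of RFC 7636 (the page does not name the method). The names newVerifier, s256Challenge, validVerifier and serverAccepts are hypothetical; serverAccepts models the check the authorization server runs at code exchange.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// RFC 7636 section 4.1: verifier alphabet is ALPHA / DIGIT / "-" / "." / "_" / "~".
const unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"

// newVerifier (hypothetical name) encodes 32 bytes from the OS CSPRNG as 43 base64url characters.
func newVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err // fail closed: never fall back to a weaker random source
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// s256Challenge returns BASE64URL(SHA256(verifier)) without padding.
// Assumption: the S256 method; the page does not name the method used.
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// validVerifier enforces the RFC 7636 length bounds (43 to 128) and alphabet.
func validVerifier(v string) bool {
	return len(v) >= 43 && len(v) <= 128 && strings.Trim(v, unreserved) == ""
}

// serverAccepts models the authorization server at code exchange: recompute the
// challenge from the presented verifier and compare it in constant time.
func serverAccepts(storedChallenge, verifier string) bool {
	got := s256Challenge(verifier)
	return validVerifier(verifier) && subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

func main() {
	v, err := newVerifier()
	if err != nil {
		panic(err)
	}
	fmt.Println(len(v), serverAccepts(s256Challenge(v), v)) // the challenge goes in the URL, the verifier stays local
}
```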
func SaveCachedAuth (added in v0.5.0)
SaveCachedAuth persists cfg to ~/.weside/config.yaml under the `auth.*` block. Sets FetchedAt to now (UTC, RFC3339) if empty. Used by Resolve on a successful live fetch and by `weside config refresh-auth`.
Routes through config.PersistUpdates rather than viper.WriteConfigAs so that flag values from the current invocation (--api-url, --supabase-url, …) are not silently persisted alongside the auth cache.
Types
type CallbackServer (added in v0.2.0)
type CallbackServer struct {
	// contains filtered or unexported fields
}
CallbackServer handles the OAuth callback on localhost.
func NewCallbackServer (added in v0.2.0)
func NewCallbackServer(port int) (*CallbackServer, error)
NewCallbackServer creates and starts a localhost HTTP server for OAuth callbacks on the given port (must match a Supabase-whitelisted redirect URL).
func (*CallbackServer) RedirectURI (added in v0.2.0)
func (cs *CallbackServer) RedirectURI() string
RedirectURI returns the callback URL to use in the authorization request.
func (*CallbackServer) WaitForCode (added in v0.2.0)
func (cs *CallbackServer) WaitForCode(ctx context.Context) (string, error)
WaitForCode blocks until an authorization code is received or the context expires.
type Config (added in v0.5.0)
type Config struct {
	SupabaseURL string `json:"supabase_url" mapstructure:"supabase_url"`
	SupabaseAnonKey string `json:"supabase_anon_key" mapstructure:"supabase_anon_key"`
	CallbackPort int `json:"callback_port" mapstructure:"callback_port"`
	MCPURL string `json:"mcp_url" mapstructure:"mcp_url"`
	FetchedAt string `json:"fetched_at,omitempty" mapstructure:"fetched_at,omitempty"`
}
Config holds the backend-derived auth/discovery values used during PKCE login.
Source of truth at runtime is the resolver (Resolve / Fetch); the hardcoded constants in this file are last-resort fallbacks for offline first-runs.
type PKCEResult (added in v0.2.0)
type PKCEResult struct {
	AccessToken string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn int `json:"expires_in"`
	TokenType string `json:"token_type"`
}
PKCEResult contains the tokens from a successful PKCE flow.
func ExchangeCode (added in v0.2.0)
func ExchangeCode(supabaseURL, supabaseAnonKey, code, verifier string) (*PKCEResult, error)
ExchangeCode exchanges an authorization code for tokens via PKCE. supabaseURL + supabaseAnonKey come from the resolved Config.
func RefreshAccessToken (added in v0.2.0)
func RefreshAccessToken(supabaseURL, supabaseAnonKey, refreshToken string) (*PKCEResult, error)
RefreshAccessToken uses a refresh token to get a new access token. supabaseURL + supabaseAnonKey come from the resolved Config.
type ResolveResult (added in v0.5.0)
type ResolveResult struct {
	Config *Config
	Source ResolveSource
	FetchError error
}
ResolveResult bundles the resolved config with provenance metadata.
func Resolve (added in v0.5.0)
func Resolve(ctx context.Context, apiURL string) ResolveResult
Resolve picks a Config using a fixed precedence chain:
1. Override — `--supabase-url`/`--supabase-anon-key` flags or `WESIDE_SUPABASE_URL` / `WESIDE_SUPABASE_ANON_KEY` env vars.
2. Cache — `auth.*` block in ~/.weside/config.yaml (must be complete).
3. Live — single GET to `<apiURL>/.well-known/weside-auth` (5s timeout). On success the result is written back to the cache.
4. Fallback — hardcoded defaults in this file.
Resolve never returns nil — Source==SourceFallback indicates that the live fetch was attempted and failed; FetchError carries the underlying error so the caller can surface it under --verbose. A partial override (only one of supabase_url / supabase_anon_key set) is reported via FetchError on the fallback result so the caller can show the user a precise diagnosis.
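An added sketch of the precedence chain and the partial-override rule described here and under ErrPartialOverride; it is not the package's implementation. The names cfg, resolve, errPartial and fallback are hypothetical, the URLs and keys are constructed placeholders, and it assumes a half-set override goes straight to the fallback pair without consulting cache or live.

```go
package main

import (
	"errors"
	"fmt"
)

type cfg struct{ URL, AnonKey string }

func (c cfg) complete() bool { return c.URL != "" && c.AnonKey != "" }

var errPartial = errors.New("supabase URL and anon key must be set together")

// Constructed placeholder defaults, not the project's real values.
var fallback = cfg{URL: "https://default.example", AnonKey: "default-anon-key"}

// resolve walks override -> cache -> live -> fallback and never returns a
// config whose URL and key come from different levels.
func resolve(override, cache cfg, fetch func() (cfg, error)) (cfg, string, error) {
	switch {
	case override.complete():
		return override, "override", nil
	case override.URL != "" || override.AnonKey != "":
		// Assumption: a half-set override short-circuits to the fallback pair,
		// so a user-supplied URL is never sent the default key (or vice versa).
		return fallback, "fallback", errPartial
	case cache.complete():
		return cache, "cache", nil
	}
	live, err := fetch()
	if err == nil && live.complete() {
		return live, "live", nil // a real resolver would also write this to the cache
	}
	if err == nil {
		err = errors.New("live response incomplete")
	}
	return fallback, "fallback", err
}

func main() {
	offline := func() (cfg, error) { return cfg{}, errors.New("network unreachable") }
	// Only the URL is overridden: the result must not pair it with the default key.
	c, src, err := resolve(cfg{URL: "https://staging.example"}, cfg{}, offline)
	fmt.Println(c.URL, src, errors.Is(err, errPartial))
}
```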
type ResolveSource (added in v0.5.0)
type ResolveSource string
ResolveSource identifies which precedence level produced a Config.
const (
	SourceOverride ResolveSource = "override"
	SourceCache ResolveSource = "cache"
	SourceLive ResolveSource = "live"
	SourceFallback ResolveSource = "fallback"
)
Source labels for ResolveResult — see Resolve for the precedence chain.