Skip to content

Commit ec0da82

Browse files
kopkop
authored
refactor(auth): implement browser-based and refresh token authentication flow (#15)
## Summary Adds browser-based OAuth PKCE authentication as an alternative to Service Account login, migrates secret storage to the OS keychain, and fixes several bugs discovered during implementation. ## What changed ### New authentication flow (`src/auth.rs`, `src/context.rs`) - `fb auth` now offers a choice: **Browser login (PKCE)** or **Service Account** - Browser flow: opens system browser → local callback server (5 fixed candidate ports) → PKCE code exchange → tokens stored in OS keychain - After authenticating, interactively selects an account from the API (`GET /web/v3/myAccounts`) — auto-selects if only one account exists - System engine URL is discovered automatically per account - Both flows prompt for optional default database/engine ### Keyring-based secret storage - All secrets (SA client secret, access tokens, refresh tokens) stored in OS keychain via `keyring` crate - `--no-keyring` flag falls back to `~/.firebolt/fb_secrets` (YAML file) - Enabled `apple-native` and `linux-native` keyring features — without these the crate compiled with an in-memory mock backend, losing tokens between invocations - Namespaced keyring keys: `browser_access_token`/`browser_refresh_token` for browser flow, `sa_access_token`/`sa_secret` for SA flow — prevents cross-flow token collisions ### New subcommands - `fb auth token` — prints current access token to stdout, refreshes if expired
1 parent 85483b8 commit ec0da82

9 files changed

Lines changed: 2106 additions & 869 deletions

File tree

Cargo.lock

Lines changed: 1108 additions & 457 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,3 +24,8 @@ urlencoding = "2.1"
2424
pest = "2.7"
2525
pest_derive = "2.7"
2626
console = "0.15"
27+
keyring = { version = "3.6.3", features = ["apple-native", "linux-native"] }
28+
rand = "0.8"
29+
sha2 = "0.10"
30+
base64 = "0.22"
31+
open = "5"

src/args.rs

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -95,6 +95,10 @@ pub struct Args {
9595
#[serde(default)]
9696
pub no_spinner: bool,
9797

98+
#[options(no_short, help = "Store secrets in file instead of OS keychain")]
99+
#[serde(default)]
100+
pub no_keyring: bool,
101+
98102
#[options(no_short, help = "Update default configuration values")]
99103
#[serde(skip_serializing, skip_deserializing)]
100104
pub update_defaults: bool,

0 commit comments

Comments
 (0)