feat(auth): add OAuth PKCE browser flow

Author: LorrisSaintGenez

.github/workflows/releases.yml

@@ -38,6 +38,10 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
           CHOCOLATEY_API_KEY: ${{ secrets.CHOCOLATEY_API_KEY }}
+          ALGOLIA_DASHBOARD_URL: ${{ secrets.ALGOLIA_DASHBOARD_URL }}
+          ALGOLIA_API_URL: ${{ secrets.ALGOLIA_API_URL }}
+          ALGOLIA_OAUTH_CLIENT_ID: ${{ secrets.ALGOLIA_OAUTH_CLIENT_ID }}
+          ALGOLIA_OAUTH_SCOPE: ${{ secrets.ALGOLIA_OAUTH_SCOPE }}
       - name: Docs checkout
         uses: actions/checkout@v4
         with:

.goreleaser.yml

@@ -16,7 +16,12 @@ builds:
       binary: algolia
       main: ./cmd/algolia/main.go
       ldflags:
-        - -s -w -X github.com/algolia/cli/pkg/version.Version={{.Version}}
+        - -s -w
+          -X github.com/algolia/cli/pkg/version.Version={{.Version}}
+          -X github.com/algolia/cli/api/dashboard.DefaultDashboardURL={{ .Env.ALGOLIA_DASHBOARD_URL }}
+          -X github.com/algolia/cli/api/dashboard.DefaultAPIURL={{ .Env.ALGOLIA_API_URL }}
+          -X github.com/algolia/cli/pkg/cmd/auth/login.DefaultOAuthClientID={{ .Env.ALGOLIA_OAUTH_CLIENT_ID }}
+          -X github.com/algolia/cli/api/dashboard.DefaultOAuthScope={{ .Env.ALGOLIA_OAUTH_SCOPE }}
     id: macos
     goos: [darwin]
     goarch: [amd64, arm64]

api/dashboard/client.go

@@ -0,0 +1,357 @@
+package dashboard
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+)
+
+// DefaultDashboardURL and DefaultAPIURL are empty by default and must be
+// injected at build time via ldflags, e.g.:
+//
+//	go build -ldflags "-X github.com/algolia/cli/api/dashboard.DefaultDashboardURL=https://..."
+//
+// They can also be overridden at runtime with ALGOLIA_DASHBOARD_URL / ALGOLIA_API_URL / ALGOLIA_OAUTH_SCOPE
+// environment variables.
+var (
+	DefaultDashboardURL = ""
+	DefaultAPIURL       = ""
+	DefaultOAuthScope   = ""
+)
+
+// Client interacts with the Algolia Dashboard OAuth endpoint and the Public API.
+type Client struct {
+	DashboardURL string
+	APIURL       string
+	OAuthScope   string
+	ClientID     string
+	client       *http.Client
+}
+
+// NewClient creates a new dashboard client with the given OAuth client ID.
+// Respects ALGOLIA_DASHBOARD_URL, ALGOLIA_API_URL, and ALGOLIA_OAUTH_SCOPE
+// environment variables, falling back to the compiled-in defaults (set via ldflags).
+func NewClient(clientID string) *Client {
+	dashboardURL := DefaultDashboardURL
+	if v := os.Getenv("ALGOLIA_DASHBOARD_URL"); v != "" {
+		dashboardURL = strings.TrimRight(v, "/")
+	}
+	if dashboardURL == "" {
+		fmt.Fprintln(os.Stderr, "fatal: ALGOLIA_DASHBOARD_URL is not set and no default was compiled in")
+		os.Exit(1)
+	}
+
+	apiURL := DefaultAPIURL
+	if v := os.Getenv("ALGOLIA_API_URL"); v != "" {
+		apiURL = strings.TrimRight(v, "/")
+	}
+	if apiURL == "" {
+		fmt.Fprintln(os.Stderr, "fatal: ALGOLIA_API_URL is not set and no default was compiled in")
+		os.Exit(1)
+	}
+
+	oauthScope := DefaultOAuthScope
+	if v := os.Getenv("ALGOLIA_OAUTH_SCOPE"); v != "" {
+		oauthScope = v
+	}
+	if oauthScope == "" {
+		fmt.Fprintln(os.Stderr, "fatal: ALGOLIA_OAUTH_SCOPE is not set and no default was compiled in")
+		os.Exit(1)
+	}
+
+	return &Client{
+		DashboardURL: dashboardURL,
+		APIURL:       apiURL,
+		OAuthScope:   oauthScope,
+		ClientID:     clientID,
+		client:       http.DefaultClient,
+	}
+}
+
+// NewClientWithHTTPClient creates a new dashboard client with a custom HTTP client.
+// Used primarily in tests; callers must set DashboardURL and APIURL explicitly.
+func NewClientWithHTTPClient(clientID string, httpClient *http.Client) *Client {
+	return &Client{
+		ClientID: clientID,
+		client:   httpClient,
+	}
+}
+
+// AuthorizeURL builds the OAuth 2.0 authorization URL for the browser-based sign-in flow.
+func (c *Client) AuthorizeURL(codeChallenge string) string {
+	return c.buildAuthorizeURL(codeChallenge, nil)
+}
+
+// SignupAuthorizeURL builds an OAuth 2.0 authorization URL that opens the
+// sign-up page instead of the default sign-in page.
+func (c *Client) SignupAuthorizeURL(codeChallenge string) string {
+	return c.buildAuthorizeURL(codeChallenge, map[string]string{"screen": "signup"})
+}
+
+func (c *Client) buildAuthorizeURL(codeChallenge string, extra map[string]string) string {
+	params := url.Values{
+		"client_id":             {c.ClientID},
+		"response_type":         {"code"},
+		"code_challenge":        {codeChallenge},
+		"code_challenge_method": {"S256"},
+		"scope":                 {c.OAuthScope},
+		"redirect_uri":          {"urn:ietf:wg:oauth:2.0:oob"},
+	}
+	for k, v := range extra {
+		params.Set(k, v)
+	}
+	return c.DashboardURL + "/2/oauth/authorize?" + params.Encode()
+}
+
+// AuthorizationCodeGrant exchanges an authorization code + PKCE code_verifier
+// for an access token.
+func (c *Client) AuthorizationCodeGrant(code, codeVerifier string) (*OAuthTokenResponse, error) {
+	form := url.Values{
+		"grant_type":    {"authorization_code"},
+		"client_id":     {c.ClientID},
+		"code":          {code},
+		"code_verifier": {codeVerifier},
+		"redirect_uri":  {"urn:ietf:wg:oauth:2.0:oob"},
+	}
+
+	req, err := http.NewRequest(http.MethodPost, c.DashboardURL+"/2/oauth/token", strings.NewReader(form.Encode()))
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := c.client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("token request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, parseOAuthError(resp, "authorization code exchange")
+	}
+
+	var tokenResp OAuthTokenResponse
+	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
+		return nil, fmt.Errorf("failed to parse token response: %w", err)
+	}
+
+	return &tokenResp, nil
+}
+
+// RefreshToken uses a refresh token to obtain a new access token.
+func (c *Client) RefreshToken(refreshToken string) (*OAuthTokenResponse, error) {
+	form := url.Values{
+		"grant_type":    {"refresh_token"},
+		"client_id":     {c.ClientID},
+		"refresh_token": {refreshToken},
+	}
+
+	req, err := http.NewRequest(http.MethodPost, c.DashboardURL+"/2/oauth/token", strings.NewReader(form.Encode()))
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := c.client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("token refresh request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, parseOAuthError(resp, "token refresh")
+	}
+
+	var tokenResp OAuthTokenResponse
+	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
+		return nil, fmt.Errorf("failed to parse refresh token response: %w", err)
+	}
+
+	return &tokenResp, nil
+}
+
+// RevokeToken revokes an OAuth access or refresh token via POST /2/oauth/revoke.
+func (c *Client) RevokeToken(token string) error {
+	form := url.Values{
+		"client_id": {c.ClientID},
+		"token":     {token},
+	}
+
+	req, err := http.NewRequest(http.MethodPost, c.DashboardURL+"/2/oauth/revoke", strings.NewReader(form.Encode()))
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := c.client.Do(req)
+	if err != nil {
+		return fmt.Errorf("token revocation request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return parseOAuthError(resp, "token revocation")
+	}
+
+	return nil
+}
+
+// ListApplications returns all applications for the authenticated user.
+func (c *Client) ListApplications(accessToken string) ([]Application, error) {
+	req, err := http.NewRequest(http.MethodGet, c.APIURL+"/1/applications", nil)
+	if err != nil {
+		return nil, err
+	}
+	c.setAPIHeaders(req, accessToken)
+
+	resp, err := c.client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("list applications request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusUnauthorized {
+		return nil, ErrSessionExpired
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("list applications failed with status: %d", resp.StatusCode)
+	}
+
+	var appsResp ApplicationsResponse
+	if err := json.NewDecoder(resp.Body).Decode(&appsResp); err != nil {
+		return nil, fmt.Errorf("failed to parse applications response: %w", err)
+	}
+
+	apps := make([]Application, len(appsResp.Data))
+	for i := range appsResp.Data {
+		apps[i] = appsResp.Data[i].toApplication()
+	}
+
+	return apps, nil
+}
+
+// GetApplication returns a single application by its ID.
+func (c *Client) GetApplication(accessToken, appID string) (*Application, error) {
+	req, err := http.NewRequest(http.MethodGet, c.APIURL+"/1/application/"+url.PathEscape(appID), nil)
+	if err != nil {
+		return nil, err
+	}
+	c.setAPIHeaders(req, accessToken)
+
+	resp, err := c.client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("get application request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusUnauthorized {
+		return nil, ErrSessionExpired
+	}
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("get application failed with status: %d", resp.StatusCode)
+	}
+
+	var singleResp SingleApplicationResponse
+	if err := json.NewDecoder(resp.Body).Decode(&singleResp); err != nil {
+		return nil, fmt.Errorf("failed to parse application response: %w", err)
+	}
+
+	app := singleResp.Data.toApplication()
+	return &app, nil
+}
+
+// CreateApplication creates a new application for the authenticated user.
+func (c *Client) CreateApplication(accessToken, region, name string) (*Application, error) {
+	payload := CreateApplicationRequest{RegionCode: region, Name: name}
+	body, err := json.Marshal(payload)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequest(http.MethodPost, c.APIURL+"/1/applications", bytes.NewReader(body))
+	if err != nil {
+		return nil, err
+	}
+	c.setAPIHeaders(req, accessToken)
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := c.client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("create application request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
+		respBody, _ := io.ReadAll(resp.Body)
+		respStr := string(respBody)
+
+		if strings.Contains(strings.ToLower(respStr), "cluster") && strings.Contains(strings.ToLower(respStr), "not available") ||
+			strings.Contains(strings.ToLower(respStr), "no cluster") {
+			return nil, &ErrClusterUnavailable{Region: region, Message: fmt.Sprintf("no cluster available in region %q", region)}
+		}
+
+		return nil, fmt.Errorf("create application failed with status %d: %s", resp.StatusCode, respStr)
+	}
+
+	var singleResp SingleApplicationResponse
+	if err := json.NewDecoder(resp.Body).Decode(&singleResp); err != nil {
+		return nil, fmt.Errorf("failed to parse application response: %w", err)
+	}
+
+	app := singleResp.Data.toApplication()
+	return &app, nil
+}
+
+// ListRegions returns the allowed hosting regions for application creation.
+func (c *Client) ListRegions(accessToken string) ([]Region, error) {
+	req, err := http.NewRequest(http.MethodGet, c.APIURL+"/1/hosting/regions", nil)
+	if err != nil {
+		return nil, err
+	}
+	c.setAPIHeaders(req, accessToken)
+
+	resp, err := c.client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("list regions request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("list regions failed with status: %d", resp.StatusCode)
+	}
+
+	var regionsResp RegionsResponse
+	if err := json.NewDecoder(resp.Body).Decode(&regionsResp); err != nil {
+		return nil, fmt.Errorf("failed to parse regions response: %w", err)
+	}
+
+	return regionsResp.RegionCodes, nil
+}
+
+func (c *Client) setAPIHeaders(req *http.Request, accessToken string) {
+	req.Header.Set("Authorization", "Bearer "+accessToken)
+	req.Header.Set("Accept", "application/vnd.api+json")
+}
+
+func parseOAuthError(resp *http.Response, context string) error {
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("%s failed with status %d", context, resp.StatusCode)
+	}
+
+	var oauthErr OAuthErrorResponse
+	if json.Unmarshal(body, &oauthErr) == nil && oauthErr.ErrorDescription != "" {
+		return fmt.Errorf("%s: %s", context, oauthErr.ErrorDescription)
+	}
+
+	return fmt.Errorf("%s failed with status %d: %s", context, resp.StatusCode, string(body))
+}