fix(oauth): replace OOB OAuth flow with local callback server

Author: LorrisSaintGenez

Makefile

@@ -61,7 +61,14 @@ api-specs-pr:
 # Build the binary
 build:
 	go generate ./...
-	go build -ldflags "-s -w -X=github.com/algolia/cli/pkg/version.Version=$(VERSION)" -o algolia cmd/algolia/main.go
+	go build -ldflags "\
+		-s -w \
+		-X=github.com/algolia/cli/pkg/version.Version=$(VERSION) \
+		-X=github.com/algolia/cli/api/dashboard.DefaultDashboardURL=$(ALGOLIA_DASHBOARD_URL) \
+		-X=github.com/algolia/cli/api/dashboard.DefaultAPIURL=$(ALGOLIA_API_URL) \
+		-X=github.com/algolia/cli/pkg/cmd/auth/login.DefaultOAuthClientID=$(ALGOLIA_OAUTH_CLIENT_ID) \
+		-X 'github.com/algolia/cli/api/dashboard.DefaultOAuthScope=$(ALGOLIA_OAUTH_SCOPE)'" \
+		-o algolia cmd/algolia/main.go
 .PHONY: build
 
 ## Install & uninstall tasks are here for use on *nix platform only.

api/dashboard/client.go

@@ -83,24 +83,24 @@ func NewClientWithHTTPClient(clientID string, httpClient *http.Client) *Client {
 }
 
 // AuthorizeURL builds the OAuth 2.0 authorization URL for the browser-based sign-in flow.
-func (c *Client) AuthorizeURL(codeChallenge string) string {
-	return c.buildAuthorizeURL(codeChallenge, nil)
+func (c *Client) AuthorizeURL(codeChallenge, redirectURI string) string {
+	return c.buildAuthorizeURL(codeChallenge, redirectURI, nil)
 }
 
 // SignupAuthorizeURL builds an OAuth 2.0 authorization URL that opens the
 // sign-up page instead of the default sign-in page.
-func (c *Client) SignupAuthorizeURL(codeChallenge string) string {
-	return c.buildAuthorizeURL(codeChallenge, map[string]string{"screen": "signup"})
+func (c *Client) SignupAuthorizeURL(codeChallenge, redirectURI string) string {
+	return c.buildAuthorizeURL(codeChallenge, redirectURI, map[string]string{"screen": "signup"})
 }
 
-func (c *Client) buildAuthorizeURL(codeChallenge string, extra map[string]string) string {
+func (c *Client) buildAuthorizeURL(codeChallenge, redirectURI string, extra map[string]string) string {
 	params := url.Values{
 		"client_id":             {c.ClientID},
 		"response_type":         {"code"},
 		"code_challenge":        {codeChallenge},
 		"code_challenge_method": {"S256"},
 		"scope":                 {c.OAuthScope},
-		"redirect_uri":          {"urn:ietf:wg:oauth:2.0:oob"},
+		"redirect_uri":          {redirectURI},
 	}
 	for k, v := range extra {
 		params.Set(k, v)
@@ -109,14 +109,14 @@ func (c *Client) buildAuthorizeURL(codeChallenge string, extra map[string]string
 }
 
 // AuthorizationCodeGrant exchanges an authorization code + PKCE code_verifier
-// for an access token.
-func (c *Client) AuthorizationCodeGrant(code, codeVerifier string) (*OAuthTokenResponse, error) {
+// for an access token. The redirectURI must match the one used in the authorize URL.
+func (c *Client) AuthorizationCodeGrant(code, codeVerifier, redirectURI string) (*OAuthTokenResponse, error) {
 	form := url.Values{
 		"grant_type":    {"authorization_code"},
 		"client_id":     {c.ClientID},
 		"code":          {code},
 		"code_verifier": {codeVerifier},
-		"redirect_uri":  {"urn:ietf:wg:oauth:2.0:oob"},
+		"redirect_uri":  {redirectURI},
 	}
 
 	req, err := http.NewRequest(http.MethodPost, c.DashboardURL+"/2/oauth/token", strings.NewReader(form.Encode()))

api/dashboard/client_test.go

@@ -26,13 +26,13 @@ func TestAuthorizeURL(t *testing.T) {
 		OAuthScope:   "scope:test",
 	}
 
-	url := client.AuthorizeURL("test-challenge")
+	url := client.AuthorizeURL("test-challenge", "http://localhost:12345")
 	assert.Contains(t, url, "https://dashboard.example.com/2/oauth/authorize?")
 	assert.Contains(t, url, "client_id=my-client-id")
 	assert.Contains(t, url, "response_type=code")
 	assert.Contains(t, url, "code_challenge=test-challenge")
 	assert.Contains(t, url, "code_challenge_method=S256")
-	assert.Contains(t, url, "redirect_uri=urn")
+	assert.Contains(t, url, "redirect_uri=http")
 }
 
 func TestAuthorizationCodeGrant_Success(t *testing.T) {
@@ -64,7 +64,7 @@ func TestAuthorizationCodeGrant_Success(t *testing.T) {
 	ts, client := newTestClient(mux)
 	defer ts.Close()
 
-	resp, err := client.AuthorizationCodeGrant("auth-code-123", "verifier-xyz")
+	resp, err := client.AuthorizationCodeGrant("auth-code-123", "verifier-xyz", "http://localhost:12345")
 	require.NoError(t, err)
 	assert.Equal(t, "access-token-123", resp.AccessToken)
 	assert.Equal(t, "refresh-token-456", resp.RefreshToken)
@@ -84,7 +84,7 @@ func TestAuthorizationCodeGrant_InvalidGrant(t *testing.T) {
 	ts, client := newTestClient(mux)
 	defer ts.Close()
 
-	_, err := client.AuthorizationCodeGrant("expired-code", "verifier")
+	_, err := client.AuthorizationCodeGrant("expired-code", "verifier", "http://localhost:12345")
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "Authorization code has expired")
 }

pkg/auth/authenticate.go

@@ -23,7 +23,7 @@ func EnsureAuthenticated(
 	cs := io.ColorScheme()
 	fmt.Fprintf(io.Out, "%s %s\n", cs.WarningIcon(), err)
 
-	return RunInteractiveOAuth(io, client, false, nil)
+	return RunOAuth(io, client, false, true)
 }
 
 // ReauthenticateIfExpired checks if err is a session-expired error from the API.
@@ -41,5 +41,5 @@ func ReauthenticateIfExpired(
 	ClearToken()
 	fmt.Fprintf(io.Out, "%s Session expired.\n", cs.WarningIcon())
 
-	return RunInteractiveOAuth(io, client, false, nil)
+	return RunOAuth(io, client, false, true)
 }

pkg/auth/callback_server.go

@@ -0,0 +1,116 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+	"time"
+)
+
+const callbackShutdownTimeout = 5 * time.Second
+
+const successHTML = `<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<title>Algolia CLI</title>
+<style>
+  body {
+    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+    display: flex; flex-direction: column;
+    justify-content: center; align-items: center;
+    height: 100vh; margin: 0;
+    background: #f5f5fa; color: #21243d;
+    position: relative;
+  }
+  .brand {
+    font-size: 1.5rem; font-weight: 700; color: #003dff;
+    margin-bottom: 1.5rem;
+  }
+  .card {
+    margin-top: 0.25rem;
+    background: #fff;
+    border-radius: 4px;
+    box-shadow: 0 0 0 1px rgba(35,38,59,.05),0 1px 3px 0 rgba(35,38,59,.15);
+    overflow: hidden;
+    min-width: 400px;
+  }
+  .card-header {
+    text-align: center; font-size: 1.25rem;
+    padding: 1.5rem 2rem 1rem;
+  }
+  .card-header h2 { margin: 0; font-size: 1.25rem; font-weight: 600; }
+  .card-body {
+    padding: 0 2rem 1.5rem;
+    text-align: center;
+    color: #5a5e9a; font-size: 0.95rem;
+  }
+  .card-body p { margin: 0; }
+</style>
+</head>
+<body>
+<h1>Algolia CLI</h1>
+<div class="card">
+  <div class="card-header">
+    <h2>Authentication successful</h2>
+  </div>
+  <div class="card-body">
+    <p>You can close this tab and return to your terminal.</p>
+  </div>
+</div>
+</body>
+</html>`
+
+// CallbackResult holds the authorization code (or an error description)
+// received from the OAuth redirect.
+type CallbackResult struct {
+	Code  string
+	Error string
+}
+
+// StartCallbackServer starts a local HTTP server on a random available port.
+// It returns the redirect URI (http://127.0.0.1:{port}) and a channel that
+// will receive exactly one CallbackResult when the OAuth redirect arrives.
+// The server shuts itself down after handling the first request.
+func StartCallbackServer() (redirectURI string, result <-chan CallbackResult, err error) {
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		return "", nil, fmt.Errorf("failed to start callback server: %w", err)
+	}
+
+	port := listener.Addr().(*net.TCPAddr).Port
+	redirectURI = fmt.Sprintf("http://127.0.0.1:%d", port)
+
+	ch := make(chan CallbackResult, 1)
+
+	mux := http.NewServeMux()
+	srv := &http.Server{Handler: mux}
+
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		q := r.URL.Query()
+
+		if errParam := q.Get("error"); errParam != "" {
+			desc := q.Get("error_description")
+			if desc == "" {
+				desc = errParam
+			}
+			http.Error(w, desc, http.StatusBadRequest)
+			ch <- CallbackResult{Error: desc}
+		} else {
+			w.Header().Set("Content-Type", "text/html; charset=utf-8")
+			fmt.Fprint(w, successHTML)
+			ch <- CallbackResult{Code: q.Get("code")}
+		}
+
+		go func() {
+			ctx, cancel := context.WithTimeout(context.Background(), callbackShutdownTimeout)
+			defer cancel()
+			_ = srv.Shutdown(ctx)
+		}()
+	})
+
+	go func() { _ = srv.Serve(listener) }()
+
+	return redirectURI, ch, nil
+}

pkg/auth/oauth_flow.go

@@ -4,44 +4,28 @@ import (
 	"fmt"
 	"os/exec"
 	"runtime"
-	"strings"
-
-	"github.com/AlecAivazis/survey/v2"
 
 	"github.com/algolia/cli/api/dashboard"
 	"github.com/algolia/cli/pkg/iostreams"
-	"github.com/algolia/cli/pkg/prompt"
 )
 
-// OAuthOptions configures the behaviour of RunOAuthFlow.
-type OAuthOptions struct {
-	// Code, if non-empty, skips the interactive browser+prompt step and
-	// exchanges this authorization code directly. The caller must also
-	// supply CodeVerifier so the PKCE handshake succeeds.
-	Code         string
-	CodeVerifier string
-}
-
-// RunInteractiveOAuth runs the browser-based OAuth PKCE flow and returns
-// a valid access token. This is the authentication-only portion — it does
-// not handle application selection or profile setup.
-// If signup is true, the browser opens to the sign-up page.
-func RunInteractiveOAuth(io *iostreams.IOStreams, client *dashboard.Client, signup bool, opts *OAuthOptions) (string, error) {
-	if opts == nil {
-		opts = &OAuthOptions{}
-	}
-
-	// Fast path: caller already has an authorization code + verifier.
-	if opts.Code != "" {
-		return exchangeCode(io, client, opts.Code, opts.CodeVerifier)
-	}
+// RunOAuth runs the OAuth PKCE flow with a local callback server and returns
+// a valid access token. A local HTTP server is started on a random port to
+// receive the authorization code via redirect — no copy-paste required.
+//
+// When openBrowser is true the authorize URL is opened automatically;
+// otherwise only the URL is printed (useful when the browser can't be
+// launched, e.g. SSH / containers).
+//
+// If signup is true the browser opens to the sign-up page.
+func RunOAuth(io *iostreams.IOStreams, client *dashboard.Client, signup, openBrowser bool) (string, error) {
+	cs := io.ColorScheme()
 
-	if !io.CanPrompt() {
-		return "", fmt.Errorf("not logged in — run `algolia auth login` interactively first, or use --print-url and --code for non-interactive mode")
+	redirectURI, resultCh, err := StartCallbackServer()
+	if err != nil {
+		return "", err
 	}
 
-	cs := io.ColorScheme()
-
 	codeVerifier, err := GenerateCodeVerifier()
 	if err != nil {
 		return "", fmt.Errorf("failed to generate PKCE verifier: %w", err)
@@ -50,58 +34,35 @@ func RunInteractiveOAuth(io *iostreams.IOStreams, client *dashboard.Client, sign
 
 	var authorizeURL string
 	if signup {
-		authorizeURL = client.SignupAuthorizeURL(codeChallenge)
-		fmt.Fprintf(io.Out, "Opening browser to create an account...\n")
+		authorizeURL = client.SignupAuthorizeURL(codeChallenge, redirectURI)
 	} else {
-		authorizeURL = client.AuthorizeURL(codeChallenge)
-		fmt.Fprintf(io.Out, "Opening browser to sign in...\n")
+		authorizeURL = client.AuthorizeURL(codeChallenge, redirectURI)
 	}
-	fmt.Fprintf(io.Out, "If the browser doesn't open, visit:\n  %s\n\n", cs.Bold(authorizeURL))
-	_ = OpenBrowser(authorizeURL)
 
-	var code string
-	err = prompt.SurveyAskOne(
-		&survey.Input{Message: "Paste the authorization code:"},
-		&code,
-		survey.WithValidator(survey.Required),
-	)
-	if err != nil {
-		return "", err
+	if openBrowser {
+		if signup {
+			fmt.Fprintf(io.Out, "Opening browser to create an account...\n")
+		} else {
+			fmt.Fprintf(io.Out, "Opening browser to sign in...\n")
+		}
+		fmt.Fprintf(io.Out, "If the browser doesn't open, visit:\n  %s\n\n", cs.Bold(authorizeURL))
+		_ = OpenBrowser(authorizeURL)
+	} else {
+		fmt.Fprintf(io.Out, "Open this URL in your browser to authenticate:\n\n  %s\n\n", cs.Bold(authorizeURL))
 	}
-	code = strings.TrimSpace(code)
 
-	return exchangeCode(io, client, code, codeVerifier)
-}
-
-// PrintAuthorizeURL generates a PKCE challenge, prints the authorize URL,
-// and returns the code verifier so the caller can later exchange the code
-// in a separate invocation via --code / --code-verifier.
-func PrintAuthorizeURL(io *iostreams.IOStreams, client *dashboard.Client, signup bool) (codeVerifier string, err error) {
-	cs := io.ColorScheme()
+	fmt.Fprintf(io.Out, "Waiting for authentication...\n")
+	cbResult := <-resultCh
 
-	codeVerifier, err = GenerateCodeVerifier()
-	if err != nil {
-		return "", fmt.Errorf("failed to generate PKCE verifier: %w", err)
+	if cbResult.Error != "" {
+		return "", fmt.Errorf("authorization failed: %s", cbResult.Error)
 	}
-	codeChallenge := CodeChallenge(codeVerifier)
-
-	var authorizeURL string
-	if signup {
-		authorizeURL = client.SignupAuthorizeURL(codeChallenge)
-	} else {
-		authorizeURL = client.AuthorizeURL(codeChallenge)
+	if cbResult.Code == "" {
+		return "", fmt.Errorf("no authorization code received")
 	}
 
-	fmt.Fprintf(io.Out, "Open this URL in your browser to authenticate:\n\n  %s\n\n", cs.Bold(authorizeURL))
-	fmt.Fprintf(io.Out, "Then run:\n\n  algolia auth login --code <AUTHORIZATION_CODE> --code-verifier %s\n\n", codeVerifier)
-	return codeVerifier, nil
-}
-
-func exchangeCode(io *iostreams.IOStreams, client *dashboard.Client, code, codeVerifier string) (string, error) {
-	cs := io.ColorScheme()
-
 	io.StartProgressIndicatorWithLabel("Exchanging code for tokens")
-	tokenResp, err := client.AuthorizationCodeGrant(code, codeVerifier)
+	tokenResp, err := client.AuthorizationCodeGrant(cbResult.Code, codeVerifier, redirectURI)
 	io.StopProgressIndicator()
 	if err != nil {
 		return "", err