mirror of
https://github.com/larksuite/cli.git
synced 2026-07-08 18:13:01 +08:00
Compare commits
7 Commits
main
...
feat/optim
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
29b0fe6751 | ||
|
|
61c6e1cc40 | ||
|
|
a5bd310d7c | ||
|
|
20c2a2d0f9 | ||
|
|
b65146ef2c | ||
|
|
8b53da5c6f | ||
|
|
520ff2263e |
@@ -49,6 +49,9 @@ func NewCmdAuthLogin(f *cmdutil.Factory, runF func(*LoginOptions) error) *cobra.
|
||||
Short: "Device Flow authorization login",
|
||||
Long: `Device Flow authorization login.
|
||||
|
||||
With no --scope/--domain/--recommend flag, this requests scopes for all known
|
||||
business domains (equivalent to --domain all); pass --domain or --scope to narrow it.
|
||||
|
||||
For AI agents: this command blocks until the user completes authorization in the
|
||||
browser. If your harness or agent tool only delivers final turn messages, use --no-wait --json,
|
||||
send the verification URL (or QR code) to the user as your final message, end the turn, then
|
||||
@@ -71,7 +74,7 @@ to generate QR codes (supports ASCII and PNG formats).`,
|
||||
cmdutil.SetRisk(cmd, "write")
|
||||
|
||||
cmd.Flags().StringVar(&opts.Scope, "scope", "", "scopes to request (space- or comma-separated). Combines additively with --domain/--recommend")
|
||||
cmd.Flags().BoolVar(&opts.Recommend, "recommend", false, "request only recommended (auto-approve) scopes")
|
||||
cmd.Flags().BoolVar(&opts.Recommend, "recommend", false, "request scopes for all known domains (equivalent to --domain all)")
|
||||
var helpBrand core.LarkBrand
|
||||
if f != nil && f.Config != nil {
|
||||
if cfg, err := f.Config(); err == nil && cfg != nil {
|
||||
@@ -144,33 +147,6 @@ func authLoginRun(opts *LoginOptions) error {
|
||||
}
|
||||
|
||||
selectedDomains := opts.Domains
|
||||
scopeLevel := "" // "common" or "all" (from interactive mode)
|
||||
|
||||
// Expand --domain all to all available domains (from_meta projects + shortcut services)
|
||||
for _, d := range selectedDomains {
|
||||
if strings.EqualFold(d, "all") {
|
||||
selectedDomains = sortedKnownDomains(config.Brand)
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
// Validate domain names and suggest corrections for unknown ones
|
||||
if len(selectedDomains) > 0 {
|
||||
knownDomains := allKnownDomains(config.Brand)
|
||||
for _, d := range selectedDomains {
|
||||
if !knownDomains[d] {
|
||||
if suggestion := suggestDomain(d, knownDomains); suggestion != "" {
|
||||
return errs.NewValidationError(errs.SubtypeInvalidArgument, "unknown domain %q, did you mean %q?", d, suggestion).WithParam("--domain")
|
||||
}
|
||||
available := make([]string, 0, len(knownDomains))
|
||||
for k := range knownDomains {
|
||||
available = append(available, k)
|
||||
}
|
||||
sort.Strings(available)
|
||||
return errs.NewValidationError(errs.SubtypeInvalidArgument, "unknown domain %q, available domains: %s", d, strings.Join(available, ", ")).WithParam("--domain")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
hasAnyOption := opts.Scope != "" || opts.Recommend || len(selectedDomains) > 0
|
||||
|
||||
@@ -178,30 +154,51 @@ func authLoginRun(opts *LoginOptions) error {
|
||||
return errs.NewValidationError(errs.SubtypeInvalidArgument, "--exclude requires --scope, --domain, or --recommend to be specified").WithParam("--exclude")
|
||||
}
|
||||
|
||||
if !hasAnyOption {
|
||||
if !opts.JSON && f.IOStreams.IsTerminal {
|
||||
result, err := runInteractiveLogin(f.IOStreams, lang.Base(), msg, config.Brand)
|
||||
if err != nil {
|
||||
return err
|
||||
// scopeOnly is the one path that must never touch the domain catalog
|
||||
// (remote or local): --scope given alone, with neither --domain nor
|
||||
// --recommend. Every other path — including bare `auth login`, now that
|
||||
// the interactive picker is gone — needs the legal domain set to resolve
|
||||
// scopes.
|
||||
scopeOnly := opts.Scope != "" && !opts.Recommend && len(selectedDomains) == 0
|
||||
|
||||
var remote map[string][]string
|
||||
var remoteOK bool
|
||||
|
||||
if !scopeOnly {
|
||||
// Pull the remote scopes.json once for this login (not cached); any
|
||||
// read failure (network/timeout/non-2xx/malformed) silently falls back
|
||||
// to the local full computation — no warning, no telemetry.
|
||||
remote, remoteOK = larkauth.FetchRemoteScopes(config.Brand)
|
||||
legalDomains, allLegalDomains := legalDomainsFor(remote, remoteOK, config.Brand)
|
||||
|
||||
// Expand --domain all against the resolved legal domain set.
|
||||
for _, d := range selectedDomains {
|
||||
if strings.EqualFold(d, "all") {
|
||||
selectedDomains = allLegalDomains
|
||||
break
|
||||
}
|
||||
if result == nil {
|
||||
return errs.NewValidationError(errs.SubtypeInvalidArgument, "no login options selected")
|
||||
}
|
||||
|
||||
if len(selectedDomains) > 0 {
|
||||
// Validate explicitly-supplied domain names and suggest corrections.
|
||||
for _, d := range selectedDomains {
|
||||
if !legalDomains[d] {
|
||||
if suggestion := suggestDomain(d, legalDomains); suggestion != "" {
|
||||
return errs.NewValidationError(errs.SubtypeInvalidArgument, "unknown domain %q, did you mean %q?", d, suggestion).WithParam("--domain")
|
||||
}
|
||||
available := make([]string, 0, len(legalDomains))
|
||||
for k := range legalDomains {
|
||||
available = append(available, k)
|
||||
}
|
||||
sort.Strings(available)
|
||||
return errs.NewValidationError(errs.SubtypeInvalidArgument, "unknown domain %q, available domains: %s", d, strings.Join(available, ", ")).WithParam("--domain")
|
||||
}
|
||||
}
|
||||
selectedDomains = result.Domains
|
||||
scopeLevel = result.ScopeLevel
|
||||
} else {
|
||||
log(msg.HintHeader)
|
||||
log("Common options:")
|
||||
log(msg.HintCommon1)
|
||||
log(msg.HintCommon2)
|
||||
log(msg.HintCommon3)
|
||||
log(msg.HintCommon4)
|
||||
log("")
|
||||
log("View all options:")
|
||||
log(msg.HintFooter)
|
||||
log("")
|
||||
log("Note: this command blocks until authorization is complete. For non-streaming agent harnesses, use --no-wait --json, send the verification URL as the final message of the turn, then run --device-code in a later step after the user confirms authorization.")
|
||||
return errs.NewValidationError(errs.SubtypeInvalidArgument, "please specify the scopes to authorize").WithParam("--scope")
|
||||
// Bare `auth login` and `--recommend` without `--domain` both span
|
||||
// the full legal domain set now that the interactive picker and
|
||||
// the local auto-approve filter are gone (--recommend ≡ --domain all).
|
||||
selectedDomains = allLegalDomains
|
||||
}
|
||||
}
|
||||
|
||||
@@ -215,19 +212,8 @@ func authLoginRun(opts *LoginOptions) error {
|
||||
// --scope, --domain, and --recommend combine additively so callers can,
|
||||
// for example, request all `docs` scopes plus a few specific `drive`
|
||||
// scopes in a single command.
|
||||
if len(selectedDomains) > 0 || opts.Recommend {
|
||||
var candidateScopes []string
|
||||
if len(selectedDomains) > 0 {
|
||||
candidateScopes = collectScopesForDomains(selectedDomains, "user", config.Brand)
|
||||
} else {
|
||||
// --recommend without --domain: all domains
|
||||
candidateScopes = collectScopesForDomains(sortedKnownDomains(config.Brand), "user", config.Brand)
|
||||
}
|
||||
|
||||
// Filter to auto-approve scopes if --recommend or interactive "common"
|
||||
if opts.Recommend || scopeLevel == "common" {
|
||||
candidateScopes = registry.FilterAutoApproveScopes(candidateScopes)
|
||||
}
|
||||
if len(selectedDomains) > 0 {
|
||||
candidateScopes := resolveScopesForDomains(selectedDomains, remote, remoteOK, config.Brand)
|
||||
|
||||
if len(candidateScopes) == 0 && opts.Scope == "" {
|
||||
return errs.NewValidationError(errs.SubtypeInvalidArgument, "no matching scopes found, check domain/scope options")
|
||||
@@ -382,10 +368,10 @@ func authLoginRun(opts *LoginOptions) error {
|
||||
}
|
||||
|
||||
if issue := ensureRequestedScopesGranted(finalScope, result.Token.Scope, msg, scopeSummary); issue != nil {
|
||||
return handleLoginScopeIssue(opts, msg, f, issue, openId, userName)
|
||||
return handleLoginScopeIssue(opts, msg, f, issue, openId, userName, result.Token.StatusMessage)
|
||||
}
|
||||
|
||||
writeLoginSuccess(opts, msg, f, openId, userName, scopeSummary)
|
||||
writeLoginSuccess(opts, msg, f, openId, userName, scopeSummary, result.Token.StatusMessage)
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -465,10 +451,10 @@ func authLoginPollDeviceCode(opts *LoginOptions, config *core.CliConfig, msg *lo
|
||||
}
|
||||
|
||||
if issue := ensureRequestedScopesGranted(requestedScope, result.Token.Scope, msg, scopeSummary); issue != nil {
|
||||
return handleLoginScopeIssue(opts, msg, f, issue, openId, userName)
|
||||
return handleLoginScopeIssue(opts, msg, f, issue, openId, userName, result.Token.StatusMessage)
|
||||
}
|
||||
|
||||
writeLoginSuccess(opts, msg, f, openId, userName, scopeSummary)
|
||||
writeLoginSuccess(opts, msg, f, openId, userName, scopeSummary, result.Token.StatusMessage)
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -550,6 +536,30 @@ func collectScopesForDomains(domains []string, identity string, brand core.LarkB
|
||||
return result
|
||||
}
|
||||
|
||||
// resolveScopesForDomains resolves the scope set for the given domains. When
|
||||
// the remote scopes.json is available it takes the union of each domain's
|
||||
// user_scopes from the remote result (remote is authoritative, including
|
||||
// domains this CLI build doesn't know about locally); otherwise it falls back
|
||||
// to the local synthesis via collectScopesForDomains. Always returns a
|
||||
// deduplicated, alphabetically sorted slice.
|
||||
func resolveScopesForDomains(domains []string, remote map[string][]string, remoteOK bool, brand core.LarkBrand) []string {
|
||||
if remoteOK {
|
||||
set := make(map[string]bool)
|
||||
for _, d := range domains {
|
||||
for _, s := range remote[d] {
|
||||
set[s] = true
|
||||
}
|
||||
}
|
||||
out := make([]string, 0, len(set))
|
||||
for s := range set {
|
||||
out = append(out, s)
|
||||
}
|
||||
sort.Strings(out)
|
||||
return out
|
||||
}
|
||||
return collectScopesForDomains(domains, "user", brand)
|
||||
}
|
||||
|
||||
// allKnownDomains returns all valid auth domain names (from_meta projects +
|
||||
// shortcut services), excluding domains that have auth_domain set (they are
|
||||
// folded into their parent domain).
|
||||
@@ -582,6 +592,25 @@ func sortedKnownDomains(brand core.LarkBrand) []string {
|
||||
return domains
|
||||
}
|
||||
|
||||
// legalDomainsFor returns the authoritative domain set for this login: the
|
||||
// remote scopes.json keys when available (a remote-listed domain unknown to
|
||||
// this CLI build is still legal), otherwise the local known-domain set.
|
||||
// Returns both a membership set (for --domain validation) and a sorted slice
|
||||
// (for `all` expansion and the bare-login/--recommend-without-domain default).
|
||||
func legalDomainsFor(remote map[string][]string, remoteOK bool, brand core.LarkBrand) (map[string]bool, []string) {
|
||||
if remoteOK {
|
||||
set := make(map[string]bool, len(remote))
|
||||
sorted := make([]string, 0, len(remote))
|
||||
for d := range remote {
|
||||
set[d] = true
|
||||
sorted = append(sorted, d)
|
||||
}
|
||||
sort.Strings(sorted)
|
||||
return set, sorted
|
||||
}
|
||||
return allKnownDomains(brand), sortedKnownDomains(brand)
|
||||
}
|
||||
|
||||
// shortcutSupportsIdentity checks if a shortcut supports the given identity ("user" or "bot").
|
||||
// Empty AuthTypes defaults to ["user"].
|
||||
func shortcutSupportsIdentity(sc common.Shortcut, identity string) bool {
|
||||
|
||||
@@ -1,188 +0,0 @@
|
||||
// Copyright (c) 2026 Lark Technologies Pte. Ltd.
|
||||
// SPDX-License-Identifier: MIT
|
||||
|
||||
package auth
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"sort"
|
||||
"strings"
|
||||
|
||||
"github.com/charmbracelet/huh"
|
||||
|
||||
"github.com/larksuite/cli/errs"
|
||||
"github.com/larksuite/cli/internal/cmdutil"
|
||||
"github.com/larksuite/cli/internal/core"
|
||||
"github.com/larksuite/cli/internal/output"
|
||||
"github.com/larksuite/cli/internal/registry"
|
||||
"github.com/larksuite/cli/shortcuts"
|
||||
)
|
||||
|
||||
// domainMeta describes a domain for the interactive selector.
|
||||
type domainMeta struct {
|
||||
Name string
|
||||
Title string
|
||||
Description string
|
||||
}
|
||||
|
||||
// interactiveResult holds the user's selections from the interactive form.
|
||||
type interactiveResult struct {
|
||||
Domains []string
|
||||
ScopeLevel string // "common" or "all"
|
||||
}
|
||||
|
||||
// getDomainMetadata returns metadata for all known domains, sorted by name.
|
||||
func getDomainMetadata(lang string) []domainMeta {
|
||||
seen := make(map[string]bool)
|
||||
var domains []domainMeta
|
||||
|
||||
// 1. Domains from from_meta projects (skip domains with auth_domain)
|
||||
for _, project := range registry.ListFromMetaProjects() {
|
||||
if registry.HasAuthDomain(project) {
|
||||
seen[project] = true
|
||||
continue
|
||||
}
|
||||
dm := buildDomainMeta(project, lang)
|
||||
domains = append(domains, dm)
|
||||
seen[project] = true
|
||||
}
|
||||
|
||||
// 2. Shortcut-only domains
|
||||
shortcutOnlyNames := getShortcutOnlyDomainNames()
|
||||
for _, name := range shortcutOnlyNames {
|
||||
if !seen[name] {
|
||||
dm := buildDomainMeta(name, lang)
|
||||
domains = append(domains, dm)
|
||||
seen[name] = true
|
||||
}
|
||||
}
|
||||
|
||||
// 3. Auto-discover remaining shortcut services that are listed as shortcut-only domains
|
||||
// (skip domains with auth_domain — they are folded into their parent)
|
||||
shortcutOnlySet := make(map[string]bool)
|
||||
for _, n := range shortcutOnlyNames {
|
||||
shortcutOnlySet[n] = true
|
||||
}
|
||||
for _, sc := range shortcuts.AllShortcuts() {
|
||||
if !seen[sc.Service] {
|
||||
if shortcutOnlySet[sc.Service] && !registry.HasAuthDomain(sc.Service) {
|
||||
dm := buildDomainMeta(sc.Service, lang)
|
||||
domains = append(domains, dm)
|
||||
}
|
||||
seen[sc.Service] = true
|
||||
}
|
||||
}
|
||||
|
||||
sort.Slice(domains, func(i, j int) bool {
|
||||
return domains[i].Name < domains[j].Name
|
||||
})
|
||||
return domains
|
||||
}
|
||||
|
||||
// buildDomainMeta constructs a domainMeta for a given service name and language.
|
||||
// It reads from the service_descriptions.json config first, falling back to
|
||||
// from_meta spec fields if not found.
|
||||
func buildDomainMeta(name, lang string) domainMeta {
|
||||
title := registry.GetServiceTitle(name, lang)
|
||||
desc := registry.GetServiceDetailDescription(name, lang)
|
||||
if title != "" || desc != "" {
|
||||
return domainMeta{
|
||||
Name: name,
|
||||
Title: title,
|
||||
Description: desc,
|
||||
}
|
||||
}
|
||||
// Fallback: read from the typed service spec (legacy)
|
||||
dm := domainMeta{Name: name}
|
||||
if svc, ok := registry.ServiceTyped(name); ok {
|
||||
dm.Title = svc.Title
|
||||
dm.Description = svc.Description
|
||||
}
|
||||
return dm
|
||||
}
|
||||
|
||||
// runInteractiveLogin shows an interactive TUI form for domain and permission selection.
|
||||
func runInteractiveLogin(ios *cmdutil.IOStreams, lang string, msg *loginMsg, brand core.LarkBrand) (*interactiveResult, error) {
|
||||
allDomains := getDomainMetadata(lang)
|
||||
|
||||
// Build multi-select options
|
||||
options := make([]huh.Option[string], len(allDomains))
|
||||
for i, dm := range allDomains {
|
||||
var label string
|
||||
switch {
|
||||
case dm.Title != "" && dm.Description != "":
|
||||
label = fmt.Sprintf("%-12s %s - %s", dm.Name, dm.Title, dm.Description)
|
||||
case dm.Title != "":
|
||||
label = fmt.Sprintf("%-12s %s", dm.Name, dm.Title)
|
||||
default:
|
||||
label = fmt.Sprintf("%-12s %s", dm.Name, dm.Description)
|
||||
}
|
||||
options[i] = huh.NewOption(label, dm.Name)
|
||||
}
|
||||
|
||||
var selectedDomains []string
|
||||
var permLevel string
|
||||
|
||||
// Phase 1a: domain selection
|
||||
// Phase 1b: permission level (shown after domain selection completes)
|
||||
form1 := huh.NewForm(
|
||||
huh.NewGroup(
|
||||
huh.NewMultiSelect[string]().
|
||||
Title(msg.SelectDomains).
|
||||
Description(msg.DomainHint).
|
||||
Options(options...).
|
||||
Value(&selectedDomains).
|
||||
Validate(func(s []string) error {
|
||||
if len(s) == 0 {
|
||||
return fmt.Errorf(msg.ErrNoDomain)
|
||||
}
|
||||
return nil
|
||||
}),
|
||||
),
|
||||
huh.NewGroup(
|
||||
huh.NewSelect[string]().
|
||||
Title(msg.PermLevel).
|
||||
Options(
|
||||
huh.NewOption(msg.PermCommon, "common"),
|
||||
huh.NewOption(msg.PermAll, "all"),
|
||||
).
|
||||
Value(&permLevel),
|
||||
),
|
||||
).WithTheme(cmdutil.ThemeFeishu())
|
||||
|
||||
if err := form1.Run(); err != nil {
|
||||
if err == huh.ErrUserAborted {
|
||||
return nil, output.ErrBare(1)
|
||||
}
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if len(selectedDomains) == 0 {
|
||||
return nil, errs.NewValidationError(errs.SubtypeInvalidArgument, "no domains selected").WithParam("--domain")
|
||||
}
|
||||
|
||||
// Compute scope summary
|
||||
scopes := collectScopesForDomains(selectedDomains, "user", brand)
|
||||
if permLevel == "common" {
|
||||
scopes = registry.FilterAutoApproveScopes(scopes)
|
||||
}
|
||||
|
||||
// Print summary
|
||||
permLabel := msg.PermAllLabel
|
||||
if permLevel == "common" {
|
||||
permLabel = msg.PermCommonLabel
|
||||
}
|
||||
fmt.Fprintf(ios.ErrOut, msg.Summary)
|
||||
fmt.Fprintf(ios.ErrOut, msg.SummaryDomains, strings.Join(selectedDomains, ", "))
|
||||
fmt.Fprintf(ios.ErrOut, msg.SummaryPerm, permLabel)
|
||||
scopePreview := strings.Join(scopes, ", ")
|
||||
if len(scopePreview) > 80 {
|
||||
scopePreview = strings.Join(scopes[:3], ", ") + ", ..."
|
||||
}
|
||||
fmt.Fprintf(ios.ErrOut, msg.SummaryScopes, len(scopes), scopePreview)
|
||||
|
||||
return &interactiveResult{
|
||||
Domains: selectedDomains,
|
||||
ScopeLevel: permLevel,
|
||||
}, nil
|
||||
}
|
||||
@@ -6,21 +6,6 @@ package auth
|
||||
import "github.com/larksuite/cli/internal/i18n"
|
||||
|
||||
type loginMsg struct {
|
||||
// Interactive UI (login_interactive.go)
|
||||
SelectDomains string
|
||||
DomainHint string
|
||||
PermLevel string
|
||||
PermCommon string
|
||||
PermAll string
|
||||
Summary string
|
||||
SummaryDomains string
|
||||
SummaryPerm string
|
||||
SummaryScopes string
|
||||
PermAllLabel string
|
||||
PermCommonLabel string
|
||||
ErrNoDomain string
|
||||
ConfirmAuth string
|
||||
|
||||
// Non-interactive prompts (login.go)
|
||||
OpenURL string
|
||||
WaitingAuth string
|
||||
@@ -34,31 +19,9 @@ type loginMsg struct {
|
||||
NewlyGrantedScopes string
|
||||
NoScopes string
|
||||
StatusHint string
|
||||
|
||||
// Non-interactive hint (no flags)
|
||||
HintHeader string
|
||||
HintCommon1 string
|
||||
HintCommon2 string
|
||||
HintCommon3 string
|
||||
HintCommon4 string
|
||||
HintFooter string
|
||||
}
|
||||
|
||||
var loginMsgZh = &loginMsg{
|
||||
SelectDomains: "选择要授权的业务域",
|
||||
DomainHint: "空格=选择, 回车=确认",
|
||||
PermLevel: "权限类型",
|
||||
PermCommon: "常用权限",
|
||||
PermAll: "全部权限",
|
||||
Summary: "\n摘要:\n",
|
||||
SummaryDomains: " 域: %s\n",
|
||||
SummaryPerm: " 权限: %s\n",
|
||||
SummaryScopes: " Scopes (%d): %s\n\n",
|
||||
PermAllLabel: "全部权限",
|
||||
PermCommonLabel: "常用权限",
|
||||
ErrNoDomain: "请至少选择一个业务域",
|
||||
ConfirmAuth: "确认授权?",
|
||||
|
||||
OpenURL: "在浏览器中打开以下链接进行认证:\n\n",
|
||||
WaitingAuth: "等待用户授权...",
|
||||
AgentTimeoutHint: "[AI agent] 此命令最长阻塞约 10 分钟,等待用户在浏览器内完成授权。请确保 runner 的 timeout >= 600s。若你的 harness 或 agent 工具只会把最终回复发给用户,请改用 \"lark-cli auth login --no-wait --json\" 拿到 device_code 和 verification_url,把 verification_url 作为本轮最终消息发给用户并结束本轮;等用户回复已完成授权后,再在后续步骤运行 \"lark-cli auth login --device-code <code>\" 续上轮询。**不要在同一轮里展示 URL 后立刻阻塞执行 --device-code**,也不要短 timeout 反复重试;每次重启会作废上一轮的 device code,导致用户授权链接失效。**必须生成二维码并展示**: 你必须调用 lark-cli auth qrcode 将 verification_url 转为二维码,这是必须步骤,不要跳过。优先生成 PNG 二维码(--output);仅当用户明确要求时才使用 ASCII(--ascii)。**关键:生成后必须在回复中展示图片**,仅生成文件不算完成,须用 image 标签或内联图片等方式将图片包含在回复中。**展示顺序**: 先输出 URL,再将二维码图片置于 URL 下方完整展示。**URL 输出规则**: 将 verification_url 视为不可修改的 opaque string,不要做任何修改(包括 URL 编码/解码、添加空格或标点)。",
|
||||
@@ -71,30 +34,9 @@ var loginMsgZh = &loginMsg{
|
||||
NewlyGrantedScopes: " 本次新授予 scopes: %s\n",
|
||||
NoScopes: "(空)",
|
||||
StatusHint: "可执行 `lark-cli auth status` 查看账号当前已授予的全部 scopes;",
|
||||
|
||||
HintHeader: "请指定要授权的权限:\n",
|
||||
HintCommon1: " --recommend 授权推荐权限",
|
||||
HintCommon2: " --domain all 授权所有已知域的权限",
|
||||
HintCommon3: " --domain calendar,task 授权日历和任务域的权限",
|
||||
HintCommon4: " --domain calendar --recommend 授权日历域的推荐权限",
|
||||
HintFooter: " lark-cli auth login --help",
|
||||
}
|
||||
|
||||
var loginMsgEn = &loginMsg{
|
||||
SelectDomains: "Select domains to authorize",
|
||||
DomainHint: "Space=toggle, Enter=confirm",
|
||||
PermLevel: "Permission level",
|
||||
PermCommon: "Common scopes",
|
||||
PermAll: "All scopes",
|
||||
Summary: "\nSummary:\n",
|
||||
SummaryDomains: " Domains: %s\n",
|
||||
SummaryPerm: " Level: %s\n",
|
||||
SummaryScopes: " Scopes (%d): %s\n\n",
|
||||
PermAllLabel: "All scopes",
|
||||
PermCommonLabel: "Common scopes",
|
||||
ErrNoDomain: "please select at least one domain",
|
||||
ConfirmAuth: "Confirm authorization?",
|
||||
|
||||
OpenURL: "Open this URL in your browser to authenticate:\n\n",
|
||||
WaitingAuth: "Waiting for user authorization...",
|
||||
AgentTimeoutHint: "[AI agent] This command blocks for up to ~10 minutes while waiting for the user to authorize in their browser. Make sure your runner's timeout is >= 600s. If your harness or agent tool only delivers final turn messages, use \"lark-cli auth login --no-wait --json\" to get device_code and verification_url, present verification_url to the user exactly as the final message of this turn, then end the turn; after the user replies that they authorized, run \"lark-cli auth login --device-code <code>\" in a later step to resume polling. **Do NOT show the URL and then immediately block on --device-code in the same turn**, and do not retry with a short timeout; each restart invalidates the previous device code and makes the earlier authorization URL useless.**MUST generate QR code AND display it:** You MUST call lark-cli auth qrcode to convert verification_url into a QR code. This is a required step, do NOT skip it. Prefer PNG QR code (--output); use ASCII (--ascii) only when the user explicitly requests it.**CRITICAL: You MUST include the QR image in your response.** Generating the file alone is NOT enough—use image tags, inline images, or file attachments to display it.**Display order:** Output the URL first, then place the QR code image below the URL.**URL Output Rules:** Treat verification_url as an opaque string that cannot be modified. Do NOT URL-encode/decode or add spaces/punctuation.",
|
||||
@@ -107,13 +49,6 @@ var loginMsgEn = &loginMsg{
|
||||
NewlyGrantedScopes: " Newly granted scopes: %s\n",
|
||||
NoScopes: "(none)",
|
||||
StatusHint: "Run `lark-cli auth status` to inspect all scopes currently granted to the account.",
|
||||
|
||||
HintHeader: "Please specify the scopes to authorize:\n",
|
||||
HintCommon1: " --recommend authorize recommended scopes",
|
||||
HintCommon2: " --domain all authorize all known domain scopes",
|
||||
HintCommon3: " --domain calendar,task authorize calendar and task scopes",
|
||||
HintCommon4: " --domain calendar --recommend authorize calendar recommended scopes",
|
||||
HintFooter: " lark-cli auth login --help",
|
||||
}
|
||||
|
||||
// getLoginMsg returns the login message bundle for the given language.
|
||||
@@ -123,10 +58,3 @@ func getLoginMsg(lang i18n.Lang) *loginMsg {
|
||||
}
|
||||
return loginMsgZh
|
||||
}
|
||||
|
||||
// getShortcutOnlyDomainNames returns domain names that exist only as shortcuts
|
||||
// (not backed by from_meta service specs). Descriptions are now centralized in
|
||||
// service_descriptions.json.
|
||||
func getShortcutOnlyDomainNames() []string {
|
||||
return []string{"base", "contact", "docs", "markdown", "apps", "note"}
|
||||
}
|
||||
|
||||
@@ -17,8 +17,8 @@ func TestGetLoginMsg_Zh(t *testing.T) {
|
||||
if msg != loginMsgZh {
|
||||
t.Error("expected zh message set")
|
||||
}
|
||||
if msg.SelectDomains != "选择要授权的业务域" {
|
||||
t.Errorf("unexpected SelectDomains: %s", msg.SelectDomains)
|
||||
if msg.OpenURL != "在浏览器中打开以下链接进行认证:\n\n" {
|
||||
t.Errorf("unexpected OpenURL: %s", msg.OpenURL)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -27,8 +27,8 @@ func TestGetLoginMsg_En(t *testing.T) {
|
||||
if msg != loginMsgEn {
|
||||
t.Error("expected en message set")
|
||||
}
|
||||
if msg.SelectDomains != "Select domains to authorize" {
|
||||
t.Errorf("unexpected SelectDomains: %s", msg.SelectDomains)
|
||||
if msg.OpenURL != "Open this URL in your browser to authenticate:\n\n" {
|
||||
t.Errorf("unexpected OpenURL: %s", msg.OpenURL)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -77,24 +77,6 @@ func TestLoginMsg_FormatStrings(t *testing.T) {
|
||||
if got == msg.AuthorizedUser {
|
||||
t.Errorf("%s AuthorizedUser has no format verb", lang)
|
||||
}
|
||||
|
||||
// SummaryDomains should contain %s
|
||||
got = fmt.Sprintf(msg.SummaryDomains, "calendar, task")
|
||||
if got == msg.SummaryDomains {
|
||||
t.Errorf("%s SummaryDomains has no format verb", lang)
|
||||
}
|
||||
|
||||
// SummaryPerm should contain %s
|
||||
got = fmt.Sprintf(msg.SummaryPerm, "all")
|
||||
if got == msg.SummaryPerm {
|
||||
t.Errorf("%s SummaryPerm has no format verb", lang)
|
||||
}
|
||||
|
||||
// SummaryScopes should contain %d and %s
|
||||
got = fmt.Sprintf(msg.SummaryScopes, 5, "a, b, c")
|
||||
if got == msg.SummaryScopes {
|
||||
t.Errorf("%s SummaryScopes has no format verb", lang)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -140,13 +140,15 @@ func writeLoginScopeBreakdown(errOut *cmdutil.IOStreams, msg *loginMsg, summary
|
||||
}
|
||||
|
||||
// writeLoginSuccess emits the successful login payload in either JSON or text
|
||||
// format together with the computed scope breakdown.
|
||||
func writeLoginSuccess(opts *LoginOptions, msg *loginMsg, f *cmdutil.Factory, openId, userName string, summary *loginScopeSummary) {
|
||||
// format together with the computed scope breakdown. statusMessage is the
|
||||
// authorization response's status_message text (e.g. pending-approval),
|
||||
// passed through verbatim into the JSON payload; text mode does not render it.
|
||||
func writeLoginSuccess(opts *LoginOptions, msg *loginMsg, f *cmdutil.Factory, openId, userName string, summary *loginScopeSummary, statusMessage string) {
|
||||
if summary == nil {
|
||||
summary = &loginScopeSummary{}
|
||||
}
|
||||
if opts.JSON {
|
||||
b, _ := json.Marshal(authorizationCompletePayload(openId, userName, summary, nil))
|
||||
b, _ := json.Marshal(authorizationCompletePayload(openId, userName, summary, nil, statusMessage))
|
||||
fmt.Fprintln(f.IOStreams.Out, string(b))
|
||||
return
|
||||
}
|
||||
@@ -161,14 +163,17 @@ func writeLoginSuccess(opts *LoginOptions, msg *loginMsg, f *cmdutil.Factory, op
|
||||
|
||||
// handleLoginScopeIssue prints or returns a structured missing-scope result
|
||||
// while preserving a successful login outcome when authorization completed.
|
||||
func handleLoginScopeIssue(opts *LoginOptions, msg *loginMsg, f *cmdutil.Factory, issue *loginScopeIssue, openId, userName string) error {
|
||||
// statusMessage is the authorization response's status_message text, passed
|
||||
// through into the JSON payload when authorization actually succeeded
|
||||
// (partial grant); it is unused on the failed-login path.
|
||||
func handleLoginScopeIssue(opts *LoginOptions, msg *loginMsg, f *cmdutil.Factory, issue *loginScopeIssue, openId, userName, statusMessage string) error {
|
||||
if issue == nil {
|
||||
return nil
|
||||
}
|
||||
loginSucceeded := openId != ""
|
||||
if opts.JSON {
|
||||
if loginSucceeded {
|
||||
b, _ := json.Marshal(authorizationCompletePayload(openId, userName, issue.Summary, issue))
|
||||
b, _ := json.Marshal(authorizationCompletePayload(openId, userName, issue.Summary, issue, statusMessage))
|
||||
fmt.Fprintln(f.IOStreams.Out, string(b))
|
||||
return output.ErrBare(output.ExitAuth)
|
||||
}
|
||||
@@ -198,7 +203,13 @@ func handleLoginScopeIssue(opts *LoginOptions, msg *loginMsg, f *cmdutil.Factory
|
||||
|
||||
// authorizationCompletePayload builds the JSON payload for a completed login,
|
||||
// optionally attaching a warning when requested scopes are missing.
|
||||
func authorizationCompletePayload(openId, userName string, summary *loginScopeSummary, issue *loginScopeIssue) map[string]interface{} {
|
||||
// statusMessage is the authorization response's status_message text (e.g.
|
||||
// "user hasn't chosen yet" / "tenant doesn't allow this" / "pending
|
||||
// approval"), passed through verbatim — the CLI does not parse, classify, or
|
||||
// truncate it. The key is always present; an empty string means
|
||||
// the upstream response carried no message, matching the stable-shape
|
||||
// convention used by the other summary fields above.
|
||||
func authorizationCompletePayload(openId, userName string, summary *loginScopeSummary, issue *loginScopeIssue, statusMessage string) map[string]interface{} {
|
||||
if summary == nil {
|
||||
summary = &loginScopeSummary{}
|
||||
}
|
||||
@@ -212,6 +223,7 @@ func authorizationCompletePayload(openId, userName string, summary *loginScopeSu
|
||||
"already_granted": emptyIfNil(summary.AlreadyGranted),
|
||||
"missing": emptyIfNil(summary.Missing),
|
||||
"granted": emptyIfNil(summary.Granted),
|
||||
"status_message": statusMessage,
|
||||
}
|
||||
if issue != nil {
|
||||
payload["warning"] = map[string]interface{}{
|
||||
|
||||
@@ -40,6 +40,7 @@ func TestHandleLoginScopeIssue_FailedJSON_PreservesScopeTriple(t *testing.T) {
|
||||
},
|
||||
"", // openId empty -> loginSucceeded = false
|
||||
"tester",
|
||||
"", // statusMessage unused on the failed-login path
|
||||
)
|
||||
|
||||
if err == nil {
|
||||
@@ -59,3 +60,24 @@ func TestHandleLoginScopeIssue_FailedJSON_PreservesScopeTriple(t *testing.T) {
|
||||
t.Errorf("MissingScopes = %v, want %v", permErr.MissingScopes, missing)
|
||||
}
|
||||
}
|
||||
|
||||
// TestAuthorizationCompletePayload_StatusMessage asserts that the
|
||||
// authorization response's status_message text is passed through into the
|
||||
// JSON payload verbatim (CLI does not parse/classify/truncate it), and
|
||||
// that the field is always present, using an empty string when there is no
|
||||
// message, consistent with the stable-output-shape convention already used
|
||||
// by "scope" and the other summary fields.
|
||||
func TestAuthorizationCompletePayload_StatusMessage(t *testing.T) {
|
||||
summary := &loginScopeSummary{Granted: []string{"a:b:c"}}
|
||||
|
||||
p := authorizationCompletePayload("ou_x", "u", summary, nil, "审批中,请等待管理员处理")
|
||||
if p["status_message"] != "审批中,请等待管理员处理" {
|
||||
t.Fatalf("status_message = %v", p["status_message"])
|
||||
}
|
||||
|
||||
// No message from upstream -> stable empty string, not an absent key.
|
||||
p2 := authorizationCompletePayload("ou_x", "u", summary, nil, "")
|
||||
if p2["status_message"] != "" {
|
||||
t.Fatalf("empty status_message should be \"\", got %v", p2["status_message"])
|
||||
}
|
||||
}
|
||||
|
||||
@@ -9,7 +9,7 @@ import (
|
||||
"errors"
|
||||
"io"
|
||||
"net/http"
|
||||
"slices"
|
||||
"reflect"
|
||||
"sort"
|
||||
"strings"
|
||||
"testing"
|
||||
@@ -202,25 +202,6 @@ func TestSortedKnownDomains(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestGetShortcutOnlyDomainNames_HaveDescriptions(t *testing.T) {
|
||||
for _, name := range getShortcutOnlyDomainNames() {
|
||||
zhDesc := registry.GetServiceDescription(name, "zh")
|
||||
enDesc := registry.GetServiceDescription(name, "en")
|
||||
if zhDesc == "" {
|
||||
t.Errorf("missing zh description for shortcut-only domain %q", name)
|
||||
}
|
||||
if enDesc == "" {
|
||||
t.Errorf("missing en description for shortcut-only domain %q", name)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestGetShortcutOnlyDomainNames_IncludesNote(t *testing.T) {
|
||||
if !slices.Contains(getShortcutOnlyDomainNames(), "note") {
|
||||
t.Fatal("shortcut-only domains must include note so auth login can select vc:note:read")
|
||||
}
|
||||
}
|
||||
|
||||
func TestCollectScopesForDomains(t *testing.T) {
|
||||
projects := registry.ListFromMetaProjects()
|
||||
if len(projects) == 0 {
|
||||
@@ -260,75 +241,82 @@ func TestCollectScopesForDomains_NonexistentDomain(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestGetDomainMetadata_IncludesFromMeta(t *testing.T) {
|
||||
domains := getDomainMetadata("zh")
|
||||
nameSet := make(map[string]bool)
|
||||
for _, dm := range domains {
|
||||
nameSet[dm.Name] = true
|
||||
func TestResolveScopesForDomains_RemoteUsed(t *testing.T) {
|
||||
remote := map[string][]string{
|
||||
"im": {"im:message:send", "im:chat:read"},
|
||||
"docs": {"docs:doc:read"},
|
||||
}
|
||||
|
||||
// from_meta projects must be present
|
||||
for _, p := range registry.ListFromMetaProjects() {
|
||||
if !nameSet[p] {
|
||||
t.Errorf("from_meta project %q missing from getDomainMetadata", p)
|
||||
}
|
||||
got := resolveScopesForDomains([]string{"im"}, remote, true, core.BrandFeishu)
|
||||
want := []string{"im:chat:read", "im:message:send"} // deduped, ascending by sort.Strings
|
||||
if !reflect.DeepEqual(got, want) {
|
||||
t.Fatalf("got %v, want %v", got, want)
|
||||
}
|
||||
}
|
||||
|
||||
func TestGetDomainMetadata_IncludesShortcutOnlyDomains(t *testing.T) {
|
||||
domains := getDomainMetadata("zh")
|
||||
nameSet := make(map[string]bool)
|
||||
for _, dm := range domains {
|
||||
nameSet[dm.Name] = true
|
||||
func TestResolveScopesForDomains_UnionAcrossDomains(t *testing.T) {
|
||||
remote := map[string][]string{
|
||||
"im": {"im:message:send"},
|
||||
"docs": {"docs:doc:read"},
|
||||
}
|
||||
|
||||
for _, name := range getShortcutOnlyDomainNames() {
|
||||
if !nameSet[name] {
|
||||
t.Errorf("shortcut-only domain %q missing from getDomainMetadata", name)
|
||||
}
|
||||
got := resolveScopesForDomains([]string{"im", "docs"}, remote, true, core.BrandFeishu)
|
||||
want := []string{"docs:doc:read", "im:message:send"}
|
||||
if !reflect.DeepEqual(got, want) {
|
||||
t.Fatalf("got %v, want %v", got, want)
|
||||
}
|
||||
}
|
||||
|
||||
func TestGetDomainMetadata_Sorted(t *testing.T) {
|
||||
domains := getDomainMetadata("zh")
|
||||
for i := 1; i < len(domains); i++ {
|
||||
if domains[i].Name < domains[i-1].Name {
|
||||
t.Errorf("not sorted: %q before %q", domains[i-1].Name, domains[i].Name)
|
||||
}
|
||||
func TestResolveScopesForDomains_FallbackToLocal(t *testing.T) {
|
||||
// remoteOK=false -> falls back to local collectScopesForDomains; im must yield non-empty local scopes
|
||||
got := resolveScopesForDomains([]string{"im"}, nil, false, core.BrandFeishu)
|
||||
if len(got) == 0 {
|
||||
t.Fatal("fallback should return non-empty local scopes for im")
|
||||
}
|
||||
}
|
||||
|
||||
func TestGetDomainMetadata_HasTitleAndDescription(t *testing.T) {
|
||||
domains := getDomainMetadata("zh")
|
||||
for _, dm := range domains {
|
||||
if dm.Title == "" {
|
||||
t.Errorf("domain %q has empty Title", dm.Name)
|
||||
func TestLegalDomainsFor_RemoteUsed(t *testing.T) {
|
||||
// includes "newbiz", a domain unknown to this CLI build, verifying a remote-listed domain is still legal
|
||||
remote := map[string][]string{
|
||||
"im": {"im:message:send"},
|
||||
"docs": {"docs:doc:read"},
|
||||
"newbiz": {"newbiz:thing:read"},
|
||||
}
|
||||
set, sorted := legalDomainsFor(remote, true, core.BrandFeishu)
|
||||
wantSorted := []string{"docs", "im", "newbiz"} // remote keys, ascending by sort.Strings
|
||||
if !reflect.DeepEqual(sorted, wantSorted) {
|
||||
t.Fatalf("sorted = %v, want %v", sorted, wantSorted)
|
||||
}
|
||||
if len(set) != len(wantSorted) {
|
||||
t.Fatalf("set size = %d, want %d", len(set), len(wantSorted))
|
||||
}
|
||||
for _, d := range wantSorted {
|
||||
if !set[d] {
|
||||
t.Errorf("set missing domain %q", d)
|
||||
}
|
||||
}
|
||||
if !set["newbiz"] {
|
||||
t.Error("remote-listed domain unknown to this build should still be legal")
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuthLoginRun_NonTerminal_NoFlags_RejectsWithHint(t *testing.T) {
|
||||
f, _, stderr, _ := cmdutil.TestFactory(t, &core.CliConfig{
|
||||
AppID: "cli_test", AppSecret: "secret", Brand: core.BrandFeishu,
|
||||
})
|
||||
// TestFactory has IsTerminal=false by default
|
||||
opts := &LoginOptions{Factory: f, Ctx: context.Background()}
|
||||
err := authLoginRun(opts)
|
||||
if err == nil {
|
||||
t.Fatal("expected error for non-terminal without flags")
|
||||
func TestLegalDomainsFor_FallbackToLocal(t *testing.T) {
|
||||
// remoteOK=false -> falls back to local allKnownDomains/sortedKnownDomains
|
||||
set, sorted := legalDomainsFor(nil, false, core.BrandFeishu)
|
||||
if len(sorted) == 0 {
|
||||
t.Fatal("fallback should return non-empty local domain slice")
|
||||
}
|
||||
// Should mention specifying scopes
|
||||
msg := err.Error()
|
||||
if !strings.Contains(msg, "scopes") {
|
||||
t.Errorf("expected error to mention scopes, got: %s", msg)
|
||||
// set and sorted are two views of the same local domain set and must correspond
|
||||
if len(set) != len(sorted) {
|
||||
t.Fatalf("set size %d != sorted size %d", len(set), len(sorted))
|
||||
}
|
||||
// Stderr should explain the split-flow path for non-streaming agents.
|
||||
stderrStr := stderr.String()
|
||||
for _, want := range []string{"--no-wait --json", "final message of the turn", "--device-code"} {
|
||||
if !strings.Contains(stderrStr, want) {
|
||||
t.Errorf("expected stderr to mention %q, got: %s", want, stderrStr)
|
||||
for _, d := range sorted {
|
||||
if !set[d] {
|
||||
t.Errorf("set missing local domain %q", d)
|
||||
}
|
||||
}
|
||||
// fallback adopts the local sort order directly, which must equal sortedKnownDomains
|
||||
if want := sortedKnownDomains(core.BrandFeishu); !reflect.DeepEqual(sorted, want) {
|
||||
t.Fatalf("sorted = %v, want sortedKnownDomains %v", sorted, want)
|
||||
}
|
||||
}
|
||||
|
||||
func TestEnsureRequestedScopesGranted(t *testing.T) {
|
||||
@@ -376,7 +364,7 @@ func TestWriteLoginSuccess_JSONIncludesScopeDiff(t *testing.T) {
|
||||
NewlyGranted: []string{"im:message:send"},
|
||||
AlreadyGranted: []string{"im:message:reply"},
|
||||
Granted: []string{"im:message:send", "im:message:reply"},
|
||||
})
|
||||
}, "")
|
||||
|
||||
var data map[string]interface{}
|
||||
if err := json.Unmarshal(stdout.Bytes(), &data); err != nil {
|
||||
@@ -406,7 +394,7 @@ func TestHandleLoginScopeIssue_NonJSONAlignsWithLoginSuccess(t *testing.T) {
|
||||
Missing: []string{"im:message:send"},
|
||||
Granted: []string{"base:app:copy"},
|
||||
},
|
||||
}, "ou_user", "tester")
|
||||
}, "ou_user", "tester", "")
|
||||
if err == nil {
|
||||
t.Fatal("expected error, got nil")
|
||||
}
|
||||
@@ -448,7 +436,7 @@ func TestHandleLoginScopeIssue_JSONAlignsWithLoginSuccess(t *testing.T) {
|
||||
Missing: []string{"im:message:send"},
|
||||
Granted: []string{"base:app:copy"},
|
||||
},
|
||||
}, "ou_user", "tester")
|
||||
}, "ou_user", "tester", "")
|
||||
if err == nil {
|
||||
t.Fatal("expected error, got nil")
|
||||
}
|
||||
@@ -480,7 +468,7 @@ func TestWriteLoginSuccess_JSONEmptySlicesNotNull(t *testing.T) {
|
||||
|
||||
writeLoginSuccess(&LoginOptions{JSON: true}, getLoginMsg("en"), f, "ou_user", "tester", &loginScopeSummary{
|
||||
Granted: []string{"offline_access"},
|
||||
})
|
||||
}, "")
|
||||
|
||||
var data map[string]interface{}
|
||||
if err := json.Unmarshal(stdout.Bytes(), &data); err != nil {
|
||||
@@ -565,7 +553,7 @@ func TestWriteLoginSuccess_TextOutputScenarios(t *testing.T) {
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
f, _, stderr, _ := cmdutil.TestFactory(t, nil)
|
||||
writeLoginSuccess(&LoginOptions{}, getLoginMsg("zh"), f, "ou_user", "tester", tt.summary)
|
||||
writeLoginSuccess(&LoginOptions{}, getLoginMsg("zh"), f, "ou_user", "tester", tt.summary, "")
|
||||
|
||||
got := stderr.String()
|
||||
for _, want := range tt.expectedPresent {
|
||||
@@ -819,7 +807,7 @@ func TestWriteLoginSuccess_TextOutputEnglishIncludesStatusHintWhenNoMissingScope
|
||||
Requested: []string{"im:message:send"},
|
||||
NewlyGranted: []string{"im:message:send"},
|
||||
Granted: []string{"im:message:send"},
|
||||
})
|
||||
}, "")
|
||||
|
||||
got := stderr.String()
|
||||
for _, want := range []string{
|
||||
@@ -1167,15 +1155,6 @@ func TestAuthLoginRun_JSONDeviceAuthorizationAgentHintIncludesRawURLGuidance(t *
|
||||
}
|
||||
}
|
||||
|
||||
func TestGetDomainMetadata_ExcludesEvent(t *testing.T) {
|
||||
domains := getDomainMetadata("zh")
|
||||
for _, dm := range domains {
|
||||
if dm.Name == "event" {
|
||||
t.Error("event should not appear in interactive domain list")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestAllKnownDomains_ExcludesAuthDomainChildren(t *testing.T) {
|
||||
domains := allKnownDomains("")
|
||||
if domains["whiteboard"] {
|
||||
@@ -1200,12 +1179,3 @@ func TestCollectScopesForDomains_ExpandsAuthDomainChildren(t *testing.T) {
|
||||
t.Error("collectScopesForDomains([docs]) should include whiteboard scopes (board:whiteboard:*)")
|
||||
}
|
||||
}
|
||||
|
||||
func TestGetDomainMetadata_ExcludesAuthDomainChildren(t *testing.T) {
|
||||
domains := getDomainMetadata("zh")
|
||||
for _, dm := range domains {
|
||||
if dm.Name == "whiteboard" {
|
||||
t.Error("whiteboard should not appear in interactive domain list (has auth_domain=docs)")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -34,6 +34,7 @@ type DeviceFlowTokenData struct {
|
||||
ExpiresIn int
|
||||
RefreshExpiresIn int
|
||||
Scope string
|
||||
StatusMessage string // authorization result text from the response's status_message (e.g. pending-approval); passed through verbatim, not parsed
|
||||
}
|
||||
|
||||
// DeviceFlowResult is the result of polling the token endpoint.
|
||||
@@ -222,6 +223,7 @@ func PollDeviceToken(ctx context.Context, httpClient *http.Client, appId, appSec
|
||||
ExpiresIn: tokenExpiresIn,
|
||||
RefreshExpiresIn: refreshExpiresIn,
|
||||
Scope: getStr(data, "scope"),
|
||||
StatusMessage: getStr(data, "status_message"),
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
@@ -216,3 +216,34 @@ func TestPollDeviceToken_DefaultsZeroIntervalToFiveSeconds(t *testing.T) {
|
||||
t.Fatalf("PollDeviceToken() sent %d requests before context cancellation, want 0", got)
|
||||
}
|
||||
}
|
||||
|
||||
// TestPollDeviceToken_SuccessIncludesStatusMessage asserts that the success
|
||||
// branch reads the token response's status_message field verbatim into
|
||||
// DeviceFlowTokenData.StatusMessage. The CLI is a pure passthrough here — no
|
||||
// parsing/classification of the text.
|
||||
func TestPollDeviceToken_SuccessIncludesStatusMessage(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
reg := &httpmock.Registry{}
|
||||
t.Cleanup(func() { reg.Verify(t) })
|
||||
reg.Register(&httpmock.Stub{
|
||||
Method: "POST",
|
||||
URL: PathOAuthTokenV2,
|
||||
Body: map[string]interface{}{
|
||||
"access_token": "test-token",
|
||||
"refresh_token": "test-token",
|
||||
"expires_in": 7200,
|
||||
"refresh_token_expires_in": 604800,
|
||||
"scope": "a:b:c",
|
||||
"status_message": "审批中,请等待管理员处理",
|
||||
},
|
||||
})
|
||||
|
||||
result := PollDeviceToken(context.Background(), httpmock.NewClient(reg), "cli_a", "secret_b", core.BrandFeishu, "device-code", 1, 10, nil)
|
||||
if result == nil || !result.OK || result.Token == nil {
|
||||
t.Fatalf("PollDeviceToken() = %+v, want OK with a token", result)
|
||||
}
|
||||
if result.Token.StatusMessage != "审批中,请等待管理员处理" {
|
||||
t.Fatalf("StatusMessage = %q, want the approval-pending text", result.Token.StatusMessage)
|
||||
}
|
||||
}
|
||||
|
||||
107
internal/auth/remote_scopes.go
Normal file
107
internal/auth/remote_scopes.go
Normal file
@@ -0,0 +1,107 @@
|
||||
// Copyright (c) 2026 Lark Technologies Pte. Ltd.
|
||||
// SPDX-License-Identifier: MIT
|
||||
|
||||
package auth
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"io"
|
||||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/larksuite/cli/internal/core"
|
||||
"github.com/larksuite/cli/internal/transport"
|
||||
)
|
||||
|
||||
const (
|
||||
remoteScopesPath = "/lark-cli/apis/scopes.json"
|
||||
remoteScopesTimeout = 1 * time.Second
|
||||
maxRemoteScopesSize = 10 * 1024 * 1024 // 10MB, aligned with internal/registry/remote.go
|
||||
)
|
||||
|
||||
// remoteScopesURLForTest is the injection seam for unit tests to point at an
|
||||
// httptest server. It is empty at runtime, where the brand-hardcoded production
|
||||
// URL is used, and must never carry an internal / non-production domain.
|
||||
var remoteScopesURLForTest string
|
||||
|
||||
type remoteScopesFile struct {
|
||||
Scopes map[string]remoteDomainScopes `json:"scopes"`
|
||||
}
|
||||
|
||||
type remoteDomainScopes struct {
|
||||
UserScopes []string `json:"user_scopes"`
|
||||
TenantScopes []string `json:"tenant_scopes"`
|
||||
}
|
||||
|
||||
func remoteScopesURL(brand core.LarkBrand) string {
|
||||
if remoteScopesURLForTest != "" {
|
||||
return remoteScopesURLForTest
|
||||
}
|
||||
return core.ResolveOpenBaseURL(brand) + remoteScopesPath
|
||||
}
|
||||
|
||||
// FetchRemoteScopes fetches and binary-validates the remote scopes.json.
|
||||
// It returns (domain -> user_scopes, true) when the whole file is usable, or
|
||||
// (nil, false) when the caller should fall back to the local set. Any failure
|
||||
// (network / timeout / non-2xx / empty / bad JSON / structure mismatch /
|
||||
// malformed scope) returns (nil, false) silently — no warning, no telemetry.
|
||||
func FetchRemoteScopes(brand core.LarkBrand) (map[string][]string, bool) {
|
||||
client := transport.NewHTTPClient(remoteScopesTimeout)
|
||||
req, err := http.NewRequest(http.MethodGet, remoteScopesURL(brand), nil)
|
||||
if err != nil {
|
||||
return nil, false
|
||||
}
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return nil, false
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
if resp.StatusCode < 200 || resp.StatusCode >= 300 {
|
||||
return nil, false
|
||||
}
|
||||
body, err := io.ReadAll(io.LimitReader(resp.Body, maxRemoteScopesSize))
|
||||
if err != nil || len(body) == 0 {
|
||||
return nil, false
|
||||
}
|
||||
var file remoteScopesFile
|
||||
if err := json.Unmarshal(body, &file); err != nil {
|
||||
return nil, false
|
||||
}
|
||||
return validateRemoteScopes(file)
|
||||
}
|
||||
|
||||
func validateRemoteScopes(file remoteScopesFile) (map[string][]string, bool) {
|
||||
if len(file.Scopes) == 0 {
|
||||
return nil, false
|
||||
}
|
||||
result := make(map[string][]string, len(file.Scopes))
|
||||
for domain, ds := range file.Scopes {
|
||||
if ds.UserScopes == nil { // missing user_scopes field / null → whole file untrusted
|
||||
return nil, false
|
||||
}
|
||||
for _, s := range ds.UserScopes {
|
||||
if !isValidScopeFormat(s) {
|
||||
return nil, false
|
||||
}
|
||||
}
|
||||
result[domain] = ds.UserScopes
|
||||
}
|
||||
return result, true
|
||||
}
|
||||
|
||||
// isValidScopeFormat checks the service:resource:action shape: exactly three
|
||||
// ":"-separated segments, each non-empty. The resource segment may contain "."
|
||||
// (e.g. vc:meeting.meetingevent:read). i18n / tenant / version are not checked.
|
||||
func isValidScopeFormat(s string) bool {
|
||||
parts := strings.Split(s, ":")
|
||||
if len(parts) != 3 {
|
||||
return false
|
||||
}
|
||||
for _, p := range parts {
|
||||
if p == "" {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
100
internal/auth/remote_scopes_test.go
Normal file
100
internal/auth/remote_scopes_test.go
Normal file
@@ -0,0 +1,100 @@
|
||||
// Copyright (c) 2026 Lark Technologies Pte. Ltd.
|
||||
// SPDX-License-Identifier: MIT
|
||||
|
||||
package auth
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/larksuite/cli/internal/core"
|
||||
)
|
||||
|
||||
func withRemoteScopesURL(t *testing.T, url string) {
|
||||
t.Helper()
|
||||
prev := remoteScopesURLForTest
|
||||
remoteScopesURLForTest = url
|
||||
t.Cleanup(func() { remoteScopesURLForTest = prev })
|
||||
}
|
||||
|
||||
func TestFetchRemoteScopes(t *testing.T) {
|
||||
cases := []struct {
|
||||
name string
|
||||
status int
|
||||
body string
|
||||
wantOK bool
|
||||
wantDom string
|
||||
wantLen int
|
||||
}{
|
||||
{
|
||||
name: "whole usable returns all user_scopes incl unknown domain",
|
||||
status: 200,
|
||||
body: `{"version":"1.5.3","scopes":{"bitable":{"i18n_name":{"zh_cn":"多维表格"},"user_scopes":["base:app:copy","base:app:create"],"tenant_scopes":["base:app:copy"]},"brandnewdomain":{"user_scopes":["newsvc:res:read"]}}}`,
|
||||
wantOK: true,
|
||||
wantDom: "brandnewdomain",
|
||||
wantLen: 1,
|
||||
},
|
||||
{name: "missing scopes key falls back", status: 200, body: `{"version":"1"}`, wantOK: false},
|
||||
{name: "empty scopes falls back", status: 200, body: `{"scopes":{}}`, wantOK: false},
|
||||
{name: "domain missing user_scopes falls back", status: 200, body: `{"scopes":{"im":{"i18n_name":{"zh_cn":"消息"}}}}`, wantOK: false},
|
||||
{name: "malformed scope falls back", status: 200, body: `{"scopes":{"im":{"user_scopes":["im:message"]}}}`, wantOK: false},
|
||||
{name: "non-2xx falls back", status: 500, body: `{"scopes":{"im":{"user_scopes":["im:message:send"]}}}`, wantOK: false},
|
||||
{name: "empty body falls back", status: 200, body: ``, wantOK: false},
|
||||
{name: "bad json falls back", status: 200, body: `{not json`, wantOK: false},
|
||||
{name: "i18n/tenant missing still usable", status: 200, body: `{"scopes":{"im":{"user_scopes":["im:message:send_as_bot","vc:meeting.meetingevent:read"]}}}`, wantOK: true, wantDom: "im", wantLen: 2},
|
||||
{name: "empty user_scopes array is usable", status: 200, body: `{"scopes":{"im":{"user_scopes":[]}}}`, wantOK: true, wantDom: "im", wantLen: 0},
|
||||
}
|
||||
for _, tc := range cases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(tc.status)
|
||||
_, _ = w.Write([]byte(tc.body))
|
||||
}))
|
||||
t.Cleanup(srv.Close)
|
||||
withRemoteScopesURL(t, srv.URL)
|
||||
|
||||
got, ok := FetchRemoteScopes(core.BrandFeishu)
|
||||
if ok != tc.wantOK {
|
||||
t.Fatalf("ok = %v, want %v", ok, tc.wantOK)
|
||||
}
|
||||
if tc.wantOK {
|
||||
if _, exists := got[tc.wantDom]; !exists {
|
||||
t.Fatalf("domain %q missing in result %v", tc.wantDom, got)
|
||||
}
|
||||
if len(got[tc.wantDom]) != tc.wantLen {
|
||||
t.Fatalf("len(%s) = %d, want %d", tc.wantDom, len(got[tc.wantDom]), tc.wantLen)
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestFetchRemoteScopesTimeoutFallsBack(t *testing.T) {
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
time.Sleep(remoteScopesTimeout + 500*time.Millisecond)
|
||||
_, _ = w.Write([]byte(`{"scopes":{"im":{"user_scopes":["im:message:send"]}}}`))
|
||||
}))
|
||||
t.Cleanup(srv.Close)
|
||||
withRemoteScopesURL(t, srv.URL)
|
||||
|
||||
_, ok := FetchRemoteScopes(core.BrandFeishu)
|
||||
if ok {
|
||||
t.Fatal("expected fallback (ok=false) on timeout")
|
||||
}
|
||||
}
|
||||
|
||||
func TestRemoteScopesURLByBrand(t *testing.T) {
|
||||
// With an empty seam the production URL is used: core.ResolveOpenBaseURL(brand) + path
|
||||
remoteScopesURLForTest = ""
|
||||
feishu := remoteScopesURL(core.BrandFeishu)
|
||||
lark := remoteScopesURL(core.BrandLark)
|
||||
if !strings.HasSuffix(feishu, "/lark-cli/apis/scopes.json") || !strings.Contains(feishu, "open.feishu.cn") {
|
||||
t.Fatalf("feishu url unexpected: %s", feishu)
|
||||
}
|
||||
if !strings.Contains(lark, "open.larksuite.com") {
|
||||
t.Fatalf("lark url unexpected: %s", lark)
|
||||
}
|
||||
}
|
||||
@@ -165,9 +165,6 @@ const DefaultScopeScore = 0
|
||||
|
||||
var cachedScopePriorities map[string]int
|
||||
var cachedAutoApproveSet map[string]bool
|
||||
var cachedPlatformAutoApprove map[string]bool // from scope_priorities.json only
|
||||
var cachedOverrideAutoAllow map[string]bool // from scope_overrides.json allow only
|
||||
var cachedOverrideAutoDeny map[string]bool // from scope_overrides.json deny only
|
||||
|
||||
// scopePriorityEntry is used to parse scope_priorities.json entries.
|
||||
type scopePriorityEntry struct {
|
||||
@@ -264,90 +261,6 @@ func LoadAutoApproveSet() map[string]bool {
|
||||
return cachedAutoApproveSet
|
||||
}
|
||||
|
||||
// LoadPlatformAutoApproveSet returns scopes with AutoApprove rule on the platform
|
||||
// (from scope_priorities.json only, before overrides).
|
||||
func LoadPlatformAutoApproveSet() map[string]bool {
|
||||
if cachedPlatformAutoApprove != nil {
|
||||
return cachedPlatformAutoApprove
|
||||
}
|
||||
m := make(map[string]bool)
|
||||
if data, err := registryFS.ReadFile("scope_priorities.json"); err == nil {
|
||||
var entries []scopePriorityEntry
|
||||
if json.Unmarshal(data, &entries) == nil {
|
||||
for _, entry := range entries {
|
||||
if entry.Recommend == "true" {
|
||||
m[entry.ScopeName] = true
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
cachedPlatformAutoApprove = m
|
||||
return cachedPlatformAutoApprove
|
||||
}
|
||||
|
||||
// LoadOverrideAutoApproveAllow returns scopes explicitly listed in
|
||||
// scope_overrides.json recommend.allow (our desired additions).
|
||||
func LoadOverrideAutoApproveAllow() map[string]bool {
|
||||
if cachedOverrideAutoAllow != nil {
|
||||
return cachedOverrideAutoAllow
|
||||
}
|
||||
m := make(map[string]bool)
|
||||
if data, err := registryFS.ReadFile("scope_overrides.json"); err == nil {
|
||||
var wrapper struct {
|
||||
AutoApprove struct {
|
||||
Allow []string `json:"allow"`
|
||||
} `json:"recommend"`
|
||||
}
|
||||
if json.Unmarshal(data, &wrapper) == nil {
|
||||
for _, s := range wrapper.AutoApprove.Allow {
|
||||
m[s] = true
|
||||
}
|
||||
}
|
||||
}
|
||||
cachedOverrideAutoAllow = m
|
||||
return cachedOverrideAutoAllow
|
||||
}
|
||||
|
||||
// LoadOverrideAutoApproveDeny returns scopes explicitly listed in
|
||||
// scope_overrides.json recommend.deny
|
||||
func LoadOverrideAutoApproveDeny() map[string]bool {
|
||||
if cachedOverrideAutoDeny != nil {
|
||||
return cachedOverrideAutoDeny
|
||||
}
|
||||
m := make(map[string]bool)
|
||||
if data, err := registryFS.ReadFile("scope_overrides.json"); err == nil {
|
||||
var wrapper struct {
|
||||
AutoApprove struct {
|
||||
Deny []string `json:"deny"`
|
||||
} `json:"recommend"`
|
||||
}
|
||||
if json.Unmarshal(data, &wrapper) == nil {
|
||||
for _, s := range wrapper.AutoApprove.Deny {
|
||||
m[s] = true
|
||||
}
|
||||
}
|
||||
}
|
||||
cachedOverrideAutoDeny = m
|
||||
return cachedOverrideAutoDeny
|
||||
}
|
||||
|
||||
// IsAutoApproveScope returns true if the scope has AutoApprove rule.
|
||||
func IsAutoApproveScope(scope string) bool {
|
||||
return LoadAutoApproveSet()[scope]
|
||||
}
|
||||
|
||||
// FilterAutoApproveScopes filters a scope list to only include auto-approve scopes.
|
||||
func FilterAutoApproveScopes(scopes []string) []string {
|
||||
autoApprove := LoadAutoApproveSet()
|
||||
var result []string
|
||||
for _, s := range scopes {
|
||||
if autoApprove[s] {
|
||||
result = append(result, s)
|
||||
}
|
||||
}
|
||||
return result
|
||||
}
|
||||
|
||||
// GetScopeScore returns the priority score for a scope, or DefaultScopeScore if not found.
|
||||
func GetScopeScore(scope string) int {
|
||||
priorities := LoadScopePriorities()
|
||||
|
||||
@@ -235,83 +235,6 @@ func TestLoadAutoApproveSet(t *testing.T) {
|
||||
t.Logf("Auto-approve set has %d scopes", len(aaSet))
|
||||
}
|
||||
|
||||
func TestLoadPlatformAutoApproveSet(t *testing.T) {
|
||||
paaSet := LoadPlatformAutoApproveSet()
|
||||
// This should only include scopes from scope_priorities.json with AutoApprove rule.
|
||||
// It does NOT apply deny overrides.
|
||||
if len(paaSet) == 0 {
|
||||
t.Fatal("expected non-empty platform auto-approve set")
|
||||
}
|
||||
|
||||
t.Logf("Platform auto-approve set has %d scopes", len(paaSet))
|
||||
}
|
||||
|
||||
func TestLoadOverrideAutoApproveAllow(t *testing.T) {
|
||||
allowSet := LoadOverrideAutoApproveAllow()
|
||||
// recommend.allow in scope_overrides.json is intentionally empty:
|
||||
// no scopes are special-cased into the auto-approve set anymore.
|
||||
if len(allowSet) != 0 {
|
||||
t.Errorf("expected empty override allow set, got %d entries", len(allowSet))
|
||||
}
|
||||
}
|
||||
|
||||
func TestLoadOverrideAutoApproveDeny(t *testing.T) {
|
||||
denySet := LoadOverrideAutoApproveDeny()
|
||||
// deny list may be empty if all entries are moved to _deny (commented out)
|
||||
t.Logf("Override deny set has %d scopes", len(denySet))
|
||||
}
|
||||
|
||||
func TestIsAutoApproveScope(t *testing.T) {
|
||||
// Known auto-approve scope (recommend=true in scope_priorities.json)
|
||||
if !IsAutoApproveScope("sheets:spreadsheet:read") {
|
||||
t.Error("expected sheets:spreadsheet:read to be auto-approve")
|
||||
}
|
||||
|
||||
// Completely unknown scope
|
||||
if IsAutoApproveScope("zzz:unknown:scope") {
|
||||
t.Error("expected unknown scope to NOT be auto-approve")
|
||||
}
|
||||
}
|
||||
|
||||
func TestFilterAutoApproveScopes(t *testing.T) {
|
||||
scopes := []string{
|
||||
"sheets:spreadsheet:read", // auto-approve (recommend=true in priorities)
|
||||
"zzz:unknown:scope", // not in auto-approve
|
||||
}
|
||||
|
||||
result := FilterAutoApproveScopes(scopes)
|
||||
if len(result) < 1 {
|
||||
t.Fatal("expected at least 1 auto-approve scope in result")
|
||||
}
|
||||
|
||||
// Check that sheets:spreadsheet:read is included
|
||||
found := false
|
||||
for _, s := range result {
|
||||
if s == "sheets:spreadsheet:read" {
|
||||
found = true
|
||||
}
|
||||
// Ensure unknown scopes are not included
|
||||
if s == "zzz:unknown:scope" {
|
||||
t.Error("unknown scope should not be in auto-approve result")
|
||||
}
|
||||
}
|
||||
if !found {
|
||||
t.Error("expected sheets:spreadsheet:read in result")
|
||||
}
|
||||
}
|
||||
|
||||
func TestFilterAutoApproveScopes_Empty(t *testing.T) {
|
||||
result := FilterAutoApproveScopes(nil)
|
||||
if result != nil {
|
||||
t.Errorf("expected nil, got %v", result)
|
||||
}
|
||||
|
||||
result = FilterAutoApproveScopes([]string{})
|
||||
if result != nil {
|
||||
t.Errorf("expected nil for empty input, got %v", result)
|
||||
}
|
||||
}
|
||||
|
||||
// --- Helper functions ---
|
||||
|
||||
func TestGetRegistryDir(t *testing.T) {
|
||||
|
||||
@@ -40,9 +40,6 @@ func resetInit() {
|
||||
cachedAllScopes = nil
|
||||
cachedScopePriorities = nil
|
||||
cachedAutoApproveSet = nil
|
||||
cachedPlatformAutoApprove = nil
|
||||
cachedOverrideAutoAllow = nil
|
||||
cachedOverrideAutoDeny = nil
|
||||
refreshOnce = sync.Once{}
|
||||
configuredBrand = ""
|
||||
enableRemoteMeta = true // tests exercise remote logic
|
||||
|
||||
@@ -58,26 +58,6 @@ func GetServiceDescription(name, lang string) string {
|
||||
return loc.Description
|
||||
}
|
||||
|
||||
// GetServiceTitle returns the localized title for a service domain.
|
||||
// Returns empty string if not found.
|
||||
func GetServiceTitle(name, lang string) string {
|
||||
loc := getServiceLocale(name, lang)
|
||||
if loc == nil {
|
||||
return ""
|
||||
}
|
||||
return loc.Title
|
||||
}
|
||||
|
||||
// GetServiceDetailDescription returns the localized detail description for a service domain.
|
||||
// Returns empty string if not found.
|
||||
func GetServiceDetailDescription(name, lang string) string {
|
||||
loc := getServiceLocale(name, lang)
|
||||
if loc == nil {
|
||||
return ""
|
||||
}
|
||||
return loc.Description
|
||||
}
|
||||
|
||||
// GetAuthDomain returns the auth_domain for a service, or "" if not set.
|
||||
// When auth_domain is set, the service's scopes are collected under the
|
||||
// parent domain during auth login.
|
||||
|
||||
Reference in New Issue
Block a user