Files
larksuite-cli/internal/auth/token_store.go
JackZhao10086 b5b23fe82a feat: implement authentication response logging (#235)
* feat(auth): add response logging and centralize path constants

* refactor(auth): improve response logging and error handling

* fix(auth): ensure log cleanup runs only once per process

Add flag to track if cleanup has run and prevent duplicate executions
Add test to verify cleanup only runs once

* refactor(auth): simplify log writer and cleanup logic

* docs(auth): add comments to auth paths and logging functions

* style(auth): fix indentation in path constants

* docs(auth): add missing function comments across auth package

* docs(tests): add descriptive comments to auth test functions

* test(auth): rename test case and cleanup unused params

* fix(auth): handle file close error in auth response logging

* fix(auth): ensure log cleanup runs only once

* refactor(auth): replace custom log writer with standard logger

* feat(auth): add structured logging for keychain errors

* fix(auth): remove goroutine from auth log cleanup to prevent race condition

* fix(auth): remove goroutine from auth log cleanup to prevent race condition

* refactor(auth): move auth logging logic to keychain package
2026-04-03 15:40:30 +08:00

80 lines
2.2 KiB
Go

// Copyright (c) 2026 Lark Technologies Pte. Ltd.
// SPDX-License-Identifier: MIT
package auth
import (
"encoding/json"
"fmt"
"time"
"github.com/larksuite/cli/internal/keychain"
)
// StoredUAToken represents a stored user access token.
type StoredUAToken struct {
UserOpenId string `json:"userOpenId"`
AppId string `json:"appId"`
AccessToken string `json:"accessToken"`
RefreshToken string `json:"refreshToken"`
ExpiresAt int64 `json:"expiresAt"` // Unix ms
RefreshExpiresAt int64 `json:"refreshExpiresAt"` // Unix ms
Scope string `json:"scope"`
GrantedAt int64 `json:"grantedAt"` // Unix ms
}
const refreshAheadMs = 5 * 60 * 1000 // 5 minutes
// accountKey generates a unique key for an account based on its AppID and UserOpenID.
func accountKey(appId, userOpenId string) string {
return fmt.Sprintf("%s:%s", appId, userOpenId)
}
// MaskToken masks a token for safe logging.
func MaskToken(token string) string {
if len(token) <= 8 {
return "****"
}
return "****" + token[len(token)-4:]
}
// GetStoredToken reads the stored UAT for a given (appId, userOpenId) pair.
func GetStoredToken(appId, userOpenId string) *StoredUAToken {
jsonStr, err := keychain.Get(keychain.LarkCliService, accountKey(appId, userOpenId))
if err != nil || jsonStr == "" {
return nil
}
var token StoredUAToken
if err := json.Unmarshal([]byte(jsonStr), &token); err != nil {
return nil
}
return &token
}
// SetStoredToken persists a UAT.
func SetStoredToken(token *StoredUAToken) error {
key := accountKey(token.AppId, token.UserOpenId)
data, err := json.Marshal(token)
if err != nil {
return err
}
return keychain.Set(keychain.LarkCliService, key, string(data))
}
// RemoveStoredToken removes a stored UAT.
func RemoveStoredToken(appId, userOpenId string) error {
return keychain.Remove(keychain.LarkCliService, accountKey(appId, userOpenId))
}
// TokenStatus determines the freshness of a stored token.
func TokenStatus(token *StoredUAToken) string {
now := time.Now().UnixMilli()
if now < token.ExpiresAt-refreshAheadMs {
return "valid"
}
if now < token.RefreshExpiresAt {
return "needs_refresh"
}
return "expired"
}