mirror of
https://github.com/larksuite/cli.git
synced 2026-07-03 14:02:43 +08:00
Every failure on the authentication, authorization, and configuration
path now surfaces as a typed structured error instead of an ad-hoc
envelope. Users and scripts that consume CLI output get:
- a fixed nine-category taxonomy on the wire, each mapped to a
stable shell exit code (authentication/authorization/config = 3,
network = 4, internal = 5, policy = 6, confirmation = 10)
- identity-aware detail fields (missing_scopes, requested_scopes,
granted_scopes, console_url, log_id, retryable, hint) carried
uniformly on the envelope
- a single canonical policy envelope at exit 6; the legacy
auth_error carve-out is retired
- per-subtype canonical message + hint that preserves Lark's
diagnostic phrasing and routes recovery to the right actor:
app developer (app_scope_not_applied), user (missing_scope,
token_scope_insufficient, user_unauthorized), or tenant admin
(app_unavailable, app_disabled)
- wrong app credentials classify as config/invalid_client whether
surfaced by the Open API endpoint (99991543) or the tenant
access-token mint endpoint (10003 / 10014), instead of
collapsing to a transport error or api/unknown
- local shortcut scope preflight emits the same
authorization/missing_scope envelope (identity + deterministic
missing-scope set) used by the post-call permission path, so AI
consumers read the same structured shape from precheck and from
server-returned permission denial
- streaming download/upload failures keep the same network subtype
split (timeout / TLS / DNS / transport) as the non-stream path
instead of collapsing every cause to a generic transport failure
- console_url is carried only on the bot-perspective
app_scope_not_applied envelope (where the recovery action is
"developer applies the scope at the developer console"); the
user-perspective missing_scope envelope drops the field, since
the only actionable user recovery is `lark-cli auth login --scope`
and pointing an end user at a console they cannot modify is
misleading
- bind workflows (Hermes / OpenClaw / lark-channel) flatten dynamic
Type tags to wire 'config' with the original module name kept
as a metric label
All 10 typed errors are cause-bearing, nil-safe on .Error() and
.Unwrap(), and defensively clone slice setter inputs. Four lint
rules (CheckNilSafeError / CheckBuilderImmutable / CheckUnwrapSymmetry
/ CheckBuildAPIErrorArms) lock these invariants on migrated paths.
143 lines
4.4 KiB
Go
143 lines
4.4 KiB
Go
// Copyright (c) 2026 Lark Technologies Pte. Ltd.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package auth
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
|
|
"github.com/skip2/go-qrcode"
|
|
"github.com/spf13/cobra"
|
|
|
|
"github.com/larksuite/cli/errs"
|
|
"github.com/larksuite/cli/internal/cmdutil"
|
|
"github.com/larksuite/cli/internal/validate"
|
|
"github.com/larksuite/cli/internal/vfs"
|
|
)
|
|
|
|
// QRCodeOptions holds inputs for auth qrcode command.
|
|
type QRCodeOptions struct {
|
|
Factory *cmdutil.Factory
|
|
Ctx context.Context
|
|
URL string
|
|
Size int
|
|
ASCII bool
|
|
Output string
|
|
}
|
|
|
|
// NewCmdAuthQRCode creates the auth qrcode subcommand.
|
|
func NewCmdAuthQRCode(f *cmdutil.Factory, runF func(*QRCodeOptions) error) *cobra.Command {
|
|
opts := &QRCodeOptions{Factory: f, Size: 256}
|
|
|
|
cmd := &cobra.Command{
|
|
Use: "qrcode <url>",
|
|
Short: "Generate QR code for verification URL",
|
|
Long: `Generate a QR code image or ASCII representation for a verification URL.
|
|
|
|
This command is designed for AI agents to generate QR codes for OAuth authorization URLs.
|
|
|
|
For PNG output, the --output flag is required to specify the output file path (must be a relative path within the current directory).
|
|
For ASCII output, the result is printed to stdout with fixed size.`,
|
|
Args: cobra.ExactArgs(1),
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
opts.URL = args[0]
|
|
opts.Ctx = cmd.Context()
|
|
if runF != nil {
|
|
return runF(opts)
|
|
}
|
|
return runQRCode(opts)
|
|
},
|
|
}
|
|
|
|
cmd.Flags().IntVar(&opts.Size, "size", 256, "Size of the QR code image in pixels (default: 256, for PNG mode only)")
|
|
cmd.Flags().BoolVar(&opts.ASCII, "ascii", false, "Output ASCII QR code to stdout")
|
|
cmd.Flags().StringVarP(&opts.Output, "output", "o", "", "Output file path for PNG image (relative path within current directory, required for non-ASCII mode)")
|
|
|
|
return cmd
|
|
}
|
|
|
|
// runQRCode executes the auth qrcode command.
|
|
func runQRCode(opts *QRCodeOptions) error {
|
|
if opts.URL == "" {
|
|
return errs.NewValidationError(errs.SubtypeInvalidArgument, "url is required").WithParam("--url")
|
|
}
|
|
|
|
if opts.ASCII {
|
|
var out io.Writer = os.Stdout
|
|
if opts.Factory != nil {
|
|
out = opts.Factory.IOStreams.Out
|
|
}
|
|
return generateASCIIQRCode(opts.URL, out)
|
|
}
|
|
|
|
if opts.Output == "" {
|
|
return errs.NewValidationError(errs.SubtypeInvalidArgument, "output file path is required for PNG mode. Use --output or -o flag to specify the output file path.").WithParam("--output")
|
|
}
|
|
|
|
if opts.Size < 32 {
|
|
return errs.NewValidationError(errs.SubtypeInvalidArgument, "size must be at least 32, got %d", opts.Size).WithParam("--size")
|
|
}
|
|
|
|
if opts.Size > 1024 {
|
|
return errs.NewValidationError(errs.SubtypeInvalidArgument, "size must be at most 1024, got %d", opts.Size).WithParam("--size")
|
|
}
|
|
|
|
safePath, err := validate.SafeOutputPath(opts.Output)
|
|
if err != nil {
|
|
return errs.NewValidationError(errs.SubtypeInvalidArgument, "unsafe output path: %s", err).WithParam("--output").WithCause(err)
|
|
}
|
|
|
|
if err := generateImageQRCode(opts.URL, opts.Size, safePath); err != nil {
|
|
return err
|
|
}
|
|
|
|
result := map[string]interface{}{
|
|
"ok": true,
|
|
"file_path": safePath,
|
|
"hint": "You MUST include the QR image in your response. Generating the file alone is NOT enough—use image tags, inline images, or file attachments to display it.",
|
|
}
|
|
|
|
var out io.Writer = os.Stdout
|
|
if opts.Factory != nil {
|
|
out = opts.Factory.IOStreams.Out
|
|
}
|
|
encoder := json.NewEncoder(out)
|
|
encoder.SetEscapeHTML(false)
|
|
if err := encoder.Encode(result); err != nil {
|
|
return errs.NewInternalError(errs.SubtypeSDKError, "failed to write output: %v", err).WithCause(err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// generateImageQRCode encodes the URL as a PNG QR code and writes it to outputPath.
|
|
func generateImageQRCode(url string, size int, outputPath string) error {
|
|
png, err := qrcode.Encode(url, qrcode.Medium, size)
|
|
if err != nil {
|
|
return errs.NewInternalError(errs.SubtypeSDKError, "failed to encode QR code: %v", err).WithCause(err)
|
|
}
|
|
|
|
err = vfs.WriteFile(outputPath, png, 0644)
|
|
if err != nil {
|
|
return errs.NewInternalError(errs.SubtypeSDKError, "failed to write QR code to %s: %v", outputPath, err).WithCause(err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// generateASCIIQRCode encodes the URL as an ASCII QR code and prints it to stdout.
|
|
func generateASCIIQRCode(url string, w io.Writer) error {
|
|
q, err := qrcode.New(url, qrcode.Medium)
|
|
if err != nil {
|
|
return errs.NewInternalError(errs.SubtypeSDKError, "failed to create QR code: %v", err).WithCause(err)
|
|
}
|
|
|
|
fmt.Fprint(w, q.ToSmallString(false))
|
|
|
|
return nil
|
|
}
|