Login via oauth2 flow

2025-09-04 19:08:29 +02:00 · 2025-02-27 22:46:02 -05:00
parent 9888ca69b2
commit d7d45f5ca5
7 changed files with 647 additions and 2 deletions
--- a/cmd/login/add.go
+++ b/cmd/login/add.go
@ -4,6 +4,7 @@
 package login

 import (
+	"code.gitea.io/tea/modules/auth"
 	"code.gitea.io/tea/modules/interact"
 	"code.gitea.io/tea/modules/task"

@ -89,6 +90,19 @@ var CmdLoginAdd = cli.Command{
 			Aliases: []string{"j"},
 			Usage:   "Add helper",
 		},
+		&cli.BoolFlag{
+			Name:    "oauth",
+			Aliases: []string{"o"},
+			Usage:   "Use interactive OAuth2 flow for authentication",
+		},
+		&cli.StringFlag{
+			Name:  "client-id",
+			Usage: "OAuth client ID (for use with --oauth)",
+		},
+		&cli.StringFlag{
+			Name:  "redirect-url",
+			Usage: "OAuth redirect URL (for use with --oauth)",
+		},
 	},
 	Action: runLoginAdd,
 }
@ -99,6 +113,27 @@ func runLoginAdd(ctx *cli.Context) error {
 		return interact.CreateLogin()
 	}

+	// if OAuth flag is provided, use OAuth2 PKCE flow
+	if ctx.Bool("oauth") {
+		opts := auth.OAuthOptions{
+			Name:     ctx.String("name"),
+			URL:      ctx.String("url"),
+			Insecure: ctx.Bool("insecure"),
+		}
+
+		// Only set clientID if provided
+		if ctx.String("client-id") != "" {
+			opts.ClientID = ctx.String("client-id")
+		}
+
+		// Only set redirect URL if provided
+		if ctx.String("redirect-url") != "" {
+			opts.RedirectURL = ctx.String("redirect-url")
+		}
+
+		return auth.OAuthLoginWithFullOptions(opts)
+	}
+
 	sshAgent := false
 	if ctx.String("ssh-agent-key") != "" || ctx.String("ssh-agent-principal") != "" {
 		sshAgent = true
--- a/cmd/login/oauth_refresh.go
+++ b/cmd/login/oauth_refresh.go
@ -0,0 +1,58 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package login
+
+import (
+	"fmt"
+
+	"code.gitea.io/tea/modules/auth"
+	"code.gitea.io/tea/modules/config"
+
+	"github.com/urfave/cli/v2"
+)
+
+// CmdLoginOAuthRefresh represents a command to refresh an OAuth token
+var CmdLoginOAuthRefresh = cli.Command{
+	Name:        "oauth-refresh",
+	Usage:       "Refresh an OAuth token",
+	Description: "Manually refresh an expired OAuth token. Usually only used when troubleshooting authentication.",
+	ArgsUsage:   "[<login name>]",
+	Action:      runLoginOAuthRefresh,
+}
+
+func runLoginOAuthRefresh(ctx *cli.Context) error {
+	var loginName string
+
+	// Get login name from args or use default
+	if ctx.Args().Len() > 0 {
+		loginName = ctx.Args().First()
+	} else {
+		// Get default login
+		login, err := config.GetDefaultLogin()
+		if err != nil {
+			return fmt.Errorf("no login specified and no default login found: %s", err)
+		}
+		loginName = login.Name
+	}
+
+	// Get the login from config
+	login := config.GetLoginByName(loginName)
+	if login == nil {
+		return fmt.Errorf("login '%s' not found", loginName)
+	}
+
+	// Check if the login has a refresh token
+	if login.RefreshToken == "" {
+		return fmt.Errorf("login '%s' does not have a refresh token. It may have been created using a different authentication method", loginName)
+	}
+
+	// Refresh the token
+	err := auth.RefreshAccessToken(login)
+	if err != nil {
+		return fmt.Errorf("failed to refresh token: %s", err)
+	}
+
+	fmt.Printf("Successfully refreshed OAuth token for %s\n", loginName)
+	return nil
+}