Add device flow authentication (#18)

Author: carole-lavillonniere

internal/api/client.go

@@ -0,0 +1,175 @@
+package api
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"time"
+)
+
+type PlatformAPI interface {
+	CreateAuthRequest(ctx context.Context) (*AuthRequest, error)
+	CheckAuthRequestConfirmed(ctx context.Context, id, exchangeToken string) (bool, error)
+	ExchangeAuthRequest(ctx context.Context, id, exchangeToken string) (string, error)
+	GetLicenseToken(ctx context.Context, bearerToken string) (string, error)
+}
+
+type AuthRequest struct {
+	ID            string `json:"id"`
+	Code          string `json:"code"`
+	ExchangeToken string `json:"exchange_token"`
+}
+
+type authRequestStatus struct {
+	Confirmed bool `json:"confirmed"`
+}
+
+type authTokenResponse struct {
+	ID        string `json:"id"`
+	AuthToken string `json:"auth_token"`
+}
+
+type licenseTokenResponse struct {
+	Token string `json:"token"`
+}
+
+type PlatformClient struct {
+	baseURL    string
+	httpClient *http.Client
+}
+
+func NewPlatformClient() *PlatformClient {
+	baseURL := os.Getenv("LOCALSTACK_API_ENDPOINT")
+	if baseURL == "" {
+		baseURL = "https://api.localstack.cloud"
+	}
+	return &PlatformClient{
+		baseURL:    baseURL,
+		httpClient: &http.Client{Timeout: 30 * time.Second},
+	}
+}
+
+func (c *PlatformClient) CreateAuthRequest(ctx context.Context) (*AuthRequest, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.baseURL+"/v1/auth/request", nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create auth request: %w", err)
+	}
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			log.Printf("failed to close response body: %v", err)
+		}
+	}()
+
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
+		return nil, fmt.Errorf("failed to create auth request: status %d", resp.StatusCode)
+	}
+
+	var authReq AuthRequest
+	if err := json.NewDecoder(resp.Body).Decode(&authReq); err != nil {
+		return nil, fmt.Errorf("failed to decode response: %w", err)
+	}
+
+	return &authReq, nil
+}
+
+func (c *PlatformClient) CheckAuthRequestConfirmed(ctx context.Context, id, exchangeToken string) (bool, error) {
+	url := fmt.Sprintf("%s/v1/auth/request/%s?exchange_token=%s", c.baseURL, id, exchangeToken)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return false, fmt.Errorf("failed to create request: %w", err)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return false, fmt.Errorf("failed to check auth request: %w", err)
+	}
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			log.Printf("failed to close response body: %v", err)
+		}
+	}()
+
+	if resp.StatusCode != http.StatusOK {
+		return false, fmt.Errorf("failed to check auth request: status %d", resp.StatusCode)
+	}
+
+	var status authRequestStatus
+	if err := json.NewDecoder(resp.Body).Decode(&status); err != nil {
+		return false, fmt.Errorf("failed to decode response: %w", err)
+	}
+
+	return status.Confirmed, nil
+}
+
+func (c *PlatformClient) ExchangeAuthRequest(ctx context.Context, id, exchangeToken string) (string, error) {
+	url := fmt.Sprintf("%s/v1/auth/request/%s/exchange", c.baseURL, id)
+	body, err := json.Marshal(map[string]string{"exchange_token": exchangeToken})
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal request: %w", err)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
+	if err != nil {
+		return "", fmt.Errorf("failed to create request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("failed to exchange auth request: %w", err)
+	}
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			log.Printf("failed to close response body: %v", err)
+		}
+	}()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("failed to exchange auth request: status %d", resp.StatusCode)
+	}
+
+	var tokenResp authTokenResponse
+	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
+		return "", fmt.Errorf("failed to decode response: %w", err)
+	}
+
+	return tokenResp.AuthToken, nil
+}
+
+func (c *PlatformClient) GetLicenseToken(ctx context.Context, bearerToken string) (string, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.baseURL+"/v1/license/credentials", nil)
+	if err != nil {
+		return "", fmt.Errorf("failed to create request: %w", err)
+	}
+	req.Header.Set("Authorization", bearerToken)
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("failed to get license token: %w", err)
+	}
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			log.Printf("failed to close response body: %v", err)
+		}
+	}()
+
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusAccepted {
+		return "", fmt.Errorf("failed to get license token: status %d", resp.StatusCode)
+	}
+
+	var tokenResp licenseTokenResponse
+	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
+		return "", fmt.Errorf("failed to decode response: %w", err)
+	}
+
+	return tokenResp.Token, nil
+}

internal/auth/auth.go

@@ -17,7 +17,7 @@ type Auth struct {
 func New() *Auth {
 	return &Auth{
 		keyring:      systemKeyring{},
-		browserLogin: browserLogin{},
+		browserLogin: newBrowserLogin(),
 	}
 }
 

internal/auth/login.go

@@ -3,32 +3,40 @@ package auth
 //go:generate mockgen -source=login.go -destination=mock_login_test.go -package=auth
 
 import (
+	"bufio"
 	"context"
 	"fmt"
 	"log"
 	"net"
 	"net/http"
 	"os"
 
+	"github.com/localstack/lstk/internal/api"
 	"github.com/pkg/browser"
 )
 
+const webAppURL = "https://app.localstack.cloud"
+const loginCallbackURL = "127.0.0.1:45678"
+
 type LoginProvider interface {
 	Login(ctx context.Context) (string, error)
 }
 
-type browserLogin struct{}
+type browserLogin struct {
+	platformClient api.PlatformAPI
+}
+
+func newBrowserLogin() *browserLogin {
+	return &browserLogin{
+		platformClient: api.NewPlatformClient(),
+	}
+}
 
-func (browserLogin) Login(ctx context.Context) (string, error) {
-	listener, err := net.Listen("tcp", "127.0.0.1:45678")
+func startCallbackServer() (*http.Server, chan string, chan error, error) {
+	listener, err := net.Listen("tcp", loginCallbackURL)
 	if err != nil {
-		return "", fmt.Errorf("failed to start callback server: %w", err)
+		return nil, nil, nil, fmt.Errorf("failed to start callback server: %w", err)
 	}
-	defer func() {
-		if err := listener.Close(); err != nil {
-			log.Printf("failed to close listener: %v", err)
-		}
-	}()
 
 	tokenCh := make(chan string, 1)
 	errCh := make(chan error, 1)
@@ -44,28 +52,67 @@ func (browserLogin) Login(ctx context.Context) (string, error) {
 		w.WriteHeader(http.StatusOK)
 		tokenCh <- token
 	})
+
 	server := &http.Server{Handler: mux}
 	go func() {
 		if err := server.Serve(listener); err != nil && err != http.ErrServerClosed {
 			errCh <- fmt.Errorf("callback server error: %w", err)
 		}
 	}()
+
+	return server, tokenCh, errCh, nil
+}
+
+func (b *browserLogin) Login(ctx context.Context) (string, error) {
+	server, tokenCh, errCh, err := startCallbackServer()
+	if err != nil {
+		return "", err
+	}
 	defer func() {
 		if err := server.Shutdown(ctx); err != nil {
 			log.Printf("failed to shutdown server: %v", err)
 		}
 	}()
 
+	enterCh := make(chan struct{}, 1)
+
+	// Device flow as fallback
+	authReq, err := b.platformClient.CreateAuthRequest(ctx)
+	if err != nil {
+		return "", fmt.Errorf("failed to create auth request: %w", err)
+	}
+
+	deviceURL := fmt.Sprintf("%s/auth/request/%s", getWebAppURL(), authReq.ID)
+
+	// Try to open browser
 	loginURL := fmt.Sprintf("%s/redirect?name=CLI", getWebAppURL())
-	if err := browser.OpenURL(loginURL); err != nil {
-		log.Printf("Could not open browser. Please visit: %s", loginURL)
+	browserOpened := browser.OpenURL(loginURL) == nil
+
+	// Display device flow instructions
+	if browserOpened {
+		fmt.Printf("Browser didn't open? Open %s to authorize device.\n", deviceURL)
+	} else {
+		fmt.Printf("Open %s to authorize device.\n", deviceURL)
 	}
+	fmt.Printf("Verification code: %s\n", authReq.Code)
+	fmt.Println("Waiting for authentication... (Press ENTER when complete)")
 
+	// Listen for ENTER key in background
+	go func() {
+		reader := bufio.NewReader(os.Stdin)
+		_, _ = reader.ReadString('\n')
+		enterCh <- struct{}{}
+	}()
+
+	// Wait for either browser callback, ENTER key, or context cancellation
 	select {
 	case token := <-tokenCh:
 		return token, nil
 	case err := <-errCh:
 		return "", err
+	case <-enterCh:
+		// User pressed ENTER, try device flow
+		return b.completeDeviceFlow(ctx, authReq)
 	case <-ctx.Done():
 		return "", ctx.Err()
 	}
@@ -76,5 +123,30 @@ func getWebAppURL() string {
 	if url := os.Getenv("LOCALSTACK_WEB_APP_URL"); url != "" {
 		return url
 	}
-	return "https://app.localstack.cloud"
+	return webAppURL
+}
+
+func (b *browserLogin) completeDeviceFlow(ctx context.Context, authReq *api.AuthRequest) (string, error) {
+	log.Println("Checking if auth request is confirmed...")
+	confirmed, err := b.platformClient.CheckAuthRequestConfirmed(ctx, authReq.ID, authReq.ExchangeToken)
+	if err != nil {
+		return "", fmt.Errorf("failed to check auth request: %w", err)
+	}
+	if !confirmed {
+		return "", fmt.Errorf("auth request not confirmed - please enter the code in the browser first")
+	}
+	log.Println("Auth request confirmed, exchanging for token...")
+
+	bearerToken, err := b.platformClient.ExchangeAuthRequest(ctx, authReq.ID, authReq.ExchangeToken)
+	if err != nil {
+		return "", fmt.Errorf("failed to exchange auth request: %w", err)
+	}
+
+	log.Println("Fetching license token...")
+	licenseToken, err := b.platformClient.GetLicenseToken(ctx, bearerToken)
+	if err != nil {
+		return "", fmt.Errorf("failed to get license token: %w", err)
+	}
+
+	return licenseToken, nil
 }

test/integration/login_browser_flow_test.go

@@ -0,0 +1,56 @@
+package integration_test
+
+import (
+	"context"
+	"net/http"
+	"os/exec"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/zalando/go-keyring"
+)
+
+func TestBrowserFlowStoresToken(t *testing.T) {
+	requireDocker(t)
+	cleanup()
+	t.Cleanup(cleanup)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+	defer cancel()
+
+	cmd := exec.CommandContext(ctx, binaryPath(), "start")
+	cmd.Env = envWithoutAuthToken()
+
+	// Keep stdin open so ENTER listener doesn't trigger immediately
+	stdinPipe, err := cmd.StdinPipe()
+	require.NoError(t, err)
+	defer stdinPipe.Close()
+
+	// Capture output asynchronously
+	output := make(chan []byte)
+	go func() {
+		out, _ := cmd.CombinedOutput()
+		output <- out
+	}()
+
+	// Wait for callback server to be ready
+	time.Sleep(1 * time.Second)
+
+	// Simulate browser callback with mock token
+	resp, err := http.Get("http://127.0.0.1:45678/auth/success?token=mock-token")
+	require.NoError(t, err)
+	require.NoError(t, resp.Body.Close())
+
+	out := <-output
+
+	// Login should succeed, but container will fail with invalid token
+	assert.Contains(t, string(out), "Login successful")
+	assert.Contains(t, string(out), "License activation failed")
+
+	// Verify token was stored in keyring
+	storedToken, err := keyring.Get(keyringService, keyringUser)
+	require.NoError(t, err, "token should be stored in keyring")
+	assert.Equal(t, "mock-token", storedToken)
+}