feat(api): add Session.DoJSON for authenticated custom API requests

major0 · major0 · commit f308caeb9149 · 2026-04-13T15:19:05.000-07:00
Add DoJSON method to Session that executes authenticated JSON requests
against the Proton API using the session's UID, access token, and
cookie jar. Uses net/http directly to avoid coupling to go-proton-api
internals.

Add APIError type for structured Proton API error responses containing
HTTP status code, API error code, and message.

Rename share info command to share show.

Assisted-by: Kiro &lt;noreply@kiro.dev&gt;
diff --git a/api/dojson_test.go b/api/dojson_test.go
@@ -0,0 +1,218 @@
+package api
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/cookiejar"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/ProtonMail/go-proton-api"
+)
+
+// testSession creates a minimal Session pointing at the given test server.
+// It overrides proton.DefaultHostURL for the duration of the test.
+func testSession(t *testing.T, serverURL string) *Session {
+	t.Helper()
+	jar, _ := cookiejar.New(nil)
+	return &Session{
+		Auth: proton.Auth{
+			UID:         "test-uid-123",
+			AccessToken: "test-token-abc",
+		},
+		cookieJar: jar,
+	}
+}
+
+func TestDoJSON_SuccessGet(t *testing.T) {
+	type payload struct {
+		Name string `json:"Name"`
+		ID   int    `json:"ID"`
+	}
+
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodGet {
+			t.Fatalf("expected GET, got %s", r.Method)
+		}
+		if r.Header.Get("x-pm-uid") != "test-uid-123" {
+			t.Fatalf("missing x-pm-uid header")
+		}
+		if r.Header.Get("Authorization") != "Bearer test-token-abc" {
+			t.Fatalf("missing Authorization header")
+		}
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(map[string]any{
+			"Code": 1000,
+			"Name": "test-share",
+			"ID":   42,
+		})
+	}))
+	defer srv.Close()
+
+	s := testSession(t, srv.URL)
+	var result payload
+	err := s.DoJSON(context.Background(), "GET", srv.URL+"/test", nil, &result)
+	if err != nil {
+		t.Fatalf("DoJSON GET: %v", err)
+	}
+	if result.Name != "test-share" || result.ID != 42 {
+		t.Fatalf("unexpected result: %+v", result)
+	}
+}
+
+func TestDoJSON_SuccessPost(t *testing.T) {
+	type reqBody struct {
+		Email string `json:"Email"`
+	}
+
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			t.Fatalf("expected POST, got %s", r.Method)
+		}
+		if r.Header.Get("Content-Type") != "application/json" {
+			t.Fatalf("missing Content-Type header")
+		}
+		body, _ := io.ReadAll(r.Body)
+		var req reqBody
+		if err := json.Unmarshal(body, &req); err != nil {
+			t.Fatalf("unmarshal request body: %v", err)
+		}
+		if req.Email != "user@example.com" {
+			t.Fatalf("unexpected email: %s", req.Email)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(map[string]any{"Code": 1000})
+	}))
+	defer srv.Close()
+
+	s := testSession(t, srv.URL)
+	err := s.DoJSON(context.Background(), "POST", srv.URL+"/invite", reqBody{Email: "user@example.com"}, nil)
+	if err != nil {
+		t.Fatalf("DoJSON POST: %v", err)
+	}
+}
+
+func TestDoJSON_APIError(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusUnprocessableEntity)
+		json.NewEncoder(w).Encode(map[string]any{
+			"Code":  2011,
+			"Error": "Share not found",
+		})
+	}))
+	defer srv.Close()
+
+	s := testSession(t, srv.URL)
+	err := s.DoJSON(context.Background(), "GET", srv.URL+"/test", nil, nil)
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+
+	apiErr, ok := err.(*APIError)
+	if !ok {
+		t.Fatalf("expected *APIError, got %T: %v", err, err)
+	}
+	if apiErr.Status != http.StatusUnprocessableEntity {
+		t.Fatalf("expected status 422, got %d", apiErr.Status)
+	}
+	if apiErr.Code != 2011 {
+		t.Fatalf("expected code 2011, got %d", apiErr.Code)
+	}
+	if apiErr.Message != "Share not found" {
+		t.Fatalf("expected message 'Share not found', got %q", apiErr.Message)
+	}
+}
+
+func TestDoJSON_AuthHeaders(t *testing.T) {
+	var gotUID, gotAuth string
+
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		gotUID = r.Header.Get("x-pm-uid")
+		gotAuth = r.Header.Get("Authorization")
+		json.NewEncoder(w).Encode(map[string]any{"Code": 1000})
+	}))
+	defer srv.Close()
+
+	s := testSession(t, srv.URL)
+	_ = s.DoJSON(context.Background(), "GET", srv.URL+"/test", nil, nil)
+
+	if gotUID != "test-uid-123" {
+		t.Fatalf("x-pm-uid = %q, want %q", gotUID, "test-uid-123")
+	}
+	if gotAuth != "Bearer test-token-abc" {
+		t.Fatalf("Authorization = %q, want %q", gotAuth, "Bearer test-token-abc")
+	}
+}
+
+func TestDoJSON_CookiesAttached(t *testing.T) {
+	// First request sets a cookie, second request should send it back.
+	var gotCookie string
+
+	callCount := 0
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		callCount++
+		if callCount == 1 {
+			http.SetCookie(w, &http.Cookie{Name: "Session-Id", Value: "abc123", Path: "/"})
+		} else {
+			c, err := r.Cookie("Session-Id")
+			if err != nil {
+				gotCookie = ""
+			} else {
+				gotCookie = c.Value
+			}
+		}
+		json.NewEncoder(w).Encode(map[string]any{"Code": 1000})
+	}))
+	defer srv.Close()
+
+	s := testSession(t, srv.URL)
+
+	// First call — server sets cookie.
+	_ = s.DoJSON(context.Background(), "GET", srv.URL+"/first", nil, nil)
+	// Second call — cookie should be sent.
+	_ = s.DoJSON(context.Background(), "GET", srv.URL+"/second", nil, nil)
+
+	if gotCookie != "abc123" {
+		t.Fatalf("cookie not attached on second request: got %q", gotCookie)
+	}
+}
+
+func TestDoJSON_NilBody(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Body != nil {
+			body, _ := io.ReadAll(r.Body)
+			if len(body) > 0 {
+				t.Fatalf("expected empty body for GET, got %d bytes", len(body))
+			}
+		}
+		if r.Header.Get("Content-Type") != "" {
+			t.Fatalf("Content-Type should not be set for nil body, got %q", r.Header.Get("Content-Type"))
+		}
+		json.NewEncoder(w).Encode(map[string]any{"Code": 1000})
+	}))
+	defer srv.Close()
+
+	s := testSession(t, srv.URL)
+	err := s.DoJSON(context.Background(), "GET", srv.URL+"/test", nil, nil)
+	if err != nil {
+		t.Fatalf("DoJSON: %v", err)
+	}
+}
+
+func TestDoJSON_Delete(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodDelete {
+			t.Fatalf("expected DELETE, got %s", r.Method)
+		}
+		json.NewEncoder(w).Encode(map[string]any{"Code": 1000})
+	}))
+	defer srv.Close()
+
+	s := testSession(t, srv.URL)
+	err := s.DoJSON(context.Background(), "DELETE", srv.URL+"/member/123", nil, nil)
+	if err != nil {
+		t.Fatalf("DoJSON DELETE: %v", err)
+	}
+}
diff --git a/api/errors.go b/api/errors.go
@@ -2,6 +2,7 @@ package api
 
 import (
 	"errors"
+	"fmt"
 )
 
 var (
@@ -16,3 +17,17 @@ var (
 	// ErrNotLoggedIn indicates that no active session exists.
 	ErrNotLoggedIn = errors.New("not logged in")
 )
+
+// APIError represents a non-success response from the Proton API.
+type APIError struct {
+	Status  int    // HTTP status code
+	Code    int    // Proton API error code
+	Message string // error description from the API
+}
+
+func (e *APIError) Error() string {
+	if e.Message != "" {
+		return fmt.Sprintf("api: %d/%d: %s", e.Status, e.Code, e.Message)
+	}
+	return fmt.Sprintf("api: %d/%d", e.Status, e.Code)
+}
diff --git a/api/session.go b/api/session.go
@@ -1,13 +1,17 @@
 package api
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"log/slog"
 	"net/http"
 	"net/http/cookiejar"
 	"net/url"
+	"strings"
 	"sync"
 	"time"
 
@@ -224,6 +228,79 @@ func (s *Session) Stop() {
 	s.manager.Close()
 }
 
+// apiEnvelope is the standard Proton API response wrapper.
+type apiEnvelope struct {
+	Code  int    `json:"Code"`
+	Error string `json:"Error,omitempty"`
+}
+
+// DoJSON executes an authenticated JSON API request against the Proton API.
+// Method is "GET", "POST", "DELETE", etc. Path is relative to the API base
+// (e.g. "/drive/shares/{id}/members"). If body is non-nil it is JSON-encoded
+// as the request body. If result is non-nil the response body is JSON-decoded
+// into it. Returns an *APIError on non-success API responses.
+func (s *Session) DoJSON(ctx context.Context, method, path string, body, result any) error {
+	reqURL := path
+	if !strings.HasPrefix(path, "http") {
+		reqURL = proton.DefaultHostURL + path
+	}
+
+	var bodyReader io.Reader
+	if body != nil {
+		data, err := json.Marshal(body)
+		if err != nil {
+			return fmt.Errorf("doJSON: marshal body: %w", err)
+		}
+		bodyReader = bytes.NewReader(data)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, method, reqURL, bodyReader)
+	if err != nil {
+		return fmt.Errorf("doJSON: new request: %w", err)
+	}
+
+	req.Header.Set("x-pm-uid", s.Auth.UID)
+	req.Header.Set("Authorization", "Bearer "+s.Auth.AccessToken)
+	if body != nil {
+		req.Header.Set("Content-Type", "application/json")
+	}
+	req.Header.Set("Accept", "application/json")
+
+	httpClient := &http.Client{Jar: s.cookieJar}
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("doJSON: %s %s: %w", method, path, err)
+	}
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("doJSON: read response: %w", err)
+	}
+
+	// Parse the envelope to check the API-level error code.
+	var envelope apiEnvelope
+	if err := json.Unmarshal(respBody, &envelope); err != nil {
+		return fmt.Errorf("doJSON: unmarshal envelope: %w", err)
+	}
+
+	if envelope.Code != 1000 {
+		return &APIError{
+			Status:  resp.StatusCode,
+			Code:    envelope.Code,
+			Message: envelope.Error,
+		}
+	}
+
+	if result != nil {
+		if err := json.Unmarshal(respBody, result); err != nil {
+			return fmt.Errorf("doJSON: unmarshal result: %w", err)
+		}
+	}
+
+	return nil
+}
+
 // SessionRestore loads credentials from the store and creates an unlocked
 // session. Returns ErrNotLoggedIn if no session is stored.
 func SessionRestore(ctx context.Context, options []proton.Option, store SessionStore, managerHook func(*proton.Manager)) (*Session, error) {
diff --git a/cmd/share/share.go b/cmd/share/share.go
@@ -24,12 +24,12 @@ func notImplemented(name string) func(*cobra.Command, []string) error {
 	}
 }
 
-var shareInfoCmd = &cobra.Command{
-	Use:   "info <share-name>",
+var shareShowCmd = &cobra.Command{
+	Use:   "show <share-name>",
 	Short: "Show detailed share information",
 	Long:  "Show detailed information about a share including members and invitations",
 	Args:  cobra.ExactArgs(1),
-	RunE:  notImplemented("share info"),
+	RunE:  notImplemented("share show"),
 }
 
 var shareInviteCmd = &cobra.Command{
@@ -50,7 +50,7 @@ var shareRevokeCmd = &cobra.Command{
 
 func init() {
 	cli.AddCommand(shareCmd)
-	shareCmd.AddCommand(shareInfoCmd)
+	shareCmd.AddCommand(shareShowCmd)
 	shareCmd.AddCommand(shareInviteCmd)
 	shareCmd.AddCommand(shareRevokeCmd)
 }

Original file line number	Diff line number	Diff line change
`@@ -24,12 +24,12 @@ func notImplemented(name string) func(*cobra.Command, []string) error {`
`24`	`24`	`}`
`25`	`25`	`}`
`26`	`26`
`27`		`-var shareInfoCmd = &cobra.Command{`
`28`		`- Use: "info <share-name>",`
	`27`	`+var shareShowCmd = &cobra.Command{`
	`28`	`+ Use: "show <share-name>",`
`29`	`29`	`Short: "Show detailed share information",`
`30`	`30`	`Long: "Show detailed information about a share including members and invitations",`
`31`	`31`	`Args: cobra.ExactArgs(1),`
`32`		`- RunE: notImplemented("share info"),`
	`32`	`+ RunE: notImplemented("share show"),`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`var shareInviteCmd = &cobra.Command{`
`@@ -50,7 +50,7 @@ var shareRevokeCmd = &cobra.Command{`
`50`	`50`
`51`	`51`	`func init() {`
`52`	`52`	`cli.AddCommand(shareCmd)`
`53`		`- shareCmd.AddCommand(shareInfoCmd)`
	`53`	`+ shareCmd.AddCommand(shareShowCmd)`
`54`	`54`	`shareCmd.AddCommand(shareInviteCmd)`
`55`	`55`	`shareCmd.AddCommand(shareRevokeCmd)`
`56`	`56`	`}`