Integralist/example.go

## example.go
package authenticate

// https://auth0.com/docs/get-started/authentication-and-authorization-flow/device-authorization-flow
// https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-device-authorization-flow

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"

	"github.com/fastly/cli/pkg/cmd"
	"github.com/fastly/cli/pkg/config"
	fsterr "github.com/fastly/cli/pkg/errors"
	"github.com/fastly/cli/pkg/text"
)

// RootCommand is the parent command for all subcommands in this package.
// It should be installed under the primary root command.
type RootCommand struct {
	cmd.Base
}

// Auth0DeviceCodeURL is the Auth0 device code URL.
const Auth0DeviceCodeURL = "https://<YOUR_DOMAIN>.us.auth0.com"

// Auth0ClientID is the Auth0 Client ID.
const Auth0ClientID = "<YOUR_CLIENT_ID>"

// Auth0Audience is the unique identifier of the API your app wants to access.
const Auth0Audience = "https://<YOUR_API>/"

// Auth0GrantType is an extension grant type (MUST be URL encoded).
var Auth0GrantType = url.QueryEscape("urn:ietf:params:oauth:grant-type:device_code")

// NewRootCommand returns a new command registered in the parent.
func NewRootCommand(parent cmd.Registerer, globals *config.Data) *RootCommand {
	var c RootCommand
	c.Globals = globals
	c.CmdClause = parent.Command("authenticate", "Authenticate with Fastly (returns temporary, auto-rotated, API token)")
	return &c
}

// Exec implements the command interface.
func (c *RootCommand) Exec(_ io.Reader, out io.Writer) error {
	deviceCodeResponse, err := getDeviceCode()
	if err != nil {
		return err
	}

	intro := "Please open the following URL and enter your user code: " + deviceCodeResponse.UserCode
	text.Description(out, intro, deviceCodeResponse.VerificationURI)

	var accessTokenResponse chan *AccessTokenResponse

	interval := time.Duration(deviceCodeResponse.Interval) * time.Second
	deviceCodeExpiration := time.Duration(deviceCodeResponse.ExpiresIn) * time.Second

	go pollForAccessToken(
		deviceCodeResponse.DeviceCode,
		interval,
		deviceCodeExpiration,
		accessTokenResponse,
		c.Globals.ErrLog,
	)

	select {
	case atr := <-accessTokenResponse:
		fmt.Printf("%+v\n", atr)
	case <-time.After(deviceCodeExpiration):
		return fsterr.RemediationError{
			Inner:       fmt.Errorf("user code expired"),
			Remediation: "Please re-run the command and complete the authorization flow.",
		}
	}

	return nil
}

// getDeviceCode retrieves a device code from Auth0.
func getDeviceCode() (deviceCodeResponse DeviceCodeResponse, err error) {
	path := "/oauth/device/code"

	// TODO: In the future we may want to restrict the API scope (see 'scope').
	// https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-device-authorization-flow#device-code-parameters
	payload := fmt.Sprintf("client_id=%s&audience=%s", Auth0ClientID, url.QueryEscape(Auth0Audience))

	req, err := http.NewRequest("POST", Auth0DeviceCodeURL+path, strings.NewReader(payload))
	if err != nil {
		return deviceCodeResponse, err
	}

	req.Header.Add("content-type", "application/x-www-form-urlencoded")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		return deviceCodeResponse, err
	}
	defer res.Body.Close()

	body, err := io.ReadAll(res.Body)
	if err != nil {
		return deviceCodeResponse, err
	}

	err = json.Unmarshal(body, &deviceCodeResponse)
	if err != nil {
		return deviceCodeResponse, err
	}

	return deviceCodeResponse, nil
}

// DeviceCodeResponse is the API response for an Auth0 Device Code request.
type DeviceCodeResponse struct {
	// DeviceCode is the unique code for the device.
	DeviceCode string `json:"device_code"`
	// ExpiresIn indicates the lifetime (in seconds) of the device_code and user_code.
	ExpiresIn int `json:"expires_in"`
	// Interval indicates the interval (in seconds) at which the app should poll the token URL to request a token.
	Interval int `json:"interval"`
	// UserCode contains the code that should be input at the verification_uri to authorize the device.
	UserCode string `json:"user_code"`
	// VerificationURI contains the URL the user should visit to authorize the device.
	VerificationURI string `json:"verification_uri"`
	// VerificationURIComplete contains the complete URL the user should visit to authorize the device.
	VerificationURIComplete string `json:"verification_uri_complete"`
}

func pollForAccessToken(
	deviceCode string,
	interval time.Duration,
	deviceCodeExpiration time.Duration,
	accessTokenResponse chan *AccessTokenResponse,
	errLog fsterr.LogInterface,
) {
	path := "/oauth/token"
	payload := fmt.Sprintf("grant_type=%s&device_code=%s&client_id=%s", Auth0GrantType, deviceCode, Auth0ClientID)
	ctx := map[string]any{
		"path":    path,
		"payload": payload,
	}

	req, err := http.NewRequest("POST", Auth0DeviceCodeURL+path, strings.NewReader(payload))
	if err != nil {
		errLog.AddWithContext(err, ctx)
		return
	}

	req.Header.Add("content-type", "application/x-www-form-urlencoded")

	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	done := make(chan bool)
	go func() {
		time.Sleep(deviceCodeExpiration)
		done <- true
	}()
	for {
		select {
		case <-done:
			return
		case <-ticker.C:
			// NOTE: We extract the logic into a func to avoid a defer within a loop.
			checkAccessToken(req, errLog, ctx, accessTokenResponse, done)
		}
	}
}

func checkAccessToken(
	req *http.Request,
	errLog fsterr.LogInterface,
	ctx map[string]any,
	accessTokenResponse chan *AccessTokenResponse,
	done chan bool,
) {
	// TODO: Handle all the different error scenarios appropriately.
	// https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-device-authorization-flow#token-responses
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		errLog.AddWithContext(err, ctx)
		return
	}
	defer res.Body.Close()

	body, err := io.ReadAll(res.Body)
	if err != nil {
		errLog.AddWithContext(err, ctx)
		return
	}

	var atr *AccessTokenResponse
	err = json.Unmarshal(body, atr)
	if err != nil {
		errLog.AddWithContext(err, ctx)
		return
	}

	done <- true
	accessTokenResponse <- atr
}

// AccessTokenResponse is the API response for an Auth0 Access Token request.
type AccessTokenResponse struct {
	// AccessToken can be exchanged for a Fastly API token.
	AccessToken string `json:"access_token"`
	// ExpiresIn indicates the lifetime (in seconds) of the access token.
	ExpiresIn int `json:"expires_in"`
	// IDToken contains user information that must be decoded and extracted.
	IDToken string `json:"id_token"`
	// RefreshToken is used to obtain a new Access Token or ID Token after the previous one has expired.
	RefreshToken string `json:"refresh_token"`
	// TokenType indicates which HTTP authentication scheme is used (e.g. Bearer).
	TokenType string `json:"token_type"`
}
	package authenticate

	// https://auth0.com/docs/get-started/authentication-and-authorization-flow/device-authorization-flow
	// https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-device-authorization-flow

	import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"

	"github.com/fastly/cli/pkg/cmd"
	"github.com/fastly/cli/pkg/config"
	fsterr "github.com/fastly/cli/pkg/errors"
	"github.com/fastly/cli/pkg/text"
	)

	// RootCommand is the parent command for all subcommands in this package.
	// It should be installed under the primary root command.
	type RootCommand struct {
	cmd.Base
	}

	// Auth0DeviceCodeURL is the Auth0 device code URL.
	const Auth0DeviceCodeURL = "https://<YOUR_DOMAIN>.us.auth0.com"

	// Auth0ClientID is the Auth0 Client ID.
	const Auth0ClientID = "<YOUR_CLIENT_ID>"

	// Auth0Audience is the unique identifier of the API your app wants to access.
	const Auth0Audience = "https://<YOUR_API>/"

	// Auth0GrantType is an extension grant type (MUST be URL encoded).
	var Auth0GrantType = url.QueryEscape("urn:ietf:params:oauth:grant-type:device_code")

	// NewRootCommand returns a new command registered in the parent.
	func NewRootCommand(parent cmd.Registerer, globals config.Data) RootCommand {
	var c RootCommand
	c.Globals = globals
	c.CmdClause = parent.Command("authenticate", "Authenticate with Fastly (returns temporary, auto-rotated, API token)")
	return &c
	}

	// Exec implements the command interface.
	func (c *RootCommand) Exec(_ io.Reader, out io.Writer) error {
	deviceCodeResponse, err := getDeviceCode()
	if err != nil {
	return err
	}

	intro := "Please open the following URL and enter your user code: " + deviceCodeResponse.UserCode
	text.Description(out, intro, deviceCodeResponse.VerificationURI)

	var accessTokenResponse chan *AccessTokenResponse

	interval := time.Duration(deviceCodeResponse.Interval) * time.Second
	deviceCodeExpiration := time.Duration(deviceCodeResponse.ExpiresIn) * time.Second

	go pollForAccessToken(
	deviceCodeResponse.DeviceCode,
	interval,
	deviceCodeExpiration,
	accessTokenResponse,
	c.Globals.ErrLog,
	)

	select {
	case atr := <-accessTokenResponse:
	fmt.Printf("%+v\n", atr)
	case <-time.After(deviceCodeExpiration):
	return fsterr.RemediationError{
	Inner: fmt.Errorf("user code expired"),
	Remediation: "Please re-run the command and complete the authorization flow.",
	}
	}

	return nil
	}

	// getDeviceCode retrieves a device code from Auth0.
	func getDeviceCode() (deviceCodeResponse DeviceCodeResponse, err error) {
	path := "/oauth/device/code"

	// TODO: In the future we may want to restrict the API scope (see 'scope').
	// https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-device-authorization-flow#device-code-parameters
	payload := fmt.Sprintf("client_id=%s&audience=%s", Auth0ClientID, url.QueryEscape(Auth0Audience))

	req, err := http.NewRequest("POST", Auth0DeviceCodeURL+path, strings.NewReader(payload))
	if err != nil {
	return deviceCodeResponse, err
	}

	req.Header.Add("content-type", "application/x-www-form-urlencoded")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
	return deviceCodeResponse, err
	}
	defer res.Body.Close()

	body, err := io.ReadAll(res.Body)
	if err != nil {
	return deviceCodeResponse, err
	}

	err = json.Unmarshal(body, &deviceCodeResponse)
	if err != nil {
	return deviceCodeResponse, err
	}

	return deviceCodeResponse, nil
	}

	// DeviceCodeResponse is the API response for an Auth0 Device Code request.
	type DeviceCodeResponse struct {
	// DeviceCode is the unique code for the device.
	DeviceCode string `json:"device_code"`
	// ExpiresIn indicates the lifetime (in seconds) of the device_code and user_code.
	ExpiresIn int `json:"expires_in"`
	// Interval indicates the interval (in seconds) at which the app should poll the token URL to request a token.
	Interval int `json:"interval"`
	// UserCode contains the code that should be input at the verification_uri to authorize the device.
	UserCode string `json:"user_code"`
	// VerificationURI contains the URL the user should visit to authorize the device.
	VerificationURI string `json:"verification_uri"`
	// VerificationURIComplete contains the complete URL the user should visit to authorize the device.
	VerificationURIComplete string `json:"verification_uri_complete"`
	}

	func pollForAccessToken(
	deviceCode string,
	interval time.Duration,
	deviceCodeExpiration time.Duration,
	accessTokenResponse chan *AccessTokenResponse,
	errLog fsterr.LogInterface,
	) {
	path := "/oauth/token"
	payload := fmt.Sprintf("grant_type=%s&device_code=%s&client_id=%s", Auth0GrantType, deviceCode, Auth0ClientID)
	ctx := map[string]any{
	"path": path,
	"payload": payload,
	}

	req, err := http.NewRequest("POST", Auth0DeviceCodeURL+path, strings.NewReader(payload))
	if err != nil {
	errLog.AddWithContext(err, ctx)
	return
	}

	req.Header.Add("content-type", "application/x-www-form-urlencoded")

	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	done := make(chan bool)
	go func() {
	time.Sleep(deviceCodeExpiration)
	done <- true
	}()
	for {
	select {
	case <-done:
	return
	case <-ticker.C:
	// NOTE: We extract the logic into a func to avoid a defer within a loop.
	checkAccessToken(req, errLog, ctx, accessTokenResponse, done)
	}
	}
	}

	func checkAccessToken(
	req *http.Request,
	errLog fsterr.LogInterface,
	ctx map[string]any,
	accessTokenResponse chan *AccessTokenResponse,
	done chan bool,
	) {
	// TODO: Handle all the different error scenarios appropriately.
	// https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-device-authorization-flow#token-responses
	res, err := http.DefaultClient.Do(req)
	if err != nil {
	errLog.AddWithContext(err, ctx)
	return
	}
	defer res.Body.Close()

	body, err := io.ReadAll(res.Body)
	if err != nil {
	errLog.AddWithContext(err, ctx)
	return
	}

	var atr *AccessTokenResponse
	err = json.Unmarshal(body, atr)
	if err != nil {
	errLog.AddWithContext(err, ctx)
	return
	}

	done <- true
	accessTokenResponse <- atr
	}

	// AccessTokenResponse is the API response for an Auth0 Access Token request.
	type AccessTokenResponse struct {
	// AccessToken can be exchanged for a Fastly API token.
	AccessToken string `json:"access_token"`
	// ExpiresIn indicates the lifetime (in seconds) of the access token.
	ExpiresIn int `json:"expires_in"`
	// IDToken contains user information that must be decoded and extracted.
	IDToken string `json:"id_token"`
	// RefreshToken is used to obtain a new Access Token or ID Token after the previous one has expired.
	RefreshToken string `json:"refresh_token"`
	// TokenType indicates which HTTP authentication scheme is used (e.g. Bearer).
	TokenType string `json:"token_type"`
	}