huskies: merge 609_story_extract_oauth_service

2026-04-24 16:15:10 +00:00
parent 2dc2513fac
commit 60a9c87794
6 changed files with 758 additions and 283 deletions
@@ -0,0 +1,269 @@
+//! OAuth service — domain logic for the Anthropic OAuth 2.0 PKCE flow.
+//!
+//! Extracts business logic from `http/oauth.rs` following the conventions in
+//! `docs/architecture/service-modules.md`:
+//! - `mod.rs` (this file) — public API, typed `Error`, `OAuthState`, orchestration
+//! - `io.rs` — the ONLY place that performs side effects (HTTP, filesystem, clock)
+//! - `pkce.rs` — pure PKCE helpers: generation, challenge, encoding
+//! - `flow.rs` — pure flow types and token-expiry decision logic
+
+pub mod flow;
+pub(super) mod io;
+pub mod pkce;
+
+pub use flow::FlowStatus;
+
+use flow::PendingFlow;
+use std::collections::HashMap;
+use std::sync::{Arc, Mutex};
+
+// ── Error type ────────────────────────────────────────────────────────────────
+
+/// Typed errors returned by `service::oauth` functions.
+///
+/// HTTP handlers map these to status codes:
+/// - [`Error::InvalidGrant`] → 400 Bad Request
+/// - [`Error::Network`] → 500 Internal Server Error
+/// - [`Error::TokenExpired`] → 401 Unauthorized
+/// - [`Error::TokenStorage`] → 500 Internal Server Error
+/// - [`Error::InvalidState`] → 400 Bad Request
+/// - [`Error::MissingCode`] → 400 Bad Request
+/// - [`Error::MissingState`] → 400 Bad Request
+/// - [`Error::AuthorizationDenied`] → 400 Bad Request
+/// - [`Error::Parse`] → 500 Internal Server Error
+#[derive(Debug)]
+#[allow(dead_code)]
+pub enum Error {
+    /// The OAuth provider rejected the authorization code (invalid-grant).
+    InvalidGrant(String),
+    /// A network error occurred communicating with the OAuth provider.
+    Network(String),
+    /// The access token has expired and cannot be refreshed.
+    TokenExpired(String),
+    /// Failed to read or write the credential storage file.
+    TokenStorage(String),
+    /// The CSRF state parameter does not match any pending flow.
+    InvalidState(String),
+    /// No authorization code was provided in the callback.
+    MissingCode,
+    /// No state parameter was provided in the callback.
+    MissingState,
+    /// The OAuth provider returned an explicit error (e.g. user denied access).
+    AuthorizationDenied(String),
+    /// The token response could not be parsed.
+    Parse(String),
+}
+
+impl std::fmt::Display for Error {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Self::InvalidGrant(msg) => write!(f, "Invalid grant: {msg}"),
+            Self::Network(msg) => write!(f, "Network error: {msg}"),
+            Self::TokenExpired(msg) => write!(f, "Token expired: {msg}"),
+            Self::TokenStorage(msg) => write!(f, "Token storage error: {msg}"),
+            Self::InvalidState(msg) => write!(f, "Invalid state: {msg}"),
+            Self::MissingCode => write!(f, "Missing authorization code"),
+            Self::MissingState => write!(f, "Missing state parameter"),
+            Self::AuthorizationDenied(msg) => write!(f, "Authorization denied: {msg}"),
+            Self::Parse(msg) => write!(f, "Parse error: {msg}"),
+        }
+    }
+}
+
+// ── OAuthState ────────────────────────────────────────────────────────────────
+
+/// In-memory store for pending PKCE flows, keyed by CSRF state parameter.
+///
+/// Injected into Poem route handlers via `Data<Arc<OAuthState>>`.
+#[derive(Clone)]
+pub struct OAuthState {
+    /// Maps CSRF state → pending PKCE flow data.
+    pending: Arc<Mutex<HashMap<String, PendingFlow>>>,
+    /// Server port, used to build the `redirect_uri`.
+    port: u16,
+}
+
+impl OAuthState {
+    /// Create a new `OAuthState` for the server listening on `port`.
+    pub fn new(port: u16) -> Self {
+        Self {
+            pending: Arc::new(Mutex::new(HashMap::new())),
+            port,
+        }
+    }
+
+    /// Return the OAuth callback URL for this server instance.
+    pub(crate) fn callback_url(&self) -> String {
+        format!("http://localhost:{}/callback", self.port)
+    }
+}
+
+// ── Public API ────────────────────────────────────────────────────────────────
+
+/// Initiate a new OAuth PKCE flow.
+///
+/// Generates a code verifier, CSRF state token, and PKCE challenge; stores
+/// the pending flow; and returns `(csrf_state, authorize_url)` for the caller
+/// to redirect the browser to.
+pub fn initiate_flow(state: &OAuthState) -> (String, String) {
+    use pkce::{build_authorize_url, compute_code_challenge, random_string};
+
+    let code_verifier = random_string(128);
+    let code_challenge = compute_code_challenge(&code_verifier);
+    let csrf_state = random_string(32);
+    let redirect_uri = state.callback_url();
+
+    crate::slog!("[oauth] Starting OAuth flow, state={}", csrf_state);
+
+    state.pending.lock().unwrap().insert(
+        csrf_state.clone(),
+        PendingFlow {
+            code_verifier,
+            redirect_uri: redirect_uri.clone(),
+        },
+    );
+
+    let url = build_authorize_url(&redirect_uri, &code_challenge, &csrf_state);
+    (csrf_state, url)
+}
+
+/// Exchange an authorization code for tokens and persist the credentials.
+///
+/// Looks up the pending PKCE flow for `csrf_state`, exchanges the code with
+/// Anthropic's token endpoint, and writes the result to
+/// `~/.claude/.credentials.json`.
+///
+/// # Errors
+/// - [`Error::InvalidState`] if `csrf_state` is unknown or already consumed.
+/// - [`Error::Network`] if the token endpoint is unreachable.
+/// - [`Error::InvalidGrant`] if Anthropic rejects the code (non-2xx response).
+/// - [`Error::Parse`] if the token response cannot be parsed.
+/// - [`Error::TokenStorage`] if writing credentials to disk fails.
+pub async fn exchange_code(state: &OAuthState, code: &str, csrf_state: &str) -> Result<(), Error> {
+    crate::slog!("[oauth] Received callback, exchanging code for tokens");
+
+    let pending = state.pending.lock().unwrap().remove(csrf_state);
+    let flow = pending.ok_or_else(|| {
+        crate::slog!("[oauth] Unknown state parameter: {}", csrf_state);
+        Error::InvalidState(
+            "Unknown or expired state parameter. Please try logging in again.".to_string(),
+        )
+    })?;
+
+    let token =
+        io::exchange_code_for_tokens(code, &flow.redirect_uri, &flow.code_verifier, csrf_state)
+            .await?;
+    let now_ms = io::current_time_ms();
+    io::save_credentials(&token, now_ms)?;
+
+    crate::slog!("[oauth] Successfully authenticated and saved credentials");
+    Ok(())
+}
+
+/// Return the current OAuth credential status without performing any I/O beyond
+/// reading the credentials file.
+///
+/// Returns an unauthenticated [`FlowStatus`] when no credentials file exists.
+pub fn check_status() -> FlowStatus {
+    io::load_status()
+}
+
+// ── Tests ─────────────────────────────────────────────────────────────────────
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn oauth_state_new_sets_port() {
+        let s = OAuthState::new(3001);
+        assert_eq!(s.callback_url(), "http://localhost:3001/callback");
+    }
+
+    #[test]
+    fn oauth_state_different_ports() {
+        let s = OAuthState::new(9876);
+        assert_eq!(s.callback_url(), "http://localhost:9876/callback");
+    }
+
+    #[test]
+    fn initiate_flow_stores_pending_entry() {
+        let state = OAuthState::new(3001);
+        let (csrf_state, url) = initiate_flow(&state);
+        assert!(!csrf_state.is_empty());
+        assert!(url.contains(&csrf_state));
+        assert!(state.pending.lock().unwrap().contains_key(&csrf_state));
+    }
+
+    #[test]
+    fn initiate_flow_generates_unique_states() {
+        let state = OAuthState::new(3001);
+        let (s1, _) = initiate_flow(&state);
+        let (s2, _) = initiate_flow(&state);
+        assert_ne!(s1, s2);
+    }
+
+    #[test]
+    fn error_display_invalid_grant() {
+        let e = Error::InvalidGrant("bad code".to_string());
+        assert_eq!(e.to_string(), "Invalid grant: bad code");
+    }
+
+    #[test]
+    fn error_display_network_error() {
+        let e = Error::Network("timeout".to_string());
+        assert_eq!(e.to_string(), "Network error: timeout");
+    }
+
+    #[test]
+    fn error_display_token_expired() {
+        let e = Error::TokenExpired("expired".to_string());
+        assert_eq!(e.to_string(), "Token expired: expired");
+    }
+
+    #[test]
+    fn error_display_token_storage() {
+        let e = Error::TokenStorage("disk full".to_string());
+        assert_eq!(e.to_string(), "Token storage error: disk full");
+    }
+
+    #[test]
+    fn error_display_invalid_state() {
+        let e = Error::InvalidState("unknown".to_string());
+        assert_eq!(e.to_string(), "Invalid state: unknown");
+    }
+
+    #[test]
+    fn error_display_missing_code() {
+        let e = Error::MissingCode;
+        assert_eq!(e.to_string(), "Missing authorization code");
+    }
+
+    #[test]
+    fn error_display_missing_state() {
+        let e = Error::MissingState;
+        assert_eq!(e.to_string(), "Missing state parameter");
+    }
+
+    #[test]
+    fn error_display_authorization_denied() {
+        let e = Error::AuthorizationDenied("access_denied".to_string());
+        assert_eq!(e.to_string(), "Authorization denied: access_denied");
+    }
+
+    #[test]
+    fn error_display_parse_error() {
+        let e = Error::Parse("bad json".to_string());
+        assert_eq!(e.to_string(), "Parse error: bad json");
+    }
+
+    #[test]
+    fn exchange_code_returns_invalid_state_for_unknown_csrf() {
+        // Can test the InvalidState path synchronously by driving the pending map directly
+        let state = OAuthState::new(3001);
+        // No pending flow inserted — exchange_code will find no match
+        let rt = tokio::runtime::Runtime::new().unwrap();
+        let result = rt.block_on(exchange_code(&state, "somecode", "unknownstate"));
+        assert!(matches!(result, Err(Error::InvalidState(_))));
+    }
+}