agentis_pay/

session.rs

use anyhow::{Context, Result, anyhow, bail};

use agentis_pay_shared::{
    BipaClient, ClientConfig, CredentialsStore, proto::pb, unix_timestamp_seconds,
};

#[derive(serde::Deserialize)]
struct OAuthTokenResponse {
    access_token: String,
    refresh_token: Option<String>,
    expires_in: Option<u64>,
    #[serde(default)]
    token_type: Option<String>,
}

#[derive(Debug, Clone, Default)]
pub struct EnvSession {
    jwt: Option<String>,
    refresh_token: Option<String>,
    jwt_expires_at: Option<i64>,
}

impl EnvSession {
    pub fn from_env() -> Result<Option<Self>> {
        Self::from_lookup(|name| {
            std::env::var(name)
                .ok()
                .map(|value| value.trim().to_string())
                .filter(|value| !value.is_empty())
        })
    }

    fn from_lookup(mut lookup: impl FnMut(&str) -> Option<String>) -> Result<Option<Self>> {
        let jwt = lookup("AGENTIS_PAY_JWT");
        let refresh_token = lookup("AGENTIS_PAY_REFRESH_TOKEN");
        let jwt_expires_at = match lookup("AGENTIS_PAY_JWT_EXPIRES_AT") {
            Some(value) => Some(
                value
                    .parse::<i64>()
                    .with_context(|| format!("parse AGENTIS_PAY_JWT_EXPIRES_AT: {value}"))?,
            ),
            None => None,
        };

        if jwt.is_none() {
            if refresh_token.is_some() || jwt_expires_at.is_some() {
                bail!(
                    "AGENTIS_PAY_REFRESH_TOKEN and AGENTIS_PAY_JWT_EXPIRES_AT require AGENTIS_PAY_JWT"
                );
            }
            return Ok(None);
        }

        Ok(Some(Self {
            jwt,
            refresh_token,
            jwt_expires_at,
        }))
    }

    pub fn jwt(&self) -> Option<&str> {
        self.jwt.as_deref().filter(|value| !value.trim().is_empty())
    }

    pub fn has_jwt(&self) -> bool {
        self.jwt().is_some()
    }

    pub fn jwt_expires_at(&self) -> Option<i64> {
        self.jwt_expires_at
    }

    pub fn refresh_token(&self) -> Option<&str> {
        self.refresh_token
            .as_deref()
            .filter(|value| !value.trim().is_empty())
    }

    pub fn clear_session(&mut self) {
        self.jwt = None;
        self.refresh_token = None;
        self.jwt_expires_at = None;
    }

    pub fn set_session(&mut self, jwt: String, refresh_token: Option<String>, ttl_seconds: i64) {
        self.jwt = Some(jwt);
        self.refresh_token = refresh_token.filter(|value| !value.trim().is_empty());
        let ttl_seconds = ttl_seconds.max(0);
        self.jwt_expires_at = Some(unix_timestamp_seconds() + ttl_seconds);
    }
}

pub async fn ensure_valid_session(
    config: &ClientConfig,
    client: &mut BipaClient,
    credentials: &mut CredentialsStore,
) -> Result<()> {
    if !credentials.has_jwt() {
        bail!("No active session. Run `agentis-pay login` first.");
    }

    let jwt = credentials
        .credentials()
        .jwt
        .as_deref()
        .ok_or_else(|| anyhow::anyhow!("No active session. Run `agentis-pay login` first."))?
        .to_string();
    client.set_jwt(jwt.clone());

    if !token_expired(credentials) {
        return Ok(());
    }

    if let Some(refresh_token) = oauth_refresh_token(credentials) {
        let refreshed =
            match refresh_oauth_access_token(config.oauth_endpoint(), refresh_token).await {
                Ok(response) => response,
                Err(error) => {
                    return invalidate(
                        credentials,
                        format!("session expired and oauth refresh failed: {error}"),
                    );
                }
            };

        if refreshed.access_token.trim().is_empty() {
            return invalidate(credentials, "oauth refresh returned an empty access token");
        }

        if let Err(error) = validate_bearer_token_type(refreshed.token_type.as_deref()) {
            credentials.clear_session();
            credentials.save()?;
            return Err(error);
        }

        let ttl_seconds = i64::try_from(refreshed.expires_in.unwrap_or(3600))
            .context("oauth refresh expires_in exceeds i64")?;
        credentials.set_session(
            refreshed.access_token.clone(),
            refreshed.refresh_token,
            ttl_seconds,
        );
        client.set_jwt(refreshed.access_token);
        credentials.save()?;
        return Ok(());
    }

    let response = match client.refresh_auth().await {
        Ok(response) => response,
        Err(error) => {
            return invalidate(
                credentials,
                format!("session expired and refresh failed: {error}"),
            );
        }
    };

    let refreshed = match response.outcome {
        Some(pb::refresh_auth_response::Outcome::Refreshed(r)) => r,
        Some(pb::refresh_auth_response::Outcome::Denied(_)) => {
            return invalidate(
                credentials,
                "session expired and refresh was denied by the server",
            );
        }
        None => {
            return invalidate(credentials, "refresh returned an empty response");
        }
    };

    if refreshed.token.trim().is_empty() {
        return invalidate(credentials, "refresh returned an empty token");
    }

    let refresh_token = credentials.credentials().refresh_token.clone();
    let ttl_seconds = i64::from(refreshed.refresh_in);
    credentials.set_session(refreshed.token.clone(), refresh_token, ttl_seconds);
    client.set_jwt(refreshed.token);
    credentials.save()?;
    Ok(())
}

pub async fn ensure_valid_env_session(
    config: &ClientConfig,
    client: &mut BipaClient,
    session: &mut EnvSession,
) -> Result<()> {
    if !session.has_jwt() {
        bail!("No active session. Set AGENTIS_PAY_JWT for MCP auth.");
    }

    let jwt = session
        .jwt()
        .ok_or_else(|| anyhow!("No active session. Set AGENTIS_PAY_JWT for MCP auth."))?
        .to_string();
    client.set_jwt(jwt);

    if !token_expired_at(session.jwt_expires_at()) {
        return Ok(());
    }

    if let Some(refresh_token) = session.refresh_token() {
        let refreshed =
            match refresh_oauth_access_token(config.oauth_endpoint(), refresh_token).await {
                Ok(response) => response,
                Err(error) => {
                    return invalidate_env_session(
                        session,
                        format!("session expired and oauth refresh failed: {error}"),
                    );
                }
            };

        if refreshed.access_token.trim().is_empty() {
            return invalidate_env_session(session, "oauth refresh returned an empty access token");
        }

        if let Err(error) = validate_bearer_token_type(refreshed.token_type.as_deref()) {
            session.clear_session();
            return Err(error);
        }

        let ttl_seconds = i64::try_from(refreshed.expires_in.unwrap_or(3600))
            .context("oauth refresh expires_in exceeds i64")?;
        session.set_session(
            refreshed.access_token.clone(),
            refreshed.refresh_token,
            ttl_seconds,
        );
        client.set_jwt(refreshed.access_token);
        return Ok(());
    }

    let response = match client.refresh_auth().await {
        Ok(response) => response,
        Err(error) => {
            return invalidate_env_session(
                session,
                format!("session expired and refresh failed: {error}"),
            );
        }
    };

    let refreshed = match response.outcome {
        Some(pb::refresh_auth_response::Outcome::Refreshed(r)) => r,
        Some(pb::refresh_auth_response::Outcome::Denied(_)) => {
            return invalidate_env_session(
                session,
                "session expired and refresh was denied by the server",
            );
        }
        None => {
            return invalidate_env_session(session, "refresh returned an empty response");
        }
    };

    if refreshed.token.trim().is_empty() {
        return invalidate_env_session(session, "refresh returned an empty token");
    }

    let refresh_token = session.refresh_token.clone();
    let ttl_seconds = i64::from(refreshed.refresh_in);
    session.set_session(refreshed.token.clone(), refresh_token, ttl_seconds);
    client.set_jwt(refreshed.token);
    Ok(())
}

/// Clear the session and bail with an error message.
fn invalidate(credentials: &mut CredentialsStore, msg: impl std::fmt::Display) -> Result<()> {
    credentials.clear_session();
    credentials.save()?;
    bail!("{msg}");
}

fn invalidate_env_session(session: &mut EnvSession, msg: impl std::fmt::Display) -> Result<()> {
    session.clear_session();
    bail!("{msg}");
}

fn oauth_refresh_token(credentials: &CredentialsStore) -> Option<&str> {
    credentials
        .oauth_client_id()
        .zip(
            credentials
                .credentials()
                .refresh_token
                .as_deref()
                .filter(|value| !value.trim().is_empty()),
        )
        .map(|(_, refresh_token)| refresh_token)
}

pub fn validate_bearer_token_type(token_type: Option<&str>) -> Result<&str> {
    let token_type =
        token_type.ok_or_else(|| anyhow::anyhow!("oauth token response missing token_type"))?;
    if !token_type.eq_ignore_ascii_case("Bearer") {
        bail!("unsupported oauth token_type: {token_type}");
    }
    Ok(token_type)
}

async fn refresh_oauth_access_token(
    oauth_endpoint: &str,
    refresh_token: &str,
) -> Result<OAuthTokenResponse> {
    let response = reqwest::Client::new()
        .post(format!("{oauth_endpoint}/oauth/token"))
        .form(&[
            ("grant_type", "refresh_token"),
            ("refresh_token", refresh_token),
        ])
        .send()
        .await
        .context("POST /oauth/token")?;

    if !response.status().is_success() {
        let status = response.status();
        let text = response.text().await.unwrap_or_default();
        bail!("oauth token refresh failed ({status}): {text}");
    }

    response
        .json()
        .await
        .context("parse oauth token refresh response")
}

fn token_expired(credentials: &CredentialsStore) -> bool {
    token_expired_at(credentials.jwt_expires_at())
}

fn token_expired_at(expires_at: Option<i64>) -> bool {
    match expires_at {
        None => true,
        Some(expires_at) => {
            let now = unix_timestamp_seconds();
            now.saturating_add(SESSION_REFRESH_SKEW_SECONDS) >= expires_at
        }
    }
}

const SESSION_REFRESH_SKEW_SECONDS: i64 = 60;

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn env_session_from_lookup_parses_expected_fields() {
        let session = EnvSession::from_lookup(|name| match name {
            "AGENTIS_PAY_JWT" => Some("jwt-token".to_string()),
            "AGENTIS_PAY_REFRESH_TOKEN" => Some("refresh-token".to_string()),
            "AGENTIS_PAY_JWT_EXPIRES_AT" => Some("123".to_string()),
            _ => None,
        })
        .expect("parse env session")
        .expect("env session must exist");

        assert_eq!(session.jwt(), Some("jwt-token"));
        assert_eq!(session.refresh_token(), Some("refresh-token"));
        assert_eq!(session.jwt_expires_at(), Some(123));
    }

    #[test]
    fn env_session_rejects_refresh_without_jwt() {
        let error = EnvSession::from_lookup(|name| match name {
            "AGENTIS_PAY_REFRESH_TOKEN" => Some("refresh-token".to_string()),
            _ => None,
        })
        .expect_err("missing jwt must fail");

        assert!(error.to_string().contains("require AGENTIS_PAY_JWT"));
    }
}