Crate car_auth

Shared Parslee OAuth2 PKCE + token/keychain logic.

Used by car-cli (car auth login parslee, loopback flow) and by car-server (the auth.* JSON-RPC surface that CAR Host.app’s signup GUI drives). The keychain keys + default service exactly match what car-inference reads at request time (PARSLEE_ACCESS_TOKEN, default "car" service) — see car-inference remote.rs::lease_key.

Structs

RefreshedTokens
Result of a refresh_grant. The gateway may omit a rotated refresh token (reuse the prior one) and/or an expiry, so both are optional.
TokenSet
/connect/token success body.

Constants

DEFAULT_API_BASE
PARSLEE_ACCESS_TOKEN_KEY
PARSLEE_API_BASE_KEY
PARSLEE_EXPIRES_AT_KEY
PARSLEE_REFRESH_TOKEN_KEY
REFRESH_SKEW_SECS
Seconds before the stored expiry at which access_token_refreshing proactively refreshes — absorbs clock skew plus a slow request. Public so the daemon’s load_or_refresh shares the same threshold (#320).

Functions

access_token
Current access token (env override first, then keychain).
access_token_refreshing
Current access token, proactively refreshed when the stored token is within REFRESH_SKEW_SECS of expiry (or already expired) and a refresh token is available. The PARSLEE_ACCESS_TOKEN env override always wins and is never refreshed — it’s a deliberate injection for tests/CI. Returns None only when no token is available at all.
api_base
Resolve the API base: explicit override → stored → default.
authorize_url
Build the /connect/authorize URL the user opens in a browser.
clear_tokens
Remove all stored Parslee credentials. Idempotent.
exchange_code
Exchange an authorization code + PKCE verifier for tokens.
fetch_status
Fetch the Parslee session JSON for the stored token. Returns the raw response body (the caller renders it). Ok(None) = not signed in.
force_refresh
Unconditionally refresh the Parslee bearer, for the reactive 401 path. access_token_refreshing only refreshes inside a proactive window keyed on the stored expiry — but a token can be revoked or invalidated server-side before its advertised expiry, and a token stored without an expiry never enters that window at all. When a live request is rejected with 401/403, the caller invokes this to mint a fresh bearer and retry once, instead of letting the failure poison 30-day model health (#313).
new_state
Opaque OAuth state value (CSRF guard).
pkce_challenge
PKCE S256 challenge for a verifier.
pkce_verifier
PKCE code verifier (URL-safe, no padding).
refresh_grant
refresh_token grant against /connect/token. Network-only — the caller persists. Mirrors the Parslee gateway contract used by the daemon’s own refresh path (car-server-core::parslee_auth): the gateway treats this as a public-client grant, so no client_id is sent. This lives in car-auth (not car-server-core) so the request-time inference path — which cannot depend on car-server-core — shares one definition of “mint a fresh Parslee bearer” (#313).
store_tokens
Persist a token set + the API base into the OS keychain (default "car" service — the same place car-inference reads from).
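The proactive/reactive split described above for access_token_refreshing, force_refresh and RefreshedTokens, as an added std-only Rust illustration that is not car-auth's own code: the skew value, the type shapes and the function signatures are assumptions, and the network call, keychain I/O and environment lookup are left to the caller.

```rust
/// Hypothetical skew value; the real REFRESH_SKEW_SECS is defined in car-auth and not shown here.
pub const REFRESH_SKEW_SECS: u64 = 60;

/// Locally stored Parslee credentials (constructed shape, not the crate's types).
#[derive(Clone, Debug, PartialEq)]
pub struct Stored {
    pub access_token: String,
    pub refresh_token: Option<String>,
    pub expires_at: Option<u64>, // unix seconds; None when the gateway omitted an expiry
}

/// Body of a successful refresh_grant: the gateway may omit either optional field.
pub struct RefreshedTokens {
    pub access_token: String,
    pub refresh_token: Option<String>,
    pub expires_at: Option<u64>,
}

/// Outcome of the proactive path; the caller performs the network refresh itself.
#[derive(Debug, PartialEq)]
pub enum Decision {
    UseEnv(String),    // PARSLEE_ACCESS_TOKEN override: used as-is, never refreshed
    UseStored(String), // stored token outside the skew window (or no refresh token to use)
    Refresh,           // expired or within REFRESH_SKEW_SECS, and a refresh token exists
    Missing,           // nothing available at all
}

/// Proactive window: expired, or within the skew of the stored expiry. A token stored
/// without an expiry never enters the window; only force_refresh on a live 401/403 covers it.
pub fn in_refresh_window(expires_at: Option<u64>, now: u64) -> bool {
    expires_at.map_or(false, |exp| now + REFRESH_SKEW_SECS >= exp)
}

pub fn access_token_refreshing(env: Option<&str>, stored: Option<&Stored>, now: u64) -> Decision {
    if let Some(t) = env {
        return Decision::UseEnv(t.to_string()); // env override always wins
    }
    match stored {
        None => Decision::Missing,
        Some(s) if s.refresh_token.is_some() && in_refresh_window(s.expires_at, now) => Decision::Refresh,
        Some(s) => Decision::UseStored(s.access_token.clone()),
    }
}

/// Merge a refresh result: a missing rotated refresh token means "reuse the prior one";
/// a missing expiry is stored as None, so the token leaves the proactive window.
pub fn merge(prior: &Stored, fresh: RefreshedTokens) -> Stored {
    Stored {
        access_token: fresh.access_token,
        refresh_token: fresh.refresh_token.or_else(|| prior.refresh_token.clone()),
        expires_at: fresh.expires_at,
    }
}
```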