re_auth 0.32.1

Authentication helpers for Rerun
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183

use std::time::Duration;

use indicatif::ProgressBar;

pub use crate::callback_server::Error;
use crate::oauth::api::{GenerateToken, send_async};
use crate::oauth::login_flow::OauthLoginFlowState;
use crate::{OauthLoginFlow, Permission, oauth};

pub struct LogoutOptions {
    pub open_browser: bool,
}

pub struct LoginOptions {
    pub open_browser: bool,
    pub force_login: bool,

    /// If set, switch to this `WorkOS` organization after login.
    pub org_id: Option<String>,
}

#[derive(Debug, thiserror::Error)]
#[error("No credentials are stored on your machine, run `rerun auth login` first")]
struct NoCredentialsError;

#[derive(Debug, thiserror::Error)]
#[error("Your session ended due to inactivity, run `rerun auth login` first")]
struct ExpiredCredentialsError;

/// Prints the token to stdout
pub async fn token() -> Result<(), Error> {
    match oauth::load_and_refresh_credentials().await {
        Ok(Some(credentials)) => {
            println!("{}", credentials.access_token().as_str());
            Ok(())
        }

        Ok(None) => Err(Error::Generic(NoCredentialsError.into())),

        Err(err) => {
            re_log::debug!("invalid credentials: {err}");
            Err(Error::Generic(Box::new(ExpiredCredentialsError)))
        }
    }
}

/// Login to Rerun using Authorization Code flow.
///
/// This first checks if valid credentials already exist locally,
/// and doesn't perform the login flow if so, unless `options.force_login` is set to `true`.
pub async fn login(options: LoginOptions) -> Result<(), Error> {
    // Login process:

    // 1. Start web server listening for token
    let mut credentials = match OauthLoginFlow::init(options.force_login).await? {
        OauthLoginFlowState::AlreadyLoggedIn(credentials) => {
            if options.org_id.is_none() {
                println!("You're already logged in as: {}", credentials.user().email);
                println!("Note: We've refreshed your credentials.");
                println!("Note: Run `rerun auth login --force` to login again.");
                return Ok(());
            }
            *credentials
        }
        OauthLoginFlowState::LoginFlowStarted(login_flow) => {
            let progress_bar = ProgressBar::new_spinner();

            // 2. Open authorization URL in browser
            let login_url = login_flow.get_login_url();
            if options.open_browser {
                progress_bar.println("Opening login page in your browser.");
                progress_bar.println("Once you've logged in, the process will continue here.");
                progress_bar.println(format!(
                    "Alternatively, manually open this url: {login_url}"
                ));
                webbrowser::open(login_url).ok(); // Ok to ignore error here. The user can just open the above url themselves.
            } else {
                progress_bar.println("Open the following page in your browser:");
                progress_bar.println(login_url);
            }
            progress_bar.inc(1);

            // 3. Wait for login to finish
            progress_bar.set_message("Waiting for browser…");
            let credentials = loop {
                if let Some(code) = login_flow.poll().await? {
                    break code;
                }
                progress_bar.inc(1);
                std::thread::sleep(Duration::from_millis(10));
            };

            progress_bar.finish_and_clear();
            credentials
        }
    };

    // 4. If an org was specified, switch to it via a refresh
    if let Some(org_id) = &options.org_id {
        credentials = oauth::refresh_credentials_with_org(credentials, Some(org_id))
            .await
            .map_err(|err| Error::Generic(err.into()))?;
    }

    println!(
        "Success! You are now logged in as {}",
        credentials.user().email
    );
    println!("Rerun will automatically use the credentials stored on your machine.");

    Ok(())
}

/// Log out of Rerun by clearing stored credentials.
pub fn logout(options: &LogoutOptions) -> Result<(), Error> {
    match crate::oauth::clear_credentials(None) {
        Ok(Some(outcome)) => {
            if options.open_browser {
                println!("Opening browser to end your session…");
                webbrowser::open(&outcome.logout_url).ok();
            } else {
                println!("Open the following URL in your browser to end your session:");
                println!("{}", outcome.logout_url);
            }
            println!("You have been logged out.");

            // Wait for the callback server to serve the "logged out" page
            // before the process exits.
            if let Some(handle) = outcome.server_handle {
                handle.join().ok();
            }

            Ok(())
        }
        Ok(None) => {
            println!("No credentials found. You are already logged out.");
            Ok(())
        }
        Err(err) => Err(Error::Generic(err.into())),
    }
}

pub struct GenerateTokenOptions {
    pub server: url::Origin,
    pub expiration: jiff::Span,
    pub permission: Permission,
}

pub async fn generate_token(options: GenerateTokenOptions) -> Result<(), Error> {
    let credentials = match oauth::load_and_refresh_credentials().await {
        Ok(Some(credentials)) => credentials,

        Ok(None) => return Err(Error::Generic(NoCredentialsError.into())),

        Err(err) => {
            re_log::debug!("invalid credentials: {err}");
            return Err(Error::Generic(Box::new(ExpiredCredentialsError)));
        }
    };

    let jwt = credentials.access_token().jwt();
    let server_url = url::Url::parse(&options.server.ascii_serialization())
        .map_err(|err| Error::Generic(err.into()))?;
    let server_host = server_url
        .host_str()
        .ok_or_else(|| Error::Generic("server URL has no host".into()))?;
    let token = jwt
        .for_host(server_host)
        .map_err(|err| Error::Generic(err.into()))?;

    let res = send_async(GenerateToken {
        server: options.server,
        token,
        expiration: options.expiration,
        permission: options.permission,
    })
    .await
    .map_err(|err| Error::Generic(err.into()))?;

    println!("{}", res.token);

    Ok(())
}