garmin_cli/cli/commands/
auth.rs

1//! Authentication commands for garmin-cli
2
3use crate::client::{OAuth1Token, OAuth2Token, SsoClient};
4use crate::config::CredentialStore;
5use crate::error::{GarminError, Result};
6use std::io::{self, Write};
7
8/// Execute the login command
9pub async fn login(email: Option<String>, profile: Option<String>) -> Result<()> {
10    let store = CredentialStore::new(profile.clone())?;
11
12    // Check if already logged in
13    if store.has_credentials() {
14        if let Some((_, oauth2)) = store.load_tokens()? {
15            if !oauth2.is_expired() {
16                println!("Already logged in. Use 'garmin auth logout' to log out first.");
17                return Ok(());
18            }
19        }
20    }
21
22    // Get email
23    let email = match email {
24        Some(e) => e,
25        None => {
26            print!("Email: ");
27            io::stdout().flush()?;
28            let mut input = String::new();
29            io::stdin().read_line(&mut input)?;
30            input.trim().to_string()
31        }
32    };
33
34    // Get password
35    let password = rpassword_prompt("Password: ")?;
36
37    println!("Logging in...");
38
39    // Perform login
40    let mut sso_client = SsoClient::new(None)?;
41    let (oauth1, oauth2) = sso_client
42        .login(&email, &password, Some(|| prompt_mfa()))
43        .await?;
44
45    // Save tokens
46    store.save_tokens(&oauth1, &oauth2)?;
47
48    println!("Successfully logged in!");
49    println!("Profile: {}", store.profile());
50
51    Ok(())
52}
53
54/// Execute the logout command
55pub async fn logout(profile: Option<String>) -> Result<()> {
56    let store = CredentialStore::new(profile)?;
57
58    if !store.has_credentials() {
59        println!("Not logged in.");
60        return Ok(());
61    }
62
63    store.clear()?;
64    // Also try to clear keyring (ignore errors)
65    let _ = store.delete_secret_from_keyring();
66
67    println!("Successfully logged out.");
68    Ok(())
69}
70
71/// Execute the status command
72pub async fn status(profile: Option<String>) -> Result<()> {
73    let store = CredentialStore::new(profile)?;
74
75    if !store.has_credentials() {
76        println!("Status: Not logged in");
77        println!("Run 'garmin auth login' to authenticate.");
78        return Ok(());
79    }
80
81    match store.load_tokens()? {
82        Some((oauth1, oauth2)) => {
83            println!("Status: Logged in");
84            println!("Profile: {}", store.profile());
85            println!("Domain: {}", oauth1.domain);
86
87            if oauth2.is_expired() {
88                println!("Access Token: Expired (will refresh on next request)");
89            } else {
90                let expires_in = oauth2.expires_at - chrono::Utc::now().timestamp();
91                if expires_in > 3600 {
92                    println!("Access Token: Valid (expires in {} hours)", expires_in / 3600);
93                } else if expires_in > 60 {
94                    println!("Access Token: Valid (expires in {} minutes)", expires_in / 60);
95                } else {
96                    println!("Access Token: Valid (expires in {} seconds)", expires_in);
97                }
98            }
99
100            if oauth1.mfa_token.is_some() {
101                println!("MFA: Enabled");
102            }
103        }
104        None => {
105            println!("Status: Credentials corrupted");
106            println!("Run 'garmin auth logout' then 'garmin auth login' to fix.");
107        }
108    }
109
110    Ok(())
111}
112
113/// Refresh OAuth2 token using OAuth1 token
114pub async fn refresh_token(store: &CredentialStore) -> Result<(OAuth1Token, OAuth2Token)> {
115    let (oauth1, oauth2) = store
116        .load_tokens()?
117        .ok_or(GarminError::NotAuthenticated)?;
118
119    if !oauth2.is_expired() {
120        return Ok((oauth1, oauth2));
121    }
122
123    println!("Refreshing access token...");
124    let sso_client = SsoClient::new(Some(&oauth1.domain))?;
125    let new_oauth2 = sso_client.refresh_oauth2(&oauth1).await?;
126
127    store.save_oauth2(&new_oauth2)?;
128
129    Ok((oauth1, new_oauth2))
130}
131
132/// Prompt for password without echoing
133fn rpassword_prompt(prompt: &str) -> Result<String> {
134    print!("{}", prompt);
135    io::stdout().flush()?;
136
137    // Use rpassword if available, otherwise just read normally (less secure)
138    let password = rpassword::read_password()
139        .map_err(|e| GarminError::Io(io::Error::new(io::ErrorKind::Other, e.to_string())))?;
140
141    Ok(password)
142}
143
144/// Prompt for MFA code
145fn prompt_mfa() -> String {
146    print!("MFA Code: ");
147    io::stdout().flush().unwrap();
148
149    let mut input = String::new();
150    io::stdin().read_line(&mut input).unwrap();
151    input.trim().to_string()
152}
153
154#[cfg(test)]
155mod tests {
156    // Integration tests would go here, but they require actual credentials
157    // For unit testing, we'd use wiremock to mock the SSO endpoints
158}