diff --git a/internal/auth/kiro/oauth_web.go b/internal/auth/kiro/oauth_web.go index 4ffbb7fd..954f9f6b 100644 --- a/internal/auth/kiro/oauth_web.go +++ b/internal/auth/kiro/oauth_web.go @@ -5,6 +5,7 @@ import ( "context" "crypto/rand" "encoding/base64" + "encoding/json" "fmt" "html/template" "net/http" @@ -85,6 +86,7 @@ func (h *OAuthWebHandler) RegisterRoutes(router gin.IRouter) { oauth.GET("/social/callback", h.handleSocialCallback) oauth.GET("/status", h.handleStatus) oauth.POST("/import", h.handleImportToken) + oauth.POST("/refresh", h.handleManualRefresh) } } @@ -824,3 +826,157 @@ func (h *OAuthWebHandler) handleImportToken(c *gin.Context) { "fileName": fileName, }) } + +// handleManualRefresh handles manual token refresh requests from the web UI. +// This allows users to trigger a token refresh when needed, without waiting +// for the automatic 5-second check and 10-minute-before-expiry refresh cycle. +// Uses the same refresh logic as kiro_executor.Refresh for consistency. +func (h *OAuthWebHandler) handleManualRefresh(c *gin.Context) { + authDir := "" + if h.cfg != nil && h.cfg.AuthDir != "" { + var err error + authDir, err = util.ResolveAuthDir(h.cfg.AuthDir) + if err != nil { + log.Errorf("OAuth Web: failed to resolve auth directory: %v", err) + } + } + + if authDir == "" { + home, err := os.UserHomeDir() + if err != nil { + c.JSON(http.StatusInternalServerError, gin.H{ + "success": false, + "error": "Failed to get home directory", + }) + return + } + authDir = filepath.Join(home, ".cli-proxy-api") + } + + // Find all kiro token files in the auth directory + files, err := os.ReadDir(authDir) + if err != nil { + c.JSON(http.StatusInternalServerError, gin.H{ + "success": false, + "error": fmt.Sprintf("Failed to read auth directory: %v", err), + }) + return + } + + var refreshedCount int + var errors []string + + for _, file := range files { + if file.IsDir() { + continue + } + name := file.Name() + if !strings.HasPrefix(name, "kiro-") || !strings.HasSuffix(name, ".json") { + continue + } + + filePath := filepath.Join(authDir, name) + data, err := os.ReadFile(filePath) + if err != nil { + errors = append(errors, fmt.Sprintf("%s: read error - %v", name, err)) + continue + } + + var storage KiroTokenStorage + if err := json.Unmarshal(data, &storage); err != nil { + errors = append(errors, fmt.Sprintf("%s: parse error - %v", name, err)) + continue + } + + if storage.RefreshToken == "" { + errors = append(errors, fmt.Sprintf("%s: no refresh token", name)) + continue + } + + // Refresh token using the same logic as kiro_executor.Refresh + tokenData, err := h.refreshTokenData(c.Request.Context(), &storage) + if err != nil { + errors = append(errors, fmt.Sprintf("%s: refresh failed - %v", name, err)) + continue + } + + // Update storage with new token data + storage.AccessToken = tokenData.AccessToken + if tokenData.RefreshToken != "" { + storage.RefreshToken = tokenData.RefreshToken + } + storage.ExpiresAt = tokenData.ExpiresAt + storage.LastRefresh = time.Now().Format(time.RFC3339) + if tokenData.ProfileArn != "" { + storage.ProfileArn = tokenData.ProfileArn + } + + // Write updated token back to file + updatedData, err := json.MarshalIndent(storage, "", " ") + if err != nil { + errors = append(errors, fmt.Sprintf("%s: marshal error - %v", name, err)) + continue + } + + tmpFile := filePath + ".tmp" + if err := os.WriteFile(tmpFile, updatedData, 0600); err != nil { + errors = append(errors, fmt.Sprintf("%s: write error - %v", name, err)) + continue + } + if err := os.Rename(tmpFile, filePath); err != nil { + errors = append(errors, fmt.Sprintf("%s: rename error - %v", name, err)) + continue + } + + log.Infof("OAuth Web: manually refreshed token in %s, expires at %s", name, tokenData.ExpiresAt) + refreshedCount++ + + // Notify callback if set + if h.onTokenObtained != nil { + h.onTokenObtained(tokenData) + } + } + + if refreshedCount == 0 && len(errors) > 0 { + c.JSON(http.StatusBadRequest, gin.H{ + "success": false, + "error": fmt.Sprintf("All refresh attempts failed: %v", errors), + }) + return + } + + response := gin.H{ + "success": true, + "message": fmt.Sprintf("Refreshed %d token(s)", refreshedCount), + "refreshedCount": refreshedCount, + } + if len(errors) > 0 { + response["warnings"] = errors + } + + c.JSON(http.StatusOK, response) +} + +// refreshTokenData refreshes a token using the appropriate method based on auth type. +// This mirrors the logic in kiro_executor.Refresh for consistency. +func (h *OAuthWebHandler) refreshTokenData(ctx context.Context, storage *KiroTokenStorage) (*KiroTokenData, error) { + ssoClient := NewSSOOIDCClient(h.cfg) + + switch { + case storage.ClientID != "" && storage.ClientSecret != "" && storage.AuthMethod == "idc" && storage.Region != "": + // IDC refresh with region-specific endpoint + log.Debugf("OAuth Web: using SSO OIDC refresh for IDC (region=%s)", storage.Region) + return ssoClient.RefreshTokenWithRegion(ctx, storage.ClientID, storage.ClientSecret, storage.RefreshToken, storage.Region, storage.StartURL) + + case storage.ClientID != "" && storage.ClientSecret != "" && storage.AuthMethod == "builder-id": + // Builder ID refresh with default endpoint + log.Debugf("OAuth Web: using SSO OIDC refresh for AWS Builder ID") + return ssoClient.RefreshToken(ctx, storage.ClientID, storage.ClientSecret, storage.RefreshToken) + + default: + // Fallback to Kiro's OAuth refresh endpoint (for social auth: Google/GitHub) + log.Debugf("OAuth Web: using Kiro OAuth refresh endpoint") + oauth := NewKiroOAuth(h.cfg) + return oauth.RefreshToken(ctx, storage.RefreshToken) + } +} diff --git a/internal/auth/kiro/oauth_web_templates.go b/internal/auth/kiro/oauth_web_templates.go index 064a1ff9..228677a5 100644 --- a/internal/auth/kiro/oauth_web_templates.go +++ b/internal/auth/kiro/oauth_web_templates.go @@ -541,6 +541,9 @@ const ( } .auth-btn.manual { background: #6c757d; } .auth-btn.manual:hover { background: #5a6268; } + .auth-btn.refresh { background: #17a2b8; } + .auth-btn.refresh:hover { background: #138496; } + .auth-btn.refresh:disabled { background: #7fb3bd; cursor: not-allowed; } .manual-form { background: #f8f9fa; padding: 20px; @@ -606,6 +609,13 @@ const ( 📋 Import RefreshToken from Kiro IDE + + + +
@@ -726,6 +736,43 @@ const ( btn.textContent = '📥 Import Token'; } } + + async function manualRefresh() { + const btn = document.getElementById('refreshBtn'); + const statusEl = document.getElementById('refreshStatus'); + + btn.disabled = true; + btn.innerHTML = ' Refreshing...'; + statusEl.className = 'status-message'; + statusEl.style.display = 'none'; + + try { + const response = await fetch('/v0/oauth/kiro/refresh', { + method: 'POST', + headers: { 'Content-Type': 'application/json' } + }); + + const data = await response.json(); + + if (response.ok && data.success) { + statusEl.className = 'status-message success'; + let msg = '✅ ' + data.message; + if (data.warnings && data.warnings.length > 0) { + msg += ' (Warnings: ' + data.warnings.join('; ') + ')'; + } + statusEl.textContent = msg; + } else { + statusEl.className = 'status-message error'; + statusEl.textContent = '❌ ' + (data.error || data.message || 'Refresh failed'); + } + } catch (error) { + statusEl.className = 'status-message error'; + statusEl.textContent = '❌ Network error: ' + error.message; + } finally { + btn.disabled = false; + btn.innerHTML = '🔄 Manual Refresh All Tokens'; + } + } ` diff --git a/sdk/auth/filestore.go b/sdk/auth/filestore.go index db9f7148..76361507 100644 --- a/sdk/auth/filestore.go +++ b/sdk/auth/filestore.go @@ -217,6 +217,15 @@ func (s *FileTokenStore) readAuthFile(path, baseDir string) (*cliproxyauth.Auth, return nil, fmt.Errorf("stat file: %w", err) } id := s.idFor(path, baseDir) + + // Calculate NextRefreshAfter from expires_at (10 minutes before expiry) + var nextRefreshAfter time.Time + if expiresAtStr, ok := metadata["expires_at"].(string); ok && expiresAtStr != "" { + if expiresAt, err := time.Parse(time.RFC3339, expiresAtStr); err == nil { + nextRefreshAfter = expiresAt.Add(-10 * time.Minute) + } + } + auth := &cliproxyauth.Auth{ ID: id, Provider: provider, @@ -228,7 +237,7 @@ func (s *FileTokenStore) readAuthFile(path, baseDir string) (*cliproxyauth.Auth, CreatedAt: info.ModTime(), UpdatedAt: info.ModTime(), LastRefreshedAt: time.Time{}, - NextRefreshAfter: time.Time{}, + NextRefreshAfter: nextRefreshAfter, } if email, ok := metadata["email"].(string); ok && email != "" { auth.Attributes["email"] = email diff --git a/sdk/auth/kiro.go b/sdk/auth/kiro.go index 7747c777..b0687eba 100644 --- a/sdk/auth/kiro.go +++ b/sdk/auth/kiro.go @@ -52,9 +52,9 @@ func (a *KiroAuthenticator) Provider() string { } // RefreshLead indicates how soon before expiry a refresh should be attempted. -// Set to 5 minutes to match Antigravity and avoid frequent refresh checks while still ensuring timely token refresh. +// Set to 10 minutes for proactive refresh before token expiry. func (a *KiroAuthenticator) RefreshLead() *time.Duration { - d := 5 * time.Minute + d := 10 * time.Minute return &d } @@ -66,13 +66,19 @@ func (a *KiroAuthenticator) createAuthRecord(tokenData *kiroauth.KiroTokenData, expiresAt = time.Now().Add(1 * time.Hour) } - // Extract identifier for file naming - idPart := extractKiroIdentifier(tokenData.Email, tokenData.ProfileArn, tokenData.ClientID) - - // Determine label based on auth method - label := fmt.Sprintf("kiro-%s", source) + // Determine label and identifier based on auth method + var label, idPart string if tokenData.AuthMethod == "idc" { label = "kiro-idc" + // For IDC auth, always use clientID as identifier + if tokenData.ClientID != "" { + idPart = kiroauth.SanitizeEmailForFilename(tokenData.ClientID) + } else { + idPart = fmt.Sprintf("%d", time.Now().UnixNano()%100000) + } + } else { + label = fmt.Sprintf("kiro-%s", source) + idPart = extractKiroIdentifier(tokenData.Email, tokenData.ProfileArn, tokenData.ClientID) } now := time.Now() @@ -126,8 +132,8 @@ func (a *KiroAuthenticator) createAuthRecord(tokenData *kiroauth.KiroTokenData, UpdatedAt: now, Metadata: metadata, Attributes: attributes, - // NextRefreshAfter is aligned with RefreshLead (5min) - NextRefreshAfter: expiresAt.Add(-5 * time.Minute), + // NextRefreshAfter: 10 minutes before expiry + NextRefreshAfter: expiresAt.Add(-10 * time.Minute), } if tokenData.Email != "" { @@ -208,8 +214,8 @@ func (a *KiroAuthenticator) LoginWithAuthCode(ctx context.Context, cfg *config.C "source": "aws-builder-id-authcode", "email": tokenData.Email, }, - // NextRefreshAfter is aligned with RefreshLead (5min) - NextRefreshAfter: expiresAt.Add(-5 * time.Minute), + // NextRefreshAfter: 10 minutes before expiry + NextRefreshAfter: expiresAt.Add(-10 * time.Minute), } if tokenData.Email != "" { @@ -292,8 +298,8 @@ func (a *KiroAuthenticator) ImportFromKiroIDE(ctx context.Context, cfg *config.C "email": tokenData.Email, "region": tokenData.Region, }, - // NextRefreshAfter is aligned with RefreshLead (5min) - NextRefreshAfter: expiresAt.Add(-5 * time.Minute), + // NextRefreshAfter: 10 minutes before expiry + NextRefreshAfter: expiresAt.Add(-10 * time.Minute), } // Display the email if extracted @@ -361,8 +367,8 @@ func (a *KiroAuthenticator) Refresh(ctx context.Context, cfg *config.Config, aut updated.Metadata["refresh_token"] = tokenData.RefreshToken updated.Metadata["expires_at"] = tokenData.ExpiresAt updated.Metadata["last_refresh"] = now.Format(time.RFC3339) // For double-check optimization - // NextRefreshAfter is aligned with RefreshLead (5min) - updated.NextRefreshAfter = expiresAt.Add(-5 * time.Minute) + // NextRefreshAfter: 10 minutes before expiry + updated.NextRefreshAfter = expiresAt.Add(-10 * time.Minute) return updated, nil }