Introduce a CLI-owned Store interface for token storage #5383
Merged
Introduce a CLI-owned Store interface (Put/Lookup/Delete) over an explicit Entry envelope around the OAuth token, decoupling the CLI's token storage from the SDK's U2M-internal TokenCache. A thin ToU2MTokenCache adapter presents a Store to the SDK at the one seam that requires it (u2m.PersistentAuth). The file and keyring backends now implement Store. Structural scaffolding only, no behavior change. The Entry envelope ships holding just the token; it can grow additional fields (e.g. a config checksum for token invalidation) without touching the interface or the SDK. Concrete type names are intentionally left in the old Cache vocabulary; a follow-up uniformizes them to the Store vocabulary. Co-authored-by: Isaac
f9d2b8b to b4a4a55
Collaborator
Commit: b4a4a55
simonfaltum (Member) approved these changes on May 31, 2026 and left a comment:
No findings. Reviewed the Store refactor and SDK adapter call sites; focused tests passed locally: go test ./cmd/auth ./libs/auth ./libs/auth/storage.
Collaborator
Commit: a649259
What is this about?
The CLI's token storage is currently shaped by the SDK's TokenCache interface. That interface is internal to the SDK's user-to-machine (U2M) login flow and only carries a bare OAuth token keyed by a string, so there is no room to store anything alongside a token, and the CLI's storage is coupled to an SDK type that exists specifically for U2M login.
This PR introduces a CLI-owned Store interface (Put, Lookup, Delete) over an explicit Entry envelope that wraps the token. A small adapter, ToU2MTokenCache, presents a Store to the SDK at the one place that still requires the SDK interface: passing a cache to u2m.PersistentAuth. The file and keyring backends now implement Store, and the OAuth helpers adapt it for the U2M paths.
This is a structural change with no behavior change. The Entry only holds the token; the point is that it can now grow additional fields without changing the interface or depending on the SDK. The first such field will be a config checksum used to invalidate a cached token when its profile changed, which arrives with a later change that adds caching for machine-to-machine (M2M) and OIDC tokens.
Naming note for reviewers: the new interface is named Store to distinguish the CLI's durable storage from the SDK's transient Cache. The concrete types and helpers in this package are intentionally left in the old vocabulary (fileTokenCache, keyringCache, and so on) in this PR to keep the diff focused on the structural change. A follow-up PR will take care of renaming.
Testing
Existing auth unit and acceptance tests pass; there are no output or behavior changes.
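A minimal sketch of the shape this description outlines, added here as an illustration and not taken from the PR's code: a Store over an Entry envelope, plus an adapter that shows only the bare token to an SDK-style cache. The method signatures, the Token stand-in, ErrNotFound, memStore and the u2mTokenCache shape are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Token stands in for the OAuth token type (assumption; keeps the sketch offline).
type Token struct{ AccessToken string }

// Entry is the envelope: only the token today, room for more fields later.
type Entry struct{ Token *Token }

var ErrNotFound = errors.New("token not found") // hypothetical sentinel

// Store is the CLI-owned interface; the method signatures are assumed.
type Store interface {
	Put(key string, e Entry) error
	Lookup(key string) (Entry, error)
	Delete(key string) error
}

// u2mTokenCache mimics an SDK-side cache of bare tokens (assumed shape).
type u2mTokenCache interface {
	Store(key string, t *Token) error
	Lookup(key string) (*Token, error)
}

// memStore is a hypothetical in-memory backend (not safe for concurrent use).
type memStore map[string]Entry

func (s memStore) Put(k string, e Entry) error { s[k] = e; return nil }
func (s memStore) Delete(k string) error       { delete(s, k); return nil }
func (s memStore) Lookup(k string) (Entry, error) {
	if e, ok := s[k]; ok {
		return e, nil
	}
	return Entry{}, ErrNotFound
}

// u2mAdapter wraps tokens into Entries on write and unwraps them on read.
type u2mAdapter struct{ s Store }

func toU2MTokenCache(s Store) u2mTokenCache         { return u2mAdapter{s} }
func (a u2mAdapter) Store(k string, t *Token) error { return a.s.Put(k, Entry{Token: t}) }
func (a u2mAdapter) Lookup(k string) (*Token, error) { e, err := a.s.Lookup(k); return e.Token, err }

func main() {
	store := memStore{}
	_ = toU2MTokenCache(store).Store("profile-a", &Token{AccessToken: "constructed-token"})
	e, err := store.Lookup("profile-a")
	fmt.Println(e.Token.AccessToken, err)
}
```

Because the adapter is the only code that touches the SDK-shaped interface, any field later added to Entry stays on the CLI side of that boundary.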