jetify-com · mikeland73 · Sep 28, 2023 · Sep 25, 2023 · Sep 28, 2023 · Sep 28, 2023
diff --git a/envsec/internal/envcli/auth.go b/envsec/internal/envcli/auth.go
@@ -83,7 +83,11 @@ func refreshCmd() *cobra.Command {
 				return err
 			}
 
-			_ = client.RefreshSession()
+			_, ok := client.GetSession(cmd.Context())
+			if !ok {
+				return errors.New("Failed to refresh: not logged in. Run `envsec auth login` to log in")
+			}
+			fmt.Fprintln(cmd.OutOrStdout(), "Refreshed successfully")
 			return nil
 		},
 	}
@@ -102,7 +106,7 @@ func whoAmICmd() *cobra.Command {
 				return err
 			}
 
-			tok, ok := client.GetSession()
+			tok, ok := client.GetSession(cmd.Context())
 			if !ok {
 				return errors.New("not logged in. Run `envsec auth login` to log in")
 			}

diff --git a/envsec/internal/envcli/flags.go b/envsec/internal/envcli/flags.go
@@ -90,7 +90,7 @@ func (f *configFlags) genConfig(ctx context.Context) (*cmdConfig, error) {
 			return nil, err
 		}
 
-		tok, ok = client.GetSession()
+		tok, ok = client.GetSession(ctx)
 		if !ok {
 			return nil, errors.Errorf(
 				"To use envsec you must log in (`envsec auth login`) or specify --project-id and --org-id",

diff --git a/envsec/internal/envcli/init.go b/envsec/internal/envcli/init.go
@@ -19,7 +19,7 @@ func initCmd() *cobra.Command {
 			if err != nil {
 				return err
 			}
-			tok, ok := client.GetSession()
+			tok, ok := client.GetSession(cmd.Context())
 			if !ok {
 				return errors.New("not logged in, run `envsec auth login`")
 			}

diff --git a/pkg/sandbox/auth/auth.go b/pkg/sandbox/auth/auth.go
@@ -1,11 +1,14 @@
 package auth
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"path/filepath"
 
+	"github.com/coreos/go-oidc/v3/oidc"
 	"go.jetpack.io/pkg/sandbox/auth/session"
+	"golang.org/x/oauth2"
 
 	"go.jetpack.io/pkg/sandbox/auth/internal/authflow"
 	"go.jetpack.io/pkg/sandbox/auth/internal/callbackserver"
@@ -59,16 +62,60 @@ func (c *Client) LogoutFlow() error {
 // it will attempt to refresh it. If no token is found, or is unable to be refreshed,
 // it will return nil and false.
 // TODO: automatically refresh token as needed
-func (c *Client) GetSession() (*session.Token, bool) {
+func (c *Client) GetSession(ctx context.Context) (*session.Token, bool) {
 	tok := c.store.ReadToken(c.issuer, c.clientID)
-	if tok == nil || !tok.Valid() {
+	if tok == nil {
 		return nil, false
 	}
+
+	// Refresh if the token is no longer valid:
+	if !tok.Valid() {
+		tok = c.refresh(ctx, tok)
+		if !tok.Valid() {
+			return nil, false
+		}
+	}
+
 	return tok, true
 }
 
-func (c *Client) RefreshSession() *session.Token {
-	panic("refresh session not implemented")
+func (c *Client) refresh(
+	ctx context.Context,
+	tok *session.Token,
+) *session.Token {
+	if tok == nil {
+		return nil
+	}
+
+	// TODO: figure out how to share oidc provider and oauth2 client
+	// with auth flow:
+	provider, err := oidc.NewProvider(ctx, c.issuer)
+	if err != nil {
+		return tok
+	}
+
+	conf := oauth2.Config{
+		ClientID: c.clientID,
+		Endpoint: provider.Endpoint(),
+		Scopes:   []string{"openid", "offline_access"},
+	}
+
+	// Refresh logic:
+	tokenSource := conf.TokenSource(ctx, &tok.Token)
+	newToken, err := tokenSource.Token()
+	if err != nil {
+		return tok
+	}
+
+	if newToken.AccessToken != tok.AccessToken {
+		tok.Token = *newToken
+		err = c.store.WriteToken(c.issuer, c.clientID, tok)
+		if err != nil {
+			return tok
+		}
+	}
+
+	return tok
 }
 
 func (c *Client) RevokeSession() error {