Add client_secret to device authorization request #517

Merged
JackZhao10086 merged 1 commit into larksuite:main from utafrali:fix/issue-509-lark-cli-auth-login-device-authorization
Apr 17, 2026

@utafrali utafrali commented Apr 16, 2026

Summary

Device auth was failing because the endpoint requires client_secret but we weren't sending it. Added the missing parameter and a test to verify it gets included.

Changes

Added client_secret to the form payload in RequestDeviceAuthorization. Also added a test case that checks client_secret is in the request body.

Test Plan

New test passes. Tested locally with lark auth login and it works now.

Related Issues

Fixes #509

Summary by CodeRabbit

  • Bug Fixes
    • Device authorization flow now transmits client credentials within the request payload in addition to authentication headers.

@github-actions github-actions bot added the size/L Large or sensitive change across domains or core paths label Apr 16, 2026

coderabbitai bot commented Apr 16, 2026

Walkthrough

The change adds explicit inclusion of client_secret in the form-encoded payload for device authorization requests, fixing a missing required parameter error. A corresponding test verifies the client_secret is present in the request body.

Changes

Cohort: Device Authorization Secret Parameter
File(s): internal/auth/device_flow.go, internal/auth/device_flow_test.go
Summary: Added client_secret to the form payload in device authorization requests (previously only in Basic auth header). New test TestRequestDeviceAuthorization_ClientSecretInBody validates the parameter is correctly included in the form-encoded body.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A secret was hiding, tucked away from sight,
In headers so basic, not in the body's light,
Now whispered in form-fields, both plain and clear,
The device flows freely—no auth fears here! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title directly and clearly describes the main change: adding client_secret to the device authorization request.
Description check | ✅ Passed | The description follows the template structure with Summary, Changes, Test Plan, and Related Issues sections; all required sections are present and adequately filled.
Linked Issues check | ✅ Passed | The code changes directly address issue #509 by adding the missing client_secret parameter to the device authorization request, with supporting test coverage.
Out of Scope Changes check | ✅ Passed | All changes are focused on fixing the device authorization issue; no unrelated modifications were introduced.
Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
internal/auth/device_flow_test.go (1)

136-138: Prefer parsing form data over substring matching in the body assertion.

At Line 137, strings.Contains can miss edge cases when values are URL-encoded. Parse the form and assert the decoded field value directly.

Suggested improvement
+import "net/url"
...
-	body := string(stub.CapturedBody)
-	if !strings.Contains(body, "client_secret=secret_b") {
-		t.Errorf("expected client_secret in form body, got %q", body)
-	}
+	values, err := url.ParseQuery(string(stub.CapturedBody))
+	if err != nil {
+		t.Fatalf("failed to parse form body: %v", err)
+	}
+	if got := values.Get("client_secret"); got != "secret_b" {
+		t.Errorf("expected client_secret=secret_b in form body, got %q (raw=%q)", got, string(stub.CapturedBody))
+	}
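Review bot: in the replacement assertion, `values.Get("client_secret")` returns only the first value for the key, so a body that carries `client_secret` twice would still pass; compare `values["client_secret"]` against a single-element slice if a duplicated parameter should fail the test. The hunk also removes the only visible use of `strings`, so drop that import if nothing else in the test file needs it, otherwise the file will not compile.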
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@internal/auth/device_flow_test.go` around lines 136 - 138, Replace the
brittle substring check against stub.CapturedBody with proper form parsing:
parse the body string (from stub.CapturedBody / variable body) using
url.ParseQuery (or equivalent form decoder) and assert that
values.Get("client_secret") == "secret_b"; update the test assertion in the
device flow test (where body := string(stub.CapturedBody) and the
strings.Contains check occurs) to use the parsed form values instead of
substring matching so URL-encoded payloads are handled correctly.

📥 Commits

Reviewing files that changed from the base of the PR and between 35a8288 and d2cd6e4.

📒 Files selected for processing (2)
  • internal/auth/device_flow.go
  • internal/auth/device_flow_test.go
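
The point of the review comment above, as an added Go example that is not part of the PR or the project's code: a request builder that carries the credentials in both the Basic auth header and the form body, with the substring assertion next to the parsed-form assertion. `buildDeviceAuthRequest`, the `client_id` field, the endpoint URL and the sample secrets are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// buildDeviceAuthRequest is a hypothetical helper, not the project's function.
// It sends the client credentials in the Basic auth header and the form body.
func buildDeviceAuthRequest(endpoint, clientID, clientSecret string) (*http.Request, string, error) {
	form := url.Values{}
	form.Set("client_id", clientID) // assumed field name
	form.Set("client_secret", clientSecret)
	body := form.Encode()
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(body))
	if err != nil {
		return nil, "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	return req, body, nil
}

// substringCheck mirrors the brittle assertion: a raw match on the encoded body.
func substringCheck(body, secret string) bool {
	return strings.Contains(body, "client_secret="+secret)
}

// parsedCheck decodes the form and requires exactly one matching client_secret.
func parsedCheck(body, secret string) bool {
	values, err := url.ParseQuery(body)
	if err != nil {
		return false
	}
	got := values["client_secret"]
	return len(got) == 1 && got[0] == secret
}

func main() {
	// Constructed sample secrets; example.invalid is a placeholder endpoint.
	for _, secret := range []string{"secret_b", "s3cr+t/b=="} {
		_, body, err := buildDeviceAuthRequest("https://example.invalid/device", "cli_a", secret)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%q substring=%v parsed=%v\n", secret, substringCheck(body, secret), parsedCheck(body, secret))
	}
}
```

The substring form fails in both directions: it misses a correct secret once it is percent-encoded, and it accepts a longer value that merely starts with the expected one.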

@JackZhao10086 JackZhao10086 self-requested a review April 17, 2026 03:15

codecov bot commented Apr 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@d6fada0). Learn more about missing BASE report.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #517   +/-   ##
=======================================
  Coverage        ?   59.05%           
=======================================
  Files           ?      384           
  Lines           ?    32637           
  Branches        ?        0           
=======================================
  Hits            ?    19275           
  Misses          ?    11553           
  Partials        ?     1809           

@github-actions

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@d2cd6e4bb9de1512ca6c1196419eed8f1b1cb421

🧩 Skill update

npx skills add utafrali/cli#fix/issue-509-lark-cli-auth-login-device-authorization -y -g

@JackZhao10086
Collaborator

Thank you for your contribution

@JackZhao10086 JackZhao10086 merged commit 663c24a into larksuite:main Apr 17, 2026
17 of 18 checks passed
JackZhao10086 added a commit that referenced this pull request Apr 17, 2026
JackZhao10086 added a commit that referenced this pull request Apr 17, 2026
Successfully merging this pull request may close these issues.

lark-cli auth login: device authorization failed: Device authorization failed: The request is missing a required parameter: client_secret
