v1.6.4

@github-actions github-actions released this 31 May 01:44
· 27 commits to main since this release

pollen v1.6.4

A patch release that fills in the last item from the OAuth
roadmap reserved back in v1.5.0: tokens now persist across
pollen sessions.

Authorization Code with PKCE shipped in v1.6.0 with a real
browser dance. Without persistence, every restart of pollen
required re-running that dance to get a fresh access token,
which is meaningful friction. Client Credentials was lighter
(one keypress to re-fetch) but carried the same overall cost:
tokens existed only for the lifetime of the process.

This patch persists both grants. After a successful fetch
or refresh, the token (plus its config context — Token URL,
Client ID, Scope, Grant) is written to
~/.config/pollen/oauth_tokens.json with mode 0600 (owner
read/write only) via an atomic temp-file-then-rename. On
next start, when the Auth panel's Token URL and Client ID
match a stored entry, the access token and refresh token
are hydrated automatically — the "Bearer …" preview appears
without pressing g. The hydrated-but-expired case still
runs through the v1.6.0 auto-refresh-on-send path.
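
The write pattern described above, as an added example that is not
pollen's own code: saveJSON0600 and checkPrivate are hypothetical names,
the read-side permission check is an assumption the notes do not
describe, and the path in main is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// saveJSON0600 (hypothetical name) publishes v at path via temp-file-then-rename.
// os.CreateTemp opens the temp file with mode 0600, and creating it in the
// target's directory keeps the rename on one filesystem, so it is atomic.
func saveJSON0600(path string, v any) error {
	data, err := json.Marshal(v)
	if err != nil {
		return err
	}
	tmp, err := os.CreateTemp(filepath.Dir(path), ".tokens-*.tmp")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // cleans up on failure; harmless after the rename
	if _, err = tmp.Write(data); err == nil {
		err = tmp.Sync() // flush content before the rename makes it visible
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// checkPrivate is a read-side guard (an assumption, not described in the notes):
// reject the store if it is not a regular file or group/other have any access.
func checkPrivate(path string) error {
	info, err := os.Lstat(path)
	if err == nil && (!info.Mode().IsRegular() || info.Mode().Perm()&0o077 != 0) {
		err = fmt.Errorf("%s: mode %v, want a regular file with 0600", path, info.Mode())
	}
	return err
}

func main() {
	p := filepath.Join(os.TempDir(), "pollen-demo-tokens.json") // constructed path
	fmt.Println(saveJSON0600(p, map[string]string{"access_token": "constructed"}), checkPrivate(p))
}
```

Because the rename replaces the target in one step, a reader sees either
the old store or the new one, never a truncated file.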

Entries are keyed by (Token URL, Client ID, Grant), so CC
and AC tokens for the same IdP/client coexist as
independent entries. Scope is recorded but not part of the
key — re-fetching with a different scope cleanly overwrites
the prior entry.

Persistence is on by default and users opt out: the value
prop is real and the file mode is industry-standard for
dev-tool credential storage (gh, gcloud, aws-cli all write
similar files with 0600 in ~/.config or ~/.local). Users who
want session-only OAuth set "oauth_persist_tokens": false in
settings.json.

Two recovery paths for users who want to forget a stored
token without editing files:

  1. From inside pollen: press d on the Auth panel's
    action row (the same row where g triggers fetch /
    authorize / refresh). The current Token URL + Client
    ID entry is removed from the on-disk store and the
    in-memory token is cleared. A status toast confirms.

  2. From a shell: rm ~/.config/pollen/oauth_tokens.json.

Added:

  • OAuth token persistence to disk for both Client
    Credentials and Authorization Code with PKCE. New file:
    ~/.config/pollen/oauth_tokens.json (0600). Hydrated on
    start when Token URL + Client ID match
  • d on the OAuth / OAuth AC action row forgets the
    persisted token for the current Token URL + Client ID
  • oauth_persist_tokens settings flag (default true)
  • userconfig.SaveJSONSecure internal helper for 0600-mode
    atomic JSON writes

Notes:

  • v1.x SemVer-frozen surface: only additive changes (a new
    settings field, a new keybinding, a new on-disk file).
    Existing configurations load unchanged. The Auth panel's
    tab strip is unchanged
  • Default is opt-out (oauth_persist_tokens: true) because
    the value prop is real and 0600 mode matches gh / gcloud /
    aws-cli posture. The d shortcut and the settings flag
    give two opt-out paths
  • Token encryption at rest is intentionally not provided;
    0600 in ~/.config is the same posture as other dev tools

See CHANGELOG.md for the full list.