Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates fmsg-cli authentication to support both main-account user JWTs and sub-account opaque API keys (exchanged for short-lived JWTs), and wires token refresh into the HTTP client and CLI commands.
Changes:
- Replace locally-minted JWT auth with API-key exchange (
POST /fmsg/token) + cached/auto-refresh JWTs, while still supporting direct user JWT login. - Refactor API client auth to use a token provider and retry once on 401 with a forced refresh for replayable requests.
- Update CLI commands, tests, and documentation/env examples to reflect the new auth modes and flags.
Reviewed changes
Copilot reviewed 26 out of 27 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| README.md | Documents JWT vs API-key login flows, env var FMSG_API_KEY, and updated command usage/examples. |
| internal/config/config.go | Adds FMSG_API_KEY env lookup helper. |
| internal/auth/token.go | Removes local JWT mint/validate implementation. |
| internal/auth/store.go | Expands stored credential schema (versioned, supports api key + access token metadata). |
| internal/auth/manager.go | Adds auth manager for exchanging API keys, caching tokens, parsing JWT claims, and persisting refreshed creds. |
| internal/auth/manager_test.go | Adds unit tests for exchange, caching/refresh, env override behavior, and secret non-leakage. |
| internal/api/client.go | Introduces TokenProvider, trims base URL, retries replayable requests after a 401 with forced refresh. |
| internal/api/client_test.go | Tests 401 refresh + replay for replayable requests. |
| go.mod | Drops github.com/golang-jwt/jwt/v5, adds golang.org/x/term (and indirect x/sys). |
| go.sum | Updates checksums for dependency changes. |
| cmd/client.go | Centralizes creation of authenticated API client + auth manager. |
| cmd/login.go | Updates login to accept API key or user JWT, adds --address, and hides input on TTY. |
| cmd/root.go | Updates root help text to reflect new login args. |
| cmd/list.go | Uses authenticated client helper instead of loading static creds. |
| cmd/sent.go | Uses authenticated client helper instead of loading static creds. |
| cmd/get.go | Uses authenticated client helper instead of loading static creds. |
| cmd/get_data.go | Uses authenticated client helper instead of loading static creds. |
| cmd/get_attach.go | Uses authenticated client helper instead of loading static creds. |
| cmd/attach.go | Uses authenticated client helper instead of loading static creds. |
| cmd/rm_attach.go | Uses authenticated client helper instead of loading static creds. |
| cmd/del.go | Uses authenticated client helper instead of loading static creds. |
| cmd/add_to.go | Uses authenticated client helper instead of loading static creds. |
| cmd/send.go | Uses authenticated client helper and derives from via manager.User(). |
| cmd/draft.go | Uses authenticated client helper and derives from via manager.User(). |
| cmd/update.go | Uses authenticated client helper and derives from via manager.User(). |
| cmd/msgid_test.go | Updates tests for new api.New(baseURL, TokenProvider) signature. |
| .env.example | Replaces FMSG_JWT_SECRET with optional FMSG_API_KEY example. |
Comment on lines
+14
to
+18
| Version int `json:"version"` | ||
| AuthType string `json:"auth_type,omitempty"` | ||
| APIKey string `json:"api_key,omitempty"` | ||
| AccessToken string `json:"access_token,omitempty"` | ||
| TokenType string `json:"token_type,omitempty"` |
Comment on lines
+116
to
+118
| if strings.Contains(apiKey, "@") { | ||
| return Token{}, fmt.Errorf("API-key login expects a key starting with fmsgk_; for main-account login, pass a user JWT") | ||
| } |
Comment on lines
23
to
+26
| Long: `Send a message to a recipient. The second argument can be: | ||
| - A path to a file (must exist on disk) | ||
| - A text string | ||
| - "-" to read from stdin`, | ||
| - "-" to read from stdin`, |
Comment on lines
28
to
+31
| Long: `Create a draft message for a recipient. The second argument can be: | ||
| - A path to a file (must exist on disk) | ||
| - A text string | ||
| - "-" to read from stdin`, | ||
| - "-" to read from stdin`, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.