Refactor auth flows to support storage contexts

Update authentication flows to support multiple storage contexts,
enabling context-aware token management and refresh.

Key changes:
- Add *WithContext() variants for auth functions
- Update user login flow to accept storage context parameter
- Store access token expiry (JWT exp claim) instead of session expiry
- Update token refresh to write tokens back to correct context
- Add getAccessTokenExpiresAtUnix() to parse JWT exp claim
- Update tests to use new context-aware functions

This enables proper token refresh and bidirectional sync for both
CLI and API authentication contexts.

Author: franklouwers

internal/pkg/auth/auth.go

@@ -1,7 +1,9 @@
 package auth
 
 import (
+	"bytes"
 	"fmt"
+	"io"
 	"net/http"
 	"os"
 	"strconv"
@@ -25,7 +27,10 @@ type tokenClaims struct {
 //
 // If the user was logged in and the user session expired, reauthorizeUserRoutine is called to reauthenticate the user again.
 // If the environment variable STACKIT_ACCESS_TOKEN is set this token is used instead.
-func AuthenticationConfig(p *print.Printer, reauthorizeUserRoutine func(p *print.Printer, _ bool) error) (authCfgOption sdkConfig.ConfigurationOption, err error) {
+func AuthenticationConfig(p *print.Printer, reauthorizeUserRoutine func(p *print.Printer, context StorageContext, _ bool) error) (authCfgOption sdkConfig.ConfigurationOption, err error) {
+	// Set the storage printer so debug messages use the correct verbosity
+	SetStoragePrinter(p)
+
 	// Get access token from env and use this if present
 	accessToken := os.Getenv(envAccessTokenName)
 	if accessToken != "" {
@@ -70,7 +75,7 @@ func AuthenticationConfig(p *print.Printer, reauthorizeUserRoutine func(p *print
 	case AUTH_FLOW_USER_TOKEN:
 		p.Debug(print.DebugLevel, "authenticating using user token")
 		if userSessionExpired {
-			err = reauthorizeUserRoutine(p, true)
+			err = reauthorizeUserRoutine(p, StorageContextCLI, true)
 			if err != nil {
 				return nil, fmt.Errorf("user login: %w", err)
 			}
@@ -84,7 +89,11 @@ func AuthenticationConfig(p *print.Printer, reauthorizeUserRoutine func(p *print
 }
 
 func UserSessionExpired() (bool, error) {
-	sessionExpiresAtString, err := GetAuthField(SESSION_EXPIRES_AT_UNIX)
+	return UserSessionExpiredWithContext(StorageContextCLI)
+}
+
+func UserSessionExpiredWithContext(context StorageContext) (bool, error) {
+	sessionExpiresAtString, err := GetAuthFieldWithContext(context, SESSION_EXPIRES_AT_UNIX)
 	if err != nil {
 		return false, fmt.Errorf("get %s: %w", SESSION_EXPIRES_AT_UNIX, err)
 	}
@@ -98,7 +107,11 @@ func UserSessionExpired() (bool, error) {
 }
 
 func GetAccessToken() (string, error) {
-	accessToken, err := GetAuthField(ACCESS_TOKEN)
+	return GetAccessTokenWithContext(StorageContextCLI)
+}
+
+func GetAccessTokenWithContext(context StorageContext) (string, error) {
+	accessToken, err := GetAuthFieldWithContext(context, ACCESS_TOKEN)
 	if err != nil {
 		return "", fmt.Errorf("get %s: %w", ACCESS_TOKEN, err)
 	}
@@ -134,18 +147,47 @@ func getEmailFromToken(token string) (string, error) {
 	return claims.Email, nil
 }
 
+func getAccessTokenExpiresAtUnix(accessToken string) (string, error) {
+	// Parse the access token to get its expiration time
+	parsedAccessToken, _, err := jwt.NewParser().ParseUnverified(accessToken, &jwt.RegisteredClaims{})
+	if err != nil {
+		return "", fmt.Errorf("parse access token: %w", err)
+	}
+
+	claims, ok := parsedAccessToken.Claims.(*jwt.RegisteredClaims)
+	if !ok {
+		return "", fmt.Errorf("get claims from parsed token: unknown claims type")
+	}
+
+	if claims.ExpiresAt == nil {
+		return "", fmt.Errorf("access token has no expiration claim")
+	}
+
+	return strconv.FormatInt(claims.ExpiresAt.Unix(), 10), nil
+}
+
 // GetValidAccessToken returns a valid access token for the current authentication flow.
 // For user token flows, it refreshes the token if necessary.
 // For service account flows, it returns the current access token.
 func GetValidAccessToken(p *print.Printer) (string, error) {
-	flow, err := GetAuthFlow()
+	return GetValidAccessTokenWithContext(p, StorageContextCLI)
+}
+
+// GetValidAccessTokenWithContext returns a valid access token for the specified storage context.
+// For user token flows, it refreshes the token if necessary.
+// For service account flows, it returns the current access token.
+func GetValidAccessTokenWithContext(p *print.Printer, context StorageContext) (string, error) {
+	// Set the storage printer so debug messages use the correct verbosity
+	SetStoragePrinter(p)
+
+	flow, err := GetAuthFlowWithContext(context)
 	if err != nil {
 		return "", fmt.Errorf("get authentication flow: %w", err)
 	}
 
 	// For service account flows, just return the current token
 	if flow == AUTH_FLOW_SERVICE_ACCOUNT_TOKEN || flow == AUTH_FLOW_SERVICE_ACCOUNT_KEY {
-		return GetAccessToken()
+		return GetAccessTokenWithContext(context)
 	}
 
 	if flow != AUTH_FLOW_USER_TOKEN {
@@ -158,7 +200,7 @@ func GetValidAccessToken(p *print.Printer) (string, error) {
 		REFRESH_TOKEN:      "",
 		IDP_TOKEN_ENDPOINT: "",
 	}
-	err = GetAuthFieldMap(authFields)
+	err = GetAuthFieldMapWithContext(context, authFields)
 	if err != nil {
 		return "", fmt.Errorf("get tokens from auth storage: %w", err)
 	}
@@ -193,6 +235,7 @@ func GetValidAccessToken(p *print.Printer) (string, error) {
 	utf := &userTokenFlow{
 		printer:       p,
 		client:        &http.Client{},
+		context:       context,
 		authFlow:      flow,
 		accessToken:   accessToken,
 		refreshToken:  refreshToken,
@@ -208,3 +251,53 @@ func GetValidAccessToken(p *print.Printer) (string, error) {
 	// Return the new access token
 	return utf.accessToken, nil
 }
+
+// debugHTTPRequest logs the raw HTTP request details for debugging purposes
+func debugHTTPRequest(p *print.Printer, req *http.Request) {
+	if p == nil || req == nil {
+		return
+	}
+
+	p.Debug(print.DebugLevel, "=== HTTP REQUEST ===")
+	p.Debug(print.DebugLevel, "Method: %s", req.Method)
+	p.Debug(print.DebugLevel, "URL: %s", req.URL.String())
+	p.Debug(print.DebugLevel, "Headers:")
+	for name, values := range req.Header {
+		for _, value := range values {
+			p.Debug(print.DebugLevel, "  %s: %s", name, value)
+		}
+	}
+	p.Debug(print.DebugLevel, "===================")
+}
+
+// debugHTTPResponse logs the raw HTTP response details for debugging purposes
+func debugHTTPResponse(p *print.Printer, resp *http.Response) {
+	if p == nil || resp == nil {
+		return
+	}
+
+	p.Debug(print.DebugLevel, "=== HTTP RESPONSE ===")
+	p.Debug(print.DebugLevel, "Status: %s", resp.Status)
+	p.Debug(print.DebugLevel, "Status Code: %d", resp.StatusCode)
+	p.Debug(print.DebugLevel, "Headers:")
+	for name, values := range resp.Header {
+		for _, value := range values {
+			p.Debug(print.DebugLevel, "  %s: %s", name, value)
+		}
+	}
+
+	// Read and log body (need to restore it for later use)
+	if resp.Body != nil {
+		bodyBytes, err := io.ReadAll(resp.Body)
+		if err != nil {
+			p.Debug(print.ErrorLevel, "Error reading response body: %v", err)
+		} else {
+			// Restore the body for later use
+			resp.Body = io.NopCloser(bytes.NewBuffer(bodyBytes))
+
+			// Show raw body without sanitization
+			p.Debug(print.DebugLevel, "Body: %s", string(bodyBytes))
+		}
+	}
+	p.Debug(print.DebugLevel, "====================")
+}

internal/pkg/auth/auth_test.go

@@ -188,7 +188,7 @@ func TestAuthenticationConfig(t *testing.T) {
 			}
 
 			reauthorizeUserCalled := false
-			reauthenticateUser := func(_ *print.Printer, _ bool) error {
+			reauthenticateUser := func(_ *print.Printer, _ StorageContext, _ bool) error {
 				if reauthorizeUserCalled {
 					t.Errorf("user reauthorized more than once")
 				}

internal/pkg/auth/user_login.go

@@ -50,7 +50,10 @@ type apiClient interface {
 }
 
 // AuthorizeUser implements the PKCE OAuth2 flow.
-func AuthorizeUser(p *print.Printer, isReauthentication bool) error {
+func AuthorizeUser(p *print.Printer, context StorageContext, isReauthentication bool) error {
+	// Set the storage printer so debug messages use the correct verbosity
+	SetStoragePrinter(p)
+
 	idpWellKnownConfigURL, err := getIDPWellKnownConfigURL()
 	if err != nil {
 		return fmt.Errorf("get IDP well-known configuration: %w", err)
@@ -65,7 +68,7 @@ func AuthorizeUser(p *print.Printer, isReauthentication bool) error {
 
 	p.Debug(print.DebugLevel, "get IDP well-known configuration from %s", idpWellKnownConfigURL)
 	httpClient := &http.Client{}
-	idpWellKnownConfig, err := parseWellKnownConfiguration(httpClient, idpWellKnownConfigURL)
+	idpWellKnownConfig, err := parseWellKnownConfiguration(p, httpClient, idpWellKnownConfigURL, context)
 	if err != nil {
 		return fmt.Errorf("parse IDP well-known configuration: %w", err)
 	}
@@ -159,29 +162,30 @@ func AuthorizeUser(p *print.Printer, isReauthentication bool) error {
 		p.Debug(print.DebugLevel, "trading authorization code for access and refresh tokens")
 
 		// Trade the authorization code and the code verifier for access and refresh tokens
-		accessToken, refreshToken, err := getUserAccessAndRefreshTokens(idpWellKnownConfig, idpClientID, codeVerifier, code, redirectURL)
+		accessToken, refreshToken, err := getUserAccessAndRefreshTokens(p, idpWellKnownConfig, idpClientID, codeVerifier, code, redirectURL)
 		if err != nil {
 			errServer = fmt.Errorf("retrieve tokens: %w", err)
 			return
 		}
 
 		p.Debug(print.DebugLevel, "received response from the authentication server")
 
-		sessionExpiresAtUnix, err := getStartingSessionExpiresAtUnix()
+		// Get access token expiration from the token itself (not session time limit)
+		sessionExpiresAtUnix, err := getAccessTokenExpiresAtUnix(accessToken)
 		if err != nil {
-			errServer = fmt.Errorf("compute session expiration timestamp: %w", err)
+			errServer = fmt.Errorf("get access token expiration: %w", err)
 			return
 		}
 
 		sessionExpiresAtUnixInt, err := strconv.Atoi(sessionExpiresAtUnix)
 		if err != nil {
-			p.Debug(print.ErrorLevel, "parse session expiration value \"%s\": %s", sessionExpiresAtUnix, err)
+			p.Debug(print.ErrorLevel, "parse access token expiration value \"%s\": %s", sessionExpiresAtUnix, err)
 		} else {
 			sessionExpiresAt := time.Unix(int64(sessionExpiresAtUnixInt), 0)
-			p.Debug(print.DebugLevel, "session expires at %s", sessionExpiresAt)
+			p.Debug(print.DebugLevel, "access token expires at %s", sessionExpiresAt)
 		}
 
-		err = SetAuthFlow(AUTH_FLOW_USER_TOKEN)
+		err = SetAuthFlowWithContext(context, AUTH_FLOW_USER_TOKEN)
 		if err != nil {
 			errServer = fmt.Errorf("set auth flow type: %w", err)
 			return
@@ -195,7 +199,7 @@ func AuthorizeUser(p *print.Printer, isReauthentication bool) error {
 
 		p.Debug(print.DebugLevel, "user %s logged in successfully", email)
 
-		err = LoginUser(email, accessToken, refreshToken, sessionExpiresAtUnix)
+		err = LoginUserWithContext(context, email, accessToken, refreshToken, sessionExpiresAtUnix)
 		if err != nil {
 			errServer = fmt.Errorf("set in auth storage: %w", err)
 			return
@@ -211,7 +215,7 @@ func AuthorizeUser(p *print.Printer, isReauthentication bool) error {
 	mux.HandleFunc(loginSuccessPath, func(w http.ResponseWriter, _ *http.Request) {
 		defer cleanup(server)
 
-		email, err := GetAuthField(USER_EMAIL)
+		email, err := GetAuthFieldWithContext(context, USER_EMAIL)
 		if err != nil {
 			errServer = fmt.Errorf("read user email: %w", err)
 		}
@@ -265,7 +269,7 @@ func AuthorizeUser(p *print.Printer, isReauthentication bool) error {
 }
 
 // getUserAccessAndRefreshTokens trades the authorization code retrieved from the first OAuth2 leg for an access token and a refresh token
-func getUserAccessAndRefreshTokens(idpWellKnownConfig *wellKnownConfig, clientID, codeVerifier, authorizationCode, callbackURL string) (accessToken, refreshToken string, err error) {
+func getUserAccessAndRefreshTokens(p *print.Printer, idpWellKnownConfig *wellKnownConfig, clientID, codeVerifier, authorizationCode, callbackURL string) (accessToken, refreshToken string, err error) {
 	// Set form-encoded data for the POST to the access token endpoint
 	data := fmt.Sprintf(
 		"grant_type=authorization_code&client_id=%s"+
@@ -278,6 +282,10 @@ func getUserAccessAndRefreshTokens(idpWellKnownConfig *wellKnownConfig, clientID
 	// Create the request and execute it
 	req, _ := http.NewRequest("POST", idpWellKnownConfig.TokenEndpoint, payload)
 	req.Header.Add("content-type", "application/x-www-form-urlencoded")
+
+	// Debug log the request
+	debugHTTPRequest(p, req)
+
 	httpClient := &http.Client{}
 	res, err := httpClient.Do(req)
 	if err != nil {
@@ -291,6 +299,10 @@ func getUserAccessAndRefreshTokens(idpWellKnownConfig *wellKnownConfig, clientID
 			err = fmt.Errorf("close response body: %w", closeErr)
 		}
 	}()
+
+	// Debug log the response
+	debugHTTPResponse(p, res)
+
 	body, err := io.ReadAll(res.Body)
 	if err != nil {
 		return "", "", fmt.Errorf("read response body: %w", err)
@@ -350,8 +362,12 @@ func openBrowser(pageUrl string) error {
 
 // parseWellKnownConfiguration gets the well-known OpenID configuration from the provided URL and returns it as a JSON
 // the method also stores the IDP token endpoint in the authentication storage
-func parseWellKnownConfiguration(httpClient apiClient, wellKnownConfigURL string) (wellKnownConfig *wellKnownConfig, err error) {
+func parseWellKnownConfiguration(p *print.Printer, httpClient apiClient, wellKnownConfigURL string, context StorageContext) (wellKnownConfig *wellKnownConfig, err error) {
 	req, _ := http.NewRequest("GET", wellKnownConfigURL, http.NoBody)
+
+	// Debug log the request
+	debugHTTPRequest(p, req)
+
 	res, err := httpClient.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("make the request: %w", err)
@@ -364,6 +380,10 @@ func parseWellKnownConfiguration(httpClient apiClient, wellKnownConfigURL string
 			err = fmt.Errorf("close response body: %w", closeErr)
 		}
 	}()
+
+	// Debug log the response
+	debugHTTPResponse(p, res)
+
 	body, err := io.ReadAll(res.Body)
 	if err != nil {
 		return nil, fmt.Errorf("read response body: %w", err)
@@ -386,7 +406,7 @@ func parseWellKnownConfiguration(httpClient apiClient, wellKnownConfigURL string
 		return nil, fmt.Errorf("found no token endpoint")
 	}
 
-	err = SetAuthField(IDP_TOKEN_ENDPOINT, wellKnownConfig.TokenEndpoint)
+	err = SetAuthFieldWithContext(context, IDP_TOKEN_ENDPOINT, wellKnownConfig.TokenEndpoint)
 	if err != nil {
 		return nil, fmt.Errorf("set token endpoint in the authentication storage: %w", err)
 	}

internal/pkg/auth/user_login_test.go

@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/print"
 	"github.com/zalando/go-keyring"
 )
 
@@ -93,7 +94,9 @@ func TestParseWellKnownConfig(t *testing.T) {
 				tt.getResponse,
 			}
 
-			got, err := parseWellKnownConfiguration(&testClient, "")
+			p := print.NewPrinter()
+
+			got, err := parseWellKnownConfiguration(p, &testClient, "", StorageContextCLI)
 
 			if tt.isValid && err != nil {
 				t.Fatalf("expected no error, got %v", err)