feat(deps): upgrade sdk-go to v0.2.0 (credstore API) (#15)

- Upgrade the go-authgate SDK dependency to version 0.2.0
- Migrate token storage from the deprecated tokenstore package to the new generic credstore API
- Update token persistence to be keyed by client ID when loading and saving credentials
- Refactor runtime logic to explicitly track whether stored credentials exist instead of relying on nil tokens
- Adjust device flow and token refresh functions to return value-based tokens and propagate errors consistently
- Update API call flow to pass tokens by reference to support in-place refresh
- Align tests and benchmarks with the new credential store interfaces and multi-client save semantics

Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>

Author: appleboy

go.mod

@@ -7,7 +7,7 @@ require (
 	charm.land/bubbletea/v2 v2.0.1
 	charm.land/lipgloss/v2 v2.0.0
 	github.com/appleboy/go-httpretry v0.11.0
-	github.com/go-authgate/sdk-go v0.0.0-20260308143712-376f312901c8
+	github.com/go-authgate/sdk-go v0.2.0
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
 	golang.org/x/oauth2 v0.36.0

go.sum

@@ -32,8 +32,8 @@ github.com/danieljoos/wincred v1.2.3 h1:v7dZC2x32Ut3nEfRH+vhoZGvN72+dQ/snVXo/vMF
 github.com/danieljoos/wincred v1.2.3/go.mod h1:6qqX0WNrS4RzPZ1tnroDzq9kY3fu1KwE7MRLQK4X0bs=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-authgate/sdk-go v0.0.0-20260308143712-376f312901c8 h1:cqsgCsNlvRew75W5gzXyzZcdzqpvwMxX2AizrnsT01M=
-github.com/go-authgate/sdk-go v0.0.0-20260308143712-376f312901c8/go.mod h1:ZRyXFKqO8HqWXIAqIwhjSxJ0DE3RckTVn9UtlX7MvJ8=
+github.com/go-authgate/sdk-go v0.2.0 h1:w22f+sAg/YMqnLOcS/4SAuMZXTbPurzkSQBsjb1hcbw=
+github.com/go-authgate/sdk-go v0.2.0/go.mod h1:RGqvrFdrPnOumndoQQV8qzu8zP1KFUZPdhX0IkWduho=
 github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
 github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=

main.go

@@ -24,7 +24,7 @@ import (
 
 	tea "charm.land/bubbletea/v2"
 	"github.com/go-authgate/device-cli/tui"
-	"github.com/go-authgate/sdk-go/tokenstore"
+	"github.com/go-authgate/sdk-go/credstore"
 )
 
 var (
@@ -38,7 +38,7 @@ var (
 	flagTokenStore    *string
 	configInitialized bool
 	retryClient       *retry.Client
-	tokenStore        tokenstore.Store
+	tokenStore        credstore.Store[credstore.Token]
 )
 
 const defaultKeyringService = "authgate-device-cli"
@@ -185,16 +185,16 @@ func initConfig() {
 	}
 
 	// Initialize token store based on mode
-	fileStore := tokenstore.NewFileStore(tokenFile)
+	fileStore := credstore.NewTokenFileStore(tokenFile)
 	switch tokenStoreMode {
 	case "file":
 		tokenStore = fileStore
 	case "keyring":
-		tokenStore = tokenstore.NewKeyringStore(defaultKeyringService)
+		tokenStore = credstore.NewTokenKeyringStore(defaultKeyringService)
 	case "auto":
-		kr := tokenstore.NewKeyringStore(defaultKeyringService)
-		tokenStore = tokenstore.NewSecureStore(kr, fileStore)
-		if !tokenStore.(*tokenstore.SecureStore).UseKeyring() {
+		kr := credstore.NewTokenKeyringStore(defaultKeyringService)
+		tokenStore = credstore.NewSecureStore[credstore.Token](kr, fileStore)
+		if !tokenStore.(*credstore.SecureStore[credstore.Token]).UseKeyring() {
 			fmt.Fprintln(
 				os.Stderr,
 				"⚠️  OS keyring unavailable, falling back to file-based token storage",
@@ -325,17 +325,22 @@ func run(ctx context.Context, d tui.Displayer) error {
 	ctx, stop := signal.NotifyContext(ctx, os.Interrupt, syscall.SIGTERM)
 	defer stop()
 
-	var storage *tokenstore.Token
+	var (
+		storage    credstore.Token
+		hasStorage bool
+	)
 
 	// Try to load existing tokens
-	storage, err := tokenStore.Load(clientID)
+	loaded, err := tokenStore.Load(clientID)
 	switch {
-	case err != nil && !errors.Is(err, tokenstore.ErrNotFound):
+	case err != nil && !errors.Is(err, credstore.ErrNotFound):
 		d.Fatal(err)
 		return err
 	case err != nil:
 		d.TokensNotFound()
-	case storage != nil:
+	default:
+		storage = loaded
+		hasStorage = true
 		d.TokensFound()
 
 		// Check if access token is still valid
@@ -349,18 +354,16 @@ func run(ctx context.Context, d tui.Displayer) error {
 			newStorage, err := refreshAccessToken(ctx, storage.RefreshToken, d)
 			if err != nil {
 				d.RefreshFailed(err)
-				storage = nil // Force device flow
+				hasStorage = false // Force device flow
 			} else {
 				storage = newStorage
 				d.RefreshOK()
 			}
 		}
-	default:
-		d.TokensNotFound()
 	}
 
 	// If no valid tokens, do device flow
-	if storage == nil {
+	if !hasStorage {
 		storage, err = performDeviceFlow(ctx, d)
 		if err != nil {
 			d.Fatal(err)
@@ -382,7 +385,7 @@ func run(ctx context.Context, d tui.Displayer) error {
 	}
 
 	// Demonstrate automatic refresh on 401
-	if err := makeAPICallWithAutoRefresh(ctx, storage, d); err != nil {
+	if err := makeAPICallWithAutoRefresh(ctx, &storage, d); err != nil {
 		// Check if error is due to expired refresh token
 		if err == ErrRefreshTokenExpired {
 			d.ReAuthRequired()
@@ -394,7 +397,7 @@ func run(ctx context.Context, d tui.Displayer) error {
 
 			// Retry API call with new tokens
 			d.TokenRefreshedRetrying()
-			if err := makeAPICallWithAutoRefresh(ctx, storage, d); err != nil {
+			if err := makeAPICallWithAutoRefresh(ctx, &storage, d); err != nil {
 				d.Fatal(err)
 				return err
 			}
@@ -473,7 +476,7 @@ func requestDeviceCode(ctx context.Context) (*oauth2.DeviceAuthResponse, error)
 }
 
 // performDeviceFlow performs the OAuth device authorization flow
-func performDeviceFlow(ctx context.Context, d tui.Displayer) (*tokenstore.Token, error) {
+func performDeviceFlow(ctx context.Context, d tui.Displayer) (credstore.Token, error) {
 	config := &oauth2.Config{
 		ClientID: clientID,
 		Endpoint: oauth2.Endpoint{
@@ -486,7 +489,7 @@ func performDeviceFlow(ctx context.Context, d tui.Displayer) (*tokenstore.Token,
 	// Step 1: Request device code (with retry logic)
 	deviceAuth, err := requestDeviceCode(ctx)
 	if err != nil {
-		return nil, fmt.Errorf("device code request failed: %w", err)
+		return credstore.Token{}, fmt.Errorf("device code request failed: %w", err)
 	}
 
 	d.DeviceCodeReady(
@@ -500,21 +503,21 @@ func performDeviceFlow(ctx context.Context, d tui.Displayer) (*tokenstore.Token,
 	d.WaitingForAuth()
 	token, err := pollForTokenWithProgress(ctx, config, deviceAuth, d)
 	if err != nil {
-		return nil, fmt.Errorf("token poll failed: %w", err)
+		return credstore.Token{}, fmt.Errorf("token poll failed: %w", err)
 	}
 
 	d.AuthSuccess()
 
 	// Convert to Token and save
-	storage := &tokenstore.Token{
+	storage := credstore.Token{
 		AccessToken:  token.AccessToken,
 		RefreshToken: token.RefreshToken,
 		TokenType:    token.Type(),
 		ExpiresAt:    token.Expiry,
 		ClientID:     clientID,
 	}
 
-	if err := tokenStore.Save(storage); err != nil {
+	if err := tokenStore.Save(clientID, storage); err != nil {
 		d.TokenSaveFailed(err)
 	} else {
 		d.TokenSaved(tokenStore.String())
@@ -715,7 +718,7 @@ func refreshAccessToken(
 	ctx context.Context,
 	refreshToken string,
 	d tui.Displayer,
-) (*tokenstore.Token, error) {
+) (credstore.Token, error) {
 	// Create request with timeout
 	reqCtx, cancel := context.WithTimeout(ctx, refreshTokenTimeout)
 	defer cancel()
@@ -732,38 +735,42 @@ func refreshAccessToken(
 		strings.NewReader(data.Encode()),
 	)
 	if err != nil {
-		return nil, fmt.Errorf("failed to create request: %w", err)
+		return credstore.Token{}, fmt.Errorf("failed to create request: %w", err)
 	}
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 
 	// Execute request with retry logic
 	resp, err := retryClient.DoWithContext(reqCtx, req)
 	if err != nil {
-		return nil, fmt.Errorf("refresh request failed: %w", err)
+		return credstore.Token{}, fmt.Errorf("refresh request failed: %w", err)
 	}
 	defer resp.Body.Close()
 
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
-		return nil, fmt.Errorf("failed to read response: %w", err)
+		return credstore.Token{}, fmt.Errorf("failed to read response: %w", err)
 	}
 
 	if resp.StatusCode != http.StatusOK {
 		var errResp ErrorResponse
 		if err := json.Unmarshal(body, &errResp); err == nil {
 			// Check if refresh token is expired or invalid
 			if errResp.Error == oauthErrInvalidGrant || errResp.Error == oauthErrInvalidToken {
-				return nil, ErrRefreshTokenExpired
+				return credstore.Token{}, ErrRefreshTokenExpired
 			}
-			return nil, fmt.Errorf("%s: %s", errResp.Error, errResp.ErrorDescription)
+			return credstore.Token{}, fmt.Errorf("%s: %s", errResp.Error, errResp.ErrorDescription)
 		}
-		return nil, fmt.Errorf("refresh failed with status %d: %s", resp.StatusCode, string(body))
+		return credstore.Token{}, fmt.Errorf(
+			"refresh failed with status %d: %s",
+			resp.StatusCode,
+			string(body),
+		)
 	}
 
 	// Parse token response
 	var tokenResp tokenResponse
 	if err := json.Unmarshal(body, &tokenResp); err != nil {
-		return nil, fmt.Errorf("failed to parse token response: %w", err)
+		return credstore.Token{}, fmt.Errorf("failed to parse token response: %w", err)
 	}
 
 	// Validate token response
@@ -772,7 +779,7 @@ func refreshAccessToken(
 		tokenResp.TokenType,
 		tokenResp.ExpiresIn,
 	); err != nil {
-		return nil, fmt.Errorf("invalid token response: %w", err)
+		return credstore.Token{}, fmt.Errorf("invalid token response: %w", err)
 	}
 
 	// Handle refresh token rotation modes:
@@ -784,7 +791,7 @@ func refreshAccessToken(
 		newRefreshToken = refreshToken
 	}
 
-	storage := &tokenstore.Token{
+	storage := credstore.Token{
 		AccessToken:  tokenResp.AccessToken,
 		RefreshToken: newRefreshToken,
 		TokenType:    tokenResp.TokenType,
@@ -793,7 +800,7 @@ func refreshAccessToken(
 	}
 
 	// Save updated tokens
-	if err := tokenStore.Save(storage); err != nil {
+	if err := tokenStore.Save(clientID, storage); err != nil {
 		d.TokenSaveFailed(err)
 	}
 
@@ -803,7 +810,7 @@ func refreshAccessToken(
 // makeAPICallWithAutoRefresh demonstrates automatic refresh on 401
 func makeAPICallWithAutoRefresh(
 	ctx context.Context,
-	storage *tokenstore.Token,
+	storage *credstore.Token,
 	d tui.Displayer,
 ) error {
 	// Try with current access token