1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
|
//! Hub authentication support for Atuin
//!
//! This module provides programmatic access to the Atuin Hub authentication flow.
//! It can be used by other crates (like atuin-ai) to authenticate with the Hub
//! and obtain session tokens.
//!
//! Hub authentication is separate from sync authentication - users can have both
//! a sync session (for history sync) and a hub session (for Hub-specific features
//! like AI).
use std::time::Duration;
use eyre::{Context, Result, bail};
use reqwest::{StatusCode, Url, header::USER_AGENT};
use atuin_common::{
api::{
ATUIN_CARGO_VERSION, ATUIN_HEADER_VERSION, CliCodeResponse, CliVerifyResponse,
ErrorResponse,
},
tls::ensure_crypto_provider,
};
use crate::settings::Settings;
static APP_USER_AGENT: &str = concat!("atuin/", env!("CARGO_PKG_VERSION"));
/// The result of starting a hub authentication flow
#[derive(Debug, Clone)]
pub struct HubAuthSession {
/// The code to be verified
pub code: String,
/// The URL the user should visit to authenticate
pub auth_url: String,
/// The hub address being used
pub hub_address: String,
}
/// The result of polling for hub auth completion
#[derive(Debug, Clone)]
pub enum HubAuthStatus {
/// Still waiting for user authorization
Pending,
/// Authorization complete, contains the session token
Complete(String),
/// Authorization failed with an error
Failed(String),
}
/// Default poll interval for checking auth status
pub const DEFAULT_POLL_INTERVAL: Duration = Duration::from_secs(2);
/// Default timeout for the entire auth flow
pub const DEFAULT_AUTH_TIMEOUT: Duration = Duration::from_secs(600);
impl HubAuthSession {
/// Start a new hub authentication session
///
/// Returns a session containing the code and auth URL that the user should visit.
pub async fn start(hub_address: &str) -> Result<Self> {
debug!("Starting Hub authentication process...");
let hub_address = hub_address.trim_end_matches('/');
let code_response = request_code(hub_address)
.await
.context("Failed to request authentication code from Hub")?;
debug!("Received code from Hub");
let code = code_response.code;
let auth_url = format!("{}/auth/cli?code={}", hub_address, code);
Ok(Self {
code,
auth_url,
hub_address: hub_address.to_string(),
})
}
/// Poll for the authentication status
///
/// Returns the current status of the authentication flow.
pub async fn poll(&self) -> Result<HubAuthStatus> {
match verify_code(&self.hub_address, &self.code).await {
Ok(response) => {
if let Some(token) = response.token {
debug!("Authentication complete, received token");
Ok(HubAuthStatus::Complete(token))
} else if let Some(error) = response.error {
error!("Authentication failed: {}", error);
Ok(HubAuthStatus::Failed(error))
} else {
Ok(HubAuthStatus::Pending)
}
}
Err(e) => {
// Transient errors shouldn't fail the whole flow
log::debug!("Verification poll failed: {}", e);
Ok(HubAuthStatus::Pending)
}
}
}
/// Poll until completion or timeout
///
/// This is a convenience method that polls repeatedly until the auth completes
/// or times out.
pub async fn wait_for_completion(
&self,
timeout: Duration,
poll_interval: Duration,
) -> Result<String> {
let start = std::time::Instant::now();
debug!("Polling for Hub authentication completion...");
loop {
if start.elapsed() > timeout {
warn!("Authentication loop exited due to timeout");
bail!("Authentication timed out. Please try again.");
}
match self.poll().await? {
HubAuthStatus::Complete(token) => return Ok(token),
HubAuthStatus::Failed(error) => bail!("Authentication failed: {}", error),
HubAuthStatus::Pending => {
tokio::time::sleep(poll_interval).await;
}
}
}
}
}
/// Save a hub session token
///
/// This saves the token to the meta store so it can be used for subsequent Hub API calls.
/// Note: This is separate from the sync session token.
pub async fn save_session(token: &str) -> Result<()> {
Settings::meta_store()
.await?
.save_hub_session(token)
.await
.context("Failed to save hub session")
}
/// Delete the hub session token (logout from Hub)
pub async fn delete_session() -> Result<()> {
Settings::meta_store()
.await?
.delete_hub_session()
.await
.context("Failed to delete hub session")
}
/// Check if the user is logged in with Hub authentication
///
/// Returns true if the user has a valid Hub session token.
/// This is independent of whether they have a sync session.
pub async fn is_logged_in() -> Result<bool> {
Settings::meta_store().await?.hub_logged_in().await
}
/// Get the hub session token if available
///
/// Returns the Hub session token if the user is logged in with Hub auth,
/// or None if not logged in.
pub async fn get_session_token() -> Result<Option<String>> {
Settings::meta_store().await?.hub_session_token().await
}
/// Link an existing CLI sync account to the current Hub user.
///
/// This associates the CLI's sync records with the Hub account, enabling
/// unified authentication. After linking:
/// - The Hub token can be used for sync operations
/// - Records are migrated to be accessible via Hub auth
///
/// Requires:
/// - A valid Hub session (user must be logged in to Hub)
/// - A valid CLI session token to link
///
/// Returns Ok(()) on success, or an error if:
/// - Not logged in to Hub
/// - CLI token is invalid
/// - CLI account is already linked to a different Hub account
pub async fn link_account(hub_address: &str, cli_token: &str) -> Result<()> {
let hub_token = get_session_token()
.await?
.ok_or_else(|| eyre::eyre!("Not logged in to Hub - cannot link account"))?;
let url = make_url(hub_address, "/api/v0/account/link")?;
debug!("Linking CLI account to Hub at {}", hub_address);
ensure_crypto_provider();
let client = reqwest::Client::new();
let resp = client
.post(&url)
.header(USER_AGENT, APP_USER_AGENT)
.header(ATUIN_HEADER_VERSION, ATUIN_CARGO_VERSION)
.bearer_auth(&hub_token)
.json(&serde_json::json!({ "token": cli_token }))
.send()
.await?;
let status = resp.status();
if status == StatusCode::CONFLICT {
// 409 means CLI account is already linked to a (possibly different) Hub account
debug!("CLI account already linked to a Hub account");
return Ok(());
}
handle_resp_error(resp).await?;
info!("Successfully linked CLI account to Hub");
Ok(())
}
// --- Internal HTTP functions ---
fn make_url(address: &str, path: &str) -> Result<String> {
let address = if address.ends_with('/') {
address.to_string()
} else {
format!("{address}/")
};
let path = path.strip_prefix('/').unwrap_or(path);
let url = Url::parse(&address)
.context("failed to parse hub address")?
.join(path)
.context("failed to join hub URL path")?;
Ok(url.to_string())
}
async fn handle_resp_error(resp: reqwest::Response) -> Result<reqwest::Response> {
let status = resp.status();
if status == StatusCode::SERVICE_UNAVAILABLE {
error!("Service unavailable: check https://status.atuin.sh");
bail!("Service unavailable: check https://status.atuin.sh");
}
if status == StatusCode::TOO_MANY_REQUESTS {
error!("Rate limited; please wait before trying again");
bail!("Rate limited; please wait before trying again");
}
if !status.is_success() {
if let Ok(error) = resp.json::<ErrorResponse>().await {
error!("Hub error: {} - {}", status, error.reason);
bail!("Hub error: {} - {}", status, error.reason);
}
error!("Hub request failed with status: {}", status);
bail!("Hub request failed with status: {}", status);
}
Ok(resp)
}
/// Request a CLI auth code from the Atuin Hub
async fn request_code(address: &str) -> Result<CliCodeResponse> {
ensure_crypto_provider();
let url = make_url(address, "/auth/cli/code")?;
let client = reqwest::Client::new();
debug!("Requesting code from Hub at {url}");
let resp = client
.post(&url)
.header(USER_AGENT, APP_USER_AGENT)
.header(ATUIN_HEADER_VERSION, ATUIN_CARGO_VERSION)
.send()
.await?;
let resp = handle_resp_error(resp).await?;
let code_response = resp.json::<CliCodeResponse>().await?;
Ok(code_response)
}
/// Poll to verify the CLI auth code and get the session token
async fn verify_code(address: &str, code: &str) -> Result<CliVerifyResponse> {
ensure_crypto_provider();
let base = make_url(address, "/auth/cli/verify")?;
let url = format!("{base}?code={code}");
let client = reqwest::Client::new();
debug!("Verifying code with Hub at {base}?code=******");
let resp = client
.post(&url)
.header(USER_AGENT, APP_USER_AGENT)
.header(ATUIN_HEADER_VERSION, ATUIN_CARGO_VERSION)
.send()
.await?;
let resp = handle_resp_error(resp).await?;
let verify_response = resp.json::<CliVerifyResponse>().await?;
Ok(verify_response)
}
|
