Replace the loopback/PKCE-callback server and manual-paste fallback with the RFC 8628 device-code flow as the only xAI Grok OAuth login path. The flow works in headless/SSH/container sessions with no 127.0.0.1 listener, shrinking the local attack surface. - Poll the token endpoint with server-provided interval, honoring slow_down and expires_in; store tokens with auth_mode oauth_device_code. - Adaptive proactive refresh skew for short-lived device-code JWTs; rotated tokens sync back to auth.json, the global root store, and the credential pool (no refresh-token replay). - Clear source suppression on successful re-login (CLI + dashboard) and drop the duplicate dashboard pool entry so exactly one seeded device_code entry exists. - Use the shared device_code source name for consistency with the nous/codex device-code providers. - Desktop: remove the loopback OAuth flow states and dead type variants; pkce providers' sign-in URL selection is unchanged. - Docs (EN + zh-Hans) rewritten for device-code login; drop the deleted --manual-paste flag from documented commands.
98 lines
3.7 KiB
Python
98 lines
3.7 KiB
Python
"""``hermes auth`` subcommand parser.
|
|
|
|
Extracted verbatim from ``hermes_cli/main.py:main()`` (god-file Phase 2).
|
|
Handler injected to avoid importing ``main``.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from typing import Callable
|
|
|
|
|
|
def build_auth_parser(subparsers, *, cmd_auth: Callable) -> None:
|
|
"""Attach the ``auth`` subcommand to ``subparsers``."""
|
|
auth_parser = subparsers.add_parser(
|
|
"auth",
|
|
help="Manage pooled provider credentials",
|
|
)
|
|
auth_subparsers = auth_parser.add_subparsers(dest="auth_action")
|
|
auth_add = auth_subparsers.add_parser("add", help="Add a pooled credential")
|
|
auth_add.add_argument(
|
|
"provider",
|
|
help="Provider id (for example: anthropic, openai-codex, openrouter)",
|
|
)
|
|
auth_add.add_argument(
|
|
"--type",
|
|
dest="auth_type",
|
|
choices=["oauth", "api-key", "api_key"],
|
|
help="Credential type to add",
|
|
)
|
|
auth_add.add_argument("--label", help="Optional display label")
|
|
auth_add.add_argument(
|
|
"--api-key", help="API key value (otherwise prompted securely)"
|
|
)
|
|
auth_add.add_argument("--portal-url", help="Nous portal base URL")
|
|
auth_add.add_argument("--inference-url", help="Nous inference base URL")
|
|
auth_add.add_argument("--client-id", help="OAuth client id")
|
|
auth_add.add_argument("--scope", help="OAuth scope override")
|
|
auth_add.add_argument(
|
|
"--no-browser",
|
|
action="store_true",
|
|
help="Do not auto-open a browser for OAuth login",
|
|
)
|
|
auth_add.add_argument(
|
|
"--timeout", type=float, help="OAuth/network timeout in seconds"
|
|
)
|
|
auth_add.add_argument(
|
|
"--insecure",
|
|
action="store_true",
|
|
help="Disable TLS verification for OAuth login",
|
|
)
|
|
auth_add.add_argument("--ca-bundle", help="Custom CA bundle for OAuth login")
|
|
auth_list = auth_subparsers.add_parser("list", help="List pooled credentials")
|
|
auth_list.add_argument("provider", nargs="?", help="Optional provider filter")
|
|
auth_remove = auth_subparsers.add_parser(
|
|
"remove", help="Remove a pooled credential by index, id, or label"
|
|
)
|
|
auth_remove.add_argument("provider", help="Provider id")
|
|
auth_remove.add_argument(
|
|
"target", help="Credential index, entry id, or exact label"
|
|
)
|
|
auth_reset = auth_subparsers.add_parser(
|
|
"reset", help="Clear exhaustion status for all credentials for a provider"
|
|
)
|
|
auth_reset.add_argument("provider", help="Provider id")
|
|
auth_status = auth_subparsers.add_parser(
|
|
"status", help="Show auth status for a provider"
|
|
)
|
|
auth_status.add_argument("provider", help="Provider id")
|
|
auth_logout = auth_subparsers.add_parser(
|
|
"logout", help="Log out a provider and clear stored auth state"
|
|
)
|
|
auth_logout.add_argument("provider", help="Provider id")
|
|
auth_spotify = auth_subparsers.add_parser(
|
|
"spotify", help="Authenticate Hermes with Spotify via PKCE"
|
|
)
|
|
auth_spotify.add_argument(
|
|
"spotify_action",
|
|
nargs="?",
|
|
choices=["login", "status", "logout"],
|
|
default="login",
|
|
)
|
|
auth_spotify.add_argument(
|
|
"--client-id", help="Spotify app client_id (or set HERMES_SPOTIFY_CLIENT_ID)"
|
|
)
|
|
auth_spotify.add_argument(
|
|
"--redirect-uri",
|
|
help="Allow-listed localhost redirect URI for your Spotify app",
|
|
)
|
|
auth_spotify.add_argument("--scope", help="Override requested Spotify scopes")
|
|
auth_spotify.add_argument(
|
|
"--no-browser",
|
|
action="store_true",
|
|
help="Do not attempt to open the browser automatically",
|
|
)
|
|
auth_spotify.add_argument(
|
|
"--timeout", type=float, help="Callback/token exchange timeout in seconds"
|
|
)
|
|
auth_parser.set_defaults(func=cmd_auth)
|