Documentation
¶
Overview ¶
Package githubflow runs the GitHub App user (user-to-server) OAuth "loopback" flow shared by clients such as chainctl and the guardener OAuth test binary.
It starts a temporary HTTP server on 127.0.0.1, opens the browser to GitHub's authorize endpoint with PKCE (S256), and captures the authorization code. The code is exchanged for a token server-side, so this package never holds the GitHub App client secret or the resulting user token — it only returns the code, the loopback redirect URI it used, and the PKCE verifier, all of which the server replays at exchange time.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Result ¶
type Result struct {
// Code is the GitHub authorization code.
Code string
// RedirectURI is the exact loopback redirect URI used; the server-side code
// exchange must replay it.
RedirectURI string
// Verifier is the PKCE code verifier; the server-side exchange must replay it.
Verifier string
}
Result is the outcome of a successful loopback authorization.
func Obtain ¶
Obtain runs the loopback PKCE flow for the given GitHub App OAuth client ID on the given loopback port, writing user-facing progress to out. The authorize request uses PKCE (S256) so an intercepted loopback code can't be redeemed without the verifier, forces the account picker (`prompt=select_account`), and disables signup (`allow_signup=false`).
state is the server-minted OAuth state from BeginGitHubOAuth: it is placed in the authorize request, GitHub echoes it back to the loopback, and Obtain verifies the echo (CSRF). The caller forwards the same state on the mutating RPC, where the server verifies its signature before exchanging the code.