feat: add devtunnel auth token refresh endpoint

Add POST /tunnels/devtunnels/auth-token API endpoint that allows
CS-Bridge to push fresh Entra ID tokens before expiry. The SDK manager
now reads the token dynamically via a closure, so token updates take
effect without restarting linkspan.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: yasithdev

main.go

@@ -152,6 +152,7 @@ func main() {
 	// Tunnel management
 	api.HandleFunc("/tunnels/devtunnels", tunnel.ListDevTunnels).Methods("GET")
 	api.HandleFunc("/tunnels/devtunnels", tunnel.CreateDevTunnel).Methods("POST")
+	api.HandleFunc("/tunnels/devtunnels/auth-token", tunnel.RefreshDevTunnelAuthToken).Methods("POST")
 	api.HandleFunc("/tunnels/devtunnels/{id}", tunnel.DeleteDevTunnel).Methods("DELETE")
 
 	api.HandleFunc("/tunnels/frp", tunnel.ListFRPTunnels).Methods("GET")

subsystems/tunnel/api.go

@@ -168,6 +168,34 @@ func ListFRPTunnels(w http.ResponseWriter, r *http.Request) {
 	utils.RespondJSON(w, http.StatusOK, FRPTunnelListResponse{FRPTunnelInfos: ts})
 }
 
+// RefreshAuthTokenRequest is the JSON body for POST /tunnels/devtunnels/auth-token.
+type RefreshAuthTokenRequest struct {
+	AuthToken string `json:"authToken"`
+}
+
+// RefreshDevTunnelAuthToken handles POST /tunnels/devtunnels/auth-token.
+// CS-Bridge calls this to push a fresh Entra ID token before the previous one expires.
+func RefreshDevTunnelAuthToken(w http.ResponseWriter, r *http.Request) {
+	var req RefreshAuthTokenRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		utils.RespondJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid JSON: " + err.Error()})
+		return
+	}
+	_ = r.Body.Close()
+
+	if req.AuthToken == "" {
+		utils.RespondJSON(w, http.StatusBadRequest, map[string]string{"error": "authToken is required"})
+		return
+	}
+
+	if err := UpdateAuthToken(req.AuthToken); err != nil {
+		utils.RespondJSON(w, http.StatusInternalServerError, map[string]string{"error": err.Error()})
+		return
+	}
+
+	utils.RespondJSON(w, http.StatusOK, map[string]string{"status": "ok"})
+}
+
 // DeleteFRPTunnel handles DELETE /tunnels/frp/{id}.
 func DeleteFRPTunnel(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)

subsystems/tunnel/devtunnel_sdk.go

@@ -78,9 +78,9 @@ var globalSDK *SDKManager
 // InitSDK initialises the SDK Manager with a Microsoft Entra ID (Azure AD) bearer
 // token.  The manager is stored in the package-level globalSDK variable.
 // It is safe to call InitSDK multiple times; only the first call takes effect.
+// The token can be refreshed later via UpdateAuthToken.
 func InitSDK(authToken string) error {
 	// Re-entrant guard: only initialise once per token value.
-	// If the token changed the caller should create a new process.
 	if globalSDK != nil {
 		return nil
 	}
@@ -95,9 +95,17 @@ func InitSDK(authToken string) error {
 		{Name: "linkspan", Version: "0.1.0"},
 	}
 
-	// tokenProvider returns the bearer token for every outgoing SDK request.
+	sdk := &SDKManager{
+		authToken:  authToken,
+		sdkTunnels: make(map[string]*tunnels.Tunnel),
+	}
+
+	// tokenProvider reads from sdk.authToken so that UpdateAuthToken takes
+	// effect for all subsequent SDK requests without re-initialisation.
 	tokenProvider := func() string {
-		return "Bearer " + authToken
+		sdk.mu.Lock()
+		defer sdk.mu.Unlock()
+		return "Bearer " + sdk.authToken
 	}
 
 	debugClient := &http.Client{Transport: &debugTransport{base: http.DefaultTransport}}
@@ -106,11 +114,23 @@ func InitSDK(authToken string) error {
 		return fmt.Errorf("devtunnel sdk: create manager: %w", err)
 	}
 
-	globalSDK = &SDKManager{
-		manager:    mgr,
-		authToken:  authToken,
-		sdkTunnels: make(map[string]*tunnels.Tunnel),
+	sdk.manager = mgr
+	globalSDK = sdk
+	return nil
+}
+
+// UpdateAuthToken replaces the Entra ID bearer token used for all subsequent
+// SDK requests.  This allows CS-Bridge to push a fresh token before the
+// previous one expires, without restarting linkspan.
+func UpdateAuthToken(newToken string) error {
+	sdk, err := requireSDK()
+	if err != nil {
+		return err
 	}
+	sdk.mu.Lock()
+	defer sdk.mu.Unlock()
+	sdk.authToken = newToken
+	log.Printf("devtunnel sdk: auth token updated (len=%d)", len(newToken))
 	return nil
 }