refactor(oauth): deduplicate token parsing and fix struct copy bug (#12)

* refactor(oauth): deduplicate token parsing and fix struct copy bug

- Extract shared tokenResponse struct and parseOAuthError helper to eliminate duplicate error parsing
- Simplify PKCE branching to always set code_verifier unconditionally
- Fix incomplete struct copy in makeAPICallWithAutoRefresh using full struct assignment
- Drain response body on 401 to allow HTTP connection reuse
- Replace time.After with time.NewTimer to prevent timer leak
- Extract quitInterrupted method to deduplicate interrupt-handling blocks

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(oauth): address PR review feedback for error handling and connection reuse

- Add errResp.Error != "" guard in refreshAccessToken to avoid empty error messages when JSON unmarshals successfully but contains no OAuth error
- Close response body immediately after draining on 401 so the HTTP transport can reuse the connection for the retry request

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: appleboy

callback.go

@@ -130,6 +130,9 @@ func startCallbackServer(
 	}()
 
 	// Wait for callback, timeout, or context cancellation.
+	timer := time.NewTimer(callbackTimeout)
+	defer timer.Stop()
+
 	select {
 	case result := <-resultCh:
 		if result.Error != "" {
@@ -143,7 +146,7 @@ func startCallbackServer(
 	case <-ctx.Done():
 		return nil, ctx.Err()
 
-	case <-time.After(callbackTimeout):
+	case <-timer.C:
 		return nil, fmt.Errorf("timed out waiting for browser authorization (%s)", callbackTimeout)
 	}
 }

main.go

@@ -204,6 +204,25 @@ type ErrorResponse struct {
 	ErrorDescription string `json:"error_description"`
 }
 
+// tokenResponse is the JSON structure returned by /oauth/token.
+type tokenResponse struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	TokenType    string `json:"token_type"`
+	ExpiresIn    int    `json:"expires_in"`
+	Scope        string `json:"scope"`
+}
+
+// parseOAuthError attempts to extract a structured OAuth error from a non-200
+// response body. Falls back to including the raw body in the error message.
+func parseOAuthError(statusCode int, body []byte, action string) error {
+	var errResp ErrorResponse
+	if jsonErr := json.Unmarshal(body, &errResp); jsonErr == nil && errResp.Error != "" {
+		return fmt.Errorf("%s: %s", errResp.Error, errResp.ErrorDescription)
+	}
+	return fmt.Errorf("%s failed with status %d: %s", action, statusCode, string(body))
+}
+
 func loadTokens() (*tui.TokenStorage, error) {
 	data, err := os.ReadFile(tokenFile)
 	if err != nil {
@@ -317,13 +336,10 @@ func exchangeCode(ctx context.Context, code, codeVerifier string) (*tui.TokenSto
 	data.Set("redirect_uri", redirectURI)
 	data.Set("client_id", clientID)
 
-	if isPublicClient() {
-		// Public client: send code_verifier for PKCE verification.
-		data.Set("code_verifier", codeVerifier)
-	} else {
-		// Confidential client: send client_secret (and also verifier for PKCE).
+	// PKCE is always enabled (defense in depth).
+	data.Set("code_verifier", codeVerifier)
+	if !isPublicClient() {
 		data.Set("client_secret", clientSecret)
-		data.Set("code_verifier", codeVerifier)
 	}
 
 	req, err := http.NewRequestWithContext(
@@ -349,24 +365,10 @@ func exchangeCode(ctx context.Context, code, codeVerifier string) (*tui.TokenSto
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		var errResp ErrorResponse
-		if jsonErr := json.Unmarshal(body, &errResp); jsonErr == nil && errResp.Error != "" {
-			return nil, fmt.Errorf("%s: %s", errResp.Error, errResp.ErrorDescription)
-		}
-		return nil, fmt.Errorf(
-			"token exchange failed with status %d: %s",
-			resp.StatusCode,
-			string(body),
-		)
+		return nil, parseOAuthError(resp.StatusCode, body, "token exchange")
 	}
 
-	var tokenResp struct {
-		AccessToken  string `json:"access_token"`
-		RefreshToken string `json:"refresh_token"`
-		TokenType    string `json:"token_type"`
-		ExpiresIn    int    `json:"expires_in"`
-		Scope        string `json:"scope"`
-	}
+	var tokenResp tokenResponse
 	if err := json.Unmarshal(body, &tokenResp); err != nil {
 		return nil, fmt.Errorf("failed to parse token response: %w", err)
 	}
@@ -427,22 +429,18 @@ func refreshAccessToken(ctx context.Context, refreshToken string) (*tui.TokenSto
 	}
 
 	if resp.StatusCode != http.StatusOK {
+		// Check for expired/invalid refresh token before general error handling.
 		var errResp ErrorResponse
-		if jsonErr := json.Unmarshal(body, &errResp); jsonErr == nil {
+		if jsonErr := json.Unmarshal(body, &errResp); jsonErr == nil && errResp.Error != "" {
 			if errResp.Error == "invalid_grant" || errResp.Error == "invalid_token" {
 				return nil, tui.ErrRefreshTokenExpired
 			}
 			return nil, fmt.Errorf("%s: %s", errResp.Error, errResp.ErrorDescription)
 		}
-		return nil, fmt.Errorf("refresh failed with status %d: %s", resp.StatusCode, string(body))
+		return nil, parseOAuthError(resp.StatusCode, body, "refresh")
 	}
 
-	var tokenResp struct {
-		AccessToken  string `json:"access_token"`
-		RefreshToken string `json:"refresh_token"`
-		TokenType    string `json:"token_type"`
-		ExpiresIn    int    `json:"expires_in"`
-	}
+	var tokenResp tokenResponse
 	if err := json.Unmarshal(body, &tokenResp); err != nil {
 		return nil, fmt.Errorf("failed to parse token response: %w", err)
 	}
@@ -498,11 +496,7 @@ func verifyToken(ctx context.Context, accessToken string) (string, error) {
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		var errResp ErrorResponse
-		if jsonErr := json.Unmarshal(body, &errResp); jsonErr == nil {
-			return "", fmt.Errorf("%s: %s", errResp.Error, errResp.ErrorDescription)
-		}
-		return "", fmt.Errorf("server returned status %d: %s", resp.StatusCode, string(body))
+		return "", parseOAuthError(resp.StatusCode, body, "token verification")
 	}
 
 	return string(body), nil
@@ -523,6 +517,10 @@ func makeAPICallWithAutoRefresh(ctx context.Context, storage *tui.TokenStorage)
 	defer resp.Body.Close()
 
 	if resp.StatusCode == http.StatusUnauthorized {
+		// Drain and close body immediately so the HTTP transport can reuse the connection.
+		_, _ = io.Copy(io.Discard, resp.Body)
+		resp.Body.Close()
+
 		newStorage, err := refreshAccessToken(ctx, storage.RefreshToken)
 		if err != nil {
 			if err == tui.ErrRefreshTokenExpired {
@@ -531,9 +529,7 @@ func makeAPICallWithAutoRefresh(ctx context.Context, storage *tui.TokenStorage)
 			return fmt.Errorf("refresh failed: %w", err)
 		}
 
-		storage.AccessToken = newStorage.AccessToken
-		storage.RefreshToken = newStorage.RefreshToken
-		storage.ExpiresAt = newStorage.ExpiresAt
+		*storage = *newStorage
 
 		req, err = http.NewRequestWithContext(
 			ctx,

tui/model.go

@@ -196,9 +196,7 @@ func (m OAuthModel) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 	case msgTokenRefreshed:
 		if msg.err != nil {
 			if isContextCanceled(msg.err) {
-				m.ExitCode = 130
-				m.interrupted = true
-				return m, tea.Quit
+				return m.quitInterrupted()
 			}
 			m.stepStatuses[stepRefreshToken] = statusFailed
 			m.stepMessages[stepRefreshToken] = msg.err.Error()
@@ -216,9 +214,7 @@ func (m OAuthModel) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 	case msgAuthFlowReady:
 		if msg.err != nil {
 			if isContextCanceled(msg.err) {
-				m.ExitCode = 130
-				m.interrupted = true
-				return m, tea.Quit
+				return m.quitInterrupted()
 			}
 			m.stepStatuses[stepAuthFlow] = statusFailed
 			m.stepMessages[stepAuthFlow] = msg.err.Error()
@@ -246,9 +242,7 @@ func (m OAuthModel) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 	case msgCallbackReceived:
 		if msg.err != nil {
 			if isContextCanceled(msg.err) {
-				m.ExitCode = 130
-				m.interrupted = true
-				return m, tea.Quit
+				return m.quitInterrupted()
 			}
 			m.stepStatuses[stepWaitCallback] = statusFailed
 			m.stepMessages[stepWaitCallback] = msg.err.Error()
@@ -267,9 +261,7 @@ func (m OAuthModel) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 	case msgTokenVerified:
 		if msg.err != nil {
 			if isContextCanceled(msg.err) {
-				m.ExitCode = 130
-				m.interrupted = true
-				return m, tea.Quit
+				return m.quitInterrupted()
 			}
 			// Verification failure is non-fatal — still proceed to API call.
 			m.stepStatuses[stepVerifyToken] = statusFailed
@@ -283,9 +275,7 @@ func (m OAuthModel) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 	case msgAPICallDone:
 		if msg.err != nil {
 			if isContextCanceled(msg.err) {
-				m.ExitCode = 130
-				m.interrupted = true
-				return m, tea.Quit
+				return m.quitInterrupted()
 			}
 			if errors.Is(msg.err, ErrRefreshTokenExpired) {
 				// Refresh token expired during API call — restart auth sub-steps.
@@ -324,3 +314,10 @@ func (m OAuthModel) startStep(s step, cmd tea.Cmd) (tea.Model, tea.Cmd) {
 func isContextCanceled(err error) bool {
 	return errors.Is(err, context.Canceled)
 }
+
+// quitInterrupted marks the model as interrupted (exit code 130) and returns tea.Quit.
+func (m OAuthModel) quitInterrupted() (tea.Model, tea.Cmd) {
+	m.ExitCode = 130
+	m.interrupted = true
+	return m, tea.Quit
+}