refactor: add context-aware flow and graceful shutdown throughout CLI

- Rename project from authgate-cli to authgate-oauth-cli in configuration.
- Add a Makefile with common build, test, lint, coverage, and Docker targets.
- Modify openBrowser to accept a context and use exec.CommandContext for improved process control.
- Use context-aware net.Listener in callback server startup for better testability and shutdown.
- Update callback tests to disable gosec linter warnings for http.Get calls.
- Improve error handling in filelock tests by checking release errors and reporting them.
- Ensure file lock is properly released with error logging in saveTokens.
- Pass context to openBrowser to maintain consistent cancellation semantics.
- Expand context handling and shutdown hooks for graceful cancellation in main flow.
- Refactor API call retry for style and clarity.

Signed-off-by: appleboy <appleboy.tw@gmail.com>

Author: appleboy

.goreleaser.yaml

@@ -1,5 +1,5 @@
 version: 2
-project_name: authgate-cli
+project_name: authgate-oauth-cli
 before:
   hooks:
     - make generate

Makefile

@@ -0,0 +1,131 @@
+GO ?= go
+EXECUTABLE := oauth-cli
+GOFILES := $(shell find . -type f -name "*.go")
+TAGS ?=
+TEMPL_VERSION ?= latest
+
+ifneq ($(shell uname), Darwin)
+	EXTLDFLAGS = -extldflags "-static" $(null)
+else
+	EXTLDFLAGS =
+endif
+
+ifneq ($(DRONE_TAG),)
+	VERSION ?= $(DRONE_TAG)
+else
+	VERSION ?= $(shell git describe --tags --always || git rev-parse --short HEAD)
+endif
+COMMIT ?= $(shell git rev-parse --short HEAD)
+
+LDFLAGS ?=
+## build: build the authgate binary
+build: generate $(EXECUTABLE)
+
+$(EXECUTABLE): $(GOFILES)
+	$(GO) build -v -tags '$(TAGS)' -ldflags '$(EXTLDFLAGS)-s -w $(LDFLAGS)' -o bin/$@ .
+
+## air: Install air for hot reload.
+air:
+	@hash air > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		$(GO) install github.com/air-verse/air@latest; \
+	fi
+
+## dev: Run the application with hot reload.
+dev: air
+	air
+
+## install: install the authgate binary
+install: $(GOFILES)
+	$(GO) install -v -tags '$(TAGS)' -ldflags '$(EXTLDFLAGS)-s -w $(LDFLAGS)'
+
+## test: run tests
+test: generate
+	@$(GO) test -v -cover -coverprofile coverage.txt ./... && echo "\n==>\033[32m Ok\033[m\n" || exit 1
+
+## coverage: view test coverage in browser
+coverage: test
+	$(GO) tool cover -html=coverage.txt
+
+## install-golangci-lint: install golangci-lint if not present
+install-golangci-lint:
+	@command -v golangci-lint >/dev/null 2>&1 || curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $$($(GO) env GOPATH)/bin v2.7.2
+
+## fmt: format go files using golangci-lint
+fmt: install-golangci-lint
+	golangci-lint fmt
+
+## lint: run golangci-lint to check for issues
+lint: install-golangci-lint
+	golangci-lint run
+
+## build_linux_amd64: build the authgate binary for linux amd64
+build_linux_amd64: generate
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 $(GO) build -a -tags '$(TAGS)' -ldflags '$(EXTLDFLAGS)-s -w $(LDFLAGS)' -o release/linux/amd64/$(EXECUTABLE) .
+
+## build_linux_arm64: build the authgate binary for linux arm64
+build_linux_arm64: generate
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 $(GO) build -a -tags '$(TAGS)' -ldflags '$(EXTLDFLAGS)-s -w $(LDFLAGS)' -o release/linux/arm64/$(EXECUTABLE) .
+
+## clean: remove build artifacts and test coverage
+clean:
+	rm -rf bin/ release/ coverage.txt
+	find internal/templates -name "*_templ.go" -delete
+
+## rebuild: clean and build
+rebuild: clean build
+
+.PHONY: help build install test coverage fmt lint clean rebuild
+.PHONY: build_linux_amd64 build_linux_arm64
+.PHONY: install-templ generate watch air dev
+.PHONY: install-golangci-lint mod-download mod-tidy mod-verify check-tools version
+.PHONY: docker-build docker-run
+
+## install-templ: install templ CLI if not installed
+install-templ:
+	@command -v templ >/dev/null 2>&1 || $(GO) install github.com/a-h/templ/cmd/templ@$(TEMPL_VERSION)
+
+## generate: run templ generate to compile .templ files
+generate: install-templ
+	templ generate
+
+## watch: watch mode for automatic regeneration
+watch: install-templ
+	templ generate --watch
+
+## help: print this help message
+help:
+	@echo 'Usage:'
+	@sed -n 's/^##//p' ${MAKEFILE_LIST} | column -t -s ':' | sed -e 's/^/ /'
+
+## mod-download: download go module dependencies
+mod-download:
+	$(GO) mod download
+
+## mod-tidy: tidy go module dependencies
+mod-tidy:
+	$(GO) mod tidy
+
+## mod-verify: verify go module dependencies
+mod-verify:
+	$(GO) mod verify
+
+## check-tools: verify required tools are installed
+check-tools:
+	@command -v $(GO) >/dev/null 2>&1 || (echo "Go not found" && exit 1)
+	@command -v templ >/dev/null 2>&1 || echo "templ not installed (run: make install-templ)"
+	@command -v golangci-lint >/dev/null 2>&1 || echo "golangci-lint not installed (run: make install-golangci-lint)"
+
+## version: display version information
+version:
+	@echo "Version: $(VERSION)"
+	@echo "Commit: $(COMMIT)"
+	@echo "Go Version: $(shell $(GO) version)"
+
+## docker-build: build docker image
+docker-build:
+	docker build -t authgate:$(VERSION) -f Dockerfile .
+
+## docker-run: run docker container
+docker-run:
+	docker run -p 8080:8080 --env-file .env authgate:$(VERSION)
+

browser.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"fmt"
 	"os/exec"
 	"runtime"
@@ -9,17 +10,17 @@ import (
 // openBrowser attempts to open url in the user's default browser.
 // Returns an error if launching the browser fails, but callers should
 // always print the URL as a fallback regardless of the error.
-func openBrowser(url string) error {
+func openBrowser(ctx context.Context, url string) error {
 	var cmd *exec.Cmd
 
 	switch runtime.GOOS {
 	case "darwin":
-		cmd = exec.Command("open", url)
+		cmd = exec.CommandContext(ctx, "open", url)
 	case "windows":
-		cmd = exec.Command("cmd", "/c", "start", url)
+		cmd = exec.CommandContext(ctx, "cmd", "/c", "start", url)
 	default:
 		// Linux and other Unix-like systems
-		cmd = exec.Command("xdg-open", url)
+		cmd = exec.CommandContext(ctx, "xdg-open", url)
 	}
 
 	if err := cmd.Start(); err != nil {

callback.go

@@ -81,7 +81,7 @@ func startCallbackServer(ctx context.Context, port int, expectedState string) (s
 	}
 
 	// Use a listener so we can report the actual bound port.
-	ln, err := net.Listen("tcp", srv.Addr)
+	ln, err := (&net.ListenConfig{}).Listen(ctx, "tcp", srv.Addr)
 	if err != nil {
 		return "", fmt.Errorf("failed to start callback server on port %d: %w", port, err)
 	}

callback_test.go

@@ -39,7 +39,7 @@ func TestCallbackServer_Success(t *testing.T) {
 		"http://127.0.0.1:%d/callback?code=mycode123&state=%s",
 		port, state,
 	)
-	resp, err := http.Get(callbackURL) //nolint:noctx
+	resp, err := http.Get(callbackURL) //nolint:noctx,gosec
 	if err != nil {
 		t.Fatalf("GET callback failed: %v", err)
 	}
@@ -74,7 +74,7 @@ func TestCallbackServer_StateMismatch(t *testing.T) {
 		"http://127.0.0.1:%d/callback?code=mycode&state=wrong-state",
 		port,
 	)
-	resp, err := http.Get(callbackURL) //nolint:noctx
+	resp, err := http.Get(callbackURL) //nolint:noctx,gosec
 	if err != nil {
 		t.Fatalf("GET callback failed: %v", err)
 	}
@@ -105,7 +105,7 @@ func TestCallbackServer_OAuthError(t *testing.T) {
 		"http://127.0.0.1:%d/callback?error=access_denied&error_description=User+denied&state=%s",
 		port, state,
 	)
-	resp, err := http.Get(callbackURL) //nolint:noctx
+	resp, err := http.Get(callbackURL) //nolint:noctx,gosec
 	if err != nil {
 		t.Fatalf("GET callback failed: %v", err)
 	}
@@ -146,7 +146,7 @@ func TestCallbackServer_DoubleCallback(t *testing.T) {
 	done := make(chan error, 2)
 	for range 2 {
 		go func() {
-			resp, err := http.Get(url) //nolint:noctx
+			resp, err := http.Get(url) //nolint:noctx,gosec
 			if err == nil {
 				resp.Body.Close()
 			}
@@ -185,7 +185,7 @@ func TestCallbackServer_MissingCode(t *testing.T) {
 		"http://127.0.0.1:%d/callback?state=%s",
 		port, state,
 	)
-	resp, err := http.Get(callbackURL) //nolint:noctx
+	resp, err := http.Get(callbackURL) //nolint:noctx,gosec
 	if err != nil {
 		t.Fatalf("GET callback failed: %v", err)
 	}

filelock_test.go

@@ -65,7 +65,9 @@ func TestConcurrentLocks(t *testing.T) {
 			concurrent--
 			mu.Unlock()
 
-			lock.release()
+			if err := lock.release(); err != nil {
+				t.Errorf("goroutine %d: release() error: %v", idx, err)
+			}
 		}(i)
 	}
 
@@ -94,5 +96,7 @@ func TestStaleLockRemoval(t *testing.T) {
 	if err != nil {
 		t.Fatalf("acquireFileLock() with stale lock: %v", err)
 	}
-	lock.release()
+	if err := lock.release(); err != nil {
+		t.Errorf("release() error: %v", err)
+	}
 }

main.go

@@ -251,7 +251,11 @@ func saveTokens(storage *TokenStorage) error {
 	if err != nil {
 		return fmt.Errorf("failed to acquire lock: %w", err)
 	}
-	defer lock.release()
+	defer func() {
+		if releaseErr := lock.release(); releaseErr != nil {
+			fmt.Fprintf(os.Stderr, "warning: failed to release file lock: %v\n", releaseErr)
+		}
+	}()
 
 	var storageMap TokenStorageMap
 	if existing, err := os.ReadFile(tokenFile); err == nil {
@@ -329,7 +333,7 @@ func performAuthCodeFlow(ctx context.Context) (*TokenStorage, error) {
 	fmt.Println("Step 1: Opening authorization URL in your browser...")
 	fmt.Printf("\n  %s\n\n", authURL)
 
-	if err := openBrowser(authURL); err != nil {
+	if err := openBrowser(ctx, authURL); err != nil {
 		fmt.Println("Could not open browser automatically. Please open the URL above manually.")
 	} else {
 		fmt.Println("Browser opened. Please complete authorization in your browser.")
@@ -610,7 +614,12 @@ func makeAPICallWithAutoRefresh(ctx context.Context, storage *TokenStorage) erro
 
 		fmt.Println("Token refreshed, retrying API call...")
 
-		req, err = http.NewRequestWithContext(ctx, http.MethodGet, serverURL+"/oauth/tokeninfo", nil)
+		req, err = http.NewRequestWithContext(
+			ctx,
+			http.MethodGet,
+			serverURL+"/oauth/tokeninfo",
+			nil,
+		)
 		if err != nil {
 			return fmt.Errorf("failed to create retry request: %w", err)
 		}
@@ -671,6 +680,7 @@ func main() {
 			if err != nil {
 				if ctx.Err() != nil {
 					fmt.Fprintln(os.Stderr, "\nInterrupted.")
+					stop()
 					os.Exit(130)
 				}
 				fmt.Printf("Refresh failed: %v\n", err)
@@ -690,7 +700,8 @@ func main() {
 		if err != nil {
 			if ctx.Err() != nil {
 				fmt.Fprintln(os.Stderr, "\nInterrupted.")
-				os.Exit(130)
+				stop()
+				os.Exit(130) //nolint:gocritic
 			}
 			fmt.Fprintf(os.Stderr, "Authorization failed: %v\n", err)
 			os.Exit(1)
@@ -714,6 +725,7 @@ func main() {
 	if err := verifyToken(ctx, storage.AccessToken); err != nil {
 		if ctx.Err() != nil {
 			fmt.Fprintln(os.Stderr, "\nInterrupted.")
+			stop()
 			os.Exit(130)
 		}
 		fmt.Printf("Token verification failed: %v\n", err)
@@ -726,6 +738,7 @@ func main() {
 	if err := makeAPICallWithAutoRefresh(ctx, storage); err != nil {
 		if ctx.Err() != nil {
 			fmt.Fprintln(os.Stderr, "\nInterrupted.")
+			stop()
 			os.Exit(130)
 		}
 		if err == ErrRefreshTokenExpired {
@@ -734,6 +747,7 @@ func main() {
 			if err != nil {
 				if ctx.Err() != nil {
 					fmt.Fprintln(os.Stderr, "\nInterrupted.")
+					stop()
 					os.Exit(130)
 				}
 				fmt.Fprintf(os.Stderr, "Re-authentication failed: %v\n", err)
@@ -742,6 +756,7 @@ func main() {
 			if err := makeAPICallWithAutoRefresh(ctx, storage); err != nil {
 				if ctx.Err() != nil {
 					fmt.Fprintln(os.Stderr, "\nInterrupted.")
+					stop()
 					os.Exit(130)
 				}
 				fmt.Fprintf(os.Stderr, "API call failed after re-authentication: %v\n", err)