rockwotj
diff --git a/‎catalog/rest/auth.go‎
Lines changed: 33 additions & 100 deletions b/‎catalog/rest/auth.go‎
Lines changed: 33 additions & 100 deletions
diff --git a/‎catalog/rest/auth_test.go‎
Lines changed: 38 additions & 32 deletions b/‎catalog/rest/auth_test.go‎
Lines changed: 38 additions & 32 deletions
@@ -18,12 +18,10 @@
 package rest
 
 import (
-	"encoding/json"
+	"errors"
 	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"strings"
+
+	"golang.org/x/oauth2"
 )
 
 // AuthManager is an interface for providing custom authorization headers.
@@ -32,115 +30,50 @@ type AuthManager interface {
 	AuthHeader() (string, string, error)
 }
 
-type oauthTokenResponse struct {
-	AccessToken  string `json:"access_token"`
-	TokenType    string `json:"token_type"`
-	ExpiresIn    int    `json:"expires_in"`
-	Scope        string `json:"scope"`
-	RefreshToken string `json:"refresh_token"`
-}
-
-type oauthErrorResponse struct {
-	Err     string `json:"error"`
-	ErrDesc string `json:"error_description"`
-	ErrURI  string `json:"error_uri"`
-}
-
-func (o oauthErrorResponse) Unwrap() error { return ErrOAuthError }
-func (o oauthErrorResponse) Error() string {
-	msg := o.Err
-	if o.ErrDesc != "" {
-		msg += ": " + o.ErrDesc
-	}
-
-	if o.ErrURI != "" {
-		msg += " (" + o.ErrURI + ")"
-	}
-
-	return msg
-}
-
 // Oauth2AuthManager is an implementation of the AuthManager interface which
-// simply returns the provided token as a bearer token. If a credential
-// is provided instead of a static token, it will fetch and refresh the
-// token as needed.
+// uses an oauth2.TokenSource to provide bearer tokens. The token source
+// handles caching, thread-safe refresh, and expiry management.
 type Oauth2AuthManager struct {
-	Token      string
-	Credential string
-
-	AuthURI *url.URL
-	Scope   string
-	Client  *http.Client
+	tokenSource oauth2.TokenSource
 }
 
 // AuthHeader returns the authorization header with the bearer token.
 func (o *Oauth2AuthManager) AuthHeader() (string, string, error) {
-	if o.Token == "" && o.Credential != "" {
-		if o.Client == nil {
-			return "", "", fmt.Errorf("%w: cannot fetch token without http client", ErrRESTError)
+	tok, err := o.tokenSource.Token()
+	if err != nil {
+		var re *oauth2.RetrieveError
+		if errors.As(err, &re) {
+			return "", "", oauthError{
+				code: re.ErrorCode,
+				desc: re.ErrorDescription,
+				uri:  re.ErrorURI,
+			}
 		}
 
-		tok, err := o.fetchAccessToken()
-		if err != nil {
-			return "", "", err
-		}
-		o.Token = tok
+		return "", "", fmt.Errorf("%w: %s", ErrOAuthError, err)
 	}
 
-	return "Authorization", "Bearer " + o.Token, nil
+	return "Authorization", tok.Type() + " " + tok.AccessToken, nil
 }
 
-func (o *Oauth2AuthManager) fetchAccessToken() (string, error) {
-	clientID, clientSecret, hasID := strings.Cut(o.Credential, ":")
-	if !hasID {
-		clientID, clientSecret = "", o.Credential
-	}
-
-	scope := "catalog"
-	if o.Scope != "" {
-		scope = o.Scope
-	}
-	data := url.Values{
-		"grant_type":    {"client_credentials"},
-		"client_id":     {clientID},
-		"client_secret": {clientSecret},
-		"scope":         {scope},
-	}
+// oauthError wraps OAuth2 error details and implements the error chain
+// so that errors.Is(err, ErrOAuthError) returns true.
+type oauthError struct {
+	code string
+	desc string
+	uri  string
+}
 
-	if o.AuthURI == nil {
-		return "", fmt.Errorf("%w: missing auth uri for fetching token", ErrRESTError)
+func (e oauthError) Error() string {
+	msg := e.code
+	if e.desc != "" {
+		msg += ": " + e.desc
 	}
-
-	rsp, err := o.Client.PostForm(o.AuthURI.String(), data)
-	if err != nil {
-		return "", err
+	if e.uri != "" {
+		msg += " (" + e.uri + ")"
 	}
 
-	if rsp.StatusCode == http.StatusOK {
-		defer rsp.Body.Close()
-		dec := json.NewDecoder(rsp.Body)
-		var tok oauthTokenResponse
-		if err := dec.Decode(&tok); err != nil {
-			return "", fmt.Errorf("failed to decode oauth token response: %w", err)
-		}
-
-		return tok.AccessToken, nil
-	}
-
-	switch rsp.StatusCode {
-	case http.StatusUnauthorized, http.StatusBadRequest:
-		defer func() {
-			_, _ = io.Copy(io.Discard, rsp.Body)
-			_ = rsp.Body.Close()
-		}()
-		dec := json.NewDecoder(rsp.Body)
-		var oauthErr oauthErrorResponse
-		if err := dec.Decode(&oauthErr); err != nil {
-			return "", fmt.Errorf("failed to decode oauth error: %w", err)
-		}
-
-		return "", oauthErr
-	default:
-		return "", handleNon200(rsp, nil)
-	}
+	return msg
 }
+
+func (e oauthError) Unwrap() error { return ErrOAuthError }
@@ -18,19 +18,25 @@
 package rest
 
 import (
+	"context"
 	"encoding/json"
+	"errors"
 	"net/http"
 	"net/http/httptest"
-	"net/url"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/clientcredentials"
 )
 
 func TestOauth2AuthManager_AuthHeader_StaticToken(t *testing.T) {
 	manager := &Oauth2AuthManager{
-		Token: "static_token",
+		tokenSource: oauth2.StaticTokenSource(&oauth2.Token{
+			AccessToken: "static_token",
+			TokenType:   "Bearer",
+		}),
 	}
 
 	key, value, err := manager.AuthHeader()
@@ -39,16 +45,6 @@ func TestOauth2AuthManager_AuthHeader_StaticToken(t *testing.T) {
 	assert.Equal(t, "Bearer static_token", value)
 }
 
-func TestOauth2AuthManager_AuthHeader_MissingClient(t *testing.T) {
-	manager := &Oauth2AuthManager{
-		Credential: "client:secret",
-	}
-
-	_, _, err := manager.AuthHeader()
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "cannot fetch token without http client")
-}
-
 func TestOauth2AuthManager_AuthHeader_FetchToken_Success(t *testing.T) {
 	mux := http.NewServeMux()
 	server := httptest.NewServer(mux)
@@ -61,28 +57,32 @@ func TestOauth2AuthManager_AuthHeader_FetchToken_Success(t *testing.T) {
 		assert.Equal(t, "secret", r.FormValue("client_secret"))
 		assert.Equal(t, "catalog", r.FormValue("scope"))
 
+		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(http.StatusOK)
-		json.NewEncoder(w).Encode(oauthTokenResponse{
-			AccessToken: "fetched_token",
-			TokenType:   "Bearer",
-			ExpiresIn:   3600,
+		json.NewEncoder(w).Encode(map[string]any{
+			"access_token": "fetched_token",
+			"token_type":   "Bearer",
+			"expires_in":   3600,
 		})
 	})
 
-	authURL, err := url.Parse(server.URL + "/oauth/token")
-	require.NoError(t, err)
+	cfg := &clientcredentials.Config{
+		ClientID:     "client",
+		ClientSecret: "secret",
+		TokenURL:     server.URL + "/oauth/token",
+		Scopes:       []string{"catalog"},
+		AuthStyle:    oauth2.AuthStyleInParams,
+	}
 
+	ctx := context.WithValue(context.Background(), oauth2.HTTPClient, server.Client())
 	manager := &Oauth2AuthManager{
-		Credential: "client:secret",
-		AuthURI:    authURL,
-		Client:     server.Client(),
+		tokenSource: cfg.TokenSource(ctx),
 	}
 
 	key, value, err := manager.AuthHeader()
 	require.NoError(t, err)
 	assert.Equal(t, "Authorization", key)
 	assert.Equal(t, "Bearer fetched_token", value)
-	assert.Equal(t, "fetched_token", manager.Token)
 }
 
 func TestOauth2AuthManager_AuthHeader_FetchToken_ErrorResponse(t *testing.T) {
@@ -91,23 +91,29 @@ func TestOauth2AuthManager_AuthHeader_FetchToken_ErrorResponse(t *testing.T) {
 	defer server.Close()
 
 	mux.HandleFunc("/oauth/token", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(http.StatusBadRequest)
-		json.NewEncoder(w).Encode(oauthErrorResponse{
-			Err:     "invalid_client",
-			ErrDesc: "Invalid client credentials",
+		json.NewEncoder(w).Encode(map[string]any{
+			"error":             "invalid_client",
+			"error_description": "Invalid client credentials",
 		})
 	})
 
-	authURL, err := url.Parse(server.URL + "/oauth/token")
-	require.NoError(t, err)
+	cfg := &clientcredentials.Config{
+		ClientID:     "client",
+		ClientSecret: "secret",
+		TokenURL:     server.URL + "/oauth/token",
+		AuthStyle:    oauth2.AuthStyleInParams,
+	}
 
+	ctx := context.WithValue(context.Background(), oauth2.HTTPClient, server.Client())
 	manager := &Oauth2AuthManager{
-		Credential: "client:secret",
-		AuthURI:    authURL,
-		Client:     server.Client(),
+		tokenSource: cfg.TokenSource(ctx),
 	}
 
-	_, _, err = manager.AuthHeader()
+	_, _, err := manager.AuthHeader()
 	require.Error(t, err)
-	assert.Contains(t, err.Error(), "invalid_client: Invalid client credentials")
+	assert.True(t, errors.Is(err, ErrOAuthError), "error should wrap ErrOAuthError")
+	assert.Contains(t, err.Error(), "invalid_client")
+	assert.Contains(t, err.Error(), "Invalid client credentials")
 }