feat(cli): boxlite auth login --web (RFC 8628 device flow) #529
Closed
DorianZheng wants to merge 1 commit into
Adds the auth subcommand family (login / logout / status) to boxlite-cli with two co-equal paths matching how dev-workstation products (Daytona, Gitpod, Codespaces, Vercel) ship auth:

- --api-key-stdin   paste an opaque key from the dashboard
- --web             browser-based device flow (recommended)

The interactive `boxlite auth login` (no flags) prompts the user to pick between the two; --non-interactive emits the verification URL + user_code as JSON for agent / IDE integrations.

Credentials at ~/.config/boxlite/credentials.toml (0600, parent 0700) as a typed sum: [profiles.<name>.credential.api_key] XOR [profiles.<name>.credential.oauth]. Sum-type-on-disk means the file parser rejects mixed state, not a runtime warn!() (matches the type-driven-over-data-driven rule).

Logout calls POST /v1/oauth/revoke best-effort (2s timeout) before deleting the profile from disk. Failure to revoke is non-fatal — local cleanup wins.

URL precedence: --url / BOXLITE_REST_URL > stored profile.
Credential precedence: BOXLITE_API_KEY env > stored profile.

New deps:

- rpassword 7      hidden TTY prompt for --api-key-stdin
- toml 0.8         credentials file format
- directories 5    XDG_CONFIG_HOME resolution
- reqwest 0.12     device flow polling (rustls-tls)
- webbrowser 1     open verification_uri_complete

Depends on the Rust SDK Credential enum (feat/auth-rest-credential). Wire protocol on feat/auth-single-bearer-impl. Server stubs on feat/auth-server-stubs.
This was referenced May 14, 2026
Superseded by #532 — three logical commits (SDK + CLI + server) consolidated into one PR.
Summary
Adds the `boxlite auth {login,logout,status}` subcommand family with two co-equal paths matching how dev-workstation products (Daytona, Gitpod, Codespaces, Vercel) ship auth:

- `--api-key-stdin` — paste an opaque key from the dashboard (no secret on argv)
- `--web` — browser-based device flow (recommended)

Interactive `boxlite auth login` (no flags) prompts the user to pick. `--non-interactive` emits the verification URL + user_code as JSON for IDE / agent integration (Stripe pattern).

Credentials are stored at `~/.config/boxlite/credentials.toml` (0600, parent 0700) as a typed sum:

```toml
[profiles.default]
url = "https://api.boxlite.ai"

[profiles.default.credential.api_key]
key = "blk_live_..."

# OR (mutually exclusive):
[profiles.default.credential.oauth]
access_token = "blo_..."
refresh_token = "blr_..."
expires_at = "2026-06-14T12:00:00Z"
```

Sum-type-on-disk means the file parser rejects mixed state, not a runtime `warn!()`.

Logout calls `POST /v1/oauth/revoke` best-effort (2s timeout) before deleting the profile from disk.

Precedence:

- `--url` / `BOXLITE_REST_URL` > stored profile.
- `BOXLITE_API_KEY` env > stored profile.

Stacked PRs
Base is PR 2 (`feat/auth-rest-credential`), not main. The diff shown here is CLI-only.

Test plan

- `cargo check -p boxlite-cli` + `cargo test -p boxlite-cli`
- `boxlite auth login` interactive flow against local `boxlite serve` reference server (PR 4)
- `echo "blk_test_xxx" | boxlite auth login --api-key-stdin`
- `BOXLITE_API_KEY=blk_test_xxx boxlite list` — env beats stored profile
- `boxlite auth logout` — revoke + delete profile
- `auth status` or any debug output
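
The 0600 file / 0700 parent layout described in the summary, as an added example that is not code from this PR or from the boxlite project: it creates the credentials file with its final mode at open time and refuses to read one that group or others can access. The function names, the temp-file-plus-rename write and the read-side mode check are assumptions of this sketch, and it is Unix-only.

```rust
use std::fs::{self, DirBuilder, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Permission bits of `path` (hypothetical helper for this example).
pub fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// Write `contents` to `path` as 0600 inside a 0700 parent. The mode is set
/// at creation, so the secret never exists on disk with wider permissions.
pub fn write_credentials(path: &Path, contents: &str) -> io::Result<()> {
    let dir = path
        .parent()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "no parent directory"))?;
    DirBuilder::new().recursive(true).mode(0o700).create(dir)?;
    // A directory that already existed keeps its old mode: tighten it.
    fs::set_permissions(dir, fs::Permissions::from_mode(0o700))?;

    let tmp = path.with_extension("toml.tmp");
    let _ = fs::remove_file(&tmp); // stale temp file from an interrupted run
    let mut file = OpenOptions::new()
        .write(true)
        .create_new(true) // O_EXCL: never write through a pre-planted file or symlink
        .mode(0o600)
        .open(&tmp)?;
    file.write_all(contents.as_bytes())?;
    file.sync_all()?;
    fs::rename(&tmp, path) // atomic replace; the new file is already 0600
}

/// Read the file only if group and others have no access to it.
pub fn read_credentials(path: &Path) -> io::Result<String> {
    let mode = mode_of(path)?;
    if mode & 0o077 != 0 {
        let msg = format!("{} has mode {:04o}, expected 0600", path.display(), mode);
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, msg));
    }
    fs::read_to_string(path)
}

fn main() -> io::Result<()> {
    // Constructed sample path and key, not a real credential.
    let path = std::env::temp_dir().join("boxlite-example/credentials.toml");
    write_credentials(&path, "[profiles.default.credential.api_key]\nkey = \"blk_test_xxx\"\n")?;
    println!("mode {:04o}, {} bytes", mode_of(&path)?, read_credentials(&path)?.len());
    Ok(())
}
```

Setting the mode in `open` rather than calling `chmod` afterwards closes the window in which another local user could read a freshly created file under a permissive umask.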