feat: Add OAuth support for HTTP Sync

[thisthat]

This PR

• adds support for OAuth in the HTTP Sync

Related Issues

Addresses #1785

Notes

Properly testing this via unit tests is not possible. The HTTP Sync is built by the syncbuilder pkg. This entails that testing any behavior of the HTTP Sync can only be possible as part of the syncbuilder module, which IMHO doesn't make much sense.

Follow-up Tasks

Add documentation for the new properties used in the HTTP Sync.
Available here: #1805

How to test

Manually create a small mockup server that handles OAuth requests

func (h *OAuthHandler) Authorize(w http.ResponseWriter, r *http.Request) {

	reqDump, _ := httputil.DumpRequest(r, true)
	fmt.Printf("GOT OAUTH REQUEST:\n%s", string(reqDump))

	w.WriteHeader(http.StatusOK)
	w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
	w.Write([]byte("access_token=mocktoken&scope=mockscope&token_type=bearer"))
}

Afterwards, start flagd pointing to the mockup server:

go run main.go start --sources='[{ "uri": "http://localhost:8180/flags", "provider": "http", "interval": 1, "bearerToken": "it-will-be-overridden", "oauthConfig": { "clientID": "test", "clientSecret": "test", "tokenUrl": "http://localhost:8180/oauth" }}]'

The HTTP request to http://localhost:8180/flags will contain the HTTP Header Authorization: Bearer mocktoken.

[netlify]

✅ Deploy Preview for polite-licorice-3db33c canceled.

Name	Link
🔨 Latest commit	d0b41ee
🔍 Latest deploy log	https://app.netlify.com/projects/polite-licorice-3db33c/deploys/68e3e32a7b9b45000833f23d

[gemini-code-assist]

Summary of Changes

Hello @thisthat, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces OAuth 2.0 client credentials flow support for HTTP synchronization, allowing flagd to authenticate with remote flag sources using OAuth. This enhances security and flexibility for fetching flag configurations.

Highlights

• OAuth Integration: Implemented OAuth 2.0 client credentials flow for HTTP Sync, enabling secure authentication with flag sources.
• Configurable HTTP Client: The HTTP client used for synchronization now dynamically configures itself to use OAuth if oauthConfig is provided in the source configuration.
• New Configuration Structure: Introduced a dedicated OAuthConfig structure to define OAuth client ID, client secret, and token URL within the source configuration.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces OAuth support for the HTTP Sync provider, which is a great addition. The implementation is solid, but I've identified a few areas for improvement to enhance robustness, flexibility, and adherence to Go's idiomatic coding style. Specifically, the new OAuth HTTP client is missing a request timeout, which could lead to hanging requests. Additionally, the OAuth authentication style is hardcoded, which might limit compatibility with some OAuth servers. Lastly, some of the new struct field names could be adjusted to better align with Go conventions. I've provided detailed comments and code suggestions to address these points.

[thisthat]

move the logic of creating the HTTPSync inside the HTTPSync

[thisthat]

we don't need to expose these details anymore since we moved its construction here

[aepfli]

Generally those changes look great, we do have some minor improvements/questions - but generally the implementation looks fine.

The biggest part missing tough is documentation, and currently this looks like a hidden feature. Especially the fact that filesource for oauth takes priority, and the current double purpose of clientId and clientSecret.

[toddbaert]

I'll review this tomorrow, first thing. Thanks @thisthat

[toddbaert]

I pushed one small change to fix some static checks on a unit test and improve some mocking.

Looks great @thisthat , thanks 🙏