Skip to content

feat(auth): add token refresh and logout-all#227

Open
YuMo12268 wants to merge 5 commits into
stack-rs:auth-enhancementfrom
YuMo12268:auth-refresh-logout
Open

feat(auth): add token refresh and logout-all#227
YuMo12268 wants to merge 5 commits into
stack-rs:auth-enhancementfrom
YuMo12268:auth-refresh-logout

Conversation

@YuMo12268

@YuMo12268 YuMo12268 commented Jul 8, 2026

Copy link
Copy Markdown

Summary

  • Make user login retain previously issued login tokens by default
  • Add authenticated /refresh endpoint to rotate the current login token
  • Add authenticated /revoke endpoint to invalidate all login tokens for the current user
  • Add client CLI, interactive commands, and SDK methods for refresh and revoke
  • Remove client and worker --retain flags because retain is now the default behavior
  • Update OpenAPI, config example, client guide, and SDK guide

Notes

  • login --refresh logs in with username/password and invalidates previously issued login tokens.
  • refresh uses the current valid token to issue a new token and invalidate previous login tokens.
  • revoke invalidates all login tokens for the current authenticated user.
  • Worker startup now retains previous login tokens by default. Worker runtime tokens are not changed by this PR.
  • The HTTP /login retain field is kept for API compatibility and defaults to true.

Checks

  • cargo fmt --all
  • cargo clippy --workspace
  • cargo build
  • cargo test
  • cargo doc
  • cd guide && mdbook build

Known Notes

  • cargo audit reported existing dependency advisories in the current dependency tree; these appear unrelated to the auth refresh/revoke changes.
  • cargo doc passed with an existing md5/md-5 output filename collision warning.

- Make login retain previous tokens by default
- Add refresh and logout-all HTTP endpoints
- Add client commands and SDK methods for token refresh and logout-all
- Update OpenAPI, config example, and client guide
@BobAnkh BobAnkh requested a review from un-lock-able July 8, 2026 14:52
@BobAnkh

BobAnkh commented Jul 8, 2026

Copy link
Copy Markdown
Member

@un-lock-able Please redirect to merge to a branch you specified

@un-lock-able un-lock-able changed the base branch from main to auth-enhancement July 8, 2026 15:34
@un-lock-able

Copy link
Copy Markdown

I think we can rename logout-all into revoke, and keep the logout-all as an alias.

Comment thread netmito/src/config/client/mod.rs Outdated
/// Whether to keep previously issued login tokens valid when logging in
#[arg(long)]
#[serde(default)]
pub retain: bool,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now retain is the default behavior, is this argument ever needed?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We shall replace it with new arguments

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated.

  • Replaced logout-all with revoke across the HTTP route, CLI/interactive command, SDK method, docs, and OpenAPI.
  • Removed the client and worker --retain flags because retain is now the default behavior.
  • Kept the HTTP /login retain field for API compatibility and documented that it defaults to true.

@BobAnkh

BobAnkh commented Jul 10, 2026

Copy link
Copy Markdown
Member

I think we can rename logout-all into revoke, and keep the logout-all as an alias.

I think we could just use revoke, which is a good name. I don't think we should keep logout-all, as it will be confusing when used together with the logout command.

- Rename logout-all to revoke across HTTP, CLI, SDK, docs, and OpenAPI
- Remove client and worker --retain flags because retain is now the default behavior
- Keep the HTTP login retain field for API compatibility and document its default behavior
@BobAnkh BobAnkh requested a review from un-lock-able July 11, 2026 15:23
Comment thread netmito/src/client/mod.rs Outdated
config.password,
config.retain,
)
.connect(config.credential_path, config.user, config.password, true)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since now retain is the default behavior, the last argument is redundent and should be removed.

Comment thread netmito/src/worker.rs Outdated
config.user.take(),
config.password.take(),
config.retain,
true,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is also redundent.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated. The default connect/login flow no longer passes an explicit retain argument. Default login now uses the retain-by-default helper, while login --refresh uses the refreshing helper with retain=false. I also updated the worker login path accordingly.

@BobAnkh BobAnkh requested a review from un-lock-able July 13, 2026 04:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants