Authentication Commands
The aeroflare auth suite manages secrets and credentials for internal operations. Rather than just a generic credential store, the underlying logic is deeply tied to Aeroflare's specific API requirements, enforcing necessary OAuth scopes and directly setting environment variables utilized by underlying engines (e.g., OCI registry pushes).
aeroflare auth login
Initiates the interactive authentication wizard. Behind the scenes, it utilizes SecretsManager.Set to persist credentials to the local keychain.
Internal Keys Managed:
github-token: Stored for GitHub operations andghcr.ioOCI registry interactions.gitlab-token: Stored for GitLab operations.cf-token: Cloudflare API Token.cf-user-id: Cloudflare Account ID.oci-{registry}-username/oci-{registry}-token: Custom OCI registry credentials.
GitHub Device Flow Details:
If the "Device Auth Flow" is selected for GitHub, the CLI invokes auth.RequestDeviceCode and auth.PollAccessToken using the hardcoded GitHub Client ID Ov23liIJyLpd2Cse5gne.
Non-Interactive Execution:
If specific CLI flags or environment variables are provided (mapped internally to globalGithubToken, globalGitlabToken, globalCfToken, globalCfUserID), the command bypasses the interactive wizard, sets the provided keys directly in the SecretsManager, and exits.
aeroflare auth list
Lists all saved authentication credentials in a tabular format, or as JSON if the --json flag is provided.
Validation Mechanics: During execution, the CLI proactively validates tokens against remote APIs:
- GitHub (
github-token): InvokesGET https://api.github.com/userwith the saved token. It explicitly checks theX-OAuth-Scopesresponse header for thewrite:packagesandworkflowscopes. If missing, a warning is emitted to the user, as these are mandatory for GHCR pushes and Actions integration. - GitLab (
gitlab-token): InvokesGET https://gitlab.com/api/v4/userto resolve and display the associated GitLab username. - OCI Registries: Parses the internal keychain for keys matching the
oci-*-usernameandoci-*-tokenpatterns, grouping them by registry domain for display.
aeroflare auth import
A utility to scrape and import active credentials from other developer tools.
Import Sources & Mechanics:
- GitHub CLI (
gh): Executesgh auth tokenas a subprocess. If successful, checks the token for thewrite:packagesscope via the GitHub API and stores it asgithub-token. - GitLab CLI (
glab): Executesglab auth tokenas a subprocess and stores it asgitlab-token. - Docker CLI: Reads and parses
~/.docker/config.json. It base64-decodes theauthfield for each configured registry, splits the result into username and token, and stores them in theSecretsManagerusing theoci-{registry}-usernameandoci-{registry}-tokenformats.
aeroflare auth set / aeroflare auth remove
Low-level utilities for direct manipulation of the SecretsManager.
set [key] [value]: Directly invokesSecretsManager.Set(key, value). Useful for injecting custom secrets or overriding specific OCI registry configurations.remove [key]: Directly invokesSecretsManager.Delete(key).
Credential Resolution & Environment Injection
Commands across the Aeroflare CLI that require authentication rely on the cmd/auth_resolve.go mechanisms. These functions handle fallback chains and environment injection for subprocesses.
Resolution Chain (RequireGithubToken, RequireCloudflareToken, etc.):
- Global Flags: Checks variables set by command-line flags (e.g.,
globalGithubToken). - Keychain: Uses
auth.NewResolver().WithSecretsManager()to retrieve the secret from the internal store. - Environment Variables: As a fallback, resolvers inspect standard environment variables (e.g.,
CLOUDFLARE_API_TOKEN,CLOUDFLARE_ACCOUNT_ID,GITHUB_TOKEN,GITLAB_TOKEN). - Interactive Prompt: If all the above fail and
os.Stdinis a TTY (isTerminal() == true), the respective interactive wizard (fromauth_wizard.go) is launched dynamically. - Fatal Exit: If not in a TTY, the CLI prints an error and exits with code 1.
Environment Injection (getTokenForRegistry, getOptionalTokenForRegistry):
When resolving tokens for OCI registry pushes, the CLI manipulates the current process's environment variables to ensure underlying engines authenticate successfully:
- For
ghcr.io: Exportsoci_tokenandGITHUB_TOKENinto the environment. - For other registries: Exports
oci_tokeninto the environment.