ee362f7785
* refactor(oauth): async coroutine support, pure-Lua PKCE, server hardening Problem: OAuth module shelled out to openssl for PKCE, used blocking `vim.system():wait()`, had a weak `os.time()` PRNG seed, and the TCP callback server leaked on read errors with no timeout. Solution: Add `M.system()` coroutine wrapper and `M.async()` helper, replace openssl with `vim.fn.sha256` + `vim.base64.encode`, seed from `vim.uv.hrtime()`, add `close_server()` guard with 120s timeout, and close the server on read errors. * fix(gtasks): async operations, error notifications, buffer refresh Problem: Sync operations blocked the editor, `push_pass` silently dropped delete/update/create API errors, and the buffer was not re-rendered after push/pull/sync. Solution: Wrap `push`, `pull`, `sync` in `oauth.async()`, add `vim.notify` for all `push_pass` failure paths, and re-render the pending buffer after each operation. * fix(init): edit recompute, filter predicates, sync action listing Problem: `M.edit()` skipped `_recompute_counts()` after saving, `compute_hidden_ids` lacked `done`/`pending` predicates, and `run_sync` defaulted to `sync` instead of listing available actions. Solution: Replace `s:save()` with `_save_and_notify()` in `M.edit()`, add `done` and `pending` filter predicates, and list backend actions when no action is specified. * refactor(gcal): per-category calendars, async push, error notifications Problem: gcal used a single hardcoded calendar name, ran synchronously blocking the editor, and silently dropped some API errors. Solution: Fetch all calendars and map categories to calendars (creating on demand), wrap push in `oauth.async()`, notify on individual API failures, track `_gcal_calendar_id` in `_extra`, and remove the `$` anchor from `next_day` pattern. * refactor: formatting fixes, config cleanup, health simplification Problem: Formatter disagreements in `init.lua` and `gtasks.lua`, stale `calendar` field in gcal config, and redundant health checks for data directory existence. Solution: Apply stylua formatting, remove `calendar` field from `pending.GcalConfig`, drop data-dir and no-file health messages, add `done`/`pending` to filter tab-completion candidates. * docs: update vimdoc for sync refactor, remove demo scripts Problem: Docs still referenced openssl dependency, defaulting to `sync` action, and the `calendar` config field. Demo scripts used the old singleton `store` API. Solution: Update vimdoc and README to reflect explicit actions, per- category calendars, and pure-Lua PKCE. Remove stale demo scripts and update sync specs to match new behavior. * fix(types): correct LuaLS annotations in oauth and gcal
405 lines
10 KiB
Lua
405 lines
10 KiB
Lua
local config = require('pending.config')
|
|
|
|
local TOKEN_URL = 'https://oauth2.googleapis.com/token'
|
|
local AUTH_URL = 'https://accounts.google.com/o/oauth2/v2/auth'
|
|
|
|
local BUNDLED_CLIENT_ID = 'PLACEHOLDER'
|
|
local BUNDLED_CLIENT_SECRET = 'PLACEHOLDER'
|
|
|
|
---@class pending.OAuthCredentials
|
|
---@field client_id string
|
|
---@field client_secret string
|
|
|
|
---@class pending.OAuthTokens
|
|
---@field access_token string
|
|
---@field refresh_token string
|
|
---@field expires_in? integer
|
|
---@field obtained_at? integer
|
|
|
|
---@class pending.OAuthClient
|
|
---@field name string
|
|
---@field scope string
|
|
---@field port integer
|
|
---@field config_key string
|
|
local OAuthClient = {}
|
|
OAuthClient.__index = OAuthClient
|
|
|
|
---@class pending.oauth
|
|
local M = {}
|
|
|
|
---@param args string[]
|
|
---@param opts? table
|
|
---@return { code: integer, stdout: string, stderr: string }
|
|
function M.system(args, opts)
|
|
local co = coroutine.running()
|
|
if not co then
|
|
return vim.system(args, opts or {}):wait() --[[@as { code: integer, stdout: string, stderr: string }]]
|
|
end
|
|
vim.system(args, opts or {}, function(result)
|
|
vim.schedule(function()
|
|
coroutine.resume(co, result)
|
|
end)
|
|
end)
|
|
return coroutine.yield() --[[@as { code: integer, stdout: string, stderr: string }]]
|
|
end
|
|
|
|
---@param fn fun(): nil
|
|
function M.async(fn)
|
|
coroutine.resume(coroutine.create(fn))
|
|
end
|
|
|
|
---@param str string
|
|
---@return string
|
|
function M.url_encode(str)
|
|
return (
|
|
str:gsub('([^%w%-%.%_%~])', function(c)
|
|
return string.format('%%%02X', string.byte(c))
|
|
end)
|
|
)
|
|
end
|
|
|
|
---@param path string
|
|
---@return table?
|
|
function M.load_json_file(path)
|
|
local f = io.open(path, 'r')
|
|
if not f then
|
|
return nil
|
|
end
|
|
local content = f:read('*a')
|
|
f:close()
|
|
if content == '' then
|
|
return nil
|
|
end
|
|
local ok, decoded = pcall(vim.json.decode, content)
|
|
if not ok then
|
|
return nil
|
|
end
|
|
return decoded
|
|
end
|
|
|
|
---@param path string
|
|
---@param data table
|
|
---@return boolean
|
|
function M.save_json_file(path, data)
|
|
local dir = vim.fn.fnamemodify(path, ':h')
|
|
if vim.fn.isdirectory(dir) == 0 then
|
|
vim.fn.mkdir(dir, 'p')
|
|
end
|
|
local f = io.open(path, 'w')
|
|
if not f then
|
|
return false
|
|
end
|
|
f:write(vim.json.encode(data))
|
|
f:close()
|
|
vim.fn.setfperm(path, 'rw-------')
|
|
return true
|
|
end
|
|
|
|
---@param method string
|
|
---@param url string
|
|
---@param headers? string[]
|
|
---@param body? string
|
|
---@return table? result
|
|
---@return string? err
|
|
function M.curl_request(method, url, headers, body)
|
|
local args = { 'curl', '-s', '-X', method }
|
|
for _, h in ipairs(headers or {}) do
|
|
table.insert(args, '-H')
|
|
table.insert(args, h)
|
|
end
|
|
if body then
|
|
table.insert(args, '-d')
|
|
table.insert(args, body)
|
|
end
|
|
table.insert(args, url)
|
|
local result = M.system(args, { text = true })
|
|
if result.code ~= 0 then
|
|
return nil, 'curl failed: ' .. (result.stderr or '')
|
|
end
|
|
if not result.stdout or result.stdout == '' then
|
|
return {}, nil
|
|
end
|
|
local ok, decoded = pcall(vim.json.decode, result.stdout)
|
|
if not ok then
|
|
return nil, 'failed to parse response: ' .. result.stdout
|
|
end
|
|
if decoded.error then
|
|
return nil, 'API error: ' .. (decoded.error.message or vim.json.encode(decoded.error))
|
|
end
|
|
return decoded, nil
|
|
end
|
|
|
|
---@param access_token string
|
|
---@return string[]
|
|
function M.auth_headers(access_token)
|
|
return {
|
|
'Authorization: Bearer ' .. access_token,
|
|
'Content-Type: application/json',
|
|
}
|
|
end
|
|
|
|
---@param backend_name string
|
|
---@return nil
|
|
function M.health(backend_name)
|
|
if vim.fn.executable('curl') == 1 then
|
|
vim.health.ok('curl found (required for ' .. backend_name .. ' sync)')
|
|
else
|
|
vim.health.warn('curl not found (needed for ' .. backend_name .. ' sync)')
|
|
end
|
|
end
|
|
|
|
---@return string
|
|
function OAuthClient:token_path()
|
|
return vim.fn.stdpath('data') .. '/pending/' .. self.name .. '_tokens.json'
|
|
end
|
|
|
|
---@return pending.OAuthCredentials
|
|
function OAuthClient:resolve_credentials()
|
|
local cfg = config.get()
|
|
local backend_cfg = (cfg.sync and cfg.sync[self.config_key]) or {}
|
|
|
|
if backend_cfg.client_id and backend_cfg.client_secret then
|
|
return {
|
|
client_id = backend_cfg.client_id,
|
|
client_secret = backend_cfg.client_secret,
|
|
}
|
|
end
|
|
|
|
local cred_path = backend_cfg.credentials_path
|
|
or (vim.fn.stdpath('data') .. '/pending/' .. self.name .. '_credentials.json')
|
|
local creds = M.load_json_file(cred_path)
|
|
if creds then
|
|
if creds.installed then
|
|
creds = creds.installed
|
|
end
|
|
if creds.client_id and creds.client_secret then
|
|
return creds --[[@as pending.OAuthCredentials]]
|
|
end
|
|
end
|
|
|
|
return {
|
|
client_id = BUNDLED_CLIENT_ID,
|
|
client_secret = BUNDLED_CLIENT_SECRET,
|
|
}
|
|
end
|
|
|
|
---@return pending.OAuthTokens?
|
|
function OAuthClient:load_tokens()
|
|
return M.load_json_file(self:token_path()) --[[@as pending.OAuthTokens?]]
|
|
end
|
|
|
|
---@param tokens pending.OAuthTokens
|
|
---@return boolean
|
|
function OAuthClient:save_tokens(tokens)
|
|
return M.save_json_file(self:token_path(), tokens)
|
|
end
|
|
|
|
---@param creds pending.OAuthCredentials
|
|
---@param tokens pending.OAuthTokens
|
|
---@return pending.OAuthTokens?
|
|
function OAuthClient:refresh_access_token(creds, tokens)
|
|
local body = 'client_id='
|
|
.. M.url_encode(creds.client_id)
|
|
.. '&client_secret='
|
|
.. M.url_encode(creds.client_secret)
|
|
.. '&grant_type=refresh_token'
|
|
.. '&refresh_token='
|
|
.. M.url_encode(tokens.refresh_token)
|
|
local result = M.system({
|
|
'curl',
|
|
'-s',
|
|
'-X',
|
|
'POST',
|
|
'-H',
|
|
'Content-Type: application/x-www-form-urlencoded',
|
|
'-d',
|
|
body,
|
|
TOKEN_URL,
|
|
}, { text = true })
|
|
if result.code ~= 0 then
|
|
return nil
|
|
end
|
|
local ok, decoded = pcall(vim.json.decode, result.stdout or '')
|
|
if not ok or not decoded.access_token then
|
|
return nil
|
|
end
|
|
tokens.access_token = decoded.access_token --[[@as string]]
|
|
tokens.expires_in = decoded.expires_in --[[@as integer?]]
|
|
tokens.obtained_at = os.time()
|
|
self:save_tokens(tokens)
|
|
return tokens
|
|
end
|
|
|
|
---@return string?
|
|
function OAuthClient:get_access_token()
|
|
local creds = self:resolve_credentials()
|
|
local tokens = self:load_tokens()
|
|
if not tokens or not tokens.refresh_token then
|
|
self:auth()
|
|
tokens = self:load_tokens()
|
|
if not tokens then
|
|
return nil
|
|
end
|
|
end
|
|
local now = os.time()
|
|
local obtained = tokens.obtained_at or 0
|
|
local expires = tokens.expires_in or 3600
|
|
if now - obtained > expires - 60 then
|
|
tokens = self:refresh_access_token(creds, tokens)
|
|
if not tokens then
|
|
vim.notify('pending.nvim: Failed to refresh access token.', vim.log.levels.ERROR)
|
|
return nil
|
|
end
|
|
end
|
|
return tokens.access_token
|
|
end
|
|
|
|
---@return nil
|
|
function OAuthClient:auth()
|
|
local creds = self:resolve_credentials()
|
|
local port = self.port
|
|
|
|
local verifier_chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~'
|
|
local verifier = {}
|
|
math.randomseed(vim.uv.hrtime())
|
|
for _ = 1, 64 do
|
|
local idx = math.random(1, #verifier_chars)
|
|
table.insert(verifier, verifier_chars:sub(idx, idx))
|
|
end
|
|
local code_verifier = table.concat(verifier)
|
|
|
|
local hex = vim.fn.sha256(code_verifier)
|
|
local binary = hex:gsub('..', function(h)
|
|
return string.char(tonumber(h, 16))
|
|
end)
|
|
local code_challenge = vim.base64.encode(binary):gsub('+', '-'):gsub('/', '_'):gsub('=', '')
|
|
|
|
local auth_url = AUTH_URL
|
|
.. '?client_id='
|
|
.. M.url_encode(creds.client_id)
|
|
.. '&redirect_uri='
|
|
.. M.url_encode('http://127.0.0.1:' .. port)
|
|
.. '&response_type=code'
|
|
.. '&scope='
|
|
.. M.url_encode(self.scope)
|
|
.. '&access_type=offline'
|
|
.. '&prompt=consent'
|
|
.. '&code_challenge='
|
|
.. M.url_encode(code_challenge)
|
|
.. '&code_challenge_method=S256'
|
|
|
|
vim.ui.open(auth_url)
|
|
vim.notify('pending.nvim: Opening browser for Google authorization...')
|
|
|
|
local server = vim.uv.new_tcp()
|
|
local server_closed = false
|
|
local function close_server()
|
|
if server_closed then
|
|
return
|
|
end
|
|
server_closed = true
|
|
server:close()
|
|
end
|
|
|
|
server:bind('127.0.0.1', port)
|
|
server:listen(1, function(err)
|
|
if err then
|
|
return
|
|
end
|
|
local conn = vim.uv.new_tcp()
|
|
server:accept(conn)
|
|
conn:read_start(function(read_err, data)
|
|
if read_err or not data then
|
|
conn:close()
|
|
close_server()
|
|
return
|
|
end
|
|
local code = data:match('[?&]code=([^&%s]+)')
|
|
local response_body = code
|
|
and '<html><body><h1>Authorization successful</h1><p>You can close this tab.</p></body></html>'
|
|
or '<html><body><h1>Authorization failed</h1></body></html>'
|
|
local http_response = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n'
|
|
.. response_body
|
|
conn:write(http_response, function()
|
|
conn:shutdown(function()
|
|
conn:close()
|
|
end)
|
|
end)
|
|
close_server()
|
|
if code then
|
|
vim.schedule(function()
|
|
self:_exchange_code(creds, code, code_verifier, port)
|
|
end)
|
|
end
|
|
end)
|
|
end)
|
|
|
|
vim.defer_fn(function()
|
|
if not server_closed then
|
|
close_server()
|
|
vim.notify('pending.nvim: OAuth callback timed out (120s).', vim.log.levels.WARN)
|
|
end
|
|
end, 120000)
|
|
end
|
|
|
|
---@param creds pending.OAuthCredentials
|
|
---@param code string
|
|
---@param code_verifier string
|
|
---@param port integer
|
|
---@return nil
|
|
function OAuthClient:_exchange_code(creds, code, code_verifier, port)
|
|
local body = 'client_id='
|
|
.. M.url_encode(creds.client_id)
|
|
.. '&client_secret='
|
|
.. M.url_encode(creds.client_secret)
|
|
.. '&code='
|
|
.. M.url_encode(code)
|
|
.. '&code_verifier='
|
|
.. M.url_encode(code_verifier)
|
|
.. '&grant_type=authorization_code'
|
|
.. '&redirect_uri='
|
|
.. M.url_encode('http://127.0.0.1:' .. port)
|
|
|
|
local result = M.system({
|
|
'curl',
|
|
'-s',
|
|
'-X',
|
|
'POST',
|
|
'-H',
|
|
'Content-Type: application/x-www-form-urlencoded',
|
|
'-d',
|
|
body,
|
|
TOKEN_URL,
|
|
}, { text = true })
|
|
|
|
if result.code ~= 0 then
|
|
vim.notify('pending.nvim: Token exchange failed.', vim.log.levels.ERROR)
|
|
return
|
|
end
|
|
|
|
local ok, decoded = pcall(vim.json.decode, result.stdout or '')
|
|
if not ok or not decoded.access_token then
|
|
vim.notify('pending.nvim: Invalid token response.', vim.log.levels.ERROR)
|
|
return
|
|
end
|
|
|
|
decoded.obtained_at = os.time()
|
|
self:save_tokens(decoded)
|
|
vim.notify('pending.nvim: ' .. self.name .. ' authorized successfully.')
|
|
end
|
|
|
|
---@param opts { name: string, scope: string, port: integer, config_key: string }
|
|
---@return pending.OAuthClient
|
|
function M.new(opts)
|
|
return setmetatable({
|
|
name = opts.name,
|
|
scope = opts.scope,
|
|
port = opts.port,
|
|
config_key = opts.config_key,
|
|
}, OAuthClient)
|
|
end
|
|
|
|
M._BUNDLED_CLIENT_ID = BUNDLED_CLIENT_ID
|
|
M._BUNDLED_CLIENT_SECRET = BUNDLED_CLIENT_SECRET
|
|
|
|
return M
|