New login flow PoC #50
Conversation
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
There was a problem hiding this comment.
Greptile Summary
This PR implements a new OAuth-based authentication flow for the Corgea CLI as an alternative to the existing token-based login system. The changes introduce a browser-based login experience where users can authenticate via corgea login or corgea login --scope client-url-slug for custom domains.
The implementation adds a new authorize.rs module that creates a local HTTP server on localhost (starting from port 9876) to handle OAuth callbacks. When users run the login command, the CLI opens their default browser to the Corgea authentication page, waits for the OAuth callback with an authorization code, then exchanges this code for a user token using the new exchange_code_for_token function in api.rs. The system maintains backward compatibility by keeping the existing token-based authentication as the primary flow when a token is explicitly provided.
Key architectural changes include:
- Seven new dependencies in
Cargo.tomlsupporting async operations (tokio), HTTP server functionality (hyper ecosystem), URL manipulation, and browser integration - Optional token and scope parameters in the Login command structure, allowing flexible authentication methods
- Sophisticated error handling and user feedback with styled HTML responses for success/error states
- Support for custom Corgea instances through the scope parameter, enabling enterprise customers with custom subdomains
The OAuth flow integrates seamlessly with the existing configuration system to store authentication credentials and base URLs, while providing a more user-friendly experience that eliminates manual token copying from web interfaces.
Confidence score: 4/5
- This PR is generally safe to merge with some minor considerations around the local HTTP server implementation
- Score reflects well-structured OAuth implementation with proper error handling, though the local server component introduces some complexity that warrants attention
- Pay close attention to
src/authorize.rsfor the HTTP server logic and port binding behavior
4 files reviewed, 1 comment
| let response = client | ||
| .get(&exchange_url) | ||
| .query(&[("code", code)]) | ||
| .send()?; |
There was a problem hiding this comment.
style: Missing warning check that other API functions in this module use via check_for_warnings(response.headers(), response.status())
| .send()?; | |
| let response = client | |
| .get(&exchange_url) | |
| .query(&[("code", code)]) | |
| .send()?; | |
| check_for_warnings(response.headers(), response.status()); |
Updated login flow for better dev experience, now we have
corgea login&corgea login --scope client-url-slugScreen.Recording.2025-08-24.110519.mp4