Kyle Isom
edef642025
Replace per-call SSH signing with a two-layer auth system: Server: AuthInterceptor verifies JWT tokens (HMAC-SHA256 signed with repo-local jwt.key). Authenticate RPC accepts SSH-signed challenges and issues 30-day JWTs. Expired-but-valid tokens return a ReauthChallenge in error details (server-provided nonce for fast re-auth). Authenticate RPC is exempt from token requirement. Client: TokenCredentials replaces SSHCredentials as the primary PerRPCCredentials. NewWithAuth creates clients with auto-renewal — EnsureAuth obtains initial token, retryOnAuth catches Unauthenticated errors and re-authenticates transparently. Token cached at $XDG_STATE_HOME/sgard/token (0600). CLI: dialRemote() helper handles token loading, connection setup, and initial auth. Push/pull/prune commands simplified to use it. Proto: Added Authenticate RPC, AuthenticateRequest/Response, ReauthChallenge messages. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
45 lines
697 B
Go
45 lines
697 B
Go
package main
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
"github.com/kisom/sgard/garden"
|
|
"github.com/spf13/cobra"
|
|
)
|
|
|
|
var pullCmd = &cobra.Command{
|
|
Use: "pull",
|
|
Short: "Pull checkpoint from remote server",
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
ctx := context.Background()
|
|
|
|
g, err := garden.Open(repoFlag)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
c, cleanup, err := dialRemote(ctx)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer cleanup()
|
|
|
|
pulled, err := c.Pull(ctx, g)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if pulled == 0 {
|
|
fmt.Println("Already up to date.")
|
|
} else {
|
|
fmt.Printf("Pulled %d blob(s).\n", pulled)
|
|
}
|
|
return nil
|
|
},
|
|
}
|
|
|
|
func init() {
|
|
rootCmd.AddCommand(pullCmd)
|
|
}
|