feat(auth): self-service browser login (OAuth device flow)#4
Merged
Conversation
`ft login` (no --key) now runs the OAuth 2.0 Device Authorization Grant (RFC 8628): prints a user code, opens the browser, and polls POST /auth/device/token (honoring slow_down/expired_token/access_denied) until approval, then stores the minted session and verifies it via /me. Anyone with a FreeTicket account can log in without a backend-issued API key; `ft login --key ft_live_…` stays for headless CI. Regenerates the client from the production contract (free-admin#160: POST /auth/device/code + POST /auth/device/token) and points sync-openapi at production by default (local backend via FT_OPENAPI_URL). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Qodo reviews are paused for this user.Troubleshooting steps vary by plan Learn more → On a Teams plan? Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
ft login(no--key) now runs the OAuth 2.0 Device Authorization Grant (RFC 8628):POST /auth/device/code→ prints a short user code + URL and opens the browser.POST /auth/device/token, honoringslow_down/expired_token/access_denied.access_token+ workspace and verifies via/me.Anyone with a FreeTicket account can now log in without a backend-issued API key.
ft login --key ft_live_…stays for headless CI.Contract
Consumes
POST /auth/device/code+POST /auth/device/token(AppFreeticket/free-admin#160). Client regenerated from the production spec;sync-openapinow defaults to production (local backend viaFT_OPENAPI_URL).Notes
access_token+workspaces[]; with multiple workspaces the CLI uses the first and prints how to switch (--workspace).configureClient,saveConfig) unchanged — the token is stored and sent asBearer, same as an API key.Test
typecheck✓ ·vitest✓ ·build✓ ·ft login --helpshows--keynow optional. End-to-end device flow needs the live backend.🤖 Generated with Claude Code