[envsec] Ensure id token is refreshed (#166)

## Summary

* Ensure refresh updates id token, previously it was only updating
access token.
* Changed GetSession and a few internal functions to return errors
instead of just swallowing it up.

## How was it tested?

```
envsec auth logout
envsec auth whoami
envsec auth login
envsec auth whoami
envsec auth refresh
# inspected id token to ensure it was refreshed
```

Author: mikeland73

envsec/internal/envcli/auth.go

@@ -6,7 +6,6 @@ package envcli
 import (
 	"fmt"
 
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"go.jetpack.io/envsec/internal/envvar"
 	"go.jetpack.io/pkg/sandbox/auth"
@@ -20,7 +19,6 @@ func authCmd() *cobra.Command {
 
 	cmd.AddCommand(loginCmd())
 	cmd.AddCommand(logoutCmd())
-	cmd.AddCommand(refreshCmd())
 	cmd.AddCommand(whoAmICmd())
 
 	return cmd
@@ -70,31 +68,6 @@ func logoutCmd() *cobra.Command {
 	return cmd
 }
 
-// This is for debugging purposes only. Hidden.
-func refreshCmd() *cobra.Command {
-	cmd := &cobra.Command{
-		Use:    "refresh",
-		Short:  "Refresh credentials",
-		Args:   cobra.ExactArgs(0),
-		Hidden: true,
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := newAuthClient()
-			if err != nil {
-				return err
-			}
-
-			_, ok := client.GetSession(cmd.Context())
-			if !ok {
-				return errors.New("Failed to refresh: not logged in. Run `envsec auth login` to log in")
-			}
-			fmt.Fprintln(cmd.OutOrStdout(), "Refreshed successfully")
-			return nil
-		},
-	}
-
-	return cmd
-}
-
 type whoAmICmdFlags struct {
 	showTokens bool
 }
@@ -111,9 +84,9 @@ func whoAmICmd() *cobra.Command {
 				return err
 			}
 
-			tok, ok := client.GetSession(cmd.Context())
-			if !ok {
-				return errors.New("not logged in. Run `envsec auth login` to log in")
+			tok, err := client.GetSession(cmd.Context())
+			if err != nil {
+				return fmt.Errorf("error: %w. Run `envsec auth login` to log in", err)
 			}
 			idClaims := tok.IDClaims()
 
@@ -136,7 +109,6 @@ func whoAmICmd() *cobra.Command {
 				fmt.Fprintf(cmd.OutOrStdout(), "Access Token: %s\n", tok.AccessToken)
 				fmt.Fprintf(cmd.OutOrStdout(), "ID Token: %s\n", tok.IDToken)
 				fmt.Fprintf(cmd.OutOrStdout(), "Refresh Token: %s\n", tok.RefreshToken)
-
 			}
 
 			return nil

envsec/internal/envcli/flags.go

@@ -5,6 +5,7 @@ package envcli
 
 import (
 	"context"
+	"fmt"
 	"os"
 
 	"github.com/pkg/errors"
@@ -56,8 +57,8 @@ func (f *configFlags) validateProjectID(orgID typeids.OrganizationID) (string, e
 	}
 	config, err := jetcloud.ProjectConfig(wd)
 	if errors.Is(err, os.ErrNotExist) {
-		return "", errors.Errorf(
-			"Project ID not specified. You must run `envsec init` or specify --project-id in this directory",
+		return "", fmt.Errorf(
+			"project ID not specified. You must run `envsec init` or specify --project-id in this directory",
 		)
 	} else if err != nil {
 		return "", errors.WithStack(err)
@@ -81,7 +82,6 @@ type cmdConfig struct {
 
 func (f *configFlags) genConfig(ctx context.Context) (*cmdConfig, error) {
 	var tok *session.Token
-	var ok bool
 	var err error
 
 	if f.orgID == "" {
@@ -90,10 +90,11 @@ func (f *configFlags) genConfig(ctx context.Context) (*cmdConfig, error) {
 			return nil, err
 		}
 
-		tok, ok = client.GetSession(ctx)
-		if !ok {
-			return nil, errors.Errorf(
-				"To use envsec you must log in (`envsec auth login`) or specify --project-id and --org-id",
+		tok, err = client.GetSession(ctx)
+		if err != nil {
+			return nil, fmt.Errorf(
+				"error: %w. To use envsec you must log in (`envsec auth login`) or specify --project-id and --org-id",
+				err,
 			)
 		}
 	}

envsec/internal/envcli/init.go

@@ -19,9 +19,9 @@ func initCmd() *cobra.Command {
 			if err != nil {
 				return err
 			}
-			tok, ok := client.GetSession(cmd.Context())
-			if !ok {
-				return errors.New("not logged in, run `envsec auth login`")
+			tok, err := client.GetSession(cmd.Context())
+			if err != nil {
+				return fmt.Errorf("error: %w, run `envsec auth login`", err)
 			}
 
 			wd, err := os.Getwd()

pkg/sandbox/auth/auth.go

@@ -2,6 +2,7 @@ package auth
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -15,6 +16,8 @@ import (
 	"go.jetpack.io/pkg/sandbox/auth/internal/tokenstore"
 )
 
+var ErrNotLoggedIn = fmt.Errorf("not logged in")
+
 type Client struct {
 	issuer   string
 	clientID string
@@ -58,40 +61,37 @@ func (c *Client) LogoutFlow() error {
 	return c.RevokeSession()
 }
 
-// GetSession returns the current valid session token, if any. If token is expired,
-// it will attempt to refresh it. If no token is found, or is unable to be refreshed,
-// it will return nil and false.
-// TODO: automatically refresh token as needed
-func (c *Client) GetSession(ctx context.Context) (*session.Token, bool) {
-	tok := c.store.ReadToken(c.issuer, c.clientID)
-	if tok == nil {
-		return nil, false
+// GetSession returns the current valid session token, if any. If token is
+// expired, it will attempt to refresh it. If no token is found, or is unable
+// to be refreshed, it will return error.
+func (c *Client) GetSession(ctx context.Context) (*session.Token, error) {
+	tok, err := c.store.ReadToken(c.issuer, c.clientID)
+	if errors.Is(err, os.ErrNotExist) {
+		return nil, ErrNotLoggedIn
+	} else if err != nil {
+		return nil, err
 	}
 
 	// Refresh if the token is no longer valid:
 	if !tok.Valid() {
-		tok = c.refresh(ctx, tok)
-		if !tok.Valid() {
-			return nil, false
+		tok, err = c.refresh(ctx, tok)
+		if err != nil {
+			return nil, err
 		}
 	}
 
-	return tok, true
+	return tok, nil
 }
 
 func (c *Client) refresh(
 	ctx context.Context,
 	tok *session.Token,
-) *session.Token {
-	if tok == nil {
-		return nil
-	}
-
+) (*session.Token, error) {
 	// TODO: figure out how to share oidc provider and oauth2 client
 	// with auth flow:
 	provider, err := oidc.NewProvider(ctx, c.issuer)
 	if err != nil {
-		return tok
+		return tok, err
 	}
 
 	conf := oauth2.Config{
@@ -104,18 +104,19 @@ func (c *Client) refresh(
 	tokenSource := conf.TokenSource(ctx, &tok.Token)
 	newToken, err := tokenSource.Token()
 	if err != nil {
-		return tok
+		return tok, err
 	}
 
 	if newToken.AccessToken != tok.AccessToken {
 		tok.Token = *newToken
+		tok.IDToken = newToken.Extra("id_token").(string)
 		err = c.store.WriteToken(c.issuer, c.clientID, tok)
 		if err != nil {
-			return tok
+			return tok, err
 		}
 	}
 
-	return tok
+	return tok, nil
 }
 
 func (c *Client) RevokeSession() error {

pkg/sandbox/auth/internal/tokenstore/tokenstore.go

@@ -23,14 +23,14 @@ func New(rootDir string) (*Store, error) {
 	}, nil
 }
 
-func (s *Store) ReadToken(issuer string, clientID string) *session.Token {
+func (s *Store) ReadToken(issuer string, clientID string) (*session.Token, error) {
 	var tok session.Token
 	path := s.path(issuer, clientID)
 	err := readJSONFile(path, &tok)
 	if err != nil {
-		return nil
+		return nil, err
 	}
-	return &tok
+	return &tok, nil
 }
 
 func (s *Store) WriteToken(issuer string, clientID string, tok *session.Token) error {