Lift the per-tool [Store] modules into one [Gauth.Local_store]. All
three Google CLI tools ([gdocs], [gsheets], [gslides]) now point at a
single XDG config directory ([$XDG_CONFIG_HOME/google/{client,token}.json])
so a user runs [install] and [login] once and every tool that
recognizes the granted scopes can read the resulting token.

Before, each package had a near-identical 60-line [Store] (atomic
write, save/load client and token, [acquire] returning a refreshable
[Gauth.token]) keyed off its own per-tool app name -- three copies
with cosmetic differences (the [cli_name] in the
"Run [<tool> install] first" diagnostic). Each per-tool [Store] is
now a thin wrapper:

include Gauth.Local_store
let acquire http ~clock ~fs =
Gauth.Local_store.acquire http ~clock ~fs ~cli_name:"<tool>"

The shared [Local_store] keeps the atomic-write pattern from the
prior [ocaml-gdocs] / [ocaml-gsheets] / [ocaml-gslides] commits
(sibling [.tmp.<pid>] file with [`Exclusive 0o600], then [rename]
over the target -- no chmod-after-write race, crash-before-rename
leaves the original target untouched).

Side-effect: on first run after this lands, users must re-run
[install] and [login] -- their existing
[~/.config/{gdocs,gsheets,gslides}/] directories are no longer
consulted. Pre-1.0 packages, no migration script.

Move:

- [Gauth.Local_store] in [gauth/lib/gauth.{ml,mli}]: client record,
config_dir/client_path/token_path, save_client/load_client,
save_token/load_token, clear_token, persist, acquire (with
[~cli_name:string] for the diagnostic).
- [gauth] now depends on [nox-xdge] for XDG paths (and [unix] which
was already pulled in transitively).
- [Gdocs.Store], [Gsheets.Store], [Gslides.Store] reduce to ~3 lines
each ([include Gauth.Local_store] + specialized [acquire]).
- Per-tool [lib/dune] and [dune-project] drop their direct
[nox-xdge] / [unix] deps -- those come transitively through gauth.
- Two store tests updated: the "config dir contains '<tool>'"
assertions become "config dir is shared 'google'" since the path
is now [.../google/...] for every tool.

All 307 tests across the four packages pass: gauth (5), gdocs (61),
gsheets (156), gslides (85). [monopam lint] reports the same
pre-existing [oauth unused] / [base64 ptime unused] false positives,
nothing new.

Followups still in flight: the [nox-xdge] -> [nox-xdg] rename is
tracked separately so it can sweep every consumer in one commit
without conflating with this refactor.

e6a99bcf

Thomas Gazagnaire

18 hours ago

Drop dead libraries flagged by monopam Dead_lib across the repo

169c833c

Thomas Gazagnaire

2 days ago

branches 1

main 16 hours ago default

README.md

gauth#

Google API authentication for OCaml.

Two flows: service-account JWT bearer (RFC 7523) for server-to-server access from a JSON key file, and an interactive local OAuth flow for CLI tools that spins up a localhost listener and exchanges the authorization code for tokens. Both return a token that transparently refreshes credentials near expiry.

Installation#

Install with opam:

$ opam install gauth

If opam cannot find the package, it may not yet be released in the public opam-repository. Add the overlay repository, then install it:

$ opam repo add samoht https://tangled.org/gazagnaire.org/opam-overlay.git
$ opam update
$ opam install gauth

Usage#

Service account#

Parse a service-account JSON key and mint an access token for a set of OAuth scopes. The Requests.t HTTP client and the Eio clock are required for refresh:

let fetch_token http ~clock ~key_path =
  match Gauth.Service_account.of_file key_path with
  | Error (`Msg m) -> Error m
  | Ok key ->
      let scopes =
        [ "https://www.googleapis.com/auth/documents.readonly" ] in
      match Gauth.Service_account.token http ~clock ~scopes key with
      | Ok token -> Ok (Gauth.access token)
      | Error (`Msg m) -> Error m

Pass ?subject:"alice@example.com" to Service_account.token to use domain-wide delegation and impersonate a Workspace user.

Interactive local flow#

Local_flow.run binds an ephemeral port on 127.0.0.1, prints a Google consent URL to stderr, and waits up to ?timeout seconds (default 120) for the user to complete the flow:

let login http ~clock ~net ~sw ~client_id ~client_secret =
  Gauth.Local_flow.run http ~clock ~net ~sw
    ~client_id ~client_secret
    ~scopes:[ "https://www.googleapis.com/auth/documents.readonly" ]
    ()

Override ?on_url to launch a browser automatically instead of printing the URL.

Persistence#

Serialize a token to JSON, restore it later — useful for "login once, use many times" CLIs:

let save token = Gauth.to_json token

let restore http ~clock ~client_id ~client_secret json =
  Gauth.of_json http ~clock ~client_id ~client_secret json

access and try_access return a current access token, refreshing synchronously if the cached one is near expiry.

Licence#

MIT

Configure Feed