refactor(tokenstore): extract token storage into reusable sub-package (#14)

* refactor(tokenstore): extract token storage into reusable sub-package

- Move token store interface, file store, keyring store, secure store, and file lock into tokenstore/ package
- Apply idiomatic Go naming: TokenStore→Store, TokenStorage→Token, FileTokenStore→FileStore, KeyringTokenStore→KeyringStore
- Make TokenStorageMap unexported as internal implementation detail
- Parameterize NewSecureStore to accept serviceName for keyring probing
- Update main.go and main_test.go to import the new tokenstore package

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(tokenstore): address PR review feedback

- Add input validation: Save() returns error for nil Token or empty ClientID
- Fix FileStore.Save() error handling: propagate read/parse errors instead of
  silently resetting the token map
- Refactor SecureStore: introduce Prober interface so KeyringStore.Probe()
  replaces the detached probeKeyring() function, removing serviceName parameter
- Remove unused useKeyring field from SecureStore
- Move stderr output from library to caller (main.go) for reusable package
- Fix probeKeyring to treat Delete failure as probe failure
- Distinguish ErrNotFound from real errors in main.go run() token loading
- Run go mod tidy to fix dependency annotations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: appleboy

go.mod

@@ -9,10 +9,12 @@ require (
 	github.com/appleboy/go-httpretry v0.11.0
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
+	github.com/zalando/go-keyring v0.2.6
 	golang.org/x/oauth2 v0.35.0
 )
 
 require (
+	al.essio.dev/pkg/shellescape v1.5.1 // indirect
 	github.com/charmbracelet/colorprofile v0.4.2 // indirect
 	github.com/charmbracelet/ultraviolet v0.0.0-20260205113103-524a6607adb8 // indirect
 	github.com/charmbracelet/x/ansi v0.11.6 // indirect
@@ -21,6 +23,8 @@ require (
 	github.com/charmbracelet/x/windows v0.2.2 // indirect
 	github.com/clipperhouse/displaywidth v0.11.0 // indirect
 	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
+	github.com/danieljoos/wincred v1.2.2 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
 	github.com/mattn/go-runewidth v0.0.20 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect

go.sum

@@ -1,3 +1,5 @@
+al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho=
+al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
 charm.land/bubbles/v2 v2.0.0 h1:tE3eK/pHjmtrDiRdoC9uGNLgpopOd8fjhEe31B/ai5s=
 charm.land/bubbles/v2 v2.0.0/go.mod h1:rCHoleP2XhU8um45NTuOWBPNVHxnkXKTiZqcclL/qOI=
 charm.land/bubbletea/v2 v2.0.0 h1:p0d6CtWyJXJ9GfzMpUUqbP/XUUhhlk06+vCKWmox1wQ=
@@ -26,6 +28,14 @@ github.com/clipperhouse/displaywidth v0.11.0 h1:lBc6kY44VFw+TDx4I8opi/EtL9m20WSE
 github.com/clipperhouse/displaywidth v0.11.0/go.mod h1:bkrFNkf81G8HyVqmKGxsPufD3JhNl3dSqnGhOoSD/o0=
 github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
 github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
+github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
+github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
@@ -36,10 +46,18 @@ github.com/mattn/go-runewidth v0.0.20 h1:WcT52H91ZUAwy8+HUkdM3THM6gXqXuLJi9O3rjc
 github.com/mattn/go-runewidth v0.0.20/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
 github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
+github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8ua9s=
+github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
@@ -48,3 +66,5 @@ golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
 golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

main.go

@@ -23,20 +23,26 @@ import (
 	"golang.org/x/oauth2"
 
 	tea "charm.land/bubbletea/v2"
+	"github.com/go-authgate/device-cli/tokenstore"
 	"github.com/go-authgate/device-cli/tui"
 )
 
 var (
 	serverURL         string
 	clientID          string
 	tokenFile         string
+	tokenStoreMode    string
 	flagServerURL     *string
 	flagClientID      *string
 	flagTokenFile     *string
+	flagTokenStore    *string
 	configInitialized bool
 	retryClient       *retry.Client
+	tokenStore        tokenstore.Store
 )
 
+const defaultKeyringService = "authgate-device-cli"
+
 // Timeout configuration for different operations
 const (
 	deviceCodeRequestTimeout = 10 * time.Second
@@ -91,6 +97,11 @@ func init() {
 		"",
 		"Token storage file (default: .authgate-tokens.json or TOKEN_FILE env)",
 	)
+	flagTokenStore = flag.String(
+		"token-store",
+		"",
+		"Token storage backend: auto, file, keyring (default: auto or TOKEN_STORE env)",
+	)
 }
 
 // initConfig parses flags and initializes configuration
@@ -107,6 +118,7 @@ func initConfig() {
 	serverURL = getConfig(*flagServerURL, "SERVER_URL", "http://localhost:8080")
 	clientID = getConfig(*flagClientID, "CLIENT_ID", "")
 	tokenFile = getConfig(*flagTokenFile, "TOKEN_FILE", ".authgate-tokens.json")
+	tokenStoreMode = getConfig(*flagTokenStore, "TOKEN_STORE", "auto")
 
 	// Validate SERVER_URL format
 	if err := validateServerURL(serverURL); err != nil {
@@ -171,6 +183,31 @@ func initConfig() {
 	if err != nil {
 		panic(fmt.Sprintf("failed to create retry client: %v", err))
 	}
+
+	// Initialize token store based on mode
+	fileStore := tokenstore.NewFileStore(tokenFile)
+	switch tokenStoreMode {
+	case "file":
+		tokenStore = fileStore
+	case "keyring":
+		tokenStore = tokenstore.NewKeyringStore(defaultKeyringService)
+	case "auto":
+		kr := tokenstore.NewKeyringStore(defaultKeyringService)
+		tokenStore = tokenstore.NewSecureStore(kr, fileStore)
+		if !tokenStore.(*tokenstore.SecureStore).UseKeyring() {
+			fmt.Fprintln(
+				os.Stderr,
+				"⚠️  OS keyring unavailable, falling back to file-based token storage",
+			)
+		}
+	default:
+		fmt.Fprintf(
+			os.Stderr,
+			"Error: Invalid token-store value: %s (must be auto, file, or keyring)\n",
+			tokenStoreMode,
+		)
+		os.Exit(1)
+	}
 }
 
 // getConfig returns value with priority: flag > env > default
@@ -240,20 +277,6 @@ func validateTokenResponse(accessToken, tokenType string, expiresIn int) error {
 	return nil
 }
 
-// TokenStorage represents saved tokens for a specific client
-type TokenStorage struct {
-	AccessToken  string    `json:"access_token"`
-	RefreshToken string    `json:"refresh_token"`
-	TokenType    string    `json:"token_type"`
-	ExpiresAt    time.Time `json:"expires_at"`
-	ClientID     string    `json:"client_id"`
-}
-
-// TokenStorageMap manages tokens for multiple clients
-type TokenStorageMap struct {
-	Tokens map[string]*TokenStorage `json:"tokens"` // key = client_id
-}
-
 // isTTY reports whether stderr is a character device (interactive terminal).
 // We check stderr because the TUI renders to stderr, allowing stdout to be piped.
 func isTTY() bool {
@@ -302,11 +325,17 @@ func run(d tui.Displayer) error {
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 	defer stop()
 
-	var storage *TokenStorage
+	var storage *tokenstore.Token
 
 	// Try to load existing tokens
-	storage, err := loadTokens()
-	if err == nil && storage != nil {
+	storage, err := tokenStore.Load(clientID)
+	switch {
+	case err != nil && !errors.Is(err, tokenstore.ErrNotFound):
+		d.Fatal(err)
+		return err
+	case err != nil:
+		d.TokensNotFound()
+	case storage != nil:
 		d.TokensFound()
 
 		// Check if access token is still valid
@@ -326,7 +355,7 @@ func run(d tui.Displayer) error {
 				d.RefreshOK()
 			}
 		}
-	} else {
+	default:
 		d.TokensNotFound()
 	}
 
@@ -444,7 +473,7 @@ func requestDeviceCode(ctx context.Context) (*oauth2.DeviceAuthResponse, error)
 }
 
 // performDeviceFlow performs the OAuth device authorization flow
-func performDeviceFlow(ctx context.Context, d tui.Displayer) (*TokenStorage, error) {
+func performDeviceFlow(ctx context.Context, d tui.Displayer) (*tokenstore.Token, error) {
 	config := &oauth2.Config{
 		ClientID: clientID,
 		Endpoint: oauth2.Endpoint{
@@ -476,19 +505,19 @@ func performDeviceFlow(ctx context.Context, d tui.Displayer) (*TokenStorage, err
 
 	d.AuthSuccess()
 
-	// Convert to TokenStorage and save
-	storage := &TokenStorage{
+	// Convert to Token and save
+	storage := &tokenstore.Token{
 		AccessToken:  token.AccessToken,
 		RefreshToken: token.RefreshToken,
 		TokenType:    token.Type(),
 		ExpiresAt:    token.Expiry,
 		ClientID:     clientID,
 	}
 
-	if err := saveTokens(storage); err != nil {
+	if err := tokenStore.Save(storage); err != nil {
 		d.TokenSaveFailed(err)
 	} else {
-		d.TokenSaved(tokenFile)
+		d.TokenSaved(tokenStore.String())
 	}
 
 	return storage, nil
@@ -681,101 +710,12 @@ func verifyToken(ctx context.Context, accessToken string, d tui.Displayer) error
 	return nil
 }
 
-// loadTokens loads tokens from file for the current client
-func loadTokens() (*TokenStorage, error) {
-	data, err := os.ReadFile(tokenFile)
-	if err != nil {
-		return nil, err
-	}
-
-	var storageMap TokenStorageMap
-	if err := json.Unmarshal(data, &storageMap); err != nil {
-		return nil, fmt.Errorf("failed to parse token file: %w", err)
-	}
-
-	if storageMap.Tokens == nil {
-		return nil, errors.New("no tokens found in token file")
-	}
-
-	// Look up token for current client_id
-	if storage, ok := storageMap.Tokens[clientID]; ok {
-		return storage, nil
-	}
-
-	return nil, fmt.Errorf("no tokens found for client_id: %s", clientID)
-}
-
-// saveTokens saves tokens to file (merges with existing tokens for other clients)
-// Uses file locking to prevent race conditions when multiple processes access the same file
-func saveTokens(storage *TokenStorage) error {
-	// Ensure ClientID is set
-	if storage.ClientID == "" {
-		storage.ClientID = clientID
-	}
-
-	// Acquire file lock to prevent concurrent access
-	lock, err := acquireFileLock(tokenFile)
-	if err != nil {
-		return fmt.Errorf("failed to acquire lock: %w", err)
-	}
-	defer func() {
-		if releaseErr := lock.release(); releaseErr != nil {
-			fmt.Fprintf(os.Stderr, "failed to release lock: %v\n", releaseErr)
-		}
-	}()
-
-	// Load existing token map (inside lock to ensure consistency)
-	var storageMap TokenStorageMap
-	existingData, err := os.ReadFile(tokenFile)
-	if err == nil {
-		// File exists, try to load it
-		if unmarshalErr := json.Unmarshal(existingData, &storageMap); unmarshalErr != nil {
-			// If unmarshal fails, start with empty map
-			storageMap.Tokens = make(map[string]*TokenStorage)
-		}
-	}
-
-	// Initialize map if nil
-	if storageMap.Tokens == nil {
-		storageMap.Tokens = make(map[string]*TokenStorage)
-	}
-
-	// Add or update token for current client
-	storageMap.Tokens[storage.ClientID] = storage
-
-	// Marshal data
-	data, err := json.MarshalIndent(storageMap, "", "  ")
-	if err != nil {
-		return err
-	}
-
-	// Write to temp file first (atomic write pattern)
-	tempFile := tokenFile + ".tmp"
-	if err := os.WriteFile(tempFile, data, 0o600); err != nil {
-		return fmt.Errorf("failed to write temp file: %w", err)
-	}
-
-	// Atomic rename (replaces old file)
-	if err := os.Rename(tempFile, tokenFile); err != nil {
-		if removeErr := os.Remove(tempFile); removeErr != nil {
-			return fmt.Errorf(
-				"failed to rename temp file: %v; additionally failed to remove temp file: %w",
-				err,
-				removeErr,
-			)
-		}
-		return fmt.Errorf("failed to rename temp file: %w", err)
-	}
-
-	return nil
-}
-
 // refreshAccessToken refreshes the access token using refresh token
 func refreshAccessToken(
 	ctx context.Context,
 	refreshToken string,
 	d tui.Displayer,
-) (*TokenStorage, error) {
+) (*tokenstore.Token, error) {
 	// Create request with timeout
 	reqCtx, cancel := context.WithTimeout(ctx, refreshTokenTimeout)
 	defer cancel()
@@ -844,7 +784,7 @@ func refreshAccessToken(
 		newRefreshToken = refreshToken
 	}
 
-	storage := &TokenStorage{
+	storage := &tokenstore.Token{
 		AccessToken:  tokenResp.AccessToken,
 		RefreshToken: newRefreshToken,
 		TokenType:    tokenResp.TokenType,
@@ -853,15 +793,19 @@ func refreshAccessToken(
 	}
 
 	// Save updated tokens
-	if err := saveTokens(storage); err != nil {
+	if err := tokenStore.Save(storage); err != nil {
 		d.TokenSaveFailed(err)
 	}
 
 	return storage, nil
 }
 
 // makeAPICallWithAutoRefresh demonstrates automatic refresh on 401
-func makeAPICallWithAutoRefresh(ctx context.Context, storage *TokenStorage, d tui.Displayer) error {
+func makeAPICallWithAutoRefresh(
+	ctx context.Context,
+	storage *tokenstore.Token,
+	d tui.Displayer,
+) error {
 	// Try with current access token
 	reqCtx, cancel := context.WithTimeout(ctx, tokenVerificationTimeout)
 	defer cancel()