utils/auth/auth_utils library

Authentication utilities ported from neomage/src/utils/auth.ts.

Token management, API key validation, credential storage, OAuth handling, subscription checks, and cloud provider auth refresh flows.

Classes

AccountInfo
Account information from OAuth profile.
ApiKeyWithSource
Result of getAnthropicApiKeyWithSource.
AuthTokenSourceResult
Result of getAuthTokenSource.
OAuthTokens
OAuth tokens representation.
OrgValidationResult
Org validation result.
UserAccountInfo
User account info result.

Enums

ApiKeySource
Source of the API key.
AuthTokenSourceKind
Source of the auth token.
SubscriptionType
Subscription type enum matching OpenNeomage.

Constants

awsAuthRefreshTimeoutMs → const int
Timeout for AWS auth refresh command (3 minutes).
defaultApiKeyHelperTtl → const int
Default TTL for API key helper cache in milliseconds (5 minutes).
defaultAwsStsTtl → const int
Default STS credentials TTL - one hour.
defaultGcpCredentialTtl → const int
Default GCP credential TTL - 1 hour to match typical ADC token lifetime.
defaultOtelHeadersDebounceMs → const int
Default debounce for otel headers helper (29 minutes).
gcpAuthRefreshTimeoutMs → const int
Timeout for GCP auth refresh command (3 minutes).
gcpCredentialsCheckTimeoutMs → const int
Short timeout for GCP credentials probe.
neomageAiProfileScope → const String
Neomage AI profile scope constant.

Functions

calculateApiKeyHelperTtl() → int
Calculate TTL in milliseconds for the API key helper cache.
checkAndRefreshOAuthTokenIfNeeded({int retryCount = 0, bool force = false}) → Future<bool>
Check and refresh OAuth token if expired.
clearApiKeyHelperCache() → void
Clear the API key helper cache and bump epoch.
clearAwsCredentialsCache() → void
Clear AWS credentials cache.
clearGcpCredentialsCache() → void
Clear GCP credentials cache.
clearOAuthTokenCache() → void
Clear OAuth token cache.
getAccountInformation() → UserAccountInfo?
Get account information for display.
getAnthropicApiKey() → String?
Get the Anthropic API key (convenience wrapper).
getAnthropicApiKeyWithSource({bool skipRetrievingKeyFromApiKeyHelper = false}) → ApiKeyWithSource
Get the Anthropic API key along with its source.
getApiKeyFromApiKeyHelper(bool isNonInteractiveSession) → Future<String?>
Async fetch of API key from the configured helper command.
getApiKeyFromApiKeyHelperCached() → String?
Sync cache reader for the API key helper.
getApiKeyFromConfigOrKeychain() → ApiKeyWithSource?
Get API key from config or platform keychain.
getApiKeyFromFileDescriptor() → String?
Get API key from file descriptor.
getApiKeyHelperElapsedMs() → int
Returns how long the in-flight API key helper has been running.
getAuthTokenSource() → AuthTokenSourceResult
Determine where the auth token is sourced from.
getConfiguredApiKeyHelper() → String?
Get the configured apiKeyHelper from settings.
getConfiguredAwsAuthRefresh() → String?
Get the configured awsAuthRefresh from settings.
getConfiguredAwsCredentialExport() → String?
Get the configured awsCredentialExport from settings.
getConfiguredGcpAuthRefresh() → String?
Get the configured gcpAuthRefresh from settings.
getConfiguredOtelHeadersHelper() → String?
Get the configured otelHeadersHelper from settings.
getNeomageAIOAuthTokens() → OAuthTokens?
Get Neomage AI OAuth tokens (sync, memoized).
getNeomageAIOAuthTokensAsync() → Future<OAuthTokens?>
Async OAuth token reader.
getOauthAccountInfo() → AccountInfo?
Get OAuth account info (only for 1P Anthropic API).
getOAuthTokenFromFileDescriptor() → String?
Get OAuth token from file descriptor.
getOtelHeadersFromHelper() → Map<String, String>
Get OTel headers from the configured helper.
getRateLimitTier() → String?
Get the rate limit tier.
getSubscriptionName() → String
Get a human-readable subscription name.
getSubscriptionType() → SubscriptionType?
Get the current subscription type.
handleOAuth401Error(String failedAccessToken) → Future<bool>
Handle a 401 OAuth error.
hasAnthropicApiKeyAuth() → bool
Check if there is Anthropic API key auth available.
hasOpusAccess() → bool
Whether the user has Opus access.
hasProfileScope() → bool
Check if OAuth token has the user:profile scope.
is1PApiCustomer() → bool
Whether the user is a 1P API customer (not subscriber, not 3P).
isAnthropicAuthEnabled() → bool
Whether direct 1P auth (OAuth) is enabled.
isApiKeyHelperFromProjectOrLocalSettings() → bool
Check if the apiKeyHelper comes from project or local settings.
isAwsAuthRefreshFromProjectSettings() → bool
Check if awsAuthRefresh comes from project settings.
isAwsCredentialExportFromProjectSettings() → bool
Check if awsCredentialExport comes from project settings.
isBareMode() → bool
Check if running in bare mode (no OAuth, no keychain).
isConsumerSubscriber() → bool
Check if the user is a consumer subscriber (pro or max).
isCustomApiKeyApproved(String apiKey) → bool
Check if a custom API key has been approved.
isEnterpriseSubscriber() → bool
Whether the user is an Enterprise subscriber.
isGcpAuthRefreshFromProjectSettings() → bool
Check if gcpAuthRefresh comes from project settings.
isManagedOAuthContext() → bool
Whether we are in a managed OAuth context (CCR or Neomage Desktop).
isMaxSubscriber() → bool
Whether the user is a Max subscriber.
isNeomageAISubscriber() → bool
Whether the current user is a Neomage AI subscriber.
isOtelHeadersHelperFromProjectOrLocalSettings() → bool
Check if otelHeadersHelper comes from project or local settings.
isOverageProvisioningAllowed() → bool
Check if overage provisioning is allowed.
isProSubscriber() → bool
Whether the user is a Pro subscriber.
isRunningOnHomespace() → bool
Check if running on homespace.
isTeamPremiumSubscriber() → bool
Whether the user is a Team Premium subscriber.
isTeamSubscriber() → bool
Whether the user is a Team subscriber.
isUsing3PServices() → bool
Check if using third-party services (Bedrock, Vertex, Foundry, OpenAI, Gemini).
isValidApiKey(String apiKey) → bool
Validate that an API key has the correct format.
normalizeApiKeyForConfig(String apiKey) → String
Normalize an API key for config storage (truncated form).
prefetchApiKeyFromApiKeyHelperIfSafe(bool isNonInteractiveSession) → void
Prefetch API key from helper if safe (trust already established).
prefetchAwsCredentialsAndBedrockInfoIfSafe() → void
Prefetch AWS credentials if safe (trust already established).
prefetchGcpCredentialsIfSafe() → void
Prefetch GCP credentials if safe.
refreshAndGetAwsCredentials() → Future<({String accessKeyId, String secretAccessKey, String sessionToken})?>
Refresh and get AWS credentials with caching.
refreshAwsAuth(String awsAuthRefresh) → Future<bool>
Refresh AWS auth (exposed for direct use).
refreshGcpAuth(String gcpAuthRefresh) → Future<bool>
Refresh GCP auth (exposed for direct use).
refreshGcpCredentialsIfNeeded() → Future<bool>
Refresh GCP credentials if needed.
removeApiKey() → Future<void>
Remove the stored API key.
saveApiKey(String apiKey) → Future<void>
Save an API key to secure storage and config.
saveOAuthTokensIfNeeded(OAuthTokens tokens) → ({bool success, String? warning})
Save OAuth tokens if needed.
validateForceLoginOrg() → Future<OrgValidationResult>
Validate that the active OAuth token belongs to the required org.