feat: oauth authentication

[gabrielmfern]

this will only work with the staging api for now, but that's fine. the cleint id is hard coded, and, for consistency, I think we should ensure this exact client id also used in the production oauth client for the CLI

I've verified this does indeed work with the non-sending apis

---

Summary by cubic

Adds OAuth authentication to the CLI with a browser-based PKCE flow and automatic token refresh. API keys remain supported; the CLI now resolves either an API key or an OAuth grant across commands with improved scope-to-permission handling.

• New Features

  • resend login: "Login with Resend" opens the browser, runs a local callback server with state verification and timeout, exchanges the code, and saves the grant per profile.
  • OAuth grants are stored with access/refresh expiries (access expiry from JWT exp), refreshed automatically, and respect RESEND_BASE_URL; client ID is set in OAUTH_CLIENT_ID.
  • Unified resolver resolveAuthentication returns either an API key or an OAuth grant; createClient/requireClient use the right token.
  • Permission checks map OAuth scopes (full_access, emails:send) to CLI permissions; error messages refer to "credentials" not just keys.
  • whoami and doctor display OAuth details, mask tokens, and skip key-only validation paths; whoami does not refresh expired access tokens.
  • When replacing a secure-storage API key with OAuth, the old keychain secret is deleted to avoid shadowing the new grant.

• Migration

  • No action required; existing API keys keep working.
  • The credentials file now stores a type per profile and supports OAuth grants; legacy profiles are read and migrated in memory.
  • Secure-storage API keys are removed automatically if overwritten by an OAuth grant.
  • To use OAuth, run resend login and choose "Login with Resend".

^{Written for commit 6346679. Summary will update on new commits.}

[cubic-dev-ai]

0 issues found across 6 files (changes from recent commits).

<sub>Requires human review: This PR introduces a new OAuth authentication flow with PKCE, token refresh, and credential migration across multiple commands and core libraries, which is a high-risk change to critical authentication logic that requires human review for security, correctness, and integration with existing API key

Re-trigger cubic</sub>

[cubic-dev-ai]

7 issues found

<sub>Tip: instead of fixing issues one by one fix them all with cubic

Re-trigger cubic</sub>

[cubic-dev-ai]

0 issues found across 1 file (changes from recent commits).

<sub>Requires human review: Auto-approval blocked by 6 unresolved issues from previous reviews.

Re-trigger cubic</sub>

[felipefreitag]

I think it would be safer to validate the token structure here and throw in case there's anything wrong with it, otherwise users will have inconsistent states later

[felipefreitag]

What happens if this fails, i.e. the user is logged out?
doctor and whoami call this, there's no error handling, so if I understood correctly, a user checking their expired auth would get unhandled errors instead of a message to login

[felipefreitag]

whoami's help message says it's a local command, but now it hits the network, we should clear that - or not call the actual auth here at all.

[gabrielmfern]

added a treatment for that, can you check again?

[felipefreitag]

the plain text credentials file is just supposed to store references for the name the user chose for their profile and the secure storage data; we shouldn't store the grand in plain text, it should go to secure storage

[felipefreitag]

this is plain text; maybe we should validate this format here?

[felipefreitag]

is it possible to have response.ok AND not have a valid token here? wondering if we should validate the schema to be safe

[felipefreitag]

should we always choose "authentication complete" regardless of the code/state/error?

[cubic-dev-ai]

2 issues found across 5 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="src/lib/oauth.ts">

<violation number="1" location="src/lib/oauth.ts:59">
P2: Unconditionally using `refresh_token_expires_in` can persist `NaN` and break refresh-expiry handling when the field is omitted.</violation>
</file>

<file name="src/lib/config.ts">

<violation number="1" location="src/lib/config.ts:543">
P2: This delete assumes every `api_key` profile in a `secure_storage` file has a keychain secret, so OAuth login can fail for preserved file-backed profiles.</violation>
</file>

<sub>Tip: Review your code locally with the cubic CLI to iterate faster.

Fix all with cubic | Re-trigger cubic</sub>

[cubic-dev-ai]

P2: Unconditionally using refresh_token_expires_in can persist NaN and break refresh-expiry handling when the field is omitted.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At src/lib/oauth.ts, line 59:

<comment>Unconditionally using `refresh_token_expires_in` can persist `NaN` and break refresh-expiry handling when the field is omitted.</comment>

<file context>
@@ -52,13 +52,11 @@ export async function refreshOAuthGrant(
-  const newRefreshTokenExpiresAt = data.refresh_token_expires_in
-    ? nowSeconds + data.refresh_token_expires_in
-    : grant.refresh_token_expires_at;
+  const newRefreshTokenExpiresAt = nowSeconds + data.refresh_token_expires_in;
 
   await storeOAuthGrant(
</file context>

[cubic-dev-ai]

P2: This delete assumes every api_key profile in a secure_storage file has a keychain secret, so OAuth login can fail for preserved file-backed profiles.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At src/lib/config.ts, line 543:

<comment>This delete assumes every `api_key` profile in a `secure_storage` file has a keychain secret, so OAuth login can fail for preserved file-backed profiles.</comment>

<file context>
@@ -522,6 +531,24 @@ export async function storeOAuthGrant(
+    ) {
+      const backend = await getCredentialBackend();
+      if (backend.isSecure) {
+        const deleted = await backend.delete(SERVICE_NAME, profile);
+        if (!deleted) {
+          throw new Error(
</file context>

[felipefreitag]

Our other direct fetch calls use AbortSignal.timeout to prevent them from hanging?
I mean adding them to every fetch call added here.
For example

  let response: Response;
  try {
    response = await fetch(`${baseUrl}/oauth/token`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({
        grant_type: 'refresh_token',
        client_id: OAUTH_CLIENT_ID,
        refresh_token: grant.refresh_token,
      }),
      signal: AbortSignal.timeout(30_000),
    });
  } catch (err) {
    if (err instanceof Error && err.name === 'TimeoutError') {
      throw new Error(
        'Token refresh timed out after 30s. Check your connection and try again.',
      );
    }
    throw new Error(
      'Could not reach the Resend API to refresh your session. Check your connection and try again.',
    );
  }

  if (!response.ok) {
    throw new Error(
      `Token refresh failed (${response.status}). Please run \`resend login\` again.`,
    );
  }