NationTech/harmony
3
0
Fork 2
Code Issues 38 Pull Requests 29 Actions Packages Projects Releases 1 Wiki Activity
Files
feat/auth-add-next-url-redirect
harmony/harmony_secret/Cargo.toml
Sylvain Tremblay 9eb6bda257
All checks were successful
Run Check Script / check (pull_request) Successful in 2m48s
Details
feat(harmony_secret): SSO auth hardening — silent refresh, renewal, namespacing 
Net-diff PR (1 of 4) splitting feat/unified-config-and-secrets into
reviewable pieces. harmony_secret changes only; compiles against master.

- Silent OIDC refresh + clearer device-code error surfacing
- renew-self on cached OpenBao token; auto-open device-flow browser
- OIDC session cache scoped by sso_url + client_id (was one shared file)
- LocalFileSecretStore nested per namespace
- validate cached token via lookup-self (default policy), not lookup (sudo)
- drop dead HARMONY_SECRETS_URL var and OidcSession::is_openbao_token_expired

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-28 13:23:03 -04:00

41 lines
1.3 KiB
TOML
Raw Permalink Blame History

[package]
name = "harmony_secret"
edition = "2024"
version.workspace = true
readme.workspace = true
license.workspace = true
# `secrete2etest` is a custom cfg flag used to gate integration tests
# that require a live OpenBao instance. Declare it here so rustc doesn't
# emit `unexpected_cfg` warnings.
[lints.rust]
unexpected_cfgs = { level = "warn", check-cfg = ['cfg(secrete2etest)'] }
[dependencies]
harmony_secret_derive = { version = "0.1.0", path = "../harmony_secret_derive" }
serde = { version = "1.0.209", features = ["derive", "rc"] }
serde_json = "1.0.127"
thiserror.workspace = true
lazy_static.workspace = true
directories.workspace = true
log.workspace = true
# infisical = "0.0.2"
infisical = { git = "https://github.com/jggc/rust-sdk.git", branch = "patch-1" }
tokio.workspace = true
async-trait.workspace = true
http.workspace = true
inquire.workspace = true
interactive-parse = "0.1.5"
schemars = "0.8"
vaultrs = "0.7.4"
reqwest = { workspace = true, features = ["json"] }
url.workspace = true
# Used by ZitadelOidcAuth to best-effort launch the device-flow
# URL in the operator's browser. Failure to open is non-fatal —
# the URL is already printed to the terminal.
webbrowser = "1"
[dev-dependencies]
pretty_assertions.workspace = true
tempfile.workspace = true
Reference in New Issue View Git Blame Copy Permalink