feat: add OIDC authentication for server mode

2026-04-01 19:33:15 +02:00
parent 7bce56384f
commit 52a975b66d
13 changed files with 515 additions and 7 deletions
--- a/service/api_client.go
+++ b/service/api_client.go
@@ -28,13 +28,27 @@ func (c *apiClient) do(method, path string, body any) (*http.Response, error) {
 	if err != nil {
 		return nil, err
 	}
-	req.Header.Set("X-Ax-User", c.user)
+	if err := c.setAuth(req); err != nil {
+		return nil, err
+	}
 	if body != nil {
 		req.Header.Set("Content-Type", "application/json")
 	}
 	return c.http.Do(req)
 }

+// setAuth attaches either a Bearer token (when a session exists) or the
+// X-Ax-User header (no session / non-OIDC servers).
+func (c *apiClient) setAuth(req *http.Request) error {
+	sess, err := LoadSession()
+	if err != nil || sess == nil || sess.Token == "" {
+		req.Header.Set("X-Ax-User", c.user)
+		return nil
+	}
+	req.Header.Set("Authorization", "Bearer "+sess.Token)
+	return nil
+}
+
 func apiDecode[T any](resp *http.Response) (T, error) {
 	var v T
 	defer resp.Body.Close()