cbrianhill reviewed Mar 25, 2026

Contributor Author

This change is safe to release now, required endpoints are live in prod.

cbrianhill approved these changes Mar 28, 2026

Replace the custom device-code login flow with industry-standard OAuth2 Authorization Code + PKCE. This addresses three pentest findings:

- PCC-675: Tokens now auto-refresh (1-day access token + long-lived refresh token with rotation), eliminating "please run pcc auth login"
- PCC-677: PKCE + localhost callback eliminates the phishing/session hijacking vector of the old polling-based device-code flow
- PCC-678: Logout now revokes tokens server-side via /auth/logout

Changes:

- auth.py: Replace _AuthFlow/FlowManager device-code with PKCE flow (code_verifier, localhost callback server, Clerk token exchange)
- auth.py: Logout calls /auth/logout to revoke tokens server-side
- auth.py: Whoami shows email instead of internal Clerk user ID
- api.py: Auto-refresh expired OAuth tokens before API calls
- config.py: Store refresh_token and token_expires_at in TOML config, update in-memory config after writes

Address PR review feedback:

- Replace hardcoded Clerk domain, client ID, and scopes with runtime discovery via GET /auth/config + OIDC discovery (RFC 8414). The CLI only needs to know the API URL — everything else is discovered.
- Replace fixed port 8080 with a range (8400-8404) tried in order. Uses a less-common range to avoid conflicting with dev servers. Each port is registered as a redirect URI in the Clerk OAuth app.

- `pcc auth use-pat <token>` command to validate and store a PAT
- API client detects pcc_pat_ prefix and skips OAuth token refresh
- `pcc auth whoami` shows auth method (PAT vs OAuth)
- PIPECAT_TOKEN env var with a PAT just works (no login needed)
- Preserves active org when switching to PAT auth

Dark background (#0a0a0a), Pipecat cat logo, green/red status icons, system font stack. Replaces the plain HTML "Authentication successful!" page with a branded experience.
PR #142 replaced `import warnings` with `import sys` but this branch still had a `warnings.warn()` call for config problems. Replace it with `raise ConfigError(...)` to match the intent of that PR.
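
The client side of the flow described in the commit messages above (S256 PKCE pair, loopback callback on the first free port in 8400-8404, `state` check on the callback), as an added example that is not code from this PR. The function names, the `/callback` path, the `127.0.0.1` redirect host, and the endpoint, client ID and scope arguments are assumptions standing in for the values the CLI discovers at runtime.

```python
import base64
import hashlib
import hmac
import secrets
import socket
from urllib.parse import parse_qs, urlencode, urlparse

CALLBACK_PORTS = range(8400, 8405)  # 8400-8404, the range named in the commit

def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> tuple[str, str]:
    verifier = secrets.token_urlsafe(64)  # 86 chars; RFC 7636 allows 43 to 128
    return verifier, s256_challenge(verifier)

def bind_loopback(ports=CALLBACK_PORTS):
    """Bind the first free port on loopback only, so other hosts cannot reach it."""
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind(("127.0.0.1", port))
            return sock, port
        except OSError:  # port already in use: try the next one
            sock.close()
    raise RuntimeError("no callback port available")

def build_authorize_url(endpoint, client_id, scope, port, challenge, state):
    # endpoint, client_id and scope are placeholders for the discovered values
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": f"http://127.0.0.1:{port}/callback",  # host/path assumed
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{endpoint}?{urlencode(params)}"

def parse_callback(request_target: str, expected_state: str) -> str:
    """Return the authorization code; reject requests this login did not start."""
    query = parse_qs(urlparse(request_target).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in query or not query.get("code"):
        raise ValueError("authorization failed or no code returned")
    return query["code"][0]
```

The verifier stays in the CLI process and is sent only in the token exchange; the authorization request carries just the challenge, so an intercepted code cannot be redeemed without it.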
This change depends on code changes in the API which are not yet live; it should not be merged until @mattshep confirms that those changes are deployed to and available in the production environment. Those API changes are currently live in the staging environment and can be tested by installing the CLI from this branch.
Replace the custom device-code login flow with industry-standard OAuth2 Authorization Code + PKCE. This addresses three pentest findings:
Changes: