feat: add support for Forgejo

zimbatm · zimbatm · commit 4fd57b5e51df · 2025-07-08T11:50:23.000+02:00
diff --git a/README.md b/README.md
@@ -9,7 +9,7 @@ to get those tokens in the right place.
 ## Features
 
 - OAuth device flow authentication (no manual token creation needed)
-- Support for multiple providers (GitHub, GitHub Enterprise, GitLab, and Gitea)
+- Support for multiple providers (GitHub, GitHub Enterprise, GitLab, Gitea, and Forgejo)
 - Token storage in `~/.config/nix/nix.conf`
 - Token validation and status checking
 - Automatic backup creation before modifying configuration
@@ -85,6 +85,10 @@ nix-auth login gitlab --host gitlab.company.com --client-id <your-application-id
 # Gitea (uses Personal Access Token flow)
 nix-auth login gitea
 nix-auth login gitea --host gitea.company.com
+
+# Forgejo (uses Personal Access Token flow)
+nix-auth login codeberg               # for codeberg.org
+nix-auth login forgejo --host git.company.com  # for self-hosted Forgejo (--host required)
 ```
 
 The tool will:
@@ -96,7 +100,7 @@ The tool will:
 **Note for self-hosted instances**:
 - **GitHub Enterprise**: You'll need to create an OAuth App and provide the client ID via `--client-id`
 - **GitLab self-hosted**: You'll need to create an OAuth application and provide the client ID via `--client-id`
-- **Gitea**: Uses Personal Access Token flow instead of OAuth device flow (Gitea doesn't support device flow yet)
+- **Gitea/Forgejo**: Uses Personal Access Token flow instead of OAuth device flow (these platforms don't support device flow yet)
 
 The tool will guide you through this process if the client ID is not provided. You can also set the `GITHUB_CLIENT_ID` or `GITLAB_CLIENT_ID` environment variables as an alternative to the `--client-id` flag.
 
@@ -146,7 +150,7 @@ access-tokens = github.com=ghp_xxxxxxxxxxxxxxxxxxxx gitlab.com=glpat-xxxxxxxxxxx
 
 ## Future Plans
 
-- Support for more providers (Forgejo, Bitbucket, etc.)
+- Support for more providers (Bitbucket, etc.)
 - Token expiration notifications
 - Integration with system keychains for secure storage (will require patching
     Nix)
diff --git a/cmd/login.go b/cmd/login.go
@@ -15,12 +15,14 @@ import (
 var loginCmd = &cobra.Command{
 	Use:   "login [provider]",
 	Short: "Authenticate with a provider and save the access token",
-	Long: `Authenticate with a provider (GitHub, GitLab, Gitea, etc.) using OAuth device flow
+	Long: `Authenticate with a provider (GitHub, GitLab, Gitea, Forgejo, etc.) using OAuth device flow
 and save the access token to your nix.conf for use with Nix flakes.`,
 	Example: `  nix-auth login                      # defaults to GitHub
   nix-auth login github
   nix-auth login gitlab
   nix-auth login gitea
+  nix-auth login codeberg              # for codeberg.org
+  nix-auth login forgejo --host git.company.com  # --host required for forgejo
   nix-auth login github --host github.company.com --client-id abc123
   nix-auth login gitea --host gitea.company.com`,
 	Args: cobra.MaximumNArgs(1),
diff --git a/internal/provider/forgejo.go b/internal/provider/forgejo.go
@@ -0,0 +1,145 @@
+package provider
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/cli/browser"
+)
+
+func init() {
+	Register("forgejo", &ForgejoProvider{})
+	Register("codeberg", &ForgejoProvider{host: "codeberg.org"})
+}
+
+type ForgejoProvider struct {
+	host string
+}
+
+func (f *ForgejoProvider) SetHost(host string) {
+	f.host = host
+}
+
+func (f *ForgejoProvider) SetClientID(clientID string) {
+}
+
+func (f *ForgejoProvider) getBaseURL() string {
+	if f.host != "" {
+		return fmt.Sprintf("https://%s", f.host)
+	}
+	// This should not happen as we validate in Authenticate()
+	return ""
+}
+
+func (f *ForgejoProvider) getAPIURL() string {
+	return fmt.Sprintf("%s/api/v1", f.getBaseURL())
+}
+
+func (f *ForgejoProvider) makeForgejoAPIRequest(ctx context.Context, token string, endpoint string) (*http.Response, error) {
+	headers := map[string]string{
+		"Accept": "application/json",
+	}
+	return makeAuthenticatedRequest(ctx, "GET", endpoint, "token "+token, headers)
+}
+
+func (f *ForgejoProvider) Name() string {
+	return "forgejo"
+}
+
+func (f *ForgejoProvider) Host() string {
+	return f.host
+}
+
+func (f *ForgejoProvider) GetScopes() []string {
+	return []string{"read:repository", "read:user"}
+}
+
+func (f *ForgejoProvider) Authenticate(ctx context.Context) (string, error) {
+	// Validate that we have a host
+	if f.host == "" {
+		return "", fmt.Errorf("--host flag is required for forgejo provider (e.g., --host git.company.com)")
+	}
+
+	fmt.Println()
+	fmt.Println("Forgejo does not support OAuth device flow. You'll need to create a Personal Access Token.")
+	fmt.Println()
+	fmt.Println("Instructions:")
+	fmt.Printf("1. Go to %s/user/settings/applications\n", f.getBaseURL())
+	fmt.Println("2. In the 'Generate New Token' section, enter a token name (e.g., 'nix-auth')")
+	fmt.Println("3. Select the following access and permissions:")
+	fmt.Println("   - Repository and Organization Access: All (public, private, and limited)")
+	fmt.Println("   - Permissions: read:repository, read:user")
+	fmt.Println("4. Click 'Generate Token'")
+	fmt.Println("5. Copy the generated token")
+	fmt.Println()
+
+	tokenURL := fmt.Sprintf("%s/user/settings/applications", f.getBaseURL())
+	fmt.Printf("Opening %s in your browser...\n", tokenURL)
+	
+	if err := browser.OpenURL(tokenURL); err != nil {
+		fmt.Println("Could not open browser automatically.")
+		fmt.Printf("Please manually visit: %s\n", tokenURL)
+	}
+
+	fmt.Println()
+	var token string
+	fmt.Print("Enter your Personal Access Token: ")
+	if _, err := fmt.Scanln(&token); err != nil {
+		return "", fmt.Errorf("failed to read token: %w", err)
+	}
+
+	token = strings.TrimSpace(token)
+	if token == "" {
+		return "", fmt.Errorf("token cannot be empty")
+	}
+
+	if err := f.ValidateToken(ctx, token); err != nil {
+		return "", fmt.Errorf("invalid token: %w", err)
+	}
+
+	return token, nil
+}
+
+func (f *ForgejoProvider) ValidateToken(ctx context.Context, token string) error {
+	userURL := fmt.Sprintf("%s/user", f.getAPIURL())
+	resp, err := f.makeForgejoAPIRequest(ctx, token, userURL)
+	if err != nil {
+		return fmt.Errorf("failed to validate token: %w", err)
+	}
+	defer resp.Body.Close()
+
+	return nil
+}
+
+func (f *ForgejoProvider) GetUserInfo(ctx context.Context, token string) (username, fullName string, err error) {
+	userURL := fmt.Sprintf("%s/user", f.getAPIURL())
+	resp, err := f.makeForgejoAPIRequest(ctx, token, userURL)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to get user info: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var user struct {
+		Login    string `json:"login"`
+		Username string `json:"username"`
+		FullName string `json:"full_name"`
+	}
+
+	if err := json.NewDecoder(resp.Body).Decode(&user); err != nil {
+		return "", "", fmt.Errorf("failed to decode response: %w", err)
+	}
+
+	username = user.Username
+	if username == "" {
+		username = user.Login
+	}
+
+	return username, user.FullName, nil
+}
+
+func (f *ForgejoProvider) GetTokenScopes(ctx context.Context, token string) ([]string, error) {
+	return f.GetScopes(), nil
+}
