auth/generate-dev-token: support sessions.

internal/auth/tokens.go

@@ -82,6 +82,8 @@ type TokenClaims struct {
 	PrimaryRegion string `json:"primary_region"`
 }
 
+func (t *Token) IsSessionToken() bool { return t.SessionToken != "" }
+
 func (t *Token) Claims(ctx context.Context) (*TokenClaims, error) {
 	if t.SessionToken != "" {
 		return parseClaims(ctx, strings.TrimPrefix(t.SessionToken, "st_"))

internal/cli/cmd/auth/devtoken.go

@@ -33,14 +33,13 @@ func NewGenerateDevTokenCmd() *cobra.Command {
 		}
 
 		if *outputPath != "" {
-			if err := os.WriteFile(*outputPath, []byte(res.DevelopmentToken), 0644); err != nil {
+			if err := os.WriteFile(*outputPath, []byte(res), 0644); err != nil {
 				return fnerrors.New("failed to write %q: %w", *outputPath, err)
 			}
-
-			return nil
+		} else {
+			fmt.Fprintln(console.Stdout(ctx), res)
 		}
 
-		fmt.Fprintln(console.Stdout(ctx), res.DevelopmentToken)
 		return nil
 	})
 }

internal/fnapi/fnapi.go

@@ -62,7 +62,7 @@ func AuthenticatedCall(ctx context.Context, endpoint string, method string, req
 	}.Do(ctx, req, StaticEndpoint(endpoint), handle)
 }
 
-func FetchSessionToken(ctx context.Context, sessionToken string, duration time.Duration) (string, error) {
+func IssueTenantTokenFromSession(ctx context.Context, sessionToken string, duration time.Duration) (string, error) {
 	req := IssueTenantTokenFromSessionRequest{
 		TokenDurationSecs: int64(duration.Seconds()),
 	}

internal/fnapi/tenants.go

@@ -6,6 +6,7 @@ package fnapi
 
 import (
 	"context"
+	"time"
 
 	"namespacelabs.dev/foundation/internal/fnerrors"
 )
@@ -150,15 +151,24 @@ func IssueIngressAccessToken(ctx context.Context, instanceId string) (IssueIngre
 	return res, nil
 }
 
-func IssueDevelopmentToken(ctx context.Context) (IssueDevelopmentTokenResponse, error) {
+func IssueDevelopmentToken(ctx context.Context) (string, error) {
+	tok, err := FetchToken(ctx)
+	if err != nil {
+		return "", err
+	}
+
+	if tok.IsSessionToken() {
+		return tok.IssueToken(ctx, time.Hour, IssueTenantTokenFromSession)
+	}
+
 	req := struct{}{}
 
 	var res IssueDevelopmentTokenResponse
 	if err := AuthenticatedCall(ctx, EndpointAddress, "nsl.tenants.TenantsService/IssueDevelopmentToken", req, DecodeJSONResponse(&res)); err != nil {
-		return IssueDevelopmentTokenResponse{}, err
+		return "", err
 	}
 
-	return res, nil
+	return res.DevelopmentToken, nil
 }
 
 func TrustAWSCognitoJWT(ctx context.Context, tenantID, identityPool, identityProvider string) error {

internal/fnapi/tokens.go

@@ -15,13 +15,14 @@ import (
 )
 
 type Token interface {
+	IsSessionToken() bool
 	Claims(context.Context) (*auth.TokenClaims, error)
 	PrimaryRegion(context.Context) (string, error)
 	IssueToken(context.Context, time.Duration, func(context.Context, string, time.Duration) (string, error)) (string, error)
 }
 
 func BearerToken(ctx context.Context, t Token) (string, error) {
-	raw, err := t.IssueToken(ctx, 5*time.Minute, FetchSessionToken)
+	raw, err := t.IssueToken(ctx, 5*time.Minute, IssueTenantTokenFromSession)
 	if err != nil {
 		return "", err
 	}
@@ -83,7 +84,7 @@ func IssueToken(ctx context.Context, minDur time.Duration) (string, error) {
 		return "", err
 	}
 
-	return t.IssueToken(ctx, minDur, FetchSessionToken)
+	return t.IssueToken(ctx, minDur, IssueTenantTokenFromSession)
 }
 
 func ResolveSpec() (string, error) {