refactor(tui): deduplicate shared utilities and simplify flow runners

browser_flow.go

@@ -2,16 +2,11 @@ package main
 
 import (
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
-	"net/http"
 	"net/url"
-	"strings"
 	"time"
 
-	retry "github.com/appleboy/go-httpretry"
 	"github.com/go-authgate/cli/tui"
 	"github.com/go-authgate/sdk-go/credstore"
 )
@@ -39,59 +34,18 @@ func exchangeCode(ctx context.Context, code, codeVerifier string) (*credstore.To
 	data.Set("code", code)
 	data.Set("redirect_uri", redirectURI)
 	data.Set("client_id", clientID)
+	data.Set("code_verifier", codeVerifier)
 
-	if isPublicClient() {
-		data.Set("code_verifier", codeVerifier)
-	} else {
+	if !isPublicClient() {
 		data.Set("client_secret", clientSecret)
-		data.Set("code_verifier", codeVerifier)
 	}
 
-	resp, err := retryClient.Post(ctx, serverURL+"/oauth/token",
-		retry.WithBody("application/x-www-form-urlencoded", strings.NewReader(data.Encode())),
-	)
+	tokenResp, err := doTokenExchange(ctx, serverURL+"/oauth/token", data, nil)
 	if err != nil {
-		return nil, fmt.Errorf("request failed: %w", err)
+		return nil, err
 	}
-	defer resp.Body.Close()
 
-	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseBodySize))
-	if err != nil {
-		return nil, fmt.Errorf("failed to read response: %w", err)
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		var errResp ErrorResponse
-		if jsonErr := json.Unmarshal(body, &errResp); jsonErr == nil && errResp.Error != "" {
-			return nil, fmt.Errorf("%s: %s", errResp.Error, errResp.ErrorDescription)
-		}
-		return nil, fmt.Errorf(
-			"token exchange failed with status %d: %s",
-			resp.StatusCode,
-			string(body),
-		)
-	}
-
-	var tokenResp tokenResponse
-	if err := json.Unmarshal(body, &tokenResp); err != nil {
-		return nil, fmt.Errorf("failed to parse token response: %w", err)
-	}
-
-	if err := validateTokenResponse(
-		tokenResp.AccessToken,
-		tokenResp.TokenType,
-		tokenResp.ExpiresIn,
-	); err != nil {
-		return nil, fmt.Errorf("invalid token response: %w", err)
-	}
-
-	return &credstore.Token{
-		AccessToken:  tokenResp.AccessToken,
-		RefreshToken: tokenResp.RefreshToken,
-		TokenType:    tokenResp.TokenType,
-		ExpiresAt:    time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second),
-		ClientID:     clientID,
-	}, nil
+	return tokenResponseToCredstore(tokenResp), nil
 }
 
 // performBrowserFlowWithUpdates runs the Authorization Code Flow with PKCE
@@ -181,20 +135,29 @@ func performBrowserFlowWithUpdates(
 			select {
 			case <-done:
 				return
+			case <-ctx.Done():
+				return
 			case <-ticker.C:
 				elapsed := time.Since(startTime)
 				progress := float64(elapsed) / float64(callbackTimeout)
 				if progress > 1.0 {
 					progress = 1.0
 				}
-				updates <- tui.FlowUpdate{
+				update := tui.FlowUpdate{
 					Type:     tui.TimerTick,
 					Progress: progress,
 					Data: map[string]any{
 						"elapsed": elapsed,
 						"timeout": callbackTimeout,
 					},
 				}
+				select {
+				case updates <- update:
+				case <-done:
+					return
+				case <-ctx.Done():
+					return
+				}
 			}
 		}
 	}()

error_sanitizer.go

@@ -1,24 +1,31 @@
 package main
 
+import "github.com/go-authgate/cli/tui"
+
+// browserErrorMessages overrides the TUI messages with shorter, browser-safe versions.
+// Only codes that need different wording for the browser are listed here.
+var browserErrorMessages = map[string]string{
+	"access_denied":           "Authorization was denied. You may close this window.",
+	"invalid_request":         "Invalid request. Please contact support.",
+	"unauthorized_client":     "Client is not authorized.",
+	"server_error":            "Server error. Please try again later.",
+	"temporarily_unavailable": "Service is temporarily unavailable. Please try again later.",
+}
+
 // sanitizeOAuthError maps standard OAuth error codes to user-friendly messages
 // that are safe to display in the browser. This prevents information disclosure
 // while maintaining a good user experience.
 // The errorDescription parameter is intentionally ignored to prevent leaking details.
 func sanitizeOAuthError(errorCode, _ string) string {
-	switch errorCode {
-	case "access_denied":
-		return "Authorization was denied. You may close this window."
-	case "invalid_request":
-		return "Invalid request. Please contact support."
-	case "unauthorized_client":
-		return "Client is not authorized."
-	case "server_error":
-		return "Server error. Please try again later."
-	case "temporarily_unavailable":
-		return "Service is temporarily unavailable. Please try again later."
-	default:
-		return "Authentication failed. Please check your terminal for details."
+	// Check browser-specific overrides first
+	if msg, ok := browserErrorMessages[errorCode]; ok {
+		return msg
+	}
+	// Fall back to the shared TUI error map
+	if msg, ok := tui.OAuthErrorMessage(errorCode); ok {
+		return msg
 	}
+	return "Authentication failed. Please check your terminal for details."
 }
 
 // sanitizeTokenExchangeError sanitizes backend token exchange errors to prevent

main.go

@@ -10,7 +10,6 @@ import (
 	"net/url"
 	"os"
 	"os/signal"
-	"strings"
 	"syscall"
 	"time"
 
@@ -175,55 +174,23 @@ func refreshAccessToken(ctx context.Context, refreshToken string) (*credstore.To
 		data.Set("client_secret", clientSecret)
 	}
 
-	resp, err := retryClient.Post(ctx, serverURL+"/oauth/token",
-		retry.WithBody("application/x-www-form-urlencoded", strings.NewReader(data.Encode())),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("refresh request failed: %w", err)
-	}
-	defer resp.Body.Close()
-
-	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseBodySize))
-	if err != nil {
-		return nil, fmt.Errorf("failed to read response: %w", err)
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		var errResp ErrorResponse
-		if jsonErr := json.Unmarshal(body, &errResp); jsonErr == nil {
+	tokenResp, err := doTokenExchange(ctx, serverURL+"/oauth/token", data,
+		func(errResp ErrorResponse, _ []byte) error {
 			if errResp.Error == "invalid_grant" || errResp.Error == "invalid_token" {
-				return nil, ErrRefreshTokenExpired
+				return ErrRefreshTokenExpired
 			}
-			return nil, fmt.Errorf("%s: %s", errResp.Error, errResp.ErrorDescription)
-		}
-		return nil, fmt.Errorf("refresh failed with status %d: %s", resp.StatusCode, string(body))
-	}
-
-	var tokenResp tokenResponse
-	if err := json.Unmarshal(body, &tokenResp); err != nil {
-		return nil, fmt.Errorf("failed to parse token response: %w", err)
+			return nil // fall through to default error formatting
+		},
+	)
+	if err != nil {
+		return nil, err
 	}
 
-	if err := validateTokenResponse(
-		tokenResp.AccessToken,
-		tokenResp.TokenType,
-		tokenResp.ExpiresIn,
-	); err != nil {
-		return nil, fmt.Errorf("invalid token response: %w", err)
-	}
+	storage := tokenResponseToCredstore(tokenResp)
 
 	// Preserve the old refresh token in fixed-mode (server may not return a new one).
-	newRefreshToken := tokenResp.RefreshToken
-	if newRefreshToken == "" {
-		newRefreshToken = refreshToken
-	}
-
-	storage := &credstore.Token{
-		AccessToken:  tokenResp.AccessToken,
-		RefreshToken: newRefreshToken,
-		TokenType:    tokenResp.TokenType,
-		ExpiresAt:    time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second),
-		ClientID:     clientID,
+	if storage.RefreshToken == "" {
+		storage.RefreshToken = refreshToken
 	}
 
 	if err := tokenStore.Save(clientID, *storage); err != nil {

tokens.go

@@ -1,8 +1,18 @@
 package main
 
 import (
+	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	retry "github.com/appleboy/go-httpretry"
+	"github.com/go-authgate/sdk-go/credstore"
 )
 
 // ErrorResponse is an OAuth error payload.
@@ -14,6 +24,80 @@ type ErrorResponse struct {
 // ErrRefreshTokenExpired indicates the refresh token has expired or is invalid.
 var ErrRefreshTokenExpired = errors.New("refresh token expired or invalid")
 
+// doTokenExchange performs a standard OAuth 2.0 token POST and returns the
+// parsed tokenResponse on success. On non-200 responses it returns a formatted
+// error including the OAuth error code/description when available.
+// The optional errHook is called with the parsed ErrorResponse before the
+// default error formatting, allowing callers to handle specific error codes
+// (e.g., invalid_grant → ErrRefreshTokenExpired). If errHook returns a
+// non-nil error, that error is returned directly.
+func doTokenExchange(
+	ctx context.Context,
+	tokenURL string,
+	data url.Values,
+	errHook func(errResp ErrorResponse, body []byte) error,
+) (*tokenResponse, error) {
+	resp, err := retryClient.Post(ctx, tokenURL,
+		retry.WithBody("application/x-www-form-urlencoded", strings.NewReader(data.Encode())),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseBodySize))
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		var errResp ErrorResponse
+		if jsonErr := json.Unmarshal(body, &errResp); jsonErr == nil && errResp.Error != "" {
+			if errHook != nil {
+				if hookErr := errHook(errResp, body); hookErr != nil {
+					return nil, hookErr
+				}
+			}
+			desc := strings.TrimSpace(errResp.ErrorDescription)
+			if desc == "" {
+				return nil, fmt.Errorf("%s", errResp.Error)
+			}
+			return nil, fmt.Errorf("%s: %s", errResp.Error, desc)
+		}
+		return nil, fmt.Errorf(
+			"token exchange failed with status %d: %s",
+			resp.StatusCode,
+			string(body),
+		)
+	}
+
+	var tokenResp tokenResponse
+	if err := json.Unmarshal(body, &tokenResp); err != nil {
+		return nil, fmt.Errorf("failed to parse token response: %w", err)
+	}
+
+	if err := validateTokenResponse(
+		tokenResp.AccessToken,
+		tokenResp.TokenType,
+		tokenResp.ExpiresIn,
+	); err != nil {
+		return nil, fmt.Errorf("invalid token response: %w", err)
+	}
+
+	return &tokenResp, nil
+}
+
+// tokenResponseToCredstore converts a tokenResponse to a credstore.Token.
+func tokenResponseToCredstore(tr *tokenResponse) *credstore.Token {
+	return &credstore.Token{
+		AccessToken:  tr.AccessToken,
+		RefreshToken: tr.RefreshToken,
+		TokenType:    tr.TokenType,
+		ExpiresAt:    time.Now().Add(time.Duration(tr.ExpiresIn) * time.Second),
+		ClientID:     clientID,
+	}
+}
+
 // validateTokenResponse performs basic sanity checks on a token response.
 func validateTokenResponse(accessToken, tokenType string, expiresIn int) error {
 	if accessToken == "" {