OAuth Authentication - JohanDevl/Export_Trakt_4_Letterboxd GitHub Wiki

🔑 OAuth Authentication Guide

đŸŽ¯ Problem Solved

✅ No more expired tokens! The application now automatically manages:

  • OAuth 2.0 authentication with Trakt.tv
  • Automatic token renewal
  • Secure credential storage
  • Clear and informative error messages

🚀 Quick Setup

1. Configure your Trakt.tv application

  1. Go to https://trakt.tv/oauth/applications
  2. Create a new application or modify an existing one
  3. Important: Set the Redirect URI to: http://localhost:8080/callback
  4. Note your Client ID and Client Secret

2. Update your configuration

In your config/config.toml:

[trakt]
client_id = "YOUR_CLIENT_ID"
client_secret = "YOUR_CLIENT_SECRET"
# access_token = ""  # No longer needed!

[auth]
use_oauth = true
auto_refresh = true
redirect_uri = "http://localhost:8080/callback"
callback_port = 8080

3. Initial authentication

# In your Docker container
docker exec -it <container_name> /app/export-trakt auth

Follow the interactive instructions:

  1. An authorization URL will be displayed
  2. Open it in your browser
  3. Authorize the application on Trakt.tv
  4. You will be redirected automatically
  5. The token will be stored securely

📋 New Available Commands

auth - Interactive Authentication

docker exec -it <container> /app/export-trakt auth

Launches the complete OAuth authentication process.

token-status - Check Token Status

docker exec -it <container> /app/export-trakt token-status

Displays the current token status (valid, expired, time remaining).

token-refresh - Manual Refresh

docker exec -it <container> /app/export-trakt token-refresh

Forces token renewal (useful for testing).

token-clear - Clear Tokens

docker exec -it <container> /app/export-trakt token-clear

Removes all stored tokens (in case of issues).

🔄 Automatic Operation

Once configured, the application:

  1. Automatically detects expired tokens
  2. Automatically renews tokens in the background
  3. Transparently retries API requests after renewal
  4. Clearly logs all authentication operations

đŸŗ Docker Usage

Docker Compose with OAuth

Your existing docker-compose.yml works without changes:

# Initial authentication
docker compose --profile setup up

# Then normal operation
docker compose --profile schedule-6h up -d

Environment Variables

For automated deployments:

# In your .env or docker-compose.yml
TRAKT_CLIENT_ID=your_client_id
TRAKT_CLIENT_SECRET=your_client_secret

🔒 Security

Tokens are stored securely via:

  • System keyring (macOS Keychain, Windows Credential Store, etc.)
  • AES encryption for file storage
  • Environment variables for containers

🆘 Troubleshooting

Token not found

❌ No token found. Run 'auth' command to authenticate:
   docker exec -it <container> /app/export-trakt auth

Expired token without refresh token

❌ Token expired - re-authentication required
Run: auth

Configuration error

❌ Missing Trakt.tv API credentials
Please configure your Trakt.tv API credentials:
1. Go to https://trakt.tv/oauth/applications
2. Create a new application or modify existing one
3. Set client_id and client_secret in your config file
4. Set redirect_uri to: http://localhost:8080/callback

📊 Logs and Monitoring

New OAuth operations are logged:

ℹī¸ oauth.auth_url_generated
ℹī¸ oauth.token_exchange_success  
ℹī¸ oauth.token_refresh_success
ℹī¸ api.token_expired_refreshing

🎉 Benefits

✅ Never deal with expired tokens again
✅ Guided and simple authentication
✅ Transparent renewal
✅ Backward compatible with existing tokens
✅ Enhanced security
✅ Clear error messages

🔮 Future Usage

Once configured, you don't need to do anything! The application handles everything automatically:

# Your usual commands work without changes
docker compose --profile schedule-6h up -d

# Exports continue automatically, even after token expiration

🏗ī¸ Technical Implementation

Architecture Overview

The OAuth implementation consists of three main components:

  1. OAuth Manager (pkg/auth/oauth.go)

    • Handles OAuth 2.0 Authorization Code flow
    • Manages authorization URL generation
    • Exchanges authorization codes for tokens
    • Provides token validation

  2. Token Manager (pkg/auth/token_manager.go)

    • Manages token storage and retrieval
    • Handles automatic token refresh
    • Provides token status information
    • Integrates with secure storage backends

  3. Enhanced API Client (pkg/api/trakt.go)

    • Automatically detects authentication failures
    • Triggers token refresh on 401 errors
    • Transparently retries failed requests
    • Maintains backward compatibility

Security Features

  • Secure Storage: Uses system keyring or encrypted file storage
  • Token Rotation: Automatic refresh before expiration
  • State Validation: CSRF protection during OAuth flow
  • Secure Defaults: HTTPS enforcement and secure callback handling

Configuration Options

[auth]
use_oauth = true                              # Enable OAuth (default: true)
auto_refresh = true                           # Auto-refresh tokens (default: true)
redirect_uri = "http://localhost:8080/callback"  # OAuth callback URL
callback_port = 8080                          # Local server port

Error Handling

The implementation provides comprehensive error handling:

  • Network failures with retry logic
  • Invalid credentials with clear messages
  • Token expiration with automatic recovery
  • Configuration issues with helpful guidance

đŸŽ¯ Summary: Configure once, enjoy forever!

⚠ī¸ **GitHub.com Fallback** ⚠ī¸