chore: update to v1.2.2 (#4) (#5)

* If the cached token is not expired, but somehow became invalid go
through the device auth loop again.

Closes okta#118

* Preparing 1.2.2 release

* bump go version in GH actions

---------

Co-authored-by: Mike Mondragon <[email protected]>
Co-authored-by: Mike Mondragon <[email protected]>

.github/workflows/ci.yml

@@ -14,7 +14,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
         with:
-          go-version: 1.19
+          go-version: 1.21
 
       - name: Setup Go Tools
         run: make tools

.github/workflows/release.yml

@@ -18,7 +18,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 #v3.5.0
         with:
-          go-version: 1.19
+          go-version: 1.21
       -
         name: Run GoReleaser
         uses: goreleaser/[email protected]

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 1.2.2 (August 30, 2023)
+
+* Ensure evaluation of CLI flag for profile is in the same order as the other flags [#124](https://github.com/okta/okta-aws-cli/pull/124)
+* Retry cached access token if it isn't expired by but receives API error [#127](https://github.com/okta/okta-aws-cli/pull/127)
+
 ## 1.2.1 (August 15, 2023)
 
 * Friendly IdP and Role labels don't also print out ARN value (less text clutter in the UI)

internal/config/config.go

@@ -31,7 +31,7 @@ import (
 
 const (
 	// Version app version
-	Version = "1.2.1"
+	Version = "1.2.2"
 
 	// AWSCredentialsFormat format const
 	AWSCredentialsFormat = "aws-credentials"

internal/sessiontoken/sessiontoken.go

@@ -167,28 +167,49 @@ func NewSessionToken(config *config.Config) (token *SessionToken, err error) {
 func (s *SessionToken) EstablishToken() error {
 	clientID := s.config.OIDCAppID()
 	var at *accessToken
+	var apps []*oktaApplication
+	var err error
 	at = s.cachedAccessToken()
-	if at == nil {
-		deviceAuth, err := s.authorize(clientID)
-		if err != nil {
-			return err
-		}
 
-		s.promptAuthentication(deviceAuth)
+	// If there is a cached token, and it isn't expired, but the API 401s redo
+	// the authorize step.
+	for attempt := 1; attempt <= 2; attempt++ {
+		err = nil
+		if at == nil {
+			deviceAuth, err := s.authorize(clientID)
+			if err != nil {
+				return err
+			}
 
-		at, err = s.fetchAccessToken(clientID, deviceAuth)
-		if err != nil {
+			s.promptAuthentication(deviceAuth)
+
+			at, err = s.fetchAccessToken(clientID, deviceAuth)
+			if err != nil {
+				return err
+			}
+			at.Expiry = time.Now().Add(time.Duration(at.ExpiresIn) * time.Second).Format(time.RFC3339)
+			s.cacheAccessToken(at)
+		}
+		if s.config.FedAppID() != "" {
+			// Alternate path when operator knows their AWS Fed app ID
+			err = s.establishTokenWithFedAppID(clientID, s.config.FedAppID(), at)
+			if at != nil && err != nil {
+				// possible bad cached access token, retry
+				at = nil
+				continue
+			}
 			return err
 		}
-		at.Expiry = time.Now().Add(time.Duration(at.ExpiresIn) * time.Second).Format(time.RFC3339)
-		s.cacheAccessToken(at)
-	}
-	if s.config.FedAppID() != "" {
-		// Alternate path when operator knows their AWS Fed app ID
-		return s.establishTokenWithFedAppID(clientID, s.config.FedAppID(), at)
+
+		apps, err = s.listFedApps(clientID, at)
+		if at != nil && err != nil {
+			// possible bad cached access token, retry
+			at = nil
+			continue
+		}
+		break
 	}
 
-	apps, err := s.listFedApps(clientID, at)
 	if err != nil {
 		return err
 	}
@@ -946,14 +967,11 @@ func (s *SessionToken) isClassicOrg() bool {
 // cachedAccessToken will returned the cached access token if it exists and is
 // not expired.
 func (s *SessionToken) cachedAccessToken() (at *accessToken) {
-	cUser, err := user.Current()
+	homeDir, err := os.UserHomeDir()
 	if err != nil {
 		return
 	}
-	if cUser.HomeDir == "" {
-		return
-	}
-	configPath := filepath.Join(cUser.HomeDir, dotOktaDir, tokenFileName)
+	configPath := filepath.Join(homeDir, dotOktaDir, tokenFileName)
 	atJSON, err := os.ReadFile(configPath)
 	if err != nil {
 		return