decodeCQPDClaims reads the unverified claims payload of a cqpd_ token. The CLI only needs routing/identity hints (api_url, team) to decide where and as whom to call; the platform still authenticates the token. Wire format is "cqpd_" + base64url(claimsJSON) + "." + base64url(sig). Returns empty strings for a malformed or non-cqpd_ token.
(token string)
// decodeCQPDClaims extracts the api_url and team hints from the claims segment
// of a cqpd_ token without verifying it. The wire format is
// "cqpd_" + base64url(claimsJSON) + "." + base64url(sig); only the claims
// segment is decoded, and the signature segment is discarded unread.
//
// The CLI uses these values as routing/identity hints (where and as whom to
// call); the platform still authenticates the token. Both results are ""
// for a malformed or non-cqpd_ token. Mirrors the destination plugin's decoder
// (separate repos — keep the claim keys in sync).
//
// NOTE(review): nothing here checks the signature, so the returned values are
// only as trustworthy as the token's source. Callers are not visible from this
// function; if apiURL selects the host the token is later sent to, it should
// be validated (scheme, expected host) before use — confirm at the call sites.
func decodeCQPDClaims(token string) (apiURL, team string) {
	if !strings.HasPrefix(token, cqpdPrefix) {
		return "", ""
	}
	body := token[len(cqpdPrefix):]

	// The claims segment is everything before the first "."; a token with no
	// separator at all is treated as malformed.
	dot := strings.IndexByte(body, '.')
	if dot < 0 {
		return "", ""
	}

	raw, decodeErr := base64.RawURLEncoding.DecodeString(body[:dot])
	if decodeErr != nil {
		return "", ""
	}

	// Only the two hint keys are read; any other claims are ignored.
	var hints struct {
		APIURL string `json:"u"`
		Team   string `json:"tm"`
	}
	if json.Unmarshal(raw, &hints) != nil {
		// Discard anything partially decoded rather than return half a result.
		return "", ""
	}
	return hints.APIURL, hints.Team
}
| 274 | |
| 275 | // MaybeInjectDestination injects a `platform` destination carrying a freshly |
| 276 | // minted cqpd_ token — but only when the spec opts in by listing `platform` in |