Add API authentication commands for SDK/Terraform integration

Add new `stackit auth api` commands that provide separate credential
storage for the STACKIT Terraform Provider and SDK. This allows using
different accounts for CLI usage vs SDK/Provider usage.

New commands:
- stackit auth api login
- stackit auth api logout
- stackit auth api get-access-token
- stackit auth api status

The implementation adds a storage context system to isolate credentials
between CLI and API contexts, with tokens stored in the OS keychain
(with fallback to local storage).

Author: franklouwers

docs/stackit_auth.md

@@ -31,6 +31,7 @@ stackit auth [flags]
 
 * [stackit](./stackit.md)	 - Manage STACKIT resources using the command line
 * [stackit auth activate-service-account](./stackit_auth_activate-service-account.md)	 - Authenticates using a service account
+* [stackit auth api](./stackit_auth_api.md)	 - Manages authentication for the STACKIT Terraform Provider and SDK
 * [stackit auth get-access-token](./stackit_auth_get-access-token.md)	 - Prints a short-lived access token.
 * [stackit auth login](./stackit_auth_login.md)	 - Logs in to the STACKIT CLI
 * [stackit auth logout](./stackit_auth_logout.md)	 - Logs the user account out of the STACKIT CLI

docs/stackit_auth_api.md

@@ -0,0 +1,41 @@
+## stackit auth api
+
+Manages authentication for the STACKIT Terraform Provider and SDK
+
+### Synopsis
+
+Manages authentication for the STACKIT Terraform Provider and SDK.
+
+These commands allow you to authenticate with your personal STACKIT account
+and share the credentials with the STACKIT Terraform Provider and SDK.
+This provides an alternative to using service accounts for local development.
+
+```
+stackit auth api [flags]
+```
+
+### Options
+
+```
+  -h, --help   Help for "stackit auth api"
+```
+
+### Options inherited from parent commands
+
+```
+  -y, --assume-yes             If set, skips all confirmation prompts
+      --async                  If set, runs the command asynchronously
+  -o, --output-format string   Output format, one of ["json" "pretty" "none" "yaml"]
+  -p, --project-id string      Project ID
+      --region string          Target region for region-specific requests
+      --verbosity string       Verbosity of the CLI, one of ["debug" "info" "warning" "error"] (default "info")
+```
+
+### SEE ALSO
+
+* [stackit auth](./stackit_auth.md)	 - Authenticates the STACKIT CLI
+* [stackit auth api get-access-token](./stackit_auth_api_get-access-token.md)	 - Prints a short-lived access token for the STACKIT Terraform Provider and SDK
+* [stackit auth api login](./stackit_auth_api_login.md)	 - Logs in for the STACKIT Terraform Provider and SDK
+* [stackit auth api logout](./stackit_auth_api_logout.md)	 - Logs out from the STACKIT Terraform Provider and SDK
+* [stackit auth api status](./stackit_auth_api_status.md)	 - Shows authentication status for the STACKIT Terraform Provider and SDK
+

docs/stackit_auth_api_get-access-token.md

@@ -0,0 +1,40 @@
+## stackit auth api get-access-token
+
+Prints a short-lived access token for the STACKIT Terraform Provider and SDK
+
+### Synopsis
+
+Prints a short-lived access token for the STACKIT Terraform Provider and SDK which can be used e.g. for API calls.
+
+```
+stackit auth api get-access-token [flags]
+```
+
+### Examples
+
+```
+  Print a short-lived access token for the STACKIT Terraform Provider and SDK
+  $ stackit auth api get-access-token
+```
+
+### Options
+
+```
+  -h, --help   Help for "stackit auth api get-access-token"
+```
+
+### Options inherited from parent commands
+
+```
+  -y, --assume-yes             If set, skips all confirmation prompts
+      --async                  If set, runs the command asynchronously
+  -o, --output-format string   Output format, one of ["json" "pretty" "none" "yaml"]
+  -p, --project-id string      Project ID
+      --region string          Target region for region-specific requests
+      --verbosity string       Verbosity of the CLI, one of ["debug" "info" "warning" "error"] (default "info")
+```
+
+### SEE ALSO
+
+* [stackit auth api](./stackit_auth_api.md)	 - Manages authentication for the STACKIT Terraform Provider and SDK
+

docs/stackit_auth_api_login.md

@@ -0,0 +1,42 @@
+## stackit auth api login
+
+Logs in for the STACKIT Terraform Provider and SDK
+
+### Synopsis
+
+Logs in for the STACKIT Terraform Provider and SDK using a user account.
+The authentication is done via a web-based authorization flow, where the command will open a browser window in which you can login to your STACKIT account.
+The credentials are stored separately from the CLI authentication and will be used by the STACKIT Terraform Provider and SDK.
+
+```
+stackit auth api login [flags]
+```
+
+### Examples
+
+```
+  Login for the STACKIT Terraform Provider and SDK. This command will open a browser window where you can login to your STACKIT account
+  $ stackit auth api login
+```
+
+### Options
+
+```
+  -h, --help   Help for "stackit auth api login"
+```
+
+### Options inherited from parent commands
+
+```
+  -y, --assume-yes             If set, skips all confirmation prompts
+      --async                  If set, runs the command asynchronously
+  -o, --output-format string   Output format, one of ["json" "pretty" "none" "yaml"]
+  -p, --project-id string      Project ID
+      --region string          Target region for region-specific requests
+      --verbosity string       Verbosity of the CLI, one of ["debug" "info" "warning" "error"] (default "info")
+```
+
+### SEE ALSO
+
+* [stackit auth api](./stackit_auth_api.md)	 - Manages authentication for the STACKIT Terraform Provider and SDK
+

docs/stackit_auth_api_logout.md

@@ -0,0 +1,40 @@
+## stackit auth api logout
+
+Logs out from the STACKIT Terraform Provider and SDK
+
+### Synopsis
+
+Logs out from the STACKIT Terraform Provider and SDK. This does not affect CLI authentication.
+
+```
+stackit auth api logout [flags]
+```
+
+### Examples
+
+```
+  Log out from the STACKIT Terraform Provider and SDK
+  $ stackit auth api logout
+```
+
+### Options
+
+```
+  -h, --help   Help for "stackit auth api logout"
+```
+
+### Options inherited from parent commands
+
+```
+  -y, --assume-yes             If set, skips all confirmation prompts
+      --async                  If set, runs the command asynchronously
+  -o, --output-format string   Output format, one of ["json" "pretty" "none" "yaml"]
+  -p, --project-id string      Project ID
+      --region string          Target region for region-specific requests
+      --verbosity string       Verbosity of the CLI, one of ["debug" "info" "warning" "error"] (default "info")
+```
+
+### SEE ALSO
+
+* [stackit auth api](./stackit_auth_api.md)	 - Manages authentication for the STACKIT Terraform Provider and SDK
+

docs/stackit_auth_api_status.md

@@ -0,0 +1,40 @@
+## stackit auth api status
+
+Shows authentication status for the STACKIT Terraform Provider and SDK
+
+### Synopsis
+
+Shows authentication status for the STACKIT Terraform Provider and SDK, including whether you are authenticated and with which account.
+
+```
+stackit auth api status [flags]
+```
+
+### Examples
+
+```
+  Show authentication status for the STACKIT Terraform Provider and SDK
+  $ stackit auth api status
+```
+
+### Options
+
+```
+  -h, --help   Help for "stackit auth api status"
+```
+
+### Options inherited from parent commands
+
+```
+  -y, --assume-yes             If set, skips all confirmation prompts
+      --async                  If set, runs the command asynchronously
+  -o, --output-format string   Output format, one of ["json" "pretty" "none" "yaml"]
+  -p, --project-id string      Project ID
+      --region string          Target region for region-specific requests
+      --verbosity string       Verbosity of the CLI, one of ["debug" "info" "warning" "error"] (default "info")
+```
+
+### SEE ALSO
+
+* [stackit auth api](./stackit_auth_api.md)	 - Manages authentication for the STACKIT Terraform Provider and SDK
+

internal/cmd/auth/api/get-access-token/get_access_token.go

@@ -0,0 +1,77 @@
+package getaccesstoken
+
+import (
+	"github.com/spf13/cobra"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/args"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/auth"
+	cliErr "github.com/stackitcloud/stackit-cli/internal/pkg/errors"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/examples"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/globalflags"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/print"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/types"
+)
+
+type inputModel struct {
+	*globalflags.GlobalFlagModel
+}
+
+func NewCmd(p *types.CmdParams) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "get-access-token",
+		Short: "Prints a short-lived access token for the STACKIT Terraform Provider and SDK",
+		Long:  "Prints a short-lived access token for the STACKIT Terraform Provider and SDK which can be used e.g. for API calls.",
+		Args:  args.NoArgs,
+		Example: examples.Build(
+			examples.NewExample(
+				`Print a short-lived access token for the STACKIT Terraform Provider and SDK`,
+				"$ stackit auth api get-access-token"),
+		),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			model, err := parseInput(p.Printer, cmd, args)
+			if err != nil {
+				return err
+			}
+
+			userSessionExpired, err := auth.UserSessionExpiredWithContext(auth.StorageContextAPI)
+			if err != nil {
+				return err
+			}
+			if userSessionExpired {
+				return &cliErr.SessionExpiredError{}
+			}
+
+			accessToken, err := auth.GetValidAccessTokenWithContext(p.Printer, auth.StorageContextAPI)
+			if err != nil {
+				p.Printer.Debug(print.ErrorLevel, "get valid access token: %v", err)
+				return &cliErr.SessionExpiredError{}
+			}
+
+			result := map[string]string{
+				"access_token": accessToken,
+			}
+			return p.Printer.OutputResult(model.OutputFormat, result, func() error {
+				p.Printer.Outputln(accessToken)
+				return nil
+			})
+		},
+	}
+
+	// hide project id flag from help command because it could mislead users
+	cmd.SetHelpFunc(func(command *cobra.Command, strings []string) {
+		cobra.CheckErr(command.Flags().MarkHidden(globalflags.ProjectIdFlag))
+		command.Parent().HelpFunc()(command, strings)
+	})
+
+	return cmd
+}
+
+func parseInput(p *print.Printer, cmd *cobra.Command, _ []string) (*inputModel, error) {
+	globalFlags := globalflags.Parse(p, cmd)
+
+	model := inputModel{
+		GlobalFlagModel: globalFlags,
+	}
+
+	p.DebugInputModel(model)
+	return &model, nil
+}

internal/cmd/auth/api/login/login.go

@@ -0,0 +1,39 @@
+package login
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/args"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/auth"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/examples"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/types"
+)
+
+func NewCmd(p *types.CmdParams) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "login",
+		Short: "Logs in for the STACKIT Terraform Provider and SDK",
+		Long: fmt.Sprintf("%s\n%s\n%s",
+			"Logs in for the STACKIT Terraform Provider and SDK using a user account.",
+			"The authentication is done via a web-based authorization flow, where the command will open a browser window in which you can login to your STACKIT account.",
+			"The credentials are stored separately from the CLI authentication and will be used by the STACKIT Terraform Provider and SDK."),
+		Args: args.NoArgs,
+		Example: examples.Build(
+			examples.NewExample(
+				`Login for the STACKIT Terraform Provider and SDK. This command will open a browser window where you can login to your STACKIT account`,
+				"$ stackit auth api login"),
+		),
+		RunE: func(_ *cobra.Command, _ []string) error {
+			err := auth.AuthorizeUser(p.Printer, auth.StorageContextAPI, false)
+			if err != nil {
+				return fmt.Errorf("authorization failed: %w", err)
+			}
+
+			p.Printer.Outputln("Successfully logged in for STACKIT Terraform Provider and SDK.\n")
+
+			return nil
+		},
+	}
+	return cmd
+}

internal/cmd/auth/api/logout/logout.go

@@ -0,0 +1,35 @@
+package logout
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/args"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/auth"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/examples"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/types"
+)
+
+func NewCmd(p *types.CmdParams) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "logout",
+		Short: "Logs out from the STACKIT Terraform Provider and SDK",
+		Long:  "Logs out from the STACKIT Terraform Provider and SDK. This does not affect CLI authentication.",
+		Args:  args.NoArgs,
+		Example: examples.Build(
+			examples.NewExample(
+				`Log out from the STACKIT Terraform Provider and SDK`,
+				"$ stackit auth api logout"),
+		),
+		RunE: func(_ *cobra.Command, _ []string) error {
+			err := auth.LogoutUserWithContext(auth.StorageContextAPI)
+			if err != nil {
+				return fmt.Errorf("log out failed: %w", err)
+			}
+
+			p.Printer.Info("Successfully logged out from STACKIT Terraform Provider and SDK.\n")
+			return nil
+		},
+	}
+	return cmd
+}