Adds token refresh logic (#162)

## Summary
Adds token refresh logic

## How was it tested?
I'm actually unsure how best to test this other than going through the
auth flow, waiting for my token to expire, and running again. Any ideas
on how best to shortcut that process? Is there a way to purposefully
give myself an expired token on the first try?

---------

Co-authored-by: Mike Landau <mikeland86@gmail.com>

Author: loreto

envsec/internal/envcli/auth.go

@@ -83,7 +83,11 @@ func refreshCmd() *cobra.Command {
 				return err
 			}
 
-			_ = client.RefreshSession()
+			_, ok := client.GetSession(cmd.Context())
+			if !ok {
+				return errors.New("Failed to refresh: not logged in. Run `envsec auth login` to log in")
+			}
+			fmt.Fprintln(cmd.OutOrStdout(), "Refreshed successfully")
 			return nil
 		},
 	}
@@ -102,7 +106,7 @@ func whoAmICmd() *cobra.Command {
 				return err
 			}
 
-			tok, ok := client.GetSession()
+			tok, ok := client.GetSession(cmd.Context())
 			if !ok {
 				return errors.New("not logged in. Run `envsec auth login` to log in")
 			}

envsec/internal/envcli/flags.go

@@ -90,7 +90,7 @@ func (f *configFlags) genConfig(ctx context.Context) (*cmdConfig, error) {
 			return nil, err
 		}
 
-		tok, ok = client.GetSession()
+		tok, ok = client.GetSession(ctx)
 		if !ok {
 			return nil, errors.Errorf(
 				"To use envsec you must log in (`envsec auth login`) or specify --project-id and --org-id",

envsec/internal/envcli/init.go

@@ -19,7 +19,7 @@ func initCmd() *cobra.Command {
 			if err != nil {
 				return err
 			}
-			tok, ok := client.GetSession()
+			tok, ok := client.GetSession(cmd.Context())
 			if !ok {
 				return errors.New("not logged in, run `envsec auth login`")
 			}

pkg/sandbox/auth/auth.go

@@ -1,11 +1,14 @@
 package auth
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"path/filepath"
 
+	"github.com/coreos/go-oidc/v3/oidc"
 	"go.jetpack.io/pkg/sandbox/auth/session"
+	"golang.org/x/oauth2"
 
 	"go.jetpack.io/pkg/sandbox/auth/internal/authflow"
 	"go.jetpack.io/pkg/sandbox/auth/internal/callbackserver"
@@ -59,16 +62,60 @@ func (c *Client) LogoutFlow() error {
 // it will attempt to refresh it. If no token is found, or is unable to be refreshed,
 // it will return nil and false.
 // TODO: automatically refresh token as needed
-func (c *Client) GetSession() (*session.Token, bool) {
+func (c *Client) GetSession(ctx context.Context) (*session.Token, bool) {
 	tok := c.store.ReadToken(c.issuer, c.clientID)
-	if tok == nil || !tok.Valid() {
+	if tok == nil {
 		return nil, false
 	}
+
+	// Refresh if the token is no longer valid:
+	if !tok.Valid() {
+		tok = c.refresh(ctx, tok)
+		if !tok.Valid() {
+			return nil, false
+		}
+	}
+
 	return tok, true
 }
 
-func (c *Client) RefreshSession() *session.Token {
-	panic("refresh session not implemented")
+func (c *Client) refresh(
+	ctx context.Context,
+	tok *session.Token,
+) *session.Token {
+	if tok == nil {
+		return nil
+	}
+
+	// TODO: figure out how to share oidc provider and oauth2 client
+	// with auth flow:
+	provider, err := oidc.NewProvider(ctx, c.issuer)
+	if err != nil {
+		return tok
+	}
+
+	conf := oauth2.Config{
+		ClientID: c.clientID,
+		Endpoint: provider.Endpoint(),
+		Scopes:   []string{"openid", "offline_access"},
+	}
+
+	// Refresh logic:
+	tokenSource := conf.TokenSource(ctx, &tok.Token)
+	newToken, err := tokenSource.Token()
+	if err != nil {
+		return tok
+	}
+
+	if newToken.AccessToken != tok.AccessToken {
+		tok.Token = *newToken
+		err = c.store.WriteToken(c.issuer, c.clientID, tok)
+		if err != nil {
+			return tok
+		}
+	}
+
+	return tok
 }
 
 func (c *Client) RevokeSession() error {