Tracking: migrate remaining OpenDAL auth to reqsign #685

@Xuanwo

Background

reqsign's goal is to provide a unified credential loading + request signing implementation for all OpenDAL services, so OpenDAL backends can remove per-service auth code.

Current progress (OpenDAL integration)

The following OpenDAL services are already using reqsign-based credential loading and/or signing:

  • AWS S3: reqsign-aws-v4 + reqsign-core (including AssumeRole credential chain)
  • Aliyun OSS: reqsign-aliyun-oss
  • Tencent COS: reqsign-tencent-cos
  • HuaweiCloud OBS: reqsign-huaweicloud-obs
  • Azure Storage (azblob/azfile/azdls, plus ghac writer): reqsign-azure-storage
  • Google Cloud Storage (GCS): reqsign-google

Remaining OpenDAL services with local auth implementations

The following OpenDAL services still implement local credential/token loading and/or signing logic without reqsign:

  • aliyun-drive (OAuth refresh flow, local signer)
  • b2 (authorize-account exchange + token cache/refresh)
  • seafile (token fetch + cache, repo id discovery)
  • koofr (email/password -> token exchange + cache)
  • onedrive (OAuth2 refresh flow, token cache)
  • dropbox (Bearer access token injection)
  • gdrive (Bearer access token injection)
  • github (optional Bearer token injection + fixed headers)
  • cloudflare-kv (Authorization header injection)
  • vercel-blob (Bearer token injection)
  • yandex-disk (OAuth token injection)
  • swift (X-Auth-Token header injection)
  • upyun (HMAC-based request signature)

Proposed task breakdown (reqsign side)

A. Token-only / header injection

Target services:

  • github (Bearer token + fixed headers)
  • vercel-blob (Authorization: Bearer <token>)
  • yandex-disk (Authorization: OAuth <token>)
  • cloudflare-kv (Authorization: <api_token>)
  • dropbox (Authorization: Bearer <access_token>)
  • gdrive (Authorization: Bearer <access_token>)
  • swift (X-Auth-Token: <token>)

Deliverable:

  • Minimal service crates (or a shared helper in reqsign-core) that expose config/credential types and implement request signing.

B. Login/exchange token + caching

Target services:

  • b2 (Basic auth -> authorization token, valid up to 24h)
  • seafile (fetch auth token, then Authorization: Token <token>, plus repo id discovery)
  • koofr (exchange email/password for Token token=<...>)

Deliverable:

  • Service-specific ProvideCredential implementation with caching/expiration where applicable.

C. OAuth2 refresh token flow

Target services:

  • aliyun-drive (refresh_token -> access_token, refresh_token update, expiration tracking)
  • onedrive (OAuth2 refresh endpoint)

Deliverable:

  • Service-specific providers using reqsign-core contexts (HttpSend, FileRead, env) and returning typed credentials.

D. Request signature (HMAC)

Target services:

  • upyun (HMAC-SHA1 signature and required headers)

Deliverable:

  • Service crate implementing the signing algorithm and test vectors.

Acceptance criteria

  • Each listed service has a reqsign-backed credential loader/provider (where applicable) and signer.
  • OpenDAL service crates can delete local signer/token-refresh code and depend on reqsign instead.
  • Unit tests cover:
    • canonical header format
    • token refresh/caching behavior
    • signature correctness (for HMAC-based services)

Tracking checklist

  • reqsign-upyun
  • reqsign-b2
  • reqsign-seafile
  • reqsign-koofr
  • reqsign-aliyun-drive
  • reqsign-onedrive
  • reqsign-dropbox
  • reqsign-gdrive
  • reqsign-github
  • reqsign-cloudflare-kv
  • reqsign-vercel-blob
  • reqsign-yandex-disk
  • reqsign-swift

Parts of this issue were drafted with assistance from Codex (with gpt-5.2) and fully reviewed and edited by me. I take full responsibility for all changes.
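As an added illustration of the "Login/exchange token + caching" group and the "token refresh/caching behavior" test criterion (not code from this issue, reqsign, or OpenDAL): a minimal cached provider with an injected clock. `Token`, `CachedProvider`, the closure-based exchange call and the 300-second skew are hypothetical names and values chosen for the sketch; it does not use reqsign's `ProvideCredential` trait.

```rust
use std::fmt;

/// Hypothetical credential type: a token plus its absolute expiry (Unix seconds).
#[derive(Clone)]
pub struct Token {
    pub value: String,
    pub expires_at: u64,
}
// Redact the secret so the credential never leaks through {:?} logging.
impl fmt::Debug for Token {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "Token {{ value: <redacted>, expires_at: {} }}", self.expires_at)
    }
}

/// Caches the result of an exchange call (assumed shape: takes the current
/// time, returns a token) and refreshes `skew` seconds before expiry.
pub struct CachedProvider<F> {
    exchange: F,
    skew: u64,
    cached: Option<Token>,
}

impl<F: FnMut(u64) -> Result<Token, String>> CachedProvider<F> {
    pub fn new(exchange: F, skew: u64) -> Self { Self { exchange, skew, cached: None } }

    /// `now` is injected so tests control the clock instead of sleeping.
    pub fn get(&mut self, now: u64) -> Result<Token, String> {
        if let Some(t) = &self.cached {
            if now + self.skew < t.expires_at {
                return Ok(t.clone()); // comfortably valid: no exchange call
            }
        }
        match (self.exchange)(now) {
            Ok(fresh) => {
                self.cached = Some(fresh.clone());
                Ok(fresh)
            }
            // Refresh failed: reuse the old token only if it has not actually expired.
            Err(e) => match &self.cached {
                Some(t) if now < t.expires_at => Ok(t.clone()),
                _ => Err(e),
            },
        }
    }
}

fn main() {
    // Constructed stand-in for a real exchange call; 86_400 s = 24 h lifetime.
    let ex = |now: u64| -> Result<Token, String> { Ok(Token { value: "constructed".into(), expires_at: now + 86_400 }) };
    println!("{:?}", CachedProvider::new(ex, 300).get(1_000));
}
```

The early-refresh window avoids sending a token that expires in flight, and the fallback branch keeps a transient exchange failure from failing requests while the cached token is still valid.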