fix(client): use form-urlencoded for OAuth token endpoint

[omarshahine]

Problem

Three bugs in the API client that make eightctl unreliable or non-functional:

1. Wrong OAuth content type and credentials in token endpoint

authTokenEndpoint() sends application/json but the Eight Sleep auth server (auth-api.8slp.net/v1/tokens) expects standard OAuth2 application/x-www-form-urlencoded. It also hardcodes client_id: "sleep-client" with an empty client_secret instead of using the actual app credentials.

The JSON request always returns 400 (Joi validation), causing every authentication to fall through to authLegacyLogin(). After a few attempts the rate limiter kicks in.

Note: PR #15 correctly identified the credential issue but kept JSON encoding, which is why the token endpoint still fails even with that fix applied.

2. Gzip responses not decompressed

do() sets Accept-Encoding: gzip explicitly, which disables Go's automatic transparent decompression. The response body arrives as raw gzip bytes, causing:

Error: invalid character '\x1f' looking for beginning of value

3. Infinite retry loops on 429 and 401

Both 429 (rate limited) and 401 (unauthorized) responses trigger unbounded recursive retries with no backoff, leading to permanent loops when auth is broken.

Fix

OAuth auth:

• Use application/x-www-form-urlencoded content type (standard OAuth2 token request format)
• Use c.ClientID and c.ClientSecret instead of hardcoded "sleep-client" / ""
• Make authURL a package-level var (was const) so tests can redirect it to a local server

Drop legacy /login fallback:

• The legacy /login endpoint no longer works reliably upstream
• The silent fallback was masking real OAuth errors — with form-encoding fixed, OAuth works correctly
• Authenticate() now calls the token endpoint directly

Gzip decompression:

• Remove explicit Accept-Encoding: gzip header from do()
• Go's http.Transport handles gzip transparently when the header is not set manually
• Credit to @petersentaylor (Fix OAuth client credentials and gzip decoding #27) for identifying this simpler approach

Bounded retries:

• Cap 429 and 401 retries at 3 attempts with exponential backoff (2s, 4s, 6s)
• Return a clear error message when retries are exhausted
• Credit to @davidfencik (fix: gzip decompression, infinite retry loops, and keychain hangs #16) for the retry pattern

Tests added:

• Token endpoint sends form-urlencoded with correct client credentials
• Auth returns error on failure (no silent fallback)
• No explicit gzip header sent (Go Transport handles it)
• Bounded 429 retry with backoff
• Retry cap prevents infinite loops

Tested against a live Pod 2 Pro.

Fixes #5, fixes #7, fixes #8, fixes #12, fixes #14, fixes #29

---

Note: Issue #10 (keyring hang in headless environments) is not addressed in this PR. A separate PR with the headless keyring fallback (credit to @davidfencik) can follow.

[omarshahine]

Hey @steipete — friendly ping on this and #26. This one fixes the OAuth token endpoint (form-urlencoded per spec) and gzip decompression, and #26 adds away/vacation mode. Happy to adjust anything if needed!

[omarshahine]

Code Review

+164 / -79 lines across 4 files, 5 commits

Overview

Fixes the three interconnected bugs that made eightctl non-functional: wrong OAuth encoding, explicit gzip header disabling Go's transparent decompression, and unbounded retry loops. Also removes the dead legacy /login fallback that was masking the real auth problem, and fixes CI (golangci-lint v2 + config cleanup).

Correctness

• OAuth form-encoding: Correct. RFC 6749 specifies application/x-www-form-urlencoded for token requests. The old JSON body was failing server-side Joi validation.
• Gzip: Correct. Removing the explicit Accept-Encoding: gzip header lets http.Transport add it and auto-decompress. Zero new code needed.
• Bounded retries: Correct. doRetry caps at maxRetries (3) with linear backoff (2s, 4s, 6s). Both 429 and 401 paths check the cap before recursing.
• Legacy login removal: Correct. No remaining references to authLegacyLogin, /login, or the legacy code path anywhere in the codebase. The silent fallback was masking real OAuth errors.

Test Coverage

Area	Test	Status
Form-encoded auth	TestAuthTokenEndpoint_FormEncoded	Verifies content-type, credentials, grant_type
Auth failure	TestAuthTokenEndpoint_ReturnsErrorOnFailure	No silent fallback
Gzip transparency	TestNoExplicitGzipHeader	Confirms Go Transport handles it
429 retry + backoff	Test429Retry	Verifies 2s+ backoff on first retry
429 retry cap	Test429RetryCapped	Confirms error after maxRetries

Notes

• Issue Keyring token caching fails on macOS - tokens don't persist between commands #10 (keyring hang in headless environments) is noted for a follow-up PR, not included here.
• CI was broken on main too (golangci-lint v1.60.1 incompatible with Go 1.24). Fixed as part of this PR by upgrading to golangci-lint v2.1 with the official GitHub Action.
• Tested against a live Pod 2 Pro.

Reviewed and tested locally. CI passing.

[omarshahine]

Closes #5, #7, #8, #12, #14, #29