teems 0.1.0

data/lib/teems/services/token_extractor.rb

@@ -0,0 +1,401 @@
+# frozen_string_literal: true
+
+require 'open3'
+require_relative 'token_extractor_scripts'
+require_relative 'token_exchange_scripts'
+require_relative 'headless_extract'
+require_relative 'safari_oauth'
+
+module Teems
+  module Services
+    # Safari automation: AppleScript execution and JS injection
+    module SafariAutomation
+      private
+
+      def run_safari_js(js_code)
+        escaped = js_code.gsub('\\', '\\\\\\\\').gsub('"', '\\"').gsub("\n", '\\n')
+        run_applescript(safari_js_script(escaped))
+      end
+
+      def run_safari_readystate
+        run_applescript(safari_readystate_script)
+      end
+
+      def safari_js_script(escaped_js)
+        <<~APPLESCRIPT
+          tell application "Safari"
+            if (count of windows) > 0 then
+              return do JavaScript "#{escaped_js}" in current tab of front window
+            end if
+            return ""
+          end tell
+        APPLESCRIPT
+      end
+
+      def safari_readystate_script
+        <<~APPLESCRIPT
+          tell application "Safari"
+            if (count of windows) > 0 then
+              set pageURL to URL of current tab of front window
+              try
+                set readyState to do JavaScript "document.readyState" in current tab of front window
+              on error
+                set readyState to "loading"
+              end try
+              return pageURL & "|" & readyState
+            end if
+            return ""
+          end tell
+        APPLESCRIPT
+      end
+
+      def run_safari_script(body)
+        run_applescript(<<~APPLESCRIPT)
+          tell application "Safari"
+            #{body}
+          end tell
+        APPLESCRIPT
+      end
+
+      def run_applescript(script)
+        output, _stderr, status = Open3.capture3('osascript', '-e', script)
+        return applescript_failure(status) unless status.success?
+
+        output.strip
+      rescue IOError, SystemCallError => e
+        log_applescript_error(e)
+      end
+
+      def applescript_failure(status)
+        log("AppleScript execution failed with status #{status.exitstatus}")
+        nil
+      end
+
+      def log_applescript_error(run_error)
+        error_text = format_applescript_error(run_error)
+        log(error_text)
+        nil
+      end
+
+      def format_applescript_error(run_error)
+        label = run_error.is_a?(Errno::ENOENT) ? 'osascript not found' : 'AppleScript I/O error'
+        "#{label}: #{run_error.message}"
+      end
+    end
+
+    # V2 token decryption via AES-CBC encrypted localStorage keys
+    module TokenV2Decryptor
+      include TokenExtractorScripts
+
+      DECRYPT_RESULT_KEY = '_teems_decrypt_result'
+
+      private
+
+      def extract_encrypted_tokens
+        poll_decrypt_result unless kick_off_decryption == 'no_key'
+      rescue JSON::ParserError => e
+        log("Failed to parse v2 token decryption result: #{e.message}")
+        nil
+      end
+
+      def kick_off_decryption
+        decrypt_js = DECRYPT_TOKENS_JS.gsub('{{result_key}}', DECRYPT_RESULT_KEY)
+        status = run_safari_js(decrypt_js).to_s.strip
+        log("Decryption kick-off: #{status}")
+        status
+      end
+
+      def poll_decrypt_result
+        read_js = READ_DECRYPT_RESULT_JS.gsub('{{result_key}}', DECRYPT_RESULT_KEY)
+        result = poll_decrypt_attempts(read_js)
+        log('Timed out waiting for v2 token decryption') unless result
+        result
+      end
+
+      def poll_decrypt_attempts(read_js)
+        10.times do |attempt|
+          result = check_decrypt_result(read_js, attempt)
+          return result if result
+        end
+        nil
+      end
+
+      def check_decrypt_result(read_js, attempt)
+        sleep 1
+        result = run_safari_js(read_js).to_s.strip
+        return nil if result.empty? || result == 'null'
+
+        parse_decrypt_result(result, attempt)
+      end
+
+      def parse_decrypt_result(result, attempt)
+        parsed = JSON.parse(result)
+        decrypt_error = parsed['error']
+        return log_decrypt_error(decrypt_error) if decrypt_error
+
+        finalize_decrypted_tokens(parsed, attempt)
+      end
+
+      def finalize_decrypted_tokens(parsed, attempt)
+        auth_token = parsed['auth_token']
+        return nil unless auth_token
+
+        log("V2 tokens decrypted after #{attempt + 1}s")
+        finalize_tokens(auth_token, parsed['skype_spaces_token'], **extract_v1_refresh_data)
+      end
+
+      def log_decrypt_error(message)
+        log("Decryption error: #{message}")
+        nil
+      end
+    end
+
+    # Token exchange: converting skype spaces token to skype token
+    module TokenExchanger
+      include TokenExchangeScripts
+
+      private
+
+      def exchange_skype_if_available(skype_spaces_token)
+        return nil unless skype_spaces_token
+
+        log('Exchanging skype spaces token via authsvc...')
+        result = exchange_skype_token(skype_spaces_token)
+        result&.dig(:skype_token)
+      end
+
+      def exchange_skype_token(skype_spaces_token)
+        parse_exchange_result(run_safari_js(build_exchange_script(skype_spaces_token)))
+      rescue JSON::ParserError => e
+        log("Failed to parse token exchange result: #{e.message}")
+        nil
+      end
+
+      def parse_exchange_result(result)
+        return nil if result.to_s.empty?
+
+        parsed = JSON.parse(result)
+        return nil if parsed['error']
+
+        { skype_token: parsed['skype_token'], region: parsed['region'], chat_service: parsed['chat_service'] }
+      end
+
+      def build_exchange_script(skype_spaces_token)
+        format(EXCHANGE_TOKEN_JS, JSON.generate(skype_spaces_token))
+      end
+    end
+
+    # Token polling: v1/v2 extraction loop and finalization
+    module TokenPolling
+      include TokenExtractorScripts
+
+      TOKEN_POLL_MAX_SECONDS = 30
+      TOKEN_POLL_INTERVAL = 1
+      V1_POLL_MAX_SECONDS = 5
+
+      private
+
+      def wait_for_tokens
+        @v2_attempted = false
+        TOKEN_POLL_MAX_SECONDS.times do |attempt|
+          tokens = poll_iteration(attempt)
+          return tokens if tokens
+        end
+        nil
+      end
+
+      def poll_iteration(attempt)
+        tokens = poll_once(attempt)
+        return tokens if tokens&.dig(:auth_token)
+
+        log_poll_progress(attempt)
+        sleep TOKEN_POLL_INTERVAL
+        nil
+      end
+
+      def poll_once(attempt)
+        tokens = extract_plaintext_tokens
+        return tokens if tokens&.dig(:auth_token)
+
+        try_v2_if_needed(attempt)
+      end
+
+      def try_v2_if_needed(attempt)
+        return nil if @v2_attempted || attempt < V1_POLL_MAX_SECONDS
+
+        log('V1 tokens not found, trying v2 encrypted token decryption...')
+        @v2_attempted = true
+        extract_encrypted_tokens
+      end
+
+      def log_poll_progress(attempt)
+        elapsed = attempt + 1
+        log("Tokens not yet available, retrying... (#{elapsed}s)") if (elapsed % 5).zero?
+      end
+
+      def extract_plaintext_tokens
+        build_v1_tokens(parse_safari_json(EXTRACT_TOKENS_JS))
+      rescue JSON::ParserError => e
+        log("Failed to parse v1 token extraction result: #{e.message}")
+        nil
+      end
+
+      def build_v1_tokens(parsed)
+        return nil unless parsed&.dig('auth_token')
+
+        finalize_tokens(parsed['auth_token'], parsed['skype_spaces_token'], **v1_extras(parsed))
+      end
+
+      def parse_safari_json(js_code)
+        result = run_safari_js(js_code)
+        return nil if result.to_s.empty?
+
+        JSON.parse(result)
+      end
+
+      # Extract refresh token data from V1 localStorage (always unencrypted)
+      def extract_v1_refresh_data
+        parsed = parse_safari_json(EXTRACT_TOKENS_JS)
+        return {} unless parsed&.dig('refresh_token')
+
+        v1_extras(parsed)
+      rescue JSON::ParserError
+        {}
+      end
+
+      def v1_extras(parsed)
+        { refresh_token: parsed['refresh_token'],
+          client_id: parsed['client_id'],
+          tenant_id: parsed['tenant_id'] }
+      end
+
+      def finalize_tokens(auth_token, skype_spaces_token, **extras)
+        skype_token = exchange_skype_if_available(skype_spaces_token)
+        { auth_token: auth_token, skype_token: skype_token,
+          skype_spaces_token: skype_spaces_token, chatsvc_token: nil,
+          refresh_token: nil, client_id: nil, tenant_id: nil, **extras }
+      end
+    end
+
+    # Extracts Teams authentication tokens using Safari automation
+    class TokenExtractor
+      include TokenExtractorScripts
+      include TokenExchangeScripts
+      include SafariAutomation
+      include TokenV2Decryptor
+      include TokenExchanger
+      include TokenPolling
+      include HeadlessExtract
+      include SafariOAuth
+
+      TEAMS_URL = 'https://teams.microsoft.com'
+
+      def initialize(output: nil, auth_mode: :default)
+        @output = output
+        @auth_mode = auth_mode
+      end
+
+      def extract
+        try_headless_extract || try_safari_oauth || safari_extract
+      end
+
+      def manual_instructions = MANUAL_TOKEN_INSTRUCTIONS
+
+      private
+
+      def try_headless_extract
+        tokens = super
+        tokens if tokens&.dig(:auth_token) && tokens[:skype_token]
+      end
+
+      def safari_extract
+        unless safari_available?
+          log('Safari is not available')
+          return
+        end
+
+        log('Opening Teams in Safari...')
+        open_teams_in_safari
+        extract_and_close
+      end
+
+      def extract_and_close
+        log('Waiting for login to complete...')
+        wait_for_login
+        log('Extracting tokens...')
+        tokens = wait_for_tokens
+        validate_tokens(tokens)
+      ensure
+        close_teams_tab
+      end
+
+      def validate_tokens(tokens)
+        if tokens&.dig(:auth_token)
+          log('Tokens extracted successfully')
+          tokens
+        else
+          log('Failed to extract tokens')
+          nil
+        end
+      end
+
+      def safari_available? = system('which', 'osascript', out: File::NULL, err: File::NULL)
+
+      def open_teams_in_safari
+        run_applescript(open_teams_script)
+      end
+
+      def open_teams_script
+        <<~APPLESCRIPT
+          tell application "Safari"
+            activate
+            if (count of windows) = 0 then
+              make new document with properties {URL:"#{TEAMS_URL}"}
+            else
+              tell front window
+                set current tab to (make new tab with properties {URL:"#{TEAMS_URL}"})
+              end tell
+            end if
+          end tell
+        APPLESCRIPT
+      end
+
+      def close_teams_tab
+        run_safari_script(<<~APPLESCRIPT)
+          if (count of windows) > 0 then
+            close current tab of front window
+          end if
+        APPLESCRIPT
+      end
+
+      def wait_for_login
+        consecutive_ready = 0
+        60.times do |second|
+          consecutive_ready = check_login_readiness(consecutive_ready, second)
+          break if consecutive_ready >= 3
+        end
+      end
+
+      def check_login_readiness(consecutive_ready, second)
+        sleep 1
+        consecutive_ready = page_ready? ? consecutive_ready + 1 : 0
+        log_login_wait(second + 1)
+        consecutive_ready
+      end
+
+      def log_login_wait(elapsed)
+        log("Waiting... (#{elapsed}s)") if (elapsed % 10).zero?
+      end
+
+      def page_ready?
+        result = run_safari_readystate
+        return false unless result
+
+        page_url, ready_state = result.split('|', 2)
+        page_url.to_s.match?(/teams\.microsoft\.com(?!.*login)/) && ready_state.to_s == 'complete'
+      end
+
+      def log(message) = @output&.debug(message)
+    end
+  end
+end

data/lib/teems/services/token_extractor_scripts.rb

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+
+module Teems
+  module Services
+    # JavaScript constants used by TokenExtractor for v1 token extraction
+    # and v2 AES-CBC decryption. Separated to keep modules under line limits.
+    module TokenExtractorScripts
+      # JavaScript to extract tokens from Teams web app localStorage.
+      EXTRACT_TOKENS_JS = <<~JS
+        (function() {
+          var result = { auth_token: null, skype_spaces_token: null,
+                         refresh_token: null, client_id: null, tenant_id: null };
+
+          try {
+            for (var i = 0; i < localStorage.length; i++) {
+              var key = localStorage.key(i);
+
+              // Teams v1 / MSAL format: accesstoken keys with secret field
+              if (key.includes('accesstoken')) {
+                var value = localStorage.getItem(key);
+                var parsed = JSON.parse(value);
+                if (parsed.secret) {
+                  if (key.includes('graph.microsoft.com')) {
+                    result.auth_token = parsed.secret;
+                  }
+                  if (key.includes('api.spaces.skype.com')) {
+                    result.skype_spaces_token = parsed.secret;
+                  }
+                }
+              }
+
+              // MSAL refresh token (always v1/unencrypted)
+              if (key.includes('refreshtoken')) {
+                var rtVal = localStorage.getItem(key);
+                var rt = JSON.parse(rtVal);
+                if (rt.secret) {
+                  result.refresh_token = rt.secret;
+                  result.client_id = rt.clientId;
+                  if (rt.homeAccountId && rt.homeAccountId.indexOf('.') !== -1) {
+                    result.tenant_id = rt.homeAccountId.split('.')[1];
+                  }
+                }
+              }
+            }
+          } catch(e) {}
+
+          return JSON.stringify(result);
+        })()
+      JS
+
+      # JavaScript to kick off async decryption of Teams v2 encrypted tokens.
+      DECRYPT_TOKENS_JS = <<~JS
+        (function() {
+          var RESULT_KEY = '{{result_key}}';
+          localStorage.removeItem(RESULT_KEY);
+
+          var keyDataRaw = localStorage.getItem('tmp.auth.v1.GLOBAL.ExportedEncryptionKey.ExportedEncryptionKey');
+          if (!keyDataRaw) {
+            localStorage.setItem(RESULT_KEY, JSON.stringify({error: 'no_encryption_key'}));
+            return 'no_key';
+          }
+
+          var keyData = JSON.parse(keyDataRaw);
+          var exportedKey = keyData.item.exportedKey;
+          var keyBytes = Uint8Array.from(atob(exportedKey), function(c) { return c.charCodeAt(0); });
+
+          function getEncItem(keyPart) {
+            for (var i = 0; i < localStorage.length; i++) {
+              var k = localStorage.key(i);
+              if (k.includes(keyPart)) {
+                var val = JSON.parse(localStorage.getItem(k));
+                return val.item || val;
+              }
+            }
+            return null;
+          }
+
+          function decryptToken(item) {
+            if (!item || !item.encryptedToken || !item.iv) return Promise.resolve(null);
+            var iv = Uint8Array.from(atob(item.iv), function(c) { return c.charCodeAt(0); });
+            var enc = Uint8Array.from(atob(item.encryptedToken), function(c) { return c.charCodeAt(0); });
+            return crypto.subtle.importKey('raw', keyBytes, {name: 'AES-CBC'}, false, ['decrypt'])
+              .then(function(ck) { return crypto.subtle.decrypt({name: 'AES-CBC', iv: iv}, ck, enc); })
+              .then(function(d) {
+                var text = new TextDecoder().decode(d);
+                var padLen = text.charCodeAt(text.length - 1);
+                if (padLen > 0 && padLen <= 16) text = text.substring(0, text.length - padLen);
+                return text;
+              })
+              .catch(function() { return null; });
+          }
+
+          var graph = getEncItem('Token.HTTPS://GRAPH.MICROSOFT.COM');
+          var skype = getEncItem('Token.HTTPS://API.SPACES.SKYPE.COM');
+
+          Promise.all([decryptToken(graph), decryptToken(skype)])
+            .then(function(results) {
+              var r = { auth_token: results[0], skype_spaces_token: results[1] };
+              localStorage.setItem(RESULT_KEY, JSON.stringify(r));
+            })
+            .catch(function(e) {
+              localStorage.setItem(RESULT_KEY, JSON.stringify({error: e.message}));
+            });
+
+          return 'started';
+        })()
+      JS
+
+      READ_DECRYPT_RESULT_JS = <<~JS
+        (function() {
+          return localStorage.getItem('{{result_key}}');
+        })()
+      JS
+    end
+  end
+end

data/lib/teems/services/token_refresher.rb

@@ -0,0 +1,169 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'json'
+require 'uri'
+require 'openssl'
+
+module Teems
+  module Services
+    # OIDC refresh: exchange refresh_token for new access tokens via Entra ID
+    module OidcRefresh
+      OIDC_TOKEN_ENDPOINT = 'https://login.microsoftonline.com/%s/oauth2/v2.0/token'
+      GRAPH_SCOPE = 'https://graph.microsoft.com/.default'
+      SKYPE_SCOPE = 'https://api.spaces.skype.com/.default'
+
+      private
+
+      def oidc_capable?
+        @token_store.refresh_token && @token_store.client_id && @token_store.tenant_id
+      end
+
+      def try_oidc_refresh
+        oidc_refresh
+      rescue *TokenRefresher::RECOVERABLE_ERRORS => e
+        log("OIDC refresh error: #{e.class}: #{e.message}, falling back to authsvc...")
+        nil
+      end
+
+      def oidc_refresh
+        log('Attempting OIDC token refresh...')
+        return nil unless (tokens = fetch_oidc_tokens)
+
+        @token_store.update_all_tokens(**tokens)
+        log('OIDC token refresh successful')
+        true
+      end
+
+      def fetch_oidc_tokens
+        graph = oidc_token_request(GRAPH_SCOPE, @token_store.refresh_token)
+        return nil unless graph
+
+        skype = oidc_token_request(SKYPE_SCOPE, graph['refresh_token'])
+        return nil unless skype
+
+        build_oidc_result(graph, skype)
+      end
+
+      def build_oidc_result(graph, skype)
+        skype_access, skype_refresh = skype.values_at('access_token', 'refresh_token')
+        skype_token = exchange_token(skype_access)
+        return nil unless skype_token
+
+        { auth_token: graph['access_token'], skype_spaces_token: skype_access,
+          skype_token: skype_token, refresh_token: skype_refresh }
+      end
+
+      def oidc_token_request(scope, refresh_token)
+        response = send_oidc_request(scope, refresh_token)
+        return log_oidc_failure(response) unless response.is_a?(Net::HTTPSuccess)
+
+        JSON.parse(response.body)
+      end
+
+      def send_oidc_request(scope, refresh_token)
+        uri = oidc_token_uri
+        post = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/x-www-form-urlencoded',
+                                        'Origin' => 'https://teams.microsoft.com')
+        post.body = oidc_request_body(scope, refresh_token)
+        Net::HTTP.start(uri.host, uri.port, use_ssl: true, open_timeout: 10,
+                                            read_timeout: 30) { |http| http.request(post) }
+      end
+
+      def oidc_request_body(scope, token)
+        URI.encode_www_form(
+          'client_id' => @token_store.client_id, 'grant_type' => 'refresh_token',
+          'refresh_token' => token, 'scope' => scope
+        )
+      end
+
+      def log_oidc_failure(response)
+        log("OIDC token request failed: HTTP #{response.code}")
+        nil
+      end
+
+      def oidc_token_uri
+        @oidc_token_uri ||= URI(format(OIDC_TOKEN_ENDPOINT, @token_store.tenant_id))
+      end
+    end
+
+    # Refreshes tokens via OIDC refresh_token flow or authsvc exchange fallback
+    class TokenRefresher
+      include OidcRefresh
+
+      AUTHSVC_URL = 'https://teams.microsoft.com/api/authsvc/v1.0/authz'
+
+      RECOVERABLE_ERRORS = [
+        SocketError, Errno::ECONNREFUSED, Errno::ECONNRESET, Errno::ETIMEDOUT,
+        Errno::EHOSTUNREACH, Net::OpenTimeout, Net::ReadTimeout,
+        OpenSSL::SSL::SSLError, JSON::ParserError
+      ].freeze
+
+      def initialize(token_store:, output: nil)
+        @token_store = token_store
+        @output = output
+      end
+
+      def refresh
+        (oidc_capable? && try_oidc_refresh) || attempt_authsvc_refresh
+      rescue *RECOVERABLE_ERRORS => e
+        log("Token exchange error: #{e.class}: #{e.message}")
+        false
+      end
+
+      private
+
+      def attempt_authsvc_refresh
+        skype_spaces_token = @token_store.skype_spaces_token
+        return log_and_abandon('No skype_spaces_token available for refresh') unless skype_spaces_token
+
+        attempt_refresh(skype_spaces_token)
+      end
+
+      def attempt_refresh(token)
+        new_token = exchange_and_log(token)
+        return log_and_abandon('Token refresh failed - skype_spaces_token may be expired') unless new_token
+
+        @token_store.update_skype_token(new_token)
+        log('Token refresh successful')
+        true
+      end
+
+      def exchange_and_log(token)
+        log('Attempting to refresh skype_token...')
+        exchange_token(token)
+      end
+
+      def exchange_token(skype_spaces_token)
+        response = post_authsvc_exchange(skype_spaces_token)
+        return log_exchange_failure(response) unless response.is_a?(Net::HTTPSuccess)
+
+        JSON.parse(response.body).dig('tokens', 'skypeToken')
+      end
+
+      def post_authsvc_exchange(token)
+        post = Net::HTTP::Post.new(authsvc_uri,
+                                   'Authorization' => "Bearer #{token}",
+                                   'Content-Type' => 'application/json')
+        post.body = '{}'
+        Net::HTTP.start(authsvc_uri.host, authsvc_uri.port,
+                        use_ssl: true, open_timeout: 10,
+                        read_timeout: 30) { |http| http.request(post) }
+      end
+
+      def log_exchange_failure(response)
+        log("Token exchange failed: HTTP #{response.code}")
+        nil
+      end
+
+      def authsvc_uri = @authsvc_uri ||= URI(AUTHSVC_URL)
+
+      def log_and_abandon(message)
+        log(message)
+        nil
+      end
+
+      def log(message) = @output&.debug(message)
+    end
+  end
+end