@0dai-dev/cli 4.3.6 → 4.3.7

package/lib/python/auth.py

@@ -0,0 +1,443 @@
+#!/usr/bin/env python3
+"""0dai Auth — cloud authentication for team and enterprise features.
+
+Core CLI works without auth. Team features require `0dai auth login`.
+Token stored locally at ~/.0dai/auth.json, refreshes weekly.
+
+Usage:
+    0dai auth login                    # authenticate via browser
+    0dai auth login --code XXXX-YYYY   # paste code directly
+    0dai auth signup --email <e>       # create account
+    0dai auth status                   # show current auth state
+    0dai auth refresh                  # refresh token manually
+    0dai auth logout                   # remove token
+    0dai auth --json                   # JSON output
+"""
+from __future__ import annotations
+
+import hashlib
+import json
+import os
+import pathlib
+import sys
+import time
+import urllib.request
+import urllib.error
+
+AUTH_DIR = pathlib.Path.home() / ".0dai"
+TOKEN_PATH = AUTH_DIR / "auth.json"
+TOKEN_TTL_SECONDS = 7 * 24 * 3600  # 7 days offline
+API_BASE = os.environ.get("ODAI_API_URL", "https://api.0dai.dev")
+GOTRUE_URL = os.environ.get("ODAI_GOTRUE_URL", "http://localhost:9999")
+
+
+def _now_iso() -> str:
+    return time.strftime("%Y-%m-%dT%H:%M:%S+00:00", time.gmtime())
+
+
+def _now_ts() -> float:
+    return time.time()
+
+
+def _api_post_status(endpoint: str, payload: dict, timeout: int = 15) -> tuple[dict | None, bool]:
+    """POST to cloud API. Returns ``(response|None, reached)``.
+
+    ``reached`` is True when the server answered at all — including an HTTP
+    error status (a rejection) or an unparseable body — and False only when
+    the server was unreachable (DNS/connection/timeout). Callers must not
+    treat a rejection as "offline" (#4363).
+    """
+    url = f"{API_BASE}{endpoint}"
+    body = json.dumps(payload, ensure_ascii=False).encode("utf-8")
+    req = urllib.request.Request(
+        url, data=body,
+        headers={"Content-Type": "application/json", "User-Agent": "0dai-cli/0.9"},
+        method="POST",
+    )
+    try:
+        with urllib.request.urlopen(req, timeout=timeout) as resp:
+            return json.loads(resp.read().decode("utf-8")), True
+    except urllib.error.HTTPError:
+        return None, True  # server reached and rejected the request
+    except json.JSONDecodeError:
+        return None, True  # server answered, just not parseable
+    except (urllib.error.URLError, OSError):
+        return None, False  # unreachable
+
+
+def _api_post(endpoint: str, payload: dict, timeout: int = 15) -> dict | None:
+    """POST to cloud API. Returns response dict or None on failure."""
+    result, _reached = _api_post_status(endpoint, payload, timeout=timeout)
+    return result
+
+
+def load_token() -> dict | None:
+    if not TOKEN_PATH.is_file():
+        return None
+    try:
+        return json.loads(TOKEN_PATH.read_text(encoding="utf-8"))
+    except (json.JSONDecodeError, OSError):
+        return None
+
+
+def save_token(token: dict) -> None:
+    AUTH_DIR.mkdir(parents=True, exist_ok=True)
+    TOKEN_PATH.write_text(json.dumps(token, indent=2, ensure_ascii=False) + "\n", encoding="utf-8")
+    try:
+        TOKEN_PATH.chmod(0o600)
+    except OSError:
+        pass
+
+
+def remove_token() -> None:
+    if TOKEN_PATH.is_file():
+        TOKEN_PATH.unlink()
+
+
+def is_authenticated() -> bool:
+    token = load_token()
+    if not token:
+        return False
+    expires = token.get("expires_at", 0)
+    if isinstance(expires, str):
+        try:
+            import datetime
+            dt = datetime.datetime.fromisoformat(expires.replace("+00:00", "+00:00"))
+            expires = dt.timestamp()
+        except (ValueError, AttributeError):
+            return False
+    return _now_ts() < expires
+
+
+def get_plan() -> str:
+    token = load_token()
+    if not token or not is_authenticated():
+        return "free"
+    return token.get("plan", "free")
+
+
+def check_cloud_tier(required: str) -> bool:
+    if required == "free":
+        return True
+    if not is_authenticated():
+        return False
+    token = load_token()
+    if not token:
+        return False
+    current = token.get("plan", "free")
+    levels = {"free": 0, "team": 1, "enterprise": 2}
+    return levels.get(current, 0) >= levels.get(required, 0)
+
+
+def _validate_code(code: str) -> dict | None:
+    """Validate auth code against cloud API with local fallback."""
+    code = code.strip().upper()
+    parts = code.split("-")
+    if len(parts) != 2 or len(parts[0]) != 4 or len(parts[1]) != 4:
+        return None
+
+    # Ask the server. A reachable server that does not validate the code is an
+    # explicit rejection — never fall through to an offline grant on a rejected
+    # code (that let any well-formed XXXX-YYYY mint team/enterprise) (#4363).
+    api_result, reached = _api_post_status("/auth/validate", {"code": code})
+    if api_result and api_result.get("token_id"):
+        api_result["expires_at"] = api_result.get("expires_at", time.strftime(
+            "%Y-%m-%dT%H:%M:%S+00:00", time.gmtime(_now_ts() + TOKEN_TTL_SECONDS),
+        ))
+        return api_result
+    if reached:
+        return None  # server answered and did not validate the code
+
+    # Server unreachable: an offline grant is dev-only and opt-in (it confers a
+    # plan from the code prefix with no server trust, so it must never be the
+    # default for a normal user). Gate it behind ODAI_AUTH_OFFLINE_DEV=1.
+    if os.environ.get("ODAI_AUTH_OFFLINE_DEV", "").strip().lower() not in {"1", "true", "yes", "on"}:
+        return None
+    code_hash = hashlib.sha256(code.encode()).hexdigest()[:12]
+    plan = "enterprise" if code.startswith("ENT") else "team"
+    return {
+        "token_id": f"tok_{code_hash}",
+        "user": os.environ.get("USER", "dev") + "@local",
+        "team": "Local" if plan == "team" else "Enterprise Local",
+        "plan": plan,
+        "seats": 999 if plan == "enterprise" else 10,
+        "authenticated_at": _now_iso(),
+        "expires_at": time.strftime(
+            "%Y-%m-%dT%H:%M:%S+00:00",
+            time.gmtime(_now_ts() + TOKEN_TTL_SECONDS),
+        ),
+        "refresh_url": f"{API_BASE}/auth/refresh",
+        "mode": "offline",
+    }
+
+
+def _gotrue_post(endpoint: str, payload: dict, timeout: int = 15) -> dict | None:
+    """POST to GoTrue auth server."""
+    url = f"{GOTRUE_URL}{endpoint}"
+    body = json.dumps(payload, ensure_ascii=False).encode("utf-8")
+    req = urllib.request.Request(
+        url, data=body,
+        headers={"Content-Type": "application/json", "User-Agent": "0dai-cli/0.9"},
+        method="POST",
+    )
+    try:
+        with urllib.request.urlopen(req, timeout=timeout) as resp:
+            return json.loads(resp.read().decode("utf-8"))
+    except (urllib.error.URLError, json.JSONDecodeError, OSError):
+        return None
+
+
+def _signup(email: str, password: str = "") -> dict | None:
+    """Register via GoTrue, with offline fallback."""
+    if not password:
+        password = hashlib.sha256(email.encode()).hexdigest()[:16]
+
+    # Try real GoTrue signup
+    result = _gotrue_post("/signup", {"email": email, "password": password})
+    if result and result.get("access_token"):
+        user = result.get("user", {})
+        code_hash = hashlib.sha256(email.encode()).hexdigest()[:8]
+        auth_code = f"{code_hash[:4].upper()}-{code_hash[4:8].upper()}"
+        return {
+            "success": True,
+            "user": email,
+            "user_id": user.get("id", ""),
+            "team": email.split("@", maxsplit=1)[0] + "-team",
+            "auth_code": auth_code,
+            "access_token": result["access_token"],
+            "refresh_token": result.get("refresh_token", ""),
+            "message": "Account created via GoTrue.",
+            "mode": "gotrue",
+        }
+
+    # Offline fallback
+    code_hash = hashlib.sha256(email.encode()).hexdigest()[:8]
+    return {
+        "success": True,
+        "user": email,
+        "team": email.split("@", maxsplit=1)[0] + "-team",
+        "auth_code": f"{code_hash[:4].upper()}-{code_hash[4:8].upper()}",
+        "message": "Account created (offline mode). Use auth code to login.",
+        "mode": "offline",
+    }
+
+
+def _refresh_token(token: dict) -> dict | None:
+    """Refresh token via GoTrue or extend TTL offline."""
+    refresh_tok = token.get("refresh_token", "")
+    if refresh_tok:
+        result = _gotrue_post("/token?grant_type=refresh_token", {"refresh_token": refresh_tok})
+        if result and result.get("access_token"):
+            token["access_token"] = result["access_token"]
+            token["refresh_token"] = result.get("refresh_token", refresh_tok)
+            token["expires_at"] = time.strftime(
+                "%Y-%m-%dT%H:%M:%S+00:00",
+                time.gmtime(_now_ts() + TOKEN_TTL_SECONDS),
+            )
+            token["refreshed_at"] = _now_iso()
+            token["mode"] = "gotrue"
+            return token
+
+    # Offline: extend TTL locally
+    token["expires_at"] = time.strftime(
+        "%Y-%m-%dT%H:%M:%S+00:00",
+        time.gmtime(_now_ts() + TOKEN_TTL_SECONDS),
+    )
+    token["refreshed_at"] = _now_iso()
+    token["mode"] = "offline"
+    return token
+
+
+def cmd_login(code: str = "") -> None:
+    if is_authenticated():
+        token = load_token()
+        print(f"[0dai] already authenticated as {token.get('user', '?')}")
+        print(f"[0dai] plan: {token.get('plan', 'free')} ({token.get('team', '')})")
+        print("[0dai] run '0dai auth logout' first to re-authenticate")
+        return
+
+    if not code:
+        print("[0dai] Authenticate with 0dai Cloud")
+        print("")
+        print(f"  1. Go to: {API_BASE}/auth")
+        print("  2. Sign in or create an account")
+        print("  3. Copy the auth code (format: XXXX-YYYY)")
+        print("")
+        print("  No account yet? Run: 0dai auth signup --email you@example.com")
+        print("")
+        try:
+            code = input("[0dai] Paste auth code: ").strip()
+        except (EOFError, KeyboardInterrupt):
+            print("\n[0dai] cancelled")
+            return
+
+    if not code:
+        print("[0dai] no code provided")
+        return
+
+    result = _validate_code(code)
+    if not result:
+        print("[0dai] invalid auth code. Format: XXXX-YYYY")
+        sys.exit(1)
+
+    save_token(result)
+    mode = f" ({result['mode']})" if result.get("mode") == "offline" else ""
+    print(f"[0dai] authenticated as {result['user']}{mode}")
+    print(f"[0dai] team: {result['team']}")
+    print(f"[0dai] plan: {result['plan']} ({result['seats']} seats)")
+    print(f"[0dai] token saved to {TOKEN_PATH}")
+    print(f"[0dai] expires: {result['expires_at'][:10]} (auto-refresh when online)")
+
+
+def cmd_signup(email: str) -> None:
+    if not email or "@" not in email:
+        print("[0dai] invalid email")
+        sys.exit(1)
+
+    print(f"[0dai] creating account for {email}...")
+    result = _signup(email)
+    if not result:
+        print(f"[0dai] signup failed. Try again or visit {API_BASE}/auth")
+        sys.exit(1)
+
+    mode = f" ({result['mode']})" if result.get("mode") == "offline" else ""
+    print(f"[0dai] account created{mode}")
+    print(f"[0dai] team: {result.get('team', '?')}")
+
+    # If GoTrue returned a token, auto-login
+    if result.get("access_token"):
+        token = {
+            "token_id": f"tok_{result.get('user_id', '')[:12]}",
+            "user": email,
+            "team": result.get("team", ""),
+            "plan": "free",
+            "seats": 1,
+            "authenticated_at": _now_iso(),
+            "expires_at": time.strftime("%Y-%m-%dT%H:%M:%S+00:00", time.gmtime(_now_ts() + TOKEN_TTL_SECONDS)),
+            "access_token": result["access_token"],
+            "refresh_token": result.get("refresh_token", ""),
+            "mode": "gotrue",
+        }
+        save_token(token)
+        print(f"[0dai] auto-logged in as {email}")
+        print(f"[0dai] token saved to {TOKEN_PATH}")
+    else:
+        print(f"[0dai] auth code: {result.get('auth_code', '?')}")
+        print("")
+        print(f"  Login now: 0dai auth login --code {result.get('auth_code', '?')}")
+
+
+def cmd_refresh() -> None:
+    token = load_token()
+    if not token:
+        print("[0dai] not authenticated. Run: 0dai auth login")
+        return
+
+    print("[0dai] refreshing token...")
+    new_token = _refresh_token(token)
+    if new_token:
+        save_token(new_token)
+        mode = f" ({new_token['mode']})" if new_token.get("mode") == "offline" else ""
+        print(f"[0dai] token refreshed{mode}")
+        print(f"[0dai] expires: {new_token.get('expires_at', '?')[:10]}")
+    else:
+        print("[0dai] refresh failed. Run: 0dai auth login")
+
+
+def cmd_status() -> None:
+    token = load_token()
+    if not token:
+        print("[0dai] not authenticated")
+        print("  Run: 0dai auth login")
+        print("  Core CLI works without auth. Team features require authentication.")
+        return
+
+    valid = is_authenticated()
+    mode = f" ({token.get('mode', 'cloud')})" if token.get("mode") else ""
+    print("Auth Status:")
+    print(f"  User:    {token.get('user', '?')}")
+    print(f"  Team:    {token.get('team', '?')}")
+    print(f"  Plan:    {token.get('plan', 'free')}")
+    print(f"  Seats:   {token.get('seats', '?')}")
+    print(f"  Status:  {'active' if valid else 'EXPIRED'}{mode}")
+    print(f"  Expires: {token.get('expires_at', '?')[:10]}")
+    print(f"  Token:   {TOKEN_PATH}")
+    if not valid:
+        print("\n  Token expired. Run '0dai auth login' to re-authenticate.")
+
+
+def cmd_logout() -> None:
+    if not TOKEN_PATH.is_file():
+        print("[0dai] not authenticated")
+        return
+    remove_token()
+    print("[0dai] logged out. Token removed.")
+    print("[0dai] core CLI continues to work. Team features require re-authentication.")
+
+
+def cmd_json() -> None:
+    token = load_token()
+    print(json.dumps({
+        "authenticated": is_authenticated(),
+        "plan": get_plan(),
+        "token": token,
+    }, indent=2, ensure_ascii=False))
+
+
+def require_auth(feature_name: str = "This feature") -> None:
+    if is_authenticated() and check_cloud_tier("team"):
+        return
+    print(f"[0dai] {feature_name} requires a Team plan.")
+    print("")
+    if not is_authenticated():
+        print("  Authenticate:  0dai auth login")
+        print("  Create account: 0dai auth signup --email you@example.com")
+        print(f"  Pricing:       {API_BASE}/pricing")
+    else:
+        print(f"  Current plan:  {get_plan()}")
+        print(f"  Upgrade:       {API_BASE}/pricing")
+    print("")
+    print("  Free tier: init-existing, sync, doctor, detect, serve, harvest, promote, search, mcp.")
+    sys.exit(0)
+
+
+def main() -> None:
+    subcmd = "status"
+    code = ""
+    email = ""
+    json_mode = False
+    args = sys.argv[1:]
+
+    i = 0
+    while i < len(args):
+        if args[i] == "--code" and i + 1 < len(args):
+            code = args[i + 1]
+            i += 2
+        elif args[i] == "--email" and i + 1 < len(args):
+            email = args[i + 1]
+            i += 2
+        elif args[i] == "--json":
+            json_mode = True
+            i += 1
+        elif args[i] in ("login", "status", "logout", "signup", "refresh"):
+            subcmd = args[i]
+            i += 1
+        else:
+            i += 1
+
+    if json_mode:
+        cmd_json()
+    elif subcmd == "login":
+        cmd_login(code)
+    elif subcmd == "signup":
+        cmd_signup(email)
+    elif subcmd == "refresh":
+        cmd_refresh()
+    elif subcmd == "logout":
+        cmd_logout()
+    else:
+        cmd_status()
+
+
+if __name__ == "__main__":
+    main()