@agentxm/client-core 0.6.0 → 0.7.1
- package/dist/src/unstable/auth/auth-client.d.ts +17 -3
- package/dist/src/unstable/auth/auth-client.d.ts.map +1 -1
- package/dist/src/unstable/auth/auth-client.js +127 -58
- package/dist/src/unstable/auth/auth-client.js.map +1 -1
- package/dist/src/unstable/auth/credential-store.d.ts +5 -4
- package/dist/src/unstable/auth/credential-store.d.ts.map +1 -1
- package/dist/src/unstable/auth/credential-store.js +115 -9
- package/dist/src/unstable/auth/credential-store.js.map +1 -1
- package/dist/src/unstable/auth/device-login.d.ts +4 -1
- package/dist/src/unstable/auth/device-login.d.ts.map +1 -1
- package/dist/src/unstable/auth/device-login.js +13 -15
- package/dist/src/unstable/auth/device-login.js.map +1 -1
- package/dist/src/unstable/auth/index.d.ts +4 -1
- package/dist/src/unstable/auth/index.d.ts.map +1 -1
- package/dist/src/unstable/auth/index.js +3 -0
- package/dist/src/unstable/auth/index.js.map +1 -1
- package/dist/src/unstable/auth/login-strategy.d.ts +21 -0
- package/dist/src/unstable/auth/login-strategy.d.ts.map +1 -0
- package/dist/src/unstable/auth/login-strategy.js +25 -0
- package/dist/src/unstable/auth/login-strategy.js.map +1 -0
- package/dist/src/unstable/auth/loopback-login.d.ts +16 -0
- package/dist/src/unstable/auth/loopback-login.d.ts.map +1 -0
- package/dist/src/unstable/auth/loopback-login.js +86 -0
- package/dist/src/unstable/auth/loopback-login.js.map +1 -0
- package/dist/src/unstable/auth/loopback-server.d.ts +36 -0
- package/dist/src/unstable/auth/loopback-server.d.ts.map +1 -0
- package/dist/src/unstable/auth/loopback-server.js +136 -0
- package/dist/src/unstable/auth/loopback-server.js.map +1 -0
- package/dist/src/unstable/commands/operations/publish.js +1 -1
- package/dist/src/unstable/commands/operations/publish.js.map +1 -1
- package/dist/src/unstable/install-meta/install-meta.d.ts +1 -1
- package/dist/src/unstable/install-meta/install-meta.js +1 -1
- package/dist/src/unstable/install-method/install-method.d.ts +1 -4
- package/dist/src/unstable/install-method/install-method.d.ts.map +1 -1
- package/dist/src/unstable/install-method/install-method.js +29 -24
- package/dist/src/unstable/install-method/install-method.js.map +1 -1
- package/dist/src/unstable/mcp-servers/operations/publish.js +1 -1
- package/dist/src/unstable/mcp-servers/operations/publish.js.map +1 -1
- package/dist/src/unstable/packs/operations/publish.js +1 -1
- package/dist/src/unstable/packs/operations/publish.js.map +1 -1
- package/dist/src/unstable/registry/__generated__/registry-client.d.ts +170 -96
- package/dist/src/unstable/registry/__generated__/registry-client.d.ts.map +1 -1
- package/dist/src/unstable/registry/__generated__/registry-client.js +152 -64
- package/dist/src/unstable/registry/__generated__/registry-client.js.map +1 -1
- package/dist/src/unstable/settings/schema.d.ts.map +1 -1
- package/dist/src/unstable/settings/schema.js +39 -34
- package/dist/src/unstable/settings/schema.js.map +1 -1
- package/dist/src/unstable/skills/operations/publish.js +1 -1
- package/dist/src/unstable/skills/operations/publish.js.map +1 -1
- package/dist/src/unstable/subagents/operations/publish.js +1 -1
- package/dist/src/unstable/subagents/operations/publish.js.map +1 -1
- package/dist/src/unstable/telemetry/__generated__/telemetry-client.d.ts +3 -0
- package/dist/src/unstable/telemetry/__generated__/telemetry-client.d.ts.map +1 -1
- package/dist/src/unstable/telemetry/__generated__/telemetry-client.js +1 -0
- package/dist/src/unstable/telemetry/__generated__/telemetry-client.js.map +1 -1
- package/dist/src/unstable/telemetry/client.d.ts.map +1 -1
- package/dist/src/unstable/telemetry/client.js +9 -1
- package/dist/src/unstable/telemetry/client.js.map +1 -1
- package/dist/src/unstable/update-check/update-check.d.ts.map +1 -1
- package/dist/src/unstable/update-check/update-check.js +1 -11
- package/dist/src/unstable/update-check/update-check.js.map +1 -1
- package/dist/src/unstable/utils/build-zip-archive.d.ts +8 -7
- package/dist/src/unstable/utils/build-zip-archive.d.ts.map +1 -1
- package/dist/src/unstable/utils/build-zip-archive.js +42 -52
- package/dist/src/unstable/utils/build-zip-archive.js.map +1 -1
- package/dist/src/unstable/utils/environment.d.ts +3 -3
- package/dist/src/unstable/utils/environment.d.ts.map +1 -1
- package/dist/src/unstable/utils/environment.js +7 -9
- package/dist/src/unstable/utils/environment.js.map +1 -1
- package/package.json +5 -2
- package/site-content/__generated__/schemas/settings.schema.json +36 -39
- package/site-content/docs/quickstart.md +8 -5
- package/site-content/install.cmd +2 -2
- package/site-content/install.md +122 -285
- package/site-content/install.ps1 +2 -2
|
@@ -17,7 +17,6 @@ import { type AppError } from "../app-error/index.js";
|
|
|
17
17
|
import { type Handle } from "../extensions/handle.js";
|
|
18
18
|
import { type NormalizedTokenResponse } from "./oauth-contract.js";
|
|
19
19
|
import { RegistryUrl } from "./registry-url.js";
|
|
20
|
-
import * as GeneratedRegistryClient from "../registry/__generated__/registry-client.js";
|
|
21
20
|
export interface DeviceFlowResponse {
|
|
22
21
|
readonly device_code: string;
|
|
23
22
|
readonly user_code: string;
|
|
@@ -37,6 +36,18 @@ export interface MeResponse {
|
|
|
37
36
|
readonly handle: Handle;
|
|
38
37
|
}>;
|
|
39
38
|
}
|
|
39
|
+
export interface BuildAuthorizeUrlParams {
|
|
40
|
+
readonly challenge: string;
|
|
41
|
+
readonly expiresAt?: Date;
|
|
42
|
+
readonly state: string;
|
|
43
|
+
readonly redirectUri: string;
|
|
44
|
+
readonly scopes?: ReadonlyArray<string>;
|
|
45
|
+
}
|
|
46
|
+
export interface ExchangePkceCodeParams {
|
|
47
|
+
readonly code: string;
|
|
48
|
+
readonly verifier: string;
|
|
49
|
+
readonly redirectUri: string;
|
|
50
|
+
}
|
|
40
51
|
/** Result of a single poll iteration. */
|
|
41
52
|
export type PollResult = {
|
|
42
53
|
readonly _tag: "Pending";
|
|
@@ -51,10 +62,13 @@ export type PollResult = {
|
|
|
51
62
|
readonly _tag: "ExpiredToken";
|
|
52
63
|
};
|
|
53
64
|
export interface AuthClientService {
|
|
65
|
+
readonly buildAuthorizeUrl: (params: BuildAuthorizeUrlParams) => string;
|
|
66
|
+
readonly getAuthorizationIssuer: () => string;
|
|
67
|
+
readonly exchangePkceCode: (params: ExchangePkceCodeParams) => Effect.Effect<NormalizedTokenResponse, AppError>;
|
|
54
68
|
readonly initiateDeviceFlow: () => Effect.Effect<DeviceFlowResponse, AppError>;
|
|
55
69
|
readonly pollDeviceToken: (deviceCode: string, interval: number) => Effect.Effect<NormalizedTokenResponse, AppError>;
|
|
56
70
|
readonly refreshToken: (refreshTokenValue: string) => Effect.Effect<NormalizedTokenResponse, AppError>;
|
|
57
|
-
readonly revokeToken: (
|
|
71
|
+
readonly revokeToken: (token: string) => Effect.Effect<void, AppError>;
|
|
58
72
|
readonly getMe: (accessToken: string) => Effect.Effect<MeResponse, AppError>;
|
|
59
73
|
}
|
|
60
74
|
declare const AuthClient_base: ServiceMap.ServiceClass<AuthClient, "@agentxm/client-core/unstable/auth/auth-client/AuthClient", AuthClientService>;
|
|
@@ -66,7 +80,7 @@ export declare class AuthClient extends AuthClient_base {
|
|
|
66
80
|
* Transient HTTP failures are collapsed into AUTH_LOGIN_FAILED; this seam does
|
|
67
81
|
* not retry on its own. For the retrying variant, use `pollDeviceToken`.
|
|
68
82
|
*/
|
|
69
|
-
export declare const pollOnce: (
|
|
83
|
+
export declare const pollOnce: (httpClient: HttpClient.HttpClient, registryUrl: string, deviceCode: string) => Effect.Effect<PollResult, AppError>;
|
|
70
84
|
export declare const AuthClientLive: Layer.Layer<AuthClient, never, RegistryUrl | HttpClient.HttpClient>;
|
|
71
85
|
export declare const AuthClientTest: (overrides?: Partial<AuthClientService>) => Layer.Layer<AuthClient, never, never>;
|
|
72
86
|
export {};
|
|
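Review bot: The new `BuildAuthorizeUrlParams` and `ExchangePkceCodeParams` declarations (new lines 39–50) carry no TSDoc, so callers have to guess the contract of the security-sensitive fields. In the source interface I would add comments such as `/** PKCE code challenge, base64url(SHA-256(verifier)); sent with code_challenge_method=S256. */` on `challenge` and `/** Unguessable per-login value; the caller must compare it with the state returned on the redirect. */` on `state`. The narrowed `revokeToken: (token: string)` should also say which token it expects, since the implementation in auth-client.js sends it with `token_type_hint: "refresh_token"`.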
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth-client.d.ts","sourceRoot":"","sources":["../../../../src/unstable/auth/auth-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,UAAU,MAAM,iCAAiC,CAAC;
|
|
1
|
+
{"version":3,"file":"auth-client.d.ts","sourceRoot":"","sources":["../../../../src/unstable/auth/auth-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,UAAU,MAAM,iCAAiC,CAAC;AAK9D,OAAO,KAAK,UAAU,MAAM,gBAAgB,CAAC;AAC7C,OAAO,KAAK,MAAM,MAAM,eAAe,CAAC;AACxC,OAAO,KAAK,KAAK,MAAM,cAAc,CAAC;AAGtC,OAAO,EAAE,KAAK,QAAQ,EAAgB,MAAM,uBAAuB,CAAC;AACpE,OAAO,EAAmB,KAAK,MAAM,EAAE,MAAM,yBAAyB,CAAC;AACvE,OAAO,EAAE,KAAK,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AA4BhD,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,yBAAyB,CAAC,EAAE,MAAM,CAAC;IAC5C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;QAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAChF;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,MAAM,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CACzC;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAMD,yCAAyC;AACzC,MAAM,MAAM,UAAU,GAClB;IAAE,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAA;CAAE,GAC5B;IAAE,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAA;CAAE,GAC7B;IAAE,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IAAC,QAAQ,CAAC,KAAK,EAAE,uBAAuB,CAAA;CAAE,GACrE;IAAE,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAA;CAAE,GACjC;IAAE,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAA;CAAE,CAAC;AAMtC,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,iBAAiB,EAAE,CAAC,MAAM,EAAE,uBAAuB,KAAK,MAAM,CAAC;IACxE,QAAQ,CAAC,sBAAsB,EAAE,MAAM,MAAM,CAAC;IAC9C,QAAQ,CAAC,gBAAgB,EAAE,CACzB,MAAM,EAAE,sBAAsB,KAC3B,MAAM,CAAC,MAAM,CAAC,uBAAuB,EAAE,QAAQ,CAAC,CAAC;
IACtD,QAAQ,CAAC,kBAAkB,EAAE,MAAM,MAAM,CAAC,MAAM,CAAC,kBAAkB,EAAE,QAAQ,CAAC,CAAC;IAC/E,QAAQ,CAAC,eAAe,EAAE,CACxB,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,KACb,MAAM,CAAC,MAAM,CAAC,uBAAuB,EAAE,QAAQ,CAAC,CAAC;IACtD,QAAQ,CAAC,YAAY,EAAE,CACrB,iBAAiB,EAAE,MAAM,KACtB,MAAM,CAAC,MAAM,CAAC,uBAAuB,EAAE,QAAQ,CAAC,CAAC;IACtD,QAAQ,CAAC,WAAW,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACvE,QAAQ,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;CAC9E;;AAED,qBAAa,UAAW,SAAQ,eAE/B;CAAG;AAuMJ;;;;;GAKG;AACH,eAAO,MAAM,QAAQ,GACnB,YAAY,UAAU,CAAC,UAAU,EACjC,aAAa,MAAM,EACnB,YAAY,MAAM,KACjB,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,QAAQ,CAKlC,CAAC;AAMJ,eAAO,MAAM,cAAc,qEAsP1B,CAAC;AAMF,eAAO,MAAM,cAAc,GAAI,YAAY,OAAO,CAAC,iBAAiB,CAAC,0CA0CrC,CAAC"}
|
|
@@ -10,12 +10,15 @@
|
|
|
10
10
|
* @experimental This API is unstable and may change without notice.
|
|
11
11
|
*/
|
|
12
12
|
import * as HttpClient from "effect/unstable/http/HttpClient";
|
|
13
|
+
import * as HttpClientError from "effect/unstable/http/HttpClientError";
|
|
13
14
|
import * as HttpClientRequest from "effect/unstable/http/HttpClientRequest";
|
|
15
|
+
import * as HttpClientResponse from "effect/unstable/http/HttpClientResponse";
|
|
14
16
|
import * as Data from "effect/Data";
|
|
15
17
|
import * as ServiceMap from "effect/Context";
|
|
16
18
|
import * as Effect from "effect/Effect";
|
|
17
19
|
import * as Layer from "effect/Layer";
|
|
18
20
|
import * as Schedule from "effect/Schedule";
|
|
21
|
+
import * as Schema from "effect/Schema";
|
|
19
22
|
import { makeAppError } from "../app-error/index.js";
|
|
20
23
|
import { normalizeHandle } from "../extensions/handle.js";
|
|
21
24
|
import {} from "./oauth-contract.js";
|
|
@@ -27,7 +30,9 @@ import { isRegistryClientError, isAnyRegistryClientError, hasTagSuffix, getStrin
|
|
|
27
30
|
// -----------------------------------------------------------------------------
|
|
28
31
|
const CLIENT_ID = "axm-cli";
|
|
29
32
|
const DEVICE_CODE_SCOPES = "extensions:read extensions:publish:new extensions:publish:version extensions:yank extensions:admin account:read account:write";
|
|
33
|
+
const PKCE_SCOPES = "openid profile email offline_access";
|
|
30
34
|
const DEVICE_CODE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
|
|
35
|
+
const AUTHORIZATION_CODE_GRANT_TYPE = "authorization_code";
|
|
31
36
|
const SLOW_DOWN_INCREMENT_MS = 5000;
|
|
32
37
|
const TRANSIENT_DEVICE_POLL_RETRY_COUNT = 2;
|
|
33
38
|
const TRANSIENT_DEVICE_POLL_RETRY_BASE_DELAY = "250 millis";
|
|
@@ -44,13 +49,48 @@ const normalizeTokenResponse = (token) => ({
|
|
|
44
49
|
refresh_token: token.refresh_token,
|
|
45
50
|
expires_at: token.expires_at,
|
|
46
51
|
});
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
52
|
+
const SessionTokenResponseSchema = Schema.Struct({
|
|
53
|
+
access_token: Schema.String,
|
|
54
|
+
refresh_token: Schema.String,
|
|
55
|
+
expires_at: Schema.String,
|
|
56
|
+
});
|
|
57
|
+
const OAuthTokenErrorResponseSchema = Schema.Struct({
|
|
58
|
+
error: Schema.String,
|
|
59
|
+
error_description: Schema.optional(Schema.String),
|
|
60
|
+
});
|
|
61
|
+
const unexpectedTokenStatus = (response) => Effect.flatMap(Effect.orElseSucceed(response.text, () => "Unexpected status code"), (description) => Effect.fail(new HttpClientError.HttpClientError({
|
|
62
|
+
reason: new HttpClientError.StatusCodeError({
|
|
63
|
+
request: response.request,
|
|
64
|
+
response,
|
|
65
|
+
description,
|
|
66
|
+
}),
|
|
67
|
+
})));
|
|
68
|
+
const deriveAuthorizationOrigin = (registryUrl) => {
|
|
69
|
+
const url = new URL(registryUrl);
|
|
70
|
+
if (url.origin === "https://registry.agentxm.ai") {
|
|
71
|
+
return "https://agentxm.ai";
|
|
72
|
+
}
|
|
73
|
+
if (url.origin === "https://registry-dev.agentxm-ai.workers.dev") {
|
|
74
|
+
return "https://web-dev.agentxm-ai.workers.dev";
|
|
75
|
+
}
|
|
76
|
+
if (url.host === "localhost:4300") {
|
|
77
|
+
return "http://localhost:4200";
|
|
78
|
+
}
|
|
79
|
+
if (url.host === "127.0.0.1:4300") {
|
|
80
|
+
return "http://127.0.0.1:4200";
|
|
81
|
+
}
|
|
82
|
+
if (url.hostname === "127.0.0.1") {
|
|
83
|
+
return `${url.protocol}//${url.hostname}:4200`;
|
|
84
|
+
}
|
|
85
|
+
return url.origin;
|
|
86
|
+
};
|
|
87
|
+
const mapAuthCodeExchangeError = (error) => makeAppError({
|
|
88
|
+
code: "auth",
|
|
89
|
+
message: "Authorization code exchange failed",
|
|
90
|
+
breadcrumbs: [{ description: "Run `axm login` to try again.", cmd: "axm login" }],
|
|
91
|
+
cause: error,
|
|
92
|
+
});
|
|
93
|
+
const getOAuthErrorCode = (error) => getString(error, "error") ?? getString(error, "code");
|
|
54
94
|
const isRetryableDevicePollError = (error) => error._tag === "RetryableDevicePollError";
|
|
55
95
|
const makeTransientDevicePollAppError = (cause) => makeAppError({
|
|
56
96
|
code: "auth",
|
|
@@ -77,48 +117,43 @@ const retryTransientDevicePollFailure = (effect) => effect.pipe(Effect.retry({
|
|
|
77
117
|
// -----------------------------------------------------------------------------
|
|
78
118
|
// Single poll step
|
|
79
119
|
// -----------------------------------------------------------------------------
|
|
120
|
+
const postTokenForm = (httpClient, registryUrl, body) => HttpClientRequest.post("/v1/auth/token").pipe(HttpClientRequest.bodyUrlParams(body), (request) => httpClient
|
|
121
|
+
.pipe(HttpClient.mapRequest(HttpClientRequest.prependUrl(registryUrl)))
|
|
122
|
+
.execute(request), Effect.flatMap(HttpClientResponse.matchStatus({
|
|
123
|
+
"2xx": HttpClientResponse.schemaBodyJson(SessionTokenResponseSchema),
|
|
124
|
+
"400": (response) => HttpClientResponse.schemaBodyJson(OAuthTokenErrorResponseSchema)(response).pipe(Effect.flatMap((error) => Effect.fail(error))),
|
|
125
|
+
orElse: unexpectedTokenStatus,
|
|
126
|
+
})), Effect.map(normalizeTokenResponse));
|
|
80
127
|
/**
|
|
81
|
-
* Internal: execute a single device token poll against the
|
|
128
|
+
* Internal: execute a single device token poll against the OAuth token endpoint.
|
|
82
129
|
*
|
|
83
130
|
* Surfaces transient HTTP failures as RetryableDevicePollError so callers can
|
|
84
131
|
* decide whether to retry; other failures are mapped to AppError directly.
|
|
85
132
|
*
|
|
86
|
-
* @param
|
|
133
|
+
* @param httpClient - Effect HTTP client
|
|
134
|
+
* @param registryUrl - Registry API origin
|
|
87
135
|
* @param deviceCode - Device verification code from the initial authorization
|
|
88
136
|
*/
|
|
89
|
-
const pollOnceInternal = (
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
grant_type: DEVICE_CODE_GRANT_TYPE,
|
|
95
|
-
},
|
|
96
|
-
})
|
|
97
|
-
.pipe(Effect.map((token) => ({
|
|
137
|
+
const pollOnceInternal = (httpClient, registryUrl, deviceCode) => postTokenForm(httpClient, registryUrl, {
|
|
138
|
+
client_id: CLIENT_ID,
|
|
139
|
+
device_code: deviceCode,
|
|
140
|
+
grant_type: DEVICE_CODE_GRANT_TYPE,
|
|
141
|
+
}).pipe(Effect.map((token) => ({
|
|
98
142
|
_tag: "Success",
|
|
99
|
-
token
|
|
143
|
+
token,
|
|
100
144
|
})), Effect.catch((error) => {
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
return Effect.fail(makeAppError({
|
|
114
|
-
code: "auth",
|
|
115
|
-
message: "Device token exchange failed with an unexpected error",
|
|
116
|
-
breadcrumbs: [
|
|
117
|
-
{ description: "Try running `axm login` again.", cmd: "axm login" },
|
|
118
|
-
],
|
|
119
|
-
cause: error,
|
|
120
|
-
}));
|
|
121
|
-
}
|
|
145
|
+
const code = getOAuthErrorCode(error);
|
|
146
|
+
switch (code) {
|
|
147
|
+
case "authorization_pending":
|
|
148
|
+
return Effect.succeed({ _tag: "Pending" });
|
|
149
|
+
case "slow_down":
|
|
150
|
+
return Effect.succeed({ _tag: "SlowDown" });
|
|
151
|
+
case "access_denied":
|
|
152
|
+
return Effect.succeed({ _tag: "AccessDenied" });
|
|
153
|
+
case "expired_token":
|
|
154
|
+
return Effect.succeed({ _tag: "ExpiredToken" });
|
|
155
|
+
default:
|
|
156
|
+
break;
|
|
122
157
|
}
|
|
123
158
|
if (isTransientHttpClientError(error)) {
|
|
124
159
|
return Effect.fail(new RetryableDevicePollError({ cause: error }));
|
|
@@ -136,14 +171,40 @@ const pollOnceInternal = (client, deviceCode) => client
|
|
|
136
171
|
* Transient HTTP failures are collapsed into AUTH_LOGIN_FAILED; this seam does
|
|
137
172
|
* not retry on its own. For the retrying variant, use `pollDeviceToken`.
|
|
138
173
|
*/
|
|
139
|
-
export const pollOnce = (
|
|
174
|
+
export const pollOnce = (httpClient, registryUrl, deviceCode) => pollOnceInternal(httpClient, registryUrl, deviceCode).pipe(Effect.catchTag("RetryableDevicePollError", (e) => Effect.fail(makeTransientDevicePollAppError(e.cause))));
|
|
140
175
|
// -----------------------------------------------------------------------------
|
|
141
176
|
// Live layer
|
|
142
177
|
// -----------------------------------------------------------------------------
|
|
143
178
|
export const AuthClientLive = Layer.effect(AuthClient, Effect.gen(function* () {
|
|
144
179
|
const httpClient = yield* HttpClient.HttpClient;
|
|
145
180
|
const registryUrl = yield* RegistryUrl;
|
|
181
|
+
const authorizationOrigin = deriveAuthorizationOrigin(registryUrl);
|
|
146
182
|
const client = GeneratedRegistryClient.make(httpClient.pipe(HttpClient.mapRequest(HttpClientRequest.prependUrl(registryUrl))));
|
|
183
|
+
const buildAuthorizeUrl = ({ challenge, expiresAt, state, redirectUri, scopes, }) => {
|
|
184
|
+
const url = new URL("/oauth/authorize", authorizationOrigin);
|
|
185
|
+
url.searchParams.set("response_type", "code");
|
|
186
|
+
url.searchParams.set("client_id", CLIENT_ID);
|
|
187
|
+
url.searchParams.set("code_challenge", challenge);
|
|
188
|
+
url.searchParams.set("code_challenge_method", "S256");
|
|
189
|
+
url.searchParams.set("state", state);
|
|
190
|
+
url.searchParams.set("redirect_uri", redirectUri);
|
|
191
|
+
url.searchParams.set("scope", (scopes ?? PKCE_SCOPES.split(" ")).join(" "));
|
|
192
|
+
if (expiresAt !== undefined) {
|
|
193
|
+
url.searchParams.set("request_expires_at", expiresAt.toISOString());
|
|
194
|
+
}
|
|
195
|
+
return url.href;
|
|
196
|
+
};
|
|
197
|
+
const getAuthorizationIssuer = () => authorizationOrigin;
|
|
198
|
+
const exchangePkceCode = Effect.fn("AuthClient.exchangePkceCode")(function* ({ code, verifier, redirectUri }) {
|
|
199
|
+
const response = yield* postTokenForm(httpClient, registryUrl, {
|
|
200
|
+
grant_type: AUTHORIZATION_CODE_GRANT_TYPE,
|
|
201
|
+
code,
|
|
202
|
+
code_verifier: verifier,
|
|
203
|
+
client_id: CLIENT_ID,
|
|
204
|
+
redirect_uri: redirectUri,
|
|
205
|
+
}).pipe(Effect.mapError(mapAuthCodeExchangeError));
|
|
206
|
+
return response;
|
|
207
|
+
});
|
|
147
208
|
const initiateDeviceFlow = Effect.fn("AuthClient.initiateDeviceFlow")(function* () {
|
|
148
209
|
const response = yield* client
|
|
149
210
|
.AuthIssueDeviceCode({
|
|
@@ -172,7 +233,7 @@ export const AuthClientLive = Layer.effect(AuthClient, Effect.gen(function* () {
|
|
|
172
233
|
let currentInterval = interval * 1000;
|
|
173
234
|
while (true) {
|
|
174
235
|
yield* Effect.sleep(currentInterval);
|
|
175
|
-
const result = yield* retryTransientDevicePollFailure(pollOnceInternal(
|
|
236
|
+
const result = yield* retryTransientDevicePollFailure(pollOnceInternal(httpClient, registryUrl, deviceCode));
|
|
176
237
|
switch (result._tag) {
|
|
177
238
|
case "Success":
|
|
178
239
|
return result.token;
|
|
@@ -197,15 +258,11 @@ export const AuthClientLive = Layer.effect(AuthClient, Effect.gen(function* () {
|
|
|
197
258
|
}
|
|
198
259
|
});
|
|
199
260
|
const refreshToken = Effect.fn("AuthClient.refreshToken")(function* (refreshTokenValue) {
|
|
200
|
-
|
|
201
|
-
|
|
202
|
-
|
|
203
|
-
|
|
204
|
-
|
|
205
|
-
client_id: CLIENT_ID,
|
|
206
|
-
},
|
|
207
|
-
})
|
|
208
|
-
.pipe(Effect.mapError((error) => makeAppError({
|
|
261
|
+
return yield* postTokenForm(httpClient, registryUrl, {
|
|
262
|
+
grant_type: "refresh_token",
|
|
263
|
+
refresh_token: refreshTokenValue,
|
|
264
|
+
client_id: CLIENT_ID,
|
|
265
|
+
}).pipe(Effect.mapError((error) => makeAppError({
|
|
209
266
|
code: "auth",
|
|
210
267
|
message: "Token refresh request failed",
|
|
211
268
|
breadcrumbs: [
|
|
@@ -213,14 +270,17 @@ export const AuthClientLive = Layer.effect(AuthClient, Effect.gen(function* () {
|
|
|
213
270
|
],
|
|
214
271
|
cause: error,
|
|
215
272
|
})));
|
|
216
|
-
return normalizeTokenResponse(token);
|
|
217
273
|
});
|
|
218
|
-
const revokeToken = Effect.fn("AuthClient.revokeToken")(function* (
|
|
219
|
-
yield*
|
|
220
|
-
|
|
221
|
-
|
|
222
|
-
})
|
|
223
|
-
.pipe(
|
|
274
|
+
const revokeToken = Effect.fn("AuthClient.revokeToken")(function* (token) {
|
|
275
|
+
yield* HttpClientRequest.post("/v1/auth/revoke").pipe(HttpClientRequest.bodyUrlParams({
|
|
276
|
+
token,
|
|
277
|
+
token_type_hint: "refresh_token",
|
|
278
|
+
}), (request) => httpClient
|
|
279
|
+
.pipe(HttpClient.mapRequest(HttpClientRequest.prependUrl(registryUrl)))
|
|
280
|
+
.execute(request), Effect.flatMap(HttpClientResponse.matchStatus({
|
|
281
|
+
"200": () => Effect.void,
|
|
282
|
+
orElse: (response) => response.text.pipe(Effect.flatMap(Effect.fail)),
|
|
283
|
+
})), Effect.catch((error) => Effect.logWarning(`Token revocation failed: ${String(error)}. Local credentials will still be cleared.`)));
|
|
224
284
|
});
|
|
225
285
|
const getMe = Effect.fn("AuthClient.getMe")(function* (accessToken) {
|
|
226
286
|
// Inject bearer token via a per-request HttpClient wrapper for getMe.
|
|
@@ -284,6 +344,9 @@ export const AuthClientLive = Layer.effect(AuthClient, Effect.gen(function* () {
|
|
|
284
344
|
};
|
|
285
345
|
});
|
|
286
346
|
return {
|
|
347
|
+
buildAuthorizeUrl,
|
|
348
|
+
getAuthorizationIssuer,
|
|
349
|
+
exchangePkceCode,
|
|
287
350
|
initiateDeviceFlow,
|
|
288
351
|
pollDeviceToken,
|
|
289
352
|
refreshToken,
|
|
@@ -295,6 +358,12 @@ export const AuthClientLive = Layer.effect(AuthClient, Effect.gen(function* () {
|
|
|
295
358
|
// Test layer factory
|
|
296
359
|
// -----------------------------------------------------------------------------
|
|
297
360
|
export const AuthClientTest = (overrides) => Layer.succeed(AuthClient, {
|
|
361
|
+
buildAuthorizeUrl: ({ redirectUri }) => `https://agentxm.ai/oauth/authorize?redirect_uri=${redirectUri}`,
|
|
362
|
+
getAuthorizationIssuer: () => "https://agentxm.ai",
|
|
363
|
+
exchangePkceCode: () => Effect.fail(makeAppError({
|
|
364
|
+
code: "auth",
|
|
365
|
+
message: "Not implemented in test",
|
|
366
|
+
})),
|
|
298
367
|
initiateDeviceFlow: () => Effect.fail(makeAppError({
|
|
299
368
|
code: "auth",
|
|
300
369
|
message: "Not implemented in test",
|
|
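Review bot: `deriveAuthorizationOrigin` (new lines 68–86) falls back to `return url.origin` for any registry URL it does not recognise and never checks the scheme. The browser login built by `buildAuthorizeUrl` therefore goes to whatever origin the configured registry URL gives, and `postTokenForm` sends the authorization code, PKCE verifier and refresh token to that same registry URL. Where `RegistryUrl` is validated is not visible in this section; if it can be set from settings or the environment, a plain `http:` or mistyped value would expose those credentials in transit or to an unintended host. I would reject non-loopback origins that are not HTTPS before the fallback, for example `if (url.protocol !== "https:" && url.hostname !== "localhost" && url.hostname !== "127.0.0.1") throw new Error("registry URL must use https");`, or add a comment naming the place that already enforces this.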
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth-client.js","sourceRoot":"","sources":["../../../../src/unstable/auth/auth-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,UAAU,MAAM,iCAAiC,CAAC;AAC9D,OAAO,KAAK,iBAAiB,MAAM,wCAAwC,CAAC;AAC5E,OAAO,KAAK,IAAI,MAAM,aAAa,CAAC;AACpC,OAAO,KAAK,UAAU,MAAM,gBAAgB,CAAC;AAC7C,OAAO,KAAK,MAAM,MAAM,eAAe,CAAC;AACxC,OAAO,KAAK,KAAK,MAAM,cAAc,CAAC;AACtC,OAAO,KAAK,QAAQ,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAiB,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACpE,OAAO,EAAE,eAAe,EAAe,MAAM,yBAAyB,CAAC;AACvE,OAAO,EAAgC,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,uBAAuB,MAAM,8CAA8C,CAAC;AACxF,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,YAAY,EACZ,SAAS,EACT,0BAA0B,GAC3B,MAAM,8BAA8B,CAAC;AAEtC,gFAAgF;AAChF,YAAY;AACZ,gFAAgF;AAEhF,MAAM,SAAS,GAAG,SAAS,CAAC;AAC5B,MAAM,kBAAkB,GACtB,+HAA+H,CAAC;AAClI,MAAM,sBAAsB,GAAG,8CAA8C,CAAC;AAC9E,MAAM,sBAAsB,GAAG,IAAI,CAAC;AACpC,MAAM,iCAAiC,GAAG,CAAC,CAAC;AAC5C,MAAM,sCAAsC,GAAG,YAAY,CAAC;AAqD5D,MAAM,OAAO,UAAW,SAAQ,UAAU,CAAC,OAAO,EAAiC,CACjF,2DAA2D,CAC5D;CAAG;AAEJ,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF,MAAM,wBAAyB,SAAQ,IAAI,CAAC,WAAW,CAAC,0BAA0B,CAEhF;CAAG;AAEL,kFAAkF;AAClF,MAAM,sBAAsB,GAAG,CAAC,KAI/B,EAA2B,EAAE,CAAC,CAAC;IAC9B,YAAY,EAAE,KAAK,CAAC,YAAY;IAChC,aAAa,EAAE,KAAK,CAAC,aAAa;IAClC,UAAU,EAAE,KAAK,CAAC,UAAU;CAC7B,CAAC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,iBAAiB,GAAG,CACxB,KAAwF,EACpE,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;AAE3F,MAAM,0BAA0B,GAAG,CACjC,KAA0C,EACP,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,0BAA0B,CAAC;AAElF,MAAM,+BAA+B,GAAG,CAAC,KAAc,EAAE,EAAE,CACzD,YAAY,CAAC;IACX,IAAI,EAAE,MAAM;IACZ,OAAO,EAAE,8CAA8C;IACvD,WAAW,EAAE;QACX;YACE,WAAW,EAAE,2EAA2E;YACxF,GAAG,EAAE,WAAW;SACjB;KACF;IACD,KAAK;CACN,CAAC,CAAC;AAEL;;;;;GAKG;AACH,MAAM,+BAA+B,GAAG,CACtC,MAA6D,EACjC,EAAE,CAC9B,MAAM,CAAC,IAAI,CACT,MAAM,CAAC,KAAK,CAAC;IACX,KAAK,EAAE,iCAAiC;IACxC,QAAQ,EAAE,QAAQ,CAAC,WAAW,CAAC,sCAAsC,CAAC;IACtE,KAAK,EAAE,0BAA0B;CAClC,CAAC,EACF,MAAM,CAAC,QAAQ,CAAC,0BAA0B,EAAE,CAAC,CAAC,EAAE,EAAE,CA
ChD,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CACtD,CACF,CAAC;AAEJ,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;;;;;;;GAQG;AACH,MAAM,gBAAgB,GAAG,CACvB,MAA8C,EAC9C,UAAkB,EAC8C,EAAE,CAClE,MAAM;KACH,sBAAsB,CAAC;IACtB,OAAO,EAAE;QACP,SAAS,EAAE,SAAS;QACpB,WAAW,EAAE,UAAU;QACvB,UAAU,EAAE,sBAAsB;KACnC;CACF,CAAC;KACD,IAAI,CACH,MAAM,CAAC,GAAG,CACR,CAAC,KAAK,EAAc,EAAE,CAAC,CAAC;IACtB,IAAI,EAAE,SAAS;IACf,KAAK,EAAE,sBAAsB,CAAC,KAAK,CAAC;CACrC,CAAC,CACH,EACD,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,EAAkE,EAAE;IACrF,IAAI,qBAAqB,CAAC,2BAA2B,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9D,MAAM,IAAI,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACtC,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,uBAAuB;gBAC1B,OAAO,MAAM,CAAC,OAAO,CAAa,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;YACzD,KAAK,WAAW;gBACd,OAAO,MAAM,CAAC,OAAO,CAAa,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;YAC1D,KAAK,eAAe;gBAClB,OAAO,MAAM,CAAC,OAAO,CAAa,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;YAC9D,KAAK,eAAe;gBAClB,OAAO,MAAM,CAAC,OAAO,CAAa,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;YAC9D;gBACE,OAAO,MAAM,CAAC,IAAI,CAChB,YAAY,CAAC;oBACX,IAAI,EAAE,MAAM;oBACZ,OAAO,EAAE,uDAAuD;oBAChE,WAAW,EAAE;wBACX,EAAE,WAAW,EAAE,gCAAgC,EAAE,GAAG,EAAE,WAAW,EAAE;qBACpE;oBACD,KAAK,EAAE,KAAK;iBACb,CAAC,CACH,CAAC;QACN,CAAC;IACH,CAAC;IAED,IAAI,0BAA0B,CAAC,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,wBAAwB,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAChB,YAAY,CAAC;QACX,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,uDAAuD;QAChE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,gCAAgC,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC;QAClF,KAAK,EAAE,KAAK;KACb,CAAC,CACH,CAAC;AACJ,CAAC,CAAC,CACH,CAAC;AAEN;;;;;GAKG;AACH,MAAM,CAAC,MAAM,QAAQ,GAAG,CACtB,MAA8C,EAC9C,UAAkB,EACmB,EAAE,CACvC,gBAAgB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,IAAI,CACvC,MAAM,CAAC,QAAQ,CAAC,0BAA0B,EAAE,CAAC,CAAC,EAAE,EAAE,CAChD,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CACtD,CACF,CAAC;AAEJ,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF,MAAM,CAAC,MAAM,cAAc,GAAG,KAAK,CAAC,MAAM,CACxC,UAAU,EACV,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;IAClB,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,UAAU,CAAC,UAAU
,CAAC;IAChD,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,WAAW,CAAC;IACvC,MAAM,MAAM,GAAG,uBAAuB,CAAC,IAAI,CACzC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,iBAAiB,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC,CAClF,CAAC;IAEF,MAAM,kBAAkB,GAA4C,MAAM,CAAC,EAAE,CAC3E,+BAA+B,CAChC,CAAC,QAAQ,CAAC;QACT,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,MAAM;aAC3B,mBAAmB,CAAC;YACnB,OAAO,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,kBAAkB,EAAE;SAC7D,CAAC;aACD,IAAI,CACH,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAE,EAAE,CACxB,YAAY,CAAC;YACX,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,mCAAmC;YAC5C,WAAW,EAAE;gBACX;oBACE,WAAW,EAAE,+DAA+D;iBAC7E;aACF;YACD,KAAK,EAAE,KAAK;SACb,CAAC,CACH,CACF,CAAC;QAEJ,OAAO;YACL,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB;YAC3C,yBAAyB,EAAE,QAAQ,CAAC,yBAAyB;YAC7D,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,UAAU,EAAE,QAAQ,CAAC,UAAU;SACH,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,MAAM,eAAe,GAAyC,MAAM,CAAC,EAAE,CACrE,4BAA4B,CAC7B,CAAC,QAAQ,CAAC,EAAE,UAAU,EAAE,QAAQ;QAC/B,IAAI,eAAe,GAAG,QAAQ,GAAG,IAAI,CAAC;QAEtC,OAAO,IAAI,EAAE,CAAC;YACZ,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;YACrC,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,+BAA+B,CAAC,gBAAgB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;YAE5F,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;gBACpB,KAAK,SAAS;oBACZ,OAAO,MAAM,CAAC,KAAK,CAAC;gBACtB,KAAK,SAAS;oBACZ,SAAS;gBACX,KAAK,UAAU;oBACb,eAAe,IAAI,sBAAsB,CAAC;oBAC1C,SAAS;gBACX,KAAK,cAAc;oBACjB,OAAO,KAAK,CAAC,CAAC,YAAY,CAAC;wBACzB,IAAI,EAAE,MAAM;wBACZ,OAAO,EAAE,+BAA+B;wBACxC,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,+BAA+B,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC;qBAClF,CAAC,CAAC;gBACL,KAAK,cAAc;oBACjB,OAAO,KAAK,CAAC,CAAC,YAAY,CAAC;wBACzB,IAAI,EAAE,MAAM;wBACZ,OAAO,EAAE,oBAAoB;wBAC7B,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,+BAA+B,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC;qBAClF,CAAC,CAAC;YACP,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,YAAY,GAAsC,MAAM,CAAC,EAAE,CAAC,yBAAyB,CAAC,CAC1F,QAAQ,CAAC,EAAE,iBAAiB;QAC1B,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,MAAM;aACxB,gBAAgB,CAAC;YAChB,OAAO,EAAE;gBACP,UAAU,EAAE,eAAe;gBAC3B,aAAa,EAAE,iBAAiB;gBAChC,SAAS,EAAE,SAAS;aACrB;SACF,CAAC;aACD,IAAI,CACH,MAAM,CAAC,QAAQ,C
AAC,CAAC,KAAK,EAAE,EAAE,CACxB,YAAY,CAAC;YACX,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,8BAA8B;YACvC,WAAW,EAAE;gBACX,EAAE,WAAW,EAAE,qCAAqC,EAAE,GAAG,EAAE,WAAW,EAAE;aACzE;YACD,KAAK,EAAE,KAAK;SACb,CAAC,CACH,CACF,CAAC;QAEJ,OAAO,sBAAsB,CAAC,KAAK,CAAC,CAAC;IACvC,CAAC,CACF,CAAC;IAEF,MAAM,WAAW,GAAqC,MAAM,CAAC,EAAE,CAAC,wBAAwB,CAAC,CACvF,QAAQ,CAAC,EAAE,WAAW;QACpB,KAAK,CAAC,CAAC,MAAM;aACV,eAAe,CAAC;YACf,OAAO,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE;SAChC,CAAC;aACD,IAAI,CACH,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CACrB,MAAM,CAAC,UAAU,CACf,4BAA4B,MAAM,CAAC,KAAK,CAAC,4CAA4C,CACtF,CACF,CACF,CAAC;IACN,CAAC,CACF,CAAC;IAEF,MAAM,KAAK,GAA+B,MAAM,CAAC,EAAE,CAAC,kBAAkB,CAAC,CACrE,QAAQ,CAAC,EAAE,WAAW;QACpB,sEAAsE;QACtE,0EAA0E;QAC1E,iEAAiE;QACjE,MAAM,YAAY,GAAG,uBAAuB,CAAC,IAAI,CAC/C,UAAU,CAAC,IAAI,CACb,UAAU,CAAC,UAAU,CAAC,iBAAiB,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,EAChE,UAAU,CAAC,UAAU,CAAC,iBAAiB,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,CAClE,CACF,CAAC;QAEF,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,YAAY,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,IAAI,CAC3D,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAY,EAAE;YAClC,IAAI,qBAAqB,CAAC,cAAc,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;gBACjD,OAAO,YAAY,CAAC;oBAClB,IAAI,EAAE,MAAM;oBACZ,OAAO,EAAE,uCAAuC;oBAChD,WAAW,EAAE;wBACX,EAAE,WAAW,EAAE,qCAAqC,EAAE,GAAG,EAAE,WAAW,EAAE;qBACzE;oBACD,KAAK,EAAE,KAAK;iBACb,CAAC,CAAC;YACL,CAAC;YACD,IAAI,qBAAqB,CAAC,cAAc,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;gBACjD,OAAO,YAAY,CAAC;oBAClB,IAAI,EAAE,MAAM;oBACZ,OAAO,EAAE,uCAAuC;oBAChD,WAAW,EAAE;wBACX,EAAE,WAAW,EAAE,qCAAqC,EAAE,GAAG,EAAE,WAAW,EAAE;qBACzE;oBACD,KAAK,EAAE,KAAK;iBACb,CAAC,CAAC;YACL,CAAC;YACD,4EAA4E;YAC5E,+EAA+E;YAC/E,+EAA+E;YAC/E,IAAI,wBAAwB,CAAC,KAAK,CAAC,IAAI,YAAY,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,CAAC;gBAClE,OAAO,YAAY,CAAC;oBAClB,IAAI,EAAE,SAAS;oBACf,OAAO,EAAE,gCAAgC;oBACzC,WAAW,EAAE;wBACX;4BACE,WAAW,EAAE,+DAA+D;yBAC7E;qBACF;oBACD,KAAK,EAAE,KAAK;iBACb,CAAC,CAAC;YACL,CAAC;YACD,OAAO,YAAY,CAAC;gBAClB,IAAI,EAAE,MAAM;gBACZ,OAAO,EAAE,mCAAmC;gBAC5C,WAAW,EAAE;oBACX;wBACE,WAAW,EAAE,+DAA+D;qBAC7E;iBACF;gBACD,KAAK,EAAE,KAAK;aACb,CAAC,CAAC;QACL,CAAC,CAAC,CACH,CAAC;QAE
F,OAAO;YACL,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE;YACvB,UAAU,EAAE,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC;YAChD,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE;YAC/B,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;YAC7B,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,MAAM;YAC5B,IAAI,EAAE,EAAE;SACY,CAAC;IACzB,CAAC,CACF,CAAC;IAEF,OAAO;QACL,kBAAkB;QAClB,eAAe;QACf,YAAY;QACZ,WAAW;QACX,KAAK;KACsB,CAAC;AAChC,CAAC,CAAC,CACH,CAAC;AAEF,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,SAAsC,EAAE,EAAE,CACvE,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE;IACxB,kBAAkB,EAAE,GAAG,EAAE,CACvB,MAAM,CAAC,IAAI,CACT,YAAY,CAAC;QACX,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,yBAAyB;KACnC,CAAC,CACH;IACH,eAAe,EAAE,GAAG,EAAE,CACpB,MAAM,CAAC,IAAI,CACT,YAAY,CAAC;QACX,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,yBAAyB;KACnC,CAAC,CACH;IACH,YAAY,EAAE,GAAG,EAAE,CACjB,MAAM,CAAC,IAAI,CACT,YAAY,CAAC;QACX,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,yBAAyB;KACnC,CAAC,CACH;IACH,WAAW,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI;IAC9B,KAAK,EAAE,GAAG,EAAE,CACV,MAAM,CAAC,IAAI,CACT,YAAY,CAAC;QACX,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,yBAAyB;KACnC,CAAC,CACH;IACH,GAAG,SAAS;CACe,CAAC,CAAC"}
|
|
1
|
+
{"version":3,"file":"auth-client.js","sourceRoot":"","sources":["../../../../src/unstable/auth/auth-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,UAAU,MAAM,iCAAiC,CAAC;AAC9D,OAAO,KAAK,eAAe,MAAM,sCAAsC,CAAC;AACxE,OAAO,KAAK,iBAAiB,MAAM,wCAAwC,CAAC;AAC5E,OAAO,KAAK,kBAAkB,MAAM,yCAAyC,CAAC;AAC9E,OAAO,KAAK,IAAI,MAAM,aAAa,CAAC;AACpC,OAAO,KAAK,UAAU,MAAM,gBAAgB,CAAC;AAC7C,OAAO,KAAK,MAAM,MAAM,eAAe,CAAC;AACxC,OAAO,KAAK,KAAK,MAAM,cAAc,CAAC;AACtC,OAAO,KAAK,QAAQ,MAAM,iBAAiB,CAAC;AAC5C,OAAO,KAAK,MAAM,MAAM,eAAe,CAAC;AACxC,OAAO,EAAiB,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACpE,OAAO,EAAE,eAAe,EAAe,MAAM,yBAAyB,CAAC;AACvE,OAAO,EAAgC,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,uBAAuB,MAAM,8CAA8C,CAAC;AACxF,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,YAAY,EACZ,SAAS,EACT,0BAA0B,GAC3B,MAAM,8BAA8B,CAAC;AAEtC,gFAAgF;AAChF,YAAY;AACZ,gFAAgF;AAEhF,MAAM,SAAS,GAAG,SAAS,CAAC;AAC5B,MAAM,kBAAkB,GACtB,+HAA+H,CAAC;AAClI,MAAM,WAAW,GAAG,qCAAqC,CAAC;AAC1D,MAAM,sBAAsB,GAAG,8CAA8C,CAAC;AAC9E,MAAM,6BAA6B,GAAG,oBAAoB,CAAC;AAC3D,MAAM,sBAAsB,GAAG,IAAI,CAAC;AACpC,MAAM,iCAAiC,GAAG,CAAC,CAAC;AAC5C,MAAM,sCAAsC,GAAG,YAAY,CAAC;AAwE5D,MAAM,OAAO,UAAW,SAAQ,UAAU,CAAC,OAAO,EAAiC,CACjF,2DAA2D,CAC5D;CAAG;AAEJ,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF,MAAM,wBAAyB,SAAQ,IAAI,CAAC,WAAW,CAAC,0BAA0B,CAEhF;CAAG;AAEL,kFAAkF;AAClF,MAAM,sBAAsB,GAAG,CAAC,KAI/B,EAA2B,EAAE,CAAC,CAAC;IAC9B,YAAY,EAAE,KAAK,CAAC,YAAY;IAChC,aAAa,EAAE,KAAK,CAAC,aAAa;IAClC,UAAU,EAAE,KAAK,CAAC,UAAU;CAC7B,CAAC,CAAC;AAEH,MAAM,0BAA0B,GAAG,MAAM,CAAC,MAAM,CAAC;IAC/C,YAAY,EAAE,MAAM,CAAC,MAAM;IAC3B,aAAa,EAAE,MAAM,CAAC,MAAM;IAC5B,UAAU,EAAE,MAAM,CAAC,MAAM;CAC1B,CAAC,CAAC;AAEH,MAAM,6BAA6B,GAAG,MAAM,CAAC,MAAM,CAAC;IAClD,KAAK,EAAE,MAAM,CAAC,MAAM;IACpB,iBAAiB,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC;CAClD,CAAC,CAAC;AAEH,MAAM,qBAAqB,GAAG,CAAC,QAA+C,EAAE,EAAE,CAChF,MAAM,CAAC,OAAO,CACZ,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,wBAAwB,CAAC,EACnE,CAAC,WAAW,EAAE,EAAE,CACd,MAAM,CAAC,IAAI,CACT,IAAI,eAAe,CAAC,eAAe,CAAC;IAClC,MAAM,EA
AE,IAAI,eAAe,CAAC,eAAe,CAAC;QAC1C,OAAO,EAAE,QAAQ,CAAC,OAAO;QACzB,QAAQ;QACR,WAAW;KACZ,CAAC;CACH,CAAC,CACH,CACJ,CAAC;AAEJ,MAAM,yBAAyB,GAAG,CAAC,WAAmB,EAAU,EAAE;IAChE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IACjC,IAAI,GAAG,CAAC,MAAM,KAAK,6BAA6B,EAAE,CAAC;QACjD,OAAO,oBAAoB,CAAC;IAC9B,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,KAAK,6CAA6C,EAAE,CAAC;QACjE,OAAO,wCAAwC,CAAC;IAClD,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAClC,OAAO,uBAAuB,CAAC;IACjC,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAClC,OAAO,uBAAuB,CAAC;IACjC,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QACjC,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,QAAQ,OAAO,CAAC;IACjD,CAAC;IACD,OAAO,GAAG,CAAC,MAAM,CAAC;AACpB,CAAC,CAAC;AAEF,MAAM,wBAAwB,GAAG,CAAC,KAAc,EAAE,EAAE,CAClD,YAAY,CAAC;IACX,IAAI,EAAE,MAAM;IACZ,OAAO,EAAE,oCAAoC;IAC7C,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,+BAA+B,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC;IACjF,KAAK,EAAE,KAAK;CACb,CAAC,CAAC;AAEL,MAAM,iBAAiB,GAAG,CAAC,KAAc,EAAsB,EAAE,CAC/D,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;AAExD,MAAM,0BAA0B,GAAG,CACjC,KAA0C,EACP,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,0BAA0B,CAAC;AAElF,MAAM,+BAA+B,GAAG,CAAC,KAAc,EAAE,EAAE,CACzD,YAAY,CAAC;IACX,IAAI,EAAE,MAAM;IACZ,OAAO,EAAE,8CAA8C;IACvD,WAAW,EAAE;QACX;YACE,WAAW,EAAE,2EAA2E;YACxF,GAAG,EAAE,WAAW;SACjB;KACF;IACD,KAAK;CACN,CAAC,CAAC;AAEL;;;;;GAKG;AACH,MAAM,+BAA+B,GAAG,CACtC,MAA6D,EACjC,EAAE,CAC9B,MAAM,CAAC,IAAI,CACT,MAAM,CAAC,KAAK,CAAC;IACX,KAAK,EAAE,iCAAiC;IACxC,QAAQ,EAAE,QAAQ,CAAC,WAAW,CAAC,sCAAsC,CAAC;IACtE,KAAK,EAAE,0BAA0B;CAClC,CAAC,EACF,MAAM,CAAC,QAAQ,CAAC,0BAA0B,EAAE,CAAC,CAAC,EAAE,EAAE,CAChD,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CACtD,CACF,CAAC;AAEJ,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF,MAAM,aAAa,GAAG,CACpB,UAAiC,EACjC,WAAmB,EACnB,IAAsC,EACW,EAAE,CACnD,iBAAiB,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,IAAI,CAC3C,iBAAiB,CAAC,aAAa,CAAC,IAAI,CAAC,EACrC,CAAC,OAAO,EAAE,EAAE,CACV,UAAU;KACP,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,iBAAiB,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC;KACtE,OAAO,CAAC,OAAO,CAAC,EACrB,MAAM,CAAC
,OAAO,CACZ,kBAAkB,CAAC,WAAW,CAAC;IAC7B,KAAK,EAAE,kBAAkB,CAAC,cAAc,CAAC,0BAA0B,CAAC;IACpE,KAAK,EAAE,CAAC,QAAQ,EAAE,EAAE,CAClB,kBAAkB,CAAC,cAAc,CAAC,6BAA6B,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAC7E,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAC9C;IACH,MAAM,EAAE,qBAAqB;CAC9B,CAAC,CACH,EACD,MAAM,CAAC,GAAG,CAAC,sBAAsB,CAAC,CACnC,CAAC;AAEJ;;;;;;;;;GASG;AACH,MAAM,gBAAgB,GAAG,CACvB,UAAiC,EACjC,WAAmB,EACnB,UAAkB,EAC8C,EAAE,CAClE,aAAa,CAAC,UAAU,EAAE,WAAW,EAAE;IACrC,SAAS,EAAE,SAAS;IACpB,WAAW,EAAE,UAAU;IACvB,UAAU,EAAE,sBAAsB;CACnC,CAAC,CAAC,IAAI,CACL,MAAM,CAAC,GAAG,CACR,CAAC,KAAK,EAAc,EAAE,CAAC,CAAC;IACtB,IAAI,EAAE,SAAS;IACf,KAAK;CACN,CAAC,CACH,EACD,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,EAAkE,EAAE;IACrF,MAAM,IAAI,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IACtC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,uBAAuB;YAC1B,OAAO,MAAM,CAAC,OAAO,CAAa,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;QACzD,KAAK,WAAW;YACd,OAAO,MAAM,CAAC,OAAO,CAAa,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;QAC1D,KAAK,eAAe;YAClB,OAAO,MAAM,CAAC,OAAO,CAAa,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;QAC9D,KAAK,eAAe;YAClB,OAAO,MAAM,CAAC,OAAO,CAAa,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;QAC9D;YACE,MAAM;IACV,CAAC;IAED,IAAI,0BAA0B,CAAC,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,wBAAwB,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAChB,YAAY,CAAC;QACX,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,uDAAuD;QAChE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,gCAAgC,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC;QAClF,KAAK,EAAE,KAAK;KACb,CAAC,CACH,CAAC;AACJ,CAAC,CAAC,CACH,CAAC;AAEJ;;;;;GAKG;AACH,MAAM,CAAC,MAAM,QAAQ,GAAG,CACtB,UAAiC,EACjC,WAAmB,EACnB,UAAkB,EACmB,EAAE,CACvC,gBAAgB,CAAC,UAAU,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC,IAAI,CACxD,MAAM,CAAC,QAAQ,CAAC,0BAA0B,EAAE,CAAC,CAAC,EAAE,EAAE,CAChD,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CACtD,CACF,CAAC;AAEJ,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF,MAAM,CAAC,MAAM,cAAc,GAAG,KAAK,CAAC,MAAM,CACxC,UAAU,EACV,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;IAClB,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC;IAChD,MAAM,WAAW,GAAG,K
AAK,CAAC,CAAC,WAAW,CAAC;IACvC,MAAM,mBAAmB,GAAG,yBAAyB,CAAC,WAAW,CAAC,CAAC;IACnE,MAAM,MAAM,GAAG,uBAAuB,CAAC,IAAI,CACzC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,iBAAiB,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC,CAClF,CAAC;IAEF,MAAM,iBAAiB,GAA2C,CAAC,EACjE,SAAS,EACT,SAAS,EACT,KAAK,EACL,WAAW,EACX,MAAM,GACP,EAAE,EAAE;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,kBAAkB,EAAE,mBAAmB,CAAC,CAAC;QAC7D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;QAC7C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;QACtD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACrC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;QAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,MAAM,IAAI,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5E,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,oBAAoB,EAAE,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC;QACtE,CAAC;QACD,OAAO,GAAG,CAAC,IAAI,CAAC;IAClB,CAAC,CAAC;IAEF,MAAM,sBAAsB,GAAgD,GAAG,EAAE,CAC/E,mBAAmB,CAAC;IAEtB,MAAM,gBAAgB,GAA0C,MAAM,CAAC,EAAE,CACvE,6BAA6B,CAC9B,CAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE;QAC1C,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,aAAa,CAAC,UAAU,EAAE,WAAW,EAAE;YAC7D,UAAU,EAAE,6BAA6B;YACzC,IAAI;YACJ,aAAa,EAAE,QAAQ;YACvB,SAAS,EAAE,SAAS;YACpB,YAAY,EAAE,WAAW;SAC1B,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAC,CAAC;QAEnD,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,MAAM,kBAAkB,GAA4C,MAAM,CAAC,EAAE,CAC3E,+BAA+B,CAChC,CAAC,QAAQ,CAAC;QACT,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,MAAM;aAC3B,mBAAmB,CAAC;YACnB,OAAO,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,kBAAkB,EAAE;SAC7D,CAAC;aACD,IAAI,CACH,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAE,EAAE,CACxB,YAAY,CAAC;YACX,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,mCAAmC;YAC5C,WAAW,EAAE;gBACX;oBACE,WAAW,EAAE,+DAA+D;iBAC7E;aACF;YACD,KAAK,EAAE,KAAK;SACb,CAAC,CACH,CACF,CAAC;QAEJ,OAAO;YACL,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,gBAAgB,EAAE,QAAQ,CAAC,gBAAg
B;YAC3C,yBAAyB,EAAE,QAAQ,CAAC,yBAAyB;YAC7D,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,UAAU,EAAE,QAAQ,CAAC,UAAU;SACH,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,MAAM,eAAe,GAAyC,MAAM,CAAC,EAAE,CACrE,4BAA4B,CAC7B,CAAC,QAAQ,CAAC,EAAE,UAAU,EAAE,QAAQ;QAC/B,IAAI,eAAe,GAAG,QAAQ,GAAG,IAAI,CAAC;QAEtC,OAAO,IAAI,EAAE,CAAC;YACZ,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;YACrC,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,+BAA+B,CACnD,gBAAgB,CAAC,UAAU,EAAE,WAAW,EAAE,UAAU,CAAC,CACtD,CAAC;YAEF,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;gBACpB,KAAK,SAAS;oBACZ,OAAO,MAAM,CAAC,KAAK,CAAC;gBACtB,KAAK,SAAS;oBACZ,SAAS;gBACX,KAAK,UAAU;oBACb,eAAe,IAAI,sBAAsB,CAAC;oBAC1C,SAAS;gBACX,KAAK,cAAc;oBACjB,OAAO,KAAK,CAAC,CAAC,YAAY,CAAC;wBACzB,IAAI,EAAE,MAAM;wBACZ,OAAO,EAAE,+BAA+B;wBACxC,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,+BAA+B,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC;qBAClF,CAAC,CAAC;gBACL,KAAK,cAAc;oBACjB,OAAO,KAAK,CAAC,CAAC,YAAY,CAAC;wBACzB,IAAI,EAAE,MAAM;wBACZ,OAAO,EAAE,oBAAoB;wBAC7B,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,+BAA+B,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC;qBAClF,CAAC,CAAC;YACP,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,YAAY,GAAsC,MAAM,CAAC,EAAE,CAAC,yBAAyB,CAAC,CAC1F,QAAQ,CAAC,EAAE,iBAAiB;QAC1B,OAAO,KAAK,CAAC,CAAC,aAAa,CAAC,UAAU,EAAE,WAAW,EAAE;YACnD,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,iBAAiB;YAChC,SAAS,EAAE,SAAS;SACrB,CAAC,CAAC,IAAI,CACL,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAE,EAAE,CACxB,YAAY,CAAC;YACX,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,8BAA8B;YACvC,WAAW,EAAE;gBACX,EAAE,WAAW,EAAE,qCAAqC,EAAE,GAAG,EAAE,WAAW,EAAE;aACzE;YACD,KAAK,EAAE,KAAK;SACb,CAAC,CACH,CACF,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,WAAW,GAAqC,MAAM,CAAC,EAAE,CAAC,wBAAwB,CAAC,CACvF,QAAQ,CAAC,EAAE,KAAK;QACd,KAAK,CAAC,CAAC,iBAAiB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,IAAI,CACnD,iBAAiB,CAAC,aAAa,CAAC;YAC9B,KAAK;YACL,eAAe,EAAE,eAAe;SACjC,CAAC,EACF,CAAC,OAAO,EAAE,EAAE,CACV,UAAU;aACP,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,iBAAiB,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC;aACtE,OAAO,CAAC,OAAO,CAAC,EACrB,MAAM,CAAC,OAAO,CACZ,kBAAkB,CAAC,WAAW,CAAC;YAC7B,KAAK,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI;YACxB,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC
,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;SACtE,CAAC,CACH,EACD,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CACrB,MAAM,CAAC,UAAU,CACf,4BAA4B,MAAM,CAAC,KAAK,CAAC,4CAA4C,CACtF,CACF,CACF,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,KAAK,GAA+B,MAAM,CAAC,EAAE,CAAC,kBAAkB,CAAC,CACrE,QAAQ,CAAC,EAAE,WAAW;QACpB,sEAAsE;QACtE,0EAA0E;QAC1E,iEAAiE;QACjE,MAAM,YAAY,GAAG,uBAAuB,CAAC,IAAI,CAC/C,UAAU,CAAC,IAAI,CACb,UAAU,CAAC,UAAU,CAAC,iBAAiB,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,EAChE,UAAU,CAAC,UAAU,CAAC,iBAAiB,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,CAClE,CACF,CAAC;QAEF,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,YAAY,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,IAAI,CAC3D,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAY,EAAE;YAClC,IAAI,qBAAqB,CAAC,cAAc,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;gBACjD,OAAO,YAAY,CAAC;oBAClB,IAAI,EAAE,MAAM;oBACZ,OAAO,EAAE,uCAAuC;oBAChD,WAAW,EAAE;wBACX,EAAE,WAAW,EAAE,qCAAqC,EAAE,GAAG,EAAE,WAAW,EAAE;qBACzE;oBACD,KAAK,EAAE,KAAK;iBACb,CAAC,CAAC;YACL,CAAC;YACD,IAAI,qBAAqB,CAAC,cAAc,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;gBACjD,OAAO,YAAY,CAAC;oBAClB,IAAI,EAAE,MAAM;oBACZ,OAAO,EAAE,uCAAuC;oBAChD,WAAW,EAAE;wBACX,EAAE,WAAW,EAAE,qCAAqC,EAAE,GAAG,EAAE,WAAW,EAAE;qBACzE;oBACD,KAAK,EAAE,KAAK;iBACb,CAAC,CAAC;YACL,CAAC;YACD,4EAA4E;YAC5E,+EAA+E;YAC/E,+EAA+E;YAC/E,IAAI,wBAAwB,CAAC,KAAK,CAAC,IAAI,YAAY,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,CAAC;gBAClE,OAAO,YAAY,CAAC;oBAClB,IAAI,EAAE,SAAS;oBACf,OAAO,EAAE,gCAAgC;oBACzC,WAAW,EAAE;wBACX;4BACE,WAAW,EAAE,+DAA+D;yBAC7E;qBACF;oBACD,KAAK,EAAE,KAAK;iBACb,CAAC,CAAC;YACL,CAAC;YACD,OAAO,YAAY,CAAC;gBAClB,IAAI,EAAE,MAAM;gBACZ,OAAO,EAAE,mCAAmC;gBAC5C,WAAW,EAAE;oBACX;wBACE,WAAW,EAAE,+DAA+D;qBAC7E;iBACF;gBACD,KAAK,EAAE,KAAK;aACb,CAAC,CAAC;QACL,CAAC,CAAC,CACH,CAAC;QAEF,OAAO;YACL,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE;YACvB,UAAU,EAAE,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC;YAChD,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE;YAC/B,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;YAC7B,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,MAAM;YAC5B,IAAI,EAAE,EAAE;SACY,CAAC;IACzB,CAAC,CACF,CAAC;IAEF,OAAO;QACL,iBAAiB;QACjB,sBAAsB;QACtB,gBAAgB;QAChB,kBAAkB;QAClB,eAAe;QACf,YAAY
;QACZ,WAAW;QACX,KAAK;KACsB,CAAC;AAChC,CAAC,CAAC,CACH,CAAC;AAEF,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,SAAsC,EAAE,EAAE,CACvE,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE;IACxB,iBAAiB,EAAE,CAAC,EAAE,WAAW,EAAE,EAAE,EAAE,CACrC,mDAAmD,WAAW,EAAE;IAClE,sBAAsB,EAAE,GAAG,EAAE,CAAC,oBAAoB;IAClD,gBAAgB,EAAE,GAAG,EAAE,CACrB,MAAM,CAAC,IAAI,CACT,YAAY,CAAC;QACX,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,yBAAyB;KACnC,CAAC,CACH;IACH,kBAAkB,EAAE,GAAG,EAAE,CACvB,MAAM,CAAC,IAAI,CACT,YAAY,CAAC;QACX,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,yBAAyB;KACnC,CAAC,CACH;IACH,eAAe,EAAE,GAAG,EAAE,CACpB,MAAM,CAAC,IAAI,CACT,YAAY,CAAC;QACX,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,yBAAyB;KACnC,CAAC,CACH;IACH,YAAY,EAAE,GAAG,EAAE,CACjB,MAAM,CAAC,IAAI,CACT,YAAY,CAAC;QACX,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,yBAAyB;KACnC,CAAC,CACH;IACH,WAAW,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI;IAC9B,KAAK,EAAE,GAAG,EAAE,CACV,MAAM,CAAC,IAAI,CACT,YAAY,CAAC;QACX,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,yBAAyB;KACnC,CAAC,CACH;IACH,GAAG,SAAS;CACe,CAAC,CAAC"}
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* CredentialStore Effect service — credential storage and auth policy.
|
|
3
3
|
*
|
|
4
|
-
* Tier 1: OS keychain (
|
|
4
|
+
* Tier 1: OS keychain (@napi-rs/keyring)
|
|
5
5
|
* Tier 2: Restricted-permission file (~/.config/axm/credentials.json)
|
|
6
6
|
*
|
|
7
7
|
* CI and container environments are token-only by policy. They do not persist
|
|
@@ -49,10 +49,11 @@ export declare const detectEnvironment: Effect.Effect<{
|
|
|
49
49
|
/**
|
|
50
50
|
* Select storage tier based on detected environment.
|
|
51
51
|
*
|
|
52
|
-
*
|
|
53
|
-
*
|
|
52
|
+
* Use OS keychain by default, falling back to the restricted file backend when
|
|
53
|
+
* keychain access is unavailable. Whether persistence is allowed is a separate
|
|
54
|
+
* policy decision.
|
|
54
55
|
*/
|
|
55
|
-
export declare const selectTier: (
|
|
56
|
+
export declare const selectTier: (env: EnvironmentInfo) => StorageTier;
|
|
56
57
|
export declare const canUsePersistedCredentials: (env: EnvironmentInfo) => boolean;
|
|
57
58
|
export declare const makePersistedCredentialsUnsupportedError: () => AppError;
|
|
58
59
|
export declare const CredentialStoreLive: Layer.Layer<CredentialStore, never, FileSystem.FileSystem | Path.Path>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"credential-store.d.ts","sourceRoot":"","sources":["../../../../src/unstable/auth/credential-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,UAAU,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,IAAI,MAAM,aAAa,CAAC;AACpC,OAAO,KAAK,UAAU,MAAM,gBAAgB,CAAC;AAC7C,OAAO,KAAK,MAAM,MAAM,eAAe,CAAC;AACxC,OAAO,KAAK,KAAK,MAAM,cAAc,CAAC;AACtC,OAAO,KAAK,MAAM,MAAM,eAAe,CAAC;
|
|
1
|
+
{"version":3,"file":"credential-store.d.ts","sourceRoot":"","sources":["../../../../src/unstable/auth/credential-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,UAAU,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,IAAI,MAAM,aAAa,CAAC;AACpC,OAAO,KAAK,UAAU,MAAM,gBAAgB,CAAC;AAC7C,OAAO,KAAK,MAAM,MAAM,eAAe,CAAC;AACxC,OAAO,KAAK,KAAK,MAAM,cAAc,CAAC;AACtC,OAAO,KAAK,MAAM,MAAM,eAAe,CAAC;AAIxC,OAAO,EAAwB,KAAK,QAAQ,EAAgB,MAAM,uBAAuB,CAAC;AAE1F,OAAO,EAAoB,KAAK,MAAM,EAAE,MAAM,yBAAyB,CAAC;AAExE,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAWlF,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,CACb,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE;QACX,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;QAC9B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;QAC/B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;KAC7B,KACE,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACnC,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE,QAAQ,CAAC,CAAC;IAClG,QAAQ,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACvE,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IAC3B,QAAQ,CAAC,0BAA0B,EAAE,OAAO,CAAC;CAC9C;;AAED,qBAAa,eAAgB,SAAQ,oBAEpC;CAAG;AAyQJ,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IACvB,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;CAC1B;AAED,eAAO,MAAM,iBAAiB;;;;;;gCAQ5B,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,eAAe,KAAG,WACyB,CAAC;AAE5E,eAAO,MAAM,0BAA0B,GAAI,KAAK,eAAe,KAAG,OACnC,CAAC;AAEhC,eAAO,MAAM,wCAAwC,gBAA+B,CAAC;AAMrF,eAAO,MAAM,mBAAmB,wEAmJ/B,CAAC;AAMF,eAAO,MAAM,mBAAmB,GAC9B,OAAM,WAA+B,EACrC,cAAc,cAAc,EAC5B,6BAA6B,OAAO,+CA6DrC,CAAC"}
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* CredentialStore Effect service — credential storage and auth policy.
|
|
3
3
|
*
|
|
4
|
-
* Tier 1: OS keychain (
|
|
4
|
+
* Tier 1: OS keychain (@napi-rs/keyring)
|
|
5
5
|
* Tier 2: Restricted-permission file (~/.config/axm/credentials.json)
|
|
6
6
|
*
|
|
7
7
|
* CI and container environments are token-only by policy. They do not persist
|
|
@@ -16,6 +16,8 @@ import * as Effect from "effect/Effect";
|
|
|
16
16
|
import * as Layer from "effect/Layer";
|
|
17
17
|
import * as Option from "effect/Option";
|
|
18
18
|
import * as Schema from "effect/Schema";
|
|
19
|
+
import { Entry } from "@napi-rs/keyring";
|
|
20
|
+
import * as lockfile from "proper-lockfile";
|
|
19
21
|
import { errAuthTokenRequired, makeAppError } from "../app-error/index.js";
|
|
20
22
|
import { isCI } from "../cli-flags/index.js";
|
|
21
23
|
import { decodeHandleSync } from "../extensions/handle.js";
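Review bot: The static `import { Entry } from "@napi-rs/keyring"` makes a native addon a load-time requirement of this module, which the file fallback added further down cannot cover. The `Effect.catch` fallbacks in `CredentialStoreLive` wrap only calls on `Entry`. If the binding fails to load (for example on a platform without a prebuilt binary, which I have not verified for this package), the import itself throws and the restricted-file tier becomes unreachable too. Loading it lazily inside the keychain helpers, e.g. `const { Entry } = await import("@napi-rs/keyring")` within an `Effect.tryPromise`, would route that failure into the existing fallback. Both new packages also sit on the token-handling path, so they are worth pinning and reviewing like first-party auth code.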
|
|
@@ -31,6 +33,7 @@ const CREDENTIALS_FILENAME = "credentials.json";
|
|
|
31
33
|
const CONFIG_DIR_NAME = "axm";
|
|
32
34
|
const DIR_PERMISSIONS = 0o700;
|
|
33
35
|
const FILE_PERMISSIONS = 0o600;
|
|
36
|
+
const KEYCHAIN_SERVICE = "axm";
|
|
34
37
|
// -----------------------------------------------------------------------------
|
|
35
38
|
// Internal helpers (take fs/path as args to avoid context leakage)
|
|
36
39
|
// -----------------------------------------------------------------------------
|
|
@@ -54,6 +57,22 @@ const ensureCredentialsDir = (fs, path, homeDir) => Effect.gen(function* () {
|
|
|
54
57
|
});
|
|
55
58
|
const checkFilePermissions = (fs, filePath) => fs.stat(filePath).pipe(Effect.map((stat) => (stat.mode & 0o777) > FILE_PERMISSIONS), Effect.catch(() => Effect.succeed(false)));
|
|
56
59
|
const setFilePermissions = (fs, filePath) => fs.chmod(filePath, FILE_PERMISSIONS).pipe(Effect.catch(() => Effect.void));
|
|
60
|
+
const withCredentialFileLock = (fs, path, homeDir, effect) => Effect.gen(function* () {
|
|
61
|
+
yield* ensureCredentialsDir(fs, path, homeDir);
|
|
62
|
+
const dir = getCredentialsDir(path, homeDir);
|
|
63
|
+
const release = yield* Effect.tryPromise({
|
|
64
|
+
try: () => lockfile.lock(dir, { retries: { retries: 5, minTimeout: 25, maxTimeout: 100 } }),
|
|
65
|
+
catch: (error) => makeAppError({
|
|
66
|
+
code: "auth",
|
|
67
|
+
message: "Could not lock credential storage",
|
|
68
|
+
cause: error,
|
|
69
|
+
}),
|
|
70
|
+
});
|
|
71
|
+
return yield* effect.pipe(Effect.ensuring(Effect.tryPromise({
|
|
72
|
+
try: () => release(),
|
|
73
|
+
catch: () => undefined,
|
|
74
|
+
}).pipe(Effect.catch(() => Effect.void))));
|
|
75
|
+
});
|
|
57
76
|
const readCredentialFile = (fs, path, homeDir) => Effect.gen(function* () {
|
|
58
77
|
const filePath = getCredentialsPath(path, homeDir);
|
|
59
78
|
const exists = yield* fs.exists(filePath).pipe(Effect.catch(() => Effect.succeed(false)));
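Review bot: In `withCredentialFileLock` the lock is acquired in one step and its release is attached in a later one, and a failed release is discarded twice over (`catch: () => undefined` followed by `Effect.catch(() => Effect.void)`). If the fiber is interrupted between the two steps, nothing would release the lock, and a failed release leaves no trace for whoever later sees "Could not lock credential storage". Pairing acquisition and release with `Effect.acquireUseRelease` (assuming the Effect version in use exports it) and logging a failed release addresses both. The helper also calls `ensureCredentialsDir` on the read path, so a plain read now creates the directory. `readCredentialFile` continues outside the hunk.

```javascript
const withCredentialFileLock = (fs, path, homeDir, effect) => Effect.gen(function* () {
    // … unchanged: ensureCredentialsDir and getCredentialsDir …
    const acquire = Effect.tryPromise({ /* … unchanged: lockfile.lock call and makeAppError mapping … */ });
    // A failed release is reported instead of being dropped silently.
    const releaseLock = (release) => Effect.tryPromise({
        try: () => release(),
        catch: (error) => error,
    }).pipe(Effect.catch((error) => Effect.logWarning(`Credential lock release failed: ${String(error)}`)));
    // Acquisition and release are registered together, so interruption cannot separate them.
    return yield* Effect.acquireUseRelease(acquire, () => effect, releaseLock);
});
```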
|
|
@@ -79,6 +98,13 @@ const readCredentialFile = (fs, path, homeDir) => Effect.gen(function* () {
|
|
|
79
98
|
cause: error,
|
|
80
99
|
})), Effect.catch(() => Effect.logWarning("Credential file failed schema validation, treating as empty.").pipe(Effect.map(() => Option.none()))));
|
|
81
100
|
});
|
|
101
|
+
const deleteCredentialFile = (fs, path, homeDir) => Effect.gen(function* () {
|
|
102
|
+
const filePath = getCredentialsPath(path, homeDir);
|
|
103
|
+
const exists = yield* fs.exists(filePath).pipe(Effect.catch(() => Effect.succeed(false)));
|
|
104
|
+
if (exists) {
|
|
105
|
+
yield* fs.remove(filePath).pipe(Effect.catch(() => Effect.void));
|
|
106
|
+
}
|
|
107
|
+
});
|
|
82
108
|
const writeCredentialFile = (fs, path, homeDir, data) => Effect.gen(function* () {
|
|
83
109
|
yield* ensureCredentialsDir(fs, path, homeDir);
|
|
84
110
|
const filePath = getCredentialsPath(path, homeDir);
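Review bot: `deleteCredentialFile` discards any `fs.remove` failure with `Effect.catch(() => Effect.void)`, so a caller clearing credentials is told the operation succeeded while the token file may still be on disk. `deleteKeychainCredentialFile` in the `@@ -99,6 +125,56 @@` hunk does the same around `entry.deletePassword()`. The revocation warning in auth-client.js states that local credentials will still be cleared, so a failed delete should at least be logged: `Effect.catch(() => Effect.logWarning("Could not remove credential file; stored tokens may remain on disk."))`. How callers use these helpers is not visible here, and `writeCredentialFile` continues outside the hunk.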
|
|
@@ -99,6 +125,56 @@ const emptyCredentialFile = {
|
|
|
99
125
|
version: 1,
|
|
100
126
|
registries: {},
|
|
101
127
|
};
|
|
128
|
+
const keychainAccount = (registryUrl) => `registry:${registryUrl}`;
|
|
129
|
+
const readKeychainCredentialFile = (registryUrl) => Effect.try({
|
|
130
|
+
try: () => {
|
|
131
|
+
const entry = new Entry(KEYCHAIN_SERVICE, keychainAccount(registryUrl));
|
|
132
|
+
return entry.getPassword();
|
|
133
|
+
},
|
|
134
|
+
catch: (error) => makeAppError({
|
|
135
|
+
code: "auth",
|
|
136
|
+
message: "OS keychain could not be read",
|
|
137
|
+
cause: error,
|
|
138
|
+
}),
|
|
139
|
+
}).pipe(Effect.flatMap((content) => {
|
|
140
|
+
if (content === null)
|
|
141
|
+
return Effect.succeed(Option.none());
|
|
142
|
+
return decodeCredentialFileFromJsonString(content).pipe(Effect.map((file) => Option.some(file)), Effect.mapError((error) => makeAppError({
|
|
143
|
+
code: "auth",
|
|
144
|
+
message: "Failed to parse OS keychain credentials",
|
|
145
|
+
cause: error,
|
|
146
|
+
})));
|
|
147
|
+
}));
|
|
148
|
+
const writeKeychainCredentialFile = (registryUrl, data) => Effect.gen(function* () {
|
|
149
|
+
const encoded = yield* Schema.encodeEffect(CredentialFileSchema)(data).pipe(Effect.mapError((error) => makeAppError({
|
|
150
|
+
code: "auth",
|
|
151
|
+
message: "Failed to encode credential file",
|
|
152
|
+
cause: error,
|
|
153
|
+
})));
|
|
154
|
+
const content = JSON.stringify(encoded);
|
|
155
|
+
yield* Effect.try({
|
|
156
|
+
try: () => {
|
|
157
|
+
const entry = new Entry(KEYCHAIN_SERVICE, keychainAccount(registryUrl));
|
|
158
|
+
entry.setPassword(content);
|
|
159
|
+
},
|
|
160
|
+
catch: (error) => makeAppError({
|
|
161
|
+
code: "auth",
|
|
162
|
+
message: "OS keychain could not be written",
|
|
163
|
+
cause: error,
|
|
164
|
+
}),
|
|
165
|
+
});
|
|
166
|
+
});
|
|
167
|
+
const deleteKeychainCredentialFile = (registryUrl) => Effect.try({
|
|
168
|
+
try: () => {
|
|
169
|
+
const entry = new Entry(KEYCHAIN_SERVICE, keychainAccount(registryUrl));
|
|
170
|
+
entry.deletePassword();
|
|
171
|
+
},
|
|
172
|
+
catch: (error) => makeAppError({
|
|
173
|
+
code: "auth",
|
|
174
|
+
message: "OS keychain credential could not be deleted",
|
|
175
|
+
cause: error,
|
|
176
|
+
}),
|
|
177
|
+
}).pipe(Effect.catch(() => Effect.void));
|
|
102
178
|
export const detectEnvironment = Effect.gen(function* () {
|
|
103
179
|
return {
|
|
104
180
|
isSSH: yield* isSSH,
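Review bot: `writeKeychainCredentialFile` stores the whole JSON-encoded credential file as a single keychain secret, and nothing here bounds its size. Some keychain backends cap the size of a secret (Windows Credential Manager is the usual one to hit, at roughly 2.5 KB as far as I know), so an access token plus refresh token could make `entry.setPassword(content)` throw there. Because `saveCredentialFile` catches that and writes the restricted file instead, the visible effect would be a silent downgrade logged as "OS keychain unavailable". I would document this on the function, e.g. `// Payload is the full CredentialFile JSON; backends that reject large secrets make saveCredentialFile fall back to the restricted file.`, and use a distinct log message for write failures. `detectEnvironment` continues outside this hunk.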
|
|
@@ -111,10 +187,11 @@ export const detectEnvironment = Effect.gen(function* () {
|
|
|
111
187
|
/**
|
|
112
188
|
* Select storage tier based on detected environment.
|
|
113
189
|
*
|
|
114
|
-
*
|
|
115
|
-
*
|
|
190
|
+
* Use OS keychain by default, falling back to the restricted file backend when
|
|
191
|
+
* keychain access is unavailable. Whether persistence is allowed is a separate
|
|
192
|
+
* policy decision.
|
|
116
193
|
*/
|
|
117
|
-
export const selectTier = (
|
|
194
|
+
export const selectTier = (env) => env.isContainer || env.isCI || env.isSSH ? "restricted-file" : "keychain";
|
|
118
195
|
export const canUsePersistedCredentials = (env) => !env.isContainer && !env.isCI;
|
|
119
196
|
export const makePersistedCredentialsUnsupportedError = () => errAuthTokenRequired();
|
|
120
197
|
// -----------------------------------------------------------------------------
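Review bot: The doc comment on `selectTier` (new lines 190–192) describes a fallback "when keychain access is unavailable", but the function only inspects environment flags and never probes the keychain. I would name the conditions in the comment, e.g. `* Returns "restricted-file" in containers, CI and SSH sessions, and "keychain" otherwise.`, and say that the fallback on keychain errors happens in `loadCredentialFile` / `saveCredentialFile`, not here. It is also worth recording that SSH is the one environment where `canUsePersistedCredentials` still allows persistence while this function picks the file tier, so that is where secrets are written to disk on purpose.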
|
|
@@ -130,6 +207,14 @@ export const CredentialStoreLive = Layer.effect(CredentialStore, Effect.gen(func
|
|
|
130
207
|
const env = yield* detectEnvironment;
|
|
131
208
|
const storageTier = selectTier(env);
|
|
132
209
|
const persistedCredentialsAllowed = canUsePersistedCredentials(env);
|
|
210
|
+
const readStoredFile = () => withCredentialFileLock(fs, path, homeDir, readCredentialFile(fs, path, homeDir));
|
|
211
|
+
const writeStoredFile = (data) => withCredentialFileLock(fs, path, homeDir, writeCredentialFile(fs, path, homeDir, data));
|
|
212
|
+
const loadCredentialFile = (registryUrl) => storageTier === "keychain"
|
|
213
|
+
? readKeychainCredentialFile(registryUrl).pipe(Effect.catch(() => Effect.logWarning("OS keychain unavailable; using restricted credential file.").pipe(Effect.flatMap(() => readStoredFile()))))
|
|
214
|
+
: readStoredFile();
|
|
215
|
+
const saveCredentialFile = (registryUrl, data) => storageTier === "keychain"
|
|
216
|
+
? writeKeychainCredentialFile(registryUrl, data).pipe(Effect.catch(() => Effect.logWarning("OS keychain unavailable; using restricted credential file.").pipe(Effect.flatMap(() => writeStoredFile(data)))))
|
|
217
|
+
: writeStoredFile(data);
|
|
133
218
|
const save = Effect.fn("CredentialStore.save")(function* (registryUrl, handle, credentials) {
|
|
134
219
|
if (!persistedCredentialsAllowed) {
|
|
135
220
|
return yield* makePersistedCredentialsUnsupportedError();
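Review bot: The `Effect.catch(() => …)` in `loadCredentialFile` and `saveCredentialFile` (new lines 213 and 216) treats every keychain failure as "unavailable", including the parse and encode errors the keychain helpers raise, and discards the error. A corrupt keychain entry therefore moves credentials back to the on-disk file with a warning that points at the wrong problem. I would log the app error's own message, assuming the value built by `makeAppError` exposes one: `Effect.catch((error) => Effect.logWarning(`OS keychain unavailable (${error.message}); using restricted credential file.`)…)`. Do not log its `cause`, which for a schema failure may echo the stored value. The enclosing `CredentialStoreLive` generator starts and ends outside this hunk.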
|
|
@@ -137,7 +222,7 @@ export const CredentialStoreLive = Layer.effect(CredentialStore, Effect.gen(func
|
|
|
137
222
|
if (env.isRoot) {
|
|
138
223
|
yield* Effect.logWarning("Running as root. Credentials will be owned by root.");
|
|
139
224
|
}
|
|
140
|
-
const existing = yield*
|
|
225
|
+
const existing = yield* loadCredentialFile(registryUrl);
|
|
141
226
|
const file = Option.getOrElse(existing, () => emptyCredentialFile);
|
|
142
227
|
const registryEntry = file.registries[registryUrl] ?? { accounts: {} };
|
|
143
228
|
const updatedAccounts = {};
|
|
@@ -159,10 +244,28 @@ export const CredentialStoreLive = Layer.effect(CredentialStore, Effect.gen(func
|
|
|
159
244
|
[registryUrl]: { accounts: updatedAccounts },
|
|
160
245
|
},
|
|
161
246
|
};
|
|
162
|
-
yield*
|
|
247
|
+
yield* saveCredentialFile(registryUrl, updated);
|
|
248
|
+
if (storageTier === "keychain") {
|
|
249
|
+
yield* deleteCredentialFile(fs, path, homeDir);
|
|
250
|
+
}
|
|
163
251
|
});
|
|
164
252
|
const load = Effect.fn("CredentialStore.load")(function* (registryUrl) {
|
|
165
|
-
const existing = yield*
|
|
253
|
+
const existing = yield* loadCredentialFile(registryUrl);
|
|
254
|
+
if (storageTier === "keychain") {
|
|
255
|
+
const legacy = yield* readStoredFile();
|
|
256
|
+
const legacyRegistry = Option.isSome(legacy)
|
|
257
|
+
? legacy.value.registries[registryUrl]
|
|
258
|
+
: undefined;
|
|
259
|
+
if (Option.isNone(existing) && legacyRegistry !== undefined) {
|
|
260
|
+
const migrated = {
|
|
261
|
+
version: 1,
|
|
262
|
+
registries: { [registryUrl]: legacyRegistry },
|
|
263
|
+
};
|
|
264
|
+
yield* writeKeychainCredentialFile(registryUrl, migrated).pipe(Effect.catch(() => Effect.void));
|
|
265
|
+
yield* deleteCredentialFile(fs, path, homeDir);
|
|
266
|
+
return yield* load(registryUrl);
|
|
267
|
+
}
|
|
268
|
+
}
|
|
166
269
|
if (Option.isNone(existing))
|
|
167
270
|
return Option.none();
|
|
168
271
|
const registry = existing.value.registries[registryUrl];
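Review bot: In `load`, the migration at new lines 264–265 swallows a failed keychain write and then deletes the legacy file anyway, so a keychain that can be read but not written loses the only copy of the credentials. `save` has the same shape at new lines 247–250: `saveCredentialFile` may already have fallen back to the restricted file, which the keychain-tier branch then removes. The deletion should run only once the keychain write is known to have succeeded, as sketched below for `load`. `deleteCredentialFile` also appears to remove the whole file while a keychain entry holds a single registry, so other registries that were never migrated would go with it; its definition is outside this view. Both functions continue outside the hunk.

```javascript
if (Option.isNone(existing) && legacyRegistry !== undefined) {
    // … unchanged: build `migrated` …
    const stored = yield* writeKeychainCredentialFile(registryUrl, migrated).pipe(
        Effect.as(true),
        Effect.catch(() => Effect.succeed(false)));
    if (stored) {
        // Remove the on-disk copy only after the keychain holds it.
        yield* deleteCredentialFile(fs, path, homeDir);
        return yield* load(registryUrl);
    }
    // Keychain write failed: the legacy file stays as the only copy.
}
```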
|
|
@@ -181,7 +284,10 @@ export const CredentialStoreLive = Layer.effect(CredentialStore, Effect.gen(func
|
|
|
181
284
|
return Option.none();
|
|
182
285
|
});
|
|
183
286
|
const clear = Effect.fn("CredentialStore.clear")(function* (registryUrl) {
|
|
184
|
-
|
|
287
|
+
if (storageTier === "keychain") {
|
|
288
|
+
yield* deleteKeychainCredentialFile(registryUrl);
|
|
289
|
+
}
|
|
290
|
+
const existing = yield* readStoredFile();
|
|
185
291
|
if (Option.isNone(existing))
|
|
186
292
|
return;
|
|
187
293
|
const { [registryUrl]: _, ...remainingRegistries } = existing.value.registries;
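Review bot: `clear` can report success while the secret is still in the keychain, because `deleteKeychainCredentialFile` (called at new line 288, defined earlier in this file section) ends in `Effect.catch(() => Effect.void)` and so hides every deletion failure. If the intent is only to tolerate a missing entry, that case should be told apart and other failures surfaced, at minimum with a warning: `Effect.catch(() => Effect.logWarning("OS keychain credential could not be deleted; it may still be present."))`. The body of `clear` continues outside the hunk.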
|
|
@@ -189,7 +295,7 @@ export const CredentialStoreLive = Layer.effect(CredentialStore, Effect.gen(func
|
|
|
189
295
|
...existing.value,
|
|
190
296
|
registries: remainingRegistries,
|
|
191
297
|
};
|
|
192
|
-
yield*
|
|
298
|
+
yield* writeStoredFile(updated);
|
|
193
299
|
});
|
|
194
300
|
return {
|
|
195
301
|
tier: storageTier,
|