npm - @aiam/ciba - Versions diffs - 0.8.7 → 0.8.9 - Mend

@aiam/ciba 0.8.7 → 0.8.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/ciba.mjs CHANGED Viewed

@@ -438,83 +438,71 @@ function startDaemon(provider, deviceDoc, privateKey, serverUrl) {
           dlog(`${req.command} cmd attrs=${JSON.stringify(req.attrs)}`);
           const requests = deviceDoc.getMap('requests');
           const resourcesMap = deviceDoc.getMap('resources');
-          // Pass attrs straight through — server resolves grant_type from resource URN.
-          const attrs = { ...(req.attrs || {}) };
           const defaultResource = `urn:sap:destination:${process.env.CIBA_DEFAULT_DESTINATION || 'WEBAGENTS_BACKEND'}`;
+          const attrs = { ...(req.attrs || {}) };
           const requestedResource = attrs.resource ?? defaultResource;
-          const decryptFromTokenMap = (tokenMap) => {
-            const ciphertext = tokenMap.get('ciphertext');
-            const serverPublicKey = tokenMap.get('serverPublicKey');
-            if (!ciphertext || !serverPublicKey) return null;
-            const plain = ecdhDecrypt(ciphertext, serverPublicKey, privateKey);
-            try { const parsed = JSON.parse(plain); return parsed.access_token ?? plain; }
+          // Pure: check resources map right now, return token map or null.
+          function tryGet(resource) {
+            const key = resource
+              ? resourcesMap.get(resource)
+              : [...resourcesMap.values()][0];
+            if (!key) return null;
+            const map = deviceDoc.getMap(key);
+            const expiresAt = map.get('expires_at');
+            if (expiresAt && expiresAt < Date.now()) return null; // expired
+            if (!map.get('ciphertext')) return null;
+            return map;
+          }
+          // Pure: decrypt token map → access_token string.
+          function decrypt(map) {
+            const plain = ecdhDecrypt(map.get('ciphertext'), map.get('serverPublicKey'), privateKey);
+            try { return JSON.parse(plain).access_token ?? plain; }
             catch { return plain; }
-          };
+          }
           if (req.command === 'refresh') {
-            // Fire-and-forget — just set default resource if none given.
+            // Fire-and-forget — write request, server exchanges async.
             if (!attrs.resource) attrs.resource = defaultResource;
             const newRid = randomBytes(8).toString('base64url');
-            dlog(`refresh; writing requests[${newRid}] attrs=${JSON.stringify(attrs)}`);
+            dlog(`refresh; writing requests[${newRid}] resource=${attrs.resource}`);
             requests.set(newRid, { ...attrs, status: 'pending', created_at: new Date().toISOString() });
             conn.end(JSON.stringify({ ok: true }));
             return;
           }
-          // token: cache-first, then wait for server response
-          const cachedName = resourcesMap.get(requestedResource);
-          if (cachedName) {
-            const cachedMap = deviceDoc.getMap(cachedName);
-            const exp = cachedMap.get('exp');
-            const now = Math.floor(Date.now() / 1000);
-            // Return cached token if: no exp set (server manages expiry),
-            // or exp is still valid. Only skip if we know it's expired.
-            const isExpired = exp && exp < now + 60;
-            if (!isExpired) {
-              const token = decryptFromTokenMap(cachedMap);
-              if (token) { conn.end(JSON.stringify({ token })); return; }
-            }
-          }
+          // token: observe resources map, resolve when token arrives.
+          const waitForResource = (resource) => new Promise((resolve, reject) => {
+            const found = tryGet(resource);
+            if (found) return resolve(found);
-          const prevTokenMapName = resourcesMap.get(requestedResource);
-          const newRid = randomBytes(8).toString('base64url');
-          dlog(`cache miss; writing requests[${newRid}] attrs=${JSON.stringify(attrs)} resources=${JSON.stringify([...resourcesMap.entries()])}`);
-          requests.set(newRid, { ...attrs, status: 'pending', created_at: new Date().toISOString() });
-          // Immediate re-check: token may have landed between cache check and now.
-          const postWriteName = resourcesMap.get(requestedResource);
-          if (postWriteName && postWriteName !== prevTokenMapName) {
-            const m = deviceDoc.getMap(postWriteName);
-            const token = decryptFromTokenMap(m);
-            if (token) { conn.end(JSON.stringify({ token })); return; }
-          }
-          const newTokenMap = deviceDoc.getMap(`token:${newRid}`);
-          const viaRid = firstInYMap(newTokenMap, (key) => key === 'ciphertext' || key === 'error', 30_000)
-            .then(() => newTokenMap);
-          const viaResources = firstInYMap(
-            resourcesMap,
-            (key, val) => key === requestedResource && val && val !== prevTokenMapName,
-            30_000
-          ).then((newMapName) => {
-            const m = deviceDoc.getMap(newMapName);
-            return firstInYMap(m, (key) => key === 'ciphertext' || key === 'error', 5_000)
-              .then(() => m).catch(() => m);
+            // Cache miss — write request to trigger server exchange.
+            const newRid = randomBytes(8).toString('base64url');
+            dlog(`cache miss; writing requests[${newRid}] resource=${resource}`);
+            requests.set(newRid, { ...attrs, resource, status: 'pending', created_at: new Date().toISOString() });
+            const timer = setTimeout(() => {
+              resourcesMap.unobserve(observer);
+              reject(new Error('Timeout waiting for token'));
+            }, 30_000);
+            const observer = () => {
+              const found = tryGet(resource);
+              if (found) {
+                clearTimeout(timer);
+                resourcesMap.unobserve(observer);
+                resolve(found);
+              }
+            };
+            resourcesMap.observe(observer);
           });
-          Promise.race([
-            viaRid.then((map) => ({ src: 'rid', map })),
-            viaResources.then((map) => ({ src: 'resources', map })),
-          ])
-            .then(({ src, map }) => {
-              dlog(`token resolved via ${src} for ${requestedResource}`);
-              const err = map.get('error');
-              if (err) { conn.end(JSON.stringify({ error: err })); return; }
-              try { conn.end(JSON.stringify({ token: decryptFromTokenMap(map) })); }
-              catch (e) { conn.end(JSON.stringify({ error: `decrypt failed: ${e.message}` })); }
+          waitForResource(requestedResource)
+            .then((map) => {
+              dlog(`token resolved for ${requestedResource}`);
+              const access_token = decrypt(map);
+              conn.end(JSON.stringify({ token: access_token }));
             })
             .catch((e) => conn.end(JSON.stringify({ error: e.message || 'Timeout waiting for token' })));
@@ -662,51 +650,42 @@ const loginCmd = defineCommand({
 });
 const tokenCmd = defineCommand({
-  meta: { description: 'Return token from running session (cache-first)' },
+  meta: { description: 'Return token (cache-first, no daemon needed)' },
   args: {
-    resource:     { type: 'string', description: 'Resource URN (default: urn:sap:destination:WEBAGENTS_BACKEND)' },
-    destination:  { type: 'string', description: 'Destination name (alternative to full resource URN)' },
-    'grant-type': { type: 'string', description: 'Override grant_type (inferred from resource URN if omitted)' },
+    resource: { type: 'string', description: 'Resource URN (default: urn:sap:destination:WEBAGENTS_BACKEND)' },
     ...outputArgs,
   },
   async run({ args }) {
-    const attrs = {
-      ...(args.resource      ? { resource:    args.resource }      : {}),
-      ...(args.destination   ? { destination: args.destination }   : {}),
-      ...(args['grant-type'] ? { grant_type:  args['grant-type'] } : {}),
-    };
-    try {
-      const token = await socketCommand('token', attrs);
-      makeOutput(args).print(token);
-      process.exit(0);
-    } catch (e) {
-      process.stderr.write(`Error: ${e.message}\n`);
-      process.exit(1);
-    }
+    const tokenScript = join(_dirname(_fileURLToPath(import.meta.url)), 'token.mjs');
+    const argv = [tokenScript];
+    if (args.resource) argv.push('--resource', args.resource);
+    if (args.json) argv.push('--json');
+    if (args.env) argv.push('--env');
+    const cfg = loadConfig();
+    if (cfg.url) argv.push('--url', cfg.url);
+    const child = spawn(process.execPath, argv, { stdio: 'inherit' });
+    child.on('exit', (code) => process.exit(code ?? 0));
   },
 });
 const refreshCmd = defineCommand({
   meta: { description: 'Force a fresh token exchange (no re-approval needed)' },
   args: {
-    resource:     { type: 'string', description: 'Resource URN to refresh (default: WEBAGENTS_BACKEND destination)' },
-    destination:  { type: 'string', description: 'Destination name (alternative to full resource URN)' },
-    'grant-type': { type: 'string', description: 'Override grant_type (inferred from resource URN if omitted)' },
+    resource: { type: 'string', description: 'Resource URN to refresh (default: WEBAGENTS_BACKEND destination)' },
     ...outputArgs,
   },
   async run({ args }) {
-    const attrs = {
-      ...(args.resource      ? { resource:    args.resource }      : {}),
-      ...(args.destination   ? { destination: args.destination }   : {}),
-      ...(args['grant-type'] ? { grant_type:  args['grant-type'] } : {}),
-    };
-    try {
-      await socketCommand('refresh', attrs);
-      process.exit(0);
-    } catch (e) {
-      process.stderr.write(`Error: ${e.message}\n`);
-      process.exit(1);
-    }
+    // refresh writes to device-doc requests and returns immediately.
+    // token.mjs will pick up the new token when it arrives.
+    const tokenScript = join(_dirname(_fileURLToPath(import.meta.url)), 'token.mjs');
+    const argv = [tokenScript, '--refresh'];
+    if (args.resource) argv.push('--resource', args.resource);
+    if (args.json) argv.push('--json');
+    if (args.env) argv.push('--env');
+    const cfg = loadConfig();
+    if (cfg.url) argv.push('--url', cfg.url);
+    const child = spawn(process.execPath, argv, { stdio: 'inherit' });
+    child.on('exit', (code) => process.exit(code ?? 0));
   },
 });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aiam/ciba",
-  "version": "0.8.7",
+  "version": "0.8.9",
   "description": "OAuth 2.0 Device Authorization Grant CLI with cross-device push approval (Yjs sync, ECDH-encrypted token delivery, persistent device id)",
   "type": "module",
   "bin": {
@@ -8,6 +8,7 @@
   },
   "files": [
     "ciba.mjs",
+    "token.mjs",
     "keychain.mjs",
     "README.md"
   ],

package/token.mjs ADDED Viewed

@@ -0,0 +1,219 @@
+#!/usr/bin/env node
+/**
+ * token.mjs — Standalone token fetcher.
+ *
+ * Connects directly to the device doc via Yjs/Hocuspocus WS,
+ * checks resources map, writes a request if needed, waits for
+ * the token to land, decrypts and prints to stdout.
+ *
+ * Usage: node token.mjs [--resource <urn>] [--url <server>] [--json] [--env]
+ *
+ * Logs to stderr, token to stdout.
+ */
+import { createECDH, createHash, createDecipheriv, createSign, createPrivateKey, randomBytes } from 'node:crypto';
+import { existsSync, readFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { HocuspocusProvider } from '@hocuspocus/provider';
+import * as Y from 'yjs';
+import { WebSocket } from 'ws';
+const CURVE = 'prime256v1';
+const CONFIG_DIR = join(homedir(), '.config', 'ciba');
+const KEYS_FILE = join(CONFIG_DIR, 'keys.json');
+const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
+const DEFAULT_SERVER = 'https://mtls-device.dev-eu12.build.cloud.sap';
+// ─── Args ────────────────────────────────────────────────────────────────────
+const args = process.argv.slice(2);
+const get = (flag) => { const i = args.indexOf(flag); return i !== -1 ? args[i + 1] : undefined; };
+const has = (flag) => args.includes(flag);
+const resource = get('--resource') ?? `urn:sap:destination:${process.env.CIBA_DEFAULT_DESTINATION || 'WEBAGENTS_BACKEND'}`;
+const jsonOut  = has('--json');
+const envOut   = has('--env');
+const isRefresh = has('--refresh');
+// ─── Config ───────────────────────────────────────────────────────────────────
+function loadConfig() {
+  try { if (existsSync(CONFIG_FILE)) return JSON.parse(readFileSync(CONFIG_FILE, 'utf8')); } catch {}
+  return {};
+}
+const cfg = loadConfig();
+const serverUrl = get('--url') || process.env.CIBA_URL || cfg.url || DEFAULT_SERVER;
+// ─── Keys ─────────────────────────────────────────────────────────────────────
+function loadKeys() {
+  try {
+    if (existsSync(KEYS_FILE)) {
+      const k = JSON.parse(readFileSync(KEYS_FILE, 'utf8'));
+      if (k.privateKey && k.publicKey) return k;
+    }
+  } catch {}
+  return null;
+}
+const keys = loadKeys();
+if (!keys) {
+  process.stderr.write('No device keys found. Run: ciba login --persist\n');
+  process.exit(1);
+}
+const { privateKey, publicKey } = keys;
+// ─── Device JWT ──────────────────────────────────────────────────────────────
+function signDeviceJwt(privBase64, pubBase64) {
+  const pubBuf = Buffer.from(pubBase64, 'base64');
+  const privBuf = Buffer.from(privBase64, 'base64');
+  const deviceId = createHash('sha256').update(pubBuf).digest('base64url');
+  const x = pubBuf.subarray(1, 33).toString('base64url');
+  const y = pubBuf.subarray(33, 65).toString('base64url');
+  const d = privBuf.toString('base64url');
+  const keyObject = createPrivateKey({ key: { kty: 'EC', crv: 'P-256', x, y, d }, format: 'jwk' });
+  const header = { alg: 'ES256', typ: 'JWT', jwk: { kty: 'EC', crv: 'P-256', x, y } };
+  const payload = { sub: deviceId, iat: Math.floor(Date.now() / 1000), exp: Math.floor(Date.now() / 1000) + 86400 };
+  const h = Buffer.from(JSON.stringify(header)).toString('base64url');
+  const p = Buffer.from(JSON.stringify(payload)).toString('base64url');
+  const sig = createSign('SHA256').update(`${h}.${p}`).sign({ key: keyObject, dsaEncoding: 'ieee-p1363' }, 'base64url');
+  return { jwt: `${h}.${p}.${sig}`, deviceId };
+}
+// ─── Decrypt ─────────────────────────────────────────────────────────────────
+function decrypt(map) {
+  const ciphertext = map.get('ciphertext');
+  const serverPublicKey = map.get('serverPublicKey');
+  if (!ciphertext || !serverPublicKey) return null;
+  const serverPub = Buffer.from(serverPublicKey, 'base64');
+  const ecdh = createECDH(CURVE);
+  ecdh.setPrivateKey(Buffer.from(privateKey, 'base64'));
+  const shared = ecdh.computeSecret(serverPub);
+  const aesKey = createHash('sha256').update(shared).digest();
+  const buf = Buffer.from(ciphertext, 'base64');
+  const iv = buf.subarray(0, 12);
+  const tag = buf.subarray(12, 28);
+  const data = buf.subarray(28);
+  const dec = createDecipheriv('aes-256-gcm', aesKey, iv);
+  dec.setAuthTag(tag);
+  const plain = Buffer.concat([dec.update(data), dec.final()]).toString('utf8');
+  try { return JSON.parse(plain).access_token ?? plain; } catch { return plain; }
+}
+// ─── tryGet ───────────────────────────────────────────────────────────────────
+function tryGet(resourcesMap, deviceDoc, res) {
+  const key = res ? resourcesMap.get(res) : [...resourcesMap.values()][0];
+  if (!key) return null;
+  const map = deviceDoc.getMap(key);
+  const expiresAt = map.get('expires_at');
+  if (expiresAt && expiresAt < Date.now()) {
+    log(`  token for ${res ?? 'default'} found but expired`);
+    return null;
+  }
+  if (!map.get('ciphertext')) return null;
+  return map;
+}
+// ─── Output ───────────────────────────────────────────────────────────────────
+function log(msg) { process.stderr.write(msg + '\n'); }
+function output(token) {
+  if (jsonOut) {
+    process.stdout.write(JSON.stringify({ access_token: token, token_type: 'Bearer' }, null, 2) + '\n');
+  } else if (envOut) {
+    process.stdout.write(`export ACCESS_TOKEN="${token}"\n`);
+  } else {
+    process.stdout.write(token + '\n');
+  }
+}
+// ─── Main ─────────────────────────────────────────────────────────────────────
+const { jwt: deviceJwt, deviceId } = signDeviceJwt(privateKey, publicKey);
+log(`→ device:   ${deviceId}`);
+log(`→ server:   ${serverUrl}`);
+log(`→ resource: ${resource}`);
+log('');
+const cliUA = `ciba-cli/token (${process.platform} ${process.arch}; node ${process.version})`;
+class TaggedWebSocket extends WebSocket {
+  constructor(url, protocols) { super(url, protocols, { headers: { 'User-Agent': cliUA } }); }
+}
+const syncUrl = serverUrl.replace(/^http/, 'ws') + '/sync';
+const deviceDoc = new Y.Doc();
+const provider = new HocuspocusProvider({
+  url: syncUrl, name: deviceId, token: deviceJwt,
+  document: deviceDoc, WebSocketPolyfill: TaggedWebSocket,
+});
+log('→ connecting...');
+await new Promise((resolve, reject) => {
+  const t = setTimeout(() => reject(new Error('Timeout connecting')), 10000);
+  provider.on('synced', () => { clearTimeout(t); resolve(); });
+  provider.on('authenticationFailed', ({ reason }) => { clearTimeout(t); reject(new Error(reason)); });
+});
+log('→ synced');
+// Write public key
+const meta = deviceDoc.getMap('meta');
+if (meta.get('public_key') !== publicKey) meta.set('public_key', publicKey);
+const resourcesMap = deviceDoc.getMap('resources');
+log(`→ resources: ${JSON.stringify([...resourcesMap.entries()])}`);
+// Refresh mode: write request and exit immediately.
+if (isRefresh) {
+  const requests = deviceDoc.getMap('requests');
+  const newRid = randomBytes(8).toString('base64url');
+  log(`→ refresh — writing request ${newRid}`);
+  requests.set(newRid, { resource, status: 'pending', created_at: new Date().toISOString() });
+  provider.destroy();
+  process.exit(0);
+}
+// tryGet immediately
+const found = tryGet(resourcesMap, deviceDoc, resource);
+if (found) {
+  log('→ cache hit');
+  const token = decrypt(found);
+  provider.destroy();
+  output(token);
+  process.exit(0);
+}
+// Cache miss — write request
+const requests = deviceDoc.getMap('requests');
+const newRid = randomBytes(8).toString('base64url');
+log(`→ cache miss — writing request ${newRid}`);
+requests.set(newRid, { resource, status: 'pending', created_at: new Date().toISOString() });
+// Wait for resources to update
+log('→ waiting for token...');
+const token = await new Promise((resolve, reject) => {
+  const timer = setTimeout(() => {
+    resourcesMap.unobserve(observer);
+    reject(new Error('Timeout waiting for token'));
+  }, 30_000);
+  const observer = () => {
+    log(`→ resources updated: ${JSON.stringify([...resourcesMap.entries()])}`);
+    const found = tryGet(resourcesMap, deviceDoc, resource);
+    if (found) {
+      clearTimeout(timer);
+      resourcesMap.unobserve(observer);
+      resolve(decrypt(found));
+    }
+  };
+  resourcesMap.observe(observer);
+});
+provider.destroy();
+output(token);