@aiam/ciba 0.8.8 → 0.9.0

package/ciba.mjs

@@ -650,51 +650,42 @@ const loginCmd = defineCommand({
 });
 
 const tokenCmd = defineCommand({
-  meta: { description: 'Return token from running session (cache-first)' },
+  meta: { description: 'Return token (cache-first, no daemon needed)' },
   args: {
-    resource:     { type: 'string', description: 'Resource URN (default: urn:sap:destination:WEBAGENTS_BACKEND)' },
-    destination:  { type: 'string', description: 'Destination name (alternative to full resource URN)' },
-    'grant-type': { type: 'string', description: 'Override grant_type (inferred from resource URN if omitted)' },
+    resource: { type: 'string', description: 'Resource URN (default: urn:sap:destination:WEBAGENTS_BACKEND)' },
     ...outputArgs,
   },
   async run({ args }) {
-    const attrs = {
-      ...(args.resource      ? { resource:    args.resource }      : {}),
-      ...(args.destination   ? { destination: args.destination }   : {}),
-      ...(args['grant-type'] ? { grant_type:  args['grant-type'] } : {}),
-    };
-    try {
-      const token = await socketCommand('token', attrs);
-      makeOutput(args).print(token);
-      process.exit(0);
-    } catch (e) {
-      process.stderr.write(`Error: ${e.message}\n`);
-      process.exit(1);
-    }
+    const tokenScript = join(_pkgDir, "token.mjs");
+    const argv = [tokenScript];
+    if (args.resource) argv.push('--resource', args.resource);
+    if (args.json) argv.push('--json');
+    if (args.env) argv.push('--env');
+    const cfg = loadConfig();
+    if (cfg.url) argv.push('--url', cfg.url);
+    const child = spawn(process.execPath, argv, { stdio: 'inherit' });
+    child.on('exit', (code) => process.exit(code ?? 0));
   },
 });
 
 const refreshCmd = defineCommand({
   meta: { description: 'Force a fresh token exchange (no re-approval needed)' },
   args: {
-    resource:     { type: 'string', description: 'Resource URN to refresh (default: WEBAGENTS_BACKEND destination)' },
-    destination:  { type: 'string', description: 'Destination name (alternative to full resource URN)' },
-    'grant-type': { type: 'string', description: 'Override grant_type (inferred from resource URN if omitted)' },
+    resource: { type: 'string', description: 'Resource URN to refresh (default: WEBAGENTS_BACKEND destination)' },
     ...outputArgs,
   },
   async run({ args }) {
-    const attrs = {
-      ...(args.resource      ? { resource:    args.resource }      : {}),
-      ...(args.destination   ? { destination: args.destination }   : {}),
-      ...(args['grant-type'] ? { grant_type:  args['grant-type'] } : {}),
-    };
-    try {
-      await socketCommand('refresh', attrs);
-      process.exit(0);
-    } catch (e) {
-      process.stderr.write(`Error: ${e.message}\n`);
-      process.exit(1);
-    }
+    // refresh writes to device-doc requests and returns immediately.
+    // token.mjs will pick up the new token when it arrives.
+    const tokenScript = join(_pkgDir, "token.mjs");
+    const argv = [tokenScript, '--refresh'];
+    if (args.resource) argv.push('--resource', args.resource);
+    if (args.json) argv.push('--json');
+    if (args.env) argv.push('--env');
+    const cfg = loadConfig();
+    if (cfg.url) argv.push('--url', cfg.url);
+    const child = spawn(process.execPath, argv, { stdio: 'inherit' });
+    child.on('exit', (code) => process.exit(code ?? 0));
   },
 });
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aiam/ciba",
-  "version": "0.8.8",
+  "version": "0.9.0",
   "description": "OAuth 2.0 Device Authorization Grant CLI with cross-device push approval (Yjs sync, ECDH-encrypted token delivery, persistent device id)",
   "type": "module",
   "bin": {
@@ -8,6 +8,7 @@
   },
   "files": [
     "ciba.mjs",
+    "token.mjs",
     "keychain.mjs",
     "README.md"
   ],

package/token.mjs

@@ -0,0 +1,219 @@
+#!/usr/bin/env node
+/**
+ * token.mjs — Standalone token fetcher.
+ *
+ * Connects directly to the device doc via Yjs/Hocuspocus WS,
+ * checks resources map, writes a request if needed, waits for
+ * the token to land, decrypts and prints to stdout.
+ *
+ * Usage: node token.mjs [--resource <urn>] [--url <server>] [--json] [--env]
+ *
+ * Logs to stderr, token to stdout.
+ */
+import { createECDH, createHash, createDecipheriv, createSign, createPrivateKey, randomBytes } from 'node:crypto';
+import { existsSync, readFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { HocuspocusProvider } from '@hocuspocus/provider';
+import * as Y from 'yjs';
+import { WebSocket } from 'ws';
+
+const CURVE = 'prime256v1';
+const CONFIG_DIR = join(homedir(), '.config', 'ciba');
+const KEYS_FILE = join(CONFIG_DIR, 'keys.json');
+const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
+const DEFAULT_SERVER = 'https://mtls-device.dev-eu12.build.cloud.sap';
+
+// ─── Args ────────────────────────────────────────────────────────────────────
+
+const args = process.argv.slice(2);
+const get = (flag) => { const i = args.indexOf(flag); return i !== -1 ? args[i + 1] : undefined; };
+const has = (flag) => args.includes(flag);
+
+const resource = get('--resource') ?? `urn:sap:destination:${process.env.CIBA_DEFAULT_DESTINATION || 'WEBAGENTS_BACKEND'}`;
+const jsonOut  = has('--json');
+const envOut   = has('--env');
+const isRefresh = has('--refresh');
+
+// ─── Config ───────────────────────────────────────────────────────────────────
+
+function loadConfig() {
+  try { if (existsSync(CONFIG_FILE)) return JSON.parse(readFileSync(CONFIG_FILE, 'utf8')); } catch {}
+  return {};
+}
+
+const cfg = loadConfig();
+const serverUrl = get('--url') || process.env.CIBA_URL || cfg.url || DEFAULT_SERVER;
+
+// ─── Keys ─────────────────────────────────────────────────────────────────────
+
+function loadKeys() {
+  try {
+    if (existsSync(KEYS_FILE)) {
+      const k = JSON.parse(readFileSync(KEYS_FILE, 'utf8'));
+      if (k.privateKey && k.publicKey) return k;
+    }
+  } catch {}
+  return null;
+}
+
+const keys = loadKeys();
+if (!keys) {
+  process.stderr.write('No device keys found. Run: ciba login --persist\n');
+  process.exit(1);
+}
+const { privateKey, publicKey } = keys;
+
+// ─── Device JWT ──────────────────────────────────────────────────────────────
+
+function signDeviceJwt(privBase64, pubBase64) {
+  const pubBuf = Buffer.from(pubBase64, 'base64');
+  const privBuf = Buffer.from(privBase64, 'base64');
+  const deviceId = createHash('sha256').update(pubBuf).digest('base64url');
+  const x = pubBuf.subarray(1, 33).toString('base64url');
+  const y = pubBuf.subarray(33, 65).toString('base64url');
+  const d = privBuf.toString('base64url');
+  const keyObject = createPrivateKey({ key: { kty: 'EC', crv: 'P-256', x, y, d }, format: 'jwk' });
+  const header = { alg: 'ES256', typ: 'JWT', jwk: { kty: 'EC', crv: 'P-256', x, y } };
+  const payload = { sub: deviceId, iat: Math.floor(Date.now() / 1000), exp: Math.floor(Date.now() / 1000) + 86400 };
+  const h = Buffer.from(JSON.stringify(header)).toString('base64url');
+  const p = Buffer.from(JSON.stringify(payload)).toString('base64url');
+  const sig = createSign('SHA256').update(`${h}.${p}`).sign({ key: keyObject, dsaEncoding: 'ieee-p1363' }, 'base64url');
+  return { jwt: `${h}.${p}.${sig}`, deviceId };
+}
+
+// ─── Decrypt ─────────────────────────────────────────────────────────────────
+
+function decrypt(map) {
+  const ciphertext = map.get('ciphertext');
+  const serverPublicKey = map.get('serverPublicKey');
+  if (!ciphertext || !serverPublicKey) return null;
+  const serverPub = Buffer.from(serverPublicKey, 'base64');
+  const ecdh = createECDH(CURVE);
+  ecdh.setPrivateKey(Buffer.from(privateKey, 'base64'));
+  const shared = ecdh.computeSecret(serverPub);
+  const aesKey = createHash('sha256').update(shared).digest();
+  const buf = Buffer.from(ciphertext, 'base64');
+  const iv = buf.subarray(0, 12);
+  const tag = buf.subarray(12, 28);
+  const data = buf.subarray(28);
+  const dec = createDecipheriv('aes-256-gcm', aesKey, iv);
+  dec.setAuthTag(tag);
+  const plain = Buffer.concat([dec.update(data), dec.final()]).toString('utf8');
+  try { return JSON.parse(plain).access_token ?? plain; } catch { return plain; }
+}
+
+// ─── tryGet ───────────────────────────────────────────────────────────────────
+
+function tryGet(resourcesMap, deviceDoc, res) {
+  const key = res ? resourcesMap.get(res) : [...resourcesMap.values()][0];
+  if (!key) return null;
+  const map = deviceDoc.getMap(key);
+  const expiresAt = map.get('expires_at');
+  if (expiresAt && expiresAt < Date.now()) {
+    log(`  token for ${res ?? 'default'} found but expired`);
+    return null;
+  }
+  if (!map.get('ciphertext')) return null;
+  return map;
+}
+
+// ─── Output ───────────────────────────────────────────────────────────────────
+
+function log(msg) { process.stderr.write(msg + '\n'); }
+
+function output(token) {
+  if (jsonOut) {
+    process.stdout.write(JSON.stringify({ access_token: token, token_type: 'Bearer' }, null, 2) + '\n');
+  } else if (envOut) {
+    process.stdout.write(`export ACCESS_TOKEN="${token}"\n`);
+  } else {
+    process.stdout.write(token + '\n');
+  }
+}
+
+// ─── Main ─────────────────────────────────────────────────────────────────────
+
+const { jwt: deviceJwt, deviceId } = signDeviceJwt(privateKey, publicKey);
+log(`→ device:   ${deviceId}`);
+log(`→ server:   ${serverUrl}`);
+log(`→ resource: ${resource}`);
+log('');
+
+const cliUA = `ciba-cli/token (${process.platform} ${process.arch}; node ${process.version})`;
+class TaggedWebSocket extends WebSocket {
+  constructor(url, protocols) { super(url, protocols, { headers: { 'User-Agent': cliUA } }); }
+}
+
+const syncUrl = serverUrl.replace(/^http/, 'ws') + '/sync';
+const deviceDoc = new Y.Doc();
+const provider = new HocuspocusProvider({
+  url: syncUrl, name: deviceId, token: deviceJwt,
+  document: deviceDoc, WebSocketPolyfill: TaggedWebSocket,
+});
+
+log('→ connecting...');
+
+await new Promise((resolve, reject) => {
+  const t = setTimeout(() => reject(new Error('Timeout connecting')), 10000);
+  provider.on('synced', () => { clearTimeout(t); resolve(); });
+  provider.on('authenticationFailed', ({ reason }) => { clearTimeout(t); reject(new Error(reason)); });
+});
+
+log('→ synced');
+
+// Write public key
+const meta = deviceDoc.getMap('meta');
+if (meta.get('public_key') !== publicKey) meta.set('public_key', publicKey);
+
+const resourcesMap = deviceDoc.getMap('resources');
+log(`→ resources: ${JSON.stringify([...resourcesMap.entries()])}`);
+
+// Refresh mode: write request and exit immediately.
+if (isRefresh) {
+  const requests = deviceDoc.getMap('requests');
+  const newRid = randomBytes(8).toString('base64url');
+  log(`→ refresh — writing request ${newRid}`);
+  requests.set(newRid, { resource, status: 'pending', created_at: new Date().toISOString() });
+  provider.destroy();
+  process.exit(0);
+}
+
+// tryGet immediately
+const found = tryGet(resourcesMap, deviceDoc, resource);
+if (found) {
+  log('→ cache hit');
+  const token = decrypt(found);
+  provider.destroy();
+  output(token);
+  process.exit(0);
+}
+
+// Cache miss — write request
+const requests = deviceDoc.getMap('requests');
+const newRid = randomBytes(8).toString('base64url');
+log(`→ cache miss — writing request ${newRid}`);
+requests.set(newRid, { resource, status: 'pending', created_at: new Date().toISOString() });
+
+// Wait for resources to update
+log('→ waiting for token...');
+const token = await new Promise((resolve, reject) => {
+  const timer = setTimeout(() => {
+    resourcesMap.unobserve(observer);
+    reject(new Error('Timeout waiting for token'));
+  }, 30_000);
+
+  const observer = () => {
+    log(`→ resources updated: ${JSON.stringify([...resourcesMap.entries()])}`);
+    const found = tryGet(resourcesMap, deviceDoc, resource);
+    if (found) {
+      clearTimeout(timer);
+      resourcesMap.unobserve(observer);
+      resolve(decrypt(found));
+    }
+  };
+  resourcesMap.observe(observer);
+});
+
+provider.destroy();
+output(token);