@aifabrix/builder 2.21.0 → 2.22.0

package/lib/utils/app-register-auth.js

@@ -10,62 +10,126 @@
 
 const chalk = require('chalk');
 const logger = require('./logger');
-const { getConfig } = require('../config');
+const { getConfig, normalizeControllerUrl } = require('../config');
 const { getOrRefreshDeviceToken } = require('./token-manager');
+const { formatAuthenticationError } = require('./error-formatters/http-status-errors');
+
+/**
+ * Display authentication error and exit
+ * Uses the centralized error formatter for consistent error messages
+ * @param {Error|null} [error] - Optional error object
+ * @param {Object|string} [controllerUrlOrData] - Optional controller URL string or error data object
+ */
+function displayAuthenticationError(error = null, controllerUrlOrData = null) {
+  // Build error data object for the formatter
+  let errorData;
+  if (typeof controllerUrlOrData === 'object' && controllerUrlOrData !== null) {
+    // If it's an object, use it directly (may contain attemptedUrls, etc.)
+    errorData = {
+      message: error ? error.message : controllerUrlOrData.message,
+      controllerUrl: controllerUrlOrData.controllerUrl || undefined,
+      attemptedUrls: controllerUrlOrData.attemptedUrls || undefined,
+      correlationId: controllerUrlOrData.correlationId || undefined
+    };
+  } else {
+    // If it's a string or null, treat as controllerUrl
+    errorData = {
+      message: error ? error.message : undefined,
+      controllerUrl: controllerUrlOrData || undefined,
+      correlationId: undefined
+    };
+  }
+
+  // Use centralized formatter (it will include controller URL in the command)
+  const formattedError = formatAuthenticationError(errorData);
+  logger.error(formattedError);
+
+  process.exit(1);
+}
 
 /**
  * Check if user is authenticated and get token
  * @async
- * @param {string} [controllerUrl] - Optional controller URL from variables.yaml
+ * @param {string} [controllerUrl] - Optional controller URL from variables.yaml or --controller flag
  * @param {string} [environment] - Optional environment key
- * @returns {Promise<{apiUrl: string, token: string}>} Configuration with API URL and token
+ * @returns {Promise<{apiUrl: string, token: string, controllerUrl: string}>} Configuration with API URL, token, and controller URL
  */
 async function checkAuthentication(controllerUrl, environment) {
-  const config = await getConfig();
+  try {
+    const config = await getConfig();
 
-  // Try to get controller URL from parameter, config, or device tokens
-  let finalControllerUrl = controllerUrl;
-  let token = null;
+    // Try to get controller URL from parameter, config, or device tokens
+    // Handle empty string as falsy (treat same as undefined/null)
+    const normalizedControllerUrl = (controllerUrl && controllerUrl.trim()) ? normalizeControllerUrl(controllerUrl) : null;
+    let finalControllerUrl = normalizedControllerUrl;
+    let token = null;
+    let lastError = null;
+    const attemptedUrls = []; // Track all attempted URLs
 
-  // If controller URL provided, try to get device token
-  if (finalControllerUrl) {
-    const deviceToken = await getOrRefreshDeviceToken(finalControllerUrl);
-    if (deviceToken && deviceToken.token) {
-      token = deviceToken.token;
-      finalControllerUrl = deviceToken.controller;
+    // If controller URL provided, try to get device token
+    if (finalControllerUrl) {
+      attemptedUrls.push(finalControllerUrl);
+      try {
+        const deviceToken = await getOrRefreshDeviceToken(finalControllerUrl);
+        if (deviceToken && deviceToken.token) {
+          token = deviceToken.token;
+          finalControllerUrl = deviceToken.controller || finalControllerUrl;
+        }
+      } catch (error) {
+        lastError = error;
+        logger.warn(chalk.yellow(`⚠️  Failed to get token for controller ${finalControllerUrl}: ${error.message}`));
+      }
     }
-  }
 
-  // If no token yet, try to find any device token in config
-  if (!token && config.device) {
-    const deviceUrls = Object.keys(config.device);
-    if (deviceUrls.length > 0) {
-      // Use first available device token
-      finalControllerUrl = deviceUrls[0];
-      const deviceToken = await getOrRefreshDeviceToken(finalControllerUrl);
-      if (deviceToken && deviceToken.token) {
-        token = deviceToken.token;
-        finalControllerUrl = deviceToken.controller;
+    // If no token yet, try to find any device token in config
+    if (!token && config.device) {
+      const deviceUrls = Object.keys(config.device);
+      if (deviceUrls.length > 0) {
+        // Try each device token until we find a valid one
+        for (const storedUrl of deviceUrls) {
+          attemptedUrls.push(storedUrl);
+          try {
+            const normalizedStoredUrl = normalizeControllerUrl(storedUrl);
+            const deviceToken = await getOrRefreshDeviceToken(normalizedStoredUrl);
+            if (deviceToken && deviceToken.token) {
+              token = deviceToken.token;
+              finalControllerUrl = deviceToken.controller || normalizedStoredUrl;
+              break;
+            }
+          } catch (error) {
+            lastError = error;
+            // Continue to next URL
+          }
+        }
       }
     }
-  }
 
-  // If still no token, check for client token (requires environment and app)
-  if (!token && environment) {
-    // For app register, we don't have an app yet, so client tokens won't work
-    // This is expected - device tokens should be used for registration
-  }
+    // If still no token, check for client token (requires environment and app)
+    if (!token && environment) {
+      // For app register, we don't have an app yet, so client tokens won't work
+      // This is expected - device tokens should be used for registration
+    }
 
-  if (!token || !finalControllerUrl) {
-    logger.error(chalk.red('❌ Not logged in. Run: aifabrix login'));
-    logger.error(chalk.gray('   Use device code flow: aifabrix login --method device --controller <url>'));
-    process.exit(1);
-  }
+    // If no token found, display error with attempted URLs
+    if (!token || !finalControllerUrl) {
+      const errorData = {
+        message: lastError ? lastError.message : 'No valid authentication found',
+        controllerUrl: controllerUrl || (attemptedUrls.length > 0 ? attemptedUrls[0] : undefined),
+        attemptedUrls: attemptedUrls.length > 1 ? attemptedUrls : undefined,
+        correlationId: undefined
+      };
+      displayAuthenticationError(lastError, errorData);
+    }
 
-  return {
-    apiUrl: finalControllerUrl,
-    token: token
-  };
+    return {
+      apiUrl: finalControllerUrl,
+      token: token,
+      controllerUrl: finalControllerUrl // Return the actual URL used
+    };
+  } catch (error) {
+    // Handle any unexpected errors during authentication check
+    displayAuthenticationError(error, { controllerUrl: controllerUrl });
+  }
 }
 
 module.exports = { checkAuthentication };

package/lib/utils/config-paths.js

@@ -0,0 +1,112 @@
+/**
+ * AI Fabrix Builder - Configuration Path Utilities
+ *
+ * Helper functions for managing path configuration in config.yaml
+ *
+ * @fileoverview Path configuration utilities for config management
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+/**
+ * Get path configuration value
+ * @async
+ * @param {Function} getConfigFn - Function to get config
+ * @param {string} key - Configuration key
+ * @returns {Promise<string|null>} Path value or null
+ */
+async function getPathConfig(getConfigFn, key) {
+  const config = await getConfigFn();
+  return config[key] || null;
+}
+
+/**
+ * Set path configuration value
+ * @async
+ * @param {Function} getConfigFn - Function to get config
+ * @param {Function} saveConfigFn - Function to save config
+ * @param {string} key - Configuration key
+ * @param {string} value - Path value
+ * @param {string} errorMsg - Error message if validation fails
+ * @returns {Promise<void>}
+ */
+async function setPathConfig(getConfigFn, saveConfigFn, key, value, errorMsg) {
+  if (!value || typeof value !== 'string') {
+    throw new Error(errorMsg);
+  }
+  const config = await getConfigFn();
+  config[key] = value;
+  await saveConfigFn(config);
+}
+
+/**
+ * Create path configuration functions with config access
+ * @param {Function} getConfigFn - Function to get config
+ * @param {Function} saveConfigFn - Function to save config
+ * @returns {Object} Path configuration functions
+ */
+function createPathConfigFunctions(getConfigFn, saveConfigFn) {
+  return {
+    /**
+     * Get aifabrix-home override path
+     * @async
+     * @returns {Promise<string|null>} Home path or null
+     */
+    async getAifabrixHomeOverride() {
+      return getPathConfig(getConfigFn, 'aifabrix-home');
+    },
+
+    /**
+     * Set aifabrix-home override path
+     * @async
+     * @param {string} homePath - Home path
+     * @returns {Promise<void>}
+     */
+    async setAifabrixHomeOverride(homePath) {
+      await setPathConfig(getConfigFn, saveConfigFn, 'aifabrix-home', homePath, 'Home path is required and must be a string');
+    },
+
+    /**
+     * Get aifabrix-secrets path
+     * @async
+     * @returns {Promise<string|null>} Secrets path or null
+     */
+    async getAifabrixSecretsPath() {
+      return getPathConfig(getConfigFn, 'aifabrix-secrets');
+    },
+
+    /**
+     * Set aifabrix-secrets path
+     * @async
+     * @param {string} secretsPath - Secrets path
+     * @returns {Promise<void>}
+     */
+    async setAifabrixSecretsPath(secretsPath) {
+      await setPathConfig(getConfigFn, saveConfigFn, 'aifabrix-secrets', secretsPath, 'Secrets path is required and must be a string');
+    },
+
+    /**
+     * Get aifabrix-env-config path
+     * @async
+     * @returns {Promise<string|null>} Env config path or null
+     */
+    async getAifabrixEnvConfigPath() {
+      return getPathConfig(getConfigFn, 'aifabrix-env-config');
+    },
+
+    /**
+     * Set aifabrix-env-config path
+     * @async
+     * @param {string} envConfigPath - Env config path
+     * @returns {Promise<void>}
+     */
+    async setAifabrixEnvConfigPath(envConfigPath) {
+      await setPathConfig(getConfigFn, saveConfigFn, 'aifabrix-env-config', envConfigPath, 'Env config path is required and must be a string');
+    }
+  };
+}
+
+module.exports = {
+  createPathConfigFunctions
+};
+

package/lib/utils/config-tokens.js

@@ -0,0 +1,233 @@
+/**
+ * AI Fabrix Builder - Configuration Token Management
+ *
+ * Token management functions for device and client tokens in config.yaml
+ *
+ * @fileoverview Token management utilities for config
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+/**
+ * Normalize controller URL for consistent storage and lookup
+ * Removes trailing slashes and normalizes the URL format
+ * @param {string} url - Controller URL to normalize
+ * @returns {string} Normalized controller URL
+ */
+function normalizeControllerUrl(url) {
+  if (!url || typeof url !== 'string') {
+    return url;
+  }
+  // Remove trailing slashes
+  let normalized = url.trim().replace(/\/+$/, '');
+  // Ensure it starts with http:// or https://
+  if (!normalized.match(/^https?:\/\//)) {
+    // If it doesn't start with protocol, assume http://
+    normalized = `http://${normalized}`;
+  }
+  return normalized;
+}
+
+/**
+ * Create token management functions with config access
+ * @param {Function} getConfigFn - Function to get config
+ * @param {Function} saveConfigFn - Function to save config
+ * @param {Function} getSecretsEncryptionKeyFn - Function to get encryption key
+ * @param {Function} encryptTokenValueFn - Function to encrypt token
+ * @param {Function} decryptTokenValueFn - Function to decrypt token
+ * @param {Function} isTokenEncryptedFn - Function to check if token is encrypted
+ * @returns {Object} Token management functions
+ */
+function createTokenManagementFunctions(
+  getConfigFn,
+  saveConfigFn,
+  getSecretsEncryptionKeyFn,
+  encryptTokenValueFn,
+  decryptTokenValueFn,
+  isTokenEncryptedFn
+) {
+  /**
+   * Extract device token information with encryption/decryption handling
+   * @param {Object} deviceToken - Device token object from config
+   * @param {string} controllerUrl - Controller URL
+   * @returns {Promise<{controller: string, token: string, refreshToken: string, expiresAt: string}>} Device token info
+   */
+  async function extractDeviceTokenInfo(deviceToken, controllerUrl) {
+    // Migration: If tokens are plain text and encryption key exists, encrypt them first
+    const encryptionKey = await getSecretsEncryptionKeyFn();
+    if (encryptionKey) {
+      let needsSave = false;
+
+      if (deviceToken.token && !isTokenEncryptedFn(deviceToken.token)) {
+        // Token is plain text, encrypt it
+        deviceToken.token = await encryptTokenValueFn(deviceToken.token);
+        needsSave = true;
+      }
+
+      if (deviceToken.refreshToken && !isTokenEncryptedFn(deviceToken.refreshToken)) {
+        // Refresh token is plain text, encrypt it
+        deviceToken.refreshToken = await encryptTokenValueFn(deviceToken.refreshToken);
+        needsSave = true;
+      }
+
+      if (needsSave) {
+        // Save encrypted tokens back to config
+        const config = await getConfigFn();
+        await saveConfigFn(config);
+      }
+    }
+    // Decrypt tokens if encrypted (for return value)
+    const token = deviceToken.token ? await decryptTokenValueFn(deviceToken.token) : undefined;
+    const refreshToken = deviceToken.refreshToken ? await decryptTokenValueFn(deviceToken.refreshToken) : null;
+
+    return {
+      controller: controllerUrl,
+      token: token,
+      refreshToken: refreshToken,
+      expiresAt: deviceToken.expiresAt
+    };
+  }
+
+  /**
+   * Get device token for controller
+   * @param {string} controllerUrl - Controller URL
+   * @returns {Promise<{controller: string, token: string, refreshToken: string, expiresAt: string}|null>} Device token info or null
+   */
+  async function getDeviceToken(controllerUrl) {
+    const config = await getConfigFn();
+    if (!controllerUrl) return null;
+
+    // Normalize URL for consistent lookup
+    const normalizedUrl = normalizeControllerUrl(controllerUrl);
+
+    // Try exact match first
+    if (config.device && config.device[normalizedUrl]) {
+      const deviceToken = config.device[normalizedUrl];
+      return extractDeviceTokenInfo(deviceToken, normalizedUrl);
+    }
+
+    // Try to find matching URL by normalizing all stored URLs
+    if (config.device) {
+      for (const storedUrl of Object.keys(config.device)) {
+        if (normalizeControllerUrl(storedUrl) === normalizedUrl) {
+          const deviceToken = config.device[storedUrl];
+          // Migrate to normalized URL if different
+          if (storedUrl !== normalizedUrl) {
+            config.device[normalizedUrl] = deviceToken;
+            delete config.device[storedUrl];
+            await saveConfigFn(config);
+          }
+          return extractDeviceTokenInfo(deviceToken, normalizedUrl);
+        }
+      }
+    }
+
+    return null;
+  }
+
+  /**
+   * Save device token for controller (root level)
+   * @param {string} controllerUrl - Controller URL (used as key)
+   * @param {string} token - Device access token
+   * @param {string} refreshToken - Refresh token for token renewal
+   * @param {string} expiresAt - ISO timestamp string
+   * @returns {Promise<void>}
+   */
+  async function saveDeviceToken(controllerUrl, token, refreshToken, expiresAt) {
+    const config = await getConfigFn();
+    if (!config.device) config.device = {};
+
+    // Normalize URL for consistent storage
+    const normalizedUrl = normalizeControllerUrl(controllerUrl);
+
+    // If there's an existing entry with a different URL format, remove it
+    if (config.device) {
+      for (const storedUrl of Object.keys(config.device)) {
+        if (normalizeControllerUrl(storedUrl) === normalizedUrl && storedUrl !== normalizedUrl) {
+          delete config.device[storedUrl];
+        }
+      }
+    }
+
+    // Encrypt tokens before saving
+    const encryptedToken = await encryptTokenValueFn(token);
+    const encryptedRefreshToken = refreshToken ? await encryptTokenValueFn(refreshToken) : null;
+
+    config.device[normalizedUrl] = {
+      token: encryptedToken,
+      refreshToken: encryptedRefreshToken,
+      expiresAt
+    };
+    await saveConfigFn(config);
+  }
+
+  /**
+   * Get client token for environment and app
+   * @param {string} environment - Environment key
+   * @param {string} appName - Application name
+   * @returns {Promise<{controller: string, token: string, expiresAt: string}|null>} Client token info or null
+   */
+  async function getClientToken(environment, appName) {
+    const config = await getConfigFn();
+    if (!config.environments || !config.environments[environment]) return null;
+    if (!config.environments[environment].clients || !config.environments[environment].clients[appName]) return null;
+
+    const clientToken = config.environments[environment].clients[appName];
+
+    // Migration: If token is plain text and encryption key exists, encrypt it first
+    const encryptionKey = await getSecretsEncryptionKeyFn();
+    if (encryptionKey && clientToken.token && !isTokenEncryptedFn(clientToken.token)) {
+      // Token is plain text, encrypt it
+      clientToken.token = await encryptTokenValueFn(clientToken.token);
+      // Save encrypted token back to config
+      await saveConfigFn(config);
+    }
+
+    // Decrypt token if encrypted (for return value)
+    const token = await decryptTokenValueFn(clientToken.token);
+
+    return {
+      controller: clientToken.controller,
+      token: token,
+      expiresAt: clientToken.expiresAt
+    };
+  }
+
+  /**
+   * Save client token for environment and app
+   * @param {string} environment - Environment key
+   * @param {string} appName - Application name
+   * @param {string} controllerUrl - Controller URL
+   * @param {string} token - Client token
+   * @param {string} expiresAt - ISO timestamp string
+   * @returns {Promise<void>}
+   */
+  async function saveClientToken(environment, appName, controllerUrl, token, expiresAt) {
+    const config = await getConfigFn();
+    if (!config.environments) config.environments = {};
+    if (!config.environments[environment]) config.environments[environment] = { clients: {} };
+    if (!config.environments[environment].clients) config.environments[environment].clients = {};
+
+    // Encrypt token before saving
+    const encryptedToken = await encryptTokenValueFn(token);
+
+    config.environments[environment].clients[appName] = {
+      controller: controllerUrl,
+      token: encryptedToken,
+      expiresAt
+    };
+    await saveConfigFn(config);
+  }
+
+  return {
+    getDeviceToken,
+    getClientToken,
+    saveDeviceToken,
+    saveClientToken
+  };
+}
+
+module.exports = {
+  createTokenManagementFunctions
+};
+

package/lib/utils/device-code.js

@@ -213,7 +213,9 @@ function handlePollingErrors(error, status, response) {
   }
 
   // Handle validation errors with detailed message
-  if (error === 'validation_error' || status === 400) {
+  // Check for validation_error, status 400, or specific validation error codes
+  if (error === 'validation_error' || status === 400 ||
+      error === 'INVALID_TOKEN' || error === 'INVALID_ACCESS_TOKEN') {
     throw createValidationError(response);
   }
 
@@ -245,14 +247,26 @@ function extractPollingError(response) {
     if (response.errorType === 'validation') {
       return 'validation_error';
     }
+    // Check if error code indicates validation error (e.g., INVALID_TOKEN)
+    const errorCode = errorData.error || errorData.code || response.error;
+    if (errorCode === 'INVALID_TOKEN' || errorCode === 'INVALID_ACCESS_TOKEN') {
+      return 'validation_error';
+    }
     // Return the error message from structured error
-    return errorData.detail || errorData.title || errorData.message || errorData.error || response.error || 'Unknown error';
+    return errorData.detail || errorData.title || errorData.message || errorCode || response.error || 'Unknown error';
   }
 
   // Fallback to original extraction logic
   const apiResponse = response.data || {};
   const errorData = typeof apiResponse === 'object' ? apiResponse : {};
-  return errorData.error || response.error || 'Unknown error';
+  const errorCode = errorData.error || response.error || 'Unknown error';
+
+  // Check if error code indicates validation error (e.g., INVALID_TOKEN)
+  if (errorCode === 'INVALID_TOKEN' || errorCode === 'INVALID_ACCESS_TOKEN') {
+    return 'validation_error';
+  }
+
+  return errorCode;
 }
 
 /**
@@ -278,14 +292,22 @@ function handleSuccessfulPoll(response) {
  */
 async function processPollingResponse(response, interval) {
   if (response.success) {
+    // Check if response contains an error code even though success is true
+    const apiResponse = response.data || {};
+    const responseData = apiResponse.data || apiResponse;
+    const errorCode = responseData.error || apiResponse.error || response.error;
+
+    // If there's an error code like INVALID_TOKEN, treat it as a validation error
+    if (errorCode && (errorCode === 'INVALID_TOKEN' || errorCode === 'INVALID_ACCESS_TOKEN')) {
+      throw createValidationError(response);
+    }
+
     const tokenResponse = handleSuccessfulPoll(response);
     if (tokenResponse) {
       return tokenResponse;
     }
 
-    const apiResponse = response.data;
-    const responseData = apiResponse.data || apiResponse;
-    const error = responseData.error || apiResponse.error;
+    const error = errorCode;
     const slowDown = error === 'slow_down';
     await waitForNextPoll(interval, slowDown);
     return null;