@aifabrix/builder 2.31.0 → 2.32.1

package/lib/utils/token-manager.js

@@ -12,10 +12,13 @@
 const fs = require('fs');
 const path = require('path');
 const yaml = require('js-yaml');
-const config = require('../config');
-const { makeApiCall, refreshDeviceToken: apiRefreshDeviceToken } = require('./api');
+const config = require('../core/config');
 const logger = require('./logger');
 const pathsUtil = require('./paths');
+const {
+  refreshClientToken,
+  refreshDeviceToken
+} = require('./token-manager-refresh');
 
 function getSecretsFilePath() {
   return path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
@@ -100,69 +103,6 @@ function shouldRefreshToken(expiresAt) {
   return config.shouldRefreshToken(expiresAt);
 }
 
-/**
- * Refresh client token using credentials from secrets.local.yaml
- * Gets new token from API and saves it to config.yaml
- * @param {string} environment - Environment key
- * @param {string} appName - Application name
- * @param {string} controllerUrl - Controller URL
- * @param {string} [clientId] - Optional client ID (if not provided, loads from secrets.local.yaml)
- * @param {string} [clientSecret] - Optional client secret (if not provided, loads from secrets.local.yaml)
- * @returns {Promise<{token: string, expiresAt: string}>} New token and expiration
- * @throws {Error} If credentials are missing or token refresh fails
- */
-async function refreshClientToken(environment, appName, controllerUrl, clientId, clientSecret) {
-  if (!environment || typeof environment !== 'string') {
-    throw new Error('Environment is required and must be a string');
-  }
-  if (!appName || typeof appName !== 'string') {
-    throw new Error('App name is required and must be a string');
-  }
-  if (!controllerUrl || typeof controllerUrl !== 'string') {
-    throw new Error('Controller URL is required and must be a string');
-  }
-
-  // Load credentials if not provided
-  let credentials = null;
-  if (clientId && clientSecret) {
-    credentials = { clientId, clientSecret };
-  } else {
-    credentials = await loadClientCredentials(appName);
-    if (!credentials) {
-      throw new Error(`Client credentials not found for app '${appName}'. Add them to ~/.aifabrix/secrets.local.yaml as '${appName}-client-idKeyVault' and '${appName}-client-secretKeyVault'`);
-    }
-  }
-
-  // Call login API to get new token
-  const response = await makeApiCall(`${controllerUrl}/api/v1/auth/token`, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      'x-client-id': credentials.clientId,
-      'x-client-secret': credentials.clientSecret
-    }
-  });
-
-  if (!response.success) {
-    throw new Error(`Failed to refresh token: ${response.error || 'Unknown error'}`);
-  }
-
-  const responseData = response.data;
-  if (!responseData || !responseData.token) {
-    throw new Error('Invalid response: missing token');
-  }
-
-  const token = responseData.token;
-  // Calculate expiration (default to 24 hours if not provided)
-  const expiresIn = responseData.expiresIn || 86400;
-  const expiresAt = responseData.expiresAt || new Date(Date.now() + expiresIn * 1000).toISOString();
-
-  // Save token to config.yaml (NEVER save credentials)
-  await config.saveClientToken(environment, appName, controllerUrl, token, expiresAt);
-
-  return { token, expiresAt };
-}
-
 /**
  * Get or refresh client token for environment and app
  * Checks if token exists and is valid, refreshes if expired
@@ -192,53 +132,6 @@ async function getOrRefreshClientToken(environment, appName, controllerUrl) {
   };
 }
 
-/**
- * Refresh device token using refresh token
- * Calls API refresh endpoint and saves new token to config
- * @param {string} controllerUrl - Controller URL
- * @param {string} refreshToken - Refresh token
- * @returns {Promise<{token: string, refreshToken: string, expiresAt: string}>} New token info
- * @throws {Error} If refresh fails or refresh token is expired/invalid
- */
-async function refreshDeviceToken(controllerUrl, refreshToken) {
-  if (!controllerUrl || typeof controllerUrl !== 'string') {
-    throw new Error('Controller URL is required');
-  }
-  if (!refreshToken || typeof refreshToken !== 'string') {
-    throw new Error('Refresh token is required');
-  }
-
-  try {
-    // Call API refresh endpoint
-    const tokenResponse = await apiRefreshDeviceToken(controllerUrl, refreshToken);
-
-    const token = tokenResponse.access_token;
-    const newRefreshToken = tokenResponse.refresh_token || refreshToken; // Use new refresh token if provided, otherwise keep old one
-    const expiresIn = tokenResponse.expires_in || 3600;
-    const expiresAt = new Date(Date.now() + expiresIn * 1000).toISOString();
-
-    // Save new token and refresh token to config
-    await config.saveDeviceToken(controllerUrl, token, newRefreshToken, expiresAt);
-
-    return {
-      token,
-      refreshToken: newRefreshToken,
-      expiresAt
-    };
-  } catch (error) {
-    // Check if error indicates refresh token expiry (case-insensitive)
-    const errorMessage = (error.message || String(error)).toLowerCase();
-    if (errorMessage.includes('expired') ||
-        errorMessage.includes('invalid') ||
-        errorMessage.includes('401') ||
-        errorMessage.includes('unauthorized')) {
-      throw new Error('Refresh token has expired. Please login again using: aifabrix login');
-    }
-    // Re-throw other errors as-is
-    throw error;
-  }
-}
-
 /**
  * Get or refresh device token for controller
  * Checks if token exists and is valid, refreshes proactively if within 15 minutes of expiry
@@ -293,18 +186,14 @@ async function getOrRefreshDeviceToken(controllerUrl) {
 }
 
 /**
- * Get deployment authentication configuration with priority:
- * 1. Device token (Bearer) - for user-level audit tracking (preferred)
- * 2. Client token (Bearer) - for application-level authentication
- * 3. Client credentials (x-client-id/x-client-secret) - direct credential authentication
- *
+ * Validates deployment auth parameters
+ * @function validateDeploymentAuthParams
  * @param {string} controllerUrl - Controller URL
  * @param {string} environment - Environment key
  * @param {string} appName - Application name
- * @returns {Promise<{type: 'bearer'|'client-credentials', token?: string, clientId?: string, clientSecret?: string, controller: string}>} Auth configuration
- * @throws {Error} If no authentication method is available
+ * @throws {Error} If validation fails
  */
-async function getDeploymentAuth(controllerUrl, environment, appName) {
+function validateDeploymentAuthParams(controllerUrl, environment, appName) {
   if (!controllerUrl || typeof controllerUrl !== 'string') {
     throw new Error('Controller URL is required');
   }
@@ -314,8 +203,16 @@ async function getDeploymentAuth(controllerUrl, environment, appName) {
   if (!appName || typeof appName !== 'string') {
     throw new Error('App name is required');
   }
+}
 
-  // Priority 1: Try device token (for user-level audit)
+/**
+ * Tries to get device token for deployment auth
+ * @async
+ * @function tryDeviceTokenAuth
+ * @param {string} controllerUrl - Controller URL
+ * @returns {Promise<Object|null>} Auth config with device token or null
+ */
+async function tryDeviceTokenAuth(controllerUrl) {
   const deviceToken = await getOrRefreshDeviceToken(controllerUrl);
   if (deviceToken && deviceToken.token) {
     return {
@@ -324,8 +221,19 @@ async function getDeploymentAuth(controllerUrl, environment, appName) {
       controller: deviceToken.controller
     };
   }
+  return null;
+}
 
-  // Priority 2: Try client token (application-level)
+/**
+ * Tries to get client token for deployment auth
+ * @async
+ * @function tryClientTokenAuth
+ * @param {string} environment - Environment key
+ * @param {string} appName - Application name
+ * @param {string} controllerUrl - Controller URL
+ * @returns {Promise<Object|null>} Auth config with client token or null
+ */
+async function tryClientTokenAuth(environment, appName, controllerUrl) {
   try {
     const clientToken = await getOrRefreshClientToken(environment, appName, controllerUrl);
     if (clientToken && clientToken.token) {
@@ -339,8 +247,18 @@ async function getDeploymentAuth(controllerUrl, environment, appName) {
     // Client token unavailable, continue to credentials
     logger.warn(`Client token unavailable: ${error.message}`);
   }
+  return null;
+}
 
-  // Priority 3: Use client credentials directly
+/**
+ * Tries to get client credentials for deployment auth
+ * @async
+ * @function tryClientCredentialsAuth
+ * @param {string} appName - Application name
+ * @param {string} controllerUrl - Controller URL
+ * @returns {Promise<Object|null>} Auth config with client credentials or null
+ */
+async function tryClientCredentialsAuth(appName, controllerUrl) {
   const credentials = await loadClientCredentials(appName);
   if (credentials && credentials.clientId && credentials.clientSecret) {
     return {
@@ -350,6 +268,41 @@ async function getDeploymentAuth(controllerUrl, environment, appName) {
       controller: controllerUrl
     };
   }
+  return null;
+}
+
+/**
+ * Get deployment authentication configuration with priority:
+ * 1. Device token (Bearer) - for user-level audit tracking (preferred)
+ * 2. Client token (Bearer) - for application-level authentication
+ * 3. Client credentials (x-client-id/x-client-secret) - direct credential authentication
+ *
+ * @param {string} controllerUrl - Controller URL
+ * @param {string} environment - Environment key
+ * @param {string} appName - Application name
+ * @returns {Promise<{type: 'bearer'|'client-credentials', token?: string, clientId?: string, clientSecret?: string, controller: string}>} Auth configuration
+ * @throws {Error} If no authentication method is available
+ */
+async function getDeploymentAuth(controllerUrl, environment, appName) {
+  validateDeploymentAuthParams(controllerUrl, environment, appName);
+
+  // Priority 1: Try device token (for user-level audit)
+  const deviceAuth = await tryDeviceTokenAuth(controllerUrl);
+  if (deviceAuth) {
+    return deviceAuth;
+  }
+
+  // Priority 2: Try client token (application-level)
+  const clientTokenAuth = await tryClientTokenAuth(environment, appName, controllerUrl);
+  if (clientTokenAuth) {
+    return clientTokenAuth;
+  }
+
+  // Priority 3: Use client credentials directly
+  const credentialsAuth = await tryClientCredentialsAuth(appName, controllerUrl);
+  if (credentialsAuth) {
+    return credentialsAuth;
+  }
 
   throw new Error(`No authentication method available. Run 'aifabrix login' for device token, or add credentials to ~/.aifabrix/secrets.local.yaml as '${appName}-client-idKeyVault' and '${appName}-client-secretKeyVault'`);
 }

package/lib/utils/variable-transformer.js

@@ -26,14 +26,14 @@ function sanitizeAuthType(authType) {
 }
 
 /**
- * Transforms flat structure to schema-compatible format
- * @function transformFlatStructure
+ * Builds base result object from variables
+ * @function buildBaseResult
  * @param {Object} variables - Raw variables from YAML
  * @param {string} appName - Application name (fallback)
- * @returns {Object} Transformed variables matching schema
+ * @returns {Object} Base result object
  */
-function transformFlatStructure(variables, appName) {
-  const result = {
+function buildBaseResult(variables, appName) {
+  return {
     key: variables.key || appName,
     displayName: variables.displayName || appName,
     description: variables.description || '',
@@ -47,37 +47,85 @@ function transformFlatStructure(variables, appName) {
     databases: variables.databases || [],
     ...variables
   };
+}
 
-  // Sanitize authentication if present
-  if (result.authentication && result.authentication.type) {
-    result.authentication = {
-      ...result.authentication,
-      type: sanitizeAuthType(result.authentication.type)
-    };
-  }
-  // Handle partial authentication objects (when only enableSSO is provided)
-  if (result.authentication && result.authentication.enableSSO !== undefined) {
-    const auth = {
-      ...result.authentication,
-      enableSSO: result.authentication.enableSSO
-    };
-    // When enableSSO is false, default type to 'none' and requiredRoles to []
-    // When enableSSO is true, default type to 'azure' if not provided
-    if (auth.enableSSO === false) {
-      auth.type = sanitizeAuthType(result.authentication.type || 'none');
-      auth.requiredRoles = result.authentication.requiredRoles || [];
-    } else {
-      auth.type = sanitizeAuthType(result.authentication.type || 'azure');
-      auth.requiredRoles = result.authentication.requiredRoles || [];
-    }
-    result.authentication = auth;
-  }
-
-  // Add placeholder deploymentKey for validation (will be generated from JSON later)
-  // This is a 64-character hex string matching the SHA256 pattern
+/**
+ * Handles authentication type sanitization
+ * @function sanitizeAuthenticationType
+ * @param {Object} authentication - Authentication object
+ * @returns {Object} Sanitized authentication object
+ */
+function sanitizeAuthenticationType(authentication) {
+  if (!authentication || !authentication.type) {
+    return authentication;
+  }
+  return {
+    ...authentication,
+    type: sanitizeAuthType(authentication.type)
+  };
+}
+
+/**
+ * Handles partial authentication objects with enableSSO
+ * @function handlePartialAuthentication
+ * @param {Object} authentication - Authentication object
+ * @returns {Object} Processed authentication object
+ */
+function handlePartialAuthentication(authentication) {
+  if (!authentication || authentication.enableSSO === undefined) {
+    return authentication;
+  }
+
+  const auth = {
+    ...authentication,
+    enableSSO: authentication.enableSSO
+  };
+
+  // When enableSSO is false, default type to 'none' and requiredRoles to []
+  // When enableSSO is true, default type to 'azure' if not provided
+  if (auth.enableSSO === false) {
+    auth.type = sanitizeAuthType(authentication.type || 'none');
+    auth.requiredRoles = authentication.requiredRoles || [];
+  } else {
+    auth.type = sanitizeAuthType(authentication.type || 'azure');
+    auth.requiredRoles = authentication.requiredRoles || [];
+  }
+
+  return auth;
+}
+
+/**
+ * Adds placeholder deployment key if missing
+ * @function addPlaceholderDeploymentKey
+ * @param {Object} result - Result object
+ * @returns {Object} Result object with deployment key
+ */
+function addPlaceholderDeploymentKey(result) {
   if (!result.deploymentKey) {
+    // This is a 64-character hex string matching the SHA256 pattern
     result.deploymentKey = '0000000000000000000000000000000000000000000000000000000000000000';
   }
+  return result;
+}
+
+/**
+ * Transforms flat structure to schema-compatible format
+ * @function transformFlatStructure
+ * @param {Object} variables - Raw variables from YAML
+ * @param {string} appName - Application name (fallback)
+ * @returns {Object} Transformed variables matching schema
+ */
+function transformFlatStructure(variables, appName) {
+  const result = buildBaseResult(variables, appName);
+
+  // Sanitize authentication if present
+  if (result.authentication) {
+    result.authentication = sanitizeAuthenticationType(result.authentication);
+    result.authentication = handlePartialAuthentication(result.authentication);
+  }
+
+  // Add placeholder deploymentKey for validation
+  addPlaceholderDeploymentKey(result);
 
   return result;
 }
@@ -184,38 +232,37 @@ function validateDeploymentConfig(deployment) {
 }
 
 /**
- * Transforms optional fields from variables
- * @function transformOptionalFields
- * @param {Object} variables - Raw variables from YAML
- * @param {Object} transformed - Base transformed object
- * @returns {Object} Transformed object with optional fields added
+ * Transforms authentication configuration
+ * @function transformAuthentication
+ * @param {Object} authentication - Authentication configuration
+ * @returns {Object} Transformed authentication object
  */
-function transformOptionalFields(variables, transformed) {
-  if (variables.healthCheck) {
-    transformed.healthCheck = variables.healthCheck;
-  }
+function transformAuthentication(authentication) {
+  const auth = {
+    ...authentication,
+    enableSSO: authentication.enableSSO !== undefined ? authentication.enableSSO : true
+  };
 
-  if (variables.authentication) {
-    // Ensure authentication object has enableSSO at minimum
-    // Default type and requiredRoles based on enableSSO value
-    const auth = {
-      ...variables.authentication,
-      enableSSO: variables.authentication.enableSSO !== undefined ? variables.authentication.enableSSO : true
-    };
-
-    // When enableSSO is false, default type to 'none' and requiredRoles to []
-    // When enableSSO is true, default type to 'azure' if not provided
-    if (auth.enableSSO === false) {
-      auth.type = sanitizeAuthType(variables.authentication.type || 'none');
-      auth.requiredRoles = variables.authentication.requiredRoles || [];
-    } else {
-      auth.type = sanitizeAuthType(variables.authentication.type || 'azure');
-      auth.requiredRoles = variables.authentication.requiredRoles || [];
-    }
-
-    transformed.authentication = auth;
+  // When enableSSO is false, default type to 'none' and requiredRoles to []
+  // When enableSSO is true, default type to 'azure' if not provided
+  if (auth.enableSSO === false) {
+    auth.type = sanitizeAuthType(authentication.type || 'none');
+    auth.requiredRoles = authentication.requiredRoles || [];
+  } else {
+    auth.type = sanitizeAuthType(authentication.type || 'azure');
+    auth.requiredRoles = authentication.requiredRoles || [];
   }
 
+  return auth;
+}
+
+/**
+ * Transforms configuration sections (repository, build, deployment)
+ * @function transformConfigSections
+ * @param {Object} variables - Raw variables from YAML
+ * @param {Object} transformed - Base transformed object
+ */
+function transformConfigSections(variables, transformed) {
   const repository = validateRepositoryConfig(variables.repository);
   if (repository) {
     transformed.repository = repository;
@@ -230,7 +277,15 @@ function transformOptionalFields(variables, transformed) {
   if (deployment) {
     transformed.deployment = deployment;
   }
+}
 
+/**
+ * Transforms simple optional fields
+ * @function transformSimpleOptionalFields
+ * @param {Object} variables - Raw variables from YAML
+ * @param {Object} transformed - Base transformed object
+ */
+function transformSimpleOptionalFields(variables, transformed) {
   if (variables.startupCommand) {
     transformed.startupCommand = variables.startupCommand;
   }
@@ -249,6 +304,26 @@ function transformOptionalFields(variables, transformed) {
   if (variables.permissions) {
     transformed.permissions = variables.permissions;
   }
+}
+
+/**
+ * Transforms optional fields from variables
+ * @function transformOptionalFields
+ * @param {Object} variables - Raw variables from YAML
+ * @param {Object} transformed - Base transformed object
+ * @returns {Object} Transformed object with optional fields added
+ */
+function transformOptionalFields(variables, transformed) {
+  if (variables.healthCheck) {
+    transformed.healthCheck = variables.healthCheck;
+  }
+
+  if (variables.authentication) {
+    transformed.authentication = transformAuthentication(variables.authentication);
+  }
+
+  transformConfigSections(variables, transformed);
+  transformSimpleOptionalFields(variables, transformed);
 
   return transformed;
 }
@@ -263,20 +338,18 @@ function transformOptionalFields(variables, transformed) {
  * @param {string} appName - Application name (fallback)
  * @returns {Object} Transformed variables matching schema
  */
-function transformVariablesForValidation(variables, appName) {
-  // Check if structure is already flat (has key, displayName, image as string)
-  const isFlat = variables.key && variables.image && typeof variables.image === 'string';
-
-  if (isFlat) {
-    return transformFlatStructure(variables, appName);
-  }
-
-  // Nested structure - transform it
+/**
+ * Builds base transformed structure from nested variables
+ * @function buildBaseTransformedStructure
+ * @param {Object} variables - Variables object
+ * @param {string} appName - Application name
+ * @returns {Object} Base transformed structure
+ */
+function buildBaseTransformedStructure(variables, appName) {
   const requires = variables.requires || {};
   const imageRef = buildImageReference(variables, appName);
 
-  // Transform to flat schema structure
-  const transformed = {
+  return {
     key: variables.app?.key || appName,
     displayName: variables.app?.displayName || appName,
     description: variables.app?.description || '',
@@ -289,16 +362,20 @@ function transformVariablesForValidation(variables, appName) {
     requiresStorage: requires.storage || false,
     databases: requires.databases || (requires.database ? [{ name: variables.app?.key || appName }] : [])
   };
+}
 
-  const result = transformOptionalFields(variables, transformed);
+function transformVariablesForValidation(variables, appName) {
+  // Check if structure is already flat
+  const isFlat = variables.key && variables.image && typeof variables.image === 'string';
 
-  // Add placeholder deploymentKey for validation (will be generated from JSON later)
-  // This is a 64-character hex string matching the SHA256 pattern
-  if (!result.deploymentKey) {
-    result.deploymentKey = '0000000000000000000000000000000000000000000000000000000000000000';
+  if (isFlat) {
+    return transformFlatStructure(variables, appName);
   }
 
-  return result;
+  // Nested structure - transform it
+  const transformed = buildBaseTransformedStructure(variables, appName);
+  const result = transformOptionalFields(variables, transformed);
+  return addPlaceholderDeploymentKey(result);
 }
 
 module.exports = {

package/lib/utils/yaml-preserve.js

@@ -185,61 +185,55 @@ function formatValue(value, quoted, quoteChar) {
  * const result = encryptYamlValues(yamlContent, encryptionKey);
  * // Returns: { content: '...', encrypted: 5, total: 10 }
  */
+/**
+ * Processes a single line for encryption
+ * @function processLineForEncryption
+ * @param {string} line - Line to process
+ * @param {string} encryptionKey - Encryption key
+ * @param {Object} stats - Statistics object
+ * @returns {string} Processed line
+ */
+function processLineForEncryption(line, encryptionKey, stats) {
+  const trimmed = line.trim();
+
+  // Preserve empty lines and comment-only lines
+  if (trimmed === '' || trimmed.startsWith('#')) {
+    return line;
+  }
+
+  const kvPattern = /^(\s*)([^#:\n]+?):\s*(.+?)(\s*)(#.*)?$/;
+  const match = line.match(kvPattern);
+  if (!match) {
+    return line;
+  }
+
+  stats.total++;
+  const [, indent, key, valuePart, trailingWhitespace, comment] = match;
+  const { value, quoted, quoteChar } = extractValue(valuePart);
+
+  if (shouldEncryptValue(value)) {
+    const encryptedValue = encryptSecret(value, encryptionKey);
+    const formattedValue = formatValue(encryptedValue, quoted, quoteChar);
+    stats.encrypted++;
+    return `${indent}${key}: ${formattedValue}${trailingWhitespace}${comment || ''}`;
+  }
+
+  return line;
+}
+
 function encryptYamlValues(content, encryptionKey) {
   const lines = content.split(/\r?\n/);
   const encryptedLines = [];
-  let encryptedCount = 0;
-  let totalCount = 0;
-
-  // Pattern to match key-value pairs with optional comments
-  // Matches: indentation, key, colon, value, optional whitespace, optional comment
-  // Handles: key: value, key: "value", key: value # comment, etc.
-  const kvPattern = /^(\s*)([^#:\n]+?):\s*(.+?)(\s*)(#.*)?$/;
+  const stats = { encrypted: 0, total: 0 };
 
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    const trimmed = line.trim();
-
-    // Preserve empty lines and comment-only lines
-    if (trimmed === '' || trimmed.startsWith('#')) {
-      encryptedLines.push(line);
-      continue;
-    }
-
-    // Try to match key-value pattern
-    const match = line.match(kvPattern);
-    if (match) {
-      totalCount++;
-      const [, indent, key, valuePart, trailingWhitespace, comment] = match;
-
-      // Extract value (handle quotes)
-      const { value, quoted, quoteChar } = extractValue(valuePart);
-
-      // Check if value should be encrypted
-      if (shouldEncryptValue(value)) {
-        // Encrypt the value
-        const encryptedValue = encryptSecret(value, encryptionKey);
-        const formattedValue = formatValue(encryptedValue, quoted, quoteChar);
-
-        // Reconstruct line with encrypted value
-        const encryptedLine = `${indent}${key}: ${formattedValue}${trailingWhitespace}${comment || ''}`;
-        encryptedLines.push(encryptedLine);
-        encryptedCount++;
-      } else {
-        // Keep original line (already encrypted, URL, or non-string)
-        encryptedLines.push(line);
-      }
-    } else {
-      // Line doesn't match pattern (multiline value, complex structure, etc.)
-      // Preserve as-is
-      encryptedLines.push(line);
-    }
+  for (const line of lines) {
+    encryptedLines.push(processLineForEncryption(line, encryptionKey, stats));
   }
 
   return {
     content: encryptedLines.join('\n'),
-    encrypted: encryptedCount,
-    total: totalCount
+    encrypted: stats.encrypted,
+    total: stats.total
   };
 }