@angeloashmore/prismic-cli-poc 0.0.0-canary.1d36cd8

package/src/token-create.ts

@@ -0,0 +1,203 @@
+import { parseArgs } from "node:util";
+import * as v from "valibot";
+
+import { isAuthenticated } from "./lib/auth";
+import { safeGetRepositoryFromConfig } from "./lib/config";
+import { stringify } from "./lib/json";
+import { ForbiddenRequestError, request, UnauthorizedRequestError } from "./lib/request";
+import { getRepoUrl } from "./lib/url";
+import {
+	type AccessToken,
+	AccessTokenSchema,
+	getAccessTokens,
+	type OAuthApp,
+	OAuthAppSchema,
+	type WriteToken,
+	WriteTokenSchema,
+} from "./token-list";
+
+const HELP = `
+Create a new API token for a Prismic repository.
+
+By default, this command reads the repository from prismic.config.json at the
+project root.
+
+USAGE
+  prismic token create [flags]
+
+FLAGS
+  -w, --write              Create a write token (Custom Types/Migration API)
+  -n, --name string        Token name (default: "Prismic CLI")
+      --allow-releases     Allow access to releases (access tokens only)
+      --json               Output as JSON
+  -r, --repo string        Repository domain
+  -h, --help               Show help for command
+
+LEARN MORE
+  Use \`prismic token <command> --help\` for more information about a command.
+`.trim();
+
+const DEFAULT_APP_NAME = "Prismic CLI";
+
+export async function tokenCreate(): Promise<void> {
+	const {
+		values: {
+			help,
+			repo = await safeGetRepositoryFromConfig(),
+			json,
+			write,
+			name = DEFAULT_APP_NAME,
+			"allow-releases": allowReleases,
+		},
+	} = parseArgs({
+		args: process.argv.slice(4), // skip: node, script, "token", "create"
+		options: {
+			json: { type: "boolean" },
+			repo: { type: "string", short: "r" },
+			help: { type: "boolean", short: "h" },
+			write: { type: "boolean", short: "w" },
+			name: { type: "string", short: "n" },
+			"allow-releases": { type: "boolean" },
+		},
+		allowPositionals: false,
+	});
+
+	if (help) {
+		console.info(HELP);
+		return;
+	}
+
+	if (!repo) {
+		console.error("Missing prismic.config.json or --repo option");
+		process.exitCode = 1;
+		return;
+	}
+
+	if (write && allowReleases) {
+		console.error("--allow-releases is only valid for access tokens (not with --write)");
+		process.exitCode = 1;
+		return;
+	}
+
+	const authenticated = await isAuthenticated();
+	if (!authenticated) {
+		handleUnauthenticated();
+		return;
+	}
+
+	if (write) {
+		const result = await createWriteToken(repo, name);
+		if (!result.ok) {
+			if (
+				result.error instanceof ForbiddenRequestError ||
+				result.error instanceof UnauthorizedRequestError
+			) {
+				handleUnauthenticated();
+			} else if (v.isValiError(result.error)) {
+				console.error(
+					`Failed to create write token: Invalid response: ${stringify(result.error.issues)}`,
+				);
+				process.exitCode = 1;
+			} else {
+				console.error(`Failed to create write token: ${stringify(result.value)}`);
+				process.exitCode = 1;
+			}
+			return;
+		}
+
+		if (json) {
+			console.info(stringify(result.value));
+		} else {
+			console.info(`Token created: ${result.value.token}`);
+		}
+	} else {
+		const scope = allowReleases ? "master+releases" : "master";
+		const result = await createAccessToken(repo, name, scope);
+		if (!result.ok) {
+			if (
+				result.error instanceof ForbiddenRequestError ||
+				result.error instanceof UnauthorizedRequestError
+			) {
+				handleUnauthenticated();
+			} else if (v.isValiError(result.error)) {
+				console.error(
+					`Failed to create access token: Invalid response: ${stringify(result.error.issues)}`,
+				);
+				process.exitCode = 1;
+			} else {
+				console.error(`Failed to create access token: ${stringify(result.value)}`);
+				process.exitCode = 1;
+			}
+			return;
+		}
+
+		if (json) {
+			console.info(stringify(result.value));
+		} else {
+			console.info(`Token created: ${result.value.token}`);
+		}
+	}
+}
+
+type CreateWriteTokenResult =
+	| { ok: true; value: WriteToken }
+	| { ok: false; value: unknown; error: Error | v.ValiError<typeof WriteTokenSchema> };
+
+async function createWriteToken(repo: string, appName: string): Promise<CreateWriteTokenResult> {
+	const url = new URL("settings/security/token", await getRepoUrl(repo));
+	const response = await request(url, {
+		method: "POST",
+		body: { app_name: appName },
+		schema: WriteTokenSchema,
+	});
+	return response;
+}
+
+type CreateAccessTokenResult =
+	| { ok: true; value: AccessToken }
+	| { ok: false; value: unknown; error: Error | v.ValiError<typeof AccessTokenSchema> };
+
+async function createAccessToken(
+	repo: string,
+	appName: string,
+	scope: "master" | "master+releases",
+): Promise<CreateAccessTokenResult> {
+	// First, find or create an OAuth app with the given name
+	const appsResponse = await getAccessTokens(repo);
+	if (!appsResponse.ok) {
+		return appsResponse;
+	}
+
+	let app = appsResponse.value.find((a: OAuthApp) => a.name === appName);
+
+	// Create OAuth app if it doesn't exist
+	if (!app) {
+		const createAppUrl = new URL("settings/security/oauthapp", await getRepoUrl(repo));
+		const createAppResponse = await request(createAppUrl, {
+			method: "POST",
+			body: { app_name: appName },
+			schema: OAuthAppSchema,
+		});
+
+		if (!createAppResponse.ok) {
+			return createAppResponse;
+		}
+
+		app = createAppResponse.value;
+	}
+
+	// Create the authorization token
+	const authUrl = new URL("settings/security/authorizations", await getRepoUrl(repo));
+	const authResponse = await request(authUrl, {
+		method: "POST",
+		body: { app: app.id, scope },
+		schema: AccessTokenSchema,
+	});
+
+	return authResponse;
+}
+
+function handleUnauthenticated(): void {
+	console.error("Not logged in. Run `prismic login` first.");
+	process.exitCode = 1;
+}

package/src/token-delete.ts

@@ -0,0 +1,182 @@
+import { parseArgs } from "node:util";
+import * as v from "valibot";
+
+import { isAuthenticated } from "./lib/auth";
+import { safeGetRepositoryFromConfig } from "./lib/config";
+import { stringify } from "./lib/json";
+import { ForbiddenRequestError, request, UnauthorizedRequestError } from "./lib/request";
+import { getRepoUrl } from "./lib/url";
+import { type AccessToken, getAccessTokens, getWriteTokens, type WriteToken } from "./token-list";
+
+const HELP = `
+Delete a token from a Prismic repository.
+
+By default, this command reads the repository from prismic.config.json at the
+project root.
+
+USAGE
+  prismic token delete <token> [flags]
+
+ARGUMENTS
+  token   The token value (or partial match)
+
+FLAGS
+  -r, --repo string   Repository domain
+  -h, --help          Show help for command
+
+LEARN MORE
+  Use \`prismic token <command> --help\` for more information about a command.
+`.trim();
+
+export async function tokenDelete(): Promise<void> {
+	const {
+		values: { help, repo = await safeGetRepositoryFromConfig() },
+		positionals: [tokenValue],
+	} = parseArgs({
+		args: process.argv.slice(4), // skip: node, script, "token", "delete"
+		options: {
+			repo: { type: "string", short: "r" },
+			help: { type: "boolean", short: "h" },
+		},
+		allowPositionals: true,
+	});
+
+	if (help) {
+		console.info(HELP);
+		return;
+	}
+
+	if (!tokenValue) {
+		console.error("Missing required argument: token");
+		process.exitCode = 1;
+		return;
+	}
+
+	if (!repo) {
+		console.error("Missing prismic.config.json or --repo option");
+		process.exitCode = 1;
+		return;
+	}
+
+	const authenticated = await isAuthenticated();
+	if (!authenticated) {
+		handleUnauthenticated();
+		return;
+	}
+
+	// First, find the token in access tokens or write tokens
+	const [accessResponse, writeResponse] = await Promise.all([
+		getAccessTokens(repo),
+		getWriteTokens(repo),
+	]);
+
+	if (!accessResponse.ok) {
+		if (
+			accessResponse.error instanceof ForbiddenRequestError ||
+			accessResponse.error instanceof UnauthorizedRequestError
+		) {
+			handleUnauthenticated();
+		} else if (v.isValiError(accessResponse.error)) {
+			console.error(
+				`Failed to list access tokens: Invalid response: ${stringify(accessResponse.error.issues)}`,
+			);
+			process.exitCode = 1;
+		} else {
+			console.error(`Failed to list access tokens: ${stringify(accessResponse.value)}`);
+			process.exitCode = 1;
+		}
+		return;
+	}
+
+	if (!writeResponse.ok) {
+		if (
+			writeResponse.error instanceof ForbiddenRequestError ||
+			writeResponse.error instanceof UnauthorizedRequestError
+		) {
+			handleUnauthenticated();
+		} else if (v.isValiError(writeResponse.error)) {
+			console.error(
+				`Failed to list write tokens: Invalid response: ${stringify(writeResponse.error.issues)}`,
+			);
+			process.exitCode = 1;
+		} else {
+			console.error(`Failed to list write tokens: ${stringify(writeResponse.value)}`);
+			process.exitCode = 1;
+		}
+		return;
+	}
+
+	// Find in access tokens
+	let foundAuth: AccessToken | undefined;
+	for (const app of accessResponse.value) {
+		for (const auth of app.wroom_auths) {
+			if (
+				auth.token === tokenValue ||
+				auth.token.startsWith(tokenValue) ||
+				auth.token.endsWith(tokenValue)
+			) {
+				foundAuth = auth;
+				break;
+			}
+		}
+		if (foundAuth) break;
+	}
+
+	if (foundAuth) {
+		// Delete the authorization (preserves OAuth app)
+		const url = new URL(`settings/security/authorizations/${foundAuth.id}`, await getRepoUrl(repo));
+		const response = await request(url, { method: "DELETE" });
+
+		if (!response.ok) {
+			if (
+				response.error instanceof ForbiddenRequestError ||
+				response.error instanceof UnauthorizedRequestError
+			) {
+				handleUnauthenticated();
+			} else {
+				console.error(`Failed to delete token: ${stringify(response.value)}`);
+				process.exitCode = 1;
+			}
+			return;
+		}
+
+		console.info("Token deleted");
+		return;
+	}
+
+	// Find in write tokens
+	const foundWriteToken = writeResponse.value.tokens.find(
+		(t: WriteToken) =>
+			t.token === tokenValue || t.token.startsWith(tokenValue) || t.token.endsWith(tokenValue),
+	);
+
+	if (foundWriteToken) {
+		// Delete write token
+		const url = new URL(`settings/security/token/${foundWriteToken.token}`, await getRepoUrl(repo));
+		const response = await request(url, { method: "DELETE" });
+
+		if (!response.ok) {
+			if (
+				response.error instanceof ForbiddenRequestError ||
+				response.error instanceof UnauthorizedRequestError
+			) {
+				handleUnauthenticated();
+			} else {
+				console.error(`Failed to delete token: ${stringify(response.value)}`);
+				process.exitCode = 1;
+			}
+			return;
+		}
+
+		console.info("Token deleted");
+		return;
+	}
+
+	console.error(`Token not found: ${tokenValue}`);
+	process.exitCode = 1;
+}
+
+function handleUnauthenticated(): void {
+	console.error("Not logged in. Run `prismic login` first.");
+	process.exitCode = 1;
+}

package/src/token-list.ts

@@ -0,0 +1,223 @@
+import { parseArgs } from "node:util";
+import * as v from "valibot";
+
+import { isAuthenticated } from "./lib/auth";
+import { safeGetRepositoryFromConfig } from "./lib/config";
+import { stringify } from "./lib/json";
+import {
+	ForbiddenRequestError,
+	type ParsedRequestResponse,
+	request,
+	UnauthorizedRequestError,
+} from "./lib/request";
+import { getRepoUrl } from "./lib/url";
+
+const HELP = `
+List all API tokens for a Prismic repository.
+
+By default, this command reads the repository from prismic.config.json at the
+project root.
+
+USAGE
+  prismic token list [flags]
+
+FLAGS
+      --json          Output as JSON
+  -r, --repo string   Repository domain
+  -h, --help          Show help for command
+
+LEARN MORE
+  Use \`prismic token <command> --help\` for more information about a command.
+`.trim();
+
+export async function tokenList(): Promise<void> {
+	const {
+		values: { help, repo = await safeGetRepositoryFromConfig(), json },
+	} = parseArgs({
+		args: process.argv.slice(4), // skip: node, script, "token", "list"
+		options: {
+			json: { type: "boolean" },
+			repo: { type: "string", short: "r" },
+			help: { type: "boolean", short: "h" },
+		},
+		allowPositionals: false,
+	});
+
+	if (help) {
+		console.info(HELP);
+		return;
+	}
+
+	if (!repo) {
+		console.error("Missing prismic.config.json or --repo option");
+		process.exitCode = 1;
+		return;
+	}
+
+	const authenticated = await isAuthenticated();
+	if (!authenticated) {
+		handleUnauthenticated();
+		return;
+	}
+
+	const [accessResponse, writeResponse] = await Promise.all([
+		getAccessTokens(repo),
+		getWriteTokens(repo),
+	]);
+
+	if (!accessResponse.ok) {
+		if (
+			accessResponse.error instanceof ForbiddenRequestError ||
+			accessResponse.error instanceof UnauthorizedRequestError
+		) {
+			handleUnauthenticated();
+		} else if (v.isValiError(accessResponse.error)) {
+			console.error(
+				`Failed to list access tokens: Invalid response: ${stringify(accessResponse.error.issues)}`,
+			);
+			process.exitCode = 1;
+		} else {
+			console.error(`Failed to list access tokens: ${stringify(accessResponse.value)}`);
+			process.exitCode = 1;
+		}
+		return;
+	}
+
+	if (!writeResponse.ok) {
+		if (
+			writeResponse.error instanceof ForbiddenRequestError ||
+			writeResponse.error instanceof UnauthorizedRequestError
+		) {
+			handleUnauthenticated();
+		} else if (v.isValiError(writeResponse.error)) {
+			console.error(
+				`Failed to list write tokens: Invalid response: ${stringify(writeResponse.error.issues)}`,
+			);
+			process.exitCode = 1;
+		} else {
+			console.error(`Failed to list write tokens: ${stringify(writeResponse.value)}`);
+			process.exitCode = 1;
+		}
+		return;
+	}
+
+	const accessTokens = accessResponse.value.flatMap((app: OAuthApp) =>
+		app.wroom_auths.map((auth: AccessToken) => ({
+			name: app.name,
+			appId: app.id,
+			authId: auth.id,
+			scope: auth.scope,
+			token: auth.token,
+			createdAt: auth.created_at.$date,
+		})),
+	);
+	const writeTokens = writeResponse.value.tokens;
+
+	if (json) {
+		console.info(stringify({ accessTokens, writeTokens }));
+	} else {
+		if (accessTokens.length > 0) {
+			console.info("ACCESS TOKENS");
+			for (const token of accessTokens) {
+				const truncated = truncateToken(token.token);
+				const date = formatDate(token.createdAt);
+				console.info(`  ${token.name}  ${token.scope}  ${truncated}  ${date}`);
+			}
+		} else {
+			console.info("ACCESS TOKENS  (none)");
+		}
+
+		console.info("");
+
+		if (writeTokens.length > 0) {
+			console.info("WRITE TOKENS");
+			for (const token of writeTokens) {
+				const truncated = truncateToken(token.token);
+				const date = formatDate(token.timestamp);
+				console.info(`  ${token.app_name}  ${truncated}  ${date}`);
+			}
+		} else {
+			console.info("WRITE TOKENS  (none)");
+		}
+	}
+}
+
+// MongoDB date format: { "$date": milliseconds }
+const MongoDBDateSchema = v.object({ $date: v.number() });
+type MongoDBDate = v.InferOutput<typeof MongoDBDateSchema>;
+
+// Access Token (from OAuth app's wroom_auths array)
+export const AccessTokenSchema = v.object({
+	id: v.string(),
+	origin: v.string(),
+	domain: v.string(),
+	app: v.string(),
+	scope: v.string(),
+	expired_at: MongoDBDateSchema,
+	created_at: MongoDBDateSchema,
+	owner: v.nullable(v.string()),
+	token: v.string(),
+});
+export type AccessToken = v.InferOutput<typeof AccessTokenSchema>;
+
+// OAuth App (container for access tokens)
+export const OAuthAppSchema = v.object({
+	id: v.string(),
+	secret: v.string(),
+	name: v.string(),
+	owner: v.string(),
+	created_at: MongoDBDateSchema,
+	authorized_domains: v.array(v.string()),
+	wroom_auths: v.array(AccessTokenSchema),
+});
+export type OAuthApp = v.InferOutput<typeof OAuthAppSchema>;
+
+// Write Token
+export const WriteTokenSchema = v.object({
+	app_name: v.string(),
+	token: v.string(),
+	timestamp: v.number(),
+});
+export type WriteToken = v.InferOutput<typeof WriteTokenSchema>;
+
+// Write Tokens List Response
+const WriteTokensInfoSchema = v.object({
+	max_tokens: v.number(),
+	tokens: v.array(WriteTokenSchema),
+});
+type WriteTokensInfo = v.InferOutput<typeof WriteTokensInfoSchema>;
+
+// Response schemas
+const GetAccessTokensResponseSchema = v.array(OAuthAppSchema);
+type GetAccessTokensResponse = v.InferOutput<typeof GetAccessTokensResponseSchema>;
+
+export async function getAccessTokens(
+	repo: string,
+): Promise<ParsedRequestResponse<GetAccessTokensResponse>> {
+	const url = new URL("settings/security/contentapi", await getRepoUrl(repo));
+	return await request(url, { schema: GetAccessTokensResponseSchema });
+}
+
+export async function getWriteTokens(
+	repo: string,
+): Promise<ParsedRequestResponse<WriteTokensInfo>> {
+	const url = new URL("settings/security/customtypesapi", await getRepoUrl(repo));
+	return await request(url, { schema: WriteTokensInfoSchema });
+}
+
+function truncateToken(token: string): string {
+	if (token.length <= 12) return token;
+	return `${token.slice(0, 8)}...${token.slice(-4)}`;
+}
+
+function formatDate(timestamp: number | MongoDBDate): string {
+	// MongoDB dates are in milliseconds, plain numbers are in seconds
+	const ms = typeof timestamp === "number" ? timestamp * 1000 : timestamp.$date;
+	const date = new Date(ms);
+	return date.toISOString().split("T")[0];
+}
+
+function handleUnauthenticated(): void {
+	console.error("Not logged in. Run `prismic login` first.");
+	process.exitCode = 1;
+}