@clankmates/cli 0.1.1 → 0.3.0

package/src/commands/auth.ts

@@ -1,18 +1,34 @@
 import { resolveOutputMode } from "../lib/context";
-import { requiredPositional, requiredStringFlag, stringFlag, type ParsedArgs } from "../lib/args";
+import {
+  booleanFlag,
+  requiredPositional,
+  requiredStringFlag,
+  stringFlag,
+  type ParsedArgs,
+} from "../lib/args";
 import {
   loadConfig,
   resolveBaseUrl,
   resolveProfile,
   resolveProfileName,
-  updateProfile
+  updateProfile,
 } from "../lib/config";
 import { ClankmatesClient } from "../lib/client";
 import { CliError } from "../lib/errors";
-import { printValue, type Io } from "../lib/output";
+import { printJson, printValue, type Io } from "../lib/output";
 import { getConfigPath } from "../lib/paths";
-import { resolveMasterToken, resolveOwnerReadToken, resolveReadOnlyToken } from "../lib/tokens";
-import type { ProfileConfig, WhoamiResponse } from "../types/api";
+import {
+  resolveMasterToken,
+  resolveOwnerReadToken,
+  resolveReadOnlyToken,
+} from "../lib/tokens";
+import type {
+  AccessKeyAttributes,
+  AccessKeyIssueResponse,
+  AccessKeyScope,
+  ProfileConfig,
+  WhoamiResponse,
+} from "../types/api";
 
 export async function runAuthCommand(args: ParsedArgs, io: Io): Promise<void> {
   const subcommand = args.positionals[0];
@@ -31,11 +47,13 @@ export async function runAuthCommand(args: ParsedArgs, io: Io): Promise<void> {
       const resolvedBaseUrl = resolveBaseUrl(baseUrl, profile.baseUrl);
       const validationProfile = {
         ...profile,
-        baseUrl: resolvedBaseUrl
+        baseUrl: resolvedBaseUrl,
       };
 
       if (Boolean(masterToken) === Boolean(readOnlyToken)) {
-        throw new CliError("Provide exactly one of `--master-token` or `--read-only-token`.");
+        throw new CliError(
+          "Provide exactly one of `--master-token` or `--read-only-token`.",
+        );
       }
 
       const client = new ClankmatesClient(validationProfile);
@@ -62,54 +80,88 @@ export async function runAuthCommand(args: ParsedArgs, io: Io): Promise<void> {
             storedProfile.baseUrl = baseUrl;
           }
         },
-        configPath
+        configPath,
       );
 
       printValue(io, outputMode, {
         authenticated: true,
         profile: profileName,
         baseUrl: resolvedBaseUrl,
-        tokenKind: masterToken ? "master" : "read_only"
+        tokenKind: masterToken ? "master" : "read_only",
       });
       return;
     }
 
     case "whoami": {
-      const { profileName, profile } = resolveProfile(config, stringFlag(args.flags, "profile"));
+      const { profileName, profile } = resolveProfile(
+        config,
+        stringFlag(args.flags, "profile"),
+      );
       const outputMode = resolveOutputMode(profile, args.flags);
+      const explicitChannelToken = stringFlag(args.flags, "channelToken");
       const resolvedOwnerReadToken = resolveOwnerReadToken(profile);
+      const resolvedToken = explicitChannelToken
+        ? {
+            token: explicitChannelToken,
+            source: "flag",
+            tokenKind: "channel" as const,
+          }
+        : {
+            token: resolvedOwnerReadToken.token,
+            source: resolvedOwnerReadToken.source,
+            tokenKind: "owner_read" as const,
+          };
 
-      if (!resolvedOwnerReadToken.token) {
-        throw new CliError("No owner read token configured. Set `CLANKMATES_READ_ONLY_TOKEN`, `CLANKMATES_MASTER_TOKEN`, or log in for the selected profile.");
+      if (!resolvedToken.token) {
+        throw new CliError(
+          "No token configured for `auth whoami`. Provide `--channel-token`, set `CLANKMATES_READ_ONLY_TOKEN`, `CLANKMATES_MASTER_TOKEN`, or log in for the selected profile.",
+        );
       }
 
-      const whoami = await new ClankmatesClient(profile).whoami(resolvedOwnerReadToken.token);
-      printValue(io, outputMode, formatWhoamiOutput(profileName, profile.baseUrl, resolvedOwnerReadToken.source, whoami));
+      const whoami = await new ClankmatesClient(profile).whoami(
+        resolvedToken.token,
+      );
+
+      printValue(
+        io,
+        outputMode,
+        formatWhoamiOutput(profileName, profile.baseUrl, resolvedToken, whoami),
+      );
       return;
     }
 
     case "logout": {
-      const { profileName } = resolveProfile(config, stringFlag(args.flags, "profile"));
+      const { profileName } = resolveProfile(
+        config,
+        stringFlag(args.flags, "profile"),
+      );
       await updateProfile(
         profileName,
         (profile) => {
           profile.masterToken = undefined;
           profile.readOnlyToken = undefined;
         },
-        configPath
+        configPath,
       );
       io.stdout(`Cleared owner tokens for profile ${profileName}`);
       return;
     }
 
     case "token": {
-      const tokenCommand = requiredPositional(args.positionals, 1, "Missing auth token subcommand");
+      const tokenCommand = requiredPositional(
+        args.positionals,
+        1,
+        "Missing auth token subcommand",
+      );
 
       if (tokenCommand !== "inspect") {
         throw new CliError("Unknown auth token subcommand", 2);
       }
 
-      const { profileName, profile } = resolveProfile(config, stringFlag(args.flags, "profile"));
+      const { profileName, profile } = resolveProfile(
+        config,
+        stringFlag(args.flags, "profile"),
+      );
       const outputMode = resolveOutputMode(profile, args.flags);
       const resolvedMasterToken = resolveMasterToken(profile);
       const resolvedReadOnlyToken = resolveReadOnlyToken(profile);
@@ -124,50 +176,213 @@ export async function runAuthCommand(args: ParsedArgs, io: Io): Promise<void> {
         readOnlyTokenSource: resolvedReadOnlyToken.source,
         ownerReadTokenAvailable: Boolean(resolvedOwnerReadToken.token),
         ownerReadTokenSource: resolvedOwnerReadToken.source,
-        storedChannelTokens: Object.keys(profile.channelTokens).length
+        storedChannelTokens: Object.keys(profile.channelTokens).length,
       });
       return;
     }
 
+    case "key":
+    case "access-key": {
+      await runAccessKeyCommand(args, config, io);
+      return;
+    }
+
     default:
       throw new CliError("Unknown auth subcommand", 2);
   }
 }
 
+async function runAccessKeyCommand(
+  args: ParsedArgs,
+  config: Awaited<ReturnType<typeof loadConfig>>,
+  io: Io,
+): Promise<void> {
+  const keyCommand = requiredPositional(
+    args.positionals,
+    1,
+    "Missing auth key subcommand",
+  );
+  const { profileName, profile } = resolveProfile(
+    config,
+    stringFlag(args.flags, "profile"),
+  );
+  const outputMode = resolveOutputMode(profile, args.flags);
+  const client = new ClankmatesClient(profile);
+  const configPath = getConfigPath();
+
+  switch (keyCommand) {
+    case "list": {
+      const scope = parseAccessKeyScope(stringFlag(args.flags, "scope"), false);
+      const response = await client.listAccessKeys(scope);
+
+      if (outputMode === "json") {
+        printJson(io, { items: response.items });
+        return;
+      }
+
+      printValue(
+        io,
+        outputMode,
+        response.items.map((item) => formatAccessKeyRow(item)),
+      );
+      return;
+    }
+
+    case "issue": {
+      const scope = requireAccessKeyScope(
+        requiredStringFlag(args.flags, "scope"),
+      );
+      const response = await client.issueAccessKey({
+        scope,
+        name: requiredStringFlag(args.flags, "name"),
+      });
+
+      if (booleanFlag(args.flags, "tokenOnly")) {
+        io.stdout(response.token);
+        return;
+      }
+
+      printValue(io, outputMode, response);
+      return;
+    }
+
+    case "revoke": {
+      const response = await client.revokeAccessKey(
+        requiredPositional(args.positionals, 2, "Missing access key id"),
+      );
+      await pruneInvalidStoredOwnerTokens(
+        profileName,
+        profile,
+        client,
+        configPath,
+      );
+      printValue(io, outputMode, response);
+      return;
+    }
+
+    default:
+      throw new CliError("Unknown auth key subcommand", 2);
+  }
+}
+
 function defaultProfileConfig(): ProfileConfig {
   return {
     baseUrl: resolveBaseUrl(),
     output: "table",
-    channelTokens: {}
+    channelTokens: {},
   };
 }
 
 function formatWhoamiOutput(
   profileName: string,
   baseUrl: string,
-  ownerTokenSource: string,
-  whoami: WhoamiResponse
+  resolvedToken: { source: string; tokenKind: "owner_read" | "channel" },
+  whoami: WhoamiResponse,
 ) {
   const base = {
     authenticated: whoami.authenticated,
     profile: profileName,
     baseUrl,
-    ownerTokenSource,
+    tokenKind: resolvedToken.tokenKind,
+    tokenSource: resolvedToken.source,
+    ownerTokenSource:
+      resolvedToken.tokenKind === "owner_read" ? resolvedToken.source : undefined,
     actorType: whoami.actor.type,
-    actorId: whoami.actor.id
+    actorId: whoami.actor.id,
   };
 
   if (whoami.actor.type === "user") {
     return {
       ...base,
       email: whoami.actor.email,
-      actorScope: whoami.actor.scope ?? "master"
+      actorScope: whoami.actor.scope ?? "master",
+      authenticatedVia: whoami.actor.authenticated_via ?? "",
+      publicHandle: whoami.actor.public_handle ?? "",
+      publicProfilePath: whoami.actor.public_profile_path ?? "",
+      publicProfileUrl: whoami.actor.public_profile_url ?? "",
     };
   }
 
   return {
     ...base,
     name: whoami.actor.name,
-    visibility: whoami.actor.visibility
+    visibility: whoami.actor.visibility,
+    publiclyListed: whoami.actor.publicly_listed ?? false,
+    postingPausedUntil: whoami.actor.posting_paused_until ?? "",
+    ownerId: whoami.actor.owner_id ?? "",
+    ownerPublicHandle: whoami.actor.owner_public_handle ?? "",
+    publicPath: whoami.actor.public_path ?? "",
+    publicUrl: whoami.actor.public_url ?? "",
   };
 }
+
+function parseAccessKeyScope(
+  scope: string | undefined,
+  required: boolean,
+): AccessKeyScope | undefined {
+  if (scope === undefined) {
+    if (required) {
+      throw new CliError("Missing `--scope`", 2);
+    }
+
+    return undefined;
+  }
+
+  if (scope !== "master" && scope !== "read_only") {
+    throw new CliError("`--scope` must be either `master` or `read_only`.", 2);
+  }
+
+  return scope;
+}
+
+function requireAccessKeyScope(scope: string): AccessKeyScope {
+  const parsed = parseAccessKeyScope(scope, true);
+
+  if (!parsed) {
+    throw new CliError("Missing `--scope`", 2);
+  }
+
+  return parsed;
+}
+
+function formatAccessKeyRow(item: { id: string; attributes: AccessKeyAttributes }) {
+  return {
+    id: item.id,
+    scope: item.attributes.scope,
+    name: item.attributes.name ?? "",
+    expiresAt: item.attributes.expires_at,
+    issuedAt: item.attributes.inserted_at ?? "",
+  };
+}
+
+async function pruneInvalidStoredOwnerTokens(
+  profileName: string,
+  profile: ProfileConfig,
+  client: ClankmatesClient,
+  configPath: string,
+): Promise<void> {
+  const invalidMasterToken = profile.masterToken
+    ? !(await client.canAuthenticate(profile.masterToken))
+    : false;
+  const invalidReadOnlyToken = profile.readOnlyToken
+    ? !(await client.canAuthenticate(profile.readOnlyToken))
+    : false;
+
+  if (!invalidMasterToken && !invalidReadOnlyToken) {
+    return;
+  }
+
+  await updateProfile(
+    profileName,
+    (storedProfile) => {
+      if (invalidMasterToken) {
+        storedProfile.masterToken = undefined;
+      }
+
+      if (invalidReadOnlyToken) {
+        storedProfile.readOnlyToken = undefined;
+      }
+    },
+    configPath,
+  );
+}