@clauth/device 1.0.0

package/device-auth.mjs

@@ -0,0 +1,434 @@
+#!/usr/bin/env node
+/**
+ * device-auth — OAuth Device Authorization CLI (Yjs-first, ECDH encrypted).
+ *
+ * Tokens live in the server-side Yjs doc. CLI keeps WS alive to read them.
+ *
+ * Commands:
+ *   device-auth --url <server>              One-shot: auth, print token, exit
+ *   device-auth start --url <server>        Background: auth, keep WS alive
+ *   device-auth token [--resource <urn>]    Read token from running session
+ *   device-auth stop                        Stop background, clear session
+ *   device-auth status                      Check if session is active
+ */
+import { createECDH, createHash, createDecipheriv, createSign, createPrivateKey, randomBytes } from 'node:crypto';
+import { exec, spawn } from 'node:child_process';
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+
+import { HocuspocusProvider } from '@hocuspocus/provider';
+import * as Y from 'yjs';
+import { WebSocket } from 'ws';
+
+import { keychainGet, keychainSet, keychainDelete } from './keychain.mjs';
+
+// ─── Config ──────────────────────────────────────────────────────────────────
+
+const TIMEOUT = 120_000;
+const CURVE = 'prime256v1';
+const CONFIG_DIR = join(homedir(), '.config', 'device-auth');
+const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
+
+// ─── Local config (url, domain) ──────────────────────────────────────────────
+
+function loadConfig() {
+  try {
+    if (existsSync(CONFIG_FILE)) return JSON.parse(readFileSync(CONFIG_FILE, 'utf8'));
+  } catch {}
+  return {};
+}
+
+function saveConfig(updates) {
+  mkdirSync(CONFIG_DIR, { recursive: true });
+  const existing = loadConfig();
+  writeFileSync(CONFIG_FILE, JSON.stringify({ ...existing, ...updates }, null, 2));
+}
+
+// ─── Parse args ──────────────────────────────────────────────────────────────
+
+const args = process.argv.slice(2);
+const command = ['start', 'stop', 'token', 'status'].includes(args[0]) ? args.shift() : null;
+const jsonOutput = args.includes('--json');
+const envOutput = args.includes('--env');
+const isDaemon = args.includes('--daemon');
+const urlIdx = args.indexOf('--url');
+const resourceIdx = args.indexOf('--resource');
+const domainIdx = args.indexOf('--domain');
+const tidIdx = args.indexOf('--tid');
+
+const config = loadConfig();
+const serverUrl = (urlIdx !== -1 && args[urlIdx + 1]) || process.env.DEVICE_AUTH_URL || config.url || '';
+const resource = (resourceIdx !== -1 && args[resourceIdx + 1]) || process.env.DEVICE_AUTH_RESOURCE || 'urn:d:unified-gateway';
+const domain = (domainIdx !== -1 && args[domainIdx + 1]) || process.env.IAS_DOMAIN || config.domain || '';
+const tid = (tidIdx !== -1 && args[tidIdx + 1]) || process.env.IAS_TID || config.tid || '';
+
+// ─── Help ────────────────────────────────────────────────────────────────────
+
+if (args.includes('--help') || args.includes('-h')) {
+  console.log(`
+device-auth — OAuth Device Authorization CLI (RFC 8628 + Yjs + ECDH)
+
+Commands:
+  device-auth --url <server> [options]   One-shot: authenticate, print token, exit
+  device-auth start --url <server>       Background: authenticate, keep session alive
+  device-auth token [--resource <urn>]   Read token from running session
+  device-auth stop                       Stop background session
+  device-auth status                     Check session status
+
+Options:
+  --url <url>        Auth server URL (required, or set DEVICE_AUTH_URL)
+  --resource <urn>   Token resource (default: urn:d:unified-gateway)
+  --domain <name>    IAS tenant subdomain (e.g. sapdasintegdev)
+  --tid <uuid>       IAS tenant ID directly (skips tenant API)
+  --login            Open browser for login (default: wait for external login)
+  --json             Output as JSON
+  --env              Output as shell export
+  --help             Show this help
+
+Examples:
+  # One-shot:
+  curl -H "Authorization: Bearer $(device-auth --url https://mtls-device.dev-eu12.build.cloud.sap --domain sapdasintegdev)" https://api/...
+
+  # Background session:
+  device-auth start --url https://mtls-device.dev-eu12.build.cloud.sap --domain sapdasintegdev
+  curl -H "Authorization: Bearer $(device-auth token)" https://api/...
+  device-auth stop
+`);
+  process.exit(0);
+}
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+function log(...msg) {
+  if (!jsonOutput && !envOutput) process.stderr.write(msg.join(' ') + '\n');
+}
+
+function openBrowser(url) {
+  const cmd = process.platform === 'darwin' ? 'open' :
+              process.platform === 'win32' ? 'start ""' : 'xdg-open';
+  exec(`${cmd} "${url}"`);
+}
+
+function output(token) {
+  if (jsonOutput) {
+    process.stdout.write(JSON.stringify({ access_token: token, token_type: 'Bearer' }, null, 2) + '\n');
+  } else if (envOutput) {
+    process.stdout.write(`export ACCESS_TOKEN="${token}"\n`);
+  } else {
+    process.stdout.write(token + '\n');
+  }
+}
+
+// ─── ECDH helpers ────────────────────────────────────────────────────────────
+
+function getOrCreateEcdhKeys() {
+  let privateKey = keychainGet('ecdh_private');
+  let publicKey = keychainGet('ecdh_public');
+  if (!privateKey || !publicKey) {
+    const ecdh = createECDH(CURVE);
+    ecdh.generateKeys();
+    privateKey = ecdh.getPrivateKey('base64');
+    publicKey = ecdh.getPublicKey('base64');
+    keychainSet('ecdh_private', privateKey);
+    keychainSet('ecdh_public', publicKey);
+  }
+  return { privateKey, publicKey };
+}
+
+/**
+ * Sign a self-signed device JWT (ES256) using the ECDH/ECDSA private key.
+ * Embeds the public key in the JWT header (jwk) for server verification.
+ * device_id = base64url(SHA-256(raw_public_key)) — deterministic.
+ */
+function signDeviceJwt(privateKeyBase64, publicKeyBase64) {
+  const pubKeyBuf = Buffer.from(publicKeyBase64, 'base64');
+  const privKeyBuf = Buffer.from(privateKeyBase64, 'base64');
+  const deviceId = createHash('sha256').update(pubKeyBuf).digest('base64url');
+
+  // P-256 uncompressed public key: 04 || x (32 bytes) || y (32 bytes)
+  const x = pubKeyBuf.subarray(1, 33).toString('base64url');
+  const y = pubKeyBuf.subarray(33, 65).toString('base64url');
+  const d = privKeyBuf.toString('base64url');
+
+  // Import as JWK to get a KeyObject for signing
+  const keyObject = createPrivateKey({ key: { kty: 'EC', crv: 'P-256', x, y, d }, format: 'jwk' });
+
+  // JWT header with embedded public key (no 'd' — only public part)
+  const header = { alg: 'ES256', typ: 'JWT', jwk: { kty: 'EC', crv: 'P-256', x, y } };
+  const payload = {
+    sub: deviceId,
+    iat: Math.floor(Date.now() / 1000),
+    exp: Math.floor(Date.now() / 1000) + 300,
+  };
+
+  const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64url');
+  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
+  const sigInput = `${headerB64}.${payloadB64}`;
+
+  const sig = createSign('SHA256').update(sigInput).sign({ key: keyObject, dsaEncoding: 'ieee-p1363' }, 'base64url');
+
+  return { jwt: `${headerB64}.${payloadB64}.${sig}`, deviceId };
+}
+
+function ecdhDecrypt(ciphertext, serverPublicKeyBase64, clientPrivateKeyBase64) {
+  const serverPublicKey = Buffer.from(serverPublicKeyBase64, 'base64');
+  const clientEcdh = createECDH(CURVE);
+  clientEcdh.setPrivateKey(Buffer.from(clientPrivateKeyBase64, 'base64'));
+  const sharedSecret = clientEcdh.computeSecret(serverPublicKey);
+  const aesKey = createHash('sha256').update(sharedSecret).digest();
+  const buf = Buffer.from(ciphertext, 'base64');
+  const iv = buf.subarray(0, 12);
+  const tag = buf.subarray(12, 28);
+  const data = buf.subarray(28);
+  const decipher = createDecipheriv('aes-256-gcm', aesKey, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(data), decipher.final()]).toString('utf8');
+}
+
+// ─── Session helpers (Keychain-backed) ───────────────────────────────────────
+
+function saveSession(url) {
+  keychainSet('url', url);
+  keychainSet('pid', String(process.pid));
+}
+
+function clearSession() {
+  keychainDelete('url');
+  keychainDelete('pid');
+}
+
+// ─── Stop command ────────────────────────────────────────────────────────────
+
+if (command === 'stop') {
+  const pid = keychainGet('pid');
+  if (pid) { try { process.kill(parseInt(pid)); } catch {} }
+  clearSession();
+  process.stderr.write('Session stopped.\n');
+  process.exit(0);
+}
+
+// ─── Status command ──────────────────────────────────────────────────────────
+
+if (command === 'status') {
+  const pid = keychainGet('pid');
+  const url = keychainGet('url');
+  if (pid && url) {
+    let alive = false;
+    try { process.kill(parseInt(pid), 0); alive = true; } catch {}
+    process.stderr.write(alive
+      ? `Active session: ${url} (pid: ${pid})\n`
+      : `Stale session (process ${pid} not running). Run 'device-auth stop' to clear.\n`
+    );
+    process.exit(alive ? 0 : 1);
+  }
+  process.stderr.write('No active session.\n');
+  process.exit(1);
+}
+
+// ─── Token command — read from Yjs via WS ────────────────────────────────────
+
+if (command === 'token') {
+  const url = serverUrl || keychainGet('url');
+  const { privateKey, publicKey } = getOrCreateEcdhKeys();
+  const { jwt: deviceJwt, deviceId } = signDeviceJwt(privateKey, publicKey);
+
+  if (!url) {
+    process.stderr.write('Error: No active session. Run `device-auth start --url <server>` first.\n');
+    process.exit(1);
+  }
+
+  // Connect to device doc with self-signed JWT
+  const syncUrl = url.replace(/^http/, 'ws') + '/sync/device';
+  const doc = new Y.Doc();
+  const provider = new HocuspocusProvider({
+    url: syncUrl, name: 'device', token: deviceJwt,
+    document: doc, WebSocketPolyfill: WebSocket,
+  });
+
+  await new Promise((resolve, reject) => {
+    const t = setTimeout(() => reject(new Error('Timeout connecting')), 10000);
+    provider.on('synced', () => { clearTimeout(t); resolve(); });
+    provider.on('authenticationFailed', ({ reason }) => { clearTimeout(t); reject(new Error(reason)); });
+  });
+
+  // Find the LATEST completed token for this resource (most recent by created_at)
+  const tokensMap = doc.getMap('tokens');
+  const requests = doc.getMap('requests');
+  let foundToken = null;
+  let latestTime = 0;
+
+  // Search through tokens for the most recent matching our resource
+  for (const [rid, raw] of tokensMap.entries()) {
+    if (!raw) continue;
+    try {
+      const data = JSON.parse(raw);
+      if (data.status !== 'complete') continue;
+      const reqRaw = requests.get(rid);
+      if (reqRaw) {
+        const req = JSON.parse(reqRaw);
+        if (req.resource === resource) {
+          const time = new Date(req.created_at || 0).getTime();
+          if (time >= latestTime) {
+            latestTime = time;
+            foundToken = data;
+          }
+        }
+      }
+    } catch {}
+  }
+
+  provider.destroy();
+
+  if (!foundToken) {
+    process.stderr.write(`Error: No token for "${resource}". Run: device-auth --url ${url} --resource "${resource}"\n`);
+    process.exit(1);
+  }
+
+  const plainToken = ecdhDecrypt(foundToken.ciphertext, foundToken.serverPublicKey, privateKey);
+  output(plainToken);
+  process.exit(0);
+}
+
+// ─── Start command: fork into background ─────────────────────────────────────
+
+if (command === 'start' && !isDaemon) {
+  if (!serverUrl) {
+    process.stderr.write('Error: --url <server> is required.\n');
+    process.exit(1);
+  }
+  const child = spawn(process.execPath, [process.argv[1], '--daemon', ...args], {
+    detached: true, stdio: ['ignore', 'pipe', 'pipe'],
+  });
+  let output = '';
+  child.stderr.on('data', (d) => {
+    output += d.toString();
+    process.stderr.write(d);
+    if (output.includes('Session ready')) { child.unref(); process.exit(0); }
+  });
+  child.on('exit', (code) => { if (code !== 0) process.exit(code || 1); });
+  await new Promise(() => {});
+}
+
+// ─── Auth flow (one-shot or daemon) ──────────────────────────────────────────
+
+if (!serverUrl) {
+  process.stderr.write('Error: --url <server> is required (or set DEVICE_AUTH_URL).\n');
+  process.exit(1);
+}
+
+async function main() {
+  const { privateKey, publicKey } = getOrCreateEcdhKeys();
+  const { jwt: deviceJwt, deviceId } = signDeviceJwt(privateKey, publicKey);
+
+  log('device-auth v2.0.0');
+  log(`  server:   ${serverUrl}`);
+  log(`  device:   ${deviceId}`);
+  log(`  resource: ${resource}`);
+  log('');
+
+  // Step 1: Connect with self-signed JWT
+  log('→ Connecting to server...');
+  const syncUrl = serverUrl.replace(/^http/, 'ws') + '/sync/device';
+  const deviceDoc = new Y.Doc();
+  const provider = new HocuspocusProvider({
+    url: syncUrl, name: 'device', token: deviceJwt,
+    document: deviceDoc, WebSocketPolyfill: WebSocket,
+  });
+
+  await new Promise((resolve, reject) => {
+    const t = setTimeout(() => reject(new Error('Timeout connecting')), 10000);
+    provider.on('synced', () => { clearTimeout(t); resolve(); });
+    provider.on('authenticationFailed', ({ reason }) => { clearTimeout(t); reject(new Error(reason)); });
+  });
+
+  // Write public key to meta (for ECDH token encryption)
+  const meta = deviceDoc.getMap('meta');
+  if (meta.get('public_key') !== publicKey) {
+    deviceDoc.transact(() => { meta.set('public_key', publicKey); });
+  }
+
+  // Step 2: Write request
+  log('→ Requesting token...');
+  const rid = randomBytes(8).toString('base64url');
+  const requests = deviceDoc.getMap('requests');
+  deviceDoc.transact(() => {
+    requests.set(rid, JSON.stringify({
+      resource, domain, tid, base_url: serverUrl,
+      status: 'pending', created_at: new Date().toISOString(),
+    }));
+  });
+
+  // Step 3: Wait for response
+  log('→ Waiting for server response...');
+  const responses = deviceDoc.getMap('responses');
+  const response = await new Promise((resolve, reject) => {
+    const t = setTimeout(() => reject(new Error('Timeout')), 15000);
+    function check() {
+      const raw = responses.get(rid);
+      if (raw) { clearTimeout(t); resolve(JSON.parse(raw)); }
+    }
+    responses.observe(check);
+    check();
+  });
+
+  log(`  user_code: ${response.user_code}`);
+  log(`  expires:   ${response.expires_in}s`);
+  log('');
+
+  // Step 4: Open browser only if --login specified
+  if (args.includes('--login')) {
+    log('→ Opening browser...');
+    log(`  ${response.verification_uri_complete}`);
+    openBrowser(response.verification_uri_complete);
+  } else {
+    log('→ Waiting for login...');
+    log(`  user_code: ${response.user_code}`);
+    log(`  url: ${response.verification_uri_complete}`);
+    log('  (open the URL above, or use a login listener)');
+  }
+  log('');
+  log('  Waiting for authentication...');
+
+  // Step 5: Wait for token
+  const tokensMap = deviceDoc.getMap('tokens');
+  const tokenData = await new Promise((resolve, reject) => {
+    const t = setTimeout(() => { provider.destroy(); reject(new Error('Timeout')); }, TIMEOUT);
+    function check() {
+      const raw = tokensMap.get(rid);
+      if (!raw) return;
+      const data = JSON.parse(raw);
+      if (data.status === 'complete') { clearTimeout(t); resolve(data); }
+      else if (data.status === 'error') { clearTimeout(t); reject(new Error(data.error || 'Failed')); }
+    }
+    tokensMap.observe(check);
+    check();
+  });
+
+  // Step 6: Decrypt
+  const plainToken = ecdhDecrypt(tokenData.ciphertext, tokenData.serverPublicKey, privateKey);
+
+  // ─── Daemon mode: save session, keep alive ─────────────────────────────────
+  if (isDaemon || command === 'start') {
+    saveSession(serverUrl);
+    saveConfig({ url: serverUrl, domain, tid });
+    log('');
+    log('✓ Session ready. Use `device-auth token` to get the token.');
+    process.on('SIGTERM', () => { provider.destroy(); clearSession(); process.exit(0); });
+    process.on('SIGINT', () => { provider.destroy(); clearSession(); process.exit(0); });
+    return; // keep alive — WS stays connected
+  }
+
+  // ─── One-shot: print and exit ──────────────────────────────────────────────
+  provider.destroy();
+  saveConfig({ url: serverUrl, domain, tid });
+  log('');
+  log('✓ Token received!');
+  output(plainToken);
+  process.exit(0);
+}
+
+main().catch((err) => {
+  process.stderr.write(`Error: ${err.message || err}\n`);
+  process.exit(1);
+});

package/keychain.mjs

@@ -0,0 +1,34 @@
+/**
+ * keychain.mjs — Platform keychain helpers (macOS Keychain, Linux secret-tool).
+ */
+import { execSync } from 'node:child_process';
+
+const SERVICE = 'device-auth-cli';
+
+export function keychainSet(key, value) {
+  if (process.platform === 'darwin') {
+    try { execSync(`security delete-generic-password -s "${SERVICE}" -a "${key}" 2>/dev/null`); } catch {}
+    execSync(`security add-generic-password -s "${SERVICE}" -a "${key}" -w "${value}"`);
+  } else {
+    execSync(`echo -n "${value}" | secret-tool store --label="device-auth: ${key}" service "${SERVICE}" key "${key}"`);
+  }
+}
+
+export function keychainGet(key) {
+  try {
+    if (process.platform === 'darwin') {
+      return execSync(`security find-generic-password -s "${SERVICE}" -a "${key}" -w`, { encoding: 'utf8' }).trim();
+    }
+    return execSync(`secret-tool lookup service "${SERVICE}" key "${key}"`, { encoding: 'utf8' }).trim();
+  } catch { return null; }
+}
+
+export function keychainDelete(key) {
+  try {
+    if (process.platform === 'darwin') {
+      execSync(`security delete-generic-password -s "${SERVICE}" -a "${key}" 2>/dev/null`);
+    } else {
+      execSync(`secret-tool clear service "${SERVICE}" key "${key}"`);
+    }
+  } catch {}
+}

package/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "@clauth/device",
+  "version": "1.0.1",
+  "description": "OAuth Device Authorization CLI with WebSocket token delivery and local encrypted cache",
+  "type": "module",
+  "bin": {
+    "device-auth": "device-auth.mjs"
+  },
+  "files": [
+    "device-auth.mjs",
+    "keychain.mjs",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "tag": "1.0.0"
+  },
+  "scripts": {
+    "start": "node device-auth.mjs"
+  },
+  "dependencies": {
+    "@hocuspocus/provider": "^4.0.0",
+    "oauth4webapi": "^3.0.0",
+    "yjs": "^13.6.30",
+    "ws": "^8.18.0"
+  }
+}