@clauth/device 1.0.0 → 1.1.0

package/device-auth.mjs

@@ -13,7 +13,8 @@
  */
 import { createECDH, createHash, createDecipheriv, createSign, createPrivateKey, randomBytes } from 'node:crypto';
 import { exec, spawn } from 'node:child_process';
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { existsSync, mkdirSync, readFileSync, writeFileSync, unlinkSync } from 'node:fs';
+import { createServer, createConnection } from 'node:net';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
 
@@ -29,6 +30,7 @@ const TIMEOUT = 120_000;
 const CURVE = 'prime256v1';
 const CONFIG_DIR = join(homedir(), '.config', 'device-auth');
 const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
+const SOCKET_PATH = join(CONFIG_DIR, 'daemon.sock');
 
 // ─── Local config (url, domain) ──────────────────────────────────────────────
 
@@ -203,6 +205,7 @@ function clearSession() {
 if (command === 'stop') {
   const pid = keychainGet('pid');
   if (pid) { try { process.kill(parseInt(pid)); } catch {} }
+  if (existsSync(SOCKET_PATH)) unlinkSync(SOCKET_PATH);
   clearSession();
   process.stderr.write('Session stopped.\n');
   process.exit(0);
@@ -226,68 +229,40 @@ if (command === 'status') {
   process.exit(1);
 }
 
-// ─── Token command — read from Yjs via WS ────────────────────────────────────
+// ─── Token command — ask daemon via unix socket ──────────────────────────────
 
 if (command === 'token') {
-  const url = serverUrl || keychainGet('url');
-  const { privateKey, publicKey } = getOrCreateEcdhKeys();
-  const { jwt: deviceJwt, deviceId } = signDeviceJwt(privateKey, publicKey);
-
-  if (!url) {
+  if (!existsSync(SOCKET_PATH)) {
     process.stderr.write('Error: No active session. Run `device-auth start --url <server>` first.\n');
     process.exit(1);
   }
 
-  // Connect to device doc with self-signed JWT
-  const syncUrl = url.replace(/^http/, 'ws') + '/sync/device';
-  const doc = new Y.Doc();
-  const provider = new HocuspocusProvider({
-    url: syncUrl, name: 'device', token: deviceJwt,
-    document: doc, WebSocketPolyfill: WebSocket,
-  });
-
-  await new Promise((resolve, reject) => {
-    const t = setTimeout(() => reject(new Error('Timeout connecting')), 10000);
-    provider.on('synced', () => { clearTimeout(t); resolve(); });
-    provider.on('authenticationFailed', ({ reason }) => { clearTimeout(t); reject(new Error(reason)); });
-  });
-
-  // Find the LATEST completed token for this resource (most recent by created_at)
-  const tokensMap = doc.getMap('tokens');
-  const requests = doc.getMap('requests');
-  let foundToken = null;
-  let latestTime = 0;
+  const client = createConnection(SOCKET_PATH);
+  client.end(JSON.stringify({ command: 'token', resource }) + '\n');
 
-  // Search through tokens for the most recent matching our resource
-  for (const [rid, raw] of tokensMap.entries()) {
-    if (!raw) continue;
+  let data = '';
+  client.on('data', (chunk) => { data += chunk.toString(); });
+  client.on('end', () => {
     try {
-      const data = JSON.parse(raw);
-      if (data.status !== 'complete') continue;
-      const reqRaw = requests.get(rid);
-      if (reqRaw) {
-        const req = JSON.parse(reqRaw);
-        if (req.resource === resource) {
-          const time = new Date(req.created_at || 0).getTime();
-          if (time >= latestTime) {
-            latestTime = time;
-            foundToken = data;
-          }
-        }
+      const res = JSON.parse(data);
+      if (res.error) {
+        process.stderr.write(`Error: ${res.error}\n`);
+        process.exit(1);
       }
-    } catch {}
-  }
-
-  provider.destroy();
-
-  if (!foundToken) {
-    process.stderr.write(`Error: No token for "${resource}". Run: device-auth --url ${url} --resource "${resource}"\n`);
+      output(res.token);
+      process.exit(0);
+    } catch (e) {
+      process.stderr.write(`Error: Invalid response from daemon\n`);
+      process.exit(1);
+    }
+  });
+  client.on('error', (err) => {
+    process.stderr.write(`Error: Cannot connect to daemon (${err.message}). Run \`device-auth start\` first.\n`);
     process.exit(1);
-  }
+  });
 
-  const plainToken = ecdhDecrypt(foundToken.ciphertext, foundToken.serverPublicKey, privateKey);
-  output(plainToken);
-  process.exit(0);
+  // Prevent falling through to auth flow
+  await new Promise(() => {});
 }
 
 // ─── Start command: fork into background ─────────────────────────────────────
@@ -408,15 +383,73 @@ async function main() {
   // Step 6: Decrypt
   const plainToken = ecdhDecrypt(tokenData.ciphertext, tokenData.serverPublicKey, privateKey);
 
-  // ─── Daemon mode: save session, keep alive ─────────────────────────────────
+  // ─── Daemon mode: start socket server, keep WS alive ────────────────────────
   if (isDaemon || command === 'start') {
     saveSession(serverUrl);
     saveConfig({ url: serverUrl, domain, tid });
-    log('');
-    log('✓ Session ready. Use `device-auth token` to get the token.');
-    process.on('SIGTERM', () => { provider.destroy(); clearSession(); process.exit(0); });
-    process.on('SIGINT', () => { provider.destroy(); clearSession(); process.exit(0); });
-    return; // keep alive — WS stays connected
+
+    // Start unix socket server for `device-auth token` commands
+    mkdirSync(CONFIG_DIR, { recursive: true });
+    if (existsSync(SOCKET_PATH)) unlinkSync(SOCKET_PATH);
+
+    const socketServer = createServer((conn) => {
+      let data = '';
+      conn.on('data', (chunk) => { data += chunk.toString(); });
+      conn.on('end', () => {
+        try {
+          const req = JSON.parse(data);
+          if (req.command === 'token') {
+            const reqResource = req.resource || resource;
+            // Read from live Yjs doc
+            const tokensMap = deviceDoc.getMap('tokens');
+            const requests = deviceDoc.getMap('requests');
+            let found = null;
+            let latestTime = 0;
+            for (const [rid, raw] of tokensMap.entries()) {
+              if (!raw) continue;
+              try {
+                const td = JSON.parse(raw);
+                if (td.status !== 'complete') continue;
+                const reqRaw = requests.get(rid);
+                if (reqRaw) {
+                  const r = JSON.parse(reqRaw);
+                  if (r.resource === reqResource) {
+                    const time = new Date(r.created_at || 0).getTime();
+                    if (time >= latestTime) { latestTime = time; found = td; }
+                  }
+                }
+              } catch {}
+            }
+            if (!found) {
+              conn.end(JSON.stringify({ error: `No token for "${reqResource}"` }));
+              return;
+            }
+            const token = ecdhDecrypt(found.ciphertext, found.serverPublicKey, privateKey);
+            conn.end(JSON.stringify({ token }));
+          } else {
+            conn.end(JSON.stringify({ error: 'Unknown command' }));
+          }
+        } catch (e) {
+          conn.end(JSON.stringify({ error: e.message }));
+        }
+      });
+    });
+
+    socketServer.listen(SOCKET_PATH, () => {
+      log('');
+      log('✓ Session ready. Use `device-auth token` to get the token.');
+    });
+
+    function cleanup() {
+      socketServer.close();
+      if (existsSync(SOCKET_PATH)) unlinkSync(SOCKET_PATH);
+      provider.destroy();
+      clearSession();
+      process.exit(0);
+    }
+    process.on('SIGTERM', cleanup);
+    process.on('SIGINT', cleanup);
+    return; // keep alive
   }
 
   // ─── One-shot: print and exit ──────────────────────────────────────────────

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@clauth/device",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "description": "OAuth Device Authorization CLI with WebSocket token delivery and local encrypted cache",
   "type": "module",
   "bin": {
@@ -13,7 +13,7 @@
   ],
   "publishConfig": {
     "access": "public",
-    "tag": "1.0.0"
+    "tag": "1.0.2"
   },
   "scripts": {
     "start": "node device-auth.mjs"