@cloudbase/toolbox 0.7.16-beta.2 → 0.7.17-beta.0

package/lib/auth/index.d.ts

@@ -1,7 +1,9 @@
+import { DeviceFlowOptions } from './oauth';
 import { Credential, RequestConfig } from '../types';
 export * from './common';
 export * from './credential';
 export * from './web-auth';
+export * from './oauth';
 export interface AuthSupervisorOptions {
     /**
      * 是否在内存中缓存 credential 信息
@@ -20,15 +22,28 @@ export interface AuthSupervisorOptions {
      */
     throwError?: boolean;
 }
+export type AuthFlowType = 'default' | 'web' | 'device';
 export interface WebAuthOptions {
     /**
      * 请在初始化实例时指定
      * @deprecated
      */
     throwError?: boolean;
+    /**
+     * 授权方式
+     * - 'default': 自动选择，优先 web，浏览器打开失败或无浏览器环境时降级到 device
+     * - 'web': 强制使用网页回调授权
+     * - 'device': 强制使用 Device Flow 授权
+     * @default 'default'
+     */
+    mode?: AuthFlowType;
     getAuthUrl?: (rawUrl: string) => string;
     noBrowser?: boolean;
     callbackTimeout?: number;
+    /** Device Flow 的客户端 ID */
+    client_id?: string;
+    /** Device Flow 回调，获取设备码后通知调用方 */
+    onDeviceCode?: DeviceFlowOptions['onDeviceCode'];
 }
 export interface LoginByApiSecretOptions {
     /**

package/lib/auth/index.js

@@ -25,12 +25,15 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AuthSupevisor = exports.AuthSupervisor = void 0;
 const web_auth_1 = require("./web-auth");
+const oauth_1 = require("./oauth");
 const common_1 = require("./common");
 const credential_1 = require("./credential");
+const web_1 = require("../web");
 const error_1 = require("../error");
 __exportStar(require("./common"), exports);
 __exportStar(require("./credential"), exports);
 __exportStar(require("./web-auth"), exports);
+__exportStar(require("./oauth"), exports);
 class AuthSupervisor {
     /**
      * 单例模式，全局缓存
@@ -80,7 +83,7 @@ class AuthSupervisor {
      */
     loginByWebAuth(options = {}) {
         return __awaiter(this, void 0, void 0, function* () {
-            const { getAuthUrl, throwError, noBrowser, callbackTimeout } = options;
+            const { getAuthUrl, throwError, noBrowser, callbackTimeout, mode: authFlowType, client_id, onDeviceCode } = options;
             if (this.cacheCredential && this.needCache && !this.isCacheExpire()) {
                 return this.cacheCredential;
             }
@@ -88,12 +91,45 @@ class AuthSupervisor {
             let credential = yield (0, credential_1.checkAndGetCredential)(this.requestConfig);
             if (credential)
                 return credential;
-            // 兼容临时秘钥
-            credential = yield (0, web_auth_1.getAuthTokenFromWeb)({
-                getAuthUrl,
-                noBrowser,
-                callbackTimeout
-            });
+            // 根据授权方式获取凭证
+            switch (authFlowType) {
+                case 'device':
+                    credential = yield (0, oauth_1.getAuthTokenByDeviceFlow)({ client_id, onDeviceCode });
+                    break;
+                case 'web':
+                    credential = yield (0, web_auth_1.getAuthTokenFromWeb)({
+                        getAuthUrl,
+                        noBrowser,
+                        callbackTimeout
+                    });
+                    break;
+                case 'default':
+                default: {
+                    const isNoBrowser = noBrowser || (0, web_1.isTruthyFlag)(process.env.TCB_NO_BROWSER);
+                    if (isNoBrowser) {
+                        credential = yield (0, oauth_1.getAuthTokenByDeviceFlow)({ client_id, onDeviceCode });
+                    }
+                    else {
+                        try {
+                            credential = yield (0, web_auth_1.getAuthTokenFromWeb)({
+                                getAuthUrl,
+                                callbackTimeout,
+                                onOpenFailed: () => { }
+                            });
+                        }
+                        catch (e) {
+                            if ((e === null || e === void 0 ? void 0 : e.code) === 'BROWSER_OPEN_FAILED') {
+                                credential = yield (0, oauth_1.getAuthTokenByDeviceFlow)({ client_id, onDeviceCode });
+                            }
+                            else {
+                                throw e;
+                            }
+                        }
+                    }
+                    break;
+                }
+            }
+            credential = (0, common_1.resolveCredential)(credential);
             try {
                 yield (0, common_1.checkAuth)(credential, this.requestConfig);
             }

package/lib/auth/oauth.d.ts

@@ -0,0 +1,11 @@
+import { Credential } from "../types";
+export interface DeviceFlowOptions {
+    client_id?: string;
+    onDeviceCode?: (data: {
+        user_code: string;
+        verification_uri?: string;
+        device_code: string;
+        expires_in: number;
+    }) => void;
+}
+export declare function getAuthTokenByDeviceFlow(options?: DeviceFlowOptions): Promise<Credential>;

package/lib/auth/oauth.js

@@ -0,0 +1,123 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAuthTokenByDeviceFlow = void 0;
+const net_1 = require("../net");
+const web_1 = require("../web");
+const error_1 = require("../error");
+const coding_1 = require("../coding");
+const system_1 = require("../system");
+const web_auth_1 = require("./web-auth");
+const OAUTH_ENDPOINT = process.env.TCB_OAUTH_ENDPOINT || 'https://tcb-api.cloud.tencent.com/qcloud-tcb/v1/oauth';
+const DEFAULT_CLIENT_ID = 'cloudbase-toolbox';
+const POLL_ERROR_CODES = {
+    AUTHORIZATION_PENDING: 'authorization_pending',
+    SLOW_DOWN: 'slow_down',
+    EXPIRED_TOKEN: 'expired_token',
+    ACCESS_DENIED: 'access_denied',
+};
+const SUCCESS_CODE = 'NORMAL';
+function fetchDeviceCode(options = {}) {
+    const { client_id = DEFAULT_CLIENT_ID } = options;
+    return (0, net_1.postFetch)(`${OAUTH_ENDPOINT}/device/code`, { client_id });
+}
+function fetchPollToken(options) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const { device_code, client_id = DEFAULT_CLIENT_ID } = options;
+        const mac = yield (0, system_1.getMacAddress)();
+        return (0, net_1.postFetch)(`${OAUTH_ENDPOINT}/token`, {
+            device_code,
+            client_id,
+            grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+            device_info: {
+                mac,
+                os: (0, system_1.getOSInfo)(),
+                hash: (0, coding_1.md5Encoding)(mac),
+            }
+        });
+    });
+}
+function sleep(ms) {
+    return new Promise((resolve) => {
+        setTimeout(resolve, ms);
+    });
+}
+function getAuthTokenByDeviceFlow(options = {}) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const { client_id, onDeviceCode } = options;
+        const deviceCodeResp = yield fetchDeviceCode({ client_id });
+        if (deviceCodeResp.code !== SUCCESS_CODE) {
+            throw new error_1.CloudBaseError('Device Flow fetchDeviceCode failed', {
+                code: deviceCodeResp.code,
+                requestId: deviceCodeResp.reqId,
+            });
+        }
+        const { device_code, user_code, expires_in, interval } = deviceCodeResp.result;
+        // const defaultVerificationUri = deviceCodeResp.result.verification_uri || `${CLI_AUTH_BASE_URL}#/cli-auth`;
+        // 暂时不消费 verification_uri，由客户端控制跳转
+        const defaultVerificationUri = `${web_auth_1.CLI_AUTH_BASE_URL}#/cli-auth`;
+        // from=cli 后续考虑改用 client_id，因为 toolbox 作为公共依赖，可能被不同 client 所引用
+        const verification_uri = `${defaultVerificationUri}?user_code=${user_code}&from=cli&mode=device`;
+        // 打印授权信息，引导用户操作
+        console.log('\n\n若链接未自动打开，请手动复制至浏览器，或尝试其他登录方式:');
+        console.log(`\n${verification_uri}`);
+        console.log(`\n用户码: ${user_code}\n`);
+        // 尝试自动打开授权页面
+        yield (0, web_1.openUrl)(verification_uri);
+        if (onDeviceCode) {
+            onDeviceCode({ user_code, verification_uri, device_code, expires_in });
+        }
+        let pollInterval = interval;
+        const deadline = Date.now() + expires_in * 1000;
+        while (Date.now() < deadline) {
+            yield sleep(pollInterval * 1000);
+            let resp;
+            try {
+                resp = yield fetchPollToken({ device_code, interval: pollInterval, client_id });
+            }
+            catch (e) {
+                throw new error_1.CloudBaseError('Device Flow 轮询请求失败', { original: e });
+            }
+            const { code, result } = resp;
+            // 服务端返回业务错误（result 中携带 error 字段）
+            if (result && 'error' in result) {
+                const { error, error_description } = result;
+                if (error === POLL_ERROR_CODES.AUTHORIZATION_PENDING) {
+                    continue;
+                }
+                if (error === POLL_ERROR_CODES.SLOW_DOWN) {
+                    pollInterval += 5;
+                    continue;
+                }
+                if (error === POLL_ERROR_CODES.EXPIRED_TOKEN) {
+                    throw new error_1.CloudBaseError('设备码已过期，请重新发起授权');
+                }
+                if (error === POLL_ERROR_CODES.ACCESS_DENIED) {
+                    throw new error_1.CloudBaseError('用户拒绝了授权请求');
+                }
+                throw new error_1.CloudBaseError(error_description || `Device Flow 授权失败，错误: ${error}`, {
+                    code: error,
+                    requestId: resp.reqId,
+                });
+            }
+            // 服务端返回成功的 Credential
+            if (code === SUCCESS_CODE && result) {
+                return result;
+            }
+            throw new error_1.CloudBaseError(`Device Flow 授权失败，错误码: ${code}`, {
+                code,
+                requestId: resp.reqId,
+            });
+        }
+        throw new error_1.CloudBaseError('授权超时，用户未在有效期内完成授权，请重试');
+    });
+}
+exports.getAuthTokenByDeviceFlow = getAuthTokenByDeviceFlow;

package/lib/auth/web-auth.d.ts

@@ -1,6 +1,8 @@
 import { Credential } from '../types';
+export declare const CLI_AUTH_BASE_URL = "https://tcb.cloud.tencent.com/dev";
 export declare function getAuthTokenFromWeb(options?: {
     getAuthUrl?: (rawUrl: string) => string;
     noBrowser?: boolean;
     callbackTimeout?: number;
+    onOpenFailed?: () => void;
 }): Promise<Credential>;

package/lib/auth/web-auth.js

@@ -9,16 +9,16 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getAuthTokenFromWeb = void 0;
+exports.getAuthTokenFromWeb = exports.CLI_AUTH_BASE_URL = void 0;
 const common_1 = require("./common");
 const coding_1 = require("../coding");
 const web_1 = require("../web");
 const system_1 = require("../system");
-const CliAuthBaseUrl = 'https://tcb.cloud.tencent.com/dev';
+exports.CLI_AUTH_BASE_URL = 'https://tcb.cloud.tencent.com/dev';
 // 打开云开发控制台，获取授权
 function getAuthTokenFromWeb(options = {}) {
     return __awaiter(this, void 0, void 0, function* () {
-        const { getAuthUrl, noBrowser, callbackTimeout } = options;
+        const { getAuthUrl, noBrowser, callbackTimeout, onOpenFailed } = options;
         const mac = yield (0, system_1.getMacAddress)();
         const os = (0, system_1.getOSInfo)();
         const macHash = (0, coding_1.md5Encoding)(mac);
@@ -31,7 +31,7 @@ function getAuthTokenFromWeb(options = {}) {
                 + '&from=cli';
             const encodedCallbackUrl = encodeURIComponent(callbackUrl);
             // 授权链接
-            const rawAuthUrl = `${CliAuthBaseUrl}?authCallbackUrl=${encodedCallbackUrl}#/cli-auth?${encodedQuery}`;
+            const rawAuthUrl = `${exports.CLI_AUTH_BASE_URL}?authCallbackUrl=${encodedCallbackUrl}#/cli-auth?${encodedQuery}`;
             let cliAuthUrl = rawAuthUrl;
             if (getAuthUrl) {
                 try {
@@ -44,7 +44,8 @@ function getAuthTokenFromWeb(options = {}) {
             return cliAuthUrl;
         }, 'login', {
             noBrowser,
-            callbackTimeout
+            callbackTimeout,
+            onOpenFailed
         });
         const credential = (0, common_1.resolveCredential)(query);
         return credential;

package/lib/web/web.d.ts

@@ -6,5 +6,11 @@ export type CheckFn = (query: IQuery) => Promise<void>;
 export interface GetDataFromWebOptions {
     noBrowser?: boolean;
     callbackTimeout?: number;
+    /** 浏览器打开失败时的回调，若提供则中止等待并抛出错误 */
+    onOpenFailed?: () => void;
 }
+export declare function isTruthyFlag(value?: string): boolean;
+export declare function openUrl(url: string, options?: {
+    skipBrowserFallback?: boolean;
+}): Promise<boolean>;
 export declare function getDataFromWeb<T extends IQuery>(getUrl: GetUrlFn, type: 'login' | 'getData', options?: GetDataFromWebOptions): Promise<T>;

package/lib/web/web.js

@@ -12,7 +12,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getDataFromWeb = void 0;
+exports.getDataFromWeb = exports.openUrl = exports.isTruthyFlag = void 0;
 const open_1 = __importDefault(require("open"));
 const query_string_1 = __importDefault(require("query-string"));
 const http_1 = __importDefault(require("http"));
@@ -59,6 +59,7 @@ function isTruthyFlag(value) {
     }
     return ['1', 'true', 'yes', 'on'].includes(String(value).trim().toLowerCase());
 }
+exports.isTruthyFlag = isTruthyFlag;
 function isVSCodeEnvironment() {
     return Boolean(process.env.VSCODE_IPC_HOOK_CLI
         || process.env.VSCODE_PID
@@ -93,14 +94,13 @@ function openUrlByBrowserEnv(url) {
 function shouldUseBrowserEnvFallback() {
     return process.platform === 'linux' && isVSCodeEnvironment();
 }
-function openUrl(url) {
+function openUrl(url, options = {}) {
     return __awaiter(this, void 0, void 0, function* () {
+        const { skipBrowserFallback = false } = options;
         try {
             const child = yield (0, open_1.default)(url, { url: true });
-            if (child === null || child === void 0 ? void 0 : child.once) {
+            if ((child === null || child === void 0 ? void 0 : child.once) && !skipBrowserFallback) {
                 child.once('error', (error) => __awaiter(this, void 0, void 0, function* () {
-                    const code = (error === null || error === void 0 ? void 0 : error.code) || 'UNKNOWN';
-                    console.warn(`自动打开浏览器失败(${code})。`);
                     if (shouldUseBrowserEnvFallback()) {
                         yield openUrlByBrowserEnv(url);
                     }
@@ -109,13 +109,14 @@ function openUrl(url) {
             return true;
         }
         catch (e) {
-            if (shouldUseBrowserEnvFallback()) {
+            if (!skipBrowserFallback && shouldUseBrowserEnvFallback()) {
                 return openUrlByBrowserEnv(url);
             }
             return false;
         }
     });
 }
+exports.openUrl = openUrl;
 // 从 Web 页面中获取数据
 function getDataFromWeb(getUrl, type, options = {}) {
     var _a, _b;
@@ -127,13 +128,19 @@ function getDataFromWeb(getUrl, type, options = {}) {
             throw new error_1.CloudBaseError('callbackTimeout must be a positive number');
         }
         const url = getUrl(port);
-        console.log('\n\n若链接未自动打开，请手动复制此链接至浏览器，或尝试使用其他登录方式:');
-        console.log(`\n${url}`);
+        console.log('\n\n若链接未自动打开，请手动复制至浏览器，或尝试其他登录方式:');
+        console.log(`\n${url}\n`);
         if (!noBrowser) {
             // 对 url 转码, 避免 wsl 无法正常打开地址
             // https://www.npmjs.com/package/open#url
             // https://github.com/sindresorhus/open/blob/master/index.js#L48
-            yield openUrl(url);
+            const skipBrowserFallback = !!options.onOpenFailed;
+            const opened = yield openUrl(url, { skipBrowserFallback });
+            if (!opened && options.onOpenFailed) {
+                server.close();
+                options.onOpenFailed();
+                throw new error_1.CloudBaseError('浏览器打开失败', { code: 'BROWSER_OPEN_FAILED' });
+            }
         }
         return new Promise((resolve, reject) => {
             let finished = false;

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@cloudbase/toolbox",
-    "version": "0.7.16-beta.2",
+    "version": "0.7.17-beta.0",
     "description": "The toolbox for cloudbase",
     "main": "lib/index.js",
     "scripts": {
@@ -67,4 +67,4 @@
         }
     },
     "packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
-}
+}