@createlex/figgen 1.4.2

package/companion/createlex-auth.cjs

@@ -0,0 +1,364 @@
+const crypto = require('crypto');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const CONFIG_DIR = process.env.CREATELEX_CONFIG_DIR || path.join(os.homedir(), '.createlex');
+const AUTH_FILE = process.env.CREATELEX_AUTH_FILE || path.join(CONFIG_DIR, 'auth.json');
+
+function normalizeWebBase(value) {
+  if (!value || typeof value !== 'string') {
+    return undefined;
+  }
+  let normalized = value.trim();
+  if (!normalized) {
+    return undefined;
+  }
+  if (!/^https?:\/\//i.test(normalized)) {
+    normalized = `https://${normalized}`;
+  }
+  return normalized.replace(/\/+$/, '');
+}
+
+function ensureApiBaseUrl(value) {
+  let base = normalizeWebBase(value)
+    || normalizeWebBase(process.env.CREATELEX_API_BASE_URL)
+    || normalizeWebBase(process.env.API_BASE_URL)
+    || 'https://api.createlex.com';
+
+  if (!base.toLowerCase().endsWith('/api')) {
+    base = `${base}/api`;
+  }
+  return base;
+}
+
+function shouldBypassAuth() {
+  return process.env.FIGMA_SWIFTUI_BYPASS_AUTH === 'true' || process.env.BYPASS_SUBSCRIPTION === 'true';
+}
+
+function loadAuth() {
+  if (!fs.existsSync(AUTH_FILE)) {
+    return null;
+  }
+
+  try {
+    return JSON.parse(fs.readFileSync(AUTH_FILE, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function saveAuth(auth) {
+  fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  fs.writeFileSync(AUTH_FILE, JSON.stringify(auth, null, 2), 'utf8');
+}
+
+function decodeJwtPayload(token) {
+  const parts = token.split('.');
+  if (parts.length !== 3 || parts.some((part) => !part)) {
+    throw new Error('invalid_token_structure');
+  }
+
+  const normalized = parts[1].replace(/-/g, '+').replace(/_/g, '/');
+  const padded = normalized.padEnd(normalized.length + ((4 - normalized.length % 4) % 4), '=');
+  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
+}
+
+function validateTokenFormat(token) {
+  if (!token) {
+    return { valid: false, reason: 'missing_token' };
+  }
+
+  const parts = token.split('.');
+  if (parts.length !== 3) {
+    return { valid: false, reason: 'invalid_token_format' };
+  }
+
+  if (parts.some((part) => !part)) {
+    return { valid: false, reason: 'invalid_token_structure' };
+  }
+
+  try {
+    const payload = decodeJwtPayload(token);
+    if (payload.exp) {
+      const expiryTime = payload.exp * 1000;
+      const clockSkewBuffer = 30 * 1000;
+      if (Date.now() >= expiryTime + clockSkewBuffer) {
+        return { valid: false, reason: 'token_expired' };
+      }
+    }
+    return { valid: true, payload };
+  } catch {
+    return { valid: false, reason: 'invalid_token_structure' };
+  }
+}
+
+async function refreshSession(refreshToken, apiBaseUrl) {
+  if (!refreshToken) {
+    throw new Error('missing_refresh_token');
+  }
+
+  const response = await fetch(`${ensureApiBaseUrl(apiBaseUrl)}/mcp/figma-swiftui/session/refresh`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      refreshToken,
+    }),
+  });
+
+  const payload = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    throw new Error(payload.error_description || payload.error || `refresh_failed:${response.status}`);
+  }
+
+  return payload;
+}
+
+async function ensureAccessToken(explicitToken, apiBaseUrl) {
+  const rawToken = explicitToken || process.env.FIGMA_SWIFTUI_ACCESS_TOKEN || process.env.CREATELEX_ACCESS_TOKEN;
+  if (rawToken) {
+    const validation = validateTokenFormat(rawToken);
+    if (!validation.valid) {
+      throw new Error(`CreateLex token is invalid: ${validation.reason}`);
+    }
+    return {
+      token: rawToken,
+      payload: validation.payload,
+      source: 'env',
+    };
+  }
+
+  const auth = loadAuth();
+  if (!auth?.token) {
+    throw new Error(`CreateLex login required. Run "npx @createlex/figma-swiftui-mcp login" to create ${AUTH_FILE}.`);
+  }
+
+  const currentValidation = validateTokenFormat(auth.token);
+  if (currentValidation.valid) {
+    return {
+      token: auth.token,
+      payload: currentValidation.payload,
+      source: AUTH_FILE,
+    };
+  }
+
+  const refreshToken = auth.refreshToken || auth.refresh_token;
+  if (currentValidation.reason !== 'token_expired' || !refreshToken) {
+    throw new Error(`CreateLex token is invalid: ${currentValidation.reason}. Run "npx @createlex/figma-swiftui-mcp login" again.`);
+  }
+
+  const refreshed = await refreshSession(refreshToken, apiBaseUrl);
+  const nextToken = refreshed.access_token;
+  const nextValidation = validateTokenFormat(nextToken);
+  if (!nextValidation.valid) {
+    throw new Error(`CreateLex token refresh failed: ${nextValidation.reason}`);
+  }
+
+  saveAuth({
+    ...auth,
+    token: nextToken,
+    refreshToken: refreshed.refresh_token || refreshToken,
+    refresh_token: refreshed.refresh_token || refreshToken,
+    email: refreshed.user?.email || auth.email || nextValidation.payload?.email || null,
+    userId: refreshed.user?.id || auth.userId || nextValidation.payload?.sub || null,
+    savedAt: new Date().toISOString(),
+  });
+
+  return {
+    token: nextToken,
+    payload: nextValidation.payload,
+    source: AUTH_FILE,
+  };
+}
+
+function generateDeviceId() {
+  const cpus = os.cpus();
+  const networkInterfaces = os.networkInterfaces();
+  const hardwareString = JSON.stringify({
+    hostname: os.hostname(),
+    platform: os.platform(),
+    arch: os.arch(),
+    cpuModel: cpus[0]?.model || 'unknown',
+    cpuCount: cpus.length,
+    macAddresses: Object.values(networkInterfaces)
+      .flat()
+      .filter((iface) => iface && !iface.internal && iface.mac && iface.mac !== '00:00:00:00:00:00')
+      .map((iface) => iface.mac)
+      .sort(),
+  });
+
+  return crypto.createHash('sha256').update(hardwareString).digest('hex');
+}
+
+function getDeviceInfo() {
+  return {
+    deviceId: generateDeviceId(),
+    deviceName: os.hostname(),
+    platform: `${os.platform()}-${os.arch()}`,
+    osVersion: os.release(),
+  };
+}
+
+async function postJson(url, options) {
+  const response = await fetch(url, options);
+  const data = await response.json().catch(() => ({}));
+  return { response, data };
+}
+
+async function postAuthorizedApi(session, apiPath, body) {
+  const apiBaseUrl = ensureApiBaseUrl(session?.apiBaseUrl);
+  const access = await ensureAccessToken(undefined, apiBaseUrl);
+  const normalizedPath = apiPath.startsWith('/') ? apiPath : `/${apiPath}`;
+  return postJson(`${apiBaseUrl}${normalizedPath}`, {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${access.token}`,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify(body ?? {}),
+  });
+}
+
+async function validateStartupWithFallback({ apiBaseUrl, accessToken, body }) {
+  const productUrl = `${apiBaseUrl}/mcp/figma-swiftui/session/validate`;
+  const fallbackUrl = `${apiBaseUrl}/mcp/validate-startup`;
+  const headers = {
+    Authorization: `Bearer ${accessToken}`,
+    'Content-Type': 'application/json',
+  };
+
+  const productAttempt = await postJson(productUrl, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify(body),
+  });
+
+  if (productAttempt.response.ok || productAttempt.response.status !== 404) {
+    return {
+      url: productUrl,
+      ...productAttempt,
+    };
+  }
+
+  const fallbackAttempt = await postJson(fallbackUrl, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify(body),
+  });
+
+  return {
+    url: fallbackUrl,
+    ...fallbackAttempt,
+  };
+}
+
+async function authorizeRuntimeStartup(options = {}) {
+  if (shouldBypassAuth()) {
+    return {
+      authorized: true,
+      bypass: true,
+      apiBaseUrl: ensureApiBaseUrl(options.apiBaseUrl),
+      validatedAt: new Date().toISOString(),
+      reason: 'bypass',
+      userId: null,
+      email: null,
+      tokenSource: 'bypass',
+      mcpToken: null,
+      mcpPayload: null,
+      expiresAt: null,
+    };
+  }
+
+  const apiBaseUrl = ensureApiBaseUrl(options.apiBaseUrl);
+  const access = await ensureAccessToken(options.accessToken, apiBaseUrl);
+  const deviceInfo = getDeviceInfo();
+  const startupPayload = {
+    deviceId: deviceInfo.deviceId,
+    deviceInfo,
+    clientName: 'figma-swiftui-mcp',
+    clientVersion: '1.0.0',
+    requestedTtlSeconds: 86400,
+  };
+  const { response, data, url } = await validateStartupWithFallback({
+    apiBaseUrl,
+    accessToken: access.token,
+    body: startupPayload,
+  });
+
+  if (!response.ok || !data.valid) {
+    const reason = data?.error || `CreateLex backend rejected MCP startup (${response.status})`;
+    throw new Error(reason);
+  }
+
+  return {
+    authorized: true,
+    bypass: false,
+    apiBaseUrl,
+    validatedAt: new Date().toISOString(),
+    userId: access.payload?.sub || null,
+    email: access.payload?.email || null,
+    tokenSource: access.source,
+    mcpToken: data.mcpToken,
+    mcpPayload: data.mcpPayload,
+    expiresAt: typeof data.expiresIn === 'number' ? new Date(Date.now() + (data.expiresIn * 1000)).toISOString() : null,
+    startupEndpoint: url,
+  };
+}
+
+async function validateRuntimeSession(session) {
+  if (!session || session.bypass) {
+    return {
+      valid: true,
+      session,
+      bypass: true,
+    };
+  }
+
+  const { response, data } = await postJson(`${session.apiBaseUrl}/mcp/validate-token`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      token: session.mcpToken,
+      payload: session.mcpPayload,
+    }),
+  });
+
+  if (response.ok && data.valid) {
+    return {
+      valid: true,
+      session: {
+        ...session,
+        validatedAt: new Date().toISOString(),
+      },
+    };
+  }
+
+  try {
+    const refreshed = await authorizeRuntimeStartup({ apiBaseUrl: session.apiBaseUrl });
+    return {
+      valid: true,
+      refreshed: true,
+      session: refreshed,
+    };
+  } catch (error) {
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : 'CreateLex MCP session validation failed',
+    };
+  }
+}
+
+module.exports = {
+  AUTH_FILE,
+  authorizeRuntimeStartup,
+  ensureApiBaseUrl,
+  postAuthorizedApi,
+  saveAuth,
+  shouldBypassAuth,
+  validateTokenFormat,
+  validateRuntimeSession,
+};