@createlex/figma-swiftui-mcp 1.0.0

package/companion/createlex-auth.cjs

@@ -0,0 +1,364 @@
+const crypto = require('crypto');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const CONFIG_DIR = process.env.CREATELEX_CONFIG_DIR || path.join(os.homedir(), '.createlex');
+const AUTH_FILE = process.env.CREATELEX_AUTH_FILE || path.join(CONFIG_DIR, 'auth.json');
+
+function normalizeWebBase(value) {
+  if (!value || typeof value !== 'string') {
+    return undefined;
+  }
+  let normalized = value.trim();
+  if (!normalized) {
+    return undefined;
+  }
+  if (!/^https?:\/\//i.test(normalized)) {
+    normalized = `https://${normalized}`;
+  }
+  return normalized.replace(/\/+$/, '');
+}
+
+function ensureApiBaseUrl(value) {
+  let base = normalizeWebBase(value)
+    || normalizeWebBase(process.env.CREATELEX_API_BASE_URL)
+    || normalizeWebBase(process.env.API_BASE_URL)
+    || 'https://createlex.com';
+
+  if (!base.toLowerCase().endsWith('/api')) {
+    base = `${base}/api`;
+  }
+  return base;
+}
+
+function shouldBypassAuth() {
+  return process.env.FIGMA_SWIFTUI_BYPASS_AUTH === 'true' || process.env.BYPASS_SUBSCRIPTION === 'true';
+}
+
+function loadAuth() {
+  if (!fs.existsSync(AUTH_FILE)) {
+    return null;
+  }
+
+  try {
+    return JSON.parse(fs.readFileSync(AUTH_FILE, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function saveAuth(auth) {
+  fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  fs.writeFileSync(AUTH_FILE, JSON.stringify(auth, null, 2), 'utf8');
+}
+
+function decodeJwtPayload(token) {
+  const parts = token.split('.');
+  if (parts.length !== 3 || parts.some((part) => !part)) {
+    throw new Error('invalid_token_structure');
+  }
+
+  const normalized = parts[1].replace(/-/g, '+').replace(/_/g, '/');
+  const padded = normalized.padEnd(normalized.length + ((4 - normalized.length % 4) % 4), '=');
+  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
+}
+
+function validateTokenFormat(token) {
+  if (!token) {
+    return { valid: false, reason: 'missing_token' };
+  }
+
+  const parts = token.split('.');
+  if (parts.length !== 3) {
+    return { valid: false, reason: 'invalid_token_format' };
+  }
+
+  if (parts.some((part) => !part)) {
+    return { valid: false, reason: 'invalid_token_structure' };
+  }
+
+  try {
+    const payload = decodeJwtPayload(token);
+    if (payload.exp) {
+      const expiryTime = payload.exp * 1000;
+      const clockSkewBuffer = 30 * 1000;
+      if (Date.now() >= expiryTime + clockSkewBuffer) {
+        return { valid: false, reason: 'token_expired' };
+      }
+    }
+    return { valid: true, payload };
+  } catch {
+    return { valid: false, reason: 'invalid_token_structure' };
+  }
+}
+
+async function refreshSession(refreshToken, apiBaseUrl) {
+  if (!refreshToken) {
+    throw new Error('missing_refresh_token');
+  }
+
+  const response = await fetch(`${ensureApiBaseUrl(apiBaseUrl)}/mcp/figma-swiftui/session/refresh`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      refreshToken,
+    }),
+  });
+
+  const payload = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    throw new Error(payload.error_description || payload.error || `refresh_failed:${response.status}`);
+  }
+
+  return payload;
+}
+
+async function ensureAccessToken(explicitToken, apiBaseUrl) {
+  const rawToken = explicitToken || process.env.FIGMA_SWIFTUI_ACCESS_TOKEN || process.env.CREATELEX_ACCESS_TOKEN;
+  if (rawToken) {
+    const validation = validateTokenFormat(rawToken);
+    if (!validation.valid) {
+      throw new Error(`CreateLex token is invalid: ${validation.reason}`);
+    }
+    return {
+      token: rawToken,
+      payload: validation.payload,
+      source: 'env',
+    };
+  }
+
+  const auth = loadAuth();
+  if (!auth?.token) {
+    throw new Error(`CreateLex login required. Run "npx @createlex/figma-swiftui-mcp login" to create ${AUTH_FILE}.`);
+  }
+
+  const currentValidation = validateTokenFormat(auth.token);
+  if (currentValidation.valid) {
+    return {
+      token: auth.token,
+      payload: currentValidation.payload,
+      source: AUTH_FILE,
+    };
+  }
+
+  const refreshToken = auth.refreshToken || auth.refresh_token;
+  if (currentValidation.reason !== 'token_expired' || !refreshToken) {
+    throw new Error(`CreateLex token is invalid: ${currentValidation.reason}. Run "npx @createlex/figma-swiftui-mcp login" again.`);
+  }
+
+  const refreshed = await refreshSession(refreshToken, apiBaseUrl);
+  const nextToken = refreshed.access_token;
+  const nextValidation = validateTokenFormat(nextToken);
+  if (!nextValidation.valid) {
+    throw new Error(`CreateLex token refresh failed: ${nextValidation.reason}`);
+  }
+
+  saveAuth({
+    ...auth,
+    token: nextToken,
+    refreshToken: refreshed.refresh_token || refreshToken,
+    refresh_token: refreshed.refresh_token || refreshToken,
+    email: refreshed.user?.email || auth.email || nextValidation.payload?.email || null,
+    userId: refreshed.user?.id || auth.userId || nextValidation.payload?.sub || null,
+    savedAt: new Date().toISOString(),
+  });
+
+  return {
+    token: nextToken,
+    payload: nextValidation.payload,
+    source: AUTH_FILE,
+  };
+}
+
+function generateDeviceId() {
+  const cpus = os.cpus();
+  const networkInterfaces = os.networkInterfaces();
+  const hardwareString = JSON.stringify({
+    hostname: os.hostname(),
+    platform: os.platform(),
+    arch: os.arch(),
+    cpuModel: cpus[0]?.model || 'unknown',
+    cpuCount: cpus.length,
+    macAddresses: Object.values(networkInterfaces)
+      .flat()
+      .filter((iface) => iface && !iface.internal && iface.mac && iface.mac !== '00:00:00:00:00:00')
+      .map((iface) => iface.mac)
+      .sort(),
+  });
+
+  return crypto.createHash('sha256').update(hardwareString).digest('hex');
+}
+
+function getDeviceInfo() {
+  return {
+    deviceId: generateDeviceId(),
+    deviceName: os.hostname(),
+    platform: `${os.platform()}-${os.arch()}`,
+    osVersion: os.release(),
+  };
+}
+
+async function postJson(url, options) {
+  const response = await fetch(url, options);
+  const data = await response.json().catch(() => ({}));
+  return { response, data };
+}
+
+async function postAuthorizedApi(session, apiPath, body) {
+  const apiBaseUrl = ensureApiBaseUrl(session?.apiBaseUrl);
+  const access = await ensureAccessToken(undefined, apiBaseUrl);
+  const normalizedPath = apiPath.startsWith('/') ? apiPath : `/${apiPath}`;
+  return postJson(`${apiBaseUrl}${normalizedPath}`, {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${access.token}`,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify(body ?? {}),
+  });
+}
+
+async function validateStartupWithFallback({ apiBaseUrl, accessToken, body }) {
+  const productUrl = `${apiBaseUrl}/mcp/figma-swiftui/session/validate`;
+  const fallbackUrl = `${apiBaseUrl}/mcp/validate-startup`;
+  const headers = {
+    Authorization: `Bearer ${accessToken}`,
+    'Content-Type': 'application/json',
+  };
+
+  const productAttempt = await postJson(productUrl, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify(body),
+  });
+
+  if (productAttempt.response.ok || productAttempt.response.status !== 404) {
+    return {
+      url: productUrl,
+      ...productAttempt,
+    };
+  }
+
+  const fallbackAttempt = await postJson(fallbackUrl, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify(body),
+  });
+
+  return {
+    url: fallbackUrl,
+    ...fallbackAttempt,
+  };
+}
+
+async function authorizeRuntimeStartup(options = {}) {
+  if (shouldBypassAuth()) {
+    return {
+      authorized: true,
+      bypass: true,
+      apiBaseUrl: ensureApiBaseUrl(options.apiBaseUrl),
+      validatedAt: new Date().toISOString(),
+      reason: 'bypass',
+      userId: null,
+      email: null,
+      tokenSource: 'bypass',
+      mcpToken: null,
+      mcpPayload: null,
+      expiresAt: null,
+    };
+  }
+
+  const apiBaseUrl = ensureApiBaseUrl(options.apiBaseUrl);
+  const access = await ensureAccessToken(options.accessToken, apiBaseUrl);
+  const deviceInfo = getDeviceInfo();
+  const startupPayload = {
+    deviceId: deviceInfo.deviceId,
+    deviceInfo,
+    clientName: 'figma-swiftui-mcp',
+    clientVersion: '1.0.0',
+    requestedTtlSeconds: 86400,
+  };
+  const { response, data, url } = await validateStartupWithFallback({
+    apiBaseUrl,
+    accessToken: access.token,
+    body: startupPayload,
+  });
+
+  if (!response.ok || !data.valid) {
+    const reason = data?.error || `CreateLex backend rejected MCP startup (${response.status})`;
+    throw new Error(reason);
+  }
+
+  return {
+    authorized: true,
+    bypass: false,
+    apiBaseUrl,
+    validatedAt: new Date().toISOString(),
+    userId: access.payload?.sub || null,
+    email: access.payload?.email || null,
+    tokenSource: access.source,
+    mcpToken: data.mcpToken,
+    mcpPayload: data.mcpPayload,
+    expiresAt: typeof data.expiresIn === 'number' ? new Date(Date.now() + (data.expiresIn * 1000)).toISOString() : null,
+    startupEndpoint: url,
+  };
+}
+
+async function validateRuntimeSession(session) {
+  if (!session || session.bypass) {
+    return {
+      valid: true,
+      session,
+      bypass: true,
+    };
+  }
+
+  const { response, data } = await postJson(`${session.apiBaseUrl}/mcp/validate-token`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      token: session.mcpToken,
+      payload: session.mcpPayload,
+    }),
+  });
+
+  if (response.ok && data.valid) {
+    return {
+      valid: true,
+      session: {
+        ...session,
+        validatedAt: new Date().toISOString(),
+      },
+    };
+  }
+
+  try {
+    const refreshed = await authorizeRuntimeStartup({ apiBaseUrl: session.apiBaseUrl });
+    return {
+      valid: true,
+      refreshed: true,
+      session: refreshed,
+    };
+  } catch (error) {
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : 'CreateLex MCP session validation failed',
+    };
+  }
+}
+
+module.exports = {
+  AUTH_FILE,
+  authorizeRuntimeStartup,
+  ensureApiBaseUrl,
+  postAuthorizedApi,
+  saveAuth,
+  shouldBypassAuth,
+  validateTokenFormat,
+  validateRuntimeSession,
+};

package/companion/login.mjs

@@ -0,0 +1,190 @@
+#!/usr/bin/env node
+
+import http from 'node:http';
+import { randomBytes } from 'node:crypto';
+import { spawn } from 'node:child_process';
+import { createRequire } from 'node:module';
+
+const require = createRequire(import.meta.url);
+const {
+  AUTH_FILE,
+  ensureApiBaseUrl,
+  saveAuth,
+  validateTokenFormat,
+} = require('./createlex-auth.cjs');
+
+function getWebBaseUrl() {
+  const explicit = process.env.CREATELEX_WEB_BASE_URL?.trim();
+  if (explicit) {
+    return explicit.replace(/\/+$/, '');
+  }
+  const apiBase = ensureApiBaseUrl(process.env.CREATELEX_API_BASE_URL);
+  return apiBase.replace(/\/api$/, '');
+}
+
+function openBrowser(url) {
+  const platform = process.platform;
+  if (platform === 'darwin') {
+    spawn('open', [url], { detached: true, stdio: 'ignore' }).unref();
+    return;
+  }
+  if (platform === 'win32') {
+    spawn('cmd', ['/c', 'start', '', url], { detached: true, stdio: 'ignore' }).unref();
+    return;
+  }
+  spawn('xdg-open', [url], { detached: true, stdio: 'ignore' }).unref();
+}
+
+function sendHtml(res, statusCode, title, body) {
+  res.writeHead(statusCode, { 'Content-Type': 'text/html; charset=utf-8' });
+  res.end(`<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <title>${title}</title>
+    <style>
+      body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; background: #0f172a; color: #e2e8f0; display: flex; min-height: 100vh; align-items: center; justify-content: center; margin: 0; }
+      .card { max-width: 560px; padding: 32px; border-radius: 16px; background: #111827; box-shadow: 0 10px 40px rgba(0,0,0,0.35); text-align: center; }
+      h1 { margin-top: 0; font-size: 28px; }
+      p { line-height: 1.5; color: #cbd5e1; }
+      code { background: #1f2937; padding: 2px 6px; border-radius: 6px; }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <h1>${title}</h1>
+      ${body}
+    </div>
+  </body>
+</html>`);
+}
+
+async function main() {
+  const args = new Set(process.argv.slice(2));
+  if (args.has('--help') || args.has('-h')) {
+    console.log(`CreateLex figma-swiftui login
+
+Usage:
+  npx @createlex/figma-swiftui-mcp login
+
+Options:
+  --no-open   Print the CreateLex login URL instead of opening a browser
+  --help      Show this help message
+`);
+    return;
+  }
+
+  const noOpen = args.has('--no-open');
+  const state = randomBytes(16).toString('hex');
+  const apiBaseUrl = ensureApiBaseUrl(process.env.CREATELEX_API_BASE_URL);
+  const webBaseUrl = getWebBaseUrl();
+
+  let server;
+  const completion = new Promise((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      reject(new Error('Timed out waiting for CreateLex login callback.'));
+    }, 5 * 60 * 1000);
+
+    server = http.createServer((req, res) => {
+      const url = new URL(req.url || '/', 'http://127.0.0.1');
+      if (url.pathname !== '/callback') {
+        sendHtml(res, 404, 'Not Found', '<p>This callback path is reserved for the CreateLex figma-swiftui login flow.</p>');
+        return;
+      }
+
+      const token = url.searchParams.get('token') || '';
+      const refreshToken = url.searchParams.get('refresh_token') || '';
+      const userId = url.searchParams.get('user_id') || '';
+      const email = url.searchParams.get('email') || '';
+      const hasSubscription = url.searchParams.get('has_subscription') === 'true';
+      const returnedState = url.searchParams.get('state') || '';
+      const error = url.searchParams.get('error') || '';
+
+      if (returnedState !== state) {
+        sendHtml(res, 400, 'Login Failed', '<p>The login callback state did not match. Close this window and run <code>npx @createlex/figma-swiftui-mcp login</code> again.</p>');
+        clearTimeout(timeout);
+        reject(new Error('Login callback state mismatch.'));
+        return;
+      }
+
+      if (error) {
+        sendHtml(res, 400, 'Login Failed', `<p>${error}</p><p>Close this window and run <code>npx @createlex/figma-swiftui-mcp login</code> again.</p>`);
+        clearTimeout(timeout);
+        reject(new Error(error));
+        return;
+      }
+
+      if (!hasSubscription) {
+        sendHtml(res, 403, 'Subscription Required', '<p>Your CreateLex account does not have an active subscription for figma-swiftui.</p>');
+        clearTimeout(timeout);
+        reject(new Error('Active CreateLex subscription required for figma-swiftui.'));
+        return;
+      }
+
+      const validation = validateTokenFormat(token);
+      if (!validation.valid) {
+        sendHtml(res, 400, 'Login Failed', '<p>The returned CreateLex token was invalid.</p>');
+        clearTimeout(timeout);
+        reject(new Error(`Returned token invalid: ${validation.reason}`));
+        return;
+      }
+
+      saveAuth({
+        token,
+        refreshToken,
+        refresh_token: refreshToken,
+        userId,
+        email,
+        apiBaseUrl,
+        savedAt: new Date().toISOString(),
+      });
+
+      sendHtml(
+        res,
+        200,
+        'Login Successful',
+        `<p>You are now signed in to CreateLex for <code>figma-swiftui</code>.</p>
+         <p>Auth file written to <code>${AUTH_FILE}</code>.</p>
+         <p>You can close this window and return to Terminal.</p>`
+      );
+
+      clearTimeout(timeout);
+      resolve({ userId, email });
+    });
+
+    server.listen(0, '127.0.0.1', () => {
+      const address = server.address();
+      if (!address || typeof address === 'string') {
+        clearTimeout(timeout);
+        reject(new Error('Failed to determine local login callback port.'));
+        return;
+      }
+
+      const callbackUrl = `http://127.0.0.1:${address.port}/callback`;
+      const loginUrl = `${webBaseUrl}/api/mcp/figma-swiftui/login?callback_url=${encodeURIComponent(callbackUrl)}&state=${encodeURIComponent(state)}`;
+
+      console.log(noOpen ? 'CreateLex login URL:' : 'Opening CreateLex login in your browser...');
+      console.log(`If the browser does not open, visit:\n${loginUrl}\n`);
+      if (!noOpen) {
+        try {
+          openBrowser(loginUrl);
+        } catch (error) {
+          console.warn(`Could not open browser automatically: ${error.message}`);
+        }
+      }
+    });
+  });
+
+  try {
+    const result = await completion;
+    console.log(`CreateLex login saved for ${result.email || result.userId || 'unknown-user'}.`);
+    console.log(`Auth file: ${AUTH_FILE}`);
+  } finally {
+    await new Promise((resolve) => server?.close(() => resolve()));
+  }
+}
+
+main().catch((error) => {
+  console.error(`CreateLex login failed: ${error.message}`);
+  process.exit(1);
+});