@crewai-ts/core 0.1.12 → 0.2.0

package/dist/auth.cjs

@@ -0,0 +1,598 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/auth.ts
+var auth_exports = {};
+__export(auth_exports, {
+  ALGORITHMS: () => ALGORITHMS,
+  Auth0Provider: () => Auth0Provider,
+  AuthError: () => AuthError,
+  AuthenticationCommand: () => AuthenticationCommand,
+  BaseProvider: () => BaseProvider,
+  EntraIdProvider: () => EntraIdProvider,
+  KeycloakProvider: () => KeycloakProvider,
+  Oauth2Settings: () => Oauth2Settings,
+  OktaProvider: () => OktaProvider,
+  ProviderFactory: () => ProviderFactory,
+  TokenManager: () => TokenManager,
+  WorkosProvider: () => WorkosProvider,
+  constantTimeEquals: () => constantTimeEquals,
+  createTemporaryTokenStorage: () => createTemporaryTokenStorage,
+  getAuthToken: () => getAuthToken,
+  get_auth_token: () => get_auth_token,
+  validateJwtToken: () => validateJwtToken,
+  validate_jwt_token: () => validate_jwt_token
+});
+module.exports = __toCommonJS(auth_exports);
+var import_node_fs = require("fs");
+var import_node_fs2 = require("fs");
+var import_node_os = require("os");
+var import_node_path = require("path");
+var import_node_crypto = require("crypto");
+var ALGORITHMS = ["RS256"];
+var AuthError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "AuthError";
+  }
+};
+var TokenManager = class {
+  filePath;
+  file_path;
+  storageDir;
+  storage_dir;
+  key;
+  constructor(filePathOrOptions = "tokens.enc") {
+    const options = typeof filePathOrOptions === "string" ? { filePath: filePathOrOptions } : filePathOrOptions;
+    this.filePath = options.filePath ?? options.file_path ?? "tokens.enc";
+    this.file_path = this.filePath;
+    this.storageDir = options.storageDir ?? options.storage_dir ?? getSecureStoragePath();
+    this.storage_dir = this.storageDir;
+    (0, import_node_fs.mkdirSync)(this.storageDir, { recursive: true, mode: 448 });
+    this.key = this.getOrCreateKey();
+  }
+  saveTokens(accessToken, expiresAt) {
+    const data = {
+      access_token: accessToken,
+      expiration: new Date(expiresAt * 1e3).toISOString()
+    };
+    this.atomicWriteSecureFile(this.filePath, encryptJson(data, this.key));
+  }
+  save_tokens(accessToken, expiresAt) {
+    this.saveTokens(accessToken, expiresAt);
+  }
+  getToken() {
+    const encrypted = this.readSecureFile(this.filePath);
+    if (!encrypted) {
+      return null;
+    }
+    const data = decryptJson(encrypted, this.key);
+    const expiration = Date.parse(data.expiration);
+    if (!Number.isFinite(expiration) || expiration <= Date.now()) {
+      return null;
+    }
+    return data.access_token;
+  }
+  get_token() {
+    return this.getToken();
+  }
+  clearTokens() {
+    this.deleteSecureFile(this.filePath);
+  }
+  clear_tokens() {
+    this.clearTokens();
+  }
+  getOrCreateKey() {
+    const key = this.readSecureFile("secret.key");
+    if (key && key.length === 32) {
+      return key;
+    }
+    const newKey = (0, import_node_crypto.randomBytes)(32);
+    if (this.atomicCreateSecureFile("secret.key", newKey)) {
+      return newKey;
+    }
+    const retryKey = this.readSecureFile("secret.key");
+    if (retryKey && retryKey.length === 32) {
+      return retryKey;
+    }
+    throw new Error("Failed to create or read encryption key");
+  }
+  atomicCreateSecureFile(filename, content) {
+    const path = (0, import_node_path.join)(this.storageDir, filename);
+    try {
+      const fd = (0, import_node_fs.openSync)(path, "wx", 384);
+      (0, import_node_fs.writeFileSync)(fd, content);
+      return true;
+    } catch (error) {
+      if (error instanceof Error && "code" in error && error.code === "EEXIST") {
+        return false;
+      }
+      throw error;
+    }
+  }
+  atomicWriteSecureFile(filename, content) {
+    const tempPath = (0, import_node_path.join)(this.storageDir, `.${filename}.${(0, import_node_crypto.randomBytes)(8).toString("hex")}`);
+    const finalPath = (0, import_node_path.join)(this.storageDir, filename);
+    (0, import_node_fs.writeFileSync)(tempPath, content, { mode: 384 });
+    (0, import_node_fs.renameSync)(tempPath, finalPath);
+  }
+  readSecureFile(filename) {
+    const path = (0, import_node_path.join)(this.storageDir, filename);
+    return (0, import_node_fs.existsSync)(path) ? (0, import_node_fs.readFileSync)(path) : null;
+  }
+  deleteSecureFile(filename) {
+    (0, import_node_fs.rmSync)((0, import_node_path.join)(this.storageDir, filename), { force: true });
+  }
+};
+function getAuthToken(tokenManager = new TokenManager()) {
+  const accessToken = tokenManager.getToken();
+  if (!accessToken) {
+    throw new AuthError("No token found, make sure you are logged in");
+  }
+  return accessToken;
+}
+var get_auth_token = getAuthToken;
+var Oauth2Settings = class _Oauth2Settings {
+  provider;
+  clientId;
+  client_id;
+  domain;
+  audience;
+  extra;
+  constructor(options) {
+    const clientId = options.clientId ?? options.client_id;
+    if (!clientId) {
+      throw new Error("Oauth2Settings requires clientId.");
+    }
+    this.provider = options.provider;
+    this.clientId = clientId;
+    this.client_id = clientId;
+    this.domain = options.domain;
+    this.audience = options.audience ?? null;
+    this.extra = { ...options.extra ?? {} };
+  }
+  static fromSettings(settings) {
+    return new _Oauth2Settings(settings);
+  }
+  static from_settings(settings) {
+    return _Oauth2Settings.fromSettings(settings);
+  }
+};
+var BaseProvider = class {
+  settings;
+  constructor(settings) {
+    this.settings = settings;
+  }
+  get_authorize_url() {
+    return this.getAuthorizeUrl();
+  }
+  get_token_url() {
+    return this.getTokenUrl();
+  }
+  get_jwks_url() {
+    return this.getJwksUrl();
+  }
+  get_issuer() {
+    return this.getIssuer();
+  }
+  get_audience() {
+    return this.getAudience();
+  }
+  get_client_id() {
+    return this.getClientId();
+  }
+  getRequiredFields() {
+    return [];
+  }
+  get_required_fields() {
+    return this.getRequiredFields();
+  }
+  getOauthScopes() {
+    return ["openid", "profile", "email"];
+  }
+  get_oauth_scopes() {
+    return this.getOauthScopes();
+  }
+};
+var Auth0Provider = class extends BaseProvider {
+  getAuthorizeUrl() {
+    return `https://${this.domain()}/oauth/device/code`;
+  }
+  getTokenUrl() {
+    return `https://${this.domain()}/oauth/token`;
+  }
+  getJwksUrl() {
+    return `https://${this.domain()}/.well-known/jwks.json`;
+  }
+  getIssuer() {
+    return `https://${this.domain()}/`;
+  }
+  getAudience() {
+    return required(this.settings.audience, "Audience");
+  }
+  getClientId() {
+    return this.settings.clientId;
+  }
+  domain() {
+    return required(this.settings.domain, "Domain");
+  }
+};
+var WorkosProvider = class extends BaseProvider {
+  getAuthorizeUrl() {
+    return `https://${this.domain()}/oauth2/device_authorization`;
+  }
+  getTokenUrl() {
+    return `https://${this.domain()}/oauth2/token`;
+  }
+  getJwksUrl() {
+    return `https://${this.domain()}/oauth2/jwks`;
+  }
+  getIssuer() {
+    return `https://${this.domain()}`;
+  }
+  getAudience() {
+    return this.settings.audience ?? "";
+  }
+  getClientId() {
+    return this.settings.clientId;
+  }
+  domain() {
+    return required(this.settings.domain, "Domain");
+  }
+};
+var EntraIdProvider = class extends BaseProvider {
+  getAuthorizeUrl() {
+    return `${this.baseUrl()}/oauth2/v2.0/devicecode`;
+  }
+  getTokenUrl() {
+    return `${this.baseUrl()}/oauth2/v2.0/token`;
+  }
+  getJwksUrl() {
+    return `${this.baseUrl()}/discovery/v2.0/keys`;
+  }
+  getIssuer() {
+    return `${this.baseUrl()}/v2.0`;
+  }
+  getAudience() {
+    return required(this.settings.audience, "Audience");
+  }
+  getClientId() {
+    return this.settings.clientId;
+  }
+  getOauthScopes() {
+    return [...super.getOauthScopes(), ...stringFromUnknown(this.settings.extra.scope).split(/\s+/).filter(Boolean)];
+  }
+  getRequiredFields() {
+    return ["scope"];
+  }
+  baseUrl() {
+    return `https://login.microsoftonline.com/${this.settings.domain}`;
+  }
+};
+var KeycloakProvider = class extends BaseProvider {
+  getAuthorizeUrl() {
+    return `${this.baseUrl()}/realms/${String(this.settings.extra.realm)}/protocol/openid-connect/auth/device`;
+  }
+  getTokenUrl() {
+    return `${this.baseUrl()}/realms/${String(this.settings.extra.realm)}/protocol/openid-connect/token`;
+  }
+  getJwksUrl() {
+    return `${this.baseUrl()}/realms/${String(this.settings.extra.realm)}/protocol/openid-connect/certs`;
+  }
+  getIssuer() {
+    return `${this.baseUrl()}/realms/${String(this.settings.extra.realm)}`;
+  }
+  getAudience() {
+    return this.settings.audience ?? "no-audience-provided";
+  }
+  getClientId() {
+    return this.settings.clientId;
+  }
+  getRequiredFields() {
+    return ["realm"];
+  }
+  baseUrl() {
+    return `https://${this.settings.domain.replace(/^https?:\/\//, "")}`;
+  }
+};
+var OktaProvider = class extends BaseProvider {
+  getAuthorizeUrl() {
+    return `${this.baseUrl()}/v1/device/authorize`;
+  }
+  getTokenUrl() {
+    return `${this.baseUrl()}/v1/token`;
+  }
+  getJwksUrl() {
+    return `${this.baseUrl()}/v1/keys`;
+  }
+  getIssuer() {
+    return this.baseUrl().replace(/\/oauth2$/, "");
+  }
+  getAudience() {
+    return required(this.settings.audience, "Audience");
+  }
+  getClientId() {
+    return this.settings.clientId;
+  }
+  getRequiredFields() {
+    return ["authorization_server_name", "using_org_auth_server"];
+  }
+  baseUrl() {
+    return this.settings.extra.using_org_auth_server ? `https://${this.settings.domain}/oauth2` : `https://${this.settings.domain}/oauth2/${stringFromUnknown(this.settings.extra.authorization_server_name, "default")}`;
+  }
+};
+var providerRegistry = /* @__PURE__ */ new Map([
+  ["auth0", Auth0Provider],
+  ["workos", WorkosProvider],
+  ["entra_id", EntraIdProvider],
+  ["okta", OktaProvider],
+  ["keycloak", KeycloakProvider]
+]);
+var ProviderFactory = {
+  register(provider, providerClass) {
+    providerRegistry.set(provider.toLowerCase(), providerClass);
+  },
+  fromSettings(settings) {
+    const providerClass = providerRegistry.get(settings.provider.toLowerCase());
+    if (!providerClass) {
+      throw new Error(`Unsupported OAuth2 provider: ${settings.provider}`);
+    }
+    return new providerClass(settings);
+  },
+  from_settings(settings) {
+    return ProviderFactory.fromSettings(settings);
+  }
+};
+var AuthenticationCommand = class {
+  tokenManager;
+  token_manager;
+  oauth2Provider;
+  oauth2_provider;
+  fetchImpl;
+  openBrowser;
+  maxAttempts;
+  constructor(options = {}) {
+    this.tokenManager = options.tokenManager ?? options.token_manager ?? new TokenManager();
+    this.token_manager = this.tokenManager;
+    this.oauth2Provider = options.oauth2Provider ?? options.oauth2_provider ?? ProviderFactory.fromSettings(defaultOauth2Settings());
+    this.oauth2_provider = this.oauth2Provider;
+    this.fetchImpl = options.fetch ?? fetch;
+    this.openBrowser = options.openBrowser ?? options.open_browser ?? (() => void 0);
+    this.maxAttempts = options.maxAttempts ?? options.max_attempts ?? 10;
+  }
+  async login() {
+    const deviceCodeData = await this.getDeviceCode();
+    this.displayAuthInstructions(deviceCodeData);
+    await this.pollForToken(deviceCodeData);
+  }
+  async getDeviceCode() {
+    const response = await this.fetchImpl(this.oauth2Provider.getAuthorizeUrl(), {
+      method: "POST",
+      body: formBody({
+        client_id: this.oauth2Provider.getClientId(),
+        scope: this.oauth2Provider.getOauthScopes().join(" "),
+        audience: this.oauth2Provider.getAudience()
+      })
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to get device code: ${String(response.status)}`);
+    }
+    return await response.json();
+  }
+  displayAuthInstructions(deviceCodeData) {
+    const verificationUri = deviceCodeData.verification_uri_complete ?? deviceCodeData.verification_uri ?? "";
+    if (verificationUri) {
+      this.openBrowser(verificationUri);
+    }
+  }
+  async pollForToken(deviceCodeData) {
+    const tokenPayload = {
+      grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+      device_code: deviceCodeData.device_code,
+      client_id: this.oauth2Provider.getClientId()
+    };
+    for (let attempt = 0; attempt < this.maxAttempts; attempt += 1) {
+      const response = await this.fetchImpl(this.oauth2Provider.getTokenUrl(), {
+        method: "POST",
+        body: formBody(tokenPayload)
+      });
+      const tokenData = await response.json();
+      if (response.ok && tokenData.access_token) {
+        await this.validateAndSaveToken(tokenData.access_token);
+        return;
+      }
+      if (tokenData.error !== "authorization_pending" && tokenData.error !== "slow_down") {
+        throw new Error(tokenData.error_description ?? tokenData.error ?? "OAuth2 token polling failed");
+      }
+      await sleep((deviceCodeData.interval ?? 1) * 1e3);
+    }
+    throw new Error("Timeout: Failed to get the token. Please try again.");
+  }
+  async validateAndSaveToken(jwtToken) {
+    const decoded = await validateJwtToken({
+      jwtToken,
+      jwksUrl: this.oauth2Provider.getJwksUrl(),
+      issuer: this.oauth2Provider.getIssuer(),
+      audience: this.oauth2Provider.getAudience(),
+      fetch: this.fetchImpl
+    });
+    const expiresAt = Number(decoded.exp ?? 0);
+    this.tokenManager.saveTokens(jwtToken, expiresAt);
+  }
+};
+async function validateJwtToken(options) {
+  const jwtToken = options.jwtToken ?? options.jwt_token;
+  const jwksUrl = options.jwksUrl ?? options.jwks_url;
+  if (!jwtToken) {
+    throw new Error("jwtToken is required.");
+  }
+  if (!jwksUrl) {
+    throw new Error("jwksUrl is required.");
+  }
+  const [encodedHeader, encodedPayload, encodedSignature] = jwtToken.split(".");
+  if (!encodedHeader || !encodedPayload || !encodedSignature) {
+    throw new Error("Invalid token: expected a JWS compact token.");
+  }
+  const header = parseJwtPart(encodedHeader);
+  const payload = parseJwtPart(encodedPayload);
+  if (header.alg !== "RS256") {
+    throw new Error(`Invalid token algorithm: ${String(header.alg)}`);
+  }
+  const jwksResponse = await (options.fetch ?? fetch)(jwksUrl);
+  if (!jwksResponse.ok) {
+    throw new Error(`JWKS or key processing error: ${String(jwksResponse.status)}`);
+  }
+  const jwks = await jwksResponse.json();
+  const key = jwks.keys?.find((candidate) => candidate.kid === header.kid) ?? jwks.keys?.[0];
+  if (!key) {
+    throw new Error("JWKS or key processing error: no matching key found");
+  }
+  const publicKey = (0, import_node_crypto.createPublicKey)({ key, format: "jwk" });
+  const valid = (0, import_node_crypto.verify)(
+    "RSA-SHA256",
+    Buffer.from(`${encodedHeader}.${encodedPayload}`),
+    publicKey,
+    base64urlDecode(encodedSignature)
+  );
+  if (!valid) {
+    throw new Error("Invalid token: signature verification failed");
+  }
+  validateJwtClaims(payload, options.issuer, options.audience, options.leewaySeconds ?? options.leeway_seconds ?? 10);
+  return payload;
+}
+var validate_jwt_token = validateJwtToken;
+function defaultOauth2Settings() {
+  return new Oauth2Settings({
+    provider: process.env.CREWAI_OAUTH2_PROVIDER ?? "workos",
+    clientId: process.env.CREWAI_OAUTH2_CLIENT_ID ?? "crewai-cli",
+    domain: process.env.CREWAI_OAUTH2_DOMAIN ?? "login.crewai.com",
+    audience: process.env.CREWAI_OAUTH2_AUDIENCE ?? null
+  });
+}
+function getSecureStoragePath() {
+  if (process.env.CREWAI_TS_CREDENTIALS_DIR) {
+    return process.env.CREWAI_TS_CREDENTIALS_DIR;
+  }
+  if (process.platform === "win32" && process.env.LOCALAPPDATA) {
+    return (0, import_node_path.join)(process.env.LOCALAPPDATA, "crewai", "credentials");
+  }
+  if (process.platform === "darwin") {
+    return (0, import_node_path.join)((0, import_node_os.homedir)(), "Library", "Application Support", "crewai", "credentials");
+  }
+  return (0, import_node_path.join)((0, import_node_os.homedir)(), ".local", "share", "crewai", "credentials");
+}
+function createTemporaryTokenStorage() {
+  return (0, import_node_fs2.mkdtempSync)((0, import_node_path.join)((0, import_node_os.tmpdir)(), "crewai-ts-token-"));
+}
+function encryptJson(value, key) {
+  const iv = (0, import_node_crypto.randomBytes)(12);
+  const cipher = (0, import_node_crypto.createCipheriv)("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(value), "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([Buffer.from("v1:"), iv, tag, ciphertext]);
+}
+function decryptJson(encrypted, key) {
+  const prefix = encrypted.subarray(0, 3).toString();
+  if (prefix !== "v1:") {
+    throw new Error("Unsupported token file format.");
+  }
+  const iv = encrypted.subarray(3, 15);
+  const tag = encrypted.subarray(15, 31);
+  const ciphertext = encrypted.subarray(31);
+  const decipher = (0, import_node_crypto.createDecipheriv)("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  return JSON.parse(Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8"));
+}
+function formBody(data) {
+  const params = new URLSearchParams();
+  for (const [key, value] of Object.entries(data)) {
+    params.set(key, value);
+  }
+  return params;
+}
+function sleep(ms) {
+  return new Promise((resolve) => {
+    setTimeout(resolve, ms);
+  });
+}
+function parseJwtPart(part) {
+  return JSON.parse(base64urlDecode(part).toString("utf8"));
+}
+function base64urlDecode(value) {
+  return Buffer.from(value.replaceAll("-", "+").replaceAll("_", "/"), "base64");
+}
+function validateJwtClaims(payload, issuer, audience, leewaySeconds) {
+  const now = Math.floor(Date.now() / 1e3);
+  for (const claim of ["exp", "iat", "iss", "aud", "sub"]) {
+    if (!(claim in payload)) {
+      throw new Error(`Token is missing required claims: ${claim}`);
+    }
+  }
+  if (Number(payload.exp) + leewaySeconds <= now) {
+    throw new Error("Token has expired.");
+  }
+  if (Number(payload.nbf ?? 0) - leewaySeconds > now) {
+    throw new Error("Invalid token: not before claim is in the future");
+  }
+  if (Number(payload.iat) - leewaySeconds > now) {
+    throw new Error("Invalid token: issued at claim is in the future");
+  }
+  if (payload.iss !== issuer) {
+    throw new Error(`Invalid token issuer. Got: '${String(payload.iss)}'. Expected: '${issuer}'`);
+  }
+  const audiences = Array.isArray(payload.aud) ? payload.aud.map(String) : [String(payload.aud)];
+  if (!audiences.includes(audience)) {
+    throw new Error(`Invalid token audience. Got: '${audiences.join(",")}'. Expected: '${audience}'`);
+  }
+}
+function required(value, name) {
+  if (!value) {
+    throw new Error(`${name} is required. Please set it in the configuration.`);
+  }
+  return value;
+}
+function stringFromUnknown(value, fallback = "") {
+  return typeof value === "string" ? value : fallback;
+}
+function constantTimeEquals(left, right) {
+  const leftHash = (0, import_node_crypto.createHash)("sha256").update(left).digest();
+  const rightHash = (0, import_node_crypto.createHash)("sha256").update(right).digest();
+  return (0, import_node_crypto.timingSafeEqual)(leftHash, rightHash);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ALGORITHMS,
+  Auth0Provider,
+  AuthError,
+  AuthenticationCommand,
+  BaseProvider,
+  EntraIdProvider,
+  KeycloakProvider,
+  Oauth2Settings,
+  OktaProvider,
+  ProviderFactory,
+  TokenManager,
+  WorkosProvider,
+  constantTimeEquals,
+  createTemporaryTokenStorage,
+  getAuthToken,
+  get_auth_token,
+  validateJwtToken,
+  validate_jwt_token
+});

package/dist/auth.js

@@ -0,0 +1,40 @@
+import {
+  ALGORITHMS,
+  Auth0Provider,
+  AuthError,
+  AuthenticationCommand,
+  BaseProvider,
+  EntraIdProvider,
+  KeycloakProvider,
+  Oauth2Settings,
+  OktaProvider,
+  ProviderFactory,
+  TokenManager,
+  WorkosProvider,
+  constantTimeEquals,
+  createTemporaryTokenStorage,
+  getAuthToken,
+  get_auth_token,
+  validateJwtToken,
+  validate_jwt_token
+} from "./chunk-S477WFUT.js";
+export {
+  ALGORITHMS,
+  Auth0Provider,
+  AuthError,
+  AuthenticationCommand,
+  BaseProvider,
+  EntraIdProvider,
+  KeycloakProvider,
+  Oauth2Settings,
+  OktaProvider,
+  ProviderFactory,
+  TokenManager,
+  WorkosProvider,
+  constantTimeEquals,
+  createTemporaryTokenStorage,
+  getAuthToken,
+  get_auth_token,
+  validateJwtToken,
+  validate_jwt_token
+};