@every-env/spiral-cli 0.1.0 → 1.0.0

package/src/auth.ts

@@ -1,160 +1,80 @@
-import { getCookies } from "@steipete/sweet-cookie";
-import { AuthenticationError } from "./types";
-
-const SPIRAL_DOMAIN = "app.writewithspiral.com";
-const SPIRAL_URL = `https://${SPIRAL_DOMAIN}`;
-
-// Supported browsers for cookie extraction
-const SUPPORTED_BROWSERS = ["safari", "chrome", "firefox"] as const;
-type Browser = (typeof SUPPORTED_BROWSERS)[number];
-
-// In-memory cache (per performance review - avoids Keychain latency)
-let tokenCache: { token: string; expiresAt: number } | null = null;
-
-/**
- * Parse JWT expiry without external dependencies
- * @security Never log the full token
- */
-function getTokenExpiry(token: string): number {
-  try {
-    const parts = token.split(".");
-    const payloadB64 = parts[1];
-    if (!payloadB64) return 0;
-    const payload = JSON.parse(atob(payloadB64));
-    return payload.exp ? payload.exp * 1000 : 0;
-  } catch {
-    return 0; // Treat as expired if unparseable
-  }
-}
+import { input, password } from "@inquirer/prompts";
+import { theme } from "./theme.js";
+import { getStoredAuth, storeAuth, clearAuth } from "./config.js";
+import { AuthenticationError } from "./types.js";
 
 /**
- * Check if token is expired (with 5s buffer)
- * Note: Clerk tokens are short-lived (60s) and refresh automatically
+ * Get auth token. Priority: SPIRAL_TOKEN env → stored PAT → throw.
  */
-function isTokenExpired(token: string): boolean {
-  const expiry = getTokenExpiry(token);
-  const now = Date.now();
-  // Use 5s buffer instead of 60s since Clerk tokens refresh frequently
-  const isExpired = expiry === 0 || now >= expiry - 5_000;
+export function getAuthToken(): string {
+  const envToken = process.env["SPIRAL_TOKEN"];
+  if (envToken) return envToken;
 
-  if (process.env.DEBUG) {
-    console.debug("Token expiry check:", {
-      expiry: expiry ? new Date(expiry).toISOString() : "none",
-      now: new Date(now).toISOString(),
-      isExpired,
-      tokenPreview: `${token.substring(0, 50)}...`,
-    });
-  }
+  const stored = getStoredAuth();
+  if (stored?.token) return stored.token;
 
-  return isExpired;
+  throw new AuthenticationError(
+    "Not authenticated. Run `spiral auth login` or set SPIRAL_TOKEN.",
+  );
 }
 
 /**
- * Extract Spiral session from browser cookies
- * Tries Safari, Chrome, Firefox in order
- * @throws AuthenticationError if no session found
- * @security Requires Full Disk Access on macOS Sonoma+
+ * Store a PAT token (interactive or via --token flag).
  */
-export async function extractSpiralAuth(): Promise<string> {
-  // Try each browser until we find a valid session
-  for (const browser of SUPPORTED_BROWSERS) {
-    try {
-      const { cookies, warnings } = await getCookies({
-        url: `https://${SPIRAL_DOMAIN}/`,
-        names: ["__session"],
-        browsers: [browser],
-      });
-
-      if (warnings.length > 0 && process.env.DEBUG) {
-        console.debug(`Cookie extraction warnings (${browser}):`, warnings.length);
-      }
-
-      const sessionCookie = cookies.find((c) => c.name === "__session");
-      if (sessionCookie?.value) {
-        if (process.env.DEBUG) {
-          console.debug(`Found session cookie in ${browser}`);
-        }
-        return sessionCookie.value;
-      }
-    } catch (error) {
-      if (process.env.DEBUG) {
-        console.debug(`Failed to extract from ${browser}:`, (error as Error).message);
-      }
-      // Continue to next browser
-    }
+export async function login(tokenArg?: string): Promise<void> {
+  const token =
+    tokenArg ??
+    (await password({
+      message: "Paste your Spiral API key (spiral_sk_...):",
+      mask: "*",
+      validate: (v) =>
+        v.startsWith("spiral_sk_") || "Token must start with spiral_sk_",
+    }));
+
+  if (!token.startsWith("spiral_sk_")) {
+    throw new AuthenticationError("Token must start with spiral_sk_");
   }
 
-  throw new AuthenticationError(
-    "No Spiral session found in any browser.\n" +
-      "Please log in at https://app.writewithspiral.com in Safari, Chrome, or Firefox.\n" +
-      "Note: Full Disk Access may be required in System Preferences.",
-  );
+  storeAuth(token);
+  console.log(theme.success("✓ API key stored successfully."));
+  console.log(theme.dim(`  Prefix: ${token.slice(0, 14)}...`));
 }
 
 /**
- * Get valid auth token (from env, cache, or browser)
- * @security Uses in-memory cache, re-extracts on expiry
+ * Show current auth status.
  */
-export async function getAuthToken(): Promise<string> {
-  // 0. Check for explicit token in environment (for CI/scripts)
-  const envToken = process.env.SPIRAL_TOKEN;
+export function showStatus(): void {
+  const envToken = process.env["SPIRAL_TOKEN"];
   if (envToken) {
-    if (process.env.DEBUG) {
-      console.debug("Using SPIRAL_TOKEN from environment");
-    }
-    return envToken;
+    console.log(theme.success("✓ Authenticated via SPIRAL_TOKEN env var"));
+    console.log(theme.dim(`  Prefix: ${envToken.slice(0, 14)}...`));
+    return;
   }
 
-  // 1. Check in-memory cache first (0ms vs 50-200ms disk access)
-  if (tokenCache && !isTokenExpired(tokenCache.token)) {
-    return tokenCache.token;
-  }
-
-  // 2. Extract fresh token from browser cookies
-  const token = await extractSpiralAuth();
-
-  // 3. Check if token is expired
-  if (isTokenExpired(token)) {
-    throw new AuthenticationError(
-      "Session token has expired.\n\n" +
-        "To refresh: Open https://app.writewithspiral.com in your browser and refresh the page.\n" +
-        "The CLI will automatically pick up the fresh token.\n\n" +
-        "Tip: Keep a Spiral tab open while using the CLI for seamless token refresh.",
-    );
+  const stored = getStoredAuth();
+  if (stored?.token) {
+    console.log(theme.success("✓ Authenticated via stored API key"));
+    console.log(theme.dim(`  Prefix: ${stored.tokenPrefix}`));
+    console.log(theme.dim(`  Stored: ${stored.createdAt}`));
+    return;
   }
 
-  // 4. Cache for future calls in this process
-  tokenCache = { token, expiresAt: getTokenExpiry(token) };
-  return token;
+  console.log(theme.warning("✗ Not authenticated"));
+  console.log(theme.dim("  Run `spiral auth login` or set SPIRAL_TOKEN."));
 }
 
 /**
- * Clear the in-memory token cache
+ * Clear stored credentials.
  */
-export function clearTokenCache(): void {
-  tokenCache = null;
-}
-
-/**
- * Sanitize error messages to prevent token leakage
- * @security CRITICAL - tokens must never appear in logs/errors
- */
-export function sanitizeError(error: Error, token?: string): string {
-  let message = error.message;
-  if (token) {
-    // Remove any occurrence of the full token
-    message = message.replace(new RegExp(escapeRegex(token), "g"), "[REDACTED]");
-    // Also redact partial tokens (first 20 chars)
-    if (token.length > 20) {
-      message = message.replace(new RegExp(escapeRegex(token.substring(0, 20)), "g"), "[REDACTED]");
-    }
-  }
-  return message;
+export function logout(): void {
+  clearAuth();
+  console.log(theme.success("✓ Stored credentials cleared."));
 }
 
 /**
- * Escape special regex characters in a string
+ * Sanitize error messages to prevent token leakage.
  */
-function escapeRegex(str: string): string {
-  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+export function sanitizeError(error: unknown): string {
+  const msg = error instanceof Error ? error.message : String(error);
+  return msg.replace(/spiral_sk_[a-zA-Z0-9_-]+/g, "spiral_sk_***");
 }