@every-env/spiral-cli 0.1.0

package/src/auth.ts

@@ -0,0 +1,160 @@
+import { getCookies } from "@steipete/sweet-cookie";
+import { AuthenticationError } from "./types";
+
+const SPIRAL_DOMAIN = "app.writewithspiral.com";
+const SPIRAL_URL = `https://${SPIRAL_DOMAIN}`;
+
+// Supported browsers for cookie extraction
+const SUPPORTED_BROWSERS = ["safari", "chrome", "firefox"] as const;
+type Browser = (typeof SUPPORTED_BROWSERS)[number];
+
+// In-memory cache (per performance review - avoids Keychain latency)
+let tokenCache: { token: string; expiresAt: number } | null = null;
+
+/**
+ * Parse JWT expiry without external dependencies
+ * @security Never log the full token
+ */
+function getTokenExpiry(token: string): number {
+  try {
+    const parts = token.split(".");
+    const payloadB64 = parts[1];
+    if (!payloadB64) return 0;
+    const payload = JSON.parse(atob(payloadB64));
+    return payload.exp ? payload.exp * 1000 : 0;
+  } catch {
+    return 0; // Treat as expired if unparseable
+  }
+}
+
+/**
+ * Check if token is expired (with 5s buffer)
+ * Note: Clerk tokens are short-lived (60s) and refresh automatically
+ */
+function isTokenExpired(token: string): boolean {
+  const expiry = getTokenExpiry(token);
+  const now = Date.now();
+  // Use 5s buffer instead of 60s since Clerk tokens refresh frequently
+  const isExpired = expiry === 0 || now >= expiry - 5_000;
+
+  if (process.env.DEBUG) {
+    console.debug("Token expiry check:", {
+      expiry: expiry ? new Date(expiry).toISOString() : "none",
+      now: new Date(now).toISOString(),
+      isExpired,
+      tokenPreview: `${token.substring(0, 50)}...`,
+    });
+  }
+
+  return isExpired;
+}
+
+/**
+ * Extract Spiral session from browser cookies
+ * Tries Safari, Chrome, Firefox in order
+ * @throws AuthenticationError if no session found
+ * @security Requires Full Disk Access on macOS Sonoma+
+ */
+export async function extractSpiralAuth(): Promise<string> {
+  // Try each browser until we find a valid session
+  for (const browser of SUPPORTED_BROWSERS) {
+    try {
+      const { cookies, warnings } = await getCookies({
+        url: `https://${SPIRAL_DOMAIN}/`,
+        names: ["__session"],
+        browsers: [browser],
+      });
+
+      if (warnings.length > 0 && process.env.DEBUG) {
+        console.debug(`Cookie extraction warnings (${browser}):`, warnings.length);
+      }
+
+      const sessionCookie = cookies.find((c) => c.name === "__session");
+      if (sessionCookie?.value) {
+        if (process.env.DEBUG) {
+          console.debug(`Found session cookie in ${browser}`);
+        }
+        return sessionCookie.value;
+      }
+    } catch (error) {
+      if (process.env.DEBUG) {
+        console.debug(`Failed to extract from ${browser}:`, (error as Error).message);
+      }
+      // Continue to next browser
+    }
+  }
+
+  throw new AuthenticationError(
+    "No Spiral session found in any browser.\n" +
+      "Please log in at https://app.writewithspiral.com in Safari, Chrome, or Firefox.\n" +
+      "Note: Full Disk Access may be required in System Preferences.",
+  );
+}
+
+/**
+ * Get valid auth token (from env, cache, or browser)
+ * @security Uses in-memory cache, re-extracts on expiry
+ */
+export async function getAuthToken(): Promise<string> {
+  // 0. Check for explicit token in environment (for CI/scripts)
+  const envToken = process.env.SPIRAL_TOKEN;
+  if (envToken) {
+    if (process.env.DEBUG) {
+      console.debug("Using SPIRAL_TOKEN from environment");
+    }
+    return envToken;
+  }
+
+  // 1. Check in-memory cache first (0ms vs 50-200ms disk access)
+  if (tokenCache && !isTokenExpired(tokenCache.token)) {
+    return tokenCache.token;
+  }
+
+  // 2. Extract fresh token from browser cookies
+  const token = await extractSpiralAuth();
+
+  // 3. Check if token is expired
+  if (isTokenExpired(token)) {
+    throw new AuthenticationError(
+      "Session token has expired.\n\n" +
+        "To refresh: Open https://app.writewithspiral.com in your browser and refresh the page.\n" +
+        "The CLI will automatically pick up the fresh token.\n\n" +
+        "Tip: Keep a Spiral tab open while using the CLI for seamless token refresh.",
+    );
+  }
+
+  // 4. Cache for future calls in this process
+  tokenCache = { token, expiresAt: getTokenExpiry(token) };
+  return token;
+}
+
+/**
+ * Clear the in-memory token cache
+ */
+export function clearTokenCache(): void {
+  tokenCache = null;
+}
+
+/**
+ * Sanitize error messages to prevent token leakage
+ * @security CRITICAL - tokens must never appear in logs/errors
+ */
+export function sanitizeError(error: Error, token?: string): string {
+  let message = error.message;
+  if (token) {
+    // Remove any occurrence of the full token
+    message = message.replace(new RegExp(escapeRegex(token), "g"), "[REDACTED]");
+    // Also redact partial tokens (first 20 chars)
+    if (token.length > 20) {
+      message = message.replace(new RegExp(escapeRegex(token.substring(0, 20)), "g"), "[REDACTED]");
+    }
+  }
+  return message;
+}
+
+/**
+ * Escape special regex characters in a string
+ */
+function escapeRegex(str: string): string {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}