@every-env/spiral-cli 0.2.0 → 1.0.0

package/src/auth.ts

@@ -1,245 +1,80 @@
-import { getCookies } from "@steipete/sweet-cookie";
-import { config } from "./config";
-import { AuthenticationError } from "./types";
-
-const SPIRAL_DOMAIN = "app.writewithspiral.com";
-const SPIRAL_URL = `https://${SPIRAL_DOMAIN}`;
-const PAT_PREFIX = "spiral_sk_";
-
-// Supported browsers for cookie extraction
-const SUPPORTED_BROWSERS = ["safari", "chrome", "firefox"] as const;
-type Browser = (typeof SUPPORTED_BROWSERS)[number];
-
-// In-memory cache (per performance review - avoids Keychain latency)
-let tokenCache: { token: string; expiresAt: number } | null = null;
-
-/**
- * Parse JWT expiry without external dependencies
- * @security Never log the full token
- */
-function getTokenExpiry(token: string): number {
-  try {
-    const parts = token.split(".");
-    const payloadB64 = parts[1];
-    if (!payloadB64) return 0;
-    const payload = JSON.parse(atob(payloadB64));
-    return payload.exp ? payload.exp * 1000 : 0;
-  } catch {
-    return 0; // Treat as expired if unparseable
-  }
-}
-
-/**
- * Check if token is expired (with 5s buffer)
- * Note: Clerk tokens are short-lived (60s) and refresh automatically
- */
-function isTokenExpired(token: string): boolean {
-  const expiry = getTokenExpiry(token);
-  const now = Date.now();
-  // Use 5s buffer instead of 60s since Clerk tokens refresh frequently
-  const isExpired = expiry === 0 || now >= expiry - 5_000;
-
-  if (process.env.DEBUG) {
-    console.debug("Token expiry check:", {
-      expiry: expiry ? new Date(expiry).toISOString() : "none",
-      now: new Date(now).toISOString(),
-      isExpired,
-      tokenPreview: `${token.substring(0, 50)}...`,
-    });
-  }
-
-  return isExpired;
-}
+import { input, password } from "@inquirer/prompts";
+import { theme } from "./theme.js";
+import { getStoredAuth, storeAuth, clearAuth } from "./config.js";
+import { AuthenticationError } from "./types.js";
 
 /**
- * Extract Spiral session from browser cookies
- * Tries Safari, Chrome, Firefox in order
- * @throws AuthenticationError if no session found
- * @security Requires Full Disk Access on macOS Sonoma+
+ * Get auth token. Priority: SPIRAL_TOKEN env → stored PAT → throw.
  */
-export async function extractSpiralAuth(): Promise<string> {
-  // Try each browser until we find a valid session
-  for (const browser of SUPPORTED_BROWSERS) {
-    try {
-      const { cookies, warnings } = await getCookies({
-        url: `https://${SPIRAL_DOMAIN}/`,
-        names: ["__session"],
-        browsers: [browser],
-      });
+export function getAuthToken(): string {
+  const envToken = process.env["SPIRAL_TOKEN"];
+  if (envToken) return envToken;
 
-      if (warnings.length > 0 && process.env.DEBUG) {
-        console.debug(`Cookie extraction warnings (${browser}):`, warnings.length);
-      }
-
-      const sessionCookie = cookies.find((c) => c.name === "__session");
-      if (sessionCookie?.value) {
-        if (process.env.DEBUG) {
-          console.debug(`Found session cookie in ${browser}`);
-        }
-        return sessionCookie.value;
-      }
-    } catch (error) {
-      if (process.env.DEBUG) {
-        console.debug(`Failed to extract from ${browser}:`, (error as Error).message);
-      }
-      // Continue to next browser
-    }
-  }
+  const stored = getStoredAuth();
+  if (stored?.token) return stored.token;
 
   throw new AuthenticationError(
-    "No Spiral session found in any browser.\n" +
-      "Please log in at https://app.writewithspiral.com in Safari, Chrome, or Firefox.\n" +
-      "Note: Full Disk Access may be required in System Preferences.",
+    "Not authenticated. Run `spiral auth login` or set SPIRAL_TOKEN.",
   );
 }
 
 /**
- * Check if a token is a PAT (Personal Access Token)
- */
-function isPAT(token: string): boolean {
-  return token.startsWith(PAT_PREFIX);
-}
-
-/**
- * Get stored PAT from config
- */
-export function getStoredPAT(): string | null {
-  const auth = config.get("auth");
-  return auth?.token || null;
-}
-
-/**
- * Store PAT in config
- */
-export function storePAT(token: string): void {
-  if (!isPAT(token)) {
-    throw new AuthenticationError(
-      `Invalid API key format. Keys should start with "${PAT_PREFIX}"`,
-    );
-  }
-
-  config.set("auth", {
-    token,
-    tokenPrefix: `${token.substring(0, 16)}...`,
-    createdAt: new Date().toISOString(),
-  });
-
-  // Clear any cached JWT
-  clearTokenCache();
-}
-
-/**
- * Clear stored PAT
- */
-export function clearStoredPAT(): void {
-  config.delete("auth");
-  clearTokenCache();
-}
-
-/**
- * Get auth status info
+ * Store a PAT token (interactive or via --token flag).
  */
-export function getAuthStatus(): {
-  method: "pat" | "browser" | "env" | "none";
-  tokenPrefix?: string;
-  createdAt?: string;
-} {
-  // Check env first
-  if (process.env.SPIRAL_TOKEN) {
-    const token = process.env.SPIRAL_TOKEN;
-    return {
-      method: "env",
-      tokenPrefix: isPAT(token) ? `${token.substring(0, 16)}...` : "JWT token",
-    };
+export async function login(tokenArg?: string): Promise<void> {
+  const token =
+    tokenArg ??
+    (await password({
+      message: "Paste your Spiral API key (spiral_sk_...):",
+      mask: "*",
+      validate: (v) =>
+        v.startsWith("spiral_sk_") || "Token must start with spiral_sk_",
+    }));
+
+  if (!token.startsWith("spiral_sk_")) {
+    throw new AuthenticationError("Token must start with spiral_sk_");
   }
 
-  // Check stored PAT
-  const auth = config.get("auth");
-  if (auth?.token) {
-    return {
-      method: "pat",
-      tokenPrefix: auth.tokenPrefix,
-      createdAt: auth.createdAt,
-    };
-  }
-
-  return { method: "none" };
+  storeAuth(token);
+  console.log(theme.success("✓ API key stored successfully."));
+  console.log(theme.dim(`  Prefix: ${token.slice(0, 14)}...`));
 }
 
 /**
- * Get valid auth token (from env, stored PAT, cache, or browser)
- * @security Uses in-memory cache, re-extracts on expiry
+ * Show current auth status.
  */
-export async function getAuthToken(): Promise<string> {
-  // 0. Check for explicit token in environment (for CI/scripts)
-  const envToken = process.env.SPIRAL_TOKEN;
+export function showStatus(): void {
+  const envToken = process.env["SPIRAL_TOKEN"];
   if (envToken) {
-    if (process.env.DEBUG) {
-      console.debug("Using SPIRAL_TOKEN from environment");
-    }
-    return envToken;
-  }
-
-  // 1. Check for stored PAT (long-lived, doesn't expire)
-  const storedPAT = getStoredPAT();
-  if (storedPAT) {
-    if (process.env.DEBUG) {
-      console.debug("Using stored PAT from config");
-    }
-    return storedPAT;
-  }
-
-  // 2. Check in-memory cache for JWT (0ms vs 50-200ms disk access)
-  if (tokenCache && !isTokenExpired(tokenCache.token)) {
-    return tokenCache.token;
+    console.log(theme.success("✓ Authenticated via SPIRAL_TOKEN env var"));
+    console.log(theme.dim(`  Prefix: ${envToken.slice(0, 14)}...`));
+    return;
   }
 
-  // 3. Extract fresh JWT token from browser cookies
-  const token = await extractSpiralAuth();
-
-  // 4. Check if JWT token is expired
-  if (isTokenExpired(token)) {
-    throw new AuthenticationError(
-      "Session token has expired.\n\n" +
-        "To fix this, either:\n" +
-        "  1. Run `spiral auth login` and enter your API key\n" +
-        "  2. Open https://app.writewithspiral.com in your browser and refresh\n\n" +
-        "Get an API key at: https://app.writewithspiral.com → Account → API Keys",
-    );
+  const stored = getStoredAuth();
+  if (stored?.token) {
+    console.log(theme.success("✓ Authenticated via stored API key"));
+    console.log(theme.dim(`  Prefix: ${stored.tokenPrefix}`));
+    console.log(theme.dim(`  Stored: ${stored.createdAt}`));
+    return;
   }
 
-  // 5. Cache for future calls in this process
-  tokenCache = { token, expiresAt: getTokenExpiry(token) };
-  return token;
-}
-
-/**
- * Clear the in-memory token cache
- */
-export function clearTokenCache(): void {
-  tokenCache = null;
+  console.log(theme.warning("✗ Not authenticated"));
+  console.log(theme.dim("  Run `spiral auth login` or set SPIRAL_TOKEN."));
 }
 
 /**
- * Sanitize error messages to prevent token leakage
- * @security CRITICAL - tokens must never appear in logs/errors
+ * Clear stored credentials.
  */
-export function sanitizeError(error: Error, token?: string): string {
-  let message = error.message;
-  if (token) {
-    // Remove any occurrence of the full token
-    message = message.replace(new RegExp(escapeRegex(token), "g"), "[REDACTED]");
-    // Also redact partial tokens (first 20 chars)
-    if (token.length > 20) {
-      message = message.replace(new RegExp(escapeRegex(token.substring(0, 20)), "g"), "[REDACTED]");
-    }
-  }
-  return message;
+export function logout(): void {
+  clearAuth();
+  console.log(theme.success("✓ Stored credentials cleared."));
 }
 
 /**
- * Escape special regex characters in a string
+ * Sanitize error messages to prevent token leakage.
  */
-function escapeRegex(str: string): string {
-  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+export function sanitizeError(error: unknown): string {
+  const msg = error instanceof Error ? error.message : String(error);
+  return msg.replace(/spiral_sk_[a-zA-Z0-9_-]+/g, "spiral_sk_***");
 }