@faable/faable 1.5.33 → 1.7.0

package/dist/api/FaableApi.js

@@ -33,6 +33,13 @@ class FaableApi {
                 const res = e.response;
                 const url = e.config?.url || "";
                 if (res) {
+                    // Uniform handling for an expired/invalid session across every
+                    // command, regardless of which endpoint returned the 401.
+                    if (res.status === 401) {
+                        const expired = new Error("Your Faable session has expired or is invalid. Run `faable login` to sign in again.", { cause: error });
+                        expired.status = 401;
+                        throw expired;
+                    }
                     const serverMessage = res.data?.message || res.statusText || "Unknown Error";
                     const wrapped = new Error(`FaableApi ${url} ${res.status}: ${serverMessage}`, { cause: error });
                     // Surface the structured error contract (e.g. the repository-link

package/dist/api/auth.js

@@ -1,11 +1,24 @@
 import axios from 'axios';
+import os from 'os';
 
 const api = axios.create({ baseURL: "https://faable.auth.faable.link" });
 const CLIENT_ID = "c879023b-e34f-4b0c-a262-210e556bc2e4";
+const PLATFORM_LABELS = {
+    darwin: "macOS",
+    win32: "Windows",
+    linux: "Linux",
+};
+// Human-friendly device name shown on the auth confirm page so the user can
+// recognise which device they are authorising, e.g. "marcs-mbp (macOS)".
+function deviceName() {
+    const platform = PLATFORM_LABELS[os.platform()] || os.platform();
+    return `${os.hostname()} (${platform})`;
+}
 async function getDeviceCode() {
     const res = await api.post(`/oauth/device/code`, {
         client_id: CLIENT_ID,
         scope: "openid email profile offline_access",
+        device_name: deviceName(),
     });
     return res.data;
 }
@@ -22,5 +35,15 @@ async function getMe(access_token) {
     });
     return res.data;
 }
+// Exchange a refresh token for a fresh access token (and a rotated refresh
+// token). The CLI is a public client, so no client_secret is required.
+async function refreshToken(refresh_token) {
+    const res = await api.post(`/oauth/token`, {
+        grant_type: "refresh_token",
+        client_id: CLIENT_ID,
+        refresh_token,
+    });
+    return res.data;
+}
 
-export { getDeviceCode, getDeviceToken, getMe };
+export { getDeviceCode, getDeviceToken, getMe, refreshToken };

package/dist/api/context.js

@@ -4,6 +4,8 @@ import { getIDToken } from '@actions/core';
 import { oidc_strategy } from './strategies/oidc.strategy.js';
 import { bearer_strategy } from './strategies/bearer.strategy.js';
 import { CredentialsStore } from '../lib/CredentialsStore.js';
+import { loadLiveCredentials } from './session.js';
+import { log } from '../log.js';
 
 const context = async () => {
     let api;
@@ -25,7 +27,8 @@ const context = async () => {
     }
     else {
         const store = new CredentialsStore();
-        const config = await store.loadCredentials();
+        // Auto-refreshes an expired access token via the stored refresh_token.
+        const config = await loadLiveCredentials(store);
         if (config) {
             if (config.token) {
                 api = FaableApi.create({
@@ -47,5 +50,17 @@ const context = async () => {
         appId,
     };
 };
+// Resolve the API client for a command that needs an authenticated session.
+// Exits with a uniform message when there is no session at all. An expired
+// session that could not be refreshed still surfaces here as a working `api`
+// whose first call returns 401 — FaableApi maps that to the same re-login hint.
+const requireApi = async () => {
+    const ctx = await context();
+    if (!ctx.api) {
+        log.error("❌ Not logged in. Run 'faable login' first.");
+        process.exit(1);
+    }
+    return ctx;
+};
 
-export { context };
+export { context, requireApi };

package/dist/api/session.js

@@ -0,0 +1,55 @@
+import { CredentialsStore } from '../lib/CredentialsStore.js';
+import { refreshToken } from './auth.js';
+import { log } from '../log.js';
+
+// True when a stored JWT access token is still valid (has a future `exp`).
+// Anything we can't decode, or without `exp`, counts as NOT live — callers then
+// refresh or ask the user to re-login instead of trusting a dead token.
+const isTokenLive = (token) => {
+    try {
+        const [, payload] = token.split(".");
+        const claims = JSON.parse(Buffer.from(payload, "base64url").toString());
+        if (typeof claims.exp !== "number")
+            return false;
+        // 30s skew so a near-expired token is treated as dead and refreshed early.
+        return claims.exp * 1000 > Date.now() + 30_000;
+    }
+    catch {
+        return false;
+    }
+};
+// Load local credentials, transparently refreshing an expired (or near-expired)
+// access token using the stored refresh_token. The refreshed credentials are
+// persisted so the next command reuses them. Returns the (possibly refreshed)
+// config, or undefined when there are no local credentials.
+//
+// This is the single place the CLI resolves a local session, so every command
+// that goes through it gets auto-refresh for free. If the refresh fails (e.g.
+// the refresh token itself expired or was revoked) we return the stale config
+// and let the downstream 401 surface the uniform "session expired" error.
+const loadLiveCredentials = async (store = new CredentialsStore()) => {
+    const config = await store.loadCredentials();
+    if (!config)
+        return undefined;
+    const needsRefresh = !!config.token && !isTokenLive(config.token);
+    if (needsRefresh && config.refresh_token) {
+        try {
+            const refreshed = await refreshToken(config.refresh_token);
+            const next = {
+                ...config,
+                token: refreshed.access_token,
+                refresh_token: refreshed.refresh_token ?? config.refresh_token,
+            };
+            await store.saveCredentials(next);
+            log.debug?.("Refreshed access token");
+            return next;
+        }
+        catch {
+            // Refresh failed — keep the stale config; the API call's 401 (or
+            // requireApi) will tell the user to run `faable login` again.
+        }
+    }
+    return config;
+};
+
+export { isTokenLive, loadLiveCredentials };

package/dist/commands/deploy/index.js

@@ -1,4 +1,4 @@
-import { context } from '../../api/context.js';
+import { requireApi } from '../../api/context.js';
 import { cmd } from '../../lib/cmd.js';
 import { Configuration } from '../../lib/Configuration.js';
 import { log } from '../../log.js';
@@ -27,12 +27,8 @@ const deploy = {
     },
     handler: async (args) => {
         const workdir = args.workdir || process.cwd();
-        const ctx = await context();
+        const ctx = await requireApi();
         const { api } = ctx;
-        if (!api) {
-            log.error("❌ Not logged in. Run 'faable login' first.");
-            process.exit(1);
-        }
         // Resolve runtime
         const { runtime } = await runtime_detection(workdir);
         // app_id resolution (the user never has to look one up):

package/dist/commands/link/index.js

@@ -1,4 +1,4 @@
-import { context } from '../../api/context.js';
+import { requireApi } from '../../api/context.js';
 import prompts from 'prompts';
 import { log } from '../../log.js';
 import { cmd } from '../../lib/cmd.js';
@@ -60,11 +60,7 @@ const link = {
                 return;
             }
         }
-        const { api } = await context();
-        if (!api) {
-            log.error("❌ Not logged in. Run 'faable login' first.");
-            process.exit(1);
-        }
+        const { api } = await requireApi();
         log.info("Checking local git repository...");
         const gitUrl = await getGitRemoteUrl(workdir);
         const apps = await api.list();

package/dist/commands/login/index.js

@@ -1,8 +1,10 @@
 import { FaableApi } from '../../api/FaableApi.js';
 import { getDeviceCode, getDeviceToken, getMe } from '../../api/auth.js';
+import { isTokenLive } from '../../api/session.js';
 import { CredentialsStore } from '../../lib/CredentialsStore.js';
 import open from 'open';
 import ora from 'ora';
+import prompts from 'prompts';
 import { log } from '../../log.js';
 
 const wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
@@ -41,6 +43,31 @@ const login = {
     handler: async (args) => {
         const { apikey, token } = args;
         const store = new CredentialsStore();
+        // Interactive flow only: if there's already a session, confirm before
+        // re-authenticating. Flag-based logins (--apikey/--token) are an explicit
+        // re-auth (and often scripted), so they skip the prompt and overwrite.
+        if (!apikey && !token) {
+            const existing = await store.loadCredentials();
+            // Only a still-valid bearer session (or an API key) counts as "logged
+            // in". An expired token is a dead session, so skip the prompt and go
+            // straight to re-login instead of misleadingly saying "already logged in".
+            const hasLiveSession = (!!existing?.token && isTokenLive(existing.token)) ||
+                !!existing?.apikey;
+            if (hasLiveSession) {
+                const who = existing?.email ? ` as ${existing.email}` : "";
+                const { proceed } = await prompts({
+                    type: "confirm",
+                    name: "proceed",
+                    message: `You are already logged in${who}. Log out and log in again?`,
+                    initial: false,
+                });
+                if (!proceed) {
+                    log.info("Keeping current session. Run `faable logout` to log out.");
+                    return;
+                }
+                await store.deleteCredentials();
+            }
+        }
         if (apikey) {
             log.info("Logging in with API Key...");
             const tempApi = FaableApi.create({ auth: { apikey }, authStrategy: (await import('../../api/strategies/apikey.strategy.js')).apikey_strategy });
@@ -119,13 +146,19 @@ const login = {
                 if (cancelled)
                     return;
                 try {
-                    const { access_token } = await getDeviceToken(device_code);
+                    const { access_token, refresh_token } = await getDeviceToken(device_code);
                     if (access_token) {
                         spinner.stop();
                         // Validate the freshly issued token against the Auth server (it
                         // issued the token). The deploy API has no /me route.
                         const me = await getMe(access_token);
-                        await store.saveCredentials({ token: access_token, email: me.email });
+                        // Persist the refresh_token so the session can be renewed silently
+                        // when the access token expires (see api/session.ts).
+                        await store.saveCredentials({
+                            token: access_token,
+                            refresh_token,
+                            email: me.email,
+                        });
                         log.info(`✅ Successfully logged in as ${me.email}`);
                         return;
                     }

package/dist/commands/whoami/index.js

@@ -1,5 +1,6 @@
 import { log } from '../../log.js';
 import { getMe } from '../../api/auth.js';
+import { loadLiveCredentials } from '../../api/session.js';
 import { CredentialsStore } from '../../lib/CredentialsStore.js';
 
 const whoami = {
@@ -7,7 +8,8 @@ const whoami = {
     describe: "Display the current logged in user",
     handler: async () => {
         const store = new CredentialsStore();
-        const config = await store.loadCredentials();
+        // Auto-refreshes an expired token via the stored refresh_token.
+        const config = await loadLiveCredentials(store);
         // Bearer token from the environment (CI) or a local `faable login`.
         const token = process.env.FAABLE_TOKEN || config?.token;
         if (!token) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@faable/faable",
-  "version": "1.5.33",
+  "version": "1.7.0",
   "main": "dist/index.js",
   "license": "MIT",
   "author": "Marc Pomar <marc@faable.com>",