npm - @faable/faable - Versions diffs - 1.6.0 → 1.7.0 - Mend

@faable/faable 1.6.0 → 1.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/api/FaableApi.js +7 -0
package/dist/api/auth.js +11 -1
package/dist/api/context.js +17 -2
package/dist/api/session.js +55 -0
package/dist/commands/deploy/index.js +2 -6
package/dist/commands/link/index.js +2 -6
package/dist/commands/login/index.js +16 -4
package/dist/commands/whoami/index.js +3 -1
package/package.json +1 -1

package/dist/api/FaableApi.js CHANGED Viewed

@@ -33,6 +33,13 @@ class FaableApi {
                 const res = e.response;
                 const url = e.config?.url || "";
                 if (res) {
+                    // Uniform handling for an expired/invalid session across every
+                    // command, regardless of which endpoint returned the 401.
+                    if (res.status === 401) {
+                        const expired = new Error("Your Faable session has expired or is invalid. Run `faable login` to sign in again.", { cause: error });
+                        expired.status = 401;
+                        throw expired;
+                    }
                     const serverMessage = res.data?.message || res.statusText || "Unknown Error";
                     const wrapped = new Error(`FaableApi ${url} ${res.status}: ${serverMessage}`, { cause: error });
                     // Surface the structured error contract (e.g. the repository-link

package/dist/api/auth.js CHANGED Viewed

@@ -35,5 +35,15 @@ async function getMe(access_token) {
     });
     return res.data;
 }
+// Exchange a refresh token for a fresh access token (and a rotated refresh
+// token). The CLI is a public client, so no client_secret is required.
+async function refreshToken(refresh_token) {
+    const res = await api.post(`/oauth/token`, {
+        grant_type: "refresh_token",
+        client_id: CLIENT_ID,
+        refresh_token,
+    });
+    return res.data;
+}
-export { getDeviceCode, getDeviceToken, getMe };
+export { getDeviceCode, getDeviceToken, getMe, refreshToken };

package/dist/api/context.js CHANGED Viewed

@@ -4,6 +4,8 @@ import { getIDToken } from '@actions/core';
 import { oidc_strategy } from './strategies/oidc.strategy.js';
 import { bearer_strategy } from './strategies/bearer.strategy.js';
 import { CredentialsStore } from '../lib/CredentialsStore.js';
+import { loadLiveCredentials } from './session.js';
+import { log } from '../log.js';
 const context = async () => {
     let api;
@@ -25,7 +27,8 @@ const context = async () => {
     }
     else {
         const store = new CredentialsStore();
-        const config = await store.loadCredentials();
+        // Auto-refreshes an expired access token via the stored refresh_token.
+        const config = await loadLiveCredentials(store);
         if (config) {
             if (config.token) {
                 api = FaableApi.create({
@@ -47,5 +50,17 @@ const context = async () => {
         appId,
     };
 };
+// Resolve the API client for a command that needs an authenticated session.
+// Exits with a uniform message when there is no session at all. An expired
+// session that could not be refreshed still surfaces here as a working `api`
+// whose first call returns 401 — FaableApi maps that to the same re-login hint.
+const requireApi = async () => {
+    const ctx = await context();
+    if (!ctx.api) {
+        log.error("❌ Not logged in. Run 'faable login' first.");
+        process.exit(1);
+    }
+    return ctx;
+};
-export { context };
+export { context, requireApi };

package/dist/api/session.js ADDED Viewed

@@ -0,0 +1,55 @@
+import { CredentialsStore } from '../lib/CredentialsStore.js';
+import { refreshToken } from './auth.js';
+import { log } from '../log.js';
+// True when a stored JWT access token is still valid (has a future `exp`).
+// Anything we can't decode, or without `exp`, counts as NOT live — callers then
+// refresh or ask the user to re-login instead of trusting a dead token.
+const isTokenLive = (token) => {
+    try {
+        const [, payload] = token.split(".");
+        const claims = JSON.parse(Buffer.from(payload, "base64url").toString());
+        if (typeof claims.exp !== "number")
+            return false;
+        // 30s skew so a near-expired token is treated as dead and refreshed early.
+        return claims.exp * 1000 > Date.now() + 30_000;
+    }
+    catch {
+        return false;
+    }
+};
+// Load local credentials, transparently refreshing an expired (or near-expired)
+// access token using the stored refresh_token. The refreshed credentials are
+// persisted so the next command reuses them. Returns the (possibly refreshed)
+// config, or undefined when there are no local credentials.
+//
+// This is the single place the CLI resolves a local session, so every command
+// that goes through it gets auto-refresh for free. If the refresh fails (e.g.
+// the refresh token itself expired or was revoked) we return the stale config
+// and let the downstream 401 surface the uniform "session expired" error.
+const loadLiveCredentials = async (store = new CredentialsStore()) => {
+    const config = await store.loadCredentials();
+    if (!config)
+        return undefined;
+    const needsRefresh = !!config.token && !isTokenLive(config.token);
+    if (needsRefresh && config.refresh_token) {
+        try {
+            const refreshed = await refreshToken(config.refresh_token);
+            const next = {
+                ...config,
+                token: refreshed.access_token,
+                refresh_token: refreshed.refresh_token ?? config.refresh_token,
+            };
+            await store.saveCredentials(next);
+            log.debug?.("Refreshed access token");
+            return next;
+        }
+        catch {
+            // Refresh failed — keep the stale config; the API call's 401 (or
+            // requireApi) will tell the user to run `faable login` again.
+        }
+    }
+    return config;
+};
+export { isTokenLive, loadLiveCredentials };

package/dist/commands/deploy/index.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { context } from '../../api/context.js';
+import { requireApi } from '../../api/context.js';
 import { cmd } from '../../lib/cmd.js';
 import { Configuration } from '../../lib/Configuration.js';
 import { log } from '../../log.js';
@@ -27,12 +27,8 @@ const deploy = {
     },
     handler: async (args) => {
         const workdir = args.workdir || process.cwd();
-        const ctx = await context();
+        const ctx = await requireApi();
         const { api } = ctx;
-        if (!api) {
-            log.error("❌ Not logged in. Run 'faable login' first.");
-            process.exit(1);
-        }
         // Resolve runtime
         const { runtime } = await runtime_detection(workdir);
         // app_id resolution (the user never has to look one up):

package/dist/commands/link/index.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { context } from '../../api/context.js';
+import { requireApi } from '../../api/context.js';
 import prompts from 'prompts';
 import { log } from '../../log.js';
 import { cmd } from '../../lib/cmd.js';
@@ -60,11 +60,7 @@ const link = {
                 return;
             }
         }
-        const { api } = await context();
-        if (!api) {
-            log.error("❌ Not logged in. Run 'faable login' first.");
-            process.exit(1);
-        }
+        const { api } = await requireApi();
         log.info("Checking local git repository...");
         const gitUrl = await getGitRemoteUrl(workdir);
         const apps = await api.list();

package/dist/commands/login/index.js CHANGED Viewed

@@ -1,5 +1,6 @@
 import { FaableApi } from '../../api/FaableApi.js';
 import { getDeviceCode, getDeviceToken, getMe } from '../../api/auth.js';
+import { isTokenLive } from '../../api/session.js';
 import { CredentialsStore } from '../../lib/CredentialsStore.js';
 import open from 'open';
 import ora from 'ora';
@@ -47,8 +48,13 @@ const login = {
         // re-auth (and often scripted), so they skip the prompt and overwrite.
         if (!apikey && !token) {
             const existing = await store.loadCredentials();
-            if (existing && (existing.token || existing.apikey)) {
-                const who = existing.email ? ` as ${existing.email}` : "";
+            // Only a still-valid bearer session (or an API key) counts as "logged
+            // in". An expired token is a dead session, so skip the prompt and go
+            // straight to re-login instead of misleadingly saying "already logged in".
+            const hasLiveSession = (!!existing?.token && isTokenLive(existing.token)) ||
+                !!existing?.apikey;
+            if (hasLiveSession) {
+                const who = existing?.email ? ` as ${existing.email}` : "";
                 const { proceed } = await prompts({
                     type: "confirm",
                     name: "proceed",
@@ -140,13 +146,19 @@ const login = {
                 if (cancelled)
                     return;
                 try {
-                    const { access_token } = await getDeviceToken(device_code);
+                    const { access_token, refresh_token } = await getDeviceToken(device_code);
                     if (access_token) {
                         spinner.stop();
                         // Validate the freshly issued token against the Auth server (it
                         // issued the token). The deploy API has no /me route.
                         const me = await getMe(access_token);
-                        await store.saveCredentials({ token: access_token, email: me.email });
+                        // Persist the refresh_token so the session can be renewed silently
+                        // when the access token expires (see api/session.ts).
+                        await store.saveCredentials({
+                            token: access_token,
+                            refresh_token,
+                            email: me.email,
+                        });
                         log.info(`✅ Successfully logged in as ${me.email}`);
                         return;
                     }

package/dist/commands/whoami/index.js CHANGED Viewed

@@ -1,5 +1,6 @@
 import { log } from '../../log.js';
 import { getMe } from '../../api/auth.js';
+import { loadLiveCredentials } from '../../api/session.js';
 import { CredentialsStore } from '../../lib/CredentialsStore.js';
 const whoami = {
@@ -7,7 +8,8 @@ const whoami = {
     describe: "Display the current logged in user",
     handler: async () => {
         const store = new CredentialsStore();
-        const config = await store.loadCredentials();
+        // Auto-refreshes an expired token via the stored refresh_token.
+        const config = await loadLiveCredentials(store);
         // Bearer token from the environment (CI) or a local `faable login`.
         const token = process.env.FAABLE_TOKEN || config?.token;
         if (!token) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@faable/faable",
-  "version": "1.6.0",
+  "version": "1.7.0",
   "main": "dist/index.js",
   "license": "MIT",
   "author": "Marc Pomar <marc@faable.com>",