@geolonia/geonicdb-cli 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/README.md +93 -1
  2. package/dist/index.js +487 -11
  3. package/dist/index.js.map +1 -1
  4. package/package.json +1 -1
package/README.md CHANGED
@@ -118,10 +118,28 @@ geonic help [<command>] [<subcommand>]
118
118
  |---|---|
119
119
  | `auth login` | Authenticate and save token |
120
120
  | `auth logout` | Clear saved authentication token |
121
+ | `auth nonce` | Get a nonce and PoW challenge for API key authentication |
122
+ | `auth token-exchange` | Exchange API key for a session JWT via nonce + PoW |
121
123
 
122
124
  The `auth login` command reads `GDB_EMAIL` and `GDB_PASSWORD` environment variables. It also supports OAuth Client Credentials flow with `--client-id` and `--client-secret`.
123
125
 
124
- ### me Display current user
126
+ #### API Key Token Exchange
127
+
128
+ `auth token-exchange` performs a complete API key to JWT exchange:
129
+
130
+ 1. Requests a nonce from the server (`POST /auth/nonce`)
131
+ 2. Solves the Proof-of-Work challenge (SHA-256)
132
+ 3. Exchanges the API key + solved PoW for a session JWT (`POST /oauth/token`)
133
+
134
+ ```bash
135
+ # Exchange API key for JWT and save to config
136
+ geonic auth token-exchange --api-key gdb_abcdef... --save
137
+
138
+ # Just display the token without saving
139
+ geonic auth token-exchange --api-key gdb_abcdef...
140
+ ```
141
+
142
+ ### me — Current user and self-service resources
125
143
 
126
144
  ```bash
127
145
  geonic me
@@ -129,6 +147,41 @@ geonic me
129
147
 
130
148
  Displays the current authenticated user, token expiry, and active profile.
131
149
 
150
+ #### me oauth-clients
151
+
152
+ | Subcommand | Description |
153
+ |---|---|
154
+ | `me oauth-clients list` | List your OAuth clients |
155
+ | `me oauth-clients create [json]` | Create a new OAuth client |
156
+ | `me oauth-clients delete <id>` | Delete an OAuth client |
157
+
158
+ #### me api-keys
159
+
160
+ | Subcommand | Description |
161
+ |---|---|
162
+ | `me api-keys list` | List your API keys |
163
+ | `me api-keys create [json]` | Create a new API key |
164
+ | `me api-keys delete <keyId>` | Delete an API key |
165
+
166
+ `me api-keys create` supports flag options:
167
+
168
+ | Flag | Description |
169
+ |---|---|
170
+ | `--name <name>` | Key name |
171
+ | `--scopes <scopes>` | Allowed scopes (comma-separated) |
172
+ | `--origins <origins>` | Allowed origins (comma-separated, at least 1 required) |
173
+ | `--entity-types <types>` | Allowed entity types (comma-separated) |
174
+ | `--rate-limit <n>` | Rate limit (requests per minute) |
175
+ | `--save` | Save the API key to profile config |
176
+
177
+ ```bash
178
+ # Create an API key and save to config
179
+ geonic me api-keys create --name my-app --scopes read:entities --save
180
+
181
+ # Create from JSON
182
+ geonic me api-keys create '{"name":"my-app","allowedScopes":["read:entities"]}'
183
+ ```
184
+
132
185
  ### entities — Manage context entities
133
186
 
134
187
  | Subcommand | Description |
@@ -306,6 +359,20 @@ Temporal entityOperations query supports: `--aggr-methods`, `--aggr-period`.
306
359
  | `admin oauth-clients update <id> [json]` | Update an OAuth client |
307
360
  | `admin oauth-clients delete <id>` | Delete an OAuth client |
308
361
 
362
+ #### admin api-keys
363
+
364
+ | Subcommand | Description |
365
+ |---|---|
366
+ | `admin api-keys list` | List all API keys |
367
+ | `admin api-keys get <keyId>` | Get an API key by ID |
368
+ | `admin api-keys create [json]` | Create a new API key |
369
+ | `admin api-keys update <keyId> [json]` | Update an API key |
370
+ | `admin api-keys delete <keyId>` | Delete an API key |
371
+
372
+ `admin api-keys list` supports `--tenant-id` to filter by tenant. `admin api-keys create` supports flag options: `--name`, `--scopes`, `--origins`, `--entity-types`, `--rate-limit`, `--tenant-id`, `--save`.
373
+
374
+ **Note**: `allowedOrigins` must contain at least 1 item when specified. Use `*` to allow all origins. `allowedEntityTypes` is enforced at runtime — API key holders can only access entities of the specified types.
375
+
309
376
  #### admin cadde
310
377
 
311
378
  | Subcommand | Description |
@@ -435,6 +502,31 @@ Override the config directory with the `GEONIC_CONFIG_DIR` environment variable:
435
502
  GEONIC_CONFIG_DIR=/path/to/config geonic entities list
436
503
  ```
437
504
 
505
+ ## API Key Authentication
506
+
507
+ API keys provide an alternative to JWT tokens for authentication. When configured, requests include the `X-Api-Key` header.
508
+
509
+ ```bash
510
+ # Set API key in config
511
+ geonic config set api-key gdb_your_api_key_here
512
+
513
+ # Or pass via CLI flag
514
+ geonic entities list --api-key gdb_your_api_key_here
515
+
516
+ # Or use environment variable
517
+ GDB_API_KEY=gdb_your_api_key_here geonic entities list
518
+ ```
519
+
520
+ When both a Bearer token and an API key are configured, both headers are sent (the server determines precedence).
521
+
522
+ ### Valid Scopes
523
+
524
+ `read:entities`, `write:entities`, `read:subscriptions`, `write:subscriptions`, `read:registrations`, `write:registrations`
525
+
526
+ ### Entity Type Restrictions
527
+
528
+ API keys with `allowedEntityTypes` are restricted to the specified entity types at runtime. Attempting to access entities of other types results in a 403 error with a descriptive message.
529
+
438
530
  ## Development
439
531
 
440
532
  Requires Node.js >= 20.