@geolonia/geonicdb-cli 0.5.0 → 0.6.1

package/README.md

@@ -121,7 +121,47 @@ geonic help [<command>] [<subcommand>]
 | `auth nonce` | Get a nonce and PoW challenge for API key authentication |
 | `auth token-exchange` | Exchange API key for a session JWT via nonce + PoW |
 
-The `auth login` command reads `GDB_EMAIL` and `GDB_PASSWORD` environment variables. It also supports OAuth Client Credentials flow with `--client-id` and `--client-secret`.
+#### Email/Password Login
+
+`auth login` uses interactive prompts for email and password. A TTY is required — credentials are never accepted via environment variables or command-line arguments to prevent leaking secrets in shell history.
+
+```bash
+geonic auth login
+```
+
+| Option | Description |
+|---|---|
+| `--tenant-id <id>` | Log in to a specific tenant |
+
+**Multi-tenant support**: When you belong to multiple tenants, `auth login` displays the list and lets you select one interactively. Use `--tenant-id` to skip the prompt.
+
+```text
+$ geonic auth login
+Email: user@example.com
+Password: ********
+Login successful. Token saved to config.
+
+Available tenants:
+  * 1) my_city (tenant_admin) ← current
+    2) another_city (user)
+
+Select tenant number (Enter to keep current):
+```
+
+#### OAuth Client Credentials
+
+For machine-to-machine authentication (CI/CD, scripts), use the OAuth Client Credentials flow:
+
+```bash
+geonic auth login --client-credentials --client-id MY_ID --client-secret MY_SECRET
+```
+
+| Option | Description |
+|---|---|
+| `--client-credentials` | Use OAuth 2.0 Client Credentials flow |
+| `--client-id <id>` | OAuth client ID (or `GDB_OAUTH_CLIENT_ID` env var) |
+| `--client-secret <secret>` | OAuth client secret (or `GDB_OAUTH_CLIENT_SECRET` env var) |
+| `--scope <scopes>` | OAuth scopes (space-separated) |
 
 #### API Key Token Exchange
 
@@ -172,6 +212,7 @@ Displays the current authenticated user, token expiry, and active profile.
 | `--origins <origins>` | Allowed origins (comma-separated, at least 1 required) |
 | `--entity-types <types>` | Allowed entity types (comma-separated) |
 | `--rate-limit <n>` | Rate limit (requests per minute) |
+| `--dpop-required` | Require DPoP token binding (RFC 9449) |
 | `--save` | Save the API key to profile config |
 
 ```bash
@@ -182,6 +223,8 @@ geonic me api-keys create --name my-app --scopes read:entities --save
 geonic me api-keys create '{"name":"my-app","allowedScopes":["read:entities"]}'
 ```
 
+`me api-keys list` output includes a `dpopRequired` field (boolean).
+
 ### entities — Manage context entities
 
 | Subcommand | Description |
@@ -369,9 +412,9 @@ Temporal entityOperations query supports: `--aggr-methods`, `--aggr-period`.
 | `admin api-keys update <keyId> [json]` | Update an API key |
 | `admin api-keys delete <keyId>` | Delete an API key |
 
-`admin api-keys list` supports `--tenant-id` to filter by tenant. `admin api-keys create` supports flag options: `--name`, `--scopes`, `--origins`, `--entity-types`, `--rate-limit`, `--tenant-id`, `--save`.
+`admin api-keys list` supports `--tenant-id` to filter by tenant. `admin api-keys create` supports flag options: `--name`, `--scopes`, `--origins`, `--entity-types`, `--rate-limit`, `--dpop-required`, `--tenant-id`, `--save`. `admin api-keys update` supports `--name`, `--scopes`, `--origins`, `--entity-types`, `--rate-limit`, `--dpop-required` / `--no-dpop-required`.
 
-**Note**: `allowedOrigins` must contain at least 1 item when specified. Use `*` to allow all origins. `allowedEntityTypes` is enforced at runtime — API key holders can only access entities of the specified types.
+**Note**: `allowedOrigins` must contain at least 1 item when specified. Use `*` to allow all origins. `allowedEntityTypes` is enforced at runtime — API key holders can only access entities of the specified types. `admin api-keys list` / `admin api-keys get` output includes a `dpopRequired` field (boolean).
 
 #### admin cadde
 

package/dist/index.js

@@ -848,6 +848,9 @@ var GdbClient = class _GdbClient {
   async executeRawRequest(method, path, options) {
     const url = this.buildUrl(path, options?.params);
     const headers = this.buildHeaders(options?.headers);
+    if (options?.skipTenantHeader) {
+      delete headers["NGSILD-Tenant"];
+    }
     const body = options?.body ? JSON.stringify(options.body) : void 0;
     this.logRequest(method, url, headers, body);
     this.handleDryRun(method, url, headers, body);
@@ -985,7 +988,7 @@ function withErrorHandler(fn) {
         return;
       }
       if (err instanceof GdbClientError && err.status === 401) {
-        printError("Authentication failed. Please run `geonic login` to re-authenticate.");
+        printError("Authentication failed. Please re-authenticate (e.g., `geonic auth login` or check your API key).");
       } else if (err instanceof GdbClientError && err.status === 403) {
         const detail = (err.ngsiError?.detail ?? err.ngsiError?.description ?? "").toLowerCase();
         if (detail.includes("entity type") || detail.includes("allowedentitytypes")) {
@@ -1097,6 +1100,30 @@ async function promptPassword() {
     stdin.on("error", onError);
   });
 }
+async function promptTenantSelection(tenants, currentTenantId) {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    console.log("\nAvailable tenants:");
+    for (let i = 0; i < tenants.length; i++) {
+      const t = tenants[i];
+      const current = t.tenantId === currentTenantId ? " \u2190 current" : "";
+      const marker = t.tenantId === currentTenantId ? "  *" : "   ";
+      console.log(`${marker} ${i + 1}) ${t.tenantId} (${t.role})${current}`);
+    }
+    for (; ; ) {
+      const answer = await rl.question("\nSelect tenant number (Enter to keep current): ");
+      const trimmed = answer.trim();
+      if (!trimmed) return void 0;
+      const index = parseInt(trimmed, 10) - 1;
+      if (index >= 0 && index < tenants.length) {
+        return tenants[index].tenantId;
+      }
+      console.log(`Invalid selection. Please enter a number between 1 and ${tenants.length}.`);
+    }
+  } finally {
+    rl.close();
+  }
+}
 
 // src/token.ts
 function decodeJwtPayload(token) {
@@ -1370,7 +1397,7 @@ function addMeApiKeysSubcommand(me) {
       command: "geonic me api-keys list"
     }
   ]);
-  const create = apiKeys.command("create [json]").description("Create a new API key").option("--name <name>", "Key name").option("--scopes <scopes>", "Allowed scopes (comma-separated)").option("--origins <origins>", "Allowed origins (comma-separated)").option("--entity-types <types>", "Allowed entity types (comma-separated)").option("--rate-limit <n>", "Rate limit per minute").option("--save", "Save the API key to config for automatic use").action(
+  const create = apiKeys.command("create [json]").description("Create a new API key").option("--name <name>", "Key name").option("--scopes <scopes>", "Allowed scopes (comma-separated)").option("--origins <origins>", "Allowed origins (comma-separated)").option("--entity-types <types>", "Allowed entity types (comma-separated)").option("--rate-limit <n>", "Rate limit per minute").option("--dpop-required", "Require DPoP token binding").option("--save", "Save the API key to config for automatic use").action(
     withErrorHandler(async (json, _opts, cmd) => {
       const opts = cmd.opts();
       if (opts.origins !== void 0) {
@@ -1383,12 +1410,13 @@ function addMeApiKeysSubcommand(me) {
       let body;
       if (json) {
         body = await parseJsonInput(json);
-      } else if (opts.name || opts.scopes || opts.origins || opts.entityTypes || opts.rateLimit) {
+      } else if (opts.name || opts.scopes || opts.origins || opts.entityTypes || opts.rateLimit || opts.dpopRequired !== void 0) {
         const payload = {};
         if (opts.name) payload.name = opts.name;
         if (opts.scopes) payload.allowedScopes = opts.scopes.split(",").map((s) => s.trim()).filter(Boolean);
         if (opts.origins) payload.allowedOrigins = opts.origins.split(",").map((s) => s.trim()).filter(Boolean);
         if (opts.entityTypes) payload.allowedEntityTypes = opts.entityTypes.split(",").map((s) => s.trim()).filter(Boolean);
+        if (opts.dpopRequired !== void 0) payload.dpopRequired = opts.dpopRequired;
         if (opts.rateLimit) {
           const raw = opts.rateLimit.trim();
           if (!/^\d+$/.test(raw)) {
@@ -1453,6 +1481,10 @@ function addMeApiKeysSubcommand(me) {
     {
       description: "Create an API key with rate limiting",
       command: "geonic me api-keys create --name my-app --rate-limit 100"
+    },
+    {
+      description: "Create an API key with DPoP required",
+      command: "geonic me api-keys create --name my-app --dpop-required"
     }
   ]);
   const del = apiKeys.command("delete <keyId>").description("Delete an API key").action(
@@ -1506,32 +1538,59 @@ function createLoginCommand() {
         printSuccess("Login successful (OAuth Client Credentials). Token saved to config.");
         return;
       }
-      let email = process.env.GDB_EMAIL;
-      let password = process.env.GDB_PASSWORD;
-      if (!email || !password) {
-        if (isInteractive()) {
-          if (!email) email = await promptEmail();
-          if (!password) password = await promptPassword();
-        } else {
-          printError(
-            "Set GDB_EMAIL and GDB_PASSWORD environment variables, or run in a terminal for interactive login."
-          );
-          process.exit(1);
-        }
+      if (!globalOpts.url) {
+        printError("No URL configured. Use `geonic config set url <url>` or pass --url.");
+        process.exit(1);
       }
+      try {
+        validateUrl(globalOpts.url);
+      } catch (err) {
+        printError(err.message);
+        process.exit(1);
+      }
+      if (!isInteractive()) {
+        printError(
+          "Interactive terminal required. Run `geonic auth login` in a terminal with TTY."
+        );
+        process.exit(1);
+      }
+      const email = await promptEmail();
+      const password = await promptPassword();
       const client = createClient(cmd);
       const body = { email, password };
       if (loginOpts.tenantId) {
         body.tenantId = loginOpts.tenantId;
       }
-      const response = await client.rawRequest("POST", "/auth/login", { body });
+      const response = await client.rawRequest("POST", "/auth/login", {
+        body,
+        skipTenantHeader: true
+      });
       const data = response.data;
-      const token = data.accessToken ?? data.token;
-      const refreshToken = data.refreshToken;
+      let token = data.accessToken ?? data.token;
+      let refreshToken = data.refreshToken;
       if (!token) {
         printError("No token received from server.");
         process.exit(1);
       }
+      const availableTenants = data.availableTenants;
+      const currentTenantId = data.tenantId;
+      if (availableTenants && availableTenants.length > 1 && !loginOpts.tenantId) {
+        const selectedTenantId = await promptTenantSelection(availableTenants, currentTenantId);
+        if (selectedTenantId && selectedTenantId !== currentTenantId) {
+          const reloginResponse = await client.rawRequest("POST", "/auth/login", {
+            body: { email, password, tenantId: selectedTenantId },
+            skipTenantHeader: true
+          });
+          const reloginData = reloginResponse.data;
+          const newToken = reloginData.accessToken ?? reloginData.token;
+          if (!newToken) {
+            printError("Re-login failed: no token received for selected tenant.");
+            process.exit(1);
+          }
+          token = newToken;
+          refreshToken = reloginData.refreshToken;
+        }
+      }
       const config = loadConfig(globalOpts.profile);
       config.token = token;
       if (refreshToken) {
@@ -1723,10 +1782,6 @@ function registerAuthCommands(program2) {
       description: "Login with OAuth client credentials",
       command: "geonic auth login --client-credentials --client-id MY_ID --client-secret MY_SECRET"
     },
-    {
-      description: "Login with environment variables",
-      command: "GDB_EMAIL=user@example.com GDB_PASSWORD=pass geonic auth login"
-    },
     {
       description: "Login to a specific tenant",
       command: "geonic auth login --tenant-id my-tenant"
@@ -3363,6 +3418,7 @@ function buildBodyFromFlags(opts) {
     }
     payload.rateLimit = { perMinute };
   }
+  if (opts.dpopRequired !== void 0) payload.dpopRequired = opts.dpopRequired;
   if (opts.tenantId) payload.tenantId = opts.tenantId;
   return payload;
 }
@@ -3408,14 +3464,14 @@ function registerApiKeysCommand(parent) {
       command: "geonic admin api-keys get <key-id>"
     }
   ]);
-  const create = apiKeys.command("create [json]").description("Create a new API key").option("--name <name>", "Key name").option("--scopes <scopes>", "Comma-separated scopes").option("--origins <origins>", "Comma-separated origins").option("--entity-types <types>", "Comma-separated entity types").option("--rate-limit <n>", "Rate limit per minute").option("--tenant-id <id>", "Tenant ID").option("--save", "Save the API key to profile config").action(
+  const create = apiKeys.command("create [json]").description("Create a new API key").option("--name <name>", "Key name").option("--scopes <scopes>", "Comma-separated scopes").option("--origins <origins>", "Comma-separated origins").option("--entity-types <types>", "Comma-separated entity types").option("--rate-limit <n>", "Rate limit per minute").option("--dpop-required", "Require DPoP token binding").option("--tenant-id <id>", "Tenant ID").option("--save", "Save the API key to profile config").action(
     withErrorHandler(async (json, _opts, cmd) => {
       const opts = cmd.opts();
       validateOrigins(void 0, opts);
       let body;
       if (json) {
         body = await parseJsonInput(json);
-      } else if (opts.name || opts.scopes || opts.origins || opts.entityTypes || opts.rateLimit || opts.tenantId) {
+      } else if (opts.name || opts.scopes || opts.origins || opts.entityTypes || opts.rateLimit || opts.dpopRequired !== void 0 || opts.tenantId) {
         body = buildBodyFromFlags(opts);
       } else {
         body = await parseJsonInput();
@@ -3452,12 +3508,16 @@ function registerApiKeysCommand(parent) {
       description: "Create an API key with flags",
       command: "geonic admin api-keys create --name my-key --scopes entities:read,entities:write --origins '*'"
     },
+    {
+      description: "Create an API key with DPoP required",
+      command: "geonic admin api-keys create --name my-key --dpop-required"
+    },
     {
       description: "Create an API key from JSON and save to config",
       command: "geonic admin api-keys create @key.json --save"
     }
   ]);
-  const update = apiKeys.command("update <keyId> [json]").description("Update an API key").option("--name <name>", "Key name").option("--scopes <scopes>", "Comma-separated scopes").option("--origins <origins>", "Comma-separated origins").option("--entity-types <types>", "Comma-separated entity types").option("--rate-limit <n>", "Rate limit per minute").action(
+  const update = apiKeys.command("update <keyId> [json]").description("Update an API key").option("--name <name>", "Key name").option("--scopes <scopes>", "Comma-separated scopes").option("--origins <origins>", "Comma-separated origins").option("--entity-types <types>", "Comma-separated entity types").option("--rate-limit <n>", "Rate limit per minute").option("--dpop-required", "Require DPoP token binding").option("--no-dpop-required", "Disable DPoP token binding").action(
     withErrorHandler(
       async (keyId, json, _opts, cmd) => {
         const opts = cmd.opts();
@@ -3465,7 +3525,7 @@ function registerApiKeysCommand(parent) {
         let body;
         if (json) {
           body = await parseJsonInput(json);
-        } else if (opts.name || opts.scopes || opts.origins || opts.entityTypes || opts.rateLimit) {
+        } else if (opts.name || opts.scopes || opts.origins || opts.entityTypes || opts.rateLimit || opts.dpopRequired !== void 0) {
           body = buildBodyFromFlags(opts);
         } else {
           body = await parseJsonInput();
@@ -3488,6 +3548,14 @@ function registerApiKeysCommand(parent) {
       description: "Update an API key name",
       command: "geonic admin api-keys update <key-id> --name new-name"
     },
+    {
+      description: "Enable DPoP requirement",
+      command: "geonic admin api-keys update <key-id> --dpop-required"
+    },
+    {
+      description: "Disable DPoP requirement",
+      command: "geonic admin api-keys update <key-id> --no-dpop-required"
+    },
     {
       description: "Update an API key from a JSON file",
       command: "geonic admin api-keys update <key-id> @key.json"