npm - @geolonia/geonicdb-cli - Versions diffs - 0.6.0 → 0.6.1 - Mend

@geolonia/geonicdb-cli 0.6.0 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -121,7 +121,47 @@ geonic help [<command>] [<subcommand>]
 | `auth nonce` | Get a nonce and PoW challenge for API key authentication |
 | `auth token-exchange` | Exchange API key for a session JWT via nonce + PoW |
-The `auth login` command reads `GDB_EMAIL` and `GDB_PASSWORD` environment variables. It also supports OAuth Client Credentials flow with `--client-id` and `--client-secret`.
+#### Email/Password Login
+`auth login` uses interactive prompts for email and password. A TTY is required — credentials are never accepted via environment variables or command-line arguments to prevent leaking secrets in shell history.
+```bash
+geonic auth login
+```
+| Option | Description |
+|---|---|
+| `--tenant-id <id>` | Log in to a specific tenant |
+**Multi-tenant support**: When you belong to multiple tenants, `auth login` displays the list and lets you select one interactively. Use `--tenant-id` to skip the prompt.
+```text
+$ geonic auth login
+Email: user@example.com
+Password: ********
+Login successful. Token saved to config.
+Available tenants:
+  * 1) my_city (tenant_admin) ← current
+    2) another_city (user)
+Select tenant number (Enter to keep current):
+```
+#### OAuth Client Credentials
+For machine-to-machine authentication (CI/CD, scripts), use the OAuth Client Credentials flow:
+```bash
+geonic auth login --client-credentials --client-id MY_ID --client-secret MY_SECRET
+```
+| Option | Description |
+|---|---|
+| `--client-credentials` | Use OAuth 2.0 Client Credentials flow |
+| `--client-id <id>` | OAuth client ID (or `GDB_OAUTH_CLIENT_ID` env var) |
+| `--client-secret <secret>` | OAuth client secret (or `GDB_OAUTH_CLIENT_SECRET` env var) |
+| `--scope <scopes>` | OAuth scopes (space-separated) |
 #### API Key Token Exchange

package/dist/index.js CHANGED Viewed

@@ -848,6 +848,9 @@ var GdbClient = class _GdbClient {
   async executeRawRequest(method, path, options) {
     const url = this.buildUrl(path, options?.params);
     const headers = this.buildHeaders(options?.headers);
+    if (options?.skipTenantHeader) {
+      delete headers["NGSILD-Tenant"];
+    }
     const body = options?.body ? JSON.stringify(options.body) : void 0;
     this.logRequest(method, url, headers, body);
     this.handleDryRun(method, url, headers, body);
@@ -985,7 +988,7 @@ function withErrorHandler(fn) {
         return;
       }
       if (err instanceof GdbClientError && err.status === 401) {
-        printError("Authentication failed. Please run `geonic login` to re-authenticate.");
+        printError("Authentication failed. Please re-authenticate (e.g., `geonic auth login` or check your API key).");
       } else if (err instanceof GdbClientError && err.status === 403) {
         const detail = (err.ngsiError?.detail ?? err.ngsiError?.description ?? "").toLowerCase();
         if (detail.includes("entity type") || detail.includes("allowedentitytypes")) {
@@ -1097,6 +1100,30 @@ async function promptPassword() {
     stdin.on("error", onError);
   });
 }
+async function promptTenantSelection(tenants, currentTenantId) {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    console.log("\nAvailable tenants:");
+    for (let i = 0; i < tenants.length; i++) {
+      const t = tenants[i];
+      const current = t.tenantId === currentTenantId ? " \u2190 current" : "";
+      const marker = t.tenantId === currentTenantId ? "  *" : "   ";
+      console.log(`${marker} ${i + 1}) ${t.tenantId} (${t.role})${current}`);
+    }
+    for (; ; ) {
+      const answer = await rl.question("\nSelect tenant number (Enter to keep current): ");
+      const trimmed = answer.trim();
+      if (!trimmed) return void 0;
+      const index = parseInt(trimmed, 10) - 1;
+      if (index >= 0 && index < tenants.length) {
+        return tenants[index].tenantId;
+      }
+      console.log(`Invalid selection. Please enter a number between 1 and ${tenants.length}.`);
+    }
+  } finally {
+    rl.close();
+  }
+}
 // src/token.ts
 function decodeJwtPayload(token) {
@@ -1511,32 +1538,59 @@ function createLoginCommand() {
         printSuccess("Login successful (OAuth Client Credentials). Token saved to config.");
         return;
       }
-      let email = process.env.GDB_EMAIL;
-      let password = process.env.GDB_PASSWORD;
-      if (!email || !password) {
-        if (isInteractive()) {
-          if (!email) email = await promptEmail();
-          if (!password) password = await promptPassword();
-        } else {
-          printError(
-            "Set GDB_EMAIL and GDB_PASSWORD environment variables, or run in a terminal for interactive login."
-          );
-          process.exit(1);
-        }
+      if (!globalOpts.url) {
+        printError("No URL configured. Use `geonic config set url <url>` or pass --url.");
+        process.exit(1);
+      }
+      try {
+        validateUrl(globalOpts.url);
+      } catch (err) {
+        printError(err.message);
+        process.exit(1);
+      }
+      if (!isInteractive()) {
+        printError(
+          "Interactive terminal required. Run `geonic auth login` in a terminal with TTY."
+        );
+        process.exit(1);
       }
+      const email = await promptEmail();
+      const password = await promptPassword();
       const client = createClient(cmd);
       const body = { email, password };
       if (loginOpts.tenantId) {
         body.tenantId = loginOpts.tenantId;
       }
-      const response = await client.rawRequest("POST", "/auth/login", { body });
+      const response = await client.rawRequest("POST", "/auth/login", {
+        body,
+        skipTenantHeader: true
+      });
       const data = response.data;
-      const token = data.accessToken ?? data.token;
-      const refreshToken = data.refreshToken;
+      let token = data.accessToken ?? data.token;
+      let refreshToken = data.refreshToken;
       if (!token) {
         printError("No token received from server.");
         process.exit(1);
       }
+      const availableTenants = data.availableTenants;
+      const currentTenantId = data.tenantId;
+      if (availableTenants && availableTenants.length > 1 && !loginOpts.tenantId) {
+        const selectedTenantId = await promptTenantSelection(availableTenants, currentTenantId);
+        if (selectedTenantId && selectedTenantId !== currentTenantId) {
+          const reloginResponse = await client.rawRequest("POST", "/auth/login", {
+            body: { email, password, tenantId: selectedTenantId },
+            skipTenantHeader: true
+          });
+          const reloginData = reloginResponse.data;
+          const newToken = reloginData.accessToken ?? reloginData.token;
+          if (!newToken) {
+            printError("Re-login failed: no token received for selected tenant.");
+            process.exit(1);
+          }
+          token = newToken;
+          refreshToken = reloginData.refreshToken;
+        }
+      }
       const config = loadConfig(globalOpts.profile);
       config.token = token;
       if (refreshToken) {
@@ -1728,10 +1782,6 @@ function registerAuthCommands(program2) {
       description: "Login with OAuth client credentials",
       command: "geonic auth login --client-credentials --client-id MY_ID --client-secret MY_SECRET"
     },
-    {
-      description: "Login with environment variables",
-      command: "GDB_EMAIL=user@example.com GDB_PASSWORD=pass geonic auth login"
-    },
     {
       description: "Login to a specific tenant",
       command: "geonic auth login --tenant-id my-tenant"