@gjsify/cli 0.4.36 → 0.4.37

package/lib/commands/index.d.ts

@@ -17,6 +17,8 @@ export * from './workspace.js';
 export * from './pack.js';
 export * from './publish.js';
 export * from './whoami.js';
+export * from './login.js';
+export * from './logout.js';
 export * from './self-update.js';
 export * from './generate-installer.js';
 export * from './uninstall.js';

package/lib/commands/index.js

@@ -17,6 +17,8 @@ export * from './workspace.js';
 export * from './pack.js';
 export * from './publish.js';
 export * from './whoami.js';
+export * from './login.js';
+export * from './logout.js';
 export * from './self-update.js';
 export * from './generate-installer.js';
 export * from './uninstall.js';

package/lib/commands/login.d.ts

@@ -0,0 +1,10 @@
+import type { Command } from '../types/index.js';
+interface LoginOptions {
+    registry?: string;
+    scope?: string;
+    username?: string;
+    otp?: string;
+    json?: boolean;
+}
+export declare const loginCommand: Command<unknown, LoginOptions>;
+export {};

package/lib/commands/login.js

@@ -0,0 +1,139 @@
+// `gjsify login [--registry <url>] [--scope @scope] [--username <u>] [--otp <code>]`
+//
+// Node-free `npm login` — completes the auth trio alongside `gjsify whoami` /
+// `gjsify publish`. Implements npm's legacy (`--auth-type=legacy`) CouchDB
+// credentials flow (npm-profile's `loginCouch`):
+//
+//   1. PUT the user doc to `<registry>/-/user/org.couchdb.user:<u>` with Basic
+//      auth (base64 of `<username>:<password>`) + an `npm-otp` header for 2FA.
+//   2. On 409 (the user already exists — the normal case for a *login*), GET
+//      `…?write=true` for the current `_rev`, merge it in, and PUT to
+//      `…/-rev/<rev>`.
+//   3. The response carries a bearer `token`; write it to the userconfig
+//      `.npmrc` as `//<host>/:_authToken=<token>` (the key `publish`/`whoami`
+//      read), then verify with `whoami`.
+//
+// The npm-9+ web-OAuth flow is intentionally NOT implemented — the legacy flow
+// is the Node-free-friendly path and needs no browser. `login` (vs `adduser`)
+// does not send an email.
+//
+// Reference: refs/npm-cli/node_modules/npm-profile/lib/index.js `loginCouch`.
+import { DEFAULT_REGISTRY, registryFor, whoami } from '@gjsify/npm-registry';
+import { loadNpmrc } from '../utils/load-npmrc.js';
+import { writeAuthToken } from '../utils/auth-npmrc.js';
+import { promptLine, promptHidden } from '../utils/prompt.js';
+export const loginCommand = {
+    command: 'login',
+    description: "Log in to an npm registry (Node-free `npm login`). Prompts for username + password (hidden) and writes the token to ~/.npmrc. Use --otp for 2FA. Web-OAuth flow is not supported — this is npm's legacy credentials flow.",
+    builder: (yargs) => yargs
+        .option('registry', {
+        description: `Registry URL to log in to. Default: ${DEFAULT_REGISTRY} (or a --scope's registry).`,
+        type: 'string',
+    })
+        .option('scope', {
+        description: "Associate the login with a scope (e.g. @gjsify) — resolves that scope's registry from .npmrc.",
+        type: 'string',
+    })
+        .option('username', { description: 'Username (prompted if omitted).', type: 'string' })
+        .option('otp', { description: 'npm 2FA one-time code (prompted on demand if omitted).', type: 'string' })
+        .option('json', { description: 'Emit `{username, registry}` JSON on success.', type: 'boolean' }),
+    handler: async (args) => {
+        const npmrc = await loadNpmrc(process.cwd());
+        const registry = args.registry ??
+            process.env.npm_config_registry ??
+            (args.scope ? registryFor(args.scope.startsWith('@') ? `${args.scope}/_` : `@${args.scope}/_`, npmrc) : undefined) ??
+            DEFAULT_REGISTRY;
+        const registryClean = registry.endsWith('/') ? registry : `${registry}/`;
+        const username = args.username ?? (await promptLine(`Username: `));
+        if (!username) {
+            console.error('gjsify login: a username is required.');
+            process.exit(1);
+        }
+        const password = await promptHidden(`Password: `);
+        if (!password) {
+            console.error('gjsify login: a password is required.');
+            process.exit(1);
+        }
+        // npm legacy auth = HTTP Basic of `<username>:<password>` (the same
+        // credentials being logged in with). The password also lives in the
+        // PUT body, which is how the registry mints the token.
+        const basic = `Basic ${btoa(`${username}:${password}`)}`;
+        const couchUrl = `${registryClean}-/user/org.couchdb.user:${encodeURIComponent(username)}`;
+        const body = {
+            _id: `org.couchdb.user:${username}`,
+            name: username,
+            password,
+            type: 'user',
+            roles: [],
+            date: undefined, // the registry stamps this; Date is unavailable in some runtimes
+        };
+        function authHeaders(otp) {
+            const h = {
+                authorization: basic,
+                'content-type': 'application/json',
+                accept: '*/*',
+            };
+            if (otp)
+                h['npm-otp'] = otp;
+            return h;
+        }
+        async function putUser(path, otp) {
+            return fetch(`${couchUrl}${path}`, { method: 'PUT', headers: authHeaders(otp), body: JSON.stringify(body) });
+        }
+        let otp = args.otp;
+        let res = await putUser('', otp);
+        // 2FA: 401 + www-authenticate "otp" (or a one-time-pass body) → prompt + retry.
+        if (res.status === 401 && !otp) {
+            const wwwAuth = (res.headers.get('www-authenticate') ?? '').toLowerCase();
+            const text = await res.clone().text().catch(() => '');
+            if (wwwAuth.includes('otp') || /one-time pass/i.test(text)) {
+                otp = await promptLine(`This operation requires a one-time password.\nEnter OTP: `);
+                if (!otp) {
+                    console.error('gjsify login: no OTP entered.');
+                    process.exit(1);
+                }
+                res = await putUser('', otp);
+            }
+        }
+        // 409 Conflict: the user already exists (the normal login case). Fetch
+        // the current doc for its `_rev`, merge, and PUT to `…/-rev/<rev>`.
+        if (res.status === 409) {
+            const getRes = await fetch(`${couchUrl}?write=true`, { headers: authHeaders(otp) });
+            if (getRes.ok) {
+                const existing = (await getRes.json().catch(() => ({})));
+                for (const k of Object.keys(existing)) {
+                    if (!body[k] || k === 'roles')
+                        body[k] = existing[k];
+                }
+                if (body._rev)
+                    res = await putUser(`/-rev/${body._rev}`, otp);
+            }
+        }
+        if (res.status === 400) {
+            console.error(`gjsify login: there is no user with the username "${username}" on ${registryClean}.`);
+            process.exit(1);
+        }
+        if (!res.ok) {
+            const text = await res.text().catch(() => '<no body>');
+            console.error(`gjsify login: ${res.status} ${res.statusText} from ${registryClean}\n${text.slice(0, 400)}`);
+            process.exit(1);
+        }
+        const data = (await res.json().catch(() => ({})));
+        if (!data.token) {
+            console.error(`gjsify login: the registry accepted the login but returned no token (unexpected response shape). ` +
+                `Your registry may require the web-OAuth flow — use \`npm login\`.`);
+            process.exit(1);
+        }
+        const npmrcPath = writeAuthToken(registryClean, data.token);
+        // Confirm the freshly-written token authenticates.
+        const verifyNpmrc = await loadNpmrc(process.cwd());
+        const who = await whoami(registryClean, verifyNpmrc);
+        const confirmedName = who.username ?? username;
+        if (args.json) {
+            process.stdout.write(`${JSON.stringify({ username: confirmedName, registry: registryClean })}\n`);
+        }
+        else {
+            process.stdout.write(`Logged in as ${confirmedName} on ${registryClean}\n(token written to ${npmrcPath})\n`);
+        }
+    },
+};

package/lib/commands/logout.d.ts

@@ -0,0 +1,8 @@
+import type { Command } from '../types/index.js';
+interface LogoutOptions {
+    registry?: string;
+    scope?: string;
+    json?: boolean;
+}
+export declare const logoutCommand: Command<unknown, LogoutOptions>;
+export {};

package/lib/commands/logout.js

@@ -0,0 +1,63 @@
+// `gjsify logout [--registry <url>] [--scope @scope]`
+//
+// Node-free `npm logout` — revokes the current bearer token on the registry
+// (best-effort `DELETE /-/user/token/<token>`) and removes the
+// `//<host>/:_authToken=` line from the userconfig `.npmrc`. Completes the auth
+// trio with `gjsify login` / `whoami` / `publish`.
+//
+// Reference: npm's `lib/commands/logout.js` (DELETE the token, then strip the
+// nerf-darted authToken from the config).
+import { DEFAULT_REGISTRY, registryFor, resolveAuthForUrl } from '@gjsify/npm-registry';
+import { loadNpmrc } from '../utils/load-npmrc.js';
+import { removeAuthToken } from '../utils/auth-npmrc.js';
+export const logoutCommand = {
+    command: 'logout',
+    description: 'Log out of an npm registry (Node-free `npm logout`). Revokes the token on the registry (best-effort) and removes it from ~/.npmrc.',
+    builder: (yargs) => yargs
+        .option('registry', {
+        description: `Registry URL to log out of. Default: ${DEFAULT_REGISTRY} (or a --scope's registry).`,
+        type: 'string',
+    })
+        .option('scope', {
+        description: "Log out of a scope's registry (e.g. @gjsify) — resolved from .npmrc.",
+        type: 'string',
+    })
+        .option('json', { description: 'Emit `{registry, revoked, removed}` JSON.', type: 'boolean' }),
+    handler: async (args) => {
+        const npmrc = await loadNpmrc(process.cwd());
+        const registry = args.registry ??
+            process.env.npm_config_registry ??
+            (args.scope
+                ? registryFor(args.scope.startsWith('@') ? `${args.scope}/_` : `@${args.scope}/_`, npmrc)
+                : undefined) ??
+            DEFAULT_REGISTRY;
+        const registryClean = registry.endsWith('/') ? registry : `${registry}/`;
+        // Best-effort server-side revoke. The token value is what npm's DELETE
+        // endpoint expects in the path; if there's no token we just strip locally.
+        const auth = resolveAuthForUrl(`${registryClean}-/whoami`, npmrc);
+        let revoked = false;
+        if (auth?.startsWith('Bearer ')) {
+            const token = auth.slice('Bearer '.length);
+            try {
+                const res = await fetch(`${registryClean}-/user/token/${encodeURIComponent(token)}`, {
+                    method: 'DELETE',
+                    headers: { authorization: auth, accept: '*/*' },
+                });
+                revoked = res.ok;
+            }
+            catch {
+                /* offline / registry down — fall through to local removal */
+            }
+        }
+        const { path, removed } = removeAuthToken(registryClean);
+        if (args.json) {
+            process.stdout.write(`${JSON.stringify({ registry: registryClean, revoked, removed })}\n`);
+        }
+        else if (removed) {
+            process.stdout.write(`Logged out of ${registryClean}${revoked ? ' (token revoked)' : ''}\n(removed from ${path})\n`);
+        }
+        else {
+            process.stdout.write(`No token for ${registryClean} found in ${path} — nothing to remove.\n`);
+        }
+    },
+};

package/lib/commands/publish.js

@@ -404,13 +404,13 @@ export const publishCommand = {
                 process.stdout.write(`= ${packed.name}@${packed.version} (already published, tolerated)\n`);
             return;
         }
-        // 404 diagnostic — token-auth only. npm returns 404 for both a
-        // dead `_authToken` and a genuinely-missing package; `/-/whoami`
-        // disambiguates. OIDC has its own clear error surfaces (handled in
-        // the OIDC catch block above) and `--otp` flows take a different
-        // 401 path, so the diagnostic only kicks in for the plain
-        // token-auth PUT signature.
-        if (res.status === 404 && authMode === 'token' && !otp) {
+        // 404 diagnostic — token-auth (with or without --otp). npm returns 404
+        // for a dead `_authToken`, a genuinely-missing package, AND transiently
+        // while a brand-new scoped package is being provisioned; `/-/whoami`
+        // disambiguates a dead token from a live one. OIDC has its own clear
+        // error surfaces (handled in the OIDC catch block above), so the
+        // diagnostic only kicks in for the token-auth PUT signature.
+        if (res.status === 404 && authMode === 'token') {
             if (is404DiagnosticCandidate(text)) {
                 const diag = await diagnose404({
                     packageName: packed.name,

package/lib/index.js

@@ -4,7 +4,7 @@ import { dirname, join } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
-import { buildCommand as build, testCommand as test, runCommand as run, infoCommand as info, systemCheckCommand as systemCheck, checkCommand as check, showcaseCommand as showcase, createCommand as create, gresourceCommand as gresource, gettextCommand as gettext, gsettingsCommand as gsettings, flatpakCommand as flatpak, dlxCommand as dlx, installCommand as install, foreachCommand as foreach, workspaceCommand as workspace, packCommand as pack, publishCommand as publish, whoamiCommand as whoami, selfUpdateCommand as selfUpdate, generateInstallerCommand as generateInstaller, uninstallCommand as uninstall, formatCommand as format, lintCommand as lint, fixCommand as fix, upgradeCommand as upgrade, barrelsCommand as barrels, tscCommand as tsc, affectedCommand as affected, } from './commands/index.js';
+import { buildCommand as build, testCommand as test, runCommand as run, infoCommand as info, systemCheckCommand as systemCheck, checkCommand as check, showcaseCommand as showcase, createCommand as create, gresourceCommand as gresource, gettextCommand as gettext, gsettingsCommand as gsettings, flatpakCommand as flatpak, dlxCommand as dlx, installCommand as install, foreachCommand as foreach, workspaceCommand as workspace, packCommand as pack, publishCommand as publish, whoamiCommand as whoami, loginCommand as login, logoutCommand as logout, selfUpdateCommand as selfUpdate, generateInstallerCommand as generateInstaller, uninstallCommand as uninstall, formatCommand as format, lintCommand as lint, fixCommand as fix, upgradeCommand as upgrade, barrelsCommand as barrels, tscCommand as tsc, affectedCommand as affected, } from './commands/index.js';
 import { APP_NAME } from './constants.js';
 // Detect which runtime is executing the CLI (GJS or Node.js).
 // GJS MUST be checked first because @gjsify/process sets
@@ -80,6 +80,8 @@ await cli
     .command(pack.command, pack.description, pack.builder, pack.handler)
     .command(publish.command, publish.description, publish.builder, publish.handler)
     .command(whoami.command, whoami.description, whoami.builder, whoami.handler)
+    .command(login.command, login.description, login.builder, login.handler)
+    .command(logout.command, logout.description, logout.builder, logout.handler)
     .command(selfUpdate.command, selfUpdate.description, selfUpdate.builder, selfUpdate.handler)
     .command(generateInstaller.command, generateInstaller.description, generateInstaller.builder, generateInstaller.handler)
     .command(uninstall.command, uninstall.description, uninstall.builder, uninstall.handler)

package/lib/utils/auth-npmrc.d.ts

@@ -0,0 +1,22 @@
+/** The `.npmrc` file `gjsify login` writes to (matches `load-npmrc.ts`'s userconfig source). */
+export declare function userconfigNpmrcPath(): string;
+/**
+ * The npm "nerf-dart" key for a registry: the URL with the protocol removed,
+ * keeping the host + path with a trailing slash — `//registry.npmjs.org/`.
+ */
+export declare function nerfDart(registry: string): string;
+/** The full `_authToken` config key for a registry. */
+export declare function authTokenKey(registry: string): string;
+/**
+ * Upsert `<nerf-dart>:_authToken=<token>` in the userconfig `.npmrc`, preserving
+ * all other lines. Returns the file path written.
+ */
+export declare function writeAuthToken(registry: string, token: string): string;
+/**
+ * Remove the `<nerf-dart>:_authToken=` line for a registry from the userconfig
+ * `.npmrc`. Returns `{ path, removed }` — `removed` is false if no line matched.
+ */
+export declare function removeAuthToken(registry: string): {
+    path: string;
+    removed: boolean;
+};

package/lib/utils/auth-npmrc.js

@@ -0,0 +1,89 @@
+// Write/remove npm auth tokens in the user's `.npmrc` — the write side of
+// `load-npmrc.ts` (which only reads). Used by `gjsify login` / `gjsify logout`.
+//
+// npm stores the token under a "nerf-dart" key: the registry URL with the
+// protocol stripped, e.g. `//registry.npmjs.org/:_authToken=<token>`. We upsert
+// exactly that line in the userconfig file (`$NPM_CONFIG_USERCONFIG` or
+// `~/.npmrc`), preserving every other line, and chmod it to 0600 (it holds a
+// credential).
+import { existsSync, readFileSync, writeFileSync, chmodSync, mkdirSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join, dirname } from 'node:path';
+/** The `.npmrc` file `gjsify login` writes to (matches `load-npmrc.ts`'s userconfig source). */
+export function userconfigNpmrcPath() {
+    return process.env.NPM_CONFIG_USERCONFIG || join(homedir(), '.npmrc');
+}
+/**
+ * The npm "nerf-dart" key for a registry: the URL with the protocol removed,
+ * keeping the host + path with a trailing slash — `//registry.npmjs.org/`.
+ */
+export function nerfDart(registry) {
+    const u = new URL(registry);
+    const path = u.pathname.endsWith('/') ? u.pathname : `${u.pathname}/`;
+    return `//${u.host}${path}`;
+}
+/** The full `_authToken` config key for a registry. */
+export function authTokenKey(registry) {
+    return `${nerfDart(registry)}:_authToken`;
+}
+function readUserconfig(path) {
+    return existsSync(path) ? readFileSync(path, 'utf-8') : '';
+}
+function writeUserconfig(path, content) {
+    const dir = dirname(path);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+    writeFileSync(path, content, 'utf-8');
+    // Credential file — restrict to the owner (best-effort; ignored on Windows).
+    try {
+        chmodSync(path, 0o600);
+    }
+    catch {
+        /* non-POSIX filesystem */
+    }
+}
+/**
+ * Upsert `<nerf-dart>:_authToken=<token>` in the userconfig `.npmrc`, preserving
+ * all other lines. Returns the file path written.
+ */
+export function writeAuthToken(registry, token) {
+    const path = userconfigNpmrcPath();
+    const key = authTokenKey(registry);
+    const line = `${key}=${token}`;
+    const existing = readUserconfig(path);
+    const lines = existing.length ? existing.split('\n') : [];
+    let replaced = false;
+    const next = lines.map((l) => {
+        // Match the key at the start of the line (ignore `${...}` placeholder
+        // values too — we always overwrite with the concrete token).
+        if (l.replace(/\s+/g, '').startsWith(`${key}=`)) {
+            replaced = true;
+            return line;
+        }
+        return l;
+    });
+    // Strip trailing blank lines so we don't accumulate them across rewrites.
+    while (next.length && next[next.length - 1].trim() === '')
+        next.pop();
+    if (!replaced)
+        next.push(line);
+    writeUserconfig(path, next.join('\n') + '\n');
+    return path;
+}
+/**
+ * Remove the `<nerf-dart>:_authToken=` line for a registry from the userconfig
+ * `.npmrc`. Returns `{ path, removed }` — `removed` is false if no line matched.
+ */
+export function removeAuthToken(registry) {
+    const path = userconfigNpmrcPath();
+    const key = authTokenKey(registry);
+    const existing = readUserconfig(path);
+    if (!existing)
+        return { path, removed: false };
+    const lines = existing.split('\n');
+    const next = lines.filter((l) => !l.replace(/\s+/g, '').startsWith(`${key}=`));
+    const removed = next.length !== lines.length;
+    if (removed)
+        writeUserconfig(path, next.join('\n'));
+    return { path, removed };
+}