npm - @gramatr/client - Versions diffs - 0.6.3 → 0.6.6 - Mend

@gramatr/client 0.6.3 → 0.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/bin/gmtr-login.ts +180 -78
package/package.json +1 -1

package/bin/gmtr-login.ts CHANGED Viewed

@@ -15,10 +15,11 @@
  * The GMTRPromptEnricher hook reads this on every prompt.
  */
-import { randomBytes } from 'crypto';
+import { createHash, randomBytes } from 'crypto';
 import { readFileSync, writeFileSync, existsSync } from 'fs';
 import { join } from 'path';
 import { createServer, type IncomingMessage, type ServerResponse } from 'http';
+import type { AddressInfo } from 'net';
 // ── Config ──
@@ -41,7 +42,9 @@ const DASHBOARD_BASE = process.env.GMTR_DASHBOARD_URL || (() => {
     return 'https://app.gramatr.com';
   }
 })();
-const CALLBACK_PORT = 58787; // Must match server's redirect_uris
+// CALLBACK_PORT is now dynamically allocated per login (random localhost port).
+// The server's DCR endpoint accepts arbitrary localhost redirect_uris for
+// public CLIs (token_endpoint_auth_method=none). See loginBrowser() below.
 // ── HTML Templates ──
@@ -140,11 +143,16 @@ function errorPage(title: string, detail: string): string {
 // ── Headless Detection ──
-function isHeadless(): boolean {
-  // SSH session without display forwarding
-  if (process.env.SSH_CONNECTION || process.env.SSH_TTY) {
-    if (!process.env.DISPLAY && process.platform !== 'darwin') return true;
-  }
+function isHeadless(forceFlag: boolean = false): boolean {
+  // Explicit override — user passed --headless, OR env GRAMATR_LOGIN_HEADLESS=1
+  if (forceFlag) return true;
+  if (process.env.GRAMATR_LOGIN_HEADLESS === '1') return true;
+  // SSH session — always go headless. Even on macOS (which has a local
+  // display), `open` would launch Safari on the Mac's *physical* screen,
+  // not on the remote terminal where the user actually is. Device flow
+  // lets them paste the code on whichever machine they're sitting at.
+  if (process.env.SSH_CONNECTION || process.env.SSH_TTY) return true;
   // Docker / CI / no TTY
   if (process.env.CI || process.env.DOCKER) return true;
   // Linux without display
@@ -339,7 +347,7 @@ async function loginWithToken(token: string): Promise<void> {
   }
 }
-async function loginBrowser(): Promise<void> {
+async function loginBrowser(opts: { forceHeadless?: boolean } = {}): Promise<void> {
   console.log('\n  gramatr login\n');
   console.log(`  Server: ${SERVER_BASE}`);
   console.log(`  Dashboard: ${DASHBOARD_BASE}`);
@@ -355,8 +363,11 @@ async function loginBrowser(): Promise<void> {
   console.log('');
-  // Headless environments use device auth (no local server needed)
-  if (isHeadless()) {
+  // Headless environments use device auth (no local server needed).
+  // --headless flag or GRAMATR_LOGIN_HEADLESS=1 forces this path even on
+  // desktop — escape hatch when the browser flow is broken or the user
+  // prefers the device flow's out-of-band UX.
+  if (isHeadless(opts.forceHeadless)) {
     console.log('  Headless environment detected. Starting device login...\n');
     try {
       const device = await startDeviceAuthorization();
@@ -406,75 +417,127 @@ async function loginBrowser(): Promise<void> {
     }
   }
-  // Browser environments use local callback server
-  const state = randomBytes(16).toString('base64url');
-  const callbackUrl = `http://localhost:${CALLBACK_PORT}/callback`;
+  // ── Browser environments use OAuth 2.0 authorization-code grant + PKCE ──
+  //
+  // v0.6.5: This now mirrors the headless device flow's auth model — both
+  // paths produce an opaque `mcp-access-token-<uuid>` token (1-year TTL,
+  // Redis-backed) instead of the short-lived raw Firebase ID token the old
+  // dashboard-redirect flow stored. Per RFC 7591 (Dynamic Client Registration)
+  // we register the CLI as an OAuth client on first run, then per RFC 7636
+  // (PKCE) we exchange a code for the opaque token.
+  //
+  // Bug history: pre-v0.6.5 the browser flow stored a raw Firebase ID token
+  // (token_type: 'firebase'), which had a 1-hour TTL. After 1 hour every
+  // MCP call returned "JWT signature validation failed" because the token
+  // genuinely expired. See #519 + #524 + this PR.
+  // 1. Bind a localhost callback server (random port — server's DCR allows it)
+  const callbackServer = createServer();
+  await new Promise<void>((resolve, reject) => {
+    callbackServer.once('error', reject);
+    callbackServer.listen(0, '127.0.0.1', () => resolve());
+  });
+  const port = (callbackServer.address() as AddressInfo).port;
+  const redirectUri = `http://localhost:${port}/callback`;
-  const tokenPromise = new Promise<string>((resolve, reject) => {
-    const server = createServer(async (req: IncomingMessage, res: ServerResponse) => {
-      const url = new URL(req.url || '/', `http://localhost:${CALLBACK_PORT}`);
+  // 2. Dynamic client registration (RFC 7591). We always re-register because
+  //    the redirect_uri changes every run (random localhost port). Server
+  //    allows DCR with token_endpoint_auth_method=none for public CLIs.
+  const config = readConfig();
+  let clientId: string;
+  try {
+    const regRes = await fetch(`${SERVER_BASE}/register`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        client_name: 'gmtr-login',
+        redirect_uris: [redirectUri],
+        grant_types: ['authorization_code'],
+        response_types: ['code'],
+        token_endpoint_auth_method: 'none',
+      }),
+      signal: AbortSignal.timeout(10000),
+    });
+    const reg = await regRes.json().catch(() => ({}));
+    if (!regRes.ok || !reg.client_id) {
+      throw new Error(reg.error_description || reg.error || `HTTP ${regRes.status}`);
+    }
+    clientId = reg.client_id as string;
+    config.oauth_client_id = clientId;
+    writeConfig(config);
+  } catch (e: any) {
+    callbackServer.close();
+    console.log(`  ✗ Dynamic client registration failed: ${e.message}\n`);
+    process.exit(1);
+  }
+  // 3. PKCE: generate verifier + S256 challenge
+  const codeVerifier = randomBytes(32).toString('base64url');
+  const codeChallenge = createHash('sha256').update(codeVerifier).digest('base64url');
+  const state = randomBytes(16).toString('base64url');
+  // 4. Run the callback server, waiting for /callback?code=...&state=...
+  //
+  // v0.6.5: capture the timeout handle and clearTimeout() in finally — same
+  // orphan-timer bug that v0.3.63 fixed for the device flow. Without the
+  // clear, Promise.race against a setTimeout keeps the Node event loop
+  // alive past success and the process hangs until Ctrl+C.
+  let codeTimeoutHandle: ReturnType<typeof setTimeout> | undefined;
+  const codePromise = new Promise<string>((resolve, reject) => {
+    callbackServer.on('request', (req: IncomingMessage, res: ServerResponse) => {
+      const url = new URL(req.url || '/', redirectUri);
       if (url.pathname !== '/callback') {
         res.writeHead(404);
         res.end('Not found');
         return;
       }
-      const token = url.searchParams.get('token');
+      const code = url.searchParams.get('code');
       const returnedState = url.searchParams.get('state');
       const error = url.searchParams.get('error');
+      // v0.6.6: `server.close()` alone does not terminate keep-alive
+      // sockets — the browser holds the connection open and the Node
+      // event loop never exits, so the CLI prints "Authenticated" and
+      // then hangs until Ctrl+C. Send `Connection: close` on the
+      // response and call `closeAllConnections()` to forcibly drop
+      // lingering sockets after we respond.
+      const shutdown = () => {
+        callbackServer.close();
+        if (typeof (callbackServer as any).closeAllConnections === 'function') {
+          (callbackServer as any).closeAllConnections();
+        }
+      };
       if (error) {
-        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.writeHead(200, { 'Content-Type': 'text/html', Connection: 'close' });
         res.end(errorPage('Authentication Failed', error));
-        server.close();
+        shutdown();
         reject(new Error(`OAuth error: ${error}`));
         return;
       }
-      if (!token || returnedState !== state) {
-        res.writeHead(400, { 'Content-Type': 'text/html' });
-        res.end(errorPage('Invalid Callback', 'Missing Firebase token or state mismatch. Please try again.'));
-        server.close();
+      if (!code || returnedState !== state) {
+        res.writeHead(400, { 'Content-Type': 'text/html', Connection: 'close' });
+        res.end(errorPage('Invalid Callback', 'Missing code or state mismatch. Please try again.'));
+        shutdown();
         reject(new Error('Invalid callback'));
         return;
       }
-      try {
-        const validation = await testToken(token);
-        if (!validation.valid) {
-          res.writeHead(200, { 'Content-Type': 'text/html' });
-          res.end(errorPage('Token Validation Failed', validation.error || 'Server rejected token'));
-          server.close();
-          reject(new Error(validation.error || 'Server rejected token'));
-          return;
-        }
-        res.writeHead(200, { 'Content-Type': 'text/html' });
-        res.end(successPage());
-        server.close();
-        resolve(token);
-      } catch (e: any) {
-        res.writeHead(500, { 'Content-Type': 'text/html' });
-        res.end(errorPage('Unexpected Error', e.message));
-        server.close();
-        reject(e);
-      }
-    });
-    server.listen(CALLBACK_PORT, () => {
-      // Server ready
+      res.writeHead(200, { 'Content-Type': 'text/html', Connection: 'close' });
+      res.end(successPage());
+      shutdown();
+      resolve(code);
     });
-    // Timeout after 2 minutes
-    setTimeout(() => {
-      server.close();
-      reject(new Error('Login timed out after 2 minutes'));
-    }, 120000);
+    codeTimeoutHandle = setTimeout(() => {
+      callbackServer.close();
+      reject(new Error('Login timed out after 5 minutes'));
+    }, 5 * 60 * 1000);
   });
-  const authorizeUrl = new URL('/login', `${DASHBOARD_BASE}/`);
-  authorizeUrl.searchParams.set('callback', callbackUrl);
+  // 5. Open the browser to the server's /authorize endpoint with PKCE params
+  const authorizeUrl = new URL('/authorize', SERVER_BASE);
+  authorizeUrl.searchParams.set('response_type', 'code');
+  authorizeUrl.searchParams.set('client_id', clientId);
+  authorizeUrl.searchParams.set('redirect_uri', redirectUri);
+  authorizeUrl.searchParams.set('code_challenge', codeChallenge);
+  authorizeUrl.searchParams.set('code_challenge_method', 'S256');
   authorizeUrl.searchParams.set('state', state);
   console.log('  Opening browser for authentication...');
@@ -482,33 +545,64 @@ async function loginBrowser(): Promise<void> {
   console.log(`  ${authorizeUrl.toString()}`);
   console.log('');
-  // Open browser
   const { exec } = await import('child_process');
   const openCmd = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';
   exec(`${openCmd} "${authorizeUrl.toString()}"`);
   console.log('  Waiting for authorization...');
+  let authCode: string;
   try {
-    const accessToken = await tokenPromise;
-    // Save token
-    const config = readConfig();
-    config.token = accessToken;
-    config.token_type = 'firebase';
-    config.authenticated_at = new Date().toISOString();
-    config.server_url = SERVER_BASE;
-    config.dashboard_url = DASHBOARD_BASE;
-    writeConfig(config);
-    console.log('');
-    console.log('  ✓ Authenticated successfully');
-    console.log('  Token saved to ~/.gramatr.json');
-    console.log('  gramatr intelligence is now active.\n');
+    authCode = await codePromise;
   } catch (e: any) {
+    if (codeTimeoutHandle) clearTimeout(codeTimeoutHandle);
     console.log(`\n  ✗ Authentication failed: ${e.message}\n`);
     process.exit(1);
   }
+  if (codeTimeoutHandle) clearTimeout(codeTimeoutHandle);
+  // 6. Exchange the code for an opaque MCP access token at /token
+  let accessToken: string;
+  let expiresIn: number = 31536000; // server default = 1 year
+  try {
+    const tokenRes = await fetch(`${SERVER_BASE}/token`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        grant_type: 'authorization_code',
+        code: authCode,
+        code_verifier: codeVerifier,
+        client_id: clientId,
+        redirect_uri: redirectUri,
+      }),
+      signal: AbortSignal.timeout(10000),
+    });
+    const payload = await tokenRes.json().catch(() => ({}));
+    if (!tokenRes.ok || !payload.access_token) {
+      throw new Error(payload.error_description || payload.error || `HTTP ${tokenRes.status}`);
+    }
+    accessToken = payload.access_token as string;
+    if (typeof payload.expires_in === 'number') expiresIn = payload.expires_in;
+  } catch (e: any) {
+    console.log(`\n  ✗ Token exchange failed: ${e.message}\n`);
+    process.exit(1);
+  }
+  // 7. Save the opaque token — same shape as the device flow
+  const updated = readConfig();
+  updated.token = accessToken;
+  updated.token_type = 'oauth';
+  updated.authenticated_at = new Date().toISOString();
+  updated.server_url = SERVER_BASE;
+  updated.dashboard_url = DASHBOARD_BASE;
+  updated.token_expires_at = new Date(Date.now() + expiresIn * 1000).toISOString();
+  if (clientId) updated.oauth_client_id = clientId;
+  writeConfig(updated);
+  console.log('');
+  console.log('  ✓ Authenticated successfully');
+  console.log('  Token saved to ~/.gramatr.json');
+  console.log('  gramatr intelligence is now active.\n');
 }
 // ── CLI ──
@@ -563,13 +657,19 @@ export async function main(): Promise<void> {
   gmtr-login — Authenticate with the gramatr server
   Usage:
-    gmtr-login              Interactive dashboard login (browser or headless device flow)
+    gmtr-login              Interactive login (browser PKCE when display available,
+                            device flow otherwise — auto-detected)
+    gmtr-login --headless   Force the device flow even on desktops (escape hatch
+                            when the browser flow is broken or unavailable)
     gmtr-login --token      Paste a token (API key or Firebase token)
     gmtr-login --token <t>  Provide token directly
     gmtr-login --status     Check authentication status
     gmtr-login --logout     Remove stored credentials
     gmtr-login --help       Show this help
+  Environment:
+    GRAMATR_LOGIN_HEADLESS=1  Same as --headless (forces device flow)
   Token storage: ~/.gramatr.json
   Server: ${SERVER_BASE}
   Dashboard: ${DASHBOARD_BASE}
@@ -577,8 +677,10 @@ export async function main(): Promise<void> {
     return;
   }
-  // Default: browser login flow
-  await loginBrowser();
+  // Default: browser login flow (falls back to device flow if headless
+  // detected, OR if --headless / GRAMATR_LOGIN_HEADLESS=1 is set).
+  const forceHeadless = args.includes('--headless');
+  await loginBrowser({ forceHeadless });
 }
 // Module-run guard. Works both when invoked directly via

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@gramatr/client",
-  "version": "0.6.3",
+  "version": "0.6.6",
   "publishConfig": {
     "access": "public"
   },