@hogsend/cli 0.19.0 → 0.20.0

package/src/lib/loopback.ts

@@ -0,0 +1,223 @@
+import { createServer, type Server } from "node:http";
+import { CALLBACK_PATH, CALLBACK_TIMEOUT_MS } from "./oauth.js";
+
+/**
+ * RFC 8252 loopback redirect receiver for the OAuth callback. Binds
+ * 127.0.0.1 ONLY (never 0.0.0.0), tries the fixed port list in order
+ * (production: `LOOPBACK_PORTS`, registered in the CIMD document; tests
+ * inject `[0]` for ephemeral binds), and settles exactly once — later
+ * requests get a 410.
+ */
+
+export type LoopbackFailure =
+  | "ports_busy"
+  | "state_mismatch"
+  | "consent_denied"
+  | "timeout"
+  | "oauth_error";
+
+export class LoopbackError extends Error {
+  readonly reason: LoopbackFailure;
+  readonly detail?: string;
+
+  constructor(reason: LoopbackFailure, message: string, detail?: string) {
+    super(message);
+    this.name = "LoopbackError";
+    this.reason = reason;
+    this.detail = detail;
+  }
+}
+
+export interface LoopbackServer {
+  port: number;
+  /** `http://127.0.0.1:${port}${callbackPath}` */
+  redirectUri: string;
+  waitForCallback(opts?: { timeoutMs?: number }): Promise<{ code: string }>;
+  close(): Promise<void>;
+}
+
+const page = (title: string, body: string): string =>
+  `<!doctype html><html><head><meta charset="utf-8"><title>Hogsend</title>` +
+  `<style>body{font-family:system-ui,sans-serif;max-width:32rem;` +
+  `margin:6rem auto;padding:0 1rem;color:#1a1a1a}</style></head>` +
+  `<body><h1>${title}</h1><p>${body}</p></body></html>`;
+
+const SUCCESS_HTML = page(
+  "Connected",
+  "You can close this tab and return to your terminal.",
+);
+const DENIED_HTML = page(
+  "Not connected",
+  "Authorization was denied. Close this tab and re-run the command if that " +
+    "was a mistake.",
+);
+const MISMATCH_HTML = page(
+  "Not connected",
+  "State mismatch. Close this tab and re-run the command.",
+);
+const NO_CODE_HTML = page(
+  "Not connected",
+  "The callback carried no authorization code. Close this tab and re-run " +
+    "the command.",
+);
+
+/** Bind to 127.0.0.1:port; resolves null on EADDRINUSE, rejects otherwise. */
+function tryListen(
+  port: number,
+  handler: Parameters<typeof createServer>[1],
+): Promise<Server | null> {
+  return new Promise((resolve, reject) => {
+    const server = createServer(handler);
+    const onError = (err: NodeJS.ErrnoException) => {
+      server.close();
+      if (err.code === "EADDRINUSE") resolve(null);
+      else reject(err);
+    };
+    server.once("error", onError);
+    server.listen({ host: "127.0.0.1", port }, () => {
+      server.removeListener("error", onError);
+      resolve(server);
+    });
+  });
+}
+
+export async function startLoopbackServer(opts: {
+  /** Production: LOOPBACK_PORTS; tests inject [0] for an ephemeral bind. */
+  ports: readonly number[];
+  state: string;
+  /** Default CALLBACK_PATH. */
+  callbackPath?: string;
+}): Promise<LoopbackServer> {
+  const callbackPath = opts.callbackPath ?? CALLBACK_PATH;
+
+  let settled = false;
+  let settleResolve!: (value: { code: string }) => void;
+  let settleReject!: (error: Error) => void;
+  const settlePromise = new Promise<{ code: string }>((resolve, reject) => {
+    settleResolve = resolve;
+    settleReject = reject;
+  });
+  // A callback can settle (reject) before/without waitForCallback being
+  // awaited — keep the bare promise from surfacing an unhandled rejection.
+  settlePromise.catch(() => {});
+
+  const handler: Parameters<typeof createServer>[1] = (req, res) => {
+    const url = new URL(req.url ?? "/", "http://127.0.0.1");
+
+    if (url.pathname !== callbackPath) {
+      res.writeHead(404, { "content-type": "text/plain; charset=utf-8" });
+      res.end("Not found");
+      return;
+    }
+
+    // First settled answer wins; later requests are stale.
+    if (settled) {
+      res.writeHead(410, { "content-type": "text/plain; charset=utf-8" });
+      res.end("This callback was already handled — return to your terminal.");
+      return;
+    }
+    settled = true;
+
+    const respond = (status: number, html: string) => {
+      res.writeHead(status, { "content-type": "text/html; charset=utf-8" });
+      res.end(html);
+    };
+
+    const error = url.searchParams.get("error");
+    if (error !== null) {
+      respond(200, DENIED_HTML);
+      const detail = url.searchParams.get("error_description") ?? error;
+      settleReject(
+        error === "access_denied"
+          ? new LoopbackError(
+              "consent_denied",
+              "authorization was denied in PostHog",
+              detail,
+            )
+          : new LoopbackError(
+              "oauth_error",
+              `the OAuth callback returned an error: ${error}`,
+              detail,
+            ),
+      );
+      return;
+    }
+
+    const state = url.searchParams.get("state");
+    if (state === null || state !== opts.state) {
+      respond(400, MISMATCH_HTML);
+      // High-entropy random state ⇒ plain `===` comparison is fine.
+      settleReject(
+        new LoopbackError(
+          "state_mismatch",
+          "state mismatch on the OAuth callback — possible CSRF; retry " +
+            "the command",
+        ),
+      );
+      return;
+    }
+
+    const code = url.searchParams.get("code");
+    if (code === null || code === "") {
+      respond(400, NO_CODE_HTML);
+      settleReject(
+        new LoopbackError(
+          "oauth_error",
+          "the OAuth callback carried no authorization code",
+        ),
+      );
+      return;
+    }
+
+    respond(200, SUCCESS_HTML);
+    settleResolve({ code });
+  };
+
+  let server: Server | null = null;
+  for (const port of opts.ports) {
+    server = await tryListen(port, handler);
+    if (server) break;
+  }
+  if (!server) {
+    throw new LoopbackError(
+      "ports_busy",
+      `ports ${opts.ports.join(", ")} on 127.0.0.1 are all in use`,
+    );
+  }
+
+  const address = server.address();
+  const port =
+    address !== null && typeof address === "object" ? address.port : 0;
+  const bound = server;
+
+  return {
+    port,
+    redirectUri: `http://127.0.0.1:${port}${callbackPath}`,
+
+    waitForCallback(waitOpts?: { timeoutMs?: number }) {
+      const timeoutMs = waitOpts?.timeoutMs ?? CALLBACK_TIMEOUT_MS;
+      let timer: NodeJS.Timeout | undefined;
+      const timeout = new Promise<never>((_, reject) => {
+        timer = setTimeout(() => {
+          reject(
+            new LoopbackError(
+              "timeout",
+              "timed out waiting for the OAuth callback (5 minutes)",
+            ),
+          );
+        }, timeoutMs);
+      });
+      return Promise.race([settlePromise, timeout]).finally(() => {
+        clearTimeout(timer);
+      });
+    },
+
+    close() {
+      return new Promise<void>((resolve) => {
+        // Keep-alive sockets would hold close() open indefinitely.
+        bound.closeAllConnections();
+        bound.close(() => resolve());
+      });
+    },
+  };
+}

package/src/lib/oauth.ts

@@ -0,0 +1,256 @@
+import { createHash, randomBytes } from "node:crypto";
+
+/**
+ * OAuth 2.0 primitives for `hogsend connect posthog`: PKCE (S256, RFC 7636),
+ * RFC 8414 authorization-server discovery, the authorize-URL builder, and the
+ * form-encoded public-client code exchange. Pure + injectable (`fetchImpl`)
+ * so everything is unit-testable without a live PostHog.
+ */
+
+/**
+ * The CIMD document URL — doubles as the OAuth `client_id` (PostHog public
+ * client, `token_endpoint_auth_method: "none"`).
+ *
+ * LOCKSTEP (M5): this URL is deliberately re-typed in THREE places — here,
+ * the engine's `HOGSEND_POSTHOG_CLIENT_ID`
+ * (`packages/engine/src/lib/oauth-token-manager.ts`), and the `client_id`
+ * field inside the hosted CIMD document
+ * (`apps/docs/public/.well-known/hogsend-posthog-client.json`). The CLI has
+ * no engine dependency, so there is no single importable source of truth;
+ * grep all three before changing any of them.
+ */
+export const POSTHOG_CLIENT_ID =
+  "https://hogsend.com/.well-known/hogsend-posthog-client.json";
+
+/**
+ * LOCKSTEP (M5): must match the `scope` field of the hosted CIMD document
+ * (`apps/docs/public/.well-known/hogsend-posthog-client.json`).
+ */
+export const POSTHOG_SCOPES =
+  "person:read person:write project:read hog_function:write";
+
+/**
+ * LOCKSTEP (M5): the CIMD document's `redirect_uris` list EXACTLY
+ * `http://127.0.0.1:{8423,8424,8425}/callback` — these constants and the
+ * hosted JSON (`apps/docs/public/.well-known/hogsend-posthog-client.json`)
+ * must stay in lockstep, or PostHog rejects the redirect at authorize time.
+ */
+export const LOOPBACK_PORTS = [8423, 8424, 8425] as const;
+export const CALLBACK_PATH = "/callback";
+export const CALLBACK_TIMEOUT_MS = 300_000; // 5 min
+
+/**
+ * Consent-scope refinement (verified: the authorize endpoint accepts a
+ * required_access_level param; "team" = least privilege). If the live consent
+ * page rejects the param during e2e verification, flip to undefined — the
+ * flow must not depend on it.
+ */
+export const REQUIRED_ACCESS_LEVEL: string | undefined = "team";
+
+const DISCOVERY_TIMEOUT_MS = 10_000;
+
+export interface PkcePair {
+  verifier: string;
+  challenge: string;
+  method: "S256";
+}
+
+/**
+ * base64url(sha256(ascii verifier)) — exported separately for the RFC 7636
+ * appendix B vector test.
+ */
+export function computeChallenge(verifier: string): string {
+  return createHash("sha256").update(verifier, "ascii").digest("base64url");
+}
+
+/**
+ * verifier = base64url(crypto.randomBytes(32)) → 43 chars, RFC 7636 §4.1
+ * charset (no padding — Node's base64url omits `=`).
+ */
+export function generatePkce(): PkcePair {
+  const verifier = randomBytes(32).toString("base64url");
+  return { verifier, challenge: computeChallenge(verifier), method: "S256" };
+}
+
+/** base64url(crypto.randomBytes(16)) — high-entropy CSRF state. */
+export function generateState(): string {
+  return randomBytes(16).toString("base64url");
+}
+
+export interface OAuthServerMetadata {
+  issuer: string;
+  authorization_endpoint: string;
+  token_endpoint: string;
+  [k: string]: unknown; // passthrough
+}
+
+export type DiscoveryResult =
+  | { status: "ok"; metadata: OAuthServerMetadata }
+  | { status: "unsupported" } // HTTP 404 or 410
+  | { status: "error"; message: string }; // transport / non-JSON / missing endpoints
+
+/**
+ * RFC 8414 discovery against the instance's own private host —
+ * `GET {privateHost}/.well-known/oauth-authorization-server`. Never hardcode
+ * `oauth.posthog.com`; per-region servers are discovered from the host.
+ * Self-hosted builds without OAuth 404 here → `unsupported` (clean
+ * personal-API-key fallback). Never throws.
+ */
+export async function discoverOAuthServer(opts: {
+  /** No trailing slash. */
+  privateHost: string;
+  fetchImpl?: typeof fetch;
+}): Promise<DiscoveryResult> {
+  const fetchImpl = opts.fetchImpl ?? fetch;
+  const url = `${opts.privateHost}/.well-known/oauth-authorization-server`;
+
+  let res: Response;
+  try {
+    res = await fetchImpl(url, {
+      headers: { Accept: "application/json" },
+      signal: AbortSignal.timeout(DISCOVERY_TIMEOUT_MS),
+    });
+  } catch (cause) {
+    const msg = cause instanceof Error ? cause.message : String(cause);
+    return { status: "error", message: `OAuth discovery failed: ${msg}` };
+  }
+
+  if (res.status === 404 || res.status === 410) {
+    return { status: "unsupported" };
+  }
+  if (!res.ok) {
+    return {
+      status: "error",
+      message: `OAuth discovery failed (HTTP ${res.status})`,
+    };
+  }
+
+  let doc: unknown;
+  try {
+    doc = await res.json();
+  } catch {
+    return {
+      status: "error",
+      message: "malformed discovery document (not JSON)",
+    };
+  }
+
+  if (
+    typeof doc !== "object" ||
+    doc === null ||
+    typeof (doc as Record<string, unknown>).issuer !== "string" ||
+    typeof (doc as Record<string, unknown>).authorization_endpoint !==
+      "string" ||
+    typeof (doc as Record<string, unknown>).token_endpoint !== "string"
+  ) {
+    return {
+      status: "error",
+      message:
+        "malformed discovery document (missing issuer / " +
+        "authorization_endpoint / token_endpoint)",
+    };
+  }
+
+  return { status: "ok", metadata: doc as OAuthServerMetadata };
+}
+
+/** Build the user-facing authorize URL (PKCE S256, public client). */
+export function buildAuthorizeUrl(opts: {
+  authorizationEndpoint: string;
+  clientId: string;
+  redirectUri: string;
+  scope: string;
+  state: string;
+  pkce: PkcePair;
+  requiredAccessLevel?: string;
+}): string {
+  const url = new URL(opts.authorizationEndpoint);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", opts.clientId);
+  url.searchParams.set("redirect_uri", opts.redirectUri);
+  url.searchParams.set("scope", opts.scope);
+  url.searchParams.set("state", opts.state);
+  url.searchParams.set("code_challenge", opts.pkce.challenge);
+  url.searchParams.set("code_challenge_method", opts.pkce.method);
+  if (opts.requiredAccessLevel !== undefined) {
+    url.searchParams.set("required_access_level", opts.requiredAccessLevel);
+  }
+  return url.toString();
+}
+
+export interface TokenResponse {
+  access_token: string;
+  /** REQUIRED here — `exchangeCode` throws when a 200 omits it. */
+  refresh_token: string;
+  token_type: string;
+  expires_in: number;
+  scope?: string;
+  id_token?: string;
+  scoped_teams?: number[];
+  /** PostHog org ids are UUID strings (SYNTHESIS §0). */
+  scoped_organizations?: string[];
+}
+
+/**
+ * Public-client authorization-code exchange: form-encoded POST, NO
+ * Authorization header, NO client_secret. The error message NEVER includes
+ * the code or verifier.
+ */
+export async function exchangeCode(opts: {
+  tokenEndpoint: string;
+  clientId: string;
+  code: string;
+  codeVerifier: string;
+  redirectUri: string;
+  fetchImpl?: typeof fetch;
+}): Promise<TokenResponse> {
+  const fetchImpl = opts.fetchImpl ?? fetch;
+
+  const res = await fetchImpl(opts.tokenEndpoint, {
+    method: "POST",
+    headers: {
+      // URLSearchParams sets this automatically; explicit for clarity.
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json",
+    },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      code: opts.code,
+      redirect_uri: opts.redirectUri,
+      client_id: opts.clientId,
+      code_verifier: opts.codeVerifier,
+    }),
+  });
+
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    let detail = text;
+    try {
+      const parsed: unknown = JSON.parse(text);
+      if (
+        typeof parsed === "object" &&
+        parsed !== null &&
+        typeof (parsed as Record<string, unknown>).error === "string"
+      ) {
+        detail = (parsed as { error: string }).error;
+      }
+    } catch {
+      // non-JSON body — keep the raw text
+    }
+    throw new Error(
+      `token exchange failed (${res.status})${detail ? `: ${detail}` : ""}`,
+    );
+  }
+
+  const json = (await res.json()) as Record<string, unknown>;
+  if (typeof json.access_token !== "string" || json.access_token === "") {
+    throw new Error("token response missing access_token");
+  }
+  if (typeof json.refresh_token !== "string" || json.refresh_token === "") {
+    throw new Error(
+      "token response missing refresh_token — cannot store a long-lived " +
+        "credential",
+    );
+  }
+  return json as unknown as TokenResponse;
+}