@husar.ai/cli 0.4.0 → 0.4.2

package/src/auth/config.ts

@@ -0,0 +1,198 @@
+/**
+ * Auth configuration storage for Husar CLI
+ * Stores user credentials in ~/.husar/config.json
+ *
+ * SECURITY: Files are created with restrictive permissions (0o600)
+ * to prevent other users from reading sensitive tokens.
+ */
+
+import { promises as fs } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+
+const CONFIG_DIR = join(homedir(), '.husar');
+const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
+
+/**
+ * File permission modes for secure storage
+ * - 0o700: Directory - owner can read/write/execute, no access for others
+ * - 0o600: File - owner can read/write, no access for others
+ *
+ * Note: These permissions only apply on Unix-like systems (macOS, Linux).
+ * On Windows, Node.js ignores the mode parameter and uses ACLs instead.
+ */
+const DIR_MODE = 0o700;
+const FILE_MODE = 0o600;
+
+export interface AuthConfig {
+  /** User's email address */
+  email?: string;
+  /** Access token from cloud backend */
+  accessToken?: string;
+  /** Refresh token for re-authentication */
+  refreshToken?: string;
+  /** Timestamp when the token was last refreshed */
+  lastRefresh?: number;
+}
+
+/**
+ * Cloud authentication data (JWT from husar.ai OAuth)
+ */
+export interface CloudAuth {
+  /** User's email address */
+  email?: string;
+  /** JWT access token from cloud backend */
+  accessToken: string;
+  /** Refresh token for re-authentication (optional) */
+  refreshToken?: string;
+}
+
+export interface ProjectAuth {
+  /** Project name */
+  projectName: string;
+  /** CMS instance host URL */
+  host: string;
+  /** Admin token for the CMS instance */
+  adminToken: string;
+}
+
+export interface FullAuthConfig extends AuthConfig {
+  /** Cached project authentications */
+  projects?: Record<string, ProjectAuth>;
+}
+
+/**
+ * Ensure the config directory exists with secure permissions
+ */
+async function ensureConfigDir(): Promise<void> {
+  try {
+    await fs.mkdir(CONFIG_DIR, { recursive: true, mode: DIR_MODE });
+  } catch (err) {
+    // Directory already exists - verify permissions are secure
+    try {
+      await fs.chmod(CONFIG_DIR, DIR_MODE);
+    } catch {
+      // chmod may fail on some systems, continue anyway
+    }
+  }
+}
+
+/**
+ * Read the auth configuration
+ */
+export async function readAuthConfig(): Promise<FullAuthConfig> {
+  try {
+    await ensureConfigDir();
+    const content = await fs.readFile(CONFIG_FILE, 'utf-8');
+    return JSON.parse(content) as FullAuthConfig;
+  } catch {
+    return {};
+  }
+}
+
+/**
+ * Write the auth configuration with secure file permissions
+ */
+export async function writeAuthConfig(config: FullAuthConfig): Promise<void> {
+  await ensureConfigDir();
+  await fs.writeFile(CONFIG_FILE, JSON.stringify(config, null, 2), { encoding: 'utf-8', mode: FILE_MODE });
+
+  // Also ensure permissions are correct for existing files
+  try {
+    await fs.chmod(CONFIG_FILE, FILE_MODE);
+  } catch {
+    // chmod may fail on some systems (e.g., Windows), continue anyway
+  }
+}
+
+/**
+ * Check if the user is logged in
+ */
+export async function isLoggedIn(): Promise<boolean> {
+  const config = await readAuthConfig();
+  return !!(config.accessToken && config.email);
+}
+
+/**
+ * Get the current user info
+ */
+export async function getCurrentUser(): Promise<{ email: string } | null> {
+  const config = await readAuthConfig();
+  if (!config.accessToken || !config.email) {
+    return null;
+  }
+  return { email: config.email };
+}
+
+/**
+ * Save login credentials
+ */
+export async function saveLogin(email: string, accessToken: string, refreshToken?: string): Promise<void> {
+  const config = await readAuthConfig();
+  config.email = email;
+  config.accessToken = accessToken;
+  config.refreshToken = refreshToken;
+  config.lastRefresh = Date.now();
+  await writeAuthConfig(config);
+}
+
+/**
+ * Save cloud authentication (JWT from OAuth)
+ */
+export async function saveCloudAuth(cloudAuth: CloudAuth): Promise<void> {
+  const config = await readAuthConfig();
+  config.email = cloudAuth.email;
+  config.accessToken = cloudAuth.accessToken;
+  config.refreshToken = cloudAuth.refreshToken;
+  config.lastRefresh = Date.now();
+  await writeAuthConfig(config);
+}
+
+/**
+ * Get cloud authentication (JWT)
+ */
+export async function getCloudAuth(): Promise<CloudAuth | null> {
+  const config = await readAuthConfig();
+  if (!config.accessToken) {
+    return null;
+  }
+  return {
+    email: config.email,
+    accessToken: config.accessToken,
+    refreshToken: config.refreshToken,
+  };
+}
+
+/**
+ * Save project authentication
+ */
+export async function saveProjectAuth(project: ProjectAuth): Promise<void> {
+  const config = await readAuthConfig();
+  if (!config.projects) {
+    config.projects = {};
+  }
+  config.projects[project.projectName] = project;
+  await writeAuthConfig(config);
+}
+
+/**
+ * Get project authentication
+ */
+export async function getProjectAuth(projectName: string): Promise<ProjectAuth | null> {
+  const config = await readAuthConfig();
+  return config.projects?.[projectName] ?? null;
+}
+
+/**
+ * Clear all auth data (logout)
+ */
+export async function clearAuth(): Promise<void> {
+  await writeAuthConfig({});
+}
+
+/**
+ * Get the config file path (for display purposes)
+ */
+export function getConfigPath(): string {
+  return CONFIG_FILE;
+}