@husar.ai/cli 0.4.1 → 0.4.2

package/src/auth/login.ts

@@ -0,0 +1,631 @@
+/**
+ * Login flows for Husar CLI
+ *
+ * Two separate authentication flows:
+ * 1. Cloud login - OAuth via husar.ai, returns JWT for listing projects
+ * 2. Panel CMS login - SUPERADMIN credentials, returns adminToken for CMS operations
+ */
+
+import { createServer, IncomingMessage, ServerResponse } from 'node:http';
+import { URL } from 'node:url';
+import { randomBytes } from 'node:crypto';
+import { saveCloudAuth, saveProjectAuth, ProjectAuth, CloudAuth } from './config.js';
+
+const DEFAULT_CALLBACK_PORT = 9876;
+const CLOUD_AUTH_URL = process.env.HUSAR_AUTH_URL || 'https://husar.ai';
+
+// ═══════════════════════════════════════════════════════════════════════════
+// SECURITY UTILITIES
+// ═══════════════════════════════════════════════════════════════════════════
+
+/**
+ * Escape HTML special characters to prevent XSS attacks
+ * Used when interpolating user-provided data into HTML responses
+ */
+function escapeHtml(str: string): string {
+  return str
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#039;');
+}
+
+/**
+ * Generate a cryptographically secure random state parameter for OAuth
+ * This prevents CSRF attacks in the OAuth flow
+ */
+function generateState(): string {
+  return randomBytes(32).toString('hex');
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// TYPES
+// ═══════════════════════════════════════════════════════════════════════════
+
+export interface CloudLoginResult {
+  success: boolean;
+  email?: string;
+  accessToken?: string;
+  error?: string;
+}
+
+export interface PanelLoginResult {
+  success: boolean;
+  project?: ProjectAuth;
+  error?: string;
+}
+
+/** @deprecated Use CloudLoginResult or PanelLoginResult instead */
+export interface LoginResult {
+  success: boolean;
+  email?: string;
+  project?: ProjectAuth;
+  error?: string;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// CLOUD LOGIN FLOW
+// ═══════════════════════════════════════════════════════════════════════════
+
+/**
+ * Start cloud login flow - OAuth via husar.ai
+ * Returns JWT access token for cloud API operations (listing projects, etc.)
+ *
+ * Flow:
+ * 1. Opens browser to husar.ai/app/cli-auth
+ * 2. User logs in via OAuth (Google/GitHub/email)
+ * 3. Callback returns: access_token, user_email, state
+ *
+ * Security: Uses state parameter to prevent CSRF attacks
+ */
+export async function startCloudLoginFlow(options?: { port?: number; timeout?: number }): Promise<CloudLoginResult> {
+  const port = options?.port ?? DEFAULT_CALLBACK_PORT;
+  const timeout = options?.timeout ?? 300000; // 5 minutes default
+
+  // Generate state parameter for CSRF protection
+  const expectedState = generateState();
+
+  return new Promise((resolve) => {
+    let resolved = false;
+
+    const server = createServer((req: IncomingMessage, res: ServerResponse) => {
+      if (resolved) {
+        res.writeHead(200);
+        res.end('Already processed');
+        return;
+      }
+
+      const url = new URL(req.url ?? '/', `http://localhost:${port}`);
+
+      if (url.pathname === '/callback') {
+        // Parse callback parameters (cloud auth returns JWT)
+        const accessToken = url.searchParams.get('access_token');
+        const userEmail = url.searchParams.get('user_email');
+        const returnedState = url.searchParams.get('state');
+        const error = url.searchParams.get('error');
+
+        if (error) {
+          resolved = true;
+          res.writeHead(200, { 'Content-Type': 'text/html' });
+          res.end(getErrorHtml(error));
+          server.close();
+          resolve({ success: false, error });
+          return;
+        }
+
+        // Validate state parameter to prevent CSRF
+        if (returnedState !== expectedState) {
+          resolved = true;
+          res.writeHead(400, { 'Content-Type': 'text/html' });
+          res.end(getErrorHtml('Invalid state parameter. This may be a CSRF attack.'));
+          server.close();
+          resolve({ success: false, error: 'State parameter mismatch - possible CSRF attack' });
+          return;
+        }
+
+        if (!accessToken) {
+          resolved = true;
+          res.writeHead(400, { 'Content-Type': 'text/html' });
+          res.end(getErrorHtml('Missing access token'));
+          server.close();
+          resolve({ success: false, error: 'Missing access token from cloud auth' });
+          return;
+        }
+
+        // Success - save cloud auth and close server
+        resolved = true;
+
+        const cloudAuth: CloudAuth = {
+          email: userEmail ?? undefined,
+          accessToken,
+        };
+
+        // Send success response before processing
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(getCloudSuccessHtml(userEmail ?? 'user'));
+
+        // Save cloud auth
+        saveCloudAuth(cloudAuth)
+          .then(() => {
+            server.close();
+            resolve({
+              success: true,
+              email: userEmail ?? undefined,
+              accessToken,
+            });
+          })
+          .catch((err: Error) => {
+            server.close();
+            resolve({ success: false, error: err.message });
+          });
+      } else {
+        res.writeHead(404);
+        res.end('Not found');
+      }
+    });
+
+    server.listen(port, () => {
+      // Server is ready, open browser (include state parameter)
+      const authUrl = `${CLOUD_AUTH_URL}/en/app/cli-auth?callback_port=${port}&state=${expectedState}`;
+      console.log(`\n🔐 Opening browser for cloud authentication...`);
+      console.log(`   If the browser doesn't open, visit: ${authUrl}\n`);
+      openBrowser(authUrl);
+    });
+
+    server.on('error', (err) => {
+      if (!resolved) {
+        resolved = true;
+        resolve({ success: false, error: `Server error: ${err.message}` });
+      }
+    });
+
+    // Timeout after specified duration
+    setTimeout(() => {
+      if (!resolved) {
+        resolved = true;
+        server.close();
+        resolve({ success: false, error: 'Cloud login timed out. Please try again.' });
+      }
+    }, timeout);
+  });
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// PANEL CMS LOGIN FLOW
+// ═══════════════════════════════════════════════════════════════════════════
+
+/**
+ * Start panel CMS login flow - SUPERADMIN credentials
+ * Returns adminToken for CMS operations
+ *
+ * Flow:
+ * 1. Opens browser to {panelHost}/connect-device
+ * 2. User enters SUPERADMIN username/password (from email)
+ * 3. Panel verifies credentials and returns adminToken
+ * 4. Callback returns: admin_token, host, project_name, state
+ *
+ * Security: Uses state parameter to prevent CSRF attacks
+ */
+export async function startPanelLoginFlow(
+  panelHost: string,
+  options?: { port?: number; timeout?: number },
+): Promise<PanelLoginResult> {
+  const port = options?.port ?? DEFAULT_CALLBACK_PORT;
+  const timeout = options?.timeout ?? 300000; // 5 minutes default
+
+  // Normalize host URL
+  const normalizedHost = panelHost.endsWith('/') ? panelHost.slice(0, -1) : panelHost;
+
+  // Generate state parameter for CSRF protection
+  const expectedState = generateState();
+
+  return new Promise((resolve) => {
+    let resolved = false;
+
+    const server = createServer((req: IncomingMessage, res: ServerResponse) => {
+      if (resolved) {
+        res.writeHead(200);
+        res.end('Already processed');
+        return;
+      }
+
+      const url = new URL(req.url ?? '/', `http://localhost:${port}`);
+
+      if (url.pathname === '/callback') {
+        // Parse callback parameters (panel returns adminToken)
+        const adminToken = url.searchParams.get('admin_token');
+        const host = url.searchParams.get('host');
+        const projectName = url.searchParams.get('project_name');
+        const returnedState = url.searchParams.get('state');
+        const error = url.searchParams.get('error');
+
+        if (error) {
+          resolved = true;
+          res.writeHead(200, { 'Content-Type': 'text/html' });
+          res.end(getErrorHtml(error));
+          server.close();
+          resolve({ success: false, error });
+          return;
+        }
+
+        // Validate state parameter to prevent CSRF
+        if (returnedState !== expectedState) {
+          resolved = true;
+          res.writeHead(400, { 'Content-Type': 'text/html' });
+          res.end(getErrorHtml('Invalid state parameter. This may be a CSRF attack.'));
+          server.close();
+          resolve({ success: false, error: 'State parameter mismatch - possible CSRF attack' });
+          return;
+        }
+
+        if (!adminToken || !host || !projectName) {
+          resolved = true;
+          res.writeHead(400, { 'Content-Type': 'text/html' });
+          res.end(getErrorHtml('Missing required parameters'));
+          server.close();
+          resolve({ success: false, error: 'Missing admin_token, host, or project_name from panel' });
+          return;
+        }
+
+        // Success - save project auth and close server
+        resolved = true;
+
+        const project: ProjectAuth = {
+          projectName,
+          host,
+          adminToken,
+        };
+
+        // Send success response before processing
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(getPanelSuccessHtml(projectName));
+
+        // Save project auth
+        saveProjectAuth(project)
+          .then(() => {
+            server.close();
+            resolve({
+              success: true,
+              project,
+            });
+          })
+          .catch((err) => {
+            server.close();
+            resolve({ success: false, error: err.message });
+          });
+      } else {
+        res.writeHead(404);
+        res.end('Not found');
+      }
+    });
+
+    server.listen(port, () => {
+      // Server is ready, open browser (include state parameter)
+      const authUrl = `${normalizedHost}/connect-device?callback_port=${port}&state=${expectedState}`;
+      console.log(`\n🔐 Opening browser for CMS authentication...`);
+      console.log(`   You'll need your SUPERADMIN credentials (from the welcome email)`);
+      console.log(`   If the browser doesn't open, visit: ${authUrl}\n`);
+      openBrowser(authUrl);
+    });
+
+    server.on('error', (err) => {
+      if (!resolved) {
+        resolved = true;
+        resolve({ success: false, error: `Server error: ${err.message}` });
+      }
+    });
+
+    // Timeout after specified duration
+    setTimeout(() => {
+      if (!resolved) {
+        resolved = true;
+        server.close();
+        resolve({ success: false, error: 'Panel login timed out. Please try again.' });
+      }
+    }, timeout);
+  });
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// LEGACY COMBINED LOGIN FLOW (for backward compatibility)
+// ═══════════════════════════════════════════════════════════════════════════
+
+/**
+ * @deprecated Use startCloudLoginFlow() or startPanelLoginFlow() instead
+ *
+ * Start local callback server and initiate browser login flow
+ * This is the old combined flow that opens husar.ai/app/cli-auth
+ * and expects both project selection AND admin token generation
+ */
+export async function startLoginFlow(options?: { port?: number; timeout?: number }): Promise<LoginResult> {
+  const port = options?.port ?? DEFAULT_CALLBACK_PORT;
+  const timeout = options?.timeout ?? 300000; // 5 minutes default
+
+  return new Promise((resolve) => {
+    let resolved = false;
+
+    const server = createServer((req: IncomingMessage, res: ServerResponse) => {
+      if (resolved) {
+        res.writeHead(200);
+        res.end('Already processed');
+        return;
+      }
+
+      const url = new URL(req.url ?? '/', `http://localhost:${port}`);
+
+      if (url.pathname === '/callback') {
+        // Parse callback parameters
+        const host = url.searchParams.get('host');
+        const adminToken = url.searchParams.get('admin_token');
+        const projectName = url.searchParams.get('project_name');
+        const userEmail = url.searchParams.get('user_email');
+        const error = url.searchParams.get('error');
+
+        if (error) {
+          resolved = true;
+          res.writeHead(200, { 'Content-Type': 'text/html' });
+          res.end(getErrorHtml(error));
+          server.close();
+          resolve({ success: false, error });
+          return;
+        }
+
+        if (!host || !adminToken || !projectName) {
+          resolved = true;
+          res.writeHead(400, { 'Content-Type': 'text/html' });
+          res.end(getErrorHtml('Missing required parameters'));
+          server.close();
+          resolve({ success: false, error: 'Missing required parameters' });
+          return;
+        }
+
+        // Success - save credentials and close server
+        resolved = true;
+
+        const project: ProjectAuth = {
+          projectName,
+          host,
+          adminToken,
+        };
+
+        // Send success response before processing
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(getPanelSuccessHtml(projectName, userEmail ?? 'user'));
+
+        // Save credentials
+        Promise.all([
+          userEmail ? saveCloudAuth({ email: userEmail, accessToken: adminToken }) : Promise.resolve(),
+          saveProjectAuth(project),
+        ])
+          .then(() => {
+            server.close();
+            resolve({
+              success: true,
+              email: userEmail ?? undefined,
+              project,
+            });
+          })
+          .catch((err) => {
+            server.close();
+            resolve({ success: false, error: err.message });
+          });
+      } else {
+        res.writeHead(404);
+        res.end('Not found');
+      }
+    });
+
+    server.listen(port, () => {
+      // Server is ready, open browser
+      const authUrl = `${CLOUD_AUTH_URL}/en/app/cli-auth?callback_port=${port}`;
+      console.log(`\n🔐 Opening browser for authentication...`);
+      console.log(`   If the browser doesn't open, visit: ${authUrl}\n`);
+      openBrowser(authUrl);
+    });
+
+    server.on('error', (err) => {
+      if (!resolved) {
+        resolved = true;
+        resolve({ success: false, error: `Server error: ${err.message}` });
+      }
+    });
+
+    // Timeout after specified duration
+    setTimeout(() => {
+      if (!resolved) {
+        resolved = true;
+        server.close();
+        resolve({ success: false, error: 'Login timed out. Please try again.' });
+      }
+    }, timeout);
+  });
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// HELPERS
+// ═══════════════════════════════════════════════════════════════════════════
+
+/**
+ * Open URL in default browser
+ */
+function openBrowser(url: string): void {
+  const { exec } = require('node:child_process');
+  const platform = process.platform;
+
+  let command: string;
+  if (platform === 'darwin') {
+    command = `open "${url}"`;
+  } else if (platform === 'win32') {
+    command = `start "" "${url}"`;
+  } else {
+    // Linux and others
+    command = `xdg-open "${url}"`;
+  }
+
+  exec(command, (err: Error | null) => {
+    if (err) {
+      console.error('Could not open browser automatically.');
+    }
+  });
+}
+
+/**
+ * Generate cloud auth success HTML page
+ */
+function getCloudSuccessHtml(email: string): string {
+  return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Husar CLI - Cloud Login Successful</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);
+      color: white;
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      margin: 0;
+    }
+    .container {
+      text-align: center;
+      padding: 40px;
+      background: rgba(255,255,255,0.05);
+      border-radius: 16px;
+      border: 1px solid rgba(255,255,255,0.1);
+    }
+    .success-icon {
+      font-size: 64px;
+      margin-bottom: 20px;
+    }
+    h1 { margin: 0 0 10px; }
+    p { color: #a0a0a0; margin: 5px 0; }
+    .email { color: #60a5fa; font-weight: 600; }
+    .close-note {
+      margin-top: 30px;
+      font-size: 14px;
+      color: #666;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="success-icon">✅</div>
+    <h1>Cloud Login Successful!</h1>
+    <p>Logged in as <span class="email">${escapeHtml(email)}</span></p>
+    <p class="close-note">You can close this window and return to the terminal.</p>
+  </div>
+</body>
+</html>
+  `.trim();
+}
+
+/**
+ * Generate panel auth success HTML page
+ */
+function getPanelSuccessHtml(projectName: string, email?: string): string {
+  const emailLine = email ? `<p>Logged in as <strong>${escapeHtml(email)}</strong></p>` : '';
+
+  return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Husar CLI - CMS Connected</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);
+      color: white;
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      margin: 0;
+    }
+    .container {
+      text-align: center;
+      padding: 40px;
+      background: rgba(255,255,255,0.05);
+      border-radius: 16px;
+      border: 1px solid rgba(255,255,255,0.1);
+    }
+    .success-icon {
+      font-size: 64px;
+      margin-bottom: 20px;
+    }
+    h1 { margin: 0 0 10px; }
+    p { color: #a0a0a0; margin: 5px 0; }
+    .project { color: #60a5fa; font-weight: 600; }
+    .close-note {
+      margin-top: 30px;
+      font-size: 14px;
+      color: #666;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="success-icon">✅</div>
+    <h1>CMS Connected!</h1>
+    ${emailLine}
+    <p>Connected to project <span class="project">${escapeHtml(projectName)}</span></p>
+    <p class="close-note">You can close this window and return to the terminal.</p>
+  </div>
+</body>
+</html>
+  `.trim();
+}
+
+/**
+ * Generate error HTML page
+ */
+function getErrorHtml(error: string): string {
+  return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Husar CLI - Error</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);
+      color: white;
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      margin: 0;
+    }
+    .container {
+      text-align: center;
+      padding: 40px;
+      background: rgba(255,255,255,0.05);
+      border-radius: 16px;
+      border: 1px solid rgba(239,68,68,0.3);
+    }
+    .error-icon {
+      font-size: 64px;
+      margin-bottom: 20px;
+    }
+    h1 { margin: 0 0 10px; color: #ef4444; }
+    p { color: #a0a0a0; margin: 5px 0; }
+    .error-msg { color: #fca5a5; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="error-icon">❌</div>
+    <h1>Authorization Failed</h1>
+    <p class="error-msg">${escapeHtml(error)}</p>
+    <p>Please try again or contact support.</p>
+  </div>
+</body>
+</html>
+  `.trim();
+}