@hyperdrive.bot/cli 1.0.12 → 1.0.16

package/dist/utils/auth-flow.js

@@ -1,479 +0,0 @@
-import { CognitoIdentityClient, GetCredentialsForIdentityCommand, GetIdCommand } from '@aws-sdk/client-cognito-identity';
-import { CognitoIdentityProviderClient, InitiateAuthCommand, } from '@aws-sdk/client-cognito-identity-provider';
-import axios from 'axios';
-import crypto from 'crypto';
-import { existsSync, mkdirSync, writeFileSync } from 'fs';
-import { createServer } from 'http';
-import open from 'open';
-import { homedir } from 'os';
-import { join } from 'path';
-import { parse } from 'url';
-import { TenantService } from '../services/tenant-service.js';
-/**
- * Generate PKCE code verifier (random base64url string)
- */
-export function generateCodeVerifier() {
-    return crypto.randomBytes(32).toString('base64url');
-}
-/**
- * Generate PKCE code challenge (SHA256 hash of verifier)
- */
-export function generateCodeChallenge(verifier) {
-    return crypto.createHash('sha256').update(verifier).digest('base64url');
-}
-/**
- * Build Cognito authorization URL with PKCE parameters
- */
-export function buildAuthUrl(tenantConfig, codeChallenge, port) {
-    // CLI only needs these scopes to authenticate and get AWS credentials via Identity Pool
-    // - openid: Required for OIDC authentication
-    // - email: User's email address (used by Identity Pool)
-    // - profile: User's profile information
-    const requiredScopes = 'openid email profile';
-    const params = new URLSearchParams({
-        client_id: tenantConfig.cognitoClientId,
-        code_challenge: codeChallenge,
-        code_challenge_method: 'S256',
-        redirect_uri: `http://localhost:${port}/callback`,
-        response_type: 'code',
-        scope: requiredScopes,
-    });
-    return `https://${tenantConfig.cognitoDomain}/oauth2/authorize?${params}`;
-}
-/**
- * Start local HTTP server to receive OAuth callback
- * Returns a promise that resolves with the authorization code
- */
-export function startCallbackServer(port, timeout) {
-    return new Promise((resolve, reject) => {
-        let timeoutId = null;
-        const server = createServer((req, res) => {
-            const { pathname, query } = parse(req.url || '', true);
-            if (pathname === '/callback') {
-                if (timeoutId) {
-                    clearTimeout(timeoutId);
-                }
-                if (query.code) {
-                    // Success response
-                    res.writeHead(200, { 'Content-Type': 'text/html' });
-                    res.end(`
-            <!DOCTYPE html>
-            <html>
-              <head>
-                <title>Hyperdrive - Authentication Successful</title>
-                <style>
-                  body {
-                    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
-                    display: flex;
-                    align-items: center;
-                    justify-content: center;
-                    height: 100vh;
-                    margin: 0;
-                    background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
-                  }
-                  .container {
-                    text-align: center;
-                    background: white;
-                    padding: 3rem;
-                    border-radius: 1rem;
-                    box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.1);
-                    max-width: 400px;
-                  }
-                  .checkmark {
-                    width: 80px;
-                    height: 80px;
-                    border-radius: 50%;
-                    display: block;
-                    stroke-width: 4;
-                    stroke: #10B981;
-                    stroke-miterlimit: 10;
-                    margin: 0 auto 1.5rem;
-                    animation: fill 0.4s ease-in-out 0.4s forwards, scale 0.3s ease-in-out 0.9s both;
-                  }
-                  .checkmark-circle {
-                    stroke-dasharray: 166;
-                    stroke-dashoffset: 166;
-                    stroke-width: 4;
-                    stroke-miterlimit: 10;
-                    stroke: #10B981;
-                    fill: none;
-                    animation: stroke 0.6s cubic-bezier(0.65, 0, 0.45, 1) forwards;
-                  }
-                  .checkmark-check {
-                    transform-origin: 50% 50%;
-                    stroke-dasharray: 48;
-                    stroke-dashoffset: 48;
-                    animation: stroke 0.3s cubic-bezier(0.65, 0, 0.45, 1) 0.8s forwards;
-                  }
-                  @keyframes stroke {
-                    100% { stroke-dashoffset: 0; }
-                  }
-                  @keyframes scale {
-                    0%, 100% { transform: none; }
-                    50% { transform: scale3d(1.1, 1.1, 1); }
-                  }
-                  h1 { color: #1F2937; margin: 0 0 0.5rem; }
-                  p { color: #6B7280; margin: 0 0 1.5rem; }
-                  .close-btn {
-                    background: #667eea;
-                    color: white;
-                    border: none;
-                    padding: 0.75rem 2rem;
-                    border-radius: 0.5rem;
-                    font-size: 1rem;
-                    cursor: pointer;
-                    transition: background 0.2s;
-                  }
-                  .close-btn:hover { background: #5a67d8; }
-                </style>
-              </head>
-              <body>
-                <div class="container">
-                  <svg class="checkmark" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 52 52">
-                    <circle class="checkmark-circle" cx="26" cy="26" r="25" fill="none"/>
-                    <path class="checkmark-check" fill="none" d="M14.1 27.2l7.1 7.2 16.7-16.8"/>
-                  </svg>
-                  <h1>Authentication Successful!</h1>
-                  <p>You can close this window and return to the CLI.</p>
-                  <button class="close-btn" onclick="window.close()">Close Window</button>
-                </div>
-                <script>setTimeout(() => window.close(), 3000);</script>
-              </body>
-            </html>
-          `);
-                    server.close();
-                    resolve(query.code);
-                }
-                else if (query.error) {
-                    // Error response
-                    res.writeHead(400, { 'Content-Type': 'text/html' });
-                    res.end(`
-            <h1>Authentication Failed</h1>
-            <p>Error: ${query.error}</p>
-            <p>Description: ${query.error_description || 'Unknown error'}</p>
-          `);
-                    server.close();
-                    reject(new Error(`Authentication failed: ${query.error}`));
-                }
-            }
-            else {
-                res.writeHead(404);
-                res.end('Not Found');
-            }
-        });
-        server.listen(port, 'localhost');
-        server.on('error', (err) => {
-            if (timeoutId) {
-                clearTimeout(timeoutId);
-            }
-            reject(new Error(`Failed to start callback server: ${err.message}`));
-        });
-        // Set timeout for authentication
-        timeoutId = setTimeout(() => {
-            server.close();
-            reject(new Error('Authentication timed out. Please try again.'));
-        }, timeout);
-    });
-}
-/**
- * Exchange authorization code for Cognito tokens
- */
-export async function exchangeCodeForTokens(tenantConfig, code, codeVerifier, port) {
-    try {
-        const response = await axios.post(`https://${tenantConfig.cognitoDomain}/oauth2/token`, new URLSearchParams({
-            client_id: tenantConfig.cognitoClientId,
-            code,
-            code_verifier: codeVerifier,
-            grant_type: 'authorization_code',
-            redirect_uri: `http://localhost:${port}/callback`,
-        }), {
-            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-        });
-        return response.data;
-    }
-    catch (error) {
-        if (axios.isAxiosError(error)) {
-            throw new Error(`Token exchange failed: ${error.response?.data?.error_description || error.message}`);
-        }
-        throw error;
-    }
-}
-/**
- * Get AWS credentials from Cognito Identity Pool
- */
-export async function getAWSCredentials(tenantConfig, idToken) {
-    const client = new CognitoIdentityClient({ region: tenantConfig.region });
-    try {
-        // Step 1: Get Identity ID
-        const getIdResponse = await client.send(new GetIdCommand({
-            IdentityPoolId: tenantConfig.cognitoIdentityPoolId,
-            Logins: {
-                [`cognito-idp.${tenantConfig.region}.amazonaws.com/${tenantConfig.cognitoUserPoolId}`]: idToken,
-            },
-        }));
-        if (!getIdResponse.IdentityId) {
-            throw new Error('Failed to get Identity ID from Cognito');
-        }
-        // Step 2: Get temporary AWS credentials
-        const getCredentialsResponse = await client.send(new GetCredentialsForIdentityCommand({
-            IdentityId: getIdResponse.IdentityId,
-            Logins: {
-                [`cognito-idp.${tenantConfig.region}.amazonaws.com/${tenantConfig.cognitoUserPoolId}`]: idToken,
-            },
-        }));
-        if (!getCredentialsResponse.Credentials) {
-            throw new Error('Failed to get AWS credentials from Cognito');
-        }
-        const { AccessKeyId, Expiration, SecretKey, SessionToken } = getCredentialsResponse.Credentials;
-        if (!AccessKeyId || !SecretKey || !SessionToken || !Expiration) {
-            throw new Error('Incomplete AWS credentials received from Cognito');
-        }
-        return {
-            accessKeyId: AccessKeyId,
-            expiration: Expiration,
-            secretAccessKey: SecretKey,
-            sessionToken: SessionToken,
-        };
-    }
-    catch (error) {
-        if (error instanceof Error) {
-            throw new Error(`Failed to obtain AWS credentials: ${error.message}`);
-        }
-        throw error;
-    }
-}
-/**
- * Save credentials to domain-specific path (always required)
- */
-export function saveCredentials(credentials, domain) {
-    // Prevent saving test/mock credentials to production path
-    const testPatterns = ['test-client-id', 'us-east-1_TEST', 'test-identity', 'test.auth.amazoncognito'];
-    const credString = JSON.stringify(credentials);
-    for (const pattern of testPatterns) {
-        if (credString.includes(pattern)) {
-            throw new Error(`Refusing to save credentials containing test value: "${pattern}". This looks like test data.`);
-        }
-    }
-    if (!domain) {
-        throw new Error('Domain is required to save credentials');
-    }
-    const credDir = join(homedir(), '.hyperdrive');
-    const credPath = join(credDir, `credentials.${domain}`);
-    // Create directory if it doesn't exist
-    if (!existsSync(credDir)) {
-        mkdirSync(credDir, { recursive: true });
-    }
-    // Write credentials with secure file permissions
-    writeFileSync(credPath, JSON.stringify(credentials, null, 2), { mode: 0o600 });
-}
-/**
- * Get the path to the credentials file for a domain
- */
-export function getCredentialsPath(domain) {
-    if (!domain) {
-        throw new Error('Domain is required to get credentials path');
-    }
-    return join(homedir(), '.hyperdrive', `credentials.${domain}`);
-}
-/**
- * Execute the complete OAuth PKCE authentication flow
- *
- * This function orchestrates the entire authentication flow:
- * 1. Bootstrap tenant to get Cognito config
- * 2. Generate PKCE codes
- * 3. Start callback server
- * 4. Open browser for authentication
- * 5. Wait for callback with timeout
- * 6. Exchange code for tokens
- * 7. Get AWS credentials from Identity Pool
- * 8. Save credentials to file
- *
- * @param options - Configuration options for the auth flow
- * @returns AuthResult indicating success or failure
- */
-export async function executeAuthFlow(options) {
-    const { callbackPort = 8765, logger, tenantDomain, timeout = 300000 } = options;
-    const tenantService = new TenantService(tenantDomain);
-    try {
-        // Step 1: Bootstrap tenant to get Cognito config
-        const tenantConfig = await tenantService.fetchTenantConfig(tenantDomain);
-        // Step 2: Generate PKCE parameters
-        const codeVerifier = generateCodeVerifier();
-        const codeChallenge = generateCodeChallenge(codeVerifier);
-        // Step 3: Start local callback server and get promise for auth code
-        const authCodePromise = startCallbackServer(callbackPort, timeout);
-        // Step 4: Open browser for authentication
-        const authUrl = buildAuthUrl(tenantConfig, codeChallenge, callbackPort);
-        // Display URL to user in case browser opens in wrong profile
-        if (logger) {
-            logger(`Opening browser for authentication...`);
-            logger(`If browser doesn't open or opens in wrong profile, copy this URL:`);
-            logger(`  ${authUrl}`);
-            logger('');
-        }
-        await open(authUrl);
-        // Step 5: Wait for callback with auth code
-        const code = await authCodePromise;
-        // Step 6: Exchange code for tokens
-        const tokens = await exchangeCodeForTokens(tenantConfig, code, codeVerifier, callbackPort);
-        // Step 7: Get AWS credentials from Cognito Identity Pool
-        const awsCredentials = await getAWSCredentials(tenantConfig, tokens.id_token);
-        // Step 8: Save credentials
-        saveCredentials({
-            ...tokens,
-            additionalApiUrls: tenantConfig.additionalApiUrls,
-            apiUrl: tenantConfig.apiUrl,
-            awsCredentials,
-            cognitoConfig: {
-                clientId: tenantConfig.cognitoClientId,
-                domain: tenantConfig.cognitoDomain,
-                identityPoolId: tenantConfig.cognitoIdentityPoolId,
-                userPoolId: tenantConfig.cognitoUserPoolId,
-            },
-            obtainedAt: new Date().toISOString(),
-            region: tenantConfig.region,
-            tenantDomain: tenantConfig.tenantDomain,
-            tenantId: tenantConfig.tenantId,
-        }, tenantConfig.tenantDomain);
-        return { success: true };
-    }
-    catch (error) {
-        const errorMessage = error instanceof Error ? error.message : String(error);
-        return { error: errorMessage, success: false };
-    }
-}
-/**
- * Execute CI authentication flow using USER_PASSWORD_AUTH
- *
- * This is for non-interactive CI/CD environments where browser-based
- * OAuth is not possible. Uses Cognito's USER_PASSWORD_AUTH flow.
- *
- * @param options - CI authentication options
- * @returns AuthResult indicating success or failure
- */
-export async function executeCIAuthFlow(options) {
-    const { logger, password, tenantDomain, username } = options;
-    const tenantService = new TenantService(tenantDomain);
-    try {
-        // Step 1: Bootstrap tenant to get Cognito config
-        if (logger)
-            logger('Fetching tenant configuration...');
-        const tenantConfig = await tenantService.fetchTenantConfig(tenantDomain);
-        // Step 2: Authenticate with Cognito using USER_PASSWORD_AUTH
-        if (logger)
-            logger('Authenticating with Cognito...');
-        const cognitoClient = new CognitoIdentityProviderClient({ region: tenantConfig.region });
-        let authResult;
-        try {
-            const initiateAuthResponse = await cognitoClient.send(new InitiateAuthCommand({
-                AuthFlow: 'USER_PASSWORD_AUTH',
-                AuthParameters: {
-                    PASSWORD: password,
-                    USERNAME: username,
-                },
-                ClientId: tenantConfig.cognitoClientId,
-            }));
-            // Handle NEW_PASSWORD_REQUIRED challenge (first login with temp password)
-            if (initiateAuthResponse.ChallengeName === 'NEW_PASSWORD_REQUIRED') {
-                throw new Error('This CI account requires a password change on first login.\n' +
-                    'Please log in interactively once with: hd auth login --domain ' + tenantDomain + '\n' +
-                    'Or create a new CI account with: hd ci account create');
-            }
-            authResult = initiateAuthResponse.AuthenticationResult;
-        }
-        catch (error) {
-            const err = error;
-            if (err.name === 'NotAuthorizedException') {
-                throw new Error('Invalid token. Check your HD_TOKEN environment variable.');
-            }
-            if (err.name === 'UserNotFoundException') {
-                throw new Error('CI token not found or revoked. Create a new one with: hd ci account create');
-            }
-            throw error;
-        }
-        if (!authResult || !authResult.IdToken) {
-            throw new Error('Authentication failed: No tokens received from Cognito');
-        }
-        if (logger)
-            logger('Authentication successful!');
-        // Step 3: Get AWS credentials from Cognito Identity Pool
-        if (logger)
-            logger('Obtaining AWS credentials...');
-        const awsCredentials = await getAWSCredentials(tenantConfig, authResult.IdToken);
-        // Step 4: Save credentials
-        if (logger)
-            logger('Saving credentials...');
-        saveCredentials({
-            access_token: authResult.AccessToken || '',
-            additionalApiUrls: tenantConfig.additionalApiUrls,
-            apiUrl: tenantConfig.apiUrl,
-            awsCredentials,
-            cognitoConfig: {
-                clientId: tenantConfig.cognitoClientId,
-                domain: tenantConfig.cognitoDomain,
-                identityPoolId: tenantConfig.cognitoIdentityPoolId,
-                userPoolId: tenantConfig.cognitoUserPoolId,
-            },
-            expires_in: authResult.ExpiresIn || 3600,
-            id_token: authResult.IdToken,
-            obtainedAt: new Date().toISOString(),
-            refresh_token: authResult.RefreshToken || '',
-            region: tenantConfig.region,
-            tenantDomain: tenantConfig.tenantDomain,
-            tenantId: tenantConfig.tenantId,
-            token_type: authResult.TokenType || 'Bearer',
-        }, tenantConfig.tenantDomain);
-        return { success: true };
-    }
-    catch (error) {
-        const errorMessage = error instanceof Error ? error.message : String(error);
-        return { error: errorMessage, success: false };
-    }
-}
-/**
- * Check if running in a CI environment
- */
-export function isCI() {
-    return !!(process.env.CI ||
-        process.env.GITHUB_ACTIONS ||
-        process.env.GITLAB_CI ||
-        process.env.JENKINS_URL ||
-        process.env.CIRCLECI ||
-        process.env.BUILDKITE ||
-        process.env.TRAVIS ||
-        process.env.CODEBUILD_BUILD_ID);
-}
-/**
- * Decode a CI token into username and password
- * Token format: hd_sk_{base64url(username:password)}
- */
-export function decodeToken(token) {
-    if (!token.startsWith('hd_sk_')) {
-        return null;
-    }
-    try {
-        const encoded = token.slice(6); // Remove 'hd_sk_' prefix
-        const decoded = Buffer.from(encoded, 'base64url').toString('utf-8');
-        const colonIndex = decoded.indexOf(':');
-        if (colonIndex === -1) {
-            return null;
-        }
-        return {
-            password: decoded.slice(colonIndex + 1),
-            username: decoded.slice(0, colonIndex),
-        };
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Get CI credentials from HD_TOKEN environment variable
- */
-export function getCICredentials() {
-    const token = process.env.HD_TOKEN;
-    if (!token) {
-        return null;
-    }
-    return decodeToken(token);
-}