@indigoai-us/hq-cloud 5.1.9 → 5.1.10

package/src/cognito-auth.test.ts

@@ -1,9 +1,9 @@
 /**
  * Unit tests for cognito-auth.ts — focus on the `expiresAt` shape contract.
  *
- * Canonical on-disk shape is ISO 8601 (what both writers emit). The reader
- * also tolerates a raw number (ms since epoch) for forward/backward compat
- * during rollouts, and fails safe on anything unparseable.
+ * Canonical on-disk shape is epoch milliseconds (number). The reader also
+ * tolerates ISO 8601 strings for backward compatibility with pre-migration
+ * token files, and fails safe on anything unparseable.
  */
 
 import * as fs from "fs";
@@ -100,11 +100,21 @@ describe("isExpiring — expiresAt shape tolerance", () => {
 });
 
 // ---------------------------------------------------------------------------
-// Round-trip: writers emit ISO, readers read ISO
+// Round-trip: writers emit epoch-ms, readers read epoch-ms
 // ---------------------------------------------------------------------------
 
 describe("expiresAt shape round-trip", () => {
-  it("saveCachedTokens + loadCachedTokens preserves ISO string shape", async () => {
+  it("saveCachedTokens + loadCachedTokens preserves epoch-ms number shape", async () => {
+    const { saveCachedTokens, loadCachedTokens } = await importModule();
+    const epochMs = Date.now() + 3600 * 1000;
+    saveCachedTokens({ ...baseTokens, expiresAt: epochMs });
+    const loaded = loadCachedTokens();
+    expect(loaded).not.toBeNull();
+    expect(typeof loaded?.expiresAt).toBe("number");
+    expect(loaded?.expiresAt).toBe(epochMs);
+  });
+
+  it("saveCachedTokens + loadCachedTokens tolerates legacy ISO string", async () => {
     const { saveCachedTokens, loadCachedTokens } = await importModule();
     const iso = new Date(Date.now() + 3600 * 1000).toISOString();
     saveCachedTokens({ ...baseTokens, expiresAt: iso });
@@ -112,12 +122,9 @@ describe("expiresAt shape round-trip", () => {
     expect(loaded).not.toBeNull();
     expect(typeof loaded?.expiresAt).toBe("string");
     expect(loaded?.expiresAt).toBe(iso);
-    expect(loaded?.expiresAt).toMatch(
-      /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$/,
-    );
   });
 
-  it("refreshTokens writes an ISO string to cache", async () => {
+  it("refreshTokens writes epoch milliseconds to cache", async () => {
     vi.stubGlobal(
       "fetch",
       vi.fn(async () =>
@@ -135,6 +142,7 @@ describe("expiresAt shape round-trip", () => {
     );
 
     const { refreshTokens, loadCachedTokens } = await importModule();
+    const before = Date.now();
     const result = await refreshTokens(
       {
         region: "us-east-1",
@@ -143,14 +151,14 @@ describe("expiresAt shape round-trip", () => {
       },
       "prior-refresh-token",
     );
+    const after = Date.now();
 
-    expect(typeof result.expiresAt).toBe("string");
-    expect(result.expiresAt).toMatch(
-      /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$/,
-    );
+    expect(typeof result.expiresAt).toBe("number");
+    expect(result.expiresAt).toBeGreaterThanOrEqual(before + 3600 * 1000);
+    expect(result.expiresAt).toBeLessThanOrEqual(after + 3600 * 1000);
 
     const onDisk = loadCachedTokens();
     expect(onDisk?.expiresAt).toBe(result.expiresAt);
-    expect(typeof onDisk?.expiresAt).toBe("string");
+    expect(typeof onDisk?.expiresAt).toBe("number");
   });
 });

package/src/cognito-auth.ts

@@ -38,14 +38,25 @@ export interface CognitoAuthConfig {
   port?: number;
   /** OAuth scopes. Defaults to ["openid", "email", "profile"]. */
   scopes?: string[];
+  /**
+   * Force a federated IdP (e.g. "Google"). When set, the Hosted UI IdP picker
+   * is bypassed and Cognito redirects straight to the provider. When omitted,
+   * Cognito shows its default picker.
+   */
+  identityProvider?: string;
+  /**
+   * OAuth `prompt` param (e.g. "select_account"). Only meaningful when the IdP
+   * honors it — Google uses it to force account re-selection.
+   */
+  prompt?: string;
 }
 
 export interface CognitoTokens {
   accessToken: string;
   idToken: string;
   refreshToken: string;
-  /** ISO 8601 timestamp when the access token expires. */
-  expiresAt: string;
+  /** Epoch milliseconds when the access token expires. Writers MUST emit a number. Readers accept ISO 8601 strings for backward compatibility with pre-migration token files. */
+  expiresAt: string | number;
   tokenType: "Bearer";
 }
 
@@ -78,7 +89,9 @@ export function saveCachedTokens(tokens: CognitoTokens): void {
   if (!fs.existsSync(HQ_DIR)) {
     fs.mkdirSync(HQ_DIR, { recursive: true, mode: 0o700 });
   }
-  fs.writeFileSync(TOKEN_FILE, JSON.stringify(tokens, null, 2), { mode: 0o600 });
+  const tmpPath = path.join(HQ_DIR, `.cognito-tokens.json.tmp.${process.pid}`);
+  fs.writeFileSync(tmpPath, JSON.stringify(tokens, null, 2), { mode: 0o600 });
+  fs.renameSync(tmpPath, TOKEN_FILE);
 }
 
 export function clearCachedTokens(): void {
@@ -86,11 +99,10 @@ export function clearCachedTokens(): void {
 }
 
 /**
- * Parse `expiresAt` to epoch-ms. Canonical on-disk shape is ISO 8601 (what
- * both writers in this file emit), but older/external writers may have left a
- * raw number. Accept both so a shape mismatch during rollout doesn't wedge
- * sign-in. Returns null for anything unparseable — callers should treat that
- * as "expired" and force a refresh.
+ * Parse `expiresAt` to epoch-ms. Canonical on-disk shape is epoch milliseconds
+ * (number). Older token files may contain ISO 8601 strings. Accept both for
+ * migration safety. Returns null for anything unparseable — callers should
+ * treat that as "expired" and force a refresh.
  */
 function parseExpiresAtMs(raw: unknown): number | null {
   if (typeof raw === "number") return Number.isFinite(raw) ? raw : null;
@@ -158,7 +170,9 @@ export async function browserLogin(
   const { verifier, challenge } = generatePkce();
   const state = base64UrlEncode(crypto.randomBytes(16));
 
-  const authUrl = new URL(`${authBaseUrl(config)}/login`);
+  // Use `/oauth2/authorize` (not `/login`) so `identity_provider` + `prompt`
+  // are honored. `/login` ignores those params and always shows the IdP picker.
+  const authUrl = new URL(`${authBaseUrl(config)}/oauth2/authorize`);
   authUrl.searchParams.set("client_id", config.clientId);
   authUrl.searchParams.set("response_type", "code");
   authUrl.searchParams.set("scope", scopes);
@@ -166,6 +180,12 @@ export async function browserLogin(
   authUrl.searchParams.set("code_challenge", challenge);
   authUrl.searchParams.set("code_challenge_method", "S256");
   authUrl.searchParams.set("state", state);
+  if (config.identityProvider) {
+    authUrl.searchParams.set("identity_provider", config.identityProvider);
+  }
+  if (config.prompt) {
+    authUrl.searchParams.set("prompt", config.prompt);
+  }
 
   const code = await waitForAuthCode(port, state);
   const tokens = await exchangeCodeForTokens(config, code, verifier, port);
@@ -300,7 +320,7 @@ async function exchangeCodeForTokens(
     accessToken: data.access_token,
     idToken: data.id_token,
     refreshToken: data.refresh_token,
-    expiresAt: new Date(Date.now() + data.expires_in * 1000).toISOString(),
+    expiresAt: Date.now() + data.expires_in * 1000,
     tokenType: "Bearer",
   };
 }
@@ -336,7 +356,7 @@ export async function refreshTokens(
     accessToken: data.access_token,
     idToken: data.id_token,
     refreshToken: data.refresh_token ?? currentRefreshToken,
-    expiresAt: new Date(Date.now() + data.expires_in * 1000).toISOString(),
+    expiresAt: Date.now() + data.expires_in * 1000,
     tokenType: "Bearer",
   };
   saveCachedTokens(tokens);

package/test/invite-flow.integration.test.ts

@@ -57,7 +57,7 @@ describe("parseToken", () => {
   });
 
   it("extracts token from https:// URL", () => {
-    expect(parseToken("https://hq.indigoai.com/accept/tok_xyz")).toBe("tok_xyz");
+    expect(parseToken("https://example.com/accept/tok_xyz")).toBe("tok_xyz");
   });
 
   it("returns raw token unchanged", () => {