@kweaver-ai/kweaver-sdk 0.6.5 → 0.6.7

package/dist/auth/oauth.js

@@ -3,6 +3,21 @@ import { createPublicKey } from "node:crypto";
 import { isNoAuth } from "../config/no-auth.js";
 import { deleteClientConfig, getCurrentPlatform, loadClientConfig, loadTokenConfig, loadUserTokenConfig, resolveUserId, saveClientConfig, saveNoAuthPlatform, saveTokenConfig, setCurrentPlatform, } from "../config/store.js";
 import { HttpError, NetworkRequestError, fetchWithRetry } from "../utils/http.js";
+/** Thrown when `POST /oauth2/signin` returns HTTP 401 with EACP code `401001017` (initial password must be changed). */
+export class InitialPasswordChangeRequiredError extends Error {
+    code = 401001017;
+    account;
+    baseUrl;
+    httpStatus = 401;
+    serverMessage;
+    constructor(opts) {
+        super(opts.serverMessage);
+        this.name = "InitialPasswordChangeRequiredError";
+        this.account = opts.account;
+        this.baseUrl = opts.baseUrl;
+        this.serverMessage = opts.serverMessage;
+    }
+}
 const TOKEN_TTL_SECONDS = 3600;
 /** Seconds before access token expiry to trigger refresh (matches Python ConfigAuth). */
 const REFRESH_THRESHOLD_SEC = 60;
@@ -463,23 +478,36 @@ function stderrEmphasis(text) {
 /**
  * Headless login: read authorization code from stdin (full callback URL or raw code).
  * Used with `--no-browser` or when automatic browser launch fails.
+ *
+ * `io` is injectable for tests; defaults to `process.stdin` / `process.stderr`.
  */
-async function promptForCode(authUrl, state, port, pasteMode = "explicit") {
+export async function promptForCode(authUrl, state, port, pasteMode = "explicit", io) {
     const { createInterface } = await import("node:readline");
+    const stdin = io?.input ?? process.stdin;
+    const stderr = io?.output ?? process.stderr;
     const intro = pasteMode === "explicit"
         ? "Open this URL on any device (use a private/incognito window if you need the full sign-in form):\n\n"
         : "Could not open a browser automatically. Open this URL on any device:\n\n";
     const pasteInstructions = "After login, the browser may show an error page (this is expected if nothing listens on localhost).\n" +
         "Copy the FULL URL from the address bar and paste it here, or paste only the authorization code.\n" +
         `The URL looks like: http://127.0.0.1:${port}/callback?code=THIS_PART&state=...\n\n`;
-    process.stderr.write("\n" +
+    stderr.write("\n" +
         intro +
         `  ${authUrl}\n\n` +
         stderrEmphasis(pasteInstructions));
-    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    const rl = createInterface({ input: stdin, output: stderr });
+    // The `close` listener exists to surface Ctrl-D / EOF before the user answers.
+    // It MUST be a no-op once the question callback has fired, because `rl.close()`
+    // emits `close` synchronously and would otherwise reject the promise before
+    // `resolve(answer)` runs (race condition that turns valid input into "Login cancelled.").
     const input = await new Promise((resolve, reject) => {
-        rl.on("close", () => reject(new Error("Login cancelled.")));
+        let answered = false;
+        rl.on("close", () => {
+            if (!answered)
+                reject(new Error("Login cancelled."));
+        });
         rl.question("Paste URL or code> ", (answer) => {
+            answered = true;
             rl.close();
             resolve(answer.trim());
         });
@@ -512,6 +540,128 @@ async function promptForCode(authUrl, state, port, pasteMode = "explicit") {
     }
     return input;
 }
+/**
+ * Prompt the user for a username on stderr (input echoed).
+ *
+ * `io` is injectable for tests; defaults to `process.stdin` / `process.stderr`.
+ */
+export async function promptForUsername(promptLabel = "Username", io) {
+    const { createInterface } = await import("node:readline");
+    const stdin = io?.input ?? process.stdin;
+    const stderr = io?.output ?? process.stderr;
+    const rl = createInterface({ input: stdin, output: stderr });
+    const value = await new Promise((resolve, reject) => {
+        let answered = false;
+        rl.on("close", () => {
+            if (!answered)
+                reject(new Error("Login cancelled."));
+        });
+        rl.question(`${promptLabel}: `, (answer) => {
+            answered = true;
+            rl.close();
+            resolve(answer.trim());
+        });
+    });
+    if (!value) {
+        throw new Error(`${promptLabel} is required.`);
+    }
+    return value;
+}
+/**
+ * Prompt the user for a password on stderr without echoing keystrokes (TTY only).
+ *
+ * Falls back to a regular readline prompt when stdin is not a TTY (e.g. piped input
+ * during scripted use); callers needing strict no-echo should detect this case themselves.
+ *
+ * `io` is injectable for tests.
+ */
+export async function promptForPassword(promptLabel = "Password", io) {
+    const stdin = io?.input ?? process.stdin;
+    const stderr = io?.output ?? process.stderr;
+    // Non-TTY (piped, redirected, tests): use regular readline — no masking is possible
+    // without raw mode, so we accept echoed input rather than block forever.
+    if (!stdin.isTTY || typeof stdin.setRawMode !== "function") {
+        const { createInterface } = await import("node:readline");
+        const rl = createInterface({ input: stdin, output: stderr });
+        const value = await new Promise((resolve, reject) => {
+            let answered = false;
+            rl.on("close", () => {
+                if (!answered)
+                    reject(new Error("Login cancelled."));
+            });
+            rl.question(`${promptLabel}: `, (answer) => {
+                answered = true;
+                rl.close();
+                resolve(answer);
+            });
+        });
+        if (!value)
+            throw new Error(`${promptLabel} is required.`);
+        return value;
+    }
+    // TTY: read byte-by-byte in raw mode so keystrokes are not echoed.
+    return new Promise((resolve, reject) => {
+        stderr.write(`${promptLabel}: `);
+        let buf = "";
+        const onData = (chunk) => {
+            const s = chunk.toString("utf8");
+            for (const ch of s) {
+                const code = ch.charCodeAt(0);
+                if (ch === "\n" || ch === "\r") {
+                    cleanup();
+                    stderr.write("\n");
+                    if (!buf) {
+                        reject(new Error(`${promptLabel} is required.`));
+                    }
+                    else {
+                        resolve(buf);
+                    }
+                    return;
+                }
+                if (code === 3) {
+                    // Ctrl-C
+                    cleanup();
+                    stderr.write("\n");
+                    reject(new Error("Login cancelled."));
+                    return;
+                }
+                if (code === 4 && buf.length === 0) {
+                    // Ctrl-D on empty buffer -> cancel
+                    cleanup();
+                    stderr.write("\n");
+                    reject(new Error("Login cancelled."));
+                    return;
+                }
+                if (code === 8 || code === 127) {
+                    // Backspace / DEL
+                    buf = buf.slice(0, -1);
+                    continue;
+                }
+                if (code < 32)
+                    continue; // ignore other control chars
+                buf += ch;
+            }
+        };
+        const cleanup = () => {
+            try {
+                stdin.setRawMode(false);
+            }
+            catch { /* noop */ }
+            stdin.removeListener("data", onData);
+            if (typeof stdin.pause === "function") {
+                stdin.pause();
+            }
+        };
+        try {
+            stdin.setRawMode(true);
+        }
+        catch { /* noop */ }
+        if (typeof stdin.resume === "function") {
+            stdin.resume();
+        }
+        stdin.on("data", onData);
+    });
+}
 /**
  * OAuth2 Authorization Code login flow.
  * 1. Register client (if not already registered), OR use a provided client ID
@@ -755,174 +905,6 @@ async function exchangeCodeForToken(baseUrl, code, clientId, clientSecret, redir
     saveTokenConfig(token);
     return token;
 }
-/**
- * Playwright-automated OAuth2 login.
- *
- * Uses the full OAuth2 authorization code flow (same as `oauth2Login`) but
- * automates the browser interaction with Playwright.  This produces a
- * refresh_token so the CLI can auto-refresh without re-login.
- *
- * When `username` and `password` are provided the browser runs headless and
- * fills the login form automatically.  Otherwise it opens a visible browser
- * window for manual login (same UX as the old cookie-based flow).
- */
-export async function playwrightLogin(baseUrl, options) {
-    return runWithTlsInsecure(options?.tlsInsecure, async () => {
-        const { createServer } = await import("node:http");
-        const { randomBytes } = await import("node:crypto");
-        let chromium;
-        try {
-            const modName = "playwright";
-            const pw = await import(/* webpackIgnore: true */ modName);
-            chromium = pw.chromium;
-        }
-        catch {
-            throw new Error("Playwright is not installed. Run:\n  npm install playwright && npx playwright install chromium");
-        }
-        const base = normalizeBaseUrl(baseUrl);
-        const port = options?.port ?? DEFAULT_REDIRECT_PORT;
-        const scope = options?.scope ?? DEFAULT_SCOPE;
-        const redirectUri = `http://127.0.0.1:${port}/callback`;
-        const hasCredentials = !!(options?.username && options?.password);
-        // Step 1: Ensure registered OAuth2 client (with stale-client auto-recovery)
-        let client;
-        try {
-            client = await resolveOrRegisterClient(base, redirectUri, scope);
-        }
-        catch (e) {
-            if (e instanceof HttpError && e.status === 404) {
-                process.stderr.write("OAuth2 endpoint not found (404). Saving platform in no-auth mode.\n");
-                return saveNoAuthPlatform(base, { tlsInsecure: options?.tlsInsecure });
-            }
-            throw e;
-        }
-        // Step 2: Generate CSRF state
-        const state = randomBytes(12).toString("hex");
-        // Step 3: Build authorization URL
-        const authParams = new URLSearchParams({
-            redirect_uri: redirectUri,
-            "x-forwarded-prefix": "",
-            client_id: client.clientId,
-            scope,
-            response_type: "code",
-            state,
-            lang: "zh-cn",
-            product: "adp",
-        });
-        const authUrl = `${base}/oauth2/auth?${authParams.toString()}`;
-        // Step 4: Start local callback server; exchange code inside handler, then show credentials HTML
-        let browser;
-        const token = await new Promise((resolve, reject) => {
-            const TIMEOUT_MS = hasCredentials ? 30_000 : 120_000;
-            let server;
-            const timeoutId = setTimeout(() => {
-                server?.close();
-                browser?.close();
-                reject(new Error(`OAuth2 login timed out (${TIMEOUT_MS / 1000}s). No authorization code received.`));
-            }, TIMEOUT_MS);
-            server = createServer((req, res) => {
-                void (async () => {
-                    try {
-                        const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
-                        if (url.pathname !== "/callback") {
-                            res.writeHead(404);
-                            res.end();
-                            return;
-                        }
-                        const receivedState = url.searchParams.get("state");
-                        const receivedCode = url.searchParams.get("code");
-                        const callbackError = url.searchParams.get("error");
-                        const callbackErrorDesc = url.searchParams.get("error_description");
-                        if (receivedState !== state) {
-                            res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
-                            res.end(buildCallbackExchangeErrorHtml("OAuth2 state mismatch — possible CSRF attack."));
-                            clearTimeout(timeoutId);
-                            server.close();
-                            browser?.close();
-                            reject(new Error("OAuth2 state mismatch — possible CSRF attack."));
-                            return;
-                        }
-                        if (callbackError) {
-                            const msg = callbackErrorDesc
-                                ? `Authorization failed: ${callbackError} — ${callbackErrorDesc}`
-                                : `Authorization failed: ${callbackError}`;
-                            res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
-                            res.end(buildCallbackExchangeErrorHtml(msg));
-                            clearTimeout(timeoutId);
-                            server.close();
-                            browser?.close();
-                            reject(new Error(msg));
-                            return;
-                        }
-                        if (!receivedCode) {
-                            res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
-                            res.end(buildCallbackExchangeErrorHtml("No authorization code received in callback."));
-                            clearTimeout(timeoutId);
-                            server.close();
-                            browser?.close();
-                            reject(new Error("No authorization code received in callback."));
-                            return;
-                        }
-                        const exchanged = await exchangeCodeForToken(base, receivedCode, client.clientId, client.clientSecret, redirectUri, undefined, options?.tlsInsecure);
-                        const copyCommand = buildCopyCommand(base, client.clientId, client.clientSecret, exchanged.refreshToken, options?.tlsInsecure);
-                        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-                        res.end(buildCallbackHtml(copyCommand));
-                        clearTimeout(timeoutId);
-                        server.close();
-                        browser?.close();
-                        resolve(exchanged);
-                    }
-                    catch (err) {
-                        const message = err instanceof Error ? err.message : String(err);
-                        try {
-                            res.writeHead(500, { "Content-Type": "text/html; charset=utf-8" });
-                            res.end(buildCallbackExchangeErrorHtml(message));
-                        }
-                        catch {
-                            /* response may already be sent */
-                        }
-                        clearTimeout(timeoutId);
-                        server.close();
-                        browser?.close();
-                        reject(err instanceof Error ? err : new Error(message));
-                    }
-                })();
-            });
-            server.listen(port, "127.0.0.1", async () => {
-                try {
-                    browser = await chromium.launch({ headless: hasCredentials });
-                    const context = await browser.newContext({ ignoreHTTPSErrors: !!options?.tlsInsecure });
-                    const page = await context.newPage();
-                    // Navigate to OAuth2 auth URL — redirects to signin page
-                    await page.goto(authUrl, { waitUntil: "networkidle", timeout: 30_000 });
-                    if (hasCredentials) {
-                        // Auto-fill credentials
-                        await page.waitForSelector('input[name="account"]', { timeout: 10_000 });
-                        await page.fill('input[name="account"]', options.username);
-                        await page.fill('input[name="password"]', options.password);
-                        await page.click("button.ant-btn-primary");
-                    }
-                    // else: visible browser — user logs in manually
-                    // The OAuth2 callback will fire when login completes, resolving the promise above
-                }
-                catch (err) {
-                    clearTimeout(timeoutId);
-                    server.close();
-                    browser?.close();
-                    reject(err);
-                }
-            });
-        });
-        if (hasCredentials) {
-            const copyCommand = buildCopyCommand(base, client.clientId, client.clientSecret, token.refreshToken, options?.tlsInsecure);
-            process.stderr.write("\nHeadless login: copy this command and run it on a machine without a browser, or use `kweaver auth export`:\n\n" +
-                copyCommand +
-                "\n\n");
-        }
-        setCurrentPlatform(base);
-        return token;
-    });
-}
 function mergeCookieJarForSignin(existing, response) {
     const setCookies = typeof response.headers.getSetCookie === "function"
         ? response.headers.getSetCookie()
@@ -1041,7 +1023,7 @@ async function followSigninRedirectsUntilCallback(startUrl, initialJar, state, r
                 return consentResult;
             }
             throw new Error(`Unexpected OAuth page (HTTP 200) at ${url.slice(0, 120)}… ` +
-                `If this is a consent or MFA screen, use browser login or Playwright.`);
+                `If this is a consent or MFA screen, use browser login (kweaver auth login <url>).`);
         }
         const text = await resp.text().catch(() => "");
         throw new HttpError(resp.status, resp.statusText, text);
@@ -1094,17 +1076,38 @@ async function tryAcceptConsentAfterSignin(base, pageUrl, html, jar, scope, stat
     }
     return null;
 }
-const STUDIOWEB_SHELL_UNAVAILABLE_SNIPPETS = [
-    "Studioweb signin endpoint not available",
-    "Cannot reach studioweb signin endpoint",
-];
 /**
- * True when {@link oauth2PasswordSigninLogin} failed because the Studio web sign-in shell
- * (`/interface/studioweb/login`) is missing or unreachable — callers may fall back to Playwright.
+ * Build the JSON body for `POST /oauth2/signin` (matches the browser `oauth2-ui` form).
+ *
+ * `device.client_type` MUST be a value present in the EACP whitelist defined by
+ * `kweaver/deploy/auto_cofig/auto_config.sh`. `console_web` is the canonical CLI value
+ * (also used by `kweaver-admin`); other values such as `unknown` are rejected by strict
+ * deployments with `管理员已禁止此类客户端登录` — surfaced upstream as a `request_forbidden`
+ * `No CSRF value available in the session cookie` error after Hydra discards the rejected
+ * login challenge.
+ *
+ * `vcode` and `dualfactorauthinfo` must be present even when empty; otherwise eachttpserver
+ * returns HTTP 400 (invalid parameter).
  */
-export function isStudiowebShellUnavailableError(err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    return STUDIOWEB_SHELL_UNAVAILABLE_SNIPPETS.some((s) => msg.includes(s));
+export function buildOauth2SigninPostBody(opts) {
+    return {
+        _csrf: opts.csrftoken,
+        challenge: opts.challenge,
+        account: opts.account,
+        password: opts.passwordCipher,
+        vcode: { id: "", content: "" },
+        dualfactorauthinfo: {
+            validcode: { vcode: "" },
+            OTP: { OTP: "" },
+        },
+        remember: opts.remember,
+        device: {
+            name: "",
+            description: "",
+            client_type: "console_web",
+            udids: [],
+        },
+    };
 }
 /**
  * OAuth2 Authorization Code login using HTTP **only**: `GET /oauth2/signin` (Next.js shell) and
@@ -1127,27 +1130,10 @@ export async function oauth2PasswordSigninLogin(baseUrl, options) {
             (typeof process.env.KWEAVER_OAUTH_PRODUCT === "string" && process.env.KWEAVER_OAUTH_PRODUCT.trim()
                 ? process.env.KWEAVER_OAUTH_PRODUCT.trim()
                 : "adp");
-        // Pre-flight: verify studioweb signin shell exists (same entry as deploy auto_config.sh get_token).
-        // If the deployment lacks studioweb, abort before OAuth client registration.
-        const studiowebProbeUrl = `${base}/interface/studioweb/login?lang=zh-cn&state=${encodeURIComponent(state)}` +
-            `&x-forwarded-prefix=&integrated=false&product=${encodeURIComponent(oauthProduct)}&_t=${Date.now()}`;
-        let probeResp;
-        try {
-            probeResp = await fetch(studiowebProbeUrl, { method: "GET", redirect: "manual" });
-        }
-        catch (cause) {
-            throw new Error(`Cannot reach studioweb signin endpoint at ${base}/interface/studioweb/login. ` +
-                `The deployment may not include studioweb. Use \`kweaver auth login ${base}\` ` +
-                `(OAuth code flow) instead.\n  Cause: ${cause instanceof Error ? cause.message : String(cause)}`);
-        }
-        const probeOk2xx = probeResp.status >= 200 && probeResp.status < 300;
-        const probeOkRedirect = [301, 302, 303, 307, 308].includes(probeResp.status);
-        await probeResp.text().catch(() => "");
-        if (!probeOk2xx && !probeOkRedirect) {
-            throw new Error(`Studioweb signin endpoint not available at ${base}/interface/studioweb/login ` +
-                `(HTTP ${probeResp.status}). The deployment may not include studioweb. ` +
-                `Use \`kweaver auth login ${base}\` (OAuth code flow) instead.`);
-        }
+        // Note: previously we pre-flighted `/interface/studioweb/login` to detect deployments
+        // missing the Studio web shell. The probe added an extra round-trip and was unreliable
+        // (see kweaver-admin which works fine without it). HTTP sign-in only needs `/oauth2/auth`
+        // and `/oauth2/signin`; if either is missing the request below will surface a precise error.
         let client;
         try {
             client = await resolveOrRegisterClient(base, redirectUri, scope, {
@@ -1231,26 +1217,13 @@ export async function oauth2PasswordSigninLogin(baseUrl, options) {
             : options.signinPasswordBase64Plain === false
                 ? false
                 : process.env.KWEAVER_SIGNIN_PASSWORD_B64_RSA_MIN !== "1";
-        // Body shape matches browser `POST /oauth2/signin` (EACP / oauth2-ui); omitting vcode/dualfactorauthinfo
-        // causes 400 from eachttpserver (invalid parameter).
-        const postBody = {
-            _csrf: csrftoken,
+        const postBody = buildOauth2SigninPostBody({
+            csrftoken,
             challenge: loginChallenge,
             account: options.username,
-            password: "",
-            vcode: { id: "", content: "" },
-            dualfactorauthinfo: {
-                validcode: { vcode: "" },
-                OTP: { OTP: "" },
-            },
+            passwordCipher: "",
             remember,
-            device: {
-                name: "",
-                description: "",
-                client_type: "unknown",
-                udids: [],
-            },
-        };
+        });
         const origin = new URL(base).origin;
         /** Some gateways (e.g. DIP) return HTTP 200 + `{"redirect":"..."}` instead of 3xx Location. */
         let signinRedirectFromJson;
@@ -1310,6 +1283,26 @@ export async function oauth2PasswordSigninLogin(baseUrl, options) {
                 }
             }
             else {
+                if (postResp.status === 401) {
+                    try {
+                        const j = JSON.parse(bodyText);
+                        const c = j.code;
+                        if (c === 401001017 || c === "401001017") {
+                            const msg = typeof j.message === "string" && j.message.trim() !== ""
+                                ? j.message.trim()
+                                : "Initial password must be changed before login.";
+                            throw new InitialPasswordChangeRequiredError({
+                                account: options.username,
+                                baseUrl: base,
+                                serverMessage: msg,
+                            });
+                        }
+                    }
+                    catch (e) {
+                        if (e instanceof InitialPasswordChangeRequiredError)
+                            throw e;
+                    }
+                }
                 throw new HttpError(postResp.status, postResp.statusText, bodyText);
             }
         }
@@ -1652,6 +1645,9 @@ function isTlsVerificationDisabledForProcess() {
         process.env.KWEAVER_TLS_INSECURE === "true");
 }
 export function formatHttpError(error) {
+    if (error instanceof InitialPasswordChangeRequiredError) {
+        return `${error.serverMessage} (code ${error.code})`;
+    }
     if (error instanceof HttpError) {
         const oauthMessage = formatOAuthErrorBody(error.body);
         if (oauthMessage) {

package/dist/cli.js

@@ -23,9 +23,10 @@ Usage:
   kweaver --version | -V
   kweaver --help | -h
 
-  kweaver auth <platform-url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--playwright] [--insecure|-k]
+  kweaver auth <platform-url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--new-password <pwd>] [--http-signin] [--insecure|-k]
   kweaver auth login <platform-url>          (alias for auth <url>)
   kweaver auth login <url> --client-id ID --client-secret S --refresh-token T   (run on host without browser)
+  kweaver auth change-password [<platform-url>] [-u <account>] [-o <old>] [-n <new>] [--insecure|-k]
   kweaver auth whoami [platform-url|alias] [--json]
   kweaver auth export [platform-url|alias] [--json]
   kweaver auth status [platform-url|alias]