@linktr.ee/create-link-app 2.2.1 → 2.2.3

package/README.md

@@ -173,14 +173,14 @@ DESCRIPTION
 
 ## `create-link-app logout`
 
-Logout and clear browser session
+Logout and clear local credentials
 
 ```
 USAGE
   $ create-link-app logout
 
 DESCRIPTION
-  Logout and clear browser session
+  Logout and clear local credentials
 ```
 
 ## `create-link-app storybook`

package/dist/commands/login.js

@@ -1,37 +1,128 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.loginCommand = void 0;
 const core_1 = require("@oclif/core");
+const p = __importStar(require("@clack/prompts"));
+const axios_1 = __importDefault(require("axios"));
+const open_1 = __importDefault(require("open"));
+const picocolors_1 = __importDefault(require("picocolors"));
 const base_1 = __importDefault(require("../base"));
-const access_token_1 = require("../lib/auth/access-token");
+const fetch_app_config_1 = __importDefault(require("../lib/fetch-app-config"));
 const device_auth_1 = require("../lib/auth/device-auth");
+const access_token_1 = require("../lib/auth/access-token");
+const write_line_1 = require("../lib/utils/write-line");
+function fixVerificationUrl(url, correctProjectId) {
+    try {
+        const parsed = new URL(url);
+        parsed.pathname = parsed.pathname.replace(/^\/login\/[A-Za-z0-9]+/, `/login/${correctProjectId}`);
+        return parsed.toString();
+    }
+    catch {
+        return url;
+    }
+}
+async function getDescopeHostedConfigStatus(projectId) {
+    const hostedConfigUrl = `https://api.descope.com/pages/${projectId}/v2-beta/config.json`;
+    try {
+        const response = await axios_1.default.get(hostedConfigUrl, {
+            validateStatus: () => true,
+        });
+        return response.status;
+    }
+    catch {
+        return null;
+    }
+}
+async function loginCommand(options) {
+    const env = options.qa ? 'qa' : 'production';
+    p.intro(picocolors_1.default.cyan('Login to Linktree'));
+    const s = p.spinner();
+    s.start('Fetching configuration');
+    const config = await (0, fetch_app_config_1.default)(env);
+    s.stop('Configuration loaded');
+    // Initiate device authorization
+    s.start('Starting device authorization');
+    const handle = await (0, device_auth_1.initDeviceAuthorization)(config.auth);
+    s.stop('Device authorization initiated');
+    const { expires_in, user_code, verification_uri, verification_uri_complete } = handle;
+    const expiryMinutes = Math.floor(expires_in / 60);
+    // The device authorization response may contain a project ID in the URL path that differs
+    // from config.auth.project_id (e.g. when overridden via env var or hardcoded fallback).
+    // Replace it so the browser opens the correct hosted login flow.
+    const fixedUri = config.auth.project_id ? fixVerificationUrl(verification_uri, config.auth.project_id) : verification_uri;
+    const fixedUriComplete = config.auth.project_id
+        ? fixVerificationUrl(verification_uri_complete, config.auth.project_id)
+        : verification_uri_complete;
+    (0, write_line_1.writeLine)();
+    (0, write_line_1.writeLine)(`${picocolors_1.default.green('✓ Authorization code:')} ${picocolors_1.default.bold(user_code)}`);
+    (0, write_line_1.writeLine)(picocolors_1.default.dim(`  ${fixedUriComplete}`));
+    if (fixedUri && fixedUri !== fixedUriComplete) {
+        (0, write_line_1.writeLine)(picocolors_1.default.dim(`  ${fixedUri}`));
+    }
+    (0, write_line_1.writeLine)(picocolors_1.default.dim(`  Expires in ${expiryMinutes} minutes`));
+    (0, write_line_1.writeLine)();
+    // Open browser first so the user can start authenticating immediately
+    await (0, open_1.default)(fixedUriComplete);
+    (0, write_line_1.writeLine)(picocolors_1.default.cyan('🌐 Browser opened for authentication'));
+    (0, write_line_1.writeLine)(picocolors_1.default.dim('  If browser did not open, visit the link above'));
+    (0, write_line_1.writeLine)();
+    // Fire-and-forget diagnostic check — don't block the auth flow
+    const projectId = config.auth.project_id;
+    if (projectId) {
+        void getDescopeHostedConfigStatus(projectId).then((status) => {
+            if (status && status >= 400) {
+                (0, write_line_1.writeLine)(picocolors_1.default.yellow('⚠ Descope hosted login may be misconfigured for this project.'));
+                (0, write_line_1.writeLine)(picocolors_1.default.dim(`  https://api.descope.com/pages/${projectId}/v2-beta/config.json returned HTTP ${status}`));
+                (0, write_line_1.writeLine)(picocolors_1.default.dim('  This usually means an outdated auth project_id or missing Descope flow hosting config.'));
+                (0, write_line_1.writeLine)(picocolors_1.default.dim('  Ask your platform team to set auth.project_id in create-link-app.json, or set LINKAPP_DESCOPE_[QA|PRODUCTION]_PROJECT_ID.'));
+                (0, write_line_1.writeLine)();
+            }
+        });
+    }
+    // Poll for token
+    s.start('Waiting for authentication');
+    const token = await (0, device_auth_1.pollAccessToken)(handle);
+    s.stop('Authentication successful');
+    if ((0, access_token_1.isTokenValid)(token)) {
+        (0, access_token_1.saveAccessToken)(token.access_token);
+        (0, write_line_1.writeLine)(picocolors_1.default.green('✓ Login successful'));
+        if (token.expires_at) {
+            (0, write_line_1.writeLine)(picocolors_1.default.dim(`  Token expires at ${new Date(token.expires_at * 1000).toString()}`));
+        }
+    }
+    p.outro(picocolors_1.default.green('You are now logged in'));
+}
+exports.loginCommand = loginCommand;
 class Login extends base_1.default {
     async run() {
         const { flags } = await this.parse(Login);
-        this.log('🔐 Initiating login with Linktree credentials...');
-        const appConfig = await this.getAppConfig(flags.qa ? 'qa' : 'production');
-        const handle = await (0, device_auth_1.initDeviceAuthorization)(appConfig.auth);
-        const { expires_in, user_code, verification_uri_complete } = handle;
-        const expiryTime = expires_in % 60 === 0 ? `${expires_in / 60} minutes` : `${expires_in} seconds`;
-        this.log(`🌐 Please login via the opened web browser link. The browser window should display the following code: ${user_code}`);
-        this.log(`🔗 If browser does not open automatically, please go to the following link: ${verification_uri_complete}`);
-        this.log(`⏰ This link expires in ${expiryTime}. Press Ctrl-C to abort.`);
-        core_1.CliUx.ux.open(verification_uri_complete);
-        core_1.CliUx.ux.action.start('⏳ Waiting for user to authorize device from browser');
-        const token = await (0, device_auth_1.pollAccessToken)(handle);
-        core_1.CliUx.ux.action.stop();
-        if ((0, access_token_1.isTokenValid)(token)) {
-            (0, access_token_1.saveAccessToken)(token.access_token);
-            if (flags.qa) {
-                this.log('🔑 TOKEN: ', token.access_token);
-            }
-            this.log('✅ Device has been authorized. Login successful.');
-            if (token.expires_at) {
-                this.log(`⏰ Login will expire at ${new Date(token.expires_at * 1000).toString()}`);
-            }
-        }
+        await loginCommand({ qa: flags.qa });
     }
 }
 exports.default = Login;

package/dist/commands/logout.js

@@ -3,26 +3,47 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.logoutCommand = void 0;
 const core_1 = require("@oclif/core");
+const open_1 = __importDefault(require("open"));
+const picocolors_1 = __importDefault(require("picocolors"));
 const base_1 = __importDefault(require("../base"));
+const fetch_app_config_1 = __importDefault(require("../lib/fetch-app-config"));
 const access_token_1 = require("../lib/auth/access-token");
+const write_line_1 = require("../lib/utils/write-line");
+async function logoutCommand(options) {
+    const env = options.qa ? 'qa' : 'production';
+    try {
+        const config = await (0, fetch_app_config_1.default)(env);
+        const { audience } = config.auth;
+        (0, access_token_1.removeAccessToken)(audience);
+        (0, write_line_1.writeLine)(picocolors_1.default.green('✓ Logged out successfully'));
+        (0, write_line_1.writeLine)(picocolors_1.default.dim('  Local credentials have been removed'));
+        if (config.logout_redirect_url) {
+            try {
+                await (0, open_1.default)(config.logout_redirect_url);
+                (0, write_line_1.writeLine)(picocolors_1.default.cyan('🌐 Browser opened to complete provider sign-out'));
+            }
+            catch {
+                (0, write_line_1.writeLine)(picocolors_1.default.yellow('! Browser could not be opened automatically'));
+                (0, write_line_1.writeLine)(picocolors_1.default.dim(`  Complete sign-out here: ${config.logout_redirect_url}`));
+            }
+        }
+        (0, write_line_1.writeLine)();
+    }
+    catch (error) {
+        console.error(picocolors_1.default.red('✗ Logout failed:'), error);
+    }
+}
+exports.logoutCommand = logoutCommand;
 class Logout extends base_1.default {
     async run() {
         const { flags } = await this.parse(Logout);
-        this.log('🔓 Logging out and clearing browser session...');
-        const appConfig = await this.getAppConfig(flags.qa ? 'qa' : 'production');
-        const { auth, logout_redirect_url } = appConfig;
-        const { domain, client_id, audience } = auth;
-        (0, access_token_1.removeAccessToken)(audience);
-        // clear Auth0 session cookies so user gets prompted to enter credentials again for next login
-        const url = `${domain}/v2/logout?client_id=${client_id}&returnTo=${logout_redirect_url}`;
-        core_1.CliUx.ux.open(url);
-        this.log('✅ Logout successful.');
-        this.log(`🌐 If browser did not open automatically, please go to the following link to logout from the browser: ${url}`);
+        await logoutCommand({ qa: flags.qa });
     }
 }
 exports.default = Logout;
-Logout.description = 'Logout and clear browser session';
+Logout.description = 'Logout and clear local credentials';
 Logout.flags = {
     qa: core_1.Flags.boolean({
         description: 'Use QA environment. Admin use only.',

package/dist/lib/auth/access-token.js

@@ -7,6 +7,16 @@ exports.getAccessToken = exports.removeAccessToken = exports.saveAccessToken = e
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 const netrc_parser_1 = __importDefault(require("netrc-parser"));
 const TokenExpiryThresholdSeconds = 60; // Used to consider tokens as 'expired' within the last x seconds of its actual expiry to ensure slow requests still use a valid token
+function normalizeClaimValues(claim) {
+    if (!claim) {
+        return [];
+    }
+    const values = Array.isArray(claim) ? claim : [claim];
+    return values
+        .flatMap((value) => value.split(/[,\s]+/))
+        .map((value) => value.trim())
+        .filter((value) => value.length > 0);
+}
 function isTokenValid(token) {
     if (!token.access_token || token.token_type !== 'Bearer') {
         throw new Error('Received access token is invalid');
@@ -15,16 +25,21 @@ function isTokenValid(token) {
     if (!payload) {
         throw new Error('There was an error parsing the access token, please try logging in again');
     }
-    const permissions = payload.permissions ?? [];
+    const permissions = normalizeClaimValues(payload.permissions);
     if (permissions.length === 0) {
-        throw new Error('Login request was successful, but the authenticated user does not have appropriate permissions to view or modify Link Apps');
+        // Descope and other providers may encode permissions in scope-like claims.
+        const scopePermissions = [...normalizeClaimValues(payload.scope), ...normalizeClaimValues(payload.scp)].filter((v) => /[:.]/u.test(v));
+        if (scopePermissions.length === 0) {
+            throw new Error('Login request was successful, but the authenticated user does not have appropriate permissions to view or modify Link Apps');
+        }
     }
     return true;
 }
 exports.isTokenValid = isTokenValid;
 function saveAccessToken(tokenString) {
     const token = jsonwebtoken_1.default.decode(tokenString, { json: true });
-    const audience = token?.aud;
+    const rawAudience = token?.aud;
+    const audience = Array.isArray(rawAudience) ? rawAudience[0] : rawAudience;
     if (audience && typeof audience === 'string') {
         netrc_parser_1.default.loadSync();
         netrc_parser_1.default.machines[audience] = {
@@ -53,15 +68,13 @@ function getAccessToken(audience) {
     if (!tokenString) {
         throw new Error('Not logged in. Please login using command: login');
     }
-    else {
-        const token = jsonwebtoken_1.default.decode(tokenString, { json: true });
-        if (!token?.exp) {
-            throw new Error('Cached login token is invalid. Please login again using command: login');
-        }
-        else if (token.exp - TokenExpiryThresholdSeconds < Math.floor(Date.now() / 1000)) {
-            throw new Error('Login expired. Please login again using command: login');
-        }
-        return tokenString;
+    const token = jsonwebtoken_1.default.decode(tokenString, { json: true });
+    if (!token?.exp) {
+        throw new Error('Cached login token is invalid. Please login again using command: login');
+    }
+    if (token.exp - TokenExpiryThresholdSeconds < Math.floor(Date.now() / 1000)) {
+        throw new Error('Login expired. Please login again using command: login');
     }
+    return tokenString;
 }
 exports.getAccessToken = getAccessToken;

package/dist/lib/auth/device-auth.js

@@ -3,13 +3,21 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.pollAccessToken = exports.initDeviceAuthorization = void 0;
 const openid_client_1 = require("openid-client");
 async function initDeviceAuthorization(config) {
-    const { domain, client_id, audience } = config;
-    const auth0Issuer = await openid_client_1.Issuer.discover(domain);
-    const client = new auth0Issuer.Client({
+    const { domain, client_id, audience, project_id } = config;
+    if (!project_id) {
+        throw new Error('Authentication configuration is missing the project_id. Please update to the latest CLI version and try again.');
+    }
+    const issuer = new openid_client_1.Issuer({
+        issuer: `${domain}/v1/apps/customized/${project_id}`,
+        device_authorization_endpoint: `${domain}/oauth2/v1/apps/${project_id}/device`,
+        token_endpoint: `${domain}/oauth2/v1/apps/${project_id}/token`,
+        jwks_uri: `${domain}/${project_id}/.well-known/jwks.json`,
+    });
+    const client = new issuer.Client({
         client_id,
         token_endpoint_auth_method: 'none',
     });
-    return await client.deviceAuthorization({ scope: '', audience });
+    return client.deviceAuthorization({ scope: 'openid', audience });
 }
 exports.initDeviceAuthorization = initDeviceAuthorization;
 async function pollAccessToken(handle) {

package/dist/lib/fetch-app-config.js

@@ -4,15 +4,33 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const axios_1 = __importDefault(require("axios"));
+const PROJECT_IDS = {
+    'https://ciam.qa.linktr.ee': 'P32AChDvEswJtnBOsX26vHeCXTws',
+    'https://ciam.linktr.ee': 'P32ACVpudk8MNftmpf1LR1pW5k8s',
+};
+const PROJECT_ID_ENV_VARS = {
+    qa: 'LINKAPP_DESCOPE_QA_PROJECT_ID',
+    production: 'LINKAPP_DESCOPE_PRODUCTION_PROJECT_ID',
+};
 const fetchAppConfig = async (stage = 'production') => {
     const configUrl = `https://link-types-config.${stage}.linktr.ee/create-link-app.json`;
     try {
         const response = await axios_1.default.get(configUrl);
-        return response.data;
+        const config = response.data;
+        const projectIdOverride = process.env[PROJECT_ID_ENV_VARS[stage]] ?? process.env.LINKAPP_DESCOPE_PROJECT_ID;
+        if (projectIdOverride) {
+            config.auth.project_id = projectIdOverride;
+            return config;
+        }
+        // Inject project_id if not present in remote config (temporary until Davis config is deployed)
+        if (!config.auth.project_id && config.auth.domain) {
+            config.auth.project_id = PROJECT_IDS[config.auth.domain];
+        }
+        return config;
     }
     catch (err) {
         if (axios_1.default.isAxiosError(err)) {
-            throw new Error(err.message);
+            throw new Error(`Failed to fetch config from ${configUrl}: ${err.message}`);
         }
         throw err;
     }

package/dist/lib/utils/write-line.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.writeLine = void 0;
+function writeLine(message = '') {
+    process.stdout.write(message + '\n');
+}
+exports.writeLine = writeLine;

package/oclif.manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "2.2.1",
+  "version": "2.2.3",
   "commands": {
     "build": {
       "id": "build",
@@ -233,7 +233,7 @@
     },
     "logout": {
       "id": "logout",
-      "description": "Logout and clear browser session",
+      "description": "Logout and clear local credentials",
       "strict": true,
       "pluginName": "@linktr.ee/create-link-app",
       "pluginAlias": "@linktr.ee/create-link-app",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@linktr.ee/create-link-app",
-  "version": "2.2.1",
+  "version": "2.2.3",
   "description": "Create a Link App on Linktr.ee.",
   "license": "UNLICENSED",
   "author": "Linktree",
@@ -33,6 +33,7 @@
     "@babel/preset-react": "^7.17.12",
     "@babel/preset-typescript": "^7.17.12",
     "@babel/runtime": "^7.18.3",
+    "@clack/prompts": "^0.7.0",
     "@linktr.ee/ui-link-kit": "latest",
     "@oclif/core": "^1.9.0",
     "@oclif/plugin-help": "5.1.23",
@@ -62,7 +63,9 @@
     "jsonwebtoken": "^8.5.1",
     "mini-css-extract-plugin": "^2.7.5",
     "netrc-parser": "^3.1.6",
+    "open": "^8.4.0",
     "openid-client": "^5.1.6",
+    "picocolors": "^1.0.0",
     "postcss": "^8.4.21",
     "postcss-loader": "^4.3.0",
     "prettier": "^2.8.8",