@linktr.ee/create-link-app 2.2.4 → 2.2.5

package/dist/commands/deploy.js

@@ -7,9 +7,13 @@ const core_1 = require("@oclif/core");
 const axios_1 = __importDefault(require("axios"));
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
+const picocolors_1 = __importDefault(require("picocolors"));
 const slugify_1 = __importDefault(require("slugify"));
 const base_1 = __importDefault(require("../base"));
-const access_token_1 = require("../lib/auth/access-token");
+const inline_login_1 = require("../lib/auth/inline-login");
+const pkce_flow_1 = require("../lib/auth/pkce-flow");
+const token_storage_1 = require("../lib/auth/token-storage");
+const write_line_1 = require("../lib/utils/write-line");
 const check_link_app_exists_1 = __importDefault(require("../lib/deploy/check-link-app-exists"));
 const create_form_data_1 = __importDefault(require("../lib/deploy/create-form-data"));
 const pack_project_1 = __importDefault(require("../lib/deploy/pack-project"));
@@ -18,7 +22,21 @@ class Deploy extends base_1.default {
     async run() {
         const { flags } = await this.parse(Deploy);
         const appConfig = await this.getAppConfig(flags.qa ? 'qa' : 'production');
-        const accessToken = (0, access_token_1.getAccessToken)(appConfig.auth.audience);
+        let accessToken = (0, token_storage_1.getToken)(appConfig.auth.audience);
+        if (!accessToken) {
+            (0, write_line_1.writeLine)(picocolors_1.default.yellow('Not authenticated or token expired. Starting login...'));
+            (0, write_line_1.writeLine)();
+            try {
+                accessToken = await (0, inline_login_1.performLogin)(appConfig);
+            }
+            catch (error) {
+                if (error instanceof pkce_flow_1.LoginCancelledError) {
+                    this.log('❌ Deployment cancelled — login was not completed.');
+                    return;
+                }
+                throw error;
+            }
+        }
         const linkTypeServiceUrl = `${flags.endpoint ?? appConfig.link_types_url}/link-types`;
         const isForceUpdate = !!flags['force-update'];
         const isQa = !!flags.qa;

package/dist/commands/grant-access.js

@@ -6,13 +6,16 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const core_1 = require("@oclif/core");
 const axios_1 = __importDefault(require("axios"));
 const base_1 = __importDefault(require("../base"));
-const access_token_1 = require("../lib/auth/access-token");
+const token_storage_1 = require("../lib/auth/token-storage");
 class GrantAccess extends base_1.default {
     async run() {
         const { args, flags } = await this.parse(GrantAccess);
         this.log(`🔐 Granting access to Link App '${args.link_app_id}' for user '${args.username}'...`);
         const appConfig = await this.getAppConfig(flags.qa ? 'qa' : 'production');
-        const accessToken = (0, access_token_1.getAccessToken)(appConfig.auth.audience);
+        const accessToken = (0, token_storage_1.getToken)(appConfig.auth.audience);
+        if (!accessToken) {
+            this.error('Not logged in. Please login first using: create-link-app login');
+        }
         const url = `${flags.endpoint ?? appConfig.link_types_url}/link-types/${args.link_app_id}/maintainers`;
         const maintainerDto = {
             username: args.username,

package/dist/commands/login.js

@@ -29,94 +29,49 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.loginCommand = void 0;
 const core_1 = require("@oclif/core");
 const p = __importStar(require("@clack/prompts"));
-const axios_1 = __importDefault(require("axios"));
-const open_1 = __importDefault(require("open"));
 const picocolors_1 = __importDefault(require("picocolors"));
 const base_1 = __importDefault(require("../base"));
 const fetch_app_config_1 = __importDefault(require("../lib/fetch-app-config"));
-const device_auth_1 = require("../lib/auth/device-auth");
-const access_token_1 = require("../lib/auth/access-token");
+const inline_login_1 = require("../lib/auth/inline-login");
+const pkce_flow_1 = require("../lib/auth/pkce-flow");
+const token_storage_1 = require("../lib/auth/token-storage");
 const write_line_1 = require("../lib/utils/write-line");
-function fixVerificationUrl(url, correctProjectId) {
-    try {
-        const parsed = new URL(url);
-        parsed.pathname = parsed.pathname.replace(/^\/login\/[A-Za-z0-9]+/, `/login/${correctProjectId}`);
-        return parsed.toString();
-    }
-    catch {
-        return url;
-    }
-}
-async function getDescopeHostedConfigStatus(projectId) {
-    const hostedConfigUrl = `https://api.descope.com/pages/${projectId}/v2-beta/config.json`;
-    try {
-        const response = await axios_1.default.get(hostedConfigUrl, {
-            validateStatus: () => true,
-        });
-        return response.status;
-    }
-    catch {
-        return null;
-    }
-}
 async function loginCommand(options) {
     const env = options.qa ? 'qa' : 'production';
-    p.intro(picocolors_1.default.cyan('Login to Linktree'));
-    const s = p.spinner();
-    s.start('Fetching configuration');
-    const config = await (0, fetch_app_config_1.default)(env);
-    s.stop('Configuration loaded');
-    // Initiate device authorization
-    s.start('Starting device authorization');
-    const handle = await (0, device_auth_1.initDeviceAuthorization)(config.auth);
-    s.stop('Device authorization initiated');
-    const { expires_in, user_code, verification_uri, verification_uri_complete } = handle;
-    const expiryMinutes = Math.floor(expires_in / 60);
-    // The device authorization response may contain a project ID in the URL path that differs
-    // from config.auth.project_id (e.g. when overridden via env var or hardcoded fallback).
-    // Replace it so the browser opens the correct hosted login flow.
-    const fixedUri = config.auth.project_id ? fixVerificationUrl(verification_uri, config.auth.project_id) : verification_uri;
-    const fixedUriComplete = config.auth.project_id
-        ? fixVerificationUrl(verification_uri_complete, config.auth.project_id)
-        : verification_uri_complete;
+    const envLabel = options.qa ? 'QA' : 'Production';
+    (0, write_line_1.writeLine)(picocolors_1.default.cyan(`Logging in to ${envLabel}...`));
     (0, write_line_1.writeLine)();
-    (0, write_line_1.writeLine)(`${picocolors_1.default.green('✓ Authorization code:')} ${picocolors_1.default.bold(user_code)}`);
-    (0, write_line_1.writeLine)(picocolors_1.default.dim(`  ${fixedUriComplete}`));
-    if (fixedUri && fixedUri !== fixedUriComplete) {
-        (0, write_line_1.writeLine)(picocolors_1.default.dim(`  ${fixedUri}`));
-    }
-    (0, write_line_1.writeLine)(picocolors_1.default.dim(`  Expires in ${expiryMinutes} minutes`));
-    (0, write_line_1.writeLine)();
-    // Open browser first so the user can start authenticating immediately
-    await (0, open_1.default)(fixedUriComplete);
-    (0, write_line_1.writeLine)(picocolors_1.default.cyan('🌐 Browser opened for authentication'));
-    (0, write_line_1.writeLine)(picocolors_1.default.dim('  If browser did not open, visit the link above'));
-    (0, write_line_1.writeLine)();
-    // Fire-and-forget diagnostic check — don't block the auth flow
-    const projectId = config.auth.project_id;
-    if (projectId) {
-        void getDescopeHostedConfigStatus(projectId).then((status) => {
-            if (status && status >= 400) {
-                (0, write_line_1.writeLine)(picocolors_1.default.yellow('⚠ Descope hosted login may be misconfigured for this project.'));
-                (0, write_line_1.writeLine)(picocolors_1.default.dim(`  https://api.descope.com/pages/${projectId}/v2-beta/config.json returned HTTP ${status}`));
-                (0, write_line_1.writeLine)(picocolors_1.default.dim('  This usually means an outdated auth project_id or missing Descope flow hosting config.'));
-                (0, write_line_1.writeLine)(picocolors_1.default.dim('  Ask your platform team to set auth.project_id in create-link-app.json, or set LINKAPP_DESCOPE_[QA|PRODUCTION]_PROJECT_ID.'));
+    try {
+        const config = await (0, fetch_app_config_1.default)(env);
+        // Check if already logged in
+        if ((0, token_storage_1.isTokenValid)(config.auth.audience)) {
+            const shouldReauth = await p.confirm({
+                message: 'Already logged in. Re-authenticate?',
+                initialValue: false,
+            });
+            if (p.isCancel(shouldReauth) || !shouldReauth) {
                 (0, write_line_1.writeLine)();
+                (0, write_line_1.writeLine)(picocolors_1.default.dim('Login cancelled'));
+                return;
             }
-        });
+        }
+        await (0, inline_login_1.performLogin)(config);
+        process.exit(0);
     }
-    // Poll for token
-    s.start('Waiting for authentication');
-    const token = await (0, device_auth_1.pollAccessToken)(handle);
-    s.stop('Authentication successful');
-    if ((0, access_token_1.isTokenValid)(token)) {
-        (0, access_token_1.saveAccessToken)(token.access_token, config.auth.audience);
-        (0, write_line_1.writeLine)(picocolors_1.default.green('✓ Login successful'));
-        if (token.expires_at) {
-            (0, write_line_1.writeLine)(picocolors_1.default.dim(`  Token expires at ${new Date(token.expires_at * 1000).toString()}`));
+    catch (error) {
+        if (error instanceof pkce_flow_1.LoginCancelledError) {
+            (0, write_line_1.writeLine)();
+            (0, write_line_1.writeLine)(picocolors_1.default.dim('Login cancelled'));
+            process.exit(0);
+        }
+        if (error instanceof Error) {
+            console.error(picocolors_1.default.red('\n✗ Login failed:'), error.message);
+        }
+        else {
+            console.error(picocolors_1.default.red('\n✗ Login failed:'), error);
         }
+        process.exit(1);
     }
-    p.outro(picocolors_1.default.green('You are now logged in'));
 }
 exports.loginCommand = loginCommand;
 class Login extends base_1.default {

package/dist/commands/logout.js

@@ -9,14 +9,16 @@ const open_1 = __importDefault(require("open"));
 const picocolors_1 = __importDefault(require("picocolors"));
 const base_1 = __importDefault(require("../base"));
 const fetch_app_config_1 = __importDefault(require("../lib/fetch-app-config"));
-const access_token_1 = require("../lib/auth/access-token");
+const token_storage_1 = require("../lib/auth/token-storage");
 const write_line_1 = require("../lib/utils/write-line");
 async function logoutCommand(options) {
-    const env = options.qa ? 'qa' : 'production';
+    const env = options.qa ? 'QA' : 'Production';
+    (0, write_line_1.writeLine)(picocolors_1.default.cyan(`🔓 Logging out from ${env}...`));
+    (0, write_line_1.writeLine)();
     try {
-        const config = await (0, fetch_app_config_1.default)(env);
-        const { audience } = config.auth;
-        (0, access_token_1.removeAccessToken)(audience);
+        const config = await (0, fetch_app_config_1.default)(options.qa ? 'qa' : 'production');
+        // Remove stored token for the specified audience
+        (0, token_storage_1.removeToken)(config.auth.audience);
         (0, write_line_1.writeLine)(picocolors_1.default.green('✓ Logged out successfully'));
         (0, write_line_1.writeLine)(picocolors_1.default.dim('  Local credentials have been removed'));
         if (config.logout_redirect_url) {
@@ -30,9 +32,16 @@ async function logoutCommand(options) {
             }
         }
         (0, write_line_1.writeLine)();
+        process.exit(0);
     }
     catch (error) {
-        console.error(picocolors_1.default.red('✗ Logout failed:'), error);
+        if (error instanceof Error) {
+            console.error(picocolors_1.default.red('✗ Logout failed:'), error.message);
+        }
+        else {
+            console.error(picocolors_1.default.red('✗ Logout failed:'), error);
+        }
+        process.exit(1);
     }
 }
 exports.logoutCommand = logoutCommand;

package/dist/commands/test-url-match-rules.js

@@ -7,7 +7,7 @@ const core_1 = require("@oclif/core");
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
 const base_1 = __importDefault(require("../base"));
-const access_token_1 = require("../lib/auth/access-token");
+const token_storage_1 = require("../lib/auth/token-storage");
 const test_url_match_rules_1 = __importDefault(require("../lib/deploy/test-url-match-rules"));
 class TestUrlMatchRules extends base_1.default {
     async run() {
@@ -15,7 +15,10 @@ class TestUrlMatchRules extends base_1.default {
         this.log(`🧪 Testing URL match rules for: ${args.url}`);
         const appConfig = await this.getAppConfig(flags.qa ? 'qa' : 'production');
         const linkTypeServiceUrl = `${flags.endpoint ?? appConfig.link_types_url}/link-types`;
-        const accessToken = (0, access_token_1.getAccessToken)(appConfig.auth.audience);
+        const accessToken = (0, token_storage_1.getToken)(appConfig.auth.audience);
+        if (!accessToken) {
+            this.error('Not logged in. Please login first using: create-link-app login', { exit: 1 });
+        }
         const url = args.url;
         if (!url) {
             this.error('❌ URL is required', { exit: 1 });

package/dist/lib/auth/inline-login.js

@@ -0,0 +1,90 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.performLogin = void 0;
+const p = __importStar(require("@clack/prompts"));
+const detect_port_1 = require("detect-port");
+const open_1 = __importDefault(require("open"));
+const picocolors_1 = __importDefault(require("picocolors"));
+const write_line_1 = require("../utils/write-line");
+const pkce_flow_1 = require("./pkce-flow");
+const token_storage_1 = require("./token-storage");
+/**
+ * Performs the PKCE login flow and returns the access token.
+ * Reusable from both the login command and inline during deploy.
+ *
+ * @throws Error if login fails or is cancelled
+ */
+async function performLogin(config) {
+    const s = p.spinner();
+    const port = await (0, detect_port_1.detect)(3456);
+    s.start('Starting authentication');
+    const flow = await (0, pkce_flow_1.startPkceFlow)(config.auth, port);
+    s.stop('Authentication started');
+    const cleanup = () => {
+        flow.cancel();
+    };
+    process.on('SIGINT', cleanup);
+    process.on('SIGTERM', cleanup);
+    try {
+        (0, write_line_1.writeLine)();
+        (0, write_line_1.writeLine)(picocolors_1.default.dim(`  ${flow.authUrl}`));
+        (0, write_line_1.writeLine)();
+        await (0, open_1.default)(flow.authUrl);
+        (0, write_line_1.writeLine)(picocolors_1.default.cyan('  Browser opened for authentication'));
+        (0, write_line_1.writeLine)(picocolors_1.default.dim('  If browser did not open, visit the link above'));
+        (0, write_line_1.writeLine)();
+        s.start('Waiting for authorization');
+        const tokenSet = await flow.waitForCallback();
+        s.stop('Authorization successful');
+        if (!tokenSet.access_token) {
+            throw new Error('No access token received');
+        }
+        const expiresAt = tokenSet.expires_at ?? (tokenSet.expires_in ? Math.floor(Date.now() / 1000) + tokenSet.expires_in : undefined);
+        (0, token_storage_1.saveToken)(tokenSet.access_token, config.auth.audience, expiresAt);
+        (0, write_line_1.writeLine)();
+        (0, write_line_1.writeLine)(picocolors_1.default.green('  Login successful!'));
+        if (expiresAt) {
+            (0, write_line_1.writeLine)(picocolors_1.default.dim(`  Token expires: ${new Date(expiresAt * 1000).toLocaleString()}`));
+        }
+        (0, write_line_1.writeLine)();
+        return tokenSet.access_token;
+    }
+    catch (error) {
+        if (error instanceof pkce_flow_1.LoginCancelledError) {
+            s.stop('Login cancelled');
+            throw error;
+        }
+        throw error;
+    }
+    finally {
+        process.removeListener('SIGINT', cleanup);
+        process.removeListener('SIGTERM', cleanup);
+    }
+}
+exports.performLogin = performLogin;

package/dist/lib/auth/pkce-flow.js

@@ -0,0 +1,152 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startPkceFlow = exports.LoginCancelledError = void 0;
+const node_http_1 = require("node:http");
+const openid_client_1 = require("openid-client");
+const LOGIN_TIMEOUT_MS = 5 * 60 * 1000;
+class LoginCancelledError extends Error {
+    constructor() {
+        super('Login cancelled');
+        this.name = 'LoginCancelledError';
+    }
+}
+exports.LoginCancelledError = LoginCancelledError;
+function successHtml() {
+    return `<!DOCTYPE html><html><head><title>Login Successful</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;justify-content:center;align-items:center;min-height:100vh;margin:0;background:#f0fdf4}
+.card{text-align:center;padding:2rem;border-radius:8px;background:white;box-shadow:0 1px 3px rgba(0,0,0,0.1)}
+h1{color:#16a34a;margin-bottom:0.5rem}p{color:#6b7280}</style></head>
+<body><div class="card"><h1>Login Successful</h1><p>You can close this window and return to the terminal.</p></div></body></html>`;
+}
+function errorHtml(message) {
+    const escaped = message.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+    return `<!DOCTYPE html><html><head><title>Login Failed</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;justify-content:center;align-items:center;min-height:100vh;margin:0;background:#fef2f2}
+.card{text-align:center;padding:2rem;border-radius:8px;background:white;box-shadow:0 1px 3px rgba(0,0,0,0.1)}
+h1{color:#dc2626;margin-bottom:0.5rem}p{color:#6b7280}</style></head>
+<body><div class="card"><h1>Login Failed</h1><p>${escaped}</p><p>Please close this tab and try again.</p></div></body></html>`;
+}
+function startPkceFlow(config, port) {
+    const { domain, client_id, audience, project_id } = config;
+    if (!project_id) {
+        return Promise.reject(new Error('Authentication configuration is missing the project_id. Please update to the latest CLI version and try again.'));
+    }
+    const issuer = new openid_client_1.Issuer({
+        issuer: `${domain}/v1/apps/customized/${project_id}`,
+        authorization_endpoint: `${domain}/oauth2/v1/apps/${project_id}/authorize`,
+        token_endpoint: `${domain}/oauth2/v1/apps/${project_id}/token`,
+        jwks_uri: `${domain}/${project_id}/.well-known/jwks.json`,
+    });
+    const client = new issuer.Client({
+        client_id,
+        token_endpoint_auth_method: 'none',
+    });
+    const codeVerifier = openid_client_1.generators.codeVerifier();
+    const codeChallenge = openid_client_1.generators.codeChallenge(codeVerifier);
+    const state = openid_client_1.generators.state();
+    const redirectUri = `http://localhost:${port}/callback`;
+    const authUrl = client.authorizationUrl({
+        scope: 'openid',
+        audience,
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+        state,
+        redirect_uri: redirectUri,
+        response_type: 'code',
+    });
+    let settled = false;
+    let resolveCallback;
+    let rejectCallback;
+    let timeoutId;
+    const callbackPromise = new Promise((resolve, reject) => {
+        resolveCallback = resolve;
+        rejectCallback = reject;
+    });
+    const server = (0, node_http_1.createServer)(async (req, res) => {
+        try {
+            const url = new URL(req.url ?? '/', `http://localhost:${port}`);
+            if (url.pathname !== '/callback') {
+                res.writeHead(404, { 'Content-Type': 'text/plain' });
+                res.end('Not found');
+                return;
+            }
+            if (settled) {
+                res.writeHead(200, { 'Content-Type': 'text/html' });
+                res.end(successHtml());
+                return;
+            }
+            const params = client.callbackParams(req);
+            const tokenSet = await client.callback(redirectUri, params, {
+                code_verifier: codeVerifier,
+                state,
+            });
+            settled = true;
+            res.writeHead(200, { 'Content-Type': 'text/html' });
+            res.end(successHtml());
+            if (timeoutId)
+                clearTimeout(timeoutId);
+            server.close(() => {
+                /* noop */
+            });
+            resolveCallback(tokenSet);
+        }
+        catch (err) {
+            if (settled)
+                return;
+            settled = true;
+            const message = err instanceof Error ? err.message : 'Unknown error during authentication';
+            res.writeHead(200, { 'Content-Type': 'text/html' });
+            res.end(errorHtml(message));
+            if (timeoutId)
+                clearTimeout(timeoutId);
+            server.close(() => {
+                /* noop */
+            });
+            if (err instanceof openid_client_1.errors.OPError) {
+                rejectCallback(new Error(err.error_description ?? err.message));
+            }
+            else if (err instanceof Error) {
+                rejectCallback(err);
+            }
+            else {
+                rejectCallback(new Error(message));
+            }
+        }
+    });
+    return new Promise((resolveSetup, rejectSetup) => {
+        server.listen(port, 'localhost', () => {
+            resolveSetup({
+                authUrl,
+                cancel: () => {
+                    if (!settled) {
+                        settled = true;
+                        if (timeoutId)
+                            clearTimeout(timeoutId);
+                        rejectCallback(new LoginCancelledError());
+                    }
+                    server.close(() => {
+                        /* noop */
+                    });
+                },
+                waitForCallback: () => {
+                    if (!settled) {
+                        timeoutId = setTimeout(() => {
+                            if (!settled) {
+                                settled = true;
+                                server.close(() => {
+                                    /* noop */
+                                });
+                                rejectCallback(new Error('Login timed out after 5 minutes. Please try again.'));
+                            }
+                        }, LOGIN_TIMEOUT_MS);
+                    }
+                    return callbackPromise;
+                },
+            });
+        });
+        server.on('error', (err) => {
+            rejectSetup(new Error(`Failed to start authentication server on port ${port}: ${err.message}`));
+        });
+    });
+}
+exports.startPkceFlow = startPkceFlow;

package/dist/lib/auth/token-storage.js

@@ -0,0 +1,148 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isTokenValid = exports.removeToken = exports.getToken = exports.saveToken = void 0;
+const node_fs_1 = require("node:fs");
+const node_os_1 = require("node:os");
+const node_path_1 = require("node:path");
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const CONFIG_DIR = (0, node_path_1.join)((0, node_os_1.homedir)(), '.config', 'linkapp');
+const TOKEN_FILE = (0, node_path_1.join)(CONFIG_DIR, 'auth-token.json');
+const TOKEN_EXPIRY_THRESHOLD_SECONDS = 60; // Consider tokens as expired within the last 60s of actual expiry
+function normalizeClaimValues(claim) {
+    if (!claim) {
+        return [];
+    }
+    const values = Array.isArray(claim) ? claim : [claim];
+    return values
+        .flatMap((value) => value.split(/[,\s]+/))
+        .map((value) => value.trim())
+        .filter((value) => value.length > 0);
+}
+/**
+ * Validates that a JWT token has the correct structure and permissions
+ * @throws Error if token is invalid or lacks permissions
+ */
+function validateTokenStructure(tokenString) {
+    const payload = jsonwebtoken_1.default.decode(tokenString, { json: true });
+    if (!payload) {
+        throw new Error('There was an error parsing the access token, please try logging in again');
+    }
+    const permissions = normalizeClaimValues(payload.permissions);
+    if (permissions.length === 0) {
+        // Descope and other providers may encode permissions in scope-like claims.
+        const scopePermissions = [...normalizeClaimValues(payload.scope), ...normalizeClaimValues(payload.scp)].filter((s) => /[:./]/.test(s));
+        if (scopePermissions.length === 0) {
+            throw new Error('Login request was successful, but the authenticated user does not have appropriate permissions to view or modify LinkApps');
+        }
+    }
+}
+/**
+ * Type guard to check if stored data is in legacy format
+ */
+function isLegacyFormat(data) {
+    return typeof data === 'object' && data !== null && 'accessToken' in data && 'audience' in data && !('tokens' in data);
+}
+/**
+ * Reads the token storage, migrating from legacy format if needed
+ */
+function readTokenStorage() {
+    if (!(0, node_fs_1.existsSync)(TOKEN_FILE)) {
+        return { tokens: {} };
+    }
+    try {
+        const rawData = JSON.parse((0, node_fs_1.readFileSync)(TOKEN_FILE, 'utf-8'));
+        // Check if it's legacy format and migrate
+        if (isLegacyFormat(rawData)) {
+            const migrated = {
+                tokens: {
+                    [rawData.audience]: {
+                        accessToken: rawData.accessToken,
+                        expiresAt: rawData.expiresAt,
+                    },
+                },
+            };
+            // Write migrated format back to disk
+            (0, node_fs_1.writeFileSync)(TOKEN_FILE, JSON.stringify(migrated, null, 2), 'utf-8');
+            return migrated;
+        }
+        // Already in new format
+        return rawData;
+    }
+    catch (error) {
+        console.error('Failed to read token storage:', error);
+        return { tokens: {} };
+    }
+}
+/**
+ * Writes the token storage to disk
+ */
+function writeTokenStorage(storage) {
+    // Ensure config directory exists
+    if (!(0, node_fs_1.existsSync)(CONFIG_DIR)) {
+        (0, node_fs_1.mkdirSync)(CONFIG_DIR, { recursive: true });
+    }
+    (0, node_fs_1.writeFileSync)(TOKEN_FILE, JSON.stringify(storage, null, 2), 'utf-8');
+}
+function saveToken(token, audience, expiresAt) {
+    // Validate token structure and permissions before saving
+    validateTokenStructure(token);
+    // Read existing storage (handles migration if needed)
+    const storage = readTokenStorage();
+    // Add or update token for this audience
+    storage.tokens[audience] = {
+        accessToken: token,
+        expiresAt,
+    };
+    // Write updated storage
+    writeTokenStorage(storage);
+}
+exports.saveToken = saveToken;
+function getToken(audience) {
+    // Read storage (handles migration if needed)
+    const storage = readTokenStorage();
+    // Get token for this audience
+    const tokenEntry = storage.tokens[audience];
+    if (!tokenEntry) {
+        return null;
+    }
+    // Check if token is expired (with threshold buffer)
+    if (tokenEntry.expiresAt && tokenEntry.expiresAt - TOKEN_EXPIRY_THRESHOLD_SECONDS < Math.floor(Date.now() / 1000)) {
+        // Remove expired token
+        removeToken(audience);
+        return null;
+    }
+    return tokenEntry.accessToken;
+}
+exports.getToken = getToken;
+function removeToken(audience) {
+    // Read storage (handles migration if needed)
+    const storage = readTokenStorage();
+    // If audience is specified, only remove that token
+    if (audience) {
+        if (storage.tokens[audience]) {
+            delete storage.tokens[audience];
+            // If there are remaining tokens, write updated storage
+            // Otherwise, delete the file
+            if (Object.keys(storage.tokens).length > 0) {
+                writeTokenStorage(storage);
+            }
+            else if ((0, node_fs_1.existsSync)(TOKEN_FILE)) {
+                (0, node_fs_1.unlinkSync)(TOKEN_FILE);
+            }
+        }
+    }
+    else {
+        // No audience specified - remove all tokens
+        if ((0, node_fs_1.existsSync)(TOKEN_FILE)) {
+            (0, node_fs_1.unlinkSync)(TOKEN_FILE);
+        }
+    }
+}
+exports.removeToken = removeToken;
+function isTokenValid(audience) {
+    return getToken(audience) !== null;
+}
+exports.isTokenValid = isTokenValid;

package/oclif.manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "2.2.4",
+  "version": "2.2.5",
   "commands": {
     "build": {
       "id": "build",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@linktr.ee/create-link-app",
-  "version": "2.2.4",
+  "version": "2.2.5",
   "description": "Create a Link App on Linktr.ee.",
   "license": "UNLICENSED",
   "author": "Linktree",
@@ -55,6 +55,7 @@
     "babel-loader": "^8.2.5",
     "camelcase": "^6.3.0",
     "css-loader": "^6.7.3",
+    "detect-port": "^2.1.0",
     "fork-ts-checker-webpack-plugin": "^7.2.11",
     "form-data": "^4.0.0",
     "fs-extra": "^10.1.0",
@@ -62,7 +63,6 @@
     "inject-body-webpack-plugin": "^1.3.0",
     "jsonwebtoken": "^8.5.1",
     "mini-css-extract-plugin": "^2.7.5",
-    "netrc-parser": "^3.1.6",
     "open": "^8.4.0",
     "openid-client": "^5.1.6",
     "picocolors": "^1.0.0",

package/dist/lib/auth/access-token.js

@@ -1,83 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getAccessToken = exports.removeAccessToken = exports.saveAccessToken = exports.isTokenValid = void 0;
-const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
-const netrc_parser_1 = __importDefault(require("netrc-parser"));
-const TokenExpiryThresholdSeconds = 60; // Used to consider tokens as 'expired' within the last x seconds of its actual expiry to ensure slow requests still use a valid token
-function normalizeClaimValues(claim) {
-    if (!claim) {
-        return [];
-    }
-    const values = Array.isArray(claim) ? claim : [claim];
-    return values
-        .flatMap((value) => value.split(/[,\s]+/))
-        .map((value) => value.trim())
-        .filter((value) => value.length > 0);
-}
-function isTokenValid(token) {
-    if (!token.access_token || token.token_type !== 'Bearer') {
-        throw new Error('Received access token is invalid');
-    }
-    const payload = jsonwebtoken_1.default.decode(token.access_token, { json: true });
-    if (!payload) {
-        throw new Error('There was an error parsing the access token, please try logging in again');
-    }
-    const permissions = normalizeClaimValues(payload.permissions);
-    if (permissions.length === 0) {
-        // Descope and other providers may encode permissions in scope-like claims.
-        const scopePermissions = [...normalizeClaimValues(payload.scope), ...normalizeClaimValues(payload.scp)].filter((v) => /[:.]/u.test(v));
-        if (scopePermissions.length === 0) {
-            throw new Error('Login request was successful, but the authenticated user does not have appropriate permissions to view or modify Link Apps');
-        }
-    }
-    return true;
-}
-exports.isTokenValid = isTokenValid;
-function saveAccessToken(tokenString, audience) {
-    if (!audience) {
-        // Fallback: derive from JWT aud claim (backward compat for external callers)
-        const token = jsonwebtoken_1.default.decode(tokenString, { json: true });
-        const rawAudience = token?.aud;
-        audience = Array.isArray(rawAudience) ? rawAudience[0] : rawAudience;
-    }
-    if (audience) {
-        netrc_parser_1.default.loadSync();
-        netrc_parser_1.default.machines[audience] = {
-            login: 'authToken',
-            password: tokenString,
-        };
-        netrc_parser_1.default.saveSync();
-    }
-    else {
-        throw new Error('Error whilst trying to save access token, please try logging in again');
-    }
-}
-exports.saveAccessToken = saveAccessToken;
-function removeAccessToken(audience) {
-    netrc_parser_1.default.loadSync();
-    netrc_parser_1.default.machines[audience] = {
-        login: undefined,
-        password: undefined,
-    };
-    netrc_parser_1.default.saveSync();
-}
-exports.removeAccessToken = removeAccessToken;
-function getAccessToken(audience) {
-    netrc_parser_1.default.loadSync();
-    const tokenString = netrc_parser_1.default.machines[audience]?.login === 'authToken' ? netrc_parser_1.default.machines[audience].password : undefined;
-    if (!tokenString) {
-        throw new Error('Not logged in. Please login using command: login');
-    }
-    const token = jsonwebtoken_1.default.decode(tokenString, { json: true });
-    if (!token?.exp) {
-        throw new Error('Cached login token is invalid. Please login again using command: login');
-    }
-    if (token.exp - TokenExpiryThresholdSeconds < Math.floor(Date.now() / 1000)) {
-        throw new Error('Login expired. Please login again using command: login');
-    }
-    return tokenString;
-}
-exports.getAccessToken = getAccessToken;

package/dist/lib/auth/device-auth.js

@@ -1,34 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.pollAccessToken = exports.initDeviceAuthorization = void 0;
-const openid_client_1 = require("openid-client");
-async function initDeviceAuthorization(config) {
-    const { domain, client_id, audience, project_id } = config;
-    if (!project_id) {
-        throw new Error('Authentication configuration is missing the project_id. Please update to the latest CLI version and try again.');
-    }
-    const issuer = new openid_client_1.Issuer({
-        issuer: `${domain}/v1/apps/customized/${project_id}`,
-        device_authorization_endpoint: `${domain}/oauth2/v1/apps/${project_id}/device`,
-        token_endpoint: `${domain}/oauth2/v1/apps/${project_id}/token`,
-        jwks_uri: `${domain}/${project_id}/.well-known/jwks.json`,
-    });
-    const client = new issuer.Client({
-        client_id,
-        token_endpoint_auth_method: 'none',
-    });
-    return client.deviceAuthorization({ scope: 'openid', audience });
-}
-exports.initDeviceAuthorization = initDeviceAuthorization;
-async function pollAccessToken(handle) {
-    try {
-        return await handle.poll();
-    }
-    catch (err) {
-        if (err instanceof openid_client_1.errors.OPError) {
-            throw new Error(err.error_description);
-        }
-        throw err;
-    }
-}
-exports.pollAccessToken = pollAccessToken;