@metaplay/metaplay-auth 1.1.6 → 1.2.0

package/dist/{stackapi.js → src/stackapi.js}

@@ -1,18 +1,13 @@
 import { isValidFQDN, getGameserverAdminUrl } from './utils.js';
 import { logger } from './logging.js';
 export class StackAPI {
-    id_token;
-    access_token;
+    accessToken;
     _stack_api_base_uri;
-    constructor(idToken, accessToken) {
-        if (idToken == null) {
-            throw new Error('id_token is missing');
-        }
+    constructor(accessToken) {
         if (accessToken == null) {
-            throw new Error('access_token is missing');
+            throw new Error('accessToken must be provided');
         }
-        this.id_token = idToken;
-        this.access_token = accessToken;
+        this.accessToken = accessToken;
         this._stack_api_base_uri = 'https://infra.p1.metaplay.io/stackapi';
     }
     get stack_api_base_uri() {
@@ -43,12 +38,12 @@ export class StackAPI {
         const response = await fetch(url, {
             method: 'POST',
             headers: {
-                Authorization: `Bearer ${this.id_token}`,
+                Authorization: `Bearer ${this.accessToken}`,
                 'Content-Type': 'application/json'
             }
         });
         if (response.status !== 200) {
-            throw new Error(`Failed to fetch AWS credetials: ${response.statusText}`);
+            throw new Error(`Failed to fetch AWS credentials: ${response.statusText}, response code=${response.status}`);
         }
         return await response.json();
     }
@@ -73,7 +68,7 @@ export class StackAPI {
         const response = await fetch(url, {
             method: 'POST',
             headers: {
-                Authorization: `Bearer ${this.id_token}`,
+                Authorization: `Bearer ${this.accessToken}`,
                 'Content-Type': 'application/json'
             }
         });
@@ -103,7 +98,7 @@ export class StackAPI {
         const response = await fetch(url, {
             method: 'GET',
             headers: {
-                Authorization: `Bearer ${this.id_token}`,
+                Authorization: `Bearer ${this.accessToken}`,
                 'Content-Type': 'application/json'
             }
         });

package/dist/src/stackapi.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"stackapi.js","sourceRoot":"","sources":["../../src/stackapi.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAA;AAC/D,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAgBrC,MAAM,OAAO,QAAQ;IACF,WAAW,CAAQ;IAE5B,mBAAmB,CAAQ;IAEnC,YAAa,WAAmB;QAC9B,IAAI,WAAW,IAAI,IAAI,EAAE;YACvB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAA;SAChD;QAED,IAAI,CAAC,WAAW,GAAG,WAAW,CAAA;QAC9B,IAAI,CAAC,mBAAmB,GAAG,uCAAuC,CAAA;IACpE,CAAC;IAED,IAAI,kBAAkB;QACpB,OAAO,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;IACpD,CAAC;IAED,IAAI,kBAAkB,CAAE,GAAW;QACjC,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA,CAAC,wBAAwB;QACrD,IAAI,CAAC,mBAAmB,GAAG,GAAG,CAAA;IAChC,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAE,EAAgB;QACvC,IAAI,GAAG,GAAG,EAAE,CAAA;QACZ,IAAI,EAAE,CAAC,UAAU,IAAI,IAAI,EAAE;YACzB,IAAI,WAAW,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;gBAC9B,MAAM,QAAQ,GAAG,qBAAqB,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;gBACrD,GAAG,GAAG,WAAW,QAAQ,yBAAyB,CAAA;aACnD;iBAAM;gBACL,GAAG,GAAG,GAAG,IAAI,CAAC,kBAAkB,mBAAmB,EAAE,CAAC,UAAU,MAAM,CAAA;aACvE;SACF;aAAM,IAAI,EAAE,CAAC,YAAY,IAAI,IAAI,IAAI,EAAE,CAAC,OAAO,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,IAAI,IAAI,EAAE;YAClF,GAAG,GAAG,GAAG,IAAI,CAAC,kBAAkB,eAAe,EAAE,CAAC,YAAY,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,WAAW,kBAAkB,CAAA;SACjH;aAAM;YACL,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAA;SAC3D;QAED,MAAM,CAAC,KAAK,CAAC,gCAAgC,GAAG,KAAK,CAAC,CAAA;QACtD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC3C,cAAc,EAAE,kBAAkB;aACnC;SACF,CAAC,CAAA;QAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,KAAK,CAAC,oCAAoC,QAAQ,CAAC,UAAU,mBAAmB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;SAC7G;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC9B,CAAC;IAED,KAAK,CAAC,aAAa,CAAE,EAAgB;QACnC,IAAI,GAAG,GAAG,EAAE,CAAA;QACZ,IAAI,EAAE,CAAC,UAAU,IAAI,IAAI,EAAE;YACzB,IAAI,WAAW,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;gBAC9B,MAAM,QAAQ,GAAG,qBAAqB,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;gBACrD,GAAG,GAAG,WAAW,QAAQ,yBAAyB,CAAA;aACnD;iBAAM;gBACL,GAAG,GAAG,GAAG,IAAI,CAAC,kBAAkB,mBAAmB,EAAE,CAAC,UAAU,MAAM,CAAA;aACvE;SACF;aAAM,IAAI,EAAE,CAAC,YAAY,IAAI,IAAI,IAAI,EAAE,CAAC,OAAO,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,IAAI,IAAI,EAAE;YAClF,GAAG,GAAG,GAAG,IAAI,CAAC,kBAAkB,eAAe,EAAE,CAAC,YAAY,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,WAAW,kBAAkB,CAAA;SACjH;aAAM;YACL,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;SACvD;QAED,MAAM,CAAC,KAAK,CAAC,2BAA2B,GAAG,KAAK,CAAC,CAAA;QAEjD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC3C,cAAc,EAAE,kBAAkB;aACnC;SACF,CAAC,CAAA;QAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAA;SACvE;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC9B,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAE,EAAgB;QAC3C,IAAI,GAAG,GAAG,EAAE,CAAA;QACZ,IAAI,EAAE,CAAC,UAAU,IAAI,IAAI,EAAE;YACzB,IAAI,WAAW,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;gBAC9B,MAAM,QAAQ,GAAG,qBAAqB,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;gBACrD,GAAG,GAAG,WAAW,QAAQ,qBAAqB,CAAA;aAC/C;iBAAM;gBACL,GAAG,GAAG,GAAG,IAAI,CAAC,kBAAkB,mBAAmB,EAAE,CAAC,UAAU,EAAE,CAAA;aACnE;SACF;aAAM,IAAI,EAAE,CAAC,YAAY,IAAI,IAAI,IAAI,EAAE,CAAC,OAAO,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,IAAI,IAAI,EAAE;YAClF,GAAG,GAAG,GAAG,IAAI,CAAC,kBAAkB,eAAe,EAAE,CAAC,YAAY,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;SACjG;aAAM;YACL,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAA;SAC7D;QAED,MAAM,CAAC,KAAK,CAAC,oCAAoC,GAAG,KAAK,CAAC,CAAA;QAC1D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC3C,cAAc,EAAE,kBAAkB;aACnC;SACF,CAAC,CAAA;QAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,KAAK,CAAC,wCAAwC,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAA;SAC/E;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC9B,CAAC;CACF"}

package/dist/src/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/utils.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,uBAAuB,CAAE,GAAW,EAAE,OAA4B;IAChF,OAAO,EAAE,CAAA;AACX,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAE,MAAc;IACzC,MAAM,SAAS,GAAG,+EAA+E,CAAA;IAEjG,OAAO,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;AAC/B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAE,SAAiB;IACnD,IAAI;QACF,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAA;QAE9B,oEAAoE;QACpE,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA,CAAC,2BAA2B;QACpE,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAA;QAC7B,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,IAAI,CAAA;QAE7B,yDAAyD;QACzD,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAA;QAE9C,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;KAC5C;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAA;KAC/B;AACH,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAE,GAAW;IAChD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAE5B,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;IACzB,MAAM,MAAM,GAAG,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAEjD,OAAO,GAAG,QAAQ,UAAU,MAAM,EAAE,CAAA;AACtC,CAAC"}

package/dist/tests/utils.spec.js

@@ -0,0 +1,18 @@
+import { expect, test, describe } from 'vitest';
+import { isValidFQDN } from '../src/utils.js';
+describe('isValidFQDN', () => {
+    test('should return true for valid FQDNs', () => {
+        expect(isValidFQDN('www.example.com')).toBe(true);
+        expect(isValidFQDN('subdomain.example.com')).toBe(true);
+        expect(isValidFQDN('example.com')).toBe(true);
+        expect(isValidFQDN('example.co.uk')).toBe(true);
+    });
+    test('should return false for invalid FQDNs', () => {
+        expect(isValidFQDN('example')).toBe(false);
+        expect(isValidFQDN('www.example..com')).toBe(false);
+        expect(isValidFQDN('www.-example.com')).toBe(false);
+        expect(isValidFQDN('www.example-.com')).toBe(false);
+        expect(isValidFQDN('www.example.com-')).toBe(false);
+    });
+});
+//# sourceMappingURL=utils.spec.js.map

package/dist/tests/utils.spec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.spec.js","sourceRoot":"","sources":["../../tests/utils.spec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAA;AAE/C,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AAE7C,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,IAAI,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC9C,MAAM,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACjD,MAAM,CAAC,WAAW,CAAC,uBAAuB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACvD,MAAM,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC7C,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACjD,CAAC,CAAC,CAAA;IAEF,IAAI,CAAC,uCAAuC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC1C,MAAM,CAAC,WAAW,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QACnD,MAAM,CAAC,WAAW,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QACnD,MAAM,CAAC,WAAW,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QACnD,MAAM,CAAC,WAAW,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IACrD,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/{src/index.ts → index.ts}

@@ -1,17 +1,18 @@
 #!/usr/bin/env node
 import { Command } from 'commander'
-import { loginAndSaveTokens, extendCurrentSession, loadTokens, saveTokens, removeTokens } from './auth.js'
-import { StackAPI } from './stackapi.js'
-import { checkGameServerDeployment } from './deployment.js'
-import { setLogLevel } from './logging.js'
+import { loginAndSaveTokens, machineLoginAndSaveTokens, extendCurrentSession, loadTokens, removeTokens } from './src/auth.js'
+import { StackAPI } from './src/stackapi.js'
+import { checkGameServerDeployment } from './src/deployment.js'
+import { logger, setLogLevel } from './src/logging.js'
 import { exit } from 'process'
+import { ECRClient, GetAuthorizationTokenCommand } from '@aws-sdk/client-ecr'
 
 const program = new Command()
 
 program
   .name('metaplay-auth')
   .description('Authenticate with Metaplay and get AWS and Kubernetes credentials for game servers.')
-  .version('1.1.6')
+  .version('1.2.0')
   .option('-d, --debug', 'enable debug output')
   .hook('preAction', (thisCommand) => {
     // Handle debug flag for all commands.
@@ -30,26 +31,31 @@ program.command('login')
   })
 
 program.command('machine-login')
-  .description('[experimental] login to the Metaplay cloud using a machine account (using credentials in environment variable METAPLAY_CREDENTIALS)')
-  .action(async () => {
-    const credentials = process.env.METAPLAY_CREDENTIALS
-    if (!credentials || credentials === '') {
-      throw new Error('Unable to find the credentials, the environment variable METAPLAY_CREDENTIALS is not defined!')
+  .description('login to the Metaplay cloud using a machine account (using credentials in environment variable METAPLAY_CREDENTIALS)')
+  .option('--dev-credentials', 'machine user credentials to use, only for dev purposes, use METAPLAY_CREDENTIALS env variable for better safety!')
+  .action(async (options) => {
+    // Get credentials from command line or from METAPLAY_CREDENTIALS environment variable
+    let credentials
+    if (options.devCredentials) {
+      credentials = options.devCredentials
+    } else {
+      credentials = process.env.METAPLAY_CREDENTIALS
+      if (!credentials || credentials === '') {
+        throw new Error('Unable to find the credentials, the environment variable METAPLAY_CREDENTIALS is not defined!')
+      }
     }
 
-    // Exchange the credentials for tokens. For now, as we don't have proper M2M accounts implemented, we're simulating it by ingesting the raw tokens JSON instead.
-    // \todo Replace (or extend) this with exchanging the credentials to usable tokens
-    let tokens
-    try {
-      tokens = JSON.parse(credentials)
-    } catch (error) {
-      throw new Error('Unable to parse METAPLAY_CREDENTIALS: not valid JSON. Expecting a JSON blob with the access tokens, as outputted by `metaplay-auth show-tokens`.')
+    // Parse the clientId and clientSecret from the credentials (separate by a '+' character)
+    // \note We can't be certain that the secret does not contain pluses so split at the first occurrence
+    const splitOffset = credentials.indexOf('+')
+    if (splitOffset === -1) {
+      throw new Error('Invalid format for credentials, you should copy-paste the value from the developer portal verbatim')
     }
+    const clientId = credentials.substring(0, splitOffset)
+    const clientSecret = credentials.substring(splitOffset + 1)
 
-    // Save tokens
-    await saveTokens(tokens)
-
-    console.log('Successfully logged in to Metaplay cloud using machine account!')
+    // Login with machine user and save the tokens
+    await machineLoginAndSaveTokens(clientId, clientSecret)
   })
 
 program.command('logout')
@@ -71,23 +77,14 @@ program.command('logout')
 
 program.command('show-tokens')
   .description('show loaded tokens')
-  .option('-f, --format <format>', 'output format (json or pretty)', 'json')
   .hook('preAction', async () => {
     await extendCurrentSession()
   })
   .action(async (options) => {
     try {
-      if (options.format !== 'json' && options.format !== 'pretty') {
-        throw new Error('Invalid format; must be one of json or pretty')
-      }
-
       // TODO: Could detect if not logged in and fail more gracefully?
       const tokens = await loadTokens()
-      if (options.format === 'json') {
-        console.log(JSON.stringify(tokens))
-      } else {
-        console.log(tokens)
-      }
+      console.log(tokens)
     } catch (error) {
       if (error instanceof Error) {
         console.error(`Error showing tokens: ${error.message}`)
@@ -114,7 +111,7 @@ program.command('get-kubeconfig')
         throw new Error('Could not determine a deployment to fetch the KubeConfigs from. You need to specify either a gameserver or an organization, project, and environment')
       }
 
-      const stackApi = new StackAPI(tokens.id_token, tokens.access_token)
+      const stackApi = new StackAPI(tokens.access_token)
       if (options.stackApi) {
         stackApi.stack_api_base_uri = options.stackApi
       }
@@ -154,7 +151,7 @@ program.command('get-aws-credentials')
         throw new Error('Could not determine a deployment to fetch the AWS credentials from. You need to specify either a gameserver or an organization, project, and environment')
       }
 
-      const stackApi = new StackAPI(tokens.id_token, tokens.access_token)
+      const stackApi = new StackAPI(tokens.access_token)
       if (options.stackApi) {
         stackApi.stack_api_base_uri = options.stackApi
       }
@@ -181,6 +178,89 @@ program.command('get-aws-credentials')
     }
   })
 
+program.command('get-docker-login')
+  .description('get docker login credentials for pushing the server image')
+  .argument('[gameserver]', 'address of gameserver (e.g. idler-develop.p1.metaplay.io)')
+  .option('-o, --organization <organization>', 'organization name (e.g. metaplay)')
+  .option('-p, --project <project>', 'project name (e.g. idler)')
+  .option('-e, --environment <environment>', 'environment name (e.g. develop)')
+  .option('-f, --format <format>', 'output format (json or env)', 'json')
+  .hook('preAction', async () => {
+    await extendCurrentSession()
+  })
+  .action(async (gameserver, options) => {
+    try {
+      if (options.format !== 'json' && options.format !== 'env') {
+        throw new Error('Invalid format; must be one of json or env')
+      }
+
+      const tokens = await loadTokens()
+
+      if (!gameserver && !(options.organization && options.project && options.environment)) {
+        throw new Error('Could not determine a game server deployment. You need to specify either a gameserver or an organization, project, and environment')
+      }
+
+      const stackApi = new StackAPI(tokens.access_token)
+      if (options.stackApi) {
+        stackApi.stack_api_base_uri = options.stackApi
+      }
+
+      // Fetch AWS credentials from Metaplay cloud
+      logger.debug('Get AWS credentials from Metaplay')
+      const payload = gameserver ? { gameserver } : { organization: options.organization, project: options.project, environment: options.environment }
+      const credentials = await stackApi.getAwsCredentials(payload)
+
+      // Get environment info (region is needed for ECR)
+      logger.debug('Get environment info')
+      const environment = await stackApi.getEnvironmentDetails(payload)
+      const awsRegion = environment.deployment.aws_region
+      const dockerRepo = environment.deployment.ecr_repo
+
+      // Create ECR client with credentials
+      logger.debug('Create ECR client')
+      const client = new ECRClient({
+        credentials: {
+          accessKeyId: credentials.AccessKeyId,
+          secretAccessKey: credentials.SecretAccessKey,
+          sessionToken: credentials.SessionToken
+        },
+        region: awsRegion
+      })
+
+      // Fetch the ECR docker authentication token
+      logger.debug('Fetch ECR login credentials from AWS')
+      const command = new GetAuthorizationTokenCommand({})
+      const response = await client.send(command)
+      if (!response.authorizationData || response.authorizationData.length === 0 || !response.authorizationData[0].authorizationToken) {
+        throw new Error('Received an empty authorization token response for ECR repository')
+      }
+
+      // Parse username and password from the response (separated by a ':')
+      logger.debug('Parse ECR response')
+      const authorization64 = response.authorizationData[0].authorizationToken
+      const authorization = Buffer.from(authorization64, 'base64').toString()
+      const [username, password] = authorization.split(':')
+
+      // Output the docker repo & credentials
+      if (options.format === 'env') {
+        console.log(`export DOCKER_REPO=${dockerRepo}`)
+        console.log(`export DOCKER_USERNAME=${username}`)
+        console.log(`export DOCKER_PASSWORD=${password}`)
+      } else {
+        console.log(JSON.stringify({
+          dockerRepo,
+          username,
+          password
+        }))
+      }
+    } catch (error) {
+      if (error instanceof Error) {
+        console.error(`Error getting docker login credentials: ${error.message}`)
+      }
+      exit(1)
+    }
+  })
+
 program.command('get-environment')
   .description('get environment details for deployment')
   .argument('[gameserver]', 'address of gameserver (e.g. idler-develop.p1.metaplay.io)')
@@ -199,7 +279,7 @@ program.command('get-environment')
         throw new Error('Could not determine a deployment to fetch environment details from. You need to specify either a gameserver or an organization, project, and environment')
       }
 
-      const stackApi = new StackAPI(tokens.id_token, tokens.access_token)
+      const stackApi = new StackAPI(tokens.access_token)
       if (options.stackApi) {
         stackApi.stack_api_base_uri = options.stackApi
       }
@@ -219,15 +299,21 @@ program.command('get-environment')
 program.command('check-deployment')
   .description('[experimental] check that a game server was successfully deployed, or print out useful error messages in case of failure')
   .argument('[namespace]', 'kubernetes namespace of the deployment')
-  .hook('preAction', async () => {
-    await extendCurrentSession()
-  })
-  .action(async (namespace: string, options) => {
+  .action(async (namespace: string) => {
     setLogLevel(0)
 
-    // Run the checks and exit with success/failure exitCode depending on result
-    const exitCode = await checkGameServerDeployment(namespace)
-    exit(exitCode)
+    try {
+      if (!namespace) {
+        throw new Error('Must specify value for argument "namespace"')
+      }
+
+      // Run the checks and exit with success/failure exitCode depending on result
+      const exitCode = await checkGameServerDeployment(namespace)
+      exit(exitCode)
+    } catch (error) {
+      console.error(`Failed to check deployment status: ${error}`)
+      exit(1)
+    }
   })
 
 void program.parseAsync()

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@metaplay/metaplay-auth",
   "description": "Utility CLI for authenticating with the Metaplay Auth and making authenticated calls to infrastructure endpoints.",
-  "version": "1.1.6",
+  "version": "1.2.0",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE",
   "homepage": "https://metaplay.io",
@@ -13,24 +13,26 @@
     "@types/express": "^4.17.21",
     "@types/jsonwebtoken": "^9.0.5",
     "@types/jwk-to-pem": "^2.0.3",
-    "@types/node": "^20.11.20",
+    "@types/node": "^20.11.28",
     "tsx": "^4.7.1",
     "typescript": "^5.1.6",
+    "vitest": "^1.3.1",
     "@metaplay/eslint-config": "1.0.0",
     "@metaplay/typescript-config": "1.0.0"
   },
   "dependencies": {
+    "@aws-sdk/client-ecr": "^3.535.0",
+    "@kubernetes/client-node": "^0.20.0",
     "@ory/client": "^1.6.2",
     "commander": "^12.0.0",
     "h3": "^1.10.2",
     "jsonwebtoken": "^9.0.2",
     "jwk-to-pem": "^2.0.5",
     "open": "^10.0.2",
-    "tslog": "^4.9.2",
-    "@kubernetes/client-node": "^0.20.0"
+    "tslog": "^4.9.2"
   },
   "scripts": {
-    "dev": "tsx src/index.ts",
+    "dev": "tsx index.ts",
     "prepublish": "tsc"
   }
 }

package/src/auth.ts

@@ -20,7 +20,6 @@ const tokenEndpoint = `${baseURL}/oauth2/token`
 const wellknownApi = new WellknownApi(new Configuration({
   basePath: baseURL,
 }))
-const tokenList: string[] = ['id_token', 'access_token', 'refresh_token'] // List of compulsory tokens
 
 /**
  * A helper function which generates a code verifier and challenge for exchaning code from Ory server.
@@ -111,7 +110,9 @@ export async function loginAndSaveTokens () {
     try {
       logger.debug(`Received callback request with code ${code}. Preparing to exchange for tokens...`)
       const tokens = await getTokensWithAuthorizationCode(state, redirectUri, verifier, code)
-      await saveTokens(tokens)
+
+      // Only save access_token, id_token, and refresh_token
+      await saveTokens({ access_token: tokens.access_token, id_token: tokens.id_token, refresh_token: tokens.refresh_token })
 
       console.log('You are now logged in and can call the other commands.')
 
@@ -140,6 +141,40 @@ export async function loginAndSaveTokens () {
   void open(authorizationUrl)
 }
 
+export async function machineLoginAndSaveTokens (clientId: string, clientSecret: string) {
+  // Get a fresh access token from Metaplay Auth.
+  const params = new URLSearchParams()
+  params.set('grant_type', 'client_credentials')
+  params.set('client_id', clientId)
+  params.set('client_secret', clientSecret)
+  params.set('scope', 'openid email profile offline_access')
+
+  const res = await fetch(tokenEndpoint, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+    },
+    body: params.toString(),
+  })
+
+  // Return type checked manually by Teemu on 2024-3-7.
+  const tokens = await res.json() as { access_token: string, token_type: string, expires_in: number, scope: string }
+
+  logger.debug('Received machine authentication tokens, saving them for future use...')
+
+  await saveTokens({ access_token: tokens.access_token })
+
+  const userInfoResponse = await fetch('https://portal.metaplay.dev/api/external/userinfo', {
+    headers: {
+      Authorization: `Bearer ${tokens.access_token}`
+    },
+  })
+
+  const userInfo = await userInfoResponse.json() as { given_name: string, family_name: string }
+
+  console.log(`You are now logged in with machine user ${userInfo.given_name} ${userInfo.family_name} (clientId=${clientId}) and can execute the other commands.`)
+}
+
 /**
  * Refresh access and ID token with a refresh token.
  */
@@ -147,18 +182,22 @@ export async function extendCurrentSession (): Promise<void> {
   try {
     const tokens = await loadTokens()
 
-    logger.debug('Validating access token...')
+    logger.debug('Check if access token still valid...')
     if (await validateToken(tokens.access_token)) {
       // Access token is not expired, return to the caller
-      logger.debug('Access token is valid, return to the caller.')
+      logger.debug('Access token is valid, no need to refresh.')
       return
     }
 
-    logger.debug('Access token is no longer valid, trying to extend the current session with a refresh token.')
+    // Check that the refresh_token exists (machine users don't have it)
+    if (!tokens.refresh_token) {
+      throw new Error('Cannot refresh an access_token without a refresh_token. With machine users, should just login again instead.')
+    }
 
+    logger.debug('Access token is no longer valid, trying to extend the current session with a refresh token.')
     const refreshedTokens = await extendCurrentSessionWithRefreshToken(tokens.refresh_token)
 
-    await saveTokens(refreshedTokens)
+    await saveTokens({ access_token: refreshedTokens.access_token, id_token: refreshedTokens.id_token, refresh_token: refreshedTokens.refresh_token })
   } catch (error) {
     if (error instanceof Error) {
       console.error(error.message)
@@ -173,7 +212,7 @@ export async function extendCurrentSession (): Promise<void> {
  * @returns A promise that resolves to a new set of tokens.
  */
 async function extendCurrentSessionWithRefreshToken (refreshToken: string): Promise<{ id_token: string, access_token: string, refresh_token: string }> {
-  // TODO: similiar to the todo task in getTokensWithAuthorizationCode, http request can be handled by ory/client.
+  // TODO: similar to the todo task in getTokensWithAuthorizationCode, http request can be handled by ory/client.
   const params = new URLSearchParams({
     grant_type: 'refresh_token',
     refresh_token: refreshToken,
@@ -218,7 +257,7 @@ async function extendCurrentSessionWithRefreshToken (refreshToken: string): Prom
  * @param code
  * @returns
  */
-async function getTokensWithAuthorizationCode (state: string, redirectUri: string, verifier: string, code: string): Promise<{ id_token: string, access_token: string, refresh_token: string } | {}> {
+async function getTokensWithAuthorizationCode (state: string, redirectUri: string, verifier: string, code: string): Promise<{ id_token: string, access_token: string, refresh_token: string }> {
   // TODO: the authorication code exchange flow might be better to be handled by ory/client, could check if there's any useful toosl there.
   try {
     const response = await fetch(tokenEndpoint, {
@@ -234,29 +273,22 @@ async function getTokensWithAuthorizationCode (state: string, redirectUri: strin
     if (error instanceof Error) {
       logger.error(`Error exchanging code for tokens: ${error.message}`)
     }
-
-    return {}
+    throw error
   }
 }
 
 /**
  * Load tokens from the local secret store.
  */
-export async function loadTokens (): Promise<{ id_token: string, access_token: string, refresh_token: string }> {
+export async function loadTokens (): Promise<{ id_token?: string, access_token: string, refresh_token?: string }> {
   try {
-    const idToken = await getSecret('id_token')
-    const accessToken = await getSecret('access_token')
-    const refreshToken = await getSecret('refresh_token')
+    const tokens = await getSecret('tokens') as { id_token?: string, access_token: string, refresh_token?: string }
 
-    if (idToken == null || accessToken == null || refreshToken == null) {
-      throw new Error('Metaplay tokens not found. Are you logged in?')
+    if (!tokens) {
+      throw new Error('Unable to load tokens. You need to login first.')
     }
 
-    return {
-      id_token: idToken,
-      access_token: accessToken,
-      refresh_token: refreshToken
-    }
+    return tokens
   } catch (error) {
     if (error instanceof Error) {
       throw new Error(`Error loading tokens: ${error.message}`)
@@ -273,23 +305,18 @@ export async function saveTokens (tokens: Record<string, string>): Promise<void>
   try {
     logger.debug('Received new tokens, verifying...')
 
-    // Check if all tokens are present
-    for (const tokenName of tokenList) {
-      if (tokens[tokenName] === undefined) {
-        throw new Error(`Metaplay token ${tokenName} not found. Please log in again and make sure all checkboxes of permissions are selected before proceeding.`)
-      }
+    // All tokens must have an access_token (machine users only have it)
+    if (!tokens.access_token) {
+      throw new Error('Metaplay token has no access_token. Please log in again and make sure all checkboxes of permissions are selected before proceeding.')
     }
 
     logger.debug('Token verification completed, storing tokens...')
 
-    await setSecret('id_token', tokens.id_token)
-    await setSecret('access_token', tokens.access_token)
-    await setSecret('refresh_token', tokens.refresh_token)
+    await setSecret('tokens', tokens)
 
     logger.debug('Tokens successfully stored.')
 
     await showTokenInfo(tokens.access_token)
-    // await showTokenInfo(tokens.id_token)
   } catch (error) {
     if (error instanceof Error) {
       throw new Error(`Failed to save tokens: ${error.message}`)
@@ -303,12 +330,8 @@ export async function saveTokens (tokens: Record<string, string>): Promise<void>
  */
 export async function removeTokens (): Promise<void> {
   try {
-    await removeSecret('id_token')
-    logger.debug('Removed id_token.')
-    await removeSecret('access_token')
-    logger.debug('Removed access_token.')
-    await removeSecret('refresh_token')
-    logger.debug('Removed refresh_token.')
+    await removeSecret('tokens')
+    logger.debug('Removed tokens.')
   } catch (error) {
     if (error instanceof Error) {
       throw new Error(`Error removing tokens: ${error.message}`)

package/src/deployment.ts

@@ -1,3 +1,4 @@
+import { promises as fs, existsSync } from 'fs'
 import { KubeConfig, CoreV1Api, V1Pod } from '@kubernetes/client-node'
 import { logger } from './logging.js'
 import { error } from 'console'
@@ -202,11 +203,22 @@ async function delay (ms: number): Promise<void> {
 }
 
 export async function checkGameServerDeployment (namespace: string): Promise<number> {
-  logger.info(`Validating deployment: namespace=${namespace}, ..`)
+  logger.info(`Validating game server deployment in namespace ${namespace}`)
+
+  // Check that the KUBECONFIG environment variable exists
+  const kubeconfigPath = process.env.KUBECONFIG
+  if (!kubeconfigPath) {
+    throw new Error('The KUBECONFIG environment variable must be specified')
+  }
+
+  // Check that the kubeconfig file exists
+  if (!await existsSync(kubeconfigPath)) {
+    throw new Error(`The environment variable KUBECONFIG points to a file '${kubeconfigPath}' that doesn't exist`)
+  }
 
   // Create Kubernetes API instance (with default kubeconfig)
   const kc = new KubeConfig()
-  kc.loadFromDefault()
+  kc.loadFromFile(kubeconfigPath)
   const k8sApi = kc.makeApiClient(CoreV1Api)
 
   // Figure out when to stop
@@ -220,21 +232,21 @@ export async function checkGameServerDeployment (namespace: string): Promise<num
 
     switch (podStatus.phase) {
       case GameServerPodPhase.Ready:
-        logger.error('Gameserver successfully started')
+        console.log('Gameserver successfully started')
         // \todo add further readiness checks -- ping endpoint, ping dashboard, other checks?
         return 0
 
       case GameServerPodPhase.Failed:
-        logger.error('Gameserver failed to start')
+        console.log('Gameserver failed to start')
         return 1
 
       case GameServerPodPhase.Pending:
-        logger.error('Gameserver still starting')
+        console.log('Gameserver still starting')
         break
 
       case GameServerPodPhase.Unknown:
       default:
-        logger.error('Gameserver in unknown state')
+        console.log('Gameserver in unknown state')
         break
     }
 

package/src/secret_store.ts

@@ -65,7 +65,7 @@ function decrypt (text: string): string {
   return decrypted.toString()
 }
 
-export async function setSecret (key: string, value: string): Promise<void> {
+export async function setSecret (key: string, value: any): Promise<void> {
   logger.debug(`Setting secret ${key}...`)
 
   const secrets = await loadSecrets()
@@ -75,7 +75,7 @@ export async function setSecret (key: string, value: string): Promise<void> {
   await fs.writeFile(filePath, content)
 }
 
-export async function getSecret (key: string): Promise<string | null> {
+export async function getSecret (key: string): Promise<any | undefined> {
   logger.debug(`Getting secret ${key}...`)
 
   const secrets = await loadSecrets()