@metaplay/metaplay-auth 1.4.2 → 1.6.0

package/package.json

@@ -1,46 +1,47 @@
 {
   "name": "@metaplay/metaplay-auth",
   "description": "Utility CLI for authenticating with the Metaplay Auth and making authenticated calls to infrastructure endpoints.",
-  "version": "1.4.2",
+  "version": "1.6.0",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE",
   "homepage": "https://metaplay.io",
   "bin": {
-    "metaplay-auth": "dist/index.js"
+    "metaplay-auth": "dist/index.cjs"
   },
   "scripts": {
     "dev": "tsx index.ts",
-    "prepublish": "tsc"
+    "bake-version": "node -p \"'export const PACKAGE_VERSION = ' + JSON.stringify(require('./package.json').version)\" > src/version.ts"
   },
   "publishConfig": {
     "access": "public"
   },
   "devDependencies": {
     "@metaplay/eslint-config": "workspace:*",
-    "@metaplay/typescript-config": "workspace:*",
-    "@types/dockerode": "^3.3.28",
+    "@metaplay/prettier-config": "workspace:^",
+    "@prettier/plugin-pug": "workspace:^",
+    "@types/dockerode": "^3.3.31",
     "@types/express": "^4.17.21",
     "@types/js-yaml": "^4.0.9",
-    "@types/jsonwebtoken": "^9.0.5",
+    "@types/jsonwebtoken": "^9.0.6",
     "@types/jwk-to-pem": "^2.0.3",
-    "@types/node": "^20.12.5",
-    "tsx": "^4.7.1",
-    "typescript": "^5.1.6",
-    "vitest": "^1.4.0"
-  },
-  "dependencies": {
-    "@aws-sdk/client-ecr": "^3.549.0",
-    "@kubernetes/client-node": "^1.0.0-rc4",
-    "@ory/client": "^1.9.0",
+    "@types/node": "^20.16.1",
     "@types/semver": "^7.5.8",
-    "commander": "^12.0.0",
+    "esbuild": "^0.23.1",
+    "tsx": "^4.19.0",
+    "typescript": "5.5.4",
+    "vitest": "^2.0.5",
+    "@aws-sdk/client-ecr": "^3.637.0",
+    "@kubernetes/client-node": "^1.0.0-rc6",
+    "@ory/client": "^1.14.5",
+    "commander": "^12.1.0",
     "dockerode": "^4.0.2",
-    "h3": "^1.11.1",
+    "h3": "^1.12.0",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.2",
-    "jwk-to-pem": "^2.0.5",
-    "open": "^10.1.0",
-    "semver": "^7.6.0",
-    "tslog": "^4.9.2"
+    "jwk-to-pem": "^2.0.6",
+    "open": "^8.4.2",
+    "semver": "^7.6.3",
+    "tslog": "^4.9.3",
+    "prettier": "3.3.3"
   }
 }

package/prettier.config.js

@@ -0,0 +1,3 @@
+import MetaplayPrettierConfig from '@metaplay/prettier-config'
+
+export default MetaplayPrettierConfig

package/src/auth.ts

@@ -9,26 +9,36 @@ import jwt from 'jsonwebtoken'
 import jwkToPem from 'jwk-to-pem'
 import { Configuration, WellknownApi, OidcApi } from '@ory/client'
 import { setSecret, getSecret, removeSecret } from './secret_store.js'
-
+import { portalBaseUrl } from './config.js'
 import { logger } from './logging.js'
 
+export interface TokenSet {
+  id_token?: string
+  access_token: string
+  refresh_token?: string
+}
+
 // oauth2 client details (maybe move these to be discovered from some online location to make changes easier to manage?)
 const clientId = 'c16ea663-ced3-46c6-8f85-38c9681fe1f0'
 const baseURL = 'https://auth.metaplay.dev'
 const authorizationEndpoint = `${baseURL}/oauth2/auth`
 const tokenEndpoint = `${baseURL}/oauth2/token`
-const wellknownApi = new WellknownApi(new Configuration({
-  basePath: baseURL,
-}))
-const oidcApi = new OidcApi(new Configuration({
-  basePath: baseURL,
-}))
+const wellknownApi = new WellknownApi(
+  new Configuration({
+    basePath: baseURL,
+  })
+)
+const oidcApi = new OidcApi(
+  new Configuration({
+    basePath: baseURL,
+  })
+)
 
 /**
  * A helper function which generates a code verifier and challenge for exchaning code from Ory server.
  * @returns
  */
-function generateCodeVerifierAndChallenge (): { verifier: string, challenge: string } {
+function generateCodeVerifierAndChallenge(): { verifier: string; challenge: string } {
   const verifier: string = randomBytes(32).toString('hex')
   const challenge: string = createHash('sha256').update(verifier).digest('base64url')
   return { verifier, challenge }
@@ -39,7 +49,7 @@ function generateCodeVerifierAndChallenge (): { verifier: string, challenge: str
  * @param token The token to fetch the userinfo for.
  * @returns An object containing the user's info.
  */
-export async function getUserinfo (token: string): Promise<any> {
+export async function getUserinfo(token: string): Promise<any> {
   logger.debug('Trying to find OIDC well-known endpoints...')
   const oidcRes = await oidcApi.discoverOidcConfiguration()
 
@@ -51,8 +61,8 @@ export async function getUserinfo (token: string): Promise<any> {
 
   const userinfoRes = await fetch(userinfoEndpoint, {
     headers: {
-      Authorization: `Bearer ${token}`
-    }
+      Authorization: `Bearer ${token}`,
+    },
   })
 
   if (userinfoRes.status < 200 || userinfoRes.status >= 300) {
@@ -66,14 +76,14 @@ export async function getUserinfo (token: string): Promise<any> {
  * A helper function which finds an local available port to listen on.
  * @returns A promise that resolves to an available port.
  */
-async function findAvailablePort (): Promise<number> {
+async function findAvailablePort(): Promise<number> {
   return await new Promise((resolve, reject) => {
     // Ports need to be in sync with oauth2 client callbacks.
     const portsToCheck = [5000, 5001, 5002, 5003, 5004]
     let index = 0
 
     // Test ports by opening a server on them.
-    function tryNextPort () {
+    function tryNextPort(): void {
       if (index >= portsToCheck.length) {
         reject(new Error('Could not find an available port.'))
       }
@@ -103,7 +113,7 @@ async function findAvailablePort (): Promise<number> {
 /**
  * Log in and save tokens to the local secret store.
  */
-export async function loginAndSaveTokens () {
+export async function loginAndSaveTokens(): Promise<void> {
   // Find an available port to listen on.
   const availablePort = await findAvailablePort()
 
@@ -113,52 +123,57 @@ export async function loginAndSaveTokens () {
   const state = randomBytes(16).toString('hex')
 
   // Create a /callback endpoint that exchanges the code for tokens.
-  app.use('/callback', defineEventHandler(async event => {
-    // Read the query parameters.
-    const {
-      error,
-      error_description: errorDescription,
-      code
-    } = getQuery(event)
-
-    // Raise an error if the query parameters contain an error message.
-    if (error) {
-      console.error(`Error logging in. Received the following error:\n\n${String(error)}: ${String(errorDescription)}`)
-      sendError(event, new Error(`Authentication failed: ${String(error)}: ${String(errorDescription)}`))
-      server.close()
-      process.exit(1)
-    }
+  app.use(
+    '/callback',
+    defineEventHandler(async (event) => {
+      // Read the query parameters.
+      const { error, error_description: errorDescription, code } = getQuery(event)
+
+      // Raise an error if the query parameters contain an error message.
+      if (error) {
+        console.error(
+          `Error logging in. Received the following error:\n\n${String(error)}: ${String(errorDescription)}`
+        )
+        sendError(event, new Error(`Authentication failed: ${String(error)}: ${String(errorDescription)}`))
+        server.close()
+        process.exit(1)
+      }
 
-    // Raise an error if the query parameters do not contain a code.
-    if (typeof code !== 'string') {
-      console.error('Error logging in. No code received.')
-      sendError(event, new Error('Authentication failed: No code received.'))
-      server.close()
-      process.exit(1)
-    }
+      // Raise an error if the query parameters do not contain a code.
+      if (typeof code !== 'string') {
+        console.error('Error logging in. No code received.')
+        sendError(event, new Error('Authentication failed: No code received.'))
+        server.close()
+        process.exit(1)
+      }
 
-    // Exchange the code for tokens.
-    try {
-      logger.debug(`Received callback request with code ${code}. Preparing to exchange for tokens...`)
-      const tokens = await getTokensWithAuthorizationCode(state, redirectUri, verifier, code)
+      // Exchange the code for tokens.
+      try {
+        logger.debug(`Received callback request with code ${code}. Preparing to exchange for tokens...`)
+        const tokens = await getTokensWithAuthorizationCode(state, redirectUri, verifier, code)
 
-      // Only save access_token, id_token, and refresh_token
-      await saveTokens({ access_token: tokens.access_token, id_token: tokens.id_token, refresh_token: tokens.refresh_token })
+        // Only save access_token, id_token, and refresh_token
+        await saveTokens({
+          access_token: tokens.access_token,
+          id_token: tokens.id_token,
+          refresh_token: tokens.refresh_token,
+        })
 
-      console.log('You are now logged in and can call the other commands.')
+        console.log('You are now logged in and can call the other commands.')
 
-      // TODO: Could return a pre-generated HTML page instead of text?
-      return 'Authentication successful! You can close this window.'
-    } catch (error) {
-      if (error instanceof Error) {
-        console.error(`Error: ${error.message}`)
+        // TODO: Could return a pre-generated HTML page instead of text?
+        return 'Authentication successful! You can close this window.'
+      } catch (error) {
+        if (error instanceof Error) {
+          console.error(`Error: ${error.message}`)
+        }
+      } finally {
+        server.close()
       }
-    } finally {
-      server.close()
-    }
 
-    process.exit(0)
-  }))
+      process.exit(0)
+    })
+  )
 
   // Start the server.
   // We use use H3 and adapt it to Node.js's http server.
@@ -167,12 +182,14 @@ export async function loginAndSaveTokens () {
   logger.debug(`Listening on port ${availablePort} and waiting for callback...`)
 
   // Open the browser to log in.
-  const authorizationUrl: string = `${authorizationEndpoint}?response_type=code&client_id=${clientId}&redirect_uri=${encodeURIComponent(redirectUri)}&code_challenge=${challenge}&code_challenge_method=S256&scope=${encodeURIComponent('openid offline_access')}&state=${encodeURIComponent(state)}`
-  console.log(`Attempting to open a browser to log in. If a browser did not open up, you can copy-paste the following URL to authenticate:\n\n${authorizationUrl}\n`)
+  const authorizationUrl = `${authorizationEndpoint}?response_type=code&client_id=${clientId}&redirect_uri=${encodeURIComponent(redirectUri)}&code_challenge=${challenge}&code_challenge_method=S256&scope=${encodeURIComponent('openid offline_access')}&state=${encodeURIComponent(state)}`
+  console.log(
+    `Attempting to open a browser to log in. If a browser did not open up, you can copy-paste the following URL to authenticate:\n\n${authorizationUrl}\n`
+  )
   void open(authorizationUrl)
 }
 
-export async function machineLoginAndSaveTokens (clientId: string, clientSecret: string) {
+export async function machineLoginAndSaveTokens(clientId: string, clientSecret: string): Promise<void> {
   // Get a fresh access token from Metaplay Auth.
   const params = new URLSearchParams()
   params.set('grant_type', 'client_credentials')
@@ -189,27 +206,29 @@ export async function machineLoginAndSaveTokens (clientId: string, clientSecret:
   })
 
   // Return type checked manually by Teemu on 2024-3-7.
-  const tokens = await res.json() as { access_token: string, token_type: string, expires_in: number, scope: string }
+  const tokens = (await res.json()) as { access_token: string; token_type: string; expires_in: number; scope: string }
 
   logger.debug('Received machine authentication tokens, saving them for future use...')
 
   await saveTokens({ access_token: tokens.access_token })
 
-  const userInfoResponse = await fetch('https://portal.metaplay.dev/api/external/userinfo', {
+  const userInfoResponse = await fetch(`${portalBaseUrl}/api/external/userinfo`, {
     headers: {
-      Authorization: `Bearer ${tokens.access_token}`
+      Authorization: `Bearer ${tokens.access_token}`,
     },
   })
 
-  const userInfo = await userInfoResponse.json() as { given_name: string, family_name: string }
+  const userInfo = (await userInfoResponse.json()) as { given_name: string; family_name: string }
 
-  console.log(`You are now logged in with machine user ${userInfo.given_name} ${userInfo.family_name} (clientId=${clientId}) and can execute the other commands.`)
+  console.log(
+    `You are now logged in with machine user ${userInfo.given_name} ${userInfo.family_name} (clientId=${clientId}) and can execute the other commands.`
+  )
 }
 
 /**
  * Refresh access and ID token with a refresh token.
  */
-export async function extendCurrentSession (): Promise<void> {
+export async function extendCurrentSession(): Promise<void> {
   try {
     const tokens = await loadTokens()
 
@@ -222,13 +241,19 @@ export async function extendCurrentSession (): Promise<void> {
 
     // Check that the refresh_token exists (machine users don't have it)
     if (!tokens.refresh_token) {
-      throw new Error('Cannot refresh an access_token without a refresh_token. With machine users, should just login again instead.')
+      throw new Error(
+        'Cannot refresh an access_token without a refresh_token. With machine users, should just login again instead.'
+      )
     }
 
     logger.debug('Access token is no longer valid, trying to extend the current session with a refresh token.')
     const refreshedTokens = await extendCurrentSessionWithRefreshToken(tokens.refresh_token)
 
-    await saveTokens({ access_token: refreshedTokens.access_token, id_token: refreshedTokens.id_token, refresh_token: refreshedTokens.refresh_token })
+    await saveTokens({
+      access_token: refreshedTokens.access_token,
+      id_token: refreshedTokens.id_token,
+      refresh_token: refreshedTokens.refresh_token,
+    })
   } catch (error) {
     if (error instanceof Error) {
       console.error(error.message)
@@ -242,13 +267,15 @@ export async function extendCurrentSession (): Promise<void> {
  * @param refreshToken: The refresh token to use to get a new set of tokens.
  * @returns A promise that resolves to a new set of tokens.
  */
-async function extendCurrentSessionWithRefreshToken (refreshToken: string): Promise<{ id_token: string, access_token: string, refresh_token: string }> {
+async function extendCurrentSessionWithRefreshToken(
+  refreshToken: string
+): Promise<{ id_token: string; access_token: string; refresh_token: string }> {
   // TODO: similar to the todo task in getTokensWithAuthorizationCode, http request can be handled by ory/client.
   const params = new URLSearchParams({
     grant_type: 'refresh_token',
     refresh_token: refreshToken,
     scope: 'openid offline_access',
-    client_id: clientId
+    client_id: clientId,
   })
 
   logger.debug('Refreshing tokens...')
@@ -268,14 +295,16 @@ async function extendCurrentSessionWithRefreshToken (refreshToken: string): Prom
     logger.error(`Failed to refresh tokens via endpoint ${tokenEndpoint}`)
     logger.error('Fetch error details:', error)
     if (error.cause?.code === 'UNABLE_TO_VERIFY_LEAF_SIGNATURE') {
-      throw new Error(`Failed to refresh tokens: SSL certificate validation failed for ${tokenEndpoint}. Is someone trying to tamper with your internet connection?`)
+      throw new Error(
+        `Failed to refresh tokens: SSL certificate validation failed for ${tokenEndpoint}. Is someone trying to tamper with your internet connection?`
+      )
     }
     throw new Error(`Failed to refresh tokens via ${tokenEndpoint}: ${error}`)
   }
 
   // Check if the response is OK
   if (!response.ok) {
-    const responseJSON = await response.json()
+    const responseJSON = (await response.json()) as { error: string; error_description: string }
 
     logger.error('Failed to refresh tokens.')
     logger.error(`Error Type: ${responseJSON.error}`)
@@ -288,7 +317,7 @@ async function extendCurrentSessionWithRefreshToken (refreshToken: string): Prom
     throw new Error('Failed extending current session, exiting. Please log in again.')
   }
 
-  return await response.json()
+  return (await response.json()) as { id_token: string; access_token: string; refresh_token: string }
 }
 
 /**
@@ -299,22 +328,29 @@ async function extendCurrentSessionWithRefreshToken (refreshToken: string): Prom
  * @param code
  * @returns
  */
-async function getTokensWithAuthorizationCode (state: string, redirectUri: string, verifier: string, code: string): Promise<{ id_token: string, access_token: string, refresh_token: string }> {
+// eslint-disable-next-line @typescript-eslint/max-params
+async function getTokensWithAuthorizationCode(
+  state: string,
+  redirectUri: string,
+  verifier: string,
+  code: string
+): Promise<{ id_token: string; access_token: string; refresh_token: string }> {
   // TODO: the authorication code exchange flow might be better to be handled by ory/client, could check if there's any useful toosl there.
   try {
     const response = await fetch(tokenEndpoint, {
       method: 'POST',
       headers: {
-        'Content-Type': 'application/x-www-form-urlencoded'
+        'Content-Type': 'application/x-www-form-urlencoded',
       },
-      body: `grant_type=authorization_code&code=${code}&redirect_uri=${encodeURIComponent(redirectUri)}&client_id=${clientId}&code_verifier=${verifier}&state=${encodeURIComponent(state)}`
+      body: `grant_type=authorization_code&code=${code}&redirect_uri=${encodeURIComponent(redirectUri)}&client_id=${clientId}&code_verifier=${verifier}&state=${encodeURIComponent(state)}`,
     })
 
-    return await response.json()
+    return (await response.json()) as { id_token: string; access_token: string; refresh_token: string }
   } catch (error) {
     if (error instanceof Error) {
       logger.error(`Error exchanging code for tokens: ${error.message}`)
     }
+    // eslint-disable-next-line @typescript-eslint/only-throw-error
     throw error
   }
 }
@@ -322,9 +358,9 @@ async function getTokensWithAuthorizationCode (state: string, redirectUri: strin
 /**
  * Load tokens from the local secret store.
  */
-export async function loadTokens (): Promise<{ id_token?: string, access_token: string, refresh_token?: string }> {
+export async function loadTokens(): Promise<TokenSet> {
   try {
-    const tokens = await getSecret('tokens') as { id_token?: string, access_token: string, refresh_token?: string }
+    const tokens = (await getSecret('tokens')) as TokenSet
 
     if (!tokens) {
       throw new Error('Unable to load tokens. You need to login first.')
@@ -335,6 +371,7 @@ export async function loadTokens (): Promise<{ id_token?: string, access_token:
     if (error instanceof Error) {
       throw new Error(`Error loading tokens: ${error.message}`)
     }
+    // eslint-disable-next-line @typescript-eslint/only-throw-error
     throw error
   }
 }
@@ -343,13 +380,15 @@ export async function loadTokens (): Promise<{ id_token?: string, access_token:
  * Save tokens to the local secret store.
  * @param tokens The tokens to save.
  */
-export async function saveTokens (tokens: Record<string, string>): Promise<void> {
+export async function saveTokens(tokens: Record<string, string>): Promise<void> {
   try {
     logger.debug('Received new tokens, verifying...')
 
     // All tokens must have an access_token (machine users only have it)
     if (!tokens.access_token) {
-      throw new Error('Metaplay token has no access_token. Please log in again and make sure all checkboxes of permissions are selected before proceeding.')
+      throw new Error(
+        'Metaplay token has no access_token. Please log in again and make sure all checkboxes of permissions are selected before proceeding.'
+      )
     }
 
     logger.debug('Token verification completed, storing tokens...')
@@ -363,6 +402,7 @@ export async function saveTokens (tokens: Record<string, string>): Promise<void>
     if (error instanceof Error) {
       throw new Error(`Failed to save tokens: ${error.message}`)
     }
+    // eslint-disable-next-line @typescript-eslint/only-throw-error
     throw error
   }
 }
@@ -370,7 +410,7 @@ export async function saveTokens (tokens: Record<string, string>): Promise<void>
 /**
  * Remove tokens from the local secret store.
  */
-export async function removeTokens (): Promise<void> {
+export async function removeTokens(): Promise<void> {
   try {
     await removeSecret('tokens')
     logger.debug('Removed tokens.')
@@ -378,6 +418,7 @@ export async function removeTokens (): Promise<void> {
     if (error instanceof Error) {
       throw new Error(`Error removing tokens: ${error.message}`)
     }
+    // eslint-disable-next-line @typescript-eslint/only-throw-error
     throw error
   }
 }
@@ -387,7 +428,7 @@ export async function removeTokens (): Promise<void> {
  * @param token The token being validated
  * @returns return if token is valid, throw errors otherwise
  */
-async function validateToken (token: string): Promise<boolean> {
+async function validateToken(token: string): Promise<boolean> {
   try {
     // Decode the token
     const completeTokenData = jwt.decode(token, { complete: true })
@@ -422,7 +463,7 @@ async function validateToken (token: string): Promise<boolean> {
  * A helper function which shows token info after being fully decoded.
  * @param token The token to show info for.
  */
-async function showTokenInfo (token: string): Promise<void> {
+async function showTokenInfo(token: string): Promise<void> {
   logger.debug('Showing access token info...')
   // Decode the token
   const completeTokenData = jwt.decode(token, { complete: true })