@metaplay/metaplay-auth 1.7.0 → 1.7.2

package/index.ts

@@ -89,7 +89,7 @@ interface PortalEnvironmentInfo {
  * @param environment Environment slug.
  * @returns The portal's information about the environment.
  */
-// eslint-disable-next-line @typescript-eslint/max-params
+ 
 async function fetchManagedEnvironmentInfoWithSlugs(
   tokens: TokenSet,
   organization: string,
@@ -107,10 +107,7 @@ async function fetchManagedEnvironmentInfoWithSlugs(
   })
 
   // Throw on server errors (eg, forbidden)
-  if (!response.ok) {
-    const errorData = await response.json()
-    throw new Error(`Failed to fetch environment details with error ${response.status}: ${JSON.stringify(errorData)}`)
-  }
+  await checkEnvironmentInfoResponseError(response)
 
   // \todo Validate response?
   const portalEnvInfo = (await response.json()) as PortalEnvironmentInfo
@@ -130,20 +127,30 @@ async function fetchManageEnvironmentInfoWithHumanId(tokens: TokenSet, humanId:
   })
 
   // Throw on server errors (eg, forbidden)
-  if (!response.ok) {
-    const errorData = await response.json()
-    throw new Error(`Failed to fetch environment details with error ${response.status}: ${JSON.stringify(errorData)}`)
-  }
+  await checkEnvironmentInfoResponseError(response)
 
   // Return the result
   const portalEnvInfos = (await response.json()) as PortalEnvironmentInfo[]
   logger.debug(`Portal returned environment infos: ${JSON.stringify(portalEnvInfos, undefined, 2)}`)
   if (portalEnvInfos.length === 0) {
-    throw new Error(`Failed to fetch details from portal for environment ${humanId}: no matching environment found`)
+    throw new Error(`Environment ${humanId} does not exist or your account does not have permissions to access this environment`)
   }
   return portalEnvInfos[0]
 }
 
+async function checkEnvironmentInfoResponseError(response: Response): Promise<void> {
+  // Throw on server errors (eg, forbidden)
+  // Portal returns a helpful error message in 'message' field.
+  if (!response.ok) {
+    const errorData = await response.json()
+    if (typeof(errorData) === 'object' && errorData !== null && 'message' in errorData && typeof(errorData.message) === 'string') {
+      throw new Error(errorData.message)
+    } else {
+      throw new Error(`Failed to fetch environment details with error ${response.status}: ${JSON.stringify(errorData)}`)
+    }
+  }
+}
+
 /**
  * Resolve the target environment based on (org, proj, env) tuple. We fetch the information
  * from the portal and then construct the `TargetEnvironment` class with the required information
@@ -154,7 +161,7 @@ async function fetchManageEnvironmentInfoWithHumanId(tokens: TokenSet, humanId:
  * @param environment Environment slug.
  * @returns The TargetEnvironment instance needed to operate with the environment.
  */
-// eslint-disable-next-line @typescript-eslint/max-params
+ 
 async function resolveTargetEnvironmentFromSlugs(
   tokens: TokenSet,
   organization: string,
@@ -251,8 +258,10 @@ program
     }
 
     // Store the portal base URL for accessing globally
-    if (opts.portalBaseUrl) {
-      setPortalBaseUrl(opts.portalBaseUrl as string)
+    const overridePortalUrl: string | undefined = opts.portalBaseUrl ?? process.env.AUTHCLI_PORTAL_BASEURL
+    if (overridePortalUrl) {
+      logger.debug(`Using portal URL override: ${overridePortalUrl}`)
+      setPortalBaseUrl(overridePortalUrl)
     }
 
     // Store the stack API base URL for accessing globally
@@ -309,6 +318,7 @@ program
       await removeTokens()
       console.log('Done! You are now logged out.')
     } catch (error) {
+      logger.debug('Invocation failed with error:', error)
       if (error instanceof Error) {
         console.error(`Error logging out: ${error.message}`)
       }
@@ -328,6 +338,7 @@ program
       const tokens = await loadTokens()
       console.log(JSON.stringify(tokens, undefined, 2))
     } catch (error) {
+      logger.debug('Invocation failed with error:', error)
       if (error instanceof Error) {
         console.error(`Error showing tokens: ${error.message}`)
       }
@@ -381,8 +392,9 @@ program
           console.log(kubeconfigPayload)
         }
       } catch (error) {
+        logger.debug('Invocation failed with error:', error)
         if (error instanceof Error) {
-          console.error('Error getting KubeConfig:', error)
+          console.error('Error getting KubeConfig:', error.message)
         }
         exit(1)
       }
@@ -417,6 +429,7 @@ program
         const credentials = await targetEnv.getKubeExecCredential()
         console.log(credentials)
       } catch (error) {
+        logger.debug('Invocation failed with error:', error)
         if (error instanceof Error) {
           console.error(`Error getting Kubernetes ExecCredential: ${error.message}`)
         }
@@ -464,6 +477,7 @@ program
           )
         }
       } catch (error) {
+        logger.debug('Invocation failed with error:', error)
         if (error instanceof Error) {
           console.error(`Error getting AWS credentials: ${error.message}`)
         }
@@ -522,6 +536,7 @@ program
           )
         }
       } catch (error) {
+        logger.debug('Invocation failed with error:', error)
         if (error instanceof Error) {
           console.error(`Error getting docker login credentials: ${error.message}`)
         }
@@ -551,6 +566,7 @@ program
         const environment = await targetEnv.getEnvironmentDetails()
         console.log(JSON.stringify(environment, undefined, 2))
       } catch (error) {
+        logger.debug('Invocation failed with error:', error)
         if (error instanceof Error) {
           console.error(`Error getting environment details: ${error.message}`)
         }
@@ -630,7 +646,7 @@ program
                 reject(error)
               } else {
                 // result contains an array of all the progress objects
-                logger.debug('Succesfully finished pushing docker image')
+                logger.debug('Successfully finished pushing docker image')
                 resolve(result)
               }
             },
@@ -644,6 +660,7 @@ program
 
         console.log(`Successfully pushed docker image to ${dstImageName}!`)
       } catch (error) {
+        logger.debug('Invocation failed with error:', error)
         if (error instanceof Error) {
           console.error(`Failed to push docker image: ${error.message}`)
         }
@@ -749,7 +766,7 @@ program
                     reject(error)
                   } else {
                     // result contains an array of all the progress objects
-                    logger.debug('Succesfully finished pulling image')
+                    logger.debug('Successfully finished pulling image')
                     resolve(result)
                   }
                 },
@@ -790,14 +807,16 @@ program
           options.helmChartRepo ?? imageLabels['io.metaplay.default_helm_repo'] ?? 'https://charts.metaplay.dev'
         )
 
+        // Warn about Helm chart version needing to be specified explicitly (unless using a local chart)
+        if (!options.helmChartVersion && !options.localChartPath) {
+          console.warn('Warning: You should specify the Helm chart version explicitly with --helm-chart-version=<version>!')
+        }
+
         // Resolve helmChartVersion, in order of precedence:
         // - Specified in the cli options
         // - Specified in the docker image label
         // - Unknown, error out!
         const helmChartVersionSpec = options.helmChartVersion ?? imageLabels['io.metaplay.default_server_chart_version']
-        if (!options.helmChartVersion) {
-          console.warn('Warning: You should specify the Helm chart version with --helm-chart-version=<version>!')
-        }
         if (!helmChartVersionSpec) {
           throw new Error('No Helm chart version defined. With pre-R28 SDK versions, you must specify the Helm chart version explicitly with --helm-chart-version=<version>.')
         }
@@ -884,11 +903,13 @@ program
           console.log('Validating game server deployment...')
           await checkGameServerDeployment(envInfo, kubeconfig, imageTag)
         } catch (error) {
+          logger.debug('Invocation failed with error:', error)
           const errMessage = error instanceof Error ? error.message : String(error)
           console.error(`Failed to resolve game server deployment status: ${errMessage}`)
           exit(2)
         }
       } catch (error) {
+        logger.debug('Invocation failed with error:', error)
         if (error instanceof Error) {
           console.error(`Error deploying game server into target environment: ${error.message}`)
         }
@@ -933,6 +954,7 @@ program
         // \todo Get requiredImageTag from the Helm chart
         await checkGameServerDeployment(envInfo, kubeconfig, /* requiredImageTag: */ null)
       } catch (error: any) {
+        logger.debug('Invocation failed with error:', error)
         console.error(`Failed to check deployment status: ${error.message}`)
         exit(1)
       }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@metaplay/metaplay-auth",
   "description": "Utility CLI for authenticating with the Metaplay Auth and making authenticated calls to infrastructure endpoints.",
-  "version": "1.7.0",
+  "version": "1.7.2",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE",
   "homepage": "https://metaplay.io",
@@ -18,22 +18,22 @@
   "devDependencies": {
     "@metaplay/eslint-config": "workspace:*",
     "@types/dockerode": "3.3.31",
-    "@types/express": "4.17.21",
+    "@types/express": "5.0.0",
     "@types/js-yaml": "4.0.9",
     "@types/jsonwebtoken": "9.0.7",
     "@types/jwk-to-pem": "2.0.3",
-    "@types/node": "20.16.1",
+    "@types/node": "20.16.10",
     "@types/semver": "7.5.8",
     "esbuild": "0.24.0",
-    "tsx": "4.19.1",
-    "typescript": "5.6.2",
-    "vitest": "2.1.1",
-    "@aws-sdk/client-ecr": "3.654.0",
-    "@kubernetes/client-node": "1.0.0-rc6",
-    "@ory/client": "1.15.4",
+    "tsx": "4.19.2",
+    "typescript": "5.6.3",
+    "vitest": "2.1.4",
+    "@aws-sdk/client-ecr": "3.682.0",
+    "@kubernetes/client-node": "1.0.0-rc7",
+    "@ory/client": "1.15.7",
     "commander": "12.1.0",
     "dockerode": "4.0.2",
-    "h3": "1.12.0",
+    "h3": "1.13.0",
     "js-yaml": "4.1.0",
     "jsonwebtoken": "9.0.2",
     "jwk-to-pem": "2.0.6",

package/src/auth.ts

@@ -1,4 +1,4 @@
-/* eslint-disable @typescript-eslint/no-misused-promises */
+ 
 import { toNodeListener, createApp, defineEventHandler, getQuery, sendError } from 'h3'
 import jwt from 'jsonwebtoken'
 import jwkToPem from 'jwk-to-pem'
@@ -324,7 +324,7 @@ async function extendCurrentSessionWithRefreshToken(
  * @param code
  * @returns
  */
-// eslint-disable-next-line @typescript-eslint/max-params
+ 
 async function getTokensWithAuthorizationCode(
   state: string,
   redirectUri: string,
@@ -356,7 +356,7 @@ async function getTokensWithAuthorizationCode(
  */
 export async function loadTokens(): Promise<TokenSet> {
   try {
-    const tokens = (await getSecret('tokens')) as TokenSet
+    const tokens = (await getSecret('tokens')) as unknown as TokenSet
 
     if (!tokens) {
       throw new Error('Unable to load tokens. You need to login first.')

package/src/config.ts

@@ -1,5 +1,6 @@
 /**
- * Base URL to the Metaplay developer portal. Override with global flag --portal-base-url.
+ * Base URL to the Metaplay developer portal. Override with global flag --portal-base-url
+ * or environment variable `AUTHCLI_PORTAL_BASEURL'.
  */
 export let portalBaseUrl = 'https://portal.metaplay.dev'
 

package/src/deployment.ts

@@ -3,7 +3,8 @@ import os from 'os'
 import path from 'path'
 import { exit } from 'process'
 import { EnvironmentDetails, TargetEnvironment } from 'targetenvironment.js'
-import * as net from 'net'
+import { promises as dns } from 'dns'
+import tls from 'tls'
 
 import {
   KubeConfig,
@@ -404,8 +405,8 @@ export async function waitForGameServerPodsToBeReady(
 
       // Handle state of the deployment
       if (anyPodsInPhase(podStatuses, GameServerPodPhase.Failed)) {
-        logger.error(`Gameserver start failed with pod statuses: ${JSON.stringify(podStatuses, undefined, 2)}`)
-        console.log('Gameserver failed to start due to the pods not starting properly! See above for details.')
+        logger.error(`Game server start failed with pod statuses: ${JSON.stringify(podStatuses, undefined, 2)}`)
+        console.log('Game server failed to start due to the pods not starting properly! See above for details.')
         for (let ndx = 0; ndx < pods.length; ndx += 1) {
           const status = podStatuses[ndx]
           const suffix = status.phase !== GameServerPodPhase.Ready ? ` -- ${status.message}` : ''
@@ -417,14 +418,14 @@ export async function waitForGameServerPodsToBeReady(
         anyPodsInPhase(podStatuses, GameServerPodPhase.Pending) ||
         anyPodsInPhase(podStatuses, GameServerPodPhase.Running)
       ) {
-        console.log('Waiting for gameserver(s) to be ready...')
+        console.log('Waiting for pod(s) to be ready...')
         for (let ndx = 0; ndx < pods.length; ndx += 1) {
           const status = podStatuses[ndx]
           const suffix = status.phase !== GameServerPodPhase.Ready ? ` -- ${status.message}` : ''
           console.log(`  ${pods[ndx].metadata?.name}: ${status.phase}${suffix}`)
         }
       } else if (allPodsInPhase(podStatuses, GameServerPodPhase.Ready)) {
-        console.log('Gameserver is up and ready to serve!')
+        console.log('Game server pod(s) are up and ready to serve!')
         return
       } else {
         console.log('Deployment in inconsistent state, waiting...')
@@ -445,9 +446,34 @@ export async function waitForGameServerPodsToBeReady(
   }
 }
 
+async function waitForDomainResolution(hostname: string): Promise<void> {
+  // Use 15min timeout -- DNS propagation can take a while
+  const timeoutAt = Date.now() + 15 * 60 * 1000
+
+  while (true) {
+    try {
+      const addresses = await dns.lookup(hostname)
+      console.log(`Successfully resolved domain ${hostname} to:`, addresses)
+      return
+    } catch (err) {
+      if (Date.now() > timeoutAt) {
+        throw new Error(`Could not resolve domain ${hostname} before timeout.`)
+      }
+
+      if (err instanceof Error && (err as NodeJS.ErrnoException).code === 'ENOTFOUND') {
+        console.log(`Waiting for domain name ${hostname} to propagate... This can take up to 15 minutes on the first deploy.`)
+      } else {
+        console.log(`Failed to resolve ${hostname}: ${String(err)}. Retrying...`)
+      }
+      await delay(5000) // use long timeout as it can take ~5min for DNS to propagate
+    }
+  }
+}
+
 /**
  * Wait until we can establish a client-simulating connection to the target
- * game server, or a timeout happens.
+ * game server and perform the TLS handshake and wait for the initial bytes
+ * to be received from the server, or a timeout happens.
  * @param hostname Hostname of the target server to connect to.
  * @param port Port to use for the connections (usually 9339).
  */
@@ -455,47 +481,49 @@ async function waitForGameServerClientEndpointToBeReady(
   hostname: string,
   port: number
 ): Promise<void> {
-  const checkConnection = async (): Promise<boolean> => {
-      return await new Promise((resolve) => {
-          const socket = new net.Socket()
-          // Set a short timeout for each attempt
-          // Note: This does not include the DNS resolve time which can take a minute or so.
-          // \todo Consider adding a DNS resolve step before trying to connect.
-          socket.setTimeout(2000)
-
-          socket.on('connect', () => {
-              socket.destroy() // Clean up after success
-              resolve(true)
-          })
-
-          socket.on('error', () => {
-              socket.destroy() // Clean up after error
-              resolve(false)
-          })
-
-          socket.on('timeout', () => {
-              socket.destroy() // Clean up after timeout
-              resolve(false)
-          })
-
-          socket.connect(port, hostname)
-      })
-  }
-
-  // Try for 2 min before giving up
-  const timeoutAt = Date.now() + 2 * 60 * 1000
+  // Try for a few minutes before giving up
+  const timeoutAt = Date.now() + 5 * 60 * 1000
 
   while (Date.now() < timeoutAt) {
-    const connected = await checkConnection()
-    if (connected) {
-      console.log(`Successfully connected to ${hostname}:${port}`)
+    try {
+      await new Promise<void>((resolve, reject) => {
+        const socket: tls.TLSSocket = tls.connect({ host: hostname, port }, () => {
+          if (socket.authorized) {
+            console.log('TLS handshake completed, waiting to receive data from the server...')
+            // \todo This is enough with direct connection to the server but with the upcoming
+            //       client-traffic-proxy, we may need to exchange the proper handshake messages
+            socket.once('data', (bytes: Buffer) => {
+              const hexBytes = Array.from(bytes).map(byte => byte.toString(16).padStart(2, '0'))
+              console.log(`Received ${bytes.length} bytes from server: ${hexBytes.join(' ')}`)
+              socket.end()
+              resolve()
+            })
+          } else {
+            socket.end()
+            reject(new Error(`TLS handshake failed: ${String(socket.authorizationError)}`))
+          }
+        })
+
+        socket.on('error', reject)
+
+        socket.setTimeout(5000, () => {
+          socket.end()
+          reject(new Error('Timeout while waiting for data after handshake'))
+        })
+      })
+
+      // Success
+      console.log(`Successfully connected to the target environment ${hostname}:${port}`)
       return
+    } catch (error) {
+      console.log(`Attempt failed, retrying: ${String(error)}`)
     }
-    console.log(`Retrying connection to ${hostname}:${port}...`)
-    await new Promise((resolve) => setTimeout(resolve, 1000))
+
+    // Wait a bit before trying again
+    await delay(1000)
   }
 
-  throw new Error(`Timeout while trying to connect to ${hostname}:${port}.`)
+  throw new Error(`Timeout reached while waiting to establish connection to ${hostname}:${port}`)
 }
 
 /**
@@ -515,7 +543,10 @@ export async function checkGameServerDeployment(
   console.log('Waiting for game server pods to be ready...')
   await waitForGameServerPodsToBeReady(envInfo.deployment.kubernetes_namespace, kubeconfig, requiredImageTag)
 
-  // \todo Add a separate step for a DNS check on the game server
+  // Resolve DNS for the target server
+  // \todo Use the -proxy address when client-traffic-proxy is in use
+  console.log(`Resolving the domain name '${envInfo.deployment.server_hostname}' of the server...`)
+  await waitForDomainResolution(envInfo.deployment.server_hostname)
 
   // Check that the game server accepts traffic on its client-facing endpoint
   const clientTrafficPort = 9339 // \todo check for other ports, too?

package/src/secret_store.ts

@@ -78,7 +78,7 @@ export async function setSecret(key: string, value: any): Promise<void> {
   await fs.writeFile(filePath, content)
 }
 
-export async function getSecret(key: string): Promise<any | undefined> {
+export async function getSecret(key: string): Promise<string> {
   logger.debug(`Getting secret ${key}...`)
 
   const secrets = await loadSecrets()

package/src/targetenvironment.ts

@@ -85,6 +85,14 @@ export interface DockerCredentials {
   registryUrl: string
 }
 
+class FetchJsonHttpError extends Error {
+    response: Response;
+    constructor(method: string, url: string, response: Response) {
+      super(`Failed to fetch ${method} ${url}: ${response.statusText}, response code=${response.status}`)
+      this.response = response;
+    }
+}
+
 export class TargetEnvironment {
   private readonly accessToken: string
   private readonly humanId: string
@@ -106,14 +114,14 @@ export class TargetEnvironment {
     })
 
     if (response.status !== 200) {
-      throw new Error(`Failed to fetch ${method} ${url}: ${response.statusText}, response code=${response.status}`)
+      throw new FetchJsonHttpError(method, url, response)
     }
 
     return (await response.json()) as T
   }
 
   async fetchText(url: string, method: string): Promise<string> {
-    // eslint-disable-next-line @typescript-eslint/init-declarations
+     
     let response
     try {
       response = await fetch(url, {
@@ -168,12 +176,21 @@ export class TargetEnvironment {
     logger.debug(`Getting Kubernetes KubeConfig from ${url}...`)
 
     // get the execcredential and morph it into a kubeconfig which calls metaplay-auth for the token
-    // eslint-disable-next-line @typescript-eslint/init-declarations
+     
     let kubeExecCredential: KubeExecCredential
     try {
       kubeExecCredential = await this.fetchJson<KubeExecCredential>(url, 'POST')
-    } catch {
-      throw new Error(`Failed to fetch Kubernetes KubeConfig from ${url}`)
+    } catch (error) {
+      // User-friendly error messages for well-known HTTP errors.
+      if (error instanceof FetchJsonHttpError) {
+        if (error.response.status === 404) {
+          throw new Error(`Environment ${this.humanId} does not exist.`)
+        } else if (error.response.status === 403) {
+          throw new Error(`Your account does not have permissions to access environment ${this.humanId}.`)
+        }
+      }
+      const errorMessage = (error instanceof Error) ? error.message : String(error)
+      throw new Error(`Failed to fetch Kubernetes KubeConfig: ${errorMessage}`)
     }
 
     if (!kubeExecCredential.spec.cluster) {

package/src/version.ts

@@ -1 +1 @@
-export const PACKAGE_VERSION = "1.7.0"
+export const PACKAGE_VERSION = "1.7.2"