@mintmcp/hosted-cli 0.0.15 → 0.0.17

package/dist/auth.js

@@ -0,0 +1,659 @@
+import keytar from "keytar";
+import { z } from "zod";
+export const EnvSchema = z.enum(["staging", "production"]);
+const CLIENT_IDS = {
+    staging: "client_01K0WB8ABW72JSBZ62V98AZMPS",
+    production: "client_01K0WB8AHKS2J39SFKAPTHTR90",
+};
+const LegacyAuthSchema = z.object({
+    accessToken: z.string(),
+    email: z.string(),
+    organizationId: z.string(),
+});
+const WorkOsUserSchema = z.object({
+    id: z.string(),
+    email: z.string(),
+    first_name: z.string().nullable().optional(),
+    last_name: z.string().nullable().optional(),
+});
+const TokenResponseSchema = z.object({
+    access_token: z.string(),
+    refresh_token: z.string().optional(),
+    organization_id: z.string(),
+    expires_in: z.number().int().positive().optional(),
+    user: WorkOsUserSchema,
+});
+const StoredSessionSchema = z.object({
+    userId: z.string(),
+    email: z.string(),
+    firstName: z.string().nullable().optional(),
+    lastName: z.string().nullable().optional(),
+    refreshToken: z.string().optional(),
+    currentOrganizationId: z.string().optional(),
+    lastUsedAt: z.string().optional(),
+});
+const StoredOrgAccessSchema = z.object({
+    userId: z.string(),
+    organizationId: z.string(),
+    accessToken: z.string(),
+    expiresAt: z.string().optional(),
+    lastUsedAt: z.string().optional(),
+});
+const StoredSessionAccountSchema = z.object({
+    env: EnvSchema,
+    userId: z.string(),
+});
+const StoredAuthAccountSchema = z.object({
+    env: EnvSchema,
+    userId: z.string(),
+    organizationId: z.string(),
+});
+const keychainServiceName = "mintmcp-credentials";
+const currentAccountPrefix = "current:";
+const sessionAccountPrefix = "session:";
+const accessAccountPrefix = "access:";
+const deviceCodeGrantType = "urn:ietf:params:oauth:grant-type:device_code";
+const refreshGrantType = "refresh_token";
+const workosDeviceAuthorizeUrl = "https://api.workos.com/user_management/authorize/device";
+const workosAuthenticateUrl = "https://api.workos.com/user_management/authenticate";
+function currentSelectionStorageKey(env) {
+    return `${currentAccountPrefix}${env}`;
+}
+function makeStoredSessionAccount(env, userId) {
+    return { env, userId };
+}
+function serializeStoredSessionAccount(account) {
+    return `${sessionAccountPrefix}${account.env}:${account.userId}`;
+}
+function parseStoredSessionAccount(value) {
+    const match = new RegExp(`^${sessionAccountPrefix}(staging|production):(.+)$`).exec(value);
+    if (!match) {
+        return null;
+    }
+    try {
+        return StoredSessionAccountSchema.parse({
+            env: match[1],
+            userId: match[2],
+        });
+    }
+    catch {
+        return null;
+    }
+}
+function makeStoredAuthAccount(env, userId, organizationId) {
+    return { env, userId, organizationId };
+}
+function serializeStoredAuthAccount(account) {
+    return `${accessAccountPrefix}${account.env}:${account.userId}:${account.organizationId}`;
+}
+function parseStoredAuthAccount(value) {
+    const match = new RegExp(`^${accessAccountPrefix}(staging|production):([^:]+):(.+)$`).exec(value);
+    if (!match) {
+        return null;
+    }
+    try {
+        return StoredAuthAccountSchema.parse({
+            env: match[1],
+            userId: match[2],
+            organizationId: match[3],
+        });
+    }
+    catch {
+        return null;
+    }
+}
+export function sameStoredAuthAccount(left, right) {
+    return (left.env === right.env &&
+        left.userId === right.userId &&
+        left.organizationId === right.organizationId);
+}
+export function getTokenClaims(accessToken) {
+    const [, payload] = accessToken.split(".");
+    if (!payload) {
+        return {
+            exp: undefined,
+            org_id: undefined,
+            sid: undefined,
+            sub: undefined,
+        };
+    }
+    try {
+        const parsed = JSON.parse(Buffer.from(payload, "base64url").toString());
+        return {
+            exp: typeof parsed.exp === "number" ? parsed.exp : undefined,
+            org_id: typeof parsed.org_id === "string" ? parsed.org_id : undefined,
+            sid: typeof parsed.sid === "string" ? parsed.sid : undefined,
+            sub: typeof parsed.sub === "string" ? parsed.sub : undefined,
+        };
+    }
+    catch {
+        return {
+            exp: undefined,
+            org_id: undefined,
+            sid: undefined,
+            sub: undefined,
+        };
+    }
+}
+function getExpiresAt(accessToken, expiresInSeconds) {
+    if (expiresInSeconds != undefined) {
+        return new Date(Date.now() + expiresInSeconds * 1000).toISOString();
+    }
+    const claims = getTokenClaims(accessToken);
+    if (claims.exp != undefined) {
+        return new Date(claims.exp * 1000).toISOString();
+    }
+    return undefined;
+}
+function isAccessTokenExpired(auth, skewMs = 60_000) {
+    if (auth.expiresAt == undefined) {
+        return false;
+    }
+    const expiresAtMs = Date.parse(auth.expiresAt);
+    if (Number.isNaN(expiresAtMs)) {
+        return false;
+    }
+    return expiresAtMs <= Date.now() + skewMs;
+}
+function makeAuthFromTokenResponse(tokenData, previousAuth) {
+    const parsed = TokenResponseSchema.parse(tokenData);
+    return {
+        userId: parsed.user.id,
+        email: parsed.user.email,
+        firstName: parsed.user.first_name ?? previousAuth?.firstName ?? null,
+        lastName: parsed.user.last_name ?? previousAuth?.lastName ?? null,
+        refreshToken: parsed.refresh_token ?? previousAuth?.refreshToken,
+        currentOrganizationId: parsed.organization_id,
+        organizationId: parsed.organization_id,
+        accessToken: parsed.access_token,
+        expiresAt: getExpiresAt(parsed.access_token, parsed.expires_in),
+        lastUsedAt: new Date().toISOString(),
+    };
+}
+function combineAuth(session, access) {
+    return {
+        userId: session.userId,
+        email: session.email,
+        firstName: session.firstName ?? null,
+        lastName: session.lastName ?? null,
+        refreshToken: session.refreshToken,
+        currentOrganizationId: session.currentOrganizationId,
+        lastUsedAt: access.lastUsedAt ?? session.lastUsedAt,
+        organizationId: access.organizationId,
+        accessToken: access.accessToken,
+        expiresAt: access.expiresAt,
+    };
+}
+export function formatAuthSummary(auth) {
+    const fullName = [auth.firstName, auth.lastName].filter(Boolean).join(" ");
+    const identity = fullName.length > 0 ? `${fullName} <${auth.email}>` : auth.email;
+    return `${identity} (${auth.userId}) in ${auth.organizationId}`;
+}
+async function clearLegacyAuth(env) {
+    await keytar.deletePassword(keychainServiceName, env);
+}
+async function getStoredSessionRecord(env, account) {
+    if (account.env !== env) {
+        return null;
+    }
+    const stored = await keytar.getPassword(keychainServiceName, serializeStoredSessionAccount(account));
+    if (!stored) {
+        return null;
+    }
+    try {
+        return {
+            account,
+            session: StoredSessionSchema.parse(JSON.parse(stored)),
+        };
+    }
+    catch (error) {
+        console.warn(`Invalid stored session for ${account.userId}, deleting:`, error);
+        await keytar.deletePassword(keychainServiceName, serializeStoredSessionAccount(account));
+        return null;
+    }
+}
+async function listStoredSessionRecords(env) {
+    const credentials = await keytar.findCredentials(keychainServiceName);
+    const records = [];
+    for (const credential of credentials) {
+        const account = parseStoredSessionAccount(credential.account);
+        if (!account || account.env !== env) {
+            continue;
+        }
+        try {
+            records.push({
+                account,
+                session: StoredSessionSchema.parse(JSON.parse(credential.password)),
+            });
+        }
+        catch (error) {
+            console.warn(`Invalid stored session for ${credential.account}, deleting:`, error);
+            await keytar.deletePassword(keychainServiceName, credential.account);
+        }
+    }
+    return records;
+}
+async function getStoredOrgAccessRecord(env, account) {
+    if (account.env !== env) {
+        return null;
+    }
+    const stored = await keytar.getPassword(keychainServiceName, serializeStoredAuthAccount(account));
+    if (!stored) {
+        return null;
+    }
+    try {
+        return StoredOrgAccessSchema.parse(JSON.parse(stored));
+    }
+    catch (error) {
+        console.warn(`Invalid stored org access for ${serializeStoredAuthAccount(account)}, deleting:`, error);
+        await keytar.deletePassword(keychainServiceName, serializeStoredAuthAccount(account));
+        return null;
+    }
+}
+async function getStoredAuthRecord(env, account) {
+    const access = await getStoredOrgAccessRecord(env, account);
+    if (!access) {
+        return null;
+    }
+    const sessionRecord = await getStoredSessionRecord(env, makeStoredSessionAccount(env, account.userId));
+    if (!sessionRecord) {
+        await keytar.deletePassword(keychainServiceName, serializeStoredAuthAccount(account));
+        return null;
+    }
+    return {
+        account,
+        session: sessionRecord.session,
+        access,
+    };
+}
+async function listStoredAuthRecords(env) {
+    const credentials = await keytar.findCredentials(keychainServiceName);
+    const records = [];
+    for (const credential of credentials) {
+        const account = parseStoredAuthAccount(credential.account);
+        if (!account || account.env !== env) {
+            continue;
+        }
+        const record = await getStoredAuthRecord(env, account);
+        if (record) {
+            records.push(record);
+        }
+    }
+    records.sort((left, right) => {
+        const leftTs = left.access.lastUsedAt != undefined
+            ? Date.parse(left.access.lastUsedAt)
+            : Number.NEGATIVE_INFINITY;
+        const rightTs = right.access.lastUsedAt != undefined
+            ? Date.parse(right.access.lastUsedAt)
+            : Number.NEGATIVE_INFINITY;
+        return rightTs - leftTs;
+    });
+    return records;
+}
+export async function listAuthRecords(env) {
+    return (await listStoredAuthRecords(env)).map((record) => ({
+        account: record.account,
+        auth: combineAuth(record.session, record.access),
+    }));
+}
+async function selectStoredAuthRecord(env, record) {
+    const now = new Date().toISOString();
+    const session = {
+        ...record.session,
+        currentOrganizationId: record.account.organizationId,
+        lastUsedAt: now,
+    };
+    const access = {
+        ...record.access,
+        lastUsedAt: now,
+    };
+    await keytar.setPassword(keychainServiceName, serializeStoredSessionAccount(makeStoredSessionAccount(env, session.userId)), JSON.stringify(session));
+    await keytar.setPassword(keychainServiceName, serializeStoredAuthAccount(record.account), JSON.stringify(access));
+    await keytar.setPassword(keychainServiceName, currentSelectionStorageKey(env), JSON.stringify(record.account));
+    return combineAuth(session, access);
+}
+async function saveStoredAuth(env, auth, options) {
+    const now = new Date().toISOString();
+    const account = makeStoredAuthAccount(env, auth.userId, auth.organizationId);
+    const session = {
+        userId: auth.userId,
+        email: auth.email,
+        firstName: auth.firstName ?? null,
+        lastName: auth.lastName ?? null,
+        refreshToken: auth.refreshToken,
+        currentOrganizationId: auth.organizationId,
+        lastUsedAt: now,
+    };
+    const access = {
+        userId: auth.userId,
+        organizationId: auth.organizationId,
+        accessToken: auth.accessToken,
+        expiresAt: auth.expiresAt,
+        lastUsedAt: now,
+    };
+    await keytar.setPassword(keychainServiceName, serializeStoredSessionAccount(makeStoredSessionAccount(env, auth.userId)), JSON.stringify(session));
+    await keytar.setPassword(keychainServiceName, serializeStoredAuthAccount(account), JSON.stringify(access));
+    const record = { account, session, access };
+    if (options?.selectCurrent !== false) {
+        await keytar.setPassword(keychainServiceName, currentSelectionStorageKey(env), JSON.stringify(account));
+    }
+    return record;
+}
+async function deleteStoredSessionAndAuthRecords(env, userId) {
+    const currentAccountValue = await keytar.getPassword(keychainServiceName, currentSelectionStorageKey(env));
+    const records = await listStoredAuthRecords(env);
+    for (const record of records) {
+        if (record.account.userId !== userId) {
+            continue;
+        }
+        await keytar.deletePassword(keychainServiceName, serializeStoredAuthAccount(record.account));
+    }
+    await keytar.deletePassword(keychainServiceName, serializeStoredSessionAccount(makeStoredSessionAccount(env, userId)));
+    if (currentAccountValue) {
+        try {
+            const currentAccount = StoredAuthAccountSchema.parse(JSON.parse(currentAccountValue));
+            if (currentAccount.userId === userId) {
+                await keytar.deletePassword(keychainServiceName, currentSelectionStorageKey(env));
+            }
+        }
+        catch {
+            await keytar.deletePassword(keychainServiceName, currentSelectionStorageKey(env));
+        }
+    }
+}
+async function maybeMigrateLegacyAuth(env) {
+    const stored = await keytar.getPassword(keychainServiceName, env);
+    if (!stored) {
+        return null;
+    }
+    let legacyAuth;
+    try {
+        legacyAuth = LegacyAuthSchema.parse(JSON.parse(stored));
+    }
+    catch (error) {
+        console.warn("Invalid legacy stored credentials, clearing:", error);
+        await clearLegacyAuth(env);
+        return null;
+    }
+    const claims = getTokenClaims(legacyAuth.accessToken);
+    if (!claims.sub) {
+        return null;
+    }
+    const migratedAuth = {
+        userId: claims.sub,
+        email: legacyAuth.email,
+        firstName: null,
+        lastName: null,
+        refreshToken: undefined,
+        currentOrganizationId: legacyAuth.organizationId,
+        lastUsedAt: new Date().toISOString(),
+        organizationId: legacyAuth.organizationId,
+        accessToken: legacyAuth.accessToken,
+        expiresAt: getExpiresAt(legacyAuth.accessToken),
+    };
+    const record = await saveStoredAuth(env, migratedAuth);
+    await clearLegacyAuth(env);
+    return combineAuth(record.session, record.access);
+}
+async function resolveSelectedAuth(env) {
+    const currentAccountValue = await keytar.getPassword(keychainServiceName, currentSelectionStorageKey(env));
+    if (currentAccountValue) {
+        try {
+            const currentAccount = StoredAuthAccountSchema.parse(JSON.parse(currentAccountValue));
+            const currentRecord = await getStoredAuthRecord(env, currentAccount);
+            if (currentRecord) {
+                return combineAuth(currentRecord.session, currentRecord.access);
+            }
+        }
+        catch {
+            // Fall through to clearing invalid current selection.
+        }
+        await keytar.deletePassword(keychainServiceName, currentSelectionStorageKey(env));
+    }
+    const migratedLegacyAuth = await maybeMigrateLegacyAuth(env);
+    if (migratedLegacyAuth) {
+        return migratedLegacyAuth;
+    }
+    const records = await listStoredAuthRecords(env);
+    const mostRecentRecord = records[0];
+    if (!mostRecentRecord) {
+        return null;
+    }
+    return await selectStoredAuthRecord(env, mostRecentRecord);
+}
+async function requestAuth(env) {
+    const clientId = CLIENT_IDS[env];
+    const deviceCodeResponse = await fetch(workosDeviceAuthorizeUrl, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+        },
+        body: new URLSearchParams({
+            client_id: clientId,
+        }),
+    });
+    if (!deviceCodeResponse.ok) {
+        throw new Error(`Failed to get device code: ${await deviceCodeResponse.text()}`);
+    }
+    const deviceData = (await deviceCodeResponse.json());
+    const { device_code: deviceCode, verification_uri_complete: verificationUriComplete, interval = 5, } = deviceData;
+    console.log(`To authenticate, visit ${verificationUriComplete}`);
+    const maxAttempts = 60;
+    for (let attempts = 0; attempts < maxAttempts; attempts += 1) {
+        await new Promise((resolve) => {
+            setTimeout(resolve, interval * 1000);
+        });
+        const tokenResponse = await fetch(workosAuthenticateUrl, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+            },
+            body: new URLSearchParams({
+                grant_type: deviceCodeGrantType,
+                device_code: deviceCode,
+                client_id: clientId,
+            }),
+        });
+        if (!tokenResponse.ok) {
+            continue;
+        }
+        const tokenData = (await tokenResponse.json());
+        if (tokenData.error) {
+            if (tokenData.error === "authorization_pending") {
+                continue;
+            }
+            else if (tokenData.error === "slow_down") {
+                await new Promise((resolve) => {
+                    setTimeout(resolve, 5000);
+                });
+                continue;
+            }
+            else {
+                throw new Error(`Authentication failed: ${tokenData.error}`);
+            }
+        }
+        if (tokenData.access_token) {
+            return makeAuthFromTokenResponse(tokenData);
+        }
+    }
+    throw new Error("Authentication timeout");
+}
+async function refreshAuth(env, auth, organizationId = auth.organizationId) {
+    if (!auth.refreshToken) {
+        throw new Error("No refresh token is stored for the selected session.");
+    }
+    const response = await fetch(workosAuthenticateUrl, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+        },
+        body: new URLSearchParams({
+            grant_type: refreshGrantType,
+            refresh_token: auth.refreshToken,
+            client_id: CLIENT_IDS[env],
+            organization_id: organizationId,
+        }),
+    });
+    const rawBody = await response.text();
+    let body;
+    try {
+        body = JSON.parse(rawBody);
+    }
+    catch {
+        body = { error: rawBody };
+    }
+    if (!response.ok) {
+        const errorCode = typeof body.error === "string"
+            ? body.error
+            : rawBody;
+        throw new Error(`Refresh failed: ${errorCode}`);
+    }
+    if (typeof body.error === "string") {
+        throw new Error(`Refresh failed: ${body.error}`);
+    }
+    return makeAuthFromTokenResponse(body, auth);
+}
+export async function requestAndStoreAuth(env) {
+    const auth = await requestAuth(env);
+    const record = await saveStoredAuth(env, auth);
+    return combineAuth(record.session, record.access);
+}
+async function refreshOrRequestAuth(env, auth) {
+    if (auth.refreshToken) {
+        try {
+            const refreshedAuth = await refreshAuth(env, auth);
+            const record = await saveStoredAuth(env, refreshedAuth);
+            return combineAuth(record.session, record.access);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            console.warn(`Stored session could not be refreshed, re-authenticating: ${message}`);
+        }
+    }
+    await deleteStoredSessionAndAuthRecords(env, auth.userId);
+    return await requestAndStoreAuth(env);
+}
+function matchesAuthFilters(auth, filters) {
+    if (filters.userId && auth.userId !== filters.userId) {
+        return false;
+    }
+    if (filters.email && auth.email !== filters.email) {
+        return false;
+    }
+    if (filters.organizationId &&
+        auth.organizationId !== filters.organizationId) {
+        return false;
+    }
+    return true;
+}
+function matchesSessionFilters(session, filters) {
+    if (filters.userId && session.userId !== filters.userId) {
+        return false;
+    }
+    if (filters.email && session.email !== filters.email) {
+        return false;
+    }
+    return true;
+}
+export async function clearAllAuth(env) {
+    const credentials = await keytar.findCredentials(keychainServiceName);
+    for (const credential of credentials) {
+        const isEnvScoped = parseStoredSessionAccount(credential.account)?.env === env ||
+            parseStoredAuthAccount(credential.account)?.env === env ||
+            credential.account === currentSelectionStorageKey(env) ||
+            credential.account === env;
+        if (isEnvScoped) {
+            await keytar.deletePassword(keychainServiceName, credential.account);
+        }
+    }
+}
+export async function clearSelectedAuth(env) {
+    const selectedAuth = await resolveSelectedAuth(env);
+    if (!selectedAuth) {
+        await keytar.deletePassword(keychainServiceName, currentSelectionStorageKey(env));
+        await clearLegacyAuth(env);
+        return null;
+    }
+    await deleteStoredSessionAndAuthRecords(env, selectedAuth.userId);
+    return selectedAuth;
+}
+export async function getCurrentAuthAccount(env) {
+    const currentAccountValue = await keytar.getPassword(keychainServiceName, currentSelectionStorageKey(env));
+    if (!currentAccountValue) {
+        return null;
+    }
+    try {
+        return StoredAuthAccountSchema.parse(JSON.parse(currentAccountValue));
+    }
+    catch {
+        return null;
+    }
+}
+export async function getAuth(env, options) {
+    const selectedAuth = await resolveSelectedAuth(env);
+    if (!selectedAuth) {
+        return await requestAndStoreAuth(env);
+    }
+    if (options?.forceRefresh || isAccessTokenExpired(selectedAuth)) {
+        return await refreshOrRequestAuth(env, selectedAuth);
+    }
+    return selectedAuth;
+}
+export async function getSelectedAuth(env) {
+    return await resolveSelectedAuth(env);
+}
+export async function useAuth(env, options) {
+    if (!options.userId && !options.email && !options.organizationId) {
+        throw new Error('Specify at least one filter, for example "hosted auth use --organization-id <id>".');
+    }
+    const records = await listStoredAuthRecords(env);
+    const matches = records.filter((record) => matchesAuthFilters(combineAuth(record.session, record.access), options));
+    if (matches.length > 1) {
+        throw new Error("Multiple cached credentials matched. Add --organization-id or --user-id to disambiguate.");
+    }
+    if (matches.length === 1) {
+        const match = matches[0];
+        if (!match) {
+            throw new Error(`No cached credentials matched for ${env}.`);
+        }
+        return {
+            auth: await selectStoredAuthRecord(env, match),
+            mode: "selected",
+        };
+    }
+    if (!options.organizationId) {
+        throw new Error(`No cached credentials matched for ${env}.`);
+    }
+    const selectedAuth = await resolveSelectedAuth(env);
+    const sessionCandidates = (await listStoredSessionRecords(env)).filter((record) => matchesSessionFilters(record.session, options));
+    let sourceAuth = null;
+    if (selectedAuth && matchesSessionFilters(selectedAuth, options)) {
+        sourceAuth = selectedAuth;
+    }
+    else if (sessionCandidates.length === 1) {
+        const sessionCandidate = sessionCandidates[0];
+        if (sessionCandidate) {
+            const sourceOrganizationId = sessionCandidate.session.currentOrganizationId ??
+                records.find((record) => record.account.userId === sessionCandidate.account.userId)?.account.organizationId;
+            if (sourceOrganizationId) {
+                const sourceRecord = await getStoredAuthRecord(env, makeStoredAuthAccount(env, sessionCandidate.account.userId, sourceOrganizationId));
+                if (sourceRecord) {
+                    sourceAuth = combineAuth(sourceRecord.session, sourceRecord.access);
+                }
+            }
+        }
+    }
+    else if (sessionCandidates.length > 1) {
+        throw new Error("Multiple cached identities could be refreshed into that organization. Add --user-id or --email to choose one.");
+    }
+    if (!sourceAuth) {
+        throw new Error(`No cached credentials were available to switch into ${options.organizationId}. Run "hosted auth login" first.`);
+    }
+    const refreshedAuth = await refreshAuth(env, sourceAuth, options.organizationId);
+    const record = await saveStoredAuth(env, refreshedAuth);
+    return {
+        auth: combineAuth(record.session, record.access),
+        mode: "switched",
+    };
+}
+//# sourceMappingURL=auth.js.map