@mintmcp/hosted-cli 0.0.16 → 0.0.17

package/src/index.ts

@@ -6,7 +6,6 @@ import type { inferRouterInputs, inferRouterOutputs } from "@trpc/server";
 import archiver from "archiver";
 import * as fs from "fs";
 import { readFileSync } from "fs";
-import keytar from "keytar";
 import * as path from "path";
 import { dirname, join } from "path";
 import superjson from "superjson";
@@ -18,6 +17,23 @@ import {
   type HostedTransport,
   UserConfigUpdateSchema,
 } from "./api.js";
+import {
+  type Auth,
+  clearAllAuth,
+  clearSelectedAuth,
+  type Env,
+  EnvSchema,
+  formatAuthSummary,
+  getAuth,
+  getCurrentAuthAccount,
+  getSelectedAuth,
+  getTokenClaims,
+  listAuthRecords,
+  requestAndStoreAuth,
+  type StoredAuthAccount,
+  sameStoredAuthAccount,
+  useAuth,
+} from "./auth.js";
 import {
   buildPartialUpdate,
   type DeployOptions,
@@ -35,9 +51,6 @@ const version = packageJson.version;
 export type CliClientAppRouterInputs = inferRouterInputs<AppRouter>;
 export type CliClientAppRouterOutputs = inferRouterOutputs<AppRouter>;
 
-const EnvSchema = z.enum(["staging", "production"]);
-type Env = z.infer<typeof EnvSchema>;
-
 const TransportSchema = z.enum(["http", "stdio"]);
 
 const TRPC_API_URL: Record<Env, string> = {
@@ -50,11 +63,6 @@ const WEB_CLIENT_URL: Record<Env, string> = {
   production: "https://app.mintmcp.com",
 };
 
-const CLIENT_IDS: Record<Env, string> = {
-  staging: "client_01K0WB8ABW72JSBZ62V98AZMPS",
-  production: "client_01K0WB8AHKS2J39SFKAPTHTR90",
-};
-
 // Where to look for the hosted config, relative to "--base".
 const HOSTED_CONFIG_PATHS: Record<Env, string> = {
   staging: ".mintmcp/hosted-staging.json",
@@ -66,131 +74,27 @@ const HostedConfigSchema = z.object({
 
   // Directory containing data to send to hosted server, relative to "--base".
   mntDataDir: z.string(),
-});
-type HostedConfig = z.infer<typeof HostedConfigSchema>;
 
-const AuthSchema = z.object({
-  accessToken: z.string(),
-  email: z.string(),
-  organizationId: z.string(),
+  // Organization that owns this hosted server. Older config files may omit it.
+  organizationId: z.string().optional(),
 });
+type HostedConfig = z.infer<typeof HostedConfigSchema>;
 
-type Auth = z.infer<typeof AuthSchema>;
-
-async function requestAuth(env: Env): Promise<Auth> {
-  const clientId = CLIENT_IDS[env];
-
-  const deviceCodeResponse = await fetch(
-    "https://api.workos.com/user_management/authorize/device",
-    {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-      },
-      body: new URLSearchParams({
-        client_id: clientId,
-      }),
-    },
+function isTRPCUnauthorized(error: unknown): boolean {
+  return (
+    error instanceof Error &&
+    "data" in error &&
+    typeof (error as any).data === "object" &&
+    (error as any).data?.code === "UNAUTHORIZED"
   );
-
-  if (!deviceCodeResponse.ok) {
-    throw new Error(
-      `Failed to get device code: ${await deviceCodeResponse.text()}`,
-    );
-  }
-
-  const deviceData = (await deviceCodeResponse.json()) as any;
-  const {
-    device_code: deviceCode,
-    verification_uri_complete: verificationUriComplete,
-    interval = 5,
-  } = deviceData;
-
-  console.log(`To authenticate, visit ${verificationUriComplete}`);
-
-  // Poll for access token.
-  const maxAttempts = 60;
-  for (let attempts = 0; attempts < maxAttempts; attempts += 1) {
-    await new Promise<void>((resolve) => {
-      setTimeout(resolve, interval * 1000);
-    });
-
-    const tokenResponse = await fetch(
-      "https://api.workos.com/user_management/authenticate",
-      {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/x-www-form-urlencoded",
-        },
-        body: new URLSearchParams({
-          grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-          device_code: deviceCode,
-          client_id: clientId,
-        }),
-      },
-    );
-
-    if (!tokenResponse.ok) {
-      continue;
-    }
-
-    const tokenData = (await tokenResponse.json()) as any;
-
-    if (tokenData.error) {
-      if (tokenData.error === "authorization_pending") {
-        continue;
-      } else if (tokenData.error === "slow_down") {
-        // Increase interval as requested
-        await new Promise<void>((resolve) => {
-          setTimeout(resolve, 5000);
-        });
-        continue;
-      } else {
-        throw new Error(`Authentication failed: ${tokenData.error}`);
-      }
-    }
-
-    if (tokenData.access_token) {
-      if (!tokenData.user?.email) {
-        throw new Error("Authentication response missing user email");
-      }
-      if (!tokenData.organization_id) {
-        throw new Error("Authentication response missing organization ID");
-      }
-      return {
-        accessToken: tokenData.access_token,
-        email: tokenData.user.email,
-        organizationId: tokenData.organization_id,
-      };
-    }
-  }
-
-  throw new Error("Authentication timeout");
 }
 
-async function getAuth(env: Env): Promise<Auth> {
-  const keychainServiceName = "mintmcp-credentials";
-  const stored = await keytar.getPassword(keychainServiceName, env);
-  if (stored) {
-    try {
-      const parsedData = JSON.parse(stored);
-      const validatedAuth = AuthSchema.parse(parsedData);
-      return validatedAuth;
-    } catch (error) {
-      console.warn("Invalid stored credentials, re-authenticating:", error);
-      // If validation fails, delete the invalid stored credentials and re-authenticate
-      await keytar.deletePassword(keychainServiceName, env);
-    }
-  }
-  const auth = await requestAuth(env);
-  await keytar.setPassword(keychainServiceName, env, JSON.stringify(auth));
-  return auth;
-}
+async function makeAuthenticatedClient(
+  env: Env,
+  options?: { forceRefresh?: boolean },
+) {
+  const auth = await getAuth(env, options);
 
-async function makeAuthenticatedClient(env: Env) {
-  const auth = await getAuth(env);
-
-  // TODO: Get the organization name because that is more human readable.
   console.log(`Authenticated as ${auth.email} in ${auth.organizationId}.`);
 
   return createTRPCClient<AppRouter>({
@@ -206,6 +110,29 @@ async function makeAuthenticatedClient(env: Env) {
   });
 }
 
+type AuthenticatedClient = Awaited<ReturnType<typeof makeAuthenticatedClient>>;
+
+async function withAuthRetry<T>(
+  env: Env,
+  fn: (client: AuthenticatedClient) => Promise<T>,
+): Promise<T> {
+  const client = await makeAuthenticatedClient(env);
+  try {
+    return await fn(client);
+  } catch (error) {
+    if (isTRPCUnauthorized(error)) {
+      console.warn(
+        "Session expired or invalid. Refreshing credentials and retrying...",
+      );
+      const newClient = await makeAuthenticatedClient(env, {
+        forceRefresh: true,
+      });
+      return await fn(newClient);
+    }
+    throw error;
+  }
+}
+
 function argParser<T>(schema: ZodSchema<T>) {
   return (value: string): T => {
     const result = schema.safeParse(value);
@@ -292,6 +219,7 @@ const DEPLOY_OPTIONS_NEW_SERVER_DEFAULTS = {
 async function createNew(
   client: Awaited<ReturnType<typeof makeAuthenticatedClient>>,
   base: string,
+  organizationId: string,
   options: DeployOptions,
 ): Promise<HostedConfig> {
   const {
@@ -324,6 +252,7 @@ async function createNew(
   return {
     hostedId: createdServer.hostedId,
     mntDataDir,
+    organizationId,
   };
 }
 
@@ -331,12 +260,22 @@ async function updateExisting(
   client: Awaited<ReturnType<typeof makeAuthenticatedClient>>,
   base: string,
   config: HostedConfig,
+  organizationId: string,
   options: DeployOptions,
 ): Promise<HostedConfig> {
+  if (
+    config.organizationId != undefined &&
+    config.organizationId !== organizationId
+  ) {
+    throw new Error(
+      `Hosted config belongs to organization ${config.organizationId}, but the selected credentials are for ${organizationId}. Switch organizations with "hosted auth use --organization-id ${config.organizationId}" before deploying.`,
+    );
+  }
   const newConfig = { ...config };
   if (options.mntDataDir != undefined) {
     newConfig.mntDataDir = options.mntDataDir;
   }
+  newConfig.organizationId = organizationId;
   const upload = await uploadData(
     client,
     path.join(base, newConfig.mntDataDir),
@@ -366,6 +305,66 @@ function makeDefaultMessage(
   return `Defaults to '${DEPLOY_OPTIONS_NEW_SERVER_DEFAULTS[optionName]}' for new servers.`;
 }
 
+const authCommand = program
+  .command("auth")
+  .description("Manage cached hosted-cli authentication credentials.");
+
+authCommand
+  .command("login")
+  .description(
+    "Authenticate and cache credentials for the current environment.",
+  )
+  .action(async () => {
+    const { env } = program.opts();
+    const auth = await requestAndStoreAuth(env);
+    console.log(`Cached ${formatAuthSummary(auth)}.`);
+  });
+
+authCommand
+  .command("list")
+  .description("List cached credentials for the current environment.")
+  .action(async () => {
+    const { env } = program.opts();
+    const currentAccount = await getCurrentAuthAccount(env);
+    const records = await listAuthRecords(env);
+    if (records.length === 0) {
+      console.log(`No cached credentials found for ${env}.`);
+      return;
+    }
+    for (const record of records) {
+      const marker =
+        currentAccount && sameStoredAuthAccount(record.account, currentAccount)
+          ? "*"
+          : " ";
+      console.log(`${marker} ${formatAuthSummary(record.auth)}`);
+    }
+  });
+
+authCommand
+  .command("use")
+  .description("Select which cached credentials the CLI should use.")
+  .option("--user-id <id>", "WorkOS user ID to select.")
+  .option("--email <email>", "Email address to select.")
+  .option("--organization-id <id>", "Organization ID to select.")
+  .action(
+    async (options: {
+      userId?: string;
+      email?: string;
+      organizationId?: string;
+    }) => {
+      const { env } = program.opts();
+      if (!options.userId && !options.email && !options.organizationId) {
+        throw new Error(
+          'Specify at least one filter, for example "hosted auth use --organization-id <id>".',
+        );
+      }
+      const result = await useAuth(env, options);
+      const message =
+        result.mode === "switched" ? "Cached and selected" : "Selected";
+      console.log(`${message} ${formatAuthSummary(result.auth)}.`);
+    },
+  );
+
 program
   .command("deploy")
   .description("Create or update a hosted server.")
@@ -388,32 +387,78 @@ program
   )
   .action(async (options) => {
     const { env, base } = program.opts();
-    const client = await makeAuthenticatedClient(env);
-
-    const configPath = path.join(base, HOSTED_CONFIG_PATHS[env]);
-
-    let newOrUpdatedConfig: HostedConfig;
-    if (fs.existsSync(configPath)) {
-      console.log("Updating existing server...");
-      const configData = fs.readFileSync(configPath, "utf8");
-      newOrUpdatedConfig = await updateExisting(
-        client,
-        base,
-        HostedConfigSchema.parse(JSON.parse(configData)),
-        options,
-      );
-      console.log(
-        `Updated ${WEB_CLIENT_URL[env]}/hosted/${newOrUpdatedConfig.hostedId}`,
-      );
+    const auth = await getAuth(env);
+
+    await withAuthRetry(env, async (client) => {
+      const configPath = path.join(base, HOSTED_CONFIG_PATHS[env]);
+
+      let newOrUpdatedConfig: HostedConfig;
+      if (fs.existsSync(configPath)) {
+        console.log("Updating existing server...");
+        const configData = fs.readFileSync(configPath, "utf8");
+        newOrUpdatedConfig = await updateExisting(
+          client,
+          base,
+          HostedConfigSchema.parse(JSON.parse(configData)),
+          auth.organizationId,
+          options,
+        );
+        console.log(
+          `Updated ${WEB_CLIENT_URL[env]}/hosted/${newOrUpdatedConfig.hostedId}`,
+        );
+      } else {
+        console.log("Creating new server...");
+        newOrUpdatedConfig = await createNew(
+          client,
+          base,
+          auth.organizationId,
+          options,
+        );
+        console.log(
+          `Created ${WEB_CLIENT_URL[env]}/hosted/${newOrUpdatedConfig.hostedId}`,
+        );
+      }
+      fs.mkdirSync(path.dirname(configPath), { recursive: true });
+      fs.writeFileSync(configPath, JSON.stringify(newOrUpdatedConfig, null, 2));
+    });
+  });
+
+program
+  .command("logout")
+  .description(
+    "Clear stored credentials and sign out of the WorkOS browser session.",
+  )
+  .option("--all", "Clear all cached credentials for the current environment.")
+  .action(async (options: { all?: boolean }) => {
+    const { env } = program.opts();
+
+    let logoutUrl: string | undefined;
+
+    const selectedAuth = await getSelectedAuth(env);
+    if (selectedAuth) {
+      const { sid } = getTokenClaims(selectedAuth.accessToken);
+      if (sid) {
+        logoutUrl = `https://api.workos.com/user_management/sessions/logout?session_id=${sid}`;
+      }
+    }
+
+    if (options.all) {
+      await clearAllAuth(env);
+      console.log(`All cached credentials cleared for ${env}.`);
     } else {
-      console.log("Creating new server...");
-      newOrUpdatedConfig = await createNew(client, base, options);
-      console.log(
-        `Created ${WEB_CLIENT_URL[env]}/hosted/${newOrUpdatedConfig.hostedId}`,
-      );
+      const clearedAuth = await clearSelectedAuth(env);
+      if (clearedAuth) {
+        console.log(
+          `Cleared cached credentials for ${formatAuthSummary(clearedAuth)}.`,
+        );
+      } else {
+        console.log(`No cached credentials found for ${env}.`);
+      }
+    }
+    if (logoutUrl) {
+      console.log("To fully sign out of the WorkOS browser session, visit:");
+      console.log(logoutUrl);
     }
-    fs.mkdirSync(path.dirname(configPath), { recursive: true });
-    fs.writeFileSync(configPath, JSON.stringify(newOrUpdatedConfig, null, 2));
   });
 
 program.parse();