@nado-language/mcp 0.1.0

package/dist/nado-mcp-auth.mjs

@@ -0,0 +1,495 @@
+#!/usr/bin/env node
+
+import { spawn } from 'node:child_process';
+import { createHash, randomBytes } from 'node:crypto';
+import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import http from 'node:http';
+import os from 'node:os';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const DEFAULT_SUPABASE_URL = 'https://ptbwzhxifxdnfmqsiugi.supabase.co';
+const DEFAULT_SUPABASE_ANON_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InB0Ynd6aHhpZnhkbmZtcXNpdWdpIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzU1MTU4MjEsImV4cCI6MjA5MTA5MTgyMX0.c0SU8lvIb8BbwhYyI529dn7tQUfwTl1cGqeahGKaD_g';
+const DEFAULT_RELAY_URL = 'https://language.nado.ai.kr/auth/mcp-callback';
+const SUPPORTED_PROVIDERS = new Set(['google', 'kakao', 'apple']);
+const SUPPORTED_REDIRECT_MODES = new Set(['azure', 'local']);
+
+const scriptDir = path.dirname(fileURLToPath(import.meta.url));
+const repoRoot = path.resolve(scriptDir, '..');
+
+const { command, options } = parseCli(process.argv.slice(2));
+
+try {
+  if (options.help || command === 'help') {
+    printHelp();
+  } else if (command === 'login') {
+    await login(options);
+  } else if (command === 'status') {
+    printStatus(options);
+  } else if (command === 'logout') {
+    logout(options);
+  } else {
+    throw new Error(`Unknown command: ${command}`);
+  }
+} catch (error) {
+  console.error(`Nado MCP auth failed: ${error instanceof Error ? error.message : String(error)}`);
+  process.exitCode = 1;
+}
+
+function parseCli(argv) {
+  let command = 'login';
+  let args = argv;
+  if (argv[0] && !argv[0].startsWith('-')) {
+    command = argv[0];
+    args = argv.slice(1);
+  }
+
+  const options = {
+    provider: 'google',
+    port: 0,
+    envFile: process.env.NADO_MCP_AUTH_ENV_FILE || defaultAuthEnvFile(),
+    supabaseUrl: process.env.NADO_MCP_SUPABASE_URL || process.env.EXPO_PUBLIC_SUPABASE_URL || DEFAULT_SUPABASE_URL,
+    anonKey: process.env.NADO_MCP_SUPABASE_ANON_KEY || process.env.EXPO_PUBLIC_SUPABASE_ANON_KEY || DEFAULT_SUPABASE_ANON_KEY,
+    redirectMode: 'azure',
+    relayUrl: process.env.NADO_MCP_AUTH_RELAY_URL || DEFAULT_RELAY_URL,
+    noOpen: false,
+    timeoutMs: 300_000,
+    help: false,
+  };
+
+  for (let i = 0; i < args.length; i += 1) {
+    const arg = args[i];
+    const [flag, inlineValue] = arg.includes('=') ? arg.split(/=(.*)/s, 2) : [arg, undefined];
+    const readValue = () => {
+      if (inlineValue !== undefined) return inlineValue;
+      i += 1;
+      if (i >= args.length) throw new Error(`Missing value for ${flag}`);
+      return args[i];
+    };
+
+    if (flag === '--provider') options.provider = readValue();
+    else if (flag === '--port') options.port = Number(readValue());
+    else if (flag === '--auth-file') options.envFile = resolvePath(readValue());
+    else if (flag === '--supabase-url') options.supabaseUrl = readValue();
+    else if (flag === '--anon-key') options.anonKey = readValue();
+    else if (flag === '--redirect-mode') options.redirectMode = readValue();
+    else if (flag === '--relay-url') options.relayUrl = readValue();
+    else if (flag === '--timeout-ms') options.timeoutMs = Number(readValue());
+    else if (flag === '--no-open') options.noOpen = true;
+    else if (flag === '--help' || flag === '-h') options.help = true;
+    else throw new Error(`Unknown option: ${arg}`);
+  }
+
+  options.supabaseUrl = normalizeUrl(options.supabaseUrl);
+  options.redirectMode = String(options.redirectMode || '').toLowerCase();
+  if (!Number.isFinite(options.port) || options.port < 0 || options.port > 65535) {
+    throw new Error('--port must be between 0 and 65535');
+  }
+  if (!SUPPORTED_REDIRECT_MODES.has(options.redirectMode)) {
+    throw new Error('--redirect-mode must be azure or local');
+  }
+  if (!Number.isFinite(options.timeoutMs) || options.timeoutMs < 1000) {
+    throw new Error('--timeout-ms must be at least 1000');
+  }
+
+  return { command, options };
+}
+
+function defaultAuthEnvFile() {
+  if (isRepoCheckout()) return path.join(repoRoot, '.env.mcp.local');
+  return defaultUserAuthEnvFile();
+}
+
+function isRepoCheckout() {
+  return existsSync(path.join(repoRoot, 'mcp', 'nado-language-server.mjs'));
+}
+
+function defaultUserAuthEnvFile() {
+  if (process.platform === 'win32') {
+    return path.join(process.env.APPDATA || path.join(os.homedir(), 'AppData', 'Roaming'), 'Nado', 'MCP', 'auth.env');
+  }
+  if (process.platform === 'darwin') {
+    return path.join(os.homedir(), 'Library', 'Application Support', 'Nado', 'MCP', 'auth.env');
+  }
+  return path.join(process.env.XDG_CONFIG_HOME || path.join(os.homedir(), '.config'), 'nado', 'mcp', 'auth.env');
+}
+
+async function login(options) {
+  const provider = String(options.provider || '').toLowerCase();
+  if (provider === 'naver') {
+    throw new Error('Naver login is not available for local MCP auth yet because the Naver Edge Function uses fixed redirect URLs. Use google, kakao, or apple.');
+  }
+  if (!SUPPORTED_PROVIDERS.has(provider)) {
+    throw new Error(`Unsupported provider: ${provider}. Use google, kakao, or apple.`);
+  }
+
+  const codeVerifier = base64Url(randomBytes(48));
+  const codeChallenge = base64Url(createHash('sha256').update(codeVerifier).digest());
+  const state = base64Url(randomBytes(24));
+
+  let settled = false;
+  let server;
+
+  const sessionPromise = new Promise((resolve, reject) => {
+    server = http.createServer(async (request, response) => {
+      try {
+        const url = new URL(request.url || '/', 'http://127.0.0.1');
+        if (url.pathname !== '/callback') {
+          sendHtml(response, 404, 'Nado MCP Auth', 'Unknown callback path.');
+          return;
+        }
+        if (settled) {
+          sendHtml(response, 200, 'Nado MCP Auth', 'Login already completed. You can close this tab.');
+          return;
+        }
+
+        const oauthError = url.searchParams.get('error_description') || url.searchParams.get('error');
+        if (oauthError) throw new Error(oauthError);
+        if (url.searchParams.get('state') !== state) throw new Error('Invalid OAuth state.');
+
+        const code = url.searchParams.get('code');
+        if (!code) throw new Error('Missing OAuth code.');
+
+        const session = await exchangeCodeForSession({
+          supabaseUrl: options.supabaseUrl,
+          anonKey: options.anonKey,
+          code,
+          codeVerifier,
+        });
+        const user = await fetchUser(options.supabaseUrl, options.anonKey, session.access_token);
+
+        writeAuthEnv(options.envFile, {
+          NADO_MCP_SUPABASE_URL: options.supabaseUrl,
+          NADO_MCP_SUPABASE_ANON_KEY: options.anonKey,
+          NADO_MCP_ACCESS_TOKEN: session.access_token,
+          NADO_MCP_REFRESH_TOKEN: session.refresh_token,
+        });
+
+        settled = true;
+        sendHtml(response, 200, 'Nado MCP Auth', 'Login completed. You can close this tab and return to the terminal.');
+        resolve({ session, user });
+      } catch (error) {
+        settled = true;
+        const message = error instanceof Error ? error.message : String(error);
+        sendHtml(response, 500, 'Nado MCP Auth Failed', message);
+        reject(error);
+      }
+    });
+  });
+
+  await listen(server, Number(options.port || 0));
+  const address = server.address();
+  if (!address || typeof address === 'string') throw new Error('Failed to allocate local callback port.');
+
+  const localCallbackUrl = new URL(`http://127.0.0.1:${address.port}/callback`);
+  localCallbackUrl.searchParams.set('state', state);
+  const redirectTo = buildRedirectTo(options, localCallbackUrl.toString());
+  const authUrl = buildAuthorizeUrl({
+    supabaseUrl: options.supabaseUrl,
+    provider,
+    redirectTo,
+    codeChallenge,
+  });
+
+  console.log(`Opening browser for Nado MCP login (${provider}).`);
+  console.log(`Local callback: ${localCallbackUrl.toString()}`);
+  if (options.redirectMode === 'azure') console.log(`Azure relay: ${options.relayUrl}`);
+  if (!options.noOpen) openBrowser(authUrl);
+  console.log(`If the browser did not open, visit:\n${authUrl}`);
+
+  let timeoutId;
+  const timeout = new Promise((_, reject) => {
+    timeoutId = setTimeout(() => reject(new Error('Timed out waiting for browser login.')), options.timeoutMs);
+  });
+
+  try {
+    const { user } = await Promise.race([sessionPromise, timeout]);
+    console.log(`Authenticated: ${user.email || user.id || 'unknown user'}`);
+    console.log(`Saved MCP auth tokens to ${options.envFile}`);
+  } finally {
+    if (timeoutId) clearTimeout(timeoutId);
+    await closeServer(server);
+  }
+}
+
+function buildRedirectTo(options, localCallbackUrl) {
+  if (options.redirectMode === 'local') return localCallbackUrl;
+
+  const relayUrl = new URL(options.relayUrl);
+  if (relayUrl.protocol !== 'https:') {
+    throw new Error('--relay-url must be an HTTPS URL when --redirect-mode azure is used.');
+  }
+  relayUrl.searchParams.set('local_callback', localCallbackUrl);
+  return relayUrl.toString();
+}
+
+function printStatus(options) {
+  const values = readEnvFile(options.envFile);
+  const accessToken = process.env.NADO_MCP_ACCESS_TOKEN || values.NADO_MCP_ACCESS_TOKEN || process.env.NADO_ACCESS_TOKEN || '';
+  const refreshToken = process.env.NADO_MCP_REFRESH_TOKEN || values.NADO_MCP_REFRESH_TOKEN || process.env.NADO_REFRESH_TOKEN || '';
+  const email = process.env.NADO_MCP_EMAIL || values.NADO_MCP_EMAIL || '';
+
+  console.log(`Env file: ${options.envFile}`);
+  console.log(`Access token: ${accessToken ? `present${tokenExpiryText(accessToken)}` : 'missing'}`);
+  console.log(`Refresh token: ${refreshToken ? 'present' : 'missing'}`);
+  console.log(`Email/password fallback: ${email ? `configured for ${email}` : 'missing'}`);
+}
+
+function logout(options) {
+  if (!existsSync(options.envFile)) {
+    console.log(`No auth env file found at ${options.envFile}`);
+    return;
+  }
+  removeEnvKeys(options.envFile, [
+    'NADO_MCP_ACCESS_TOKEN',
+    'NADO_MCP_REFRESH_TOKEN',
+  ]);
+  console.log(`Removed MCP auth tokens from ${options.envFile}`);
+}
+
+function buildAuthorizeUrl({ supabaseUrl, provider, redirectTo, codeChallenge }) {
+  const params = new URLSearchParams({
+    provider,
+    redirect_to: redirectTo,
+    code_challenge: codeChallenge,
+    code_challenge_method: 's256',
+  });
+  if (provider === 'kakao') params.set('scope', 'account_email');
+  return `${supabaseUrl}/auth/v1/authorize?${params.toString()}`;
+}
+
+async function exchangeCodeForSession({ supabaseUrl, anonKey, code, codeVerifier }) {
+  const response = await fetch(`${supabaseUrl}/auth/v1/token?grant_type=pkce`, {
+    method: 'POST',
+    headers: {
+      apikey: anonKey,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      auth_code: code,
+      code_verifier: codeVerifier,
+    }),
+  });
+  const body = await readJsonResponse(response);
+  if (!response.ok || !body.access_token || !body.refresh_token) {
+    throw new Error(`Token exchange failed (${response.status}): ${body.error_description || body.error || body.msg || 'missing session tokens'}`);
+  }
+  return body;
+}
+
+async function fetchUser(supabaseUrl, anonKey, accessToken) {
+  const response = await fetch(`${supabaseUrl}/auth/v1/user`, {
+    method: 'GET',
+    headers: {
+      apikey: anonKey,
+      Authorization: `Bearer ${accessToken}`,
+    },
+  });
+  const body = await readJsonResponse(response);
+  if (!response.ok) {
+    throw new Error(`User validation failed (${response.status}): ${body.error_description || body.error || body.msg || 'unknown error'}`);
+  }
+  return body;
+}
+
+async function readJsonResponse(response) {
+  const text = await response.text();
+  if (!text) return {};
+  try {
+    return JSON.parse(text);
+  } catch {
+    return { raw: text };
+  }
+}
+
+function openBrowser(url) {
+  const platform = os.platform();
+  const command = platform === 'darwin' ? 'open' : platform === 'win32' ? 'cmd' : 'xdg-open';
+  const args = platform === 'win32' ? ['/c', 'start', '', url] : [url];
+  try {
+    const child = spawn(command, args, { detached: true, stdio: 'ignore' });
+    child.on('error', () => {
+      console.error('Could not open the browser automatically. Use the printed URL.');
+    });
+    child.unref();
+  } catch {
+    console.error('Could not open the browser automatically. Use the printed URL.');
+  }
+}
+
+function writeAuthEnv(filePath, updates) {
+  mkdirSync(path.dirname(filePath), { recursive: true });
+  const nextUpdates = Object.fromEntries(
+    Object.entries(updates).filter(([, value]) => typeof value === 'string' && value.length > 0),
+  );
+  const seen = new Set();
+  const existingLines = existsSync(filePath) ? readFileSync(filePath, 'utf8').split(/\r?\n/) : [];
+  const lines = existingLines.map((line) => {
+    const parsed = parseEnvLine(line);
+    if (!parsed || !(parsed.key in nextUpdates)) return line;
+    seen.add(parsed.key);
+    return `${parsed.key}=${formatEnvValue(nextUpdates[parsed.key])}`;
+  });
+
+  for (const [key, value] of Object.entries(nextUpdates)) {
+    if (!seen.has(key)) lines.push(`${key}=${formatEnvValue(value)}`);
+  }
+
+  writeFileSync(filePath, `${trimTrailingEmptyLines(lines).join('\n')}\n`, { mode: 0o600 });
+  try {
+    chmodSync(filePath, 0o600);
+  } catch {
+    // Best effort. Some filesystems do not support chmod.
+  }
+}
+
+function removeEnvKeys(filePath, keys) {
+  const remove = new Set(keys);
+  const lines = readFileSync(filePath, 'utf8')
+    .split(/\r?\n/)
+    .filter((line) => {
+      const parsed = parseEnvLine(line);
+      return !parsed || !remove.has(parsed.key);
+    });
+  writeFileSync(filePath, `${trimTrailingEmptyLines(lines).join('\n')}\n`, { mode: 0o600 });
+}
+
+function readEnvFile(filePath) {
+  if (!existsSync(filePath)) return {};
+  const values = {};
+  for (const line of readFileSync(filePath, 'utf8').split(/\r?\n/)) {
+    const parsed = parseEnvLine(line);
+    if (parsed) values[parsed.key] = parsed.value;
+  }
+  return values;
+}
+
+function parseEnvLine(line) {
+  const trimmed = line.trim();
+  if (!trimmed || trimmed.startsWith('#')) return null;
+
+  const withoutExport = trimmed.startsWith('export ') ? trimmed.slice('export '.length).trimStart() : trimmed;
+  const separator = withoutExport.indexOf('=');
+  if (separator <= 0) return null;
+
+  const key = withoutExport.slice(0, separator).trim();
+  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) return null;
+
+  let value = withoutExport.slice(separator + 1).trim();
+  const quote = value[0];
+  if ((quote === '"' || quote === "'") && value.endsWith(quote)) {
+    value = value.slice(1, -1);
+  } else {
+    value = value.replace(/\s+#.*$/, '').trim();
+  }
+
+  return { key, value };
+}
+
+function trimTrailingEmptyLines(lines) {
+  const copy = [...lines];
+  while (copy.length > 0 && copy[copy.length - 1] === '') copy.pop();
+  return copy;
+}
+
+function tokenExpiryText(token) {
+  const expiresAt = jwtExpiresAtMs(token);
+  if (!expiresAt) return '';
+  return `, expires ${new Date(expiresAt).toISOString()}`;
+}
+
+function jwtExpiresAtMs(token) {
+  const parts = String(token || '').split('.');
+  if (parts.length < 2) return null;
+  try {
+    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
+    const exp = Number(payload.exp);
+    return Number.isFinite(exp) ? exp * 1000 : null;
+  } catch {
+    return null;
+  }
+}
+
+function formatEnvValue(value) {
+  if (/^[A-Za-z0-9_./:@-]+$/.test(value)) return value;
+  return JSON.stringify(value);
+}
+
+function base64Url(buffer) {
+  return Buffer.from(buffer).toString('base64url');
+}
+
+function normalizeUrl(value) {
+  return String(value || '').replace(/\/+$/, '');
+}
+
+function resolvePath(value) {
+  return path.isAbsolute(value) ? value : path.resolve(process.cwd(), value);
+}
+
+function listen(server, port) {
+  return new Promise((resolve, reject) => {
+    server.once('error', reject);
+    server.listen(port, '127.0.0.1', () => {
+      server.off('error', reject);
+      resolve();
+    });
+  });
+}
+
+function closeServer(server) {
+  return new Promise((resolve) => {
+    if (!server.listening) {
+      resolve();
+      return;
+    }
+    server.close(() => resolve());
+  });
+}
+
+function sendHtml(response, status, title, message) {
+  response.writeHead(status, { 'content-type': 'text/html; charset=utf-8' });
+  response.end(`<!doctype html><html><head><meta charset="utf-8"><title>${escapeHtml(title)}</title></head><body><h1>${escapeHtml(title)}</h1><p>${escapeHtml(message)}</p></body></html>`);
+}
+
+function escapeHtml(value) {
+  return String(value)
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}
+
+function printHelp() {
+  console.log(`Nado Language MCP browser auth
+
+Usage:
+  nado-mcp login [--provider google|kakao|apple]
+  nado-mcp status
+  nado-mcp logout
+
+Repo checkout aliases:
+  npm run mcp:nado:auth -- [login] [--provider google|kakao|apple]
+  npm run mcp:nado:auth -- status
+  npm run mcp:nado:auth -- logout
+
+Options:
+  --provider <name>       OAuth provider for login. Default: google
+  --auth-file <path>      Auth env file to write. Default: OS user config in package installs, .env.mcp.local in repo checkouts
+  --port <number>         Local callback port. Default: 0 (random)
+  --redirect-mode <mode>  azure or local. Default: azure
+  --relay-url <url>       Azure Static Web Apps relay URL. Default: ${DEFAULT_RELAY_URL}
+  --no-open               Print the URL without opening a browser
+  --timeout-ms <number>   Login wait timeout. Default: 300000
+  --supabase-url <url>    Supabase project URL
+  --anon-key <key>        Supabase anon key
+
+Default mode uses the existing Azure Static Web Apps site as a zero-new-resource
+OAuth relay. Supabase Auth must allow this redirect URL:
+  ${DEFAULT_RELAY_URL}
+
+The optional local mode requires Supabase Auth to allow:
+  http://127.0.0.1:*/callback
+`);
+}