@nevermined-io/cli 1.3.2 → 1.4.1

package/dist/utils/orgs.js

@@ -0,0 +1,65 @@
+import { createInterface } from 'readline';
+/**
+ * Resolve which organisation a top-level CLI widget flow should be
+ * scoped to.
+ *
+ * Rules (mirror the acceptance criteria in issue #1671):
+ *  - `--org <id>` wins outright (we don't double-check membership — the
+ *    backend's `POST /widgets/session/self` will reject if the user
+ *    isn't a member).
+ *  - Otherwise call `payments.organizations.getMyMemberships()`:
+ *      - 0 → exit with the "card setup is only available to org members"
+ *        message.
+ *      - 1 → use it silently.
+ *      - 2+ → if the terminal is interactive, prompt the user to pick;
+ *        otherwise exit non-zero with "Pass --org <id>".
+ *
+ * Errors thrown by this helper are formatted to be safe to print
+ * directly with `BaseCommand.handleError`.
+ */
+export async function resolveOrgIdInteractive(opts) {
+    if (opts.flagOrgId) {
+        return { orgId: opts.flagOrgId, orgName: '' };
+    }
+    const memberships = await opts.payments.organizations.getMyMemberships();
+    if (!memberships || memberships.length === 0) {
+        throw new Error('Card setup is only available to members of an organization. Create or join one in the dashboard, then re-run this command.');
+    }
+    if (memberships.length === 1) {
+        const m = memberships[0];
+        return { orgId: m.orgId, orgName: m.orgName ?? '' };
+    }
+    const isTTY = opts.isTTY ?? process.stdin.isTTY;
+    if (!isTTY) {
+        throw new Error(`Multiple organizations found (${memberships.length}). Pass --org <id> to specify which organization to use.`);
+    }
+    opts.log('You are a member of multiple organizations:');
+    memberships.forEach((m, idx) => {
+        const role = m.role ? ` — ${m.role}` : '';
+        opts.log(`  ${idx + 1}. ${m.orgName ?? m.orgId}${role}  (${m.orgId})`);
+    });
+    const pick = await promptIndex(memberships.length, '> Select an organization [1]: ');
+    const chosen = memberships[pick - 1];
+    return { orgId: chosen.orgId, orgName: chosen.orgName ?? '' };
+}
+async function promptIndex(max, prompt) {
+    return new Promise((resolve, reject) => {
+        const rl = createInterface({ input: process.stdin, output: process.stdout });
+        rl.question(prompt, (answer) => {
+            rl.close();
+            const trimmed = answer.trim();
+            // Default to 1 when the user just hits Enter — matches the "[1]" in
+            // the prompt and gives interactive users a single-keystroke happy
+            // path when the first org is the one they want.
+            if (trimmed === '')
+                return resolve(1);
+            const n = Number(trimmed);
+            if (!Number.isInteger(n) || n < 1 || n > max) {
+                reject(new Error(`Please enter a number between 1 and ${max}.`));
+                return;
+            }
+            resolve(n);
+        });
+    });
+}
+//# sourceMappingURL=orgs.js.map

package/dist/utils/orgs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"orgs.js","sourceRoot":"","sources":["../../src/utils/orgs.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAmB1C;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,IAAyB;IAEzB,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,SAAS,EAAE,OAAO,EAAE,EAAE,EAAE,CAAA;IAC/C,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,gBAAgB,EAAE,CAAA;IACxE,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CACb,4HAA4H,CAC7H,CAAA;IACH,CAAC;IAED,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,MAAM,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAA;QACxB,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,IAAI,EAAE,EAAE,CAAA;IACrD,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,CAAA;IAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,iCAAiC,WAAW,CAAC,MAAM,0DAA0D,CAC9G,CAAA;IACH,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAA;IACvD,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE;QAC7B,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;QACzC,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,KAAK,GAAG,CAAC,CAAA;IACxE,CAAC,CAAC,CAAA;IAEF,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,WAAW,CAAC,MAAM,EAAE,gCAAgC,CAAC,CAAA;IACpF,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,GAAG,CAAC,CAAC,CAAA;IACpC,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,EAAE,EAAE,CAAA;AAC/D,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,GAAW,EAAE,MAAc;IACpD,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC7C,MAAM,EAAE,GAAG,eAAe,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;QAC5E,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,MAAM,EAAE,EAAE;YAC7B,EAAE,CAAC,KAAK,EAAE,CAAA;YACV,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAA;YAC7B,oEAAoE;YACpE,kEAAkE;YAClE,gDAAgD;YAChD,IAAI,OAAO,KAAK,EAAE;gBAAE,OAAO,OAAO,CAAC,CAAC,CAAC,CAAA;YACrC,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,CAAA;YACzB,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;gBAC7C,MAAM,CAAC,IAAI,KAAK,CAAC,uCAAuC,GAAG,GAAG,CAAC,CAAC,CAAA;gBAChE,OAAM;YACR,CAAC;YACD,OAAO,CAAC,CAAC,CAAC,CAAA;QACZ,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC"}

package/dist/utils/widget-redirect-flow.d.ts

@@ -0,0 +1,83 @@
+export interface WidgetRedirectFlowOptions {
+    /** Frontend base URL — e.g. `Environments[env].frontend`. */
+    frontendUrl: string;
+    /**
+     * Relative embed path the CLI wants to open, e.g.
+     * `/embed/cards/setup` or `/embed/cards/enroll`.
+     */
+    embedPath: string;
+    /**
+     * Called once the local callback server is listening, with the bound
+     * `returnUrl`. The caller mints a widget session against that URL and
+     * returns the resulting `sessionToken`. Splitting it this way lets
+     * the backend validate `returnUrl` at session-creation time (the
+     * spec'd contract) — minting before the port is known would leave
+     * the backend's pre-flight allow-list check with no URL to verify.
+     */
+    mintSession: (args: {
+        returnUrl: string;
+    }) => Promise<{
+        sessionToken: string;
+    }>;
+    /** Extra query params to forward to the embed page (e.g. `provider=stripe`, `paymentMethodId=pm_x`). */
+    extraSearchParams?: Record<string, string>;
+    /** If true, prints the URL instead of opening the browser. */
+    noBrowser?: boolean;
+    /** Caller-supplied logger / printer. The login command uses oclif's formatter; this is the same shape. */
+    log: (msg: string) => void;
+    /** Suggested success-page wording — keeps the wording aligned with whichever command is calling. */
+    successPageTitle?: string;
+    /** Suggested timeout-error wording — keeps it specific to the calling command instead of "Card setup ..." for everything. */
+    timeoutMessage?: string;
+}
+export interface WidgetRedirectFlowResult {
+    /** Echoed `state` value — the helper has already verified it matches. */
+    state: string;
+    /** All query params the embed page redirected with (paymentMethodId, delegationId, …). */
+    query: Record<string, string>;
+}
+/**
+ * Shared redirect-mode handshake for any CLI command that hands the user
+ * off to an `/embed/*` page and waits for a localhost callback.
+ *
+ * Flow:
+ *   1. Bind a one-shot HTTP server on `127.0.0.1:0` (the OS picks a free port).
+ *   2. Compute `returnUrl = http://127.0.0.1:<port>/callback` and hand it
+ *      to `opts.mintSession`. The caller mints a widget session bound to
+ *      that exact returnUrl (which the backend can validate against the
+ *      session-specific allow-list at creation time). We use the literal
+ *      `127.0.0.1` rather than `localhost` because the server binds to
+ *      `127.0.0.1` and Node 17+ resolves `localhost` to `::1` first on
+ *      modern hosts — the browser would stall on the IPv6 attempt before
+ *      falling back to IPv4.
+ *   3. Open the browser at `{frontend}/embed/<path>?sessionToken=…&returnUrl=…&state=<rand>`.
+ *   4. Resolve when the embed page redirects to `/callback?…&state=<echo>`.
+ *      `state` is compared in constant time.
+ *
+ * Rejects on bind failure, mint failure, 5-minute timeout, or
+ * state-mismatched callback (the bad request gets a styled error page
+ * and the server stays alive — the legitimate callback can still land).
+ */
+export declare function runWidgetRedirectFlow(opts: WidgetRedirectFlowOptions): Promise<WidgetRedirectFlowResult>;
+/**
+ * POST to the `/widgets/session/self` endpoint with the caller's NVM
+ * API key. Lives here (not in the SDK) because v1 only wires this up
+ * for the CLI redirect flow — when the SDK exposes
+ * `payments.widgets.createSelfSession()` we can swap this for the SDK
+ * call without touching command callers.
+ */
+export interface SelfMintSessionResponse {
+    sessionToken: string;
+    userId: string;
+    userWallet: string;
+    apiKeyHash: string;
+    expiresAt: string;
+    isReturnUrlAllowed?: boolean | null;
+}
+export declare function mintSelfWidgetSession(args: {
+    backendUrl: string;
+    nvmApiKey: string;
+    orgId: string;
+    returnUrl?: string;
+}): Promise<SelfMintSessionResponse>;
+//# sourceMappingURL=widget-redirect-flow.d.ts.map

package/dist/utils/widget-redirect-flow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"widget-redirect-flow.d.ts","sourceRoot":"","sources":["../../src/utils/widget-redirect-flow.ts"],"names":[],"mappings":"AAgCA,MAAM,WAAW,yBAAyB;IACxC,6DAA6D;IAC7D,WAAW,EAAE,MAAM,CAAA;IACnB;;;OAGG;IACH,SAAS,EAAE,MAAM,CAAA;IACjB;;;;;;;OAOG;IACH,WAAW,EAAE,CAAC,IAAI,EAAE;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,KAAK,OAAO,CAAC;QAAE,YAAY,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAC/E,wGAAwG;IACxG,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAC1C,8DAA8D;IAC9D,SAAS,CAAC,EAAE,OAAO,CAAA;IACnB,0GAA0G;IAC1G,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;IAC1B,oGAAoG;IACpG,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,6HAA6H;IAC7H,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB;AAED,MAAM,WAAW,wBAAwB;IACvC,yEAAyE;IACzE,KAAK,EAAE,MAAM,CAAA;IACb,0FAA0F;IAC1F,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAC9B;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,yBAAyB,GAC9B,OAAO,CAAC,wBAAwB,CAAC,CAqHnC;AAgED;;;;;;GAMG;AACH,MAAM,WAAW,uBAAuB;IACtC,YAAY,EAAE,MAAM,CAAA;IACpB,MAAM,EAAE,MAAM,CAAA;IACd,UAAU,EAAE,MAAM,CAAA;IAClB,UAAU,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;IACjB,kBAAkB,CAAC,EAAE,OAAO,GAAG,IAAI,CAAA;CACpC;AAiBD,wBAAsB,qBAAqB,CAAC,IAAI,EAAE;IAChD,UAAU,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;IACjB,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAyDnC"}

package/dist/utils/widget-redirect-flow.js

@@ -0,0 +1,259 @@
+import { createServer } from 'http';
+import { randomBytes, timingSafeEqual } from 'crypto';
+import { openBrowser } from './browser.js';
+const SELF_MINT_FETCH_TIMEOUT_MS = 15_000;
+/**
+ * Default timeout for a redirect-mode CLI flow. Mirrors the existing
+ * `nvm login` callback timeout — 5 minutes is enough for the user to
+ * tab into the browser, complete a card enrolment + delegation, and
+ * land back at the CLI.
+ */
+const REDIRECT_TIMEOUT_MS = 5 * 60 * 1000;
+/**
+ * Constant-time string equality for the CSRF `state` nonce. The state we
+ * issue is a 32-char hex string (`randomBytes(16).toString('hex')`), so
+ * we ALWAYS allocate fixed 16-byte buffers from `hex` regardless of the
+ * caller-supplied value's encoding. Computing buffer length from string
+ * length would diverge on non-ASCII input (`a.length` is UTF-16 code
+ * units; `Buffer.from(a, 'utf8').length` is byte count), and a crafted
+ * non-hex `received` could otherwise throw inside `timingSafeEqual`.
+ *
+ * Inputs must already have been verified to be 32 hex chars by the
+ * caller (or we reject up front).
+ */
+function safeEqualHexState(received, expected) {
+    if (!/^[0-9a-f]{32}$/i.test(received) || !/^[0-9a-f]{32}$/i.test(expected))
+        return false;
+    return timingSafeEqual(Buffer.from(received, 'hex'), Buffer.from(expected, 'hex'));
+}
+/**
+ * Shared redirect-mode handshake for any CLI command that hands the user
+ * off to an `/embed/*` page and waits for a localhost callback.
+ *
+ * Flow:
+ *   1. Bind a one-shot HTTP server on `127.0.0.1:0` (the OS picks a free port).
+ *   2. Compute `returnUrl = http://127.0.0.1:<port>/callback` and hand it
+ *      to `opts.mintSession`. The caller mints a widget session bound to
+ *      that exact returnUrl (which the backend can validate against the
+ *      session-specific allow-list at creation time). We use the literal
+ *      `127.0.0.1` rather than `localhost` because the server binds to
+ *      `127.0.0.1` and Node 17+ resolves `localhost` to `::1` first on
+ *      modern hosts — the browser would stall on the IPv6 attempt before
+ *      falling back to IPv4.
+ *   3. Open the browser at `{frontend}/embed/<path>?sessionToken=…&returnUrl=…&state=<rand>`.
+ *   4. Resolve when the embed page redirects to `/callback?…&state=<echo>`.
+ *      `state` is compared in constant time.
+ *
+ * Rejects on bind failure, mint failure, 5-minute timeout, or
+ * state-mismatched callback (the bad request gets a styled error page
+ * and the server stays alive — the legitimate callback can still land).
+ */
+export async function runWidgetRedirectFlow(opts) {
+    const state = randomBytes(16).toString('hex');
+    return new Promise((resolve, reject) => {
+        let resolved = false;
+        let timeout;
+        const finalize = (err, value) => {
+            if (resolved)
+                return;
+            resolved = true;
+            if (timeout)
+                clearTimeout(timeout);
+            server.close();
+            if (err)
+                reject(err);
+            else if (value)
+                resolve(value);
+        };
+        const server = createServer((req, res) => {
+            const url = new URL(req.url || '/', 'http://localhost');
+            if (url.pathname !== '/callback') {
+                res.writeHead(404).end('Not found');
+                return;
+            }
+            const receivedState = url.searchParams.get('state');
+            if (!receivedState || !safeEqualHexState(receivedState, state)) {
+                // INTENTIONALLY do NOT close the server here. The state nonce
+                // is 128 bits of randomness, so brute-forcing one bad callback
+                // per request is infeasible. Closing on first 400 would let an
+                // attacker (or a misconfigured redirect) DoS the legitimate
+                // browser callback that's about to arrive. The 5-minute timer
+                // is the upper bound on how long we'll wait either way.
+                res.writeHead(400, { 'Content-Type': 'text/html' }).end(errorHtml('Callback rejected', 'State mismatch. This callback did not match the request that started the flow — close this tab and re-run the command.'));
+                return;
+            }
+            // Convert URLSearchParams → plain object, dropping the bookkeeping
+            // `state` field (the caller doesn't need to re-validate it).
+            const query = {};
+            for (const [key, value] of url.searchParams.entries()) {
+                if (key === 'state')
+                    continue;
+                query[key] = value;
+            }
+            res.writeHead(200, { 'Content-Type': 'text/html' }).end(successHtml(opts.successPageTitle ?? 'All done', 'You can close this tab and return to your terminal.'));
+            finalize(undefined, { state, query });
+        });
+        timeout = setTimeout(() => {
+            finalize(new Error(opts.timeoutMessage ?? 'Browser flow timed out after 5 minutes. Please try again.'));
+        }, REDIRECT_TIMEOUT_MS);
+        server.on('error', (err) => {
+            finalize(new Error(`Failed to start local callback server: ${err.message}`));
+        });
+        server.listen(0, '127.0.0.1', () => {
+            const addr = server.address();
+            if (!addr || typeof addr === 'string') {
+                finalize(new Error('Failed to obtain local callback port'));
+                return;
+            }
+            // Symmetric with the server bind above (`127.0.0.1` only). Using
+            // the `localhost` alias here would cause an IPv6 stall on modern
+            // Linux/macOS where Node's `dns.lookup` prefers `::1`. The backend
+            // returnUrl allow-list accepts both forms.
+            const returnUrl = `http://127.0.0.1:${addr.port}/callback`;
+            // Mint the session now that returnUrl is known. The backend's
+            // allow-list check at session creation can validate the URL the
+            // browser will actually be redirected to.
+            void (async () => {
+                let sessionToken;
+                try {
+                    const minted = await opts.mintSession({ returnUrl });
+                    sessionToken = minted.sessionToken;
+                }
+                catch (mintErr) {
+                    finalize(mintErr instanceof Error ? mintErr : new Error(String(mintErr)));
+                    return;
+                }
+                const browserUrl = buildEmbedUrl({
+                    frontendUrl: opts.frontendUrl,
+                    embedPath: opts.embedPath,
+                    sessionToken,
+                    returnUrl,
+                    state,
+                    extra: opts.extraSearchParams,
+                });
+                if (opts.noBrowser) {
+                    opts.log('Open this URL in your browser to continue:');
+                    opts.log('');
+                    opts.log(browserUrl);
+                    opts.log('');
+                    opts.log('Waiting for completion...');
+                }
+                else {
+                    opts.log('Opening browser...');
+                    openBrowser(browserUrl).catch(() => {
+                        opts.log('Could not open the browser automatically. Open this URL manually:');
+                        opts.log('');
+                        opts.log(browserUrl);
+                    });
+                    opts.log('Waiting for completion...');
+                }
+            })();
+        });
+    });
+}
+function buildEmbedUrl(opts) {
+    const url = new URL(opts.embedPath, opts.frontendUrl);
+    url.searchParams.set('sessionToken', opts.sessionToken);
+    url.searchParams.set('returnUrl', opts.returnUrl);
+    url.searchParams.set('state', opts.state);
+    if (opts.extra) {
+        for (const [k, v] of Object.entries(opts.extra)) {
+            url.searchParams.set(k, v);
+        }
+    }
+    return url.toString();
+}
+function successHtml(title, message) {
+    // Plain HTML, no third-party assets, no scripts. The page is shown
+    // once and the user closes the tab; keep it self-contained so a
+    // captive-portal-style network doesn't break the success state.
+    return buildHtmlPage(title, message, '#f8f9fa', '#0f5132', '#d1e7dd');
+}
+function errorHtml(title, message) {
+    // Same shell as the success page (so the layout looks consistent if
+    // the user sees both back-to-back), but tinted red so a state mismatch
+    // or other 4xx response is visually distinct from "we're done".
+    return buildHtmlPage(title, message, '#f8f9fa', '#842029', '#f8d7da');
+}
+function buildHtmlPage(title, message, pageBg, fgColor, panelBg) {
+    return `<!doctype html>
+<html><head><meta charset="utf-8"><title>${escapeHtml(title)}</title></head>
+<body style="font-family: system-ui, sans-serif; display:flex; align-items:center; justify-content:center; min-height:100vh; margin:0; background:${pageBg};">
+  <div style="text-align:center; max-width: 480px; padding: 24px; background:${panelBg}; color:${fgColor}; border-radius:8px;">
+    <h2 style="margin: 0 0 12px;">${escapeHtml(title)}</h2>
+    <p style="margin: 0;">${escapeHtml(message)}</p>
+  </div>
+</body></html>`;
+}
+function escapeHtml(value) {
+    return value
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
+/**
+ * Hosts a request to `mintSelfWidgetSession` may be sent over plaintext
+ * without warning. Loopback addresses are always safe; every other host
+ * must use `https:` because we're about to send the user's NVM API key
+ * in the `Authorization` header. The `custom` environment variable
+ * (`NVM_BACKEND_URL`) is the only realistic way a user could accidentally
+ * point this at a plaintext non-localhost URL.
+ */
+const LOOPBACK_HOSTNAMES = new Set([
+    'localhost',
+    '127.0.0.1',
+    '::1',
+    '[::1]',
+]);
+export async function mintSelfWidgetSession(args) {
+    const url = new URL('/api/v1/widgets/session/self', args.backendUrl);
+    // Refuse to send the API key over plaintext to a non-loopback host.
+    // All four built-in environments are `https://`, so this only bites
+    // when a user has set `NVM_BACKEND_URL` to a custom plaintext
+    // endpoint — exactly the case where they'd otherwise leak the key
+    // without realising.
+    if (url.protocol === 'http:' &&
+        !LOOPBACK_HOSTNAMES.has(url.hostname.toLowerCase())) {
+        throw new Error(`Refusing to send the NVM API key over plaintext to ${url.host}. Set NVM_BACKEND_URL to an https:// endpoint, or use a loopback host (localhost / 127.0.0.1 / [::1]).`);
+    }
+    // 15s ceiling for the request — without it, an unreachable backend
+    // (DNS failure, TLS handshake hang, network partition) leaves the CLI
+    // frozen with no output. `AbortSignal.timeout` (Node 17.3+) is the
+    // idiomatic replacement for a hand-rolled `AbortController` + setTimeout.
+    let response;
+    try {
+        response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${args.nvmApiKey}`,
+            },
+            body: JSON.stringify({
+                orgId: args.orgId,
+                ...(args.returnUrl ? { returnUrl: args.returnUrl } : {}),
+            }),
+            signal: AbortSignal.timeout(SELF_MINT_FETCH_TIMEOUT_MS),
+        });
+    }
+    catch (cause) {
+        if (cause instanceof Error && (cause.name === 'TimeoutError' || cause.name === 'AbortError')) {
+            throw new Error(`Self-mint widget session request timed out after ${SELF_MINT_FETCH_TIMEOUT_MS / 1000}s — check that ${args.backendUrl} is reachable.`);
+        }
+        throw cause;
+    }
+    if (!response.ok) {
+        const detail = await response
+            .json()
+            .catch(() => ({ message: response.statusText }));
+        const message = detail.message ??
+            `Self-mint widget session failed (HTTP ${response.status})`;
+        const err = new Error(message);
+        err.status = response.status;
+        err.apiCode = detail.code;
+        throw err;
+    }
+    return (await response.json());
+}
+//# sourceMappingURL=widget-redirect-flow.js.map

package/dist/utils/widget-redirect-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"widget-redirect-flow.js","sourceRoot":"","sources":["../../src/utils/widget-redirect-flow.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAmC,MAAM,MAAM,CAAA;AACpE,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAA;AAErD,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AAE1C,MAAM,0BAA0B,GAAG,MAAM,CAAA;AAEzC;;;;;GAKG;AACH,MAAM,mBAAmB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAA;AAEzC;;;;;;;;;;;GAWG;AACH,SAAS,iBAAiB,CAAC,QAAgB,EAAE,QAAgB;IAC3D,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAA;IACxF,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAA;AACpF,CAAC;AAsCD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,IAA+B;IAE/B,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAE7C,OAAO,IAAI,OAAO,CAA2B,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC/D,IAAI,QAAQ,GAAG,KAAK,CAAA;QACpB,IAAI,OAAkD,CAAA;QAEtD,MAAM,QAAQ,GAAG,CAAC,GAAW,EAAE,KAAgC,EAAQ,EAAE;YACvE,IAAI,QAAQ;gBAAE,OAAM;YACpB,QAAQ,GAAG,IAAI,CAAA;YACf,IAAI,OAAO;gBAAE,YAAY,CAAC,OAAO,CAAC,CAAA;YAClC,MAAM,CAAC,KAAK,EAAE,CAAA;YACd,IAAI,GAAG;gBAAE,MAAM,CAAC,GAAG,CAAC,CAAA;iBACf,IAAI,KAAK;gBAAE,OAAO,CAAC,KAAK,CAAC,CAAA;QAChC,CAAC,CAAA;QAED,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAoB,EAAE,GAAmB,EAAE,EAAE;YACxE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAA;YACvD,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBACjC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;gBACnC,OAAM;YACR,CAAC;YAED,MAAM,aAAa,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;YACnD,IAAI,CAAC,aAAa,IAAI,CAAC,iBAAiB,CAAC,aAAa,EAAE,KAAK,CAAC,EAAE,CAAC;gBAC/D,8DAA8D;gBAC9D,+DAA+D;gBAC/D,+DAA+D;gBAC/D,4DAA4D;gBAC5D,8DAA8D;gBAC9D,wDAAwD;gBACxD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC,GAAG,CACrD,SAAS,CACP,mBAAmB,EACnB,wHAAwH,CACzH,CACF,CAAA;gBACD,OAAM;YACR,CAAC;YAED,mEAAmE;YACnE,6DAA6D;YAC7D,MAAM,KAAK,GAA2B,EAAE,CAAA;YACxC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,EAAE,CAAC;gBACtD,IAAI,GAAG,KAAK,OAAO;oBAAE,SAAQ;gBAC7B,KAAK,CAAC,GAAG,CAAC,GAAG,KAAK,CAAA;YACpB,CAAC;YAED,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC,GAAG,CACrD,WAAW,CACT,IAAI,CAAC,gBAAgB,IAAI,UAAU,EACnC,qDAAqD,CACtD,CACF,CAAA;YACD,QAAQ,CAAC,SAAS,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAA;QACvC,CAAC,CAAC,CAAA;QAEF,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;YACxB,QAAQ,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,cAAc,IAAI,2DAA2D,CAAC,CAAC,CAAA;QACzG,CAAC,EAAE,mBAAmB,CAAC,CAAA;QAEvB,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,QAAQ,CAAC,IAAI,KAAK,CAAC,0CAA0C,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;QAC9E,CAAC,CAAC,CAAA;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YACjC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAA;YAC7B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACtC,QAAQ,CAAC,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC,CAAA;gBAC3D,OAAM;YACR,CAAC;YACD,iEAAiE;YACjE,iEAAiE;YACjE,mEAAmE;YACnE,2CAA2C;YAC3C,MAAM,SAAS,GAAG,oBAAoB,IAAI,CAAC,IAAI,WAAW,CAAA;YAE1D,8DAA8D;YAC9D,gEAAgE;YAChE,0CAA0C;YAC1C,KAAK,CAAC,KAAK,IAAI,EAAE;gBACf,IAAI,YAAoB,CAAA;gBACxB,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,EAAE,SAAS,EAAE,CAAC,CAAA;oBACpD,YAAY,GAAG,MAAM,CAAC,YAAY,CAAA;gBACpC,CAAC;gBAAC,OAAO,OAAO,EAAE,CAAC;oBACjB,QAAQ,CAAC,OAAO,YAAY,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAA;oBACzE,OAAM;gBACR,CAAC;gBAED,MAAM,UAAU,GAAG,aAAa,CAAC;oBAC/B,WAAW,EAAE,IAAI,CAAC,WAAW;oBAC7B,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,YAAY;oBACZ,SAAS;oBACT,KAAK;oBACL,KAAK,EAAE,IAAI,CAAC,iBAAiB;iBAC9B,CAAC,CAAA;gBAEF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;oBACnB,IAAI,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAA;oBACtD,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;oBACZ,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;oBACpB,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;oBACZ,IAAI,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAA;gBACvC,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAA;oBAC9B,WAAW,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;wBACjC,IAAI,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAA;wBAC7E,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;wBACZ,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;oBACtB,CAAC,CAAC,CAAA;oBACF,IAAI,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAA;gBACvC,CAAC;YACH,CAAC,CAAC,EAAE,CAAA;QACN,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC;AAWD,SAAS,aAAa,CAAC,IAA0B;IAC/C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,CAAA;IACrD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,YAAY,CAAC,CAAA;IACvD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,CAAA;IACjD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;IACzC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAChD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;QAC5B,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAA;AACvB,CAAC;AAED,SAAS,WAAW,CAAC,KAAa,EAAE,OAAe;IACjD,mEAAmE;IACnE,gEAAgE;IAChE,gEAAgE;IAChE,OAAO,aAAa,CAAC,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,CAAA;AACvE,CAAC;AAED,SAAS,SAAS,CAAC,KAAa,EAAE,OAAe;IAC/C,oEAAoE;IACpE,uEAAuE;IACvE,gEAAgE;IAChE,OAAO,aAAa,CAAC,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,CAAA;AACvE,CAAC;AAED,SAAS,aAAa,CACpB,KAAa,EACb,OAAe,EACf,MAAc,EACd,OAAe,EACf,OAAe;IAEf,OAAO;2CACkC,UAAU,CAAC,KAAK,CAAC;oJACwF,MAAM;+EAC3E,OAAO,WAAW,OAAO;oCACpE,UAAU,CAAC,KAAK,CAAC;4BACzB,UAAU,CAAC,OAAO,CAAC;;eAEhC,CAAA;AACf,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,KAAK;SACT,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;AAC3B,CAAC;AAkBD;;;;;;;GAOG;AACH,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;IACtD,WAAW;IACX,WAAW;IACX,KAAK;IACL,OAAO;CACR,CAAC,CAAA;AAEF,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,IAK3C;IACC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,8BAA8B,EAAE,IAAI,CAAC,UAAU,CAAC,CAAA;IAEpE,oEAAoE;IACpE,oEAAoE;IACpE,8DAA8D;IAC9D,kEAAkE;IAClE,qBAAqB;IACrB,IACE,GAAG,CAAC,QAAQ,KAAK,OAAO;QACxB,CAAC,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,EACnD,CAAC;QACD,MAAM,IAAI,KAAK,CACb,sDAAsD,GAAG,CAAC,IAAI,wGAAwG,CACvK,CAAA;IACH,CAAC;IAED,mEAAmE;IACnE,sEAAsE;IACtE,mEAAmE;IACnE,0EAA0E;IAC1E,IAAI,QAAkB,CAAA;IACtB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC1B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,aAAa,EAAE,UAAU,IAAI,CAAC,SAAS,EAAE;aAC1C;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACzD,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,0BAA0B,CAAC;SACxD,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,cAAc,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,CAAC,EAAE,CAAC;YAC7F,MAAM,IAAI,KAAK,CACb,oDAAoD,0BAA0B,GAAG,IAAI,kBAAkB,IAAI,CAAC,UAAU,gBAAgB,CACvI,CAAA;QACH,CAAC;QACD,MAAM,KAAK,CAAA;IACb,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,MAAM,GAAG,MAAM,QAAQ;aAC1B,IAAI,EAAE;aACN,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC,CAAA;QAClD,MAAM,OAAO,GACV,MAA+B,CAAC,OAAO;YACxC,yCAAyC,QAAQ,CAAC,MAAM,GAAG,CAAA;QAC7D,MAAM,GAAG,GAAG,IAAI,KAAK,CAAC,OAAO,CAAkD,CAAA;QAC/E,GAAG,CAAC,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAA;QAC5B,GAAG,CAAC,OAAO,GAAI,MAA4B,CAAC,IAAI,CAAA;QAChD,MAAM,GAAG,CAAA;IACX,CAAC;IACD,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAA;AAC3D,CAAC"}