@occam-scaly/scaly-cli 0.2.0 → 0.2.1

package/lib/scaly-api.js

@@ -1,6 +1,9 @@
 'use strict';
 
 const axios = require('axios');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
 
 const STAGE_ENDPOINTS = {
   prod: 'https://api.scalyapps.io/graphql',
@@ -27,7 +30,74 @@ function normalizeStage(stage) {
   return s;
 }
 
+function decodeBase64Url(input) {
+  const padLen = (4 - (input.length % 4)) % 4;
+  const padded =
+    input.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat(padLen);
+  return Buffer.from(padded, 'base64').toString('utf8');
+}
+
+function tryGetJwtExpSeconds(token) {
+  if (!token || typeof token !== 'string') return null;
+  const parts = token.split('.');
+  if (parts.length !== 3) return null;
+  try {
+    const payloadJson = decodeBase64Url(parts[1] || '');
+    const payload = JSON.parse(payloadJson);
+    const exp = payload && payload.exp;
+    return typeof exp === 'number' ? exp : null;
+  } catch {
+    return null;
+  }
+}
+
+function isJwtExpired(token, nowMs = Date.now()) {
+  const expSeconds = tryGetJwtExpSeconds(token);
+  if (!expSeconds) return false;
+  return nowMs >= expSeconds * 1000;
+}
+
+function resolveAuthStorePath() {
+  if (process.env.SCALY_AUTH_STORE_PATH)
+    return String(process.env.SCALY_AUTH_STORE_PATH);
+  const base =
+    process.env.SCALY_CONFIG_DIR ||
+    process.env.XDG_CONFIG_HOME ||
+    path.join(os.homedir(), '.config');
+  const primary = path.join(base, 'scaly', 'auth.json');
+  if (fs.existsSync(primary)) return primary;
+  const legacy = path.join(os.homedir(), '.scaly', 'auth.json');
+  if (fs.existsSync(legacy)) return legacy;
+  return primary;
+}
+
+function tryReadAuthStoreToken() {
+  const p = resolveAuthStorePath();
+  try {
+    const text = fs.readFileSync(p, 'utf8');
+    const obj = JSON.parse(text);
+    const token =
+      obj && typeof obj.access_token === 'string' ? obj.access_token : null;
+    if (!token) return null;
+    const expiresAtMs =
+      typeof obj.expires_at === 'number' ? obj.expires_at : null;
+    if (expiresAtMs && Date.now() >= expiresAtMs) return null;
+    if (isJwtExpired(token)) return null;
+    return token;
+  } catch {
+    return null;
+  }
+}
+
 function resolveAuth() {
+  const scalyApiKey = process.env.SCALY_API_KEY;
+
+  const oidcToken =
+    process.env.SCALY_OIDC_TOKEN || tryReadAuthStoreToken() || null;
+  if (oidcToken && scalyApiKey) {
+    return { mode: 'oidc', token: oidcToken, scalyApiKey };
+  }
+
   const bearer =
     process.env.SCALY_API_BEARER ||
     process.env.API_BEARER_TOKEN ||
@@ -36,7 +106,6 @@ function resolveAuth() {
     return { mode: 'bearer', token: bearer };
   }
 
-  const scalyApiKey = process.env.SCALY_API_KEY;
   const stage = normalizeStage(process.env.SCALY_STAGE);
   const appSyncApiKey =
     process.env.SCALY_APPSYNC_KEY ||
@@ -59,6 +128,12 @@ function buildHeaders(auth) {
   if (auth.mode === 'bearer') {
     return { authorization: `Bearer ${auth.token}` };
   }
+  if (auth.mode === 'oidc') {
+    return {
+      authorization: `Bearer ${auth.token}`,
+      'x-scaly-api-key': auth.scalyApiKey
+    };
+  }
   return {
     'x-api-key': auth.appSyncApiKey,
     'x-scaly-api-key': auth.scalyApiKey
@@ -70,7 +145,7 @@ async function graphqlRequest(query, variables) {
   const auth = resolveAuth();
   if (!auth) {
     const e = new Error(
-      'Missing auth. Provide SCALY_API_BEARER (or run `scaly login`) OR set SCALY_API_KEY.'
+      'Missing auth. Set SCALY_API_KEY. For advanced planning (add-ons), run `scaly auth login` to create a session token.'
     );
     e.code = 'SCALY_AUTH_MISSING';
     throw e;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@occam-scaly/scaly-cli",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Scaly CLI (auth + project config helpers)",
   "bin": {
     "scaly": "./bin/scaly.js"