@open-vibe-lab/open-sub-auth 0.1.0 → 0.1.1

package/dist/index.mjs

@@ -5,6 +5,7 @@ import { dirname, join } from "node:path";
 import { execFile } from "node:child_process";
 import { createServer } from "node:http";
 import { createInterface } from "node:readline";
+import { EnvHttpProxyAgent, setGlobalDispatcher } from "node:undici";
 //#region src/errors.ts
 var OpenSubAuthError = class extends Error {
 	constructor(message) {
@@ -28,7 +29,8 @@ var TokenExpiredError = class extends OpenSubAuthError {
 };
 var TokenRefreshError = class extends OpenSubAuthError {
 	constructor(provider, cause_) {
-		super(`Failed to refresh token for "${provider}": ${cause_ instanceof Error ? cause_.message : String(cause_)}`);
+		const causeType = cause_ instanceof Error ? cause_.constructor.name : typeof cause_;
+		super(`Failed to refresh token for "${provider}" (${causeType}). Check logs for details.`);
 		this.provider = provider;
 		this.cause_ = cause_;
 		this.name = "TokenRefreshError";
@@ -397,16 +399,23 @@ var KeychainStore = class {
 //#endregion
 //#region src/storage/store.ts
 /**
-* Create a token store, preferring the OS keychain with encrypted file fallback.
-* @param preferKeychain - If true (default), try keychain first
+* Create a token store.
+*
+* @param storeType
+*   - `"auto"` (default): try OS keychain first, fall back to encrypted file store
+*   - `"keychain"`: force OS keychain; throws AuthenticationError if unavailable
+*   - `"file"`: always use the encrypted file store (~/.open-sub-auth/credentials.json)
 */
-async function createTokenStore(preferKeychain = true) {
-	if (preferKeychain) try {
+async function createTokenStore(storeType = "auto") {
+	if (storeType === "file") return new FileStore();
+	try {
 		const store = new KeychainStore();
 		await store.get("__probe__", "__probe__");
 		return store;
-	} catch {}
-	return new FileStore();
+	} catch (err) {
+		if (storeType === "keychain") throw new AuthenticationError(`OS keychain is not available on this system: ${err instanceof Error ? err.message : String(err)}`);
+		return new FileStore();
+	}
 }
 //#endregion
 //#region src/core/browser.ts
@@ -604,10 +613,7 @@ async function exchangeCode(config, code, codeVerifier, redirectUri, state) {
 		headers: { "Content-Type": useJson ? "application/json" : "application/x-www-form-urlencoded" },
 		body: useJson ? JSON.stringify(params) : new URLSearchParams(params).toString()
 	});
-	if (!response.ok) {
-		const errorText = await response.text();
-		throw new OAuthCallbackError(`Token exchange failed (${response.status}): ${errorText}`);
-	}
+	if (!response.ok) throw new OAuthCallbackError(`Token exchange failed (HTTP ${response.status})`);
 	return parseTokenResponse(await response.json());
 }
 /** Refresh an access token using a refresh token */
@@ -623,10 +629,7 @@ async function refreshAccessToken(config, refreshToken) {
 		headers: { "Content-Type": useJson ? "application/json" : "application/x-www-form-urlencoded" },
 		body: useJson ? JSON.stringify(params) : new URLSearchParams(params).toString()
 	});
-	if (!response.ok) {
-		const errorText = await response.text();
-		throw new OAuthCallbackError(`Token refresh failed (${response.status}): ${errorText}`);
-	}
+	if (!response.ok) throw new OAuthCallbackError(`Token refresh failed (HTTP ${response.status})`);
 	return parseTokenResponse(await response.json());
 }
 /** Execute the full PKCE flow: generate params, open browser, wait for callback, exchange code */
@@ -728,6 +731,20 @@ var ClaudeProvider = class {
 	}
 	getAccountLabel(_tokenSet) {}
 };
+/**
+* Import a Claude OAuth token from the CLAUDE_CODE_OAUTH_TOKEN environment variable.
+* This token is used directly as the access token for API calls.
+*/
+function importClaudeTokenFromEnv() {
+	const token = process.env.CLAUDE_CODE_OAUTH_TOKEN;
+	if (!token) return null;
+	return {
+		accessToken: token,
+		refreshToken: null,
+		expiresAt: Date.now() + 36e5,
+		tokenType: "bearer"
+	};
+}
 registerProvider("claude", () => new ClaudeProvider());
 //#endregion
 //#region src/token/jwt.ts
@@ -822,6 +839,238 @@ function importFromCodexCli() {
 }
 registerProvider("openai-codex", () => new OpenAICodexProvider());
 //#endregion
-export { AuthenticationError, ClaudeProvider, FileStore, KeychainStore, NoCredentialError, OAuthCallbackError, OAuthTimeoutError, OpenAICodexProvider, OpenSubAuthError, ProviderNotFoundError, StateMismatchError, TokenExpiredError, TokenManager, TokenRefreshError, buildAuthorizationUrl, createTokenStore, decodeJWT, exchangeCode, executePKCEFlow, generateCodeChallenge, generateCodeVerifier, generatePKCE, generateState, getProvider, importFromCodexCli, listProviders, openBrowser, parseCodeAndState, promptForCode, refreshAccessToken, registerProvider, startCallbackServer };
+//#region src/core/oauth-device.ts
+/** Request a device code from the provider's device code endpoint */
+async function requestDeviceCode(config) {
+	if (!config.deviceCodeEndpoint) throw new OAuthCallbackError(`Provider "${config.name}" has no device code endpoint`);
+	const params = { client_id: config.clientId };
+	if (config.scopes?.length) params.scope = config.scopes.join(" ");
+	const useJson = config.tokenBodyFormat === "json";
+	const response = await fetch(config.deviceCodeEndpoint, {
+		method: "POST",
+		headers: {
+			"Content-Type": useJson ? "application/json" : "application/x-www-form-urlencoded",
+			Accept: "application/json"
+		},
+		body: useJson ? JSON.stringify(params) : new URLSearchParams(params).toString()
+	});
+	if (!response.ok) throw new OAuthCallbackError(`Device code request failed (HTTP ${response.status})`);
+	const data = await response.json();
+	const deviceCode = data.device_code;
+	const userCode = data.user_code;
+	const verificationUri = data.verification_uri ?? data.verification_url;
+	if (!deviceCode || !userCode || !verificationUri) throw new OAuthCallbackError("Invalid device code response: missing required fields");
+	return {
+		deviceCode,
+		userCode,
+		verificationUri,
+		verificationUriComplete: data.verification_uri_complete ?? data.verification_url_complete,
+		expiresIn: data.expires_in ?? 900,
+		interval: data.interval ?? 5
+	};
+}
+/**
+* Poll the token endpoint until authorization is granted, denied, or times out.
+* Handles authorization_pending / slow_down / expired_token error codes per RFC 8628.
+*/
+async function pollForToken(config, deviceCode, interval, expiresIn) {
+	const params = {
+		client_id: config.clientId,
+		device_code: deviceCode,
+		grant_type: "urn:ietf:params:oauth:grant-type:device_code"
+	};
+	const useJson = config.tokenBodyFormat === "json";
+	const deadline = Date.now() + expiresIn * 1e3;
+	let pollIntervalMs = interval * 1e3;
+	while (Date.now() < deadline) {
+		await sleep(pollIntervalMs);
+		const data = await (await fetch(config.tokenEndpoint, {
+			method: "POST",
+			headers: {
+				"Content-Type": useJson ? "application/json" : "application/x-www-form-urlencoded",
+				Accept: "application/json"
+			},
+			body: useJson ? JSON.stringify(params) : new URLSearchParams(params).toString()
+		})).json();
+		if (data.access_token) return parseDeviceTokenResponse(data);
+		const error = data.error;
+		if (error === "authorization_pending") continue;
+		if (error === "slow_down") {
+			pollIntervalMs += 5e3;
+			continue;
+		}
+		if (error === "expired_token") throw new OAuthTimeoutError(expiresIn * 1e3);
+		if (error === "access_denied") throw new OAuthCallbackError("User denied device authorization");
+		throw new OAuthCallbackError(`Device code token polling failed: ${error ?? "unknown error"}`);
+	}
+	throw new OAuthTimeoutError(expiresIn * 1e3);
+}
+/** Execute the full device code flow: request code, display to user, poll for token */
+async function executeDeviceCodeFlow(options) {
+	const { config, loginOptions } = options;
+	const deviceCode = await requestDeviceCode(config);
+	const displayInfo = {
+		userCode: deviceCode.userCode,
+		verificationUri: deviceCode.verificationUri,
+		expiresIn: deviceCode.expiresIn,
+		interval: deviceCode.interval
+	};
+	if (loginOptions?.onDeviceCode) loginOptions.onDeviceCode(displayInfo);
+	else {
+		openBrowser(deviceCode.verificationUriComplete ?? deviceCode.verificationUri);
+		process.stderr.write(`\nVisit: ${deviceCode.verificationUri}\nEnter code: ${deviceCode.userCode}\n\nWaiting for authorization...\n`);
+	}
+	return pollForToken(config, deviceCode.deviceCode, deviceCode.interval, deviceCode.expiresIn);
+}
+function sleep(ms) {
+	return new Promise((resolve) => setTimeout(resolve, ms));
+}
+/**
+* Parse device code token response.
+* Note: GitHub uses comma-separated scopes (unlike space-separated in PKCE flow).
+*/
+function parseDeviceTokenResponse(data) {
+	const accessToken = data.access_token;
+	if (!accessToken) throw new OAuthCallbackError("No access_token in device code token response");
+	const expiresIn = data.expires_in;
+	const expiresAt = expiresIn ? Date.now() + expiresIn * 1e3 : Date.now() + 8 * 3600 * 1e3;
+	const rawScope = data.scope;
+	const scopes = rawScope ? rawScope.split(/[, ]+/).filter(Boolean) : void 0;
+	return {
+		accessToken,
+		refreshToken: data.refresh_token ?? null,
+		expiresAt,
+		tokenType: (data.token_type ?? "bearer").toLowerCase(),
+		scopes,
+		raw: data
+	};
+}
+//#endregion
+//#region src/providers/github-copilot.ts
+const GITHUB_COPILOT_CONFIG = {
+	name: "github-copilot",
+	displayName: "GitHub Copilot",
+	tokenEndpoint: "https://github.com/login/oauth/access_token",
+	deviceCodeEndpoint: "https://github.com/login/device/code",
+	clientId: "Iv1.b507a08c87ecfe98",
+	scopes: ["gist"],
+	grantType: "device_code"
+};
+/** Copilot session token endpoint (internal GitHub API) */
+const COPILOT_SESSION_ENDPOINT = "https://api.github.com/copilot_internal/v2/token";
+/** Fetch a short-lived Copilot session token using a GitHub OAuth access token */
+async function fetchCopilotSessionToken(githubToken) {
+	const response = await fetch(COPILOT_SESSION_ENDPOINT, { headers: {
+		Authorization: `Bearer ${githubToken}`,
+		"Content-Type": "application/json"
+	} });
+	if (!response.ok) throw new OAuthCallbackError(`Copilot session token request failed (HTTP ${response.status})`);
+	const data = await response.json();
+	const token = data.token;
+	if (!token) throw new OAuthCallbackError("No token in Copilot session token response");
+	return {
+		token,
+		expiresAt: typeof data.expires_at === "number" ? data.expires_at * 1e3 : Date.now() + 1800 * 1e3
+	};
+}
+/** Fetch the authenticated GitHub user info for account labelling */
+async function fetchGitHubUser(githubToken) {
+	try {
+		const response = await fetch("https://api.github.com/user", { headers: { Authorization: `Bearer ${githubToken}` } });
+		if (!response.ok) return { login: "unknown" };
+		return await response.json();
+	} catch {
+		return { login: "unknown" };
+	}
+}
+var GitHubCopilotProvider = class {
+	config = GITHUB_COPILOT_CONFIG;
+	async login(options) {
+		const githubTokenSet = await executeDeviceCodeFlow({
+			config: this.config,
+			loginOptions: options
+		});
+		const githubToken = githubTokenSet.accessToken;
+		const session = await fetchCopilotSessionToken(githubToken);
+		const user = await fetchGitHubUser(githubToken);
+		return {
+			accessToken: session.token,
+			refreshToken: githubToken,
+			expiresAt: session.expiresAt,
+			tokenType: "bearer",
+			scopes: githubTokenSet.scopes,
+			raw: {
+				githubToken,
+				githubRefreshToken: githubTokenSet.refreshToken,
+				login: user.login,
+				name: user.name,
+				email: user.email
+			}
+		};
+	}
+	/** Refresh by exchanging the stored GitHub OAuth token for a new Copilot session token */
+	async refresh(refreshToken) {
+		const session = await fetchCopilotSessionToken(refreshToken);
+		return {
+			accessToken: session.token,
+			refreshToken,
+			expiresAt: session.expiresAt,
+			tokenType: "bearer"
+		};
+	}
+	getAuthHeaders(accessToken) {
+		return {
+			authorization: `Bearer ${accessToken}`,
+			"content-type": "application/json"
+		};
+	}
+	getAccountId(tokenSet) {
+		if (tokenSet.raw?.login && typeof tokenSet.raw.login === "string" && tokenSet.raw.login !== "unknown") return tokenSet.raw.login;
+		const source = tokenSet.refreshToken ?? tokenSet.accessToken;
+		return createHash("sha256").update(source).digest("hex").slice(0, 16);
+	}
+	getAccountLabel(tokenSet) {
+		if (tokenSet.raw?.name && typeof tokenSet.raw.name === "string") return tokenSet.raw.name;
+		if (tokenSet.raw?.login && typeof tokenSet.raw.login === "string" && tokenSet.raw.login !== "unknown") return tokenSet.raw.login;
+	}
+};
+/**
+* Import a GitHub OAuth token from the COPILOT_GITHUB_TOKEN environment variable.
+* The GitHub OAuth token becomes the refresh token; the expired access token forces an
+* immediate Copilot session token fetch on the first call to getToken().
+*/
+function importCopilotTokenFromEnv() {
+	const token = process.env.COPILOT_GITHUB_TOKEN;
+	if (!token) return null;
+	return {
+		accessToken: "",
+		refreshToken: token,
+		expiresAt: 0,
+		tokenType: "bearer"
+	};
+}
+registerProvider("github-copilot", () => new GitHubCopilotProvider());
+//#endregion
+//#region src/core/proxy.ts
+/**
+* Initialize HTTP proxy support for all outgoing fetch() calls.
+*
+* Reads HTTPS_PROXY / HTTP_PROXY / NO_PROXY environment variables automatically.
+* If a proxyUrl is provided, it overrides those env vars before installing the dispatcher.
+*
+* Call this once at startup — CLI entry point or library init — before any network requests.
+*
+* @param proxyUrl - Optional explicit proxy URL (e.g. "http://proxy.corp:8080").
+*                   Sets both HTTPS_PROXY and HTTP_PROXY env vars when provided.
+*/
+function initProxy(proxyUrl) {
+	if (proxyUrl) {
+		process.env.HTTPS_PROXY = proxyUrl;
+		process.env.HTTP_PROXY = proxyUrl;
+	}
+	setGlobalDispatcher(new EnvHttpProxyAgent());
+}
+//#endregion
+export { AuthenticationError, ClaudeProvider, FileStore, GitHubCopilotProvider, KeychainStore, NoCredentialError, OAuthCallbackError, OAuthTimeoutError, OpenAICodexProvider, OpenSubAuthError, ProviderNotFoundError, StateMismatchError, TokenExpiredError, TokenManager, TokenRefreshError, buildAuthorizationUrl, createTokenStore, decodeJWT, exchangeCode, executeDeviceCodeFlow, executePKCEFlow, generateCodeChallenge, generateCodeVerifier, generatePKCE, generateState, getProvider, importClaudeTokenFromEnv, importCopilotTokenFromEnv, importFromCodexCli, initProxy, listProviders, openBrowser, parseCodeAndState, pollForToken, promptForCode, refreshAccessToken, registerProvider, requestDeviceCode, startCallbackServer };
 
 //# sourceMappingURL=index.mjs.map