@orth/cli 0.2.16 → 0.2.17
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/auth.js +23 -2
- package/package.json +1 -1
package/dist/commands/auth.js
CHANGED
|
@@ -7,6 +7,7 @@ exports.loginCommand = loginCommand;
|
|
|
7
7
|
exports.logoutCommand = logoutCommand;
|
|
8
8
|
exports.whoamiCommand = whoamiCommand;
|
|
9
9
|
const chalk_1 = __importDefault(require("chalk"));
|
|
10
|
+
const crypto_1 = __importDefault(require("crypto"));
|
|
10
11
|
const http_1 = __importDefault(require("http"));
|
|
11
12
|
const config_js_1 = require("../config.js");
|
|
12
13
|
const API_BASE = process.env.ORTH_API_URL || "https://api.orth.sh";
|
|
@@ -22,13 +23,33 @@ function openBrowser(url) {
|
|
|
22
23
|
exec(`xdg-open "${url}"`);
|
|
23
24
|
}
|
|
24
25
|
async function browserLogin() {
|
|
26
|
+
// Generate a random state token to prevent CSRF
|
|
27
|
+
const state = crypto_1.default.randomBytes(32).toString("hex");
|
|
25
28
|
return new Promise((resolve, reject) => {
|
|
26
|
-
// Find a random available port
|
|
27
29
|
const server = http_1.default.createServer((req, res) => {
|
|
28
30
|
const url = new URL(req.url || "/", `http://localhost`);
|
|
29
31
|
if (url.pathname === "/callback") {
|
|
30
32
|
const key = url.searchParams.get("key");
|
|
31
33
|
const error = url.searchParams.get("error");
|
|
34
|
+
const returnedState = url.searchParams.get("state");
|
|
35
|
+
// Verify state token
|
|
36
|
+
if (returnedState !== state) {
|
|
37
|
+
res.writeHead(403, { "Content-Type": "text/html" });
|
|
38
|
+
res.end(`
|
|
39
|
+
<html>
|
|
40
|
+
<body style="font-family: -apple-system, sans-serif; display: flex; align-items: center; justify-content: center; height: 100vh; margin: 0; background: #f0f0f0;">
|
|
41
|
+
<div style="text-align: center; background: white; padding: 48px; border-radius: 16px; box-shadow: 0 4px 12px rgba(0,0,0,0.1);">
|
|
42
|
+
<h1 style="font-size: 24px; margin: 0 0 8px; color: #e11d48;">Invalid Request</h1>
|
|
43
|
+
<p style="color: #666; margin: 0;">State token mismatch. Please try again.</p>
|
|
44
|
+
</div>
|
|
45
|
+
</body>
|
|
46
|
+
</html>
|
|
47
|
+
`);
|
|
48
|
+
console.log(chalk_1.default.red("\n✗ Login failed: state token mismatch"));
|
|
49
|
+
server.close();
|
|
50
|
+
reject(new Error("State token mismatch"));
|
|
51
|
+
return;
|
|
52
|
+
}
|
|
32
53
|
if (key) {
|
|
33
54
|
// Send a nice HTML response
|
|
34
55
|
res.writeHead(200, { "Content-Type": "text/html" });
|
|
@@ -78,7 +99,7 @@ async function browserLogin() {
|
|
|
78
99
|
}
|
|
79
100
|
const port = address.port;
|
|
80
101
|
const callbackUrl = `http://127.0.0.1:${port}/callback`;
|
|
81
|
-
const authUrl = `${WEB_BASE}/cli-auth?callback=${encodeURIComponent(callbackUrl)}`;
|
|
102
|
+
const authUrl = `${WEB_BASE}/cli-auth?callback=${encodeURIComponent(callbackUrl)}&state=${state}`;
|
|
82
103
|
console.log(chalk_1.default.gray("Opening browser to authenticate..."));
|
|
83
104
|
console.log(chalk_1.default.gray(`If it doesn't open, visit: ${authUrl}\n`));
|
|
84
105
|
openBrowser(authUrl);
|