@redocly/cli 1.29.0 → 1.30.0

package/src/auth/device-flow.ts

@@ -0,0 +1,175 @@
+import { blue, green } from 'colorette';
+import * as childProcess from 'child_process';
+import { ReuniteApiClient } from '../reunite/api/api-client';
+
+export type AuthToken = {
+  access_token: string;
+  refresh_token?: string;
+  token_type?: string;
+  expires_in?: number;
+};
+
+export class RedoclyOAuthDeviceFlow {
+  private apiClient: ReuniteApiClient;
+
+  constructor(private baseUrl: string, private clientName: string, private version: string) {
+    this.apiClient = new ReuniteApiClient(this.version, 'login');
+  }
+
+  async run() {
+    const code = await this.getDeviceCode();
+    process.stdout.write(
+      'Attempting to automatically open the SSO authorization page in your default browser.\n'
+    );
+    process.stdout.write(
+      'If the browser does not open or you wish to use a different device to authorize this request, open the following URL:\n\n'
+    );
+    process.stdout.write(blue(code.verificationUri));
+    process.stdout.write(`\n\n`);
+    process.stdout.write(`Then enter the code:\n\n`);
+    process.stdout.write(blue(code.userCode));
+    process.stdout.write(`\n\n`);
+
+    this.openBrowser(code.verificationUriComplete);
+
+    const accessToken = await this.pollingAccessToken(
+      code.deviceCode,
+      code.interval,
+      code.expiresIn
+    );
+    process.stdout.write(green('✅ Logged in\n\n'));
+
+    return accessToken;
+  }
+
+  private openBrowser(url: string) {
+    try {
+      const cmd =
+        process.platform === 'win32'
+          ? `start ${url}`
+          : process.platform === 'darwin'
+          ? `open ${url}`
+          : `xdg-open ${url}`;
+
+      childProcess.execSync(cmd);
+    } catch {
+      // silently fail if browser cannot be opened
+    }
+  }
+
+  async verifyToken(accessToken: string) {
+    try {
+      const response = await this.sendRequest('/session', 'GET', undefined, {
+        Cookie: `accessToken=${accessToken};`,
+      });
+
+      return !!response.user;
+    } catch {
+      return false;
+    }
+  }
+
+  async verifyApiKey(apiKey: string) {
+    try {
+      const response = await this.sendRequest('/api-keys-verify', 'POST', {
+        apiKey,
+      });
+      return !!response.success;
+    } catch {
+      return false;
+    }
+  }
+
+  async refreshToken(refreshToken: string) {
+    const response = await this.sendRequest(`/device-rotate-token`, 'POST', {
+      grant_type: 'refresh_token',
+      client_name: this.clientName,
+      refresh_token: refreshToken,
+    });
+
+    if (!response.access_token) {
+      throw new Error('Failed to refresh token');
+    }
+    return {
+      access_token: response.access_token,
+      refresh_token: response.refresh_token,
+      expires_in: response.expires_in,
+    };
+  }
+
+  private async pollingAccessToken(
+    deviceCode: string,
+    interval: number,
+    expiresIn: number
+  ): Promise<AuthToken> {
+    return new Promise((resolve, reject) => {
+      const intervalId = setInterval(async () => {
+        const response = await this.getAccessToken(deviceCode);
+        if (response.access_token) {
+          clearInterval(intervalId);
+          clearTimeout(timeoutId);
+          resolve(response);
+        }
+        if (response.error && response.error !== 'authorization_pending') {
+          clearInterval(intervalId);
+          clearTimeout(timeoutId);
+          reject(response.error_description);
+        }
+      }, interval * 1000);
+
+      const timeoutId = setTimeout(async () => {
+        clearInterval(intervalId);
+        clearTimeout(timeoutId);
+        reject('Authorization has expired. Please try again.');
+      }, expiresIn * 1000);
+    });
+  }
+
+  private async getAccessToken(deviceCode: string) {
+    return await this.sendRequest('/device-token', 'POST', {
+      client_name: this.clientName,
+      device_code: deviceCode,
+      grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+    });
+  }
+
+  private async getDeviceCode() {
+    const {
+      device_code: deviceCode,
+      user_code: userCode,
+      verification_uri: verificationUri,
+      verification_uri_complete: verificationUriComplete,
+      interval = 10,
+      expires_in: expiresIn = 300,
+    } = await this.sendRequest('/device-authorize', 'POST', {
+      client_name: this.clientName,
+    });
+
+    return {
+      deviceCode,
+      userCode,
+      verificationUri,
+      verificationUriComplete,
+      interval,
+      expiresIn,
+    };
+  }
+
+  private async sendRequest(
+    url: string,
+    method: string = 'GET',
+    body: Record<string, unknown> | undefined = undefined,
+    headers: Record<string, string> = {}
+  ) {
+    url = `${this.baseUrl}${url}`;
+    const response = await this.apiClient.request(url, {
+      body: body ? JSON.stringify(body) : body,
+      method,
+      headers: { 'Content-Type': 'application/json', ...headers },
+    });
+    if (response.status === 204) {
+      return { success: true };
+    }
+    return await response.json();
+  }
+}

package/src/auth/oauth-client.ts

@@ -0,0 +1,111 @@
+import { homedir } from 'node:os';
+import * as path from 'node:path';
+import { mkdirSync, existsSync, writeFileSync, readFileSync, rmSync } from 'node:fs';
+import * as crypto from 'node:crypto';
+import { Buffer } from 'node:buffer';
+import { type AuthToken, RedoclyOAuthDeviceFlow } from './device-flow';
+
+const SALT = '4618dbc9-8aed-4e27-aaf0-225f4603e5a4';
+const CRYPTO_ALGORITHM = 'aes-256-cbc';
+
+export class RedoclyOAuthClient {
+  private dir: string;
+  private cipher: crypto.Cipher;
+  private decipher: crypto.Decipher;
+
+  constructor(private clientName: string, private version: string) {
+    this.dir = path.join(homedir(), '.redocly');
+    if (!existsSync(this.dir)) {
+      mkdirSync(this.dir);
+    }
+
+    const homeDirPath = process.env.HOME as string;
+    const hash = crypto.createHash('sha256');
+    hash.update(`${homeDirPath}${SALT}`);
+    const hashHex = hash.digest('hex');
+
+    const key = Buffer.alloc(
+      32,
+      Buffer.from(hashHex).toString('base64')
+    ).toString() as crypto.CipherKey;
+    const iv = Buffer.alloc(
+      16,
+      Buffer.from(process.env.HOME as string).toString('base64')
+    ).toString() as crypto.BinaryLike;
+    this.cipher = crypto.createCipheriv(CRYPTO_ALGORITHM, key, iv);
+    this.decipher = crypto.createDecipheriv(CRYPTO_ALGORITHM, key, iv);
+  }
+
+  async login(baseUrl: string) {
+    const deviceFlow = new RedoclyOAuthDeviceFlow(baseUrl, this.clientName, this.version);
+
+    const token = await deviceFlow.run();
+    if (!token) {
+      throw new Error('Failed to login');
+    }
+    this.saveToken(token);
+  }
+
+  async logout() {
+    try {
+      this.removeToken();
+    } catch (err) {
+      // do nothing
+    }
+  }
+
+  async isAuthorized(baseUrl: string, apiKey?: string) {
+    const deviceFlow = new RedoclyOAuthDeviceFlow(baseUrl, this.clientName, this.version);
+
+    if (apiKey) {
+      return await deviceFlow.verifyApiKey(apiKey);
+    }
+
+    const token = await this.readToken();
+    if (!token) {
+      return false;
+    }
+
+    const isValidAccessToken = await deviceFlow.verifyToken(token.access_token);
+
+    if (isValidAccessToken) {
+      return true;
+    }
+
+    try {
+      const newToken = await deviceFlow.refreshToken(token.refresh_token);
+      await this.saveToken(newToken);
+    } catch {
+      return false;
+    }
+
+    return true;
+  }
+
+  private async saveToken(token: AuthToken) {
+    try {
+      const encrypted =
+        this.cipher.update(JSON.stringify(token), 'utf8', 'hex') + this.cipher.final('hex');
+      writeFileSync(path.join(this.dir, 'auth.json'), encrypted);
+    } catch (error) {
+      process.stderr.write('Error saving tokens:', error);
+    }
+  }
+
+  private async readToken() {
+    try {
+      const token = readFileSync(path.join(this.dir, 'auth.json'), 'utf8');
+      const decrypted = this.decipher.update(token, 'hex', 'utf8') + this.decipher.final('utf8');
+      return decrypted ? JSON.parse(decrypted) : null;
+    } catch {
+      return null;
+    }
+  }
+
+  private async removeToken() {
+    const tokenPath = path.join(this.dir, 'auth.json');
+    if (existsSync(tokenPath)) {
+      rmSync(tokenPath);
+    }
+  }
+}

package/src/commands/auth.ts

@@ -0,0 +1,66 @@
+import { blue, green, gray, yellow } from 'colorette';
+import { RedoclyClient } from '@redocly/openapi-core';
+import { exitWithError, promptUser } from '../utils/miscellaneous';
+import { RedoclyOAuthClient } from '../auth/oauth-client';
+import { getReuniteUrl } from '../reunite/api';
+
+import type { CommandArgs } from '../wrapper';
+import type { Region } from '@redocly/openapi-core';
+
+export function promptClientToken(domain: string) {
+  return promptUser(
+    green(
+      `\n  🔑 Copy your API key from ${blue(`https://app.${domain}/profile`)} and paste it below`
+    ) + yellow(' (if you want to log in with Reunite, please run `redocly login --next` instead)'),
+    true
+  );
+}
+
+export type LoginOptions = {
+  verbose?: boolean;
+  residency?: string;
+  config?: string;
+  next?: boolean;
+};
+
+export async function handleLogin({ argv, config, version }: CommandArgs<LoginOptions>) {
+  if (argv.next) {
+    try {
+      const reuniteUrl = getReuniteUrl(argv.residency);
+      const oauthClient = new RedoclyOAuthClient('redocly-cli', version);
+      await oauthClient.login(reuniteUrl);
+    } catch {
+      if (argv.residency) {
+        const reuniteUrl = getReuniteUrl(argv.residency);
+        exitWithError(`❌ Connection to ${reuniteUrl} failed.`);
+      } else {
+        exitWithError(`❌ Login failed. Please check your credentials and try again.`);
+      }
+    }
+  } else {
+    try {
+      const region = (argv.residency as Region) || config.region;
+      const client = new RedoclyClient(region);
+      const clientToken = await promptClientToken(client.domain);
+      process.stdout.write(gray('\n  Logging in...\n'));
+      await client.login(clientToken, argv.verbose);
+      process.stdout.write(green('  Authorization confirmed. ✅\n\n'));
+    } catch (err) {
+      exitWithError('  ' + err?.message);
+    }
+  }
+}
+
+export type LogoutOptions = {
+  config?: string;
+};
+
+export async function handleLogout({ version }: CommandArgs<LogoutOptions>) {
+  const client = new RedoclyClient();
+  client.logout();
+
+  const oauthClient = new RedoclyOAuthClient('redocly-cli', version);
+  oauthClient.logout();
+
+  process.stdout.write('Logged out from the Redocly account. ✋ \n');
+}

package/src/commands/push.ts

@@ -19,9 +19,9 @@ import {
   getFallbackApisOrExit,
   dumpBundle,
 } from '../utils/miscellaneous';
-import { promptClientToken } from './login';
-import { handlePush as handleCMSPush } from '../cms/commands/push';
-import { streamToBuffer } from '../cms/api/api-client';
+import { promptClientToken } from './auth';
+import { handlePush as handleCMSPush } from '../reunite/commands/push';
+import { streamToBuffer } from '../reunite/api/api-client';
 
 import type { Readable } from 'node:stream';
 import type { Agent } from 'node:http';

package/src/index.ts

@@ -3,16 +3,15 @@
 import './utils/assert-node-version';
 import * as yargs from 'yargs';
 import * as colors from 'colorette';
-import { RedoclyClient } from '@redocly/openapi-core';
 import { outputExtensions, regionChoices } from './types';
 import { previewDocs } from './commands/preview-docs';
 import { handleStats } from './commands/stats';
 import { handleSplit } from './commands/split';
 import { handleJoin } from './commands/join';
-import { handlePushStatus } from './cms/commands/push-status';
+import { handlePushStatus } from './reunite/commands/push-status';
 import { handleLint } from './commands/lint';
 import { handleBundle } from './commands/bundle';
-import { handleLogin } from './commands/login';
+import { handleLogin, handleLogout } from './commands/auth';
 import { handlerBuildCommand } from './commands/build-docs';
 import {
   cacheLatestVersion,
@@ -29,7 +28,7 @@ import { commonPushHandler } from './commands/push';
 import type { Arguments } from 'yargs';
 import type { OutputFormat, RuleSeverity } from '@redocly/openapi-core';
 import type { BuildDocsArgv } from './commands/build-docs/types';
-import type { PushStatusOptions } from './cms/commands/push-status';
+import type { PushStatusOptions } from './reunite/commands/push-status';
 import type { PushArguments } from './types';
 import type { EjectOptions } from './commands/eject';
 
@@ -605,23 +604,27 @@ yargs
   )
   .command(
     'login',
-    'Login to the Redocly API registry with an access token.',
+    'Log in to Redocly.',
     async (yargs) =>
       yargs.options({
         verbose: {
           description: 'Include additional output.',
           type: 'boolean',
         },
-        region: {
-          description: 'Specify a region.',
-          alias: 'r',
-          choices: regionChoices,
+        residency: {
+          description: 'Residency of the application. Defaults to `us`.',
+          alias: ['r', 'region'],
+          type: 'string',
         },
         config: {
           description: 'Path to the config file.',
           requiresArg: true,
           type: 'string',
         },
+        next: {
+          description: 'Use Reunite application to login.',
+          type: 'boolean',
+        },
       }),
     (argv) => {
       process.env.REDOCLY_CLI_COMMAND = 'login';
@@ -632,13 +635,9 @@ yargs
     'logout',
     'Clear your stored credentials for the Redocly API registry.',
     (yargs) => yargs,
-    async (argv) => {
+    (argv) => {
       process.env.REDOCLY_CLI_COMMAND = 'logout';
-      await commandWrapper(async () => {
-        const client = new RedoclyClient();
-        client.logout();
-        process.stdout.write('Logged out from the Redocly account. ✋\n');
-      })(argv);
+      commandWrapper(handleLogout)(argv);
     }
   )
   .command(

package/src/otel.ts

@@ -0,0 +1,59 @@
+import { trace } from '@opentelemetry/api';
+import { Resource as OtelResource } from '@opentelemetry/resources';
+import { NodeTracerProvider, SimpleSpanProcessor } from '@opentelemetry/sdk-trace-node';
+import { OTLPTraceExporter } from '@opentelemetry/exporter-trace-otlp-http';
+import { ATTR_SERVICE_NAME, ATTR_SERVICE_VERSION } from '@opentelemetry/semantic-conventions';
+import { version } from './utils/update-version-notifier';
+import { DEFAULT_FETCH_TIMEOUT } from './utils/fetch-with-timeout';
+
+import type { Analytics } from './utils/miscellaneous';
+
+type Events = {
+  [key: string]: Analytics;
+};
+
+const OTEL_TRACES_URL = process.env.OTEL_TRACES_URL || 'https://otel.cloud.redocly.com/v1/traces';
+
+export class OtelServerTelemetry {
+  init() {
+    const nodeTracerProvider = new NodeTracerProvider({
+      resource: new OtelResource({
+        [ATTR_SERVICE_NAME]: `redocly-cli`,
+        [ATTR_SERVICE_VERSION]: `@redocly/cli@${version}`,
+      }),
+    });
+
+    nodeTracerProvider.addSpanProcessor(
+      new SimpleSpanProcessor(
+        new OTLPTraceExporter({
+          url: OTEL_TRACES_URL,
+          headers: {},
+          timeoutMillis: DEFAULT_FETCH_TIMEOUT,
+        })
+      )
+    );
+
+    nodeTracerProvider.register();
+  }
+
+  send<K extends keyof Events>(event: K, data: Events[K]): void {
+    const time = new Date();
+    const eventId = crypto.randomUUID();
+    const span = trace.getTracer('CliTelemetry').startSpan(`event.${event}`, {
+      attributes: {
+        'cloudevents.event_client.id': eventId,
+        'cloudevents.event_client.type': event,
+      },
+      startTime: time,
+    });
+    for (const [key, value] of Object.entries(data)) {
+      const keySnakeCase = key.replace(/([A-Z])/g, '_$1').toLowerCase();
+      if (value !== undefined) {
+        span.setAttribute(`cloudevents.event_data.${keySnakeCase}`, value);
+      }
+    }
+    span.end(time);
+  }
+}
+
+export const otelTelemetry = new OtelServerTelemetry();

package/src/reunite/api/__tests__/domains.test.ts

@@ -0,0 +1,41 @@
+import { getDomain } from '../domains';
+import { getReuniteUrl } from '../domains';
+
+import type { Region } from '@redocly/openapi-core';
+
+describe('getDomain()', () => {
+  afterEach(() => {
+    delete process.env.REDOCLY_DOMAIN;
+  });
+
+  it('should return the domain from environment variable', () => {
+    process.env.REDOCLY_DOMAIN = 'test-domain';
+
+    expect(getDomain()).toBe('test-domain');
+  });
+
+  it('should return the default domain if no domain provided', () => {
+    process.env.REDOCLY_DOMAIN = '';
+
+    expect(getDomain()).toBe('https://app.cloud.redocly.com');
+  });
+});
+
+describe('getReuniteUrl()', () => {
+  it('should return US API URL when US region specified', () => {
+    expect(getReuniteUrl('us')).toBe('https://app.cloud.redocly.com/api');
+  });
+
+  it('should return EU API URL when EU region specified', () => {
+    expect(getReuniteUrl('eu')).toBe('https://app.cloud.eu.redocly.com/api');
+  });
+
+  it('should return custom domain API URL when custom domain specified', () => {
+    const customDomain = 'https://custom.domain.com';
+    expect(getReuniteUrl(customDomain as Region)).toBe('https://custom.domain.com/api');
+  });
+
+  it('should return US API URL when no region specified', () => {
+    expect(getReuniteUrl()).toBe('https://app.cloud.redocly.com/api');
+  });
+});

package/src/{cms → reunite}/api/api-client.ts

@@ -26,7 +26,7 @@ export class ReuniteApiError extends Error {
   }
 }
 
-class ReuniteApiClient implements BaseApiClient {
+export class ReuniteApiClient implements BaseApiClient {
   public sunsetWarnings: SunsetWarningsBuffer = [];
 
   constructor(protected version: string, protected command: string) {}

package/src/reunite/api/domains.ts

@@ -0,0 +1,23 @@
+import type { Region } from '@redocly/openapi-core';
+
+export const REUNITE_URLS: Record<Region, string> = {
+  us: 'https://app.cloud.redocly.com',
+  eu: 'https://app.cloud.eu.redocly.com',
+} as const;
+
+export function getDomain(): string {
+  return process.env.REDOCLY_DOMAIN || REUNITE_URLS.us;
+}
+
+export function getReuniteUrl(residency?: string) {
+  if (!residency) residency = 'us';
+
+  let reuniteUrl: string = REUNITE_URLS[residency as Region];
+
+  if (!reuniteUrl) {
+    reuniteUrl = residency;
+  }
+
+  const url = new URL('/api', reuniteUrl).toString();
+  return url;
+}

package/src/types.ts

@@ -3,14 +3,14 @@ import type { ArgumentsCamelCase } from 'yargs';
 import type { LintOptions } from './commands/lint';
 import type { BundleOptions } from './commands/bundle';
 import type { JoinOptions } from './commands/join';
-import type { LoginOptions } from './commands/login';
+import type { LoginOptions, LogoutOptions } from './commands/auth';
 import type { PushOptions } from './commands/push';
 import type { StatsOptions } from './commands/stats';
 import type { SplitOptions } from './commands/split';
 import type { PreviewDocsOptions } from './commands/preview-docs';
 import type { BuildDocsArgv } from './commands/build-docs/types';
-import type { PushOptions as CMSPushOptions } from './cms/commands/push';
-import type { PushStatusOptions } from './cms/commands/push-status';
+import type { PushOptions as CMSPushOptions } from './reunite/commands/push';
+import type { PushStatusOptions } from './reunite/commands/push-status';
 import type { PreviewProjectOptions } from './commands/preview-project/types';
 import type { TranslationsOptions } from './commands/translations';
 import type { EjectOptions } from './commands/eject';
@@ -37,6 +37,7 @@ export type CommandOptions =
   | LintOptions
   | BundleOptions
   | LoginOptions
+  | LogoutOptions
   | PreviewDocsOptions
   | BuildDocsArgv
   | PushStatusOptions