@redocly/cli 1.29.0 → 1.31.0

package/CHANGELOG.md

@@ -1,5 +1,27 @@
 # @redocly/cli
 
+## 1.31.0
+
+### Minor Changes
+
+- Added the `generate-arazzo` command to scaffold Arazzo description templates out of OpenAPI descriptions.
+- Added the `respect` command to test APIs against Arazzo description files.
+
+### Patch Changes
+
+- Updated @redocly/openapi-core to v1.31.0.
+
+## 1.30.0
+
+### Minor Changes
+
+- Added [OAuth 2.0 Device authorization flow](https://datatracker.ietf.org/doc/html/rfc8628) that enables users to authenticate through Reunite API.
+
+### Patch Changes
+
+- Updated `operation-tag-defined` built-in rule to verify tags are defined on the operation prior to matching them to a global tag.
+- Updated @redocly/openapi-core to v1.30.0.
+
 ## 1.29.0
 
 ### Minor Changes
@@ -226,7 +248,7 @@
 
 ### Minor Changes
 
-- Added Spot and Arazzo rules: `no-criteria-xpath`, `no-actions-type-end`, `criteria-unique`.
+- Added Respect and Arazzo rules: `no-criteria-xpath`, `no-actions-type-end`, `criteria-unique`.
 
 ### Patch Changes
 

package/README.md

@@ -1,6 +1,9 @@
 # Redocly CLI
 
-[@Redocly](https://redocly.com) CLI is your all-in-one OpenAPI utility. It builds, manages, improves, and quality-checks your OpenAPI descriptions, all of which comes in handy for various phases of the API Lifecycle. Create your own rulesets to make API governance easy, and publish beautiful API reference documentation. Supports OpenAPI 3.1, 3.0 and OpenAPI 2.0 (legacy Swagger).
+[@Redocly](https://redocly.com) CLI is your all-in-one OpenAPI utility.
+It builds, manages, improves, and quality-checks your OpenAPI descriptions, all of which comes in handy for various phases of the API Lifecycle.
+Create your own rulesets to make API governance easy, publish beautiful API reference documentation, and more.
+Supports OpenAPI 3.1, 3.0 and OpenAPI 2.0 (legacy Swagger), AsyncAPI 3.0 and 2.6, Arazzo 1.0.
 
 ![build and test](https://github.com/redocly/redocly-cli/actions/workflows/tests.yaml/badge.svg)
 ![npm (scoped)](https://img.shields.io/npm/v/@redocly/cli)
@@ -32,9 +35,8 @@ The minimum required versions of Node.js and NPM are 18.17.0 and 10.8.2 respecti
 
 ### Docker
 
-To give the Docker container access to the OpenAPI description files, you need to
-mount the containing directory as a volume. Assuming the API description is rooted
-in the current working directory, you need the following command:
+To give the Docker container access to the OpenAPI description files, you need to mount the containing directory as a volume.
+Assuming the API description is rooted in the current working directory, you need the following command:
 
 ```sh
 docker run --rm -v $PWD:/spec redocly/cli lint path-to-root-file.yaml
@@ -51,25 +53,36 @@ docker run --rm -v $PWD:/spec redocly/cli lint path-to-root-file.yaml
 
 ### Generate API reference documentation
 
-Redocly CLI is a great way to render API reference documentation. It uses open source [Redoc](https://github.com/redocly/redoc) to build your documentation. Use a command like this:
+Redocly CLI is a great way to render API reference documentation.
+It uses open source [Redoc](https://github.com/redocly/redoc) to build your documentation.
+Use a command like this:
 
 ```sh
 redocly build-docs openapi.yaml
 ```
 
-Your API reference docs are in `redoc-static.html` by default. You can customize this in many ways. [Read the main docs](https://redocly.com/docs/cli/commands/build-docs) for more information.
+Your API reference docs are in `redoc-static.html` by default.
+You can customize this in many ways.
+[Read the main docs](https://redocly.com/docs/cli/commands/build-docs) for more information.
 
-> :bulb: Redocly also has [hosted API reference docs](https://redocly.com/docs/api-registry/guides/api-registry-quickstart/), a (commercial) alternative to Redoc. Both Redoc and Redocly API reference docs can be worked on locally using the `preview-docs` command.
+> :bulb: Redocly also has [hosted API reference docs](https://redocly.com/docs/api-registry/guides/api-registry-quickstart/), a (commercial) alternative to Redoc.
+> Both Redoc and Redocly API reference docs can be worked on locally using the `preview-docs` command.
 
 ### Bundle multiple OpenAPI documents
 
-Having one massive OpenAPI description can be annoying, so most people split them up into multiple documents via `$ref`, only to later find out some tools don't support `$ref` or don't support multiple documents. Redocly CLI to the rescue! It has a `bundle` command you can use to recombine all of those documents back into one single document. The bundled output that Redocly CLI provides is clean, tidy, and looks like a human made it.
+Having one massive OpenAPI description can be annoying, so most people split them up into multiple documents via `$ref`, only to later find out some tools don't support `$ref` or don't support multiple documents.
+Redocly CLI to the rescue! It has a `bundle` command you can use to recombine all of those documents back into one single document.
+The bundled output that Redocly CLI provides is clean, tidy, and looks like a human made it.
 
 ### Automate API guidelines with Linting
 
-Check that your API matches the expected API guidelines by using the `lint` command. API guidelines are an important piece of API governance. They help to keep APIs consistent by enforcing the same standards and naming conventions, and they can also guide API teams through potential security hazards and other pitfalls. Automating API guidelines means you can keep APIs consistent and secure throughout their lifecycle. Even better, you can shape the design of the API before it even exists by combining API linting with a design-first API workflow.
+Check that your API matches the expected API guidelines by using the `lint` command.
+API guidelines are an important piece of API governance. They help to keep APIs consistent by enforcing the same standards and naming conventions, and they can also guide API teams through potential security hazards and other pitfalls.
+Automating API guidelines means you can keep APIs consistent and secure throughout their lifecycle.
+Even better, you can shape the design of the API before it even exists by combining API linting with a design-first API workflow.
 
-Our API linter is designed for speed on even large documents, and it's easy to run locally, in CI, or anywhere you need it. It's also designed for humans, with meaningful error messages to help you get your API right every time.
+Our API linter is designed for speed on even large documents, and it's easy to run locally, in CI, or anywhere you need it.
+It's also designed for humans, with meaningful error messages to help you get your API right every time.
 
 Try it like this:
 
@@ -77,9 +90,12 @@ Try it like this:
 redocly lint openapi.yaml
 ```
 
-**Configure the rules** as you wish. Other API Linters use complicated identifiers like JSONPath, but Redocly makes life easy with simple expressions that understand the OpenAPI structure. You can either use the [built-in rules](https://redocly.com/docs/cli/rules) to mix-and-match your ideal API guidelines, or break out the tools to build your own.
+**Configure the rules** as you wish.
+Other API Linters use complicated identifiers like JSONPath, but Redocly makes life easy with simple expressions that understand the OpenAPI structure.
+You can either use the [built-in rules](https://redocly.com/docs/cli/rules) to mix-and-match your ideal API guidelines, or break out the tools to build your own.
 
-**Format the output** in whatever way you need. The `stylish` output is as good as it sounds, but if you need JSON or Checkstyle outputs to integrate with other tools, the `lint` command can output those too.
+**Format the output** in whatever way you need.
+The `stylish` output is as good as it sounds, but if you need JSON or Checkstyle outputs to integrate with other tools, the `lint` command can output those too.
 
 **Multiple files supported** so you don't need to bundle your API description to lint it; just point Redocly CLI at the "entry point" (e.g.: `openapi.yaml`) and it handles the rest.
 
@@ -87,7 +103,8 @@ redocly lint openapi.yaml
 
 ### Transform an OpenAPI description
 
-If your OpenAPI description isn't everything you hoped it would be, enhance it with the Redocly [decorators](https://redocly.com/docs/cli/decorators) feature. This allows you to:
+If your OpenAPI description isn't everything you hoped it would be, enhance it with the Redocly [decorators](https://redocly.com/docs/cli/decorators) feature.
+This allows you to:
 
 - Publish reference docs with a subset of endpoints for public use
 - Improve the docs by adding examples and descriptions
@@ -95,11 +112,13 @@ If your OpenAPI description isn't everything you hoped it would be, enhance it w
 
 ## Data collection
 
-This tool [collects data](./docs/usage-data.md) to help Redocly improve our products and services. You can opt out by setting the `REDOCLY_TELEMETRY` environment variable to `off`.
+This tool [collects data](./docs/usage-data.md) to help Redocly improve our products and services.
+You can opt out by setting the `REDOCLY_TELEMETRY` environment variable to `off`.
 
 ## Update notifications
 
-Redocly CLI checks for updates on startup. You can disable this by setting the `REDOCLY_SUPPRESS_UPDATE_NOTICE` environment variable to `true`.
+Redocly CLI checks for updates on startup.
+You can disable this by setting the `REDOCLY_SUPPRESS_UPDATE_NOTICE` environment variable to `true`.
 
 ## More resources
 
@@ -111,4 +130,5 @@ Thanks to [graphql-js](https://github.com/graphql/graphql-js) and [eslint](https
 
 ## Development
 
-Contributions are welcome! All the information you need is in [CONTRIBUTING.md](CONTRIBUTING.md).
+Contributions are welcome!
+All the information you need is in [CONTRIBUTING.md](CONTRIBUTING.md).

package/lib/__tests__/commands/push-region.test.js

@@ -2,7 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const openapi_core_1 = require("@redocly/openapi-core");
 const push_1 = require("../../commands/push");
-const login_1 = require("../../commands/login");
+const auth_1 = require("../../commands/auth");
 const config_1 = require("../fixtures/config");
 const node_stream_1 = require("node:stream");
 // Mock fs operations
@@ -22,9 +22,9 @@ jest.mock('fs', () => ({
 openapi_core_1.getMergedConfig.mockImplementation((config) => config);
 // Mock OpenAPI core
 jest.mock('@redocly/openapi-core');
-jest.mock('../../commands/login');
+jest.mock('../../commands/auth');
 jest.mock('../../utils/miscellaneous');
-const mockPromptClientToken = login_1.promptClientToken;
+const mockPromptClientToken = auth_1.promptClientToken;
 describe('push-with-region', () => {
     const redoclyClient = require('@redocly/openapi-core').__redoclyClient;
     redoclyClient.isAuthorizedWithRedoclyByRegion = jest.fn().mockResolvedValue(false);

package/lib/auth/__tests__/device-flow.test.js

@@ -0,0 +1,62 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const device_flow_1 = require("../device-flow");
+jest.mock('child_process');
+describe('RedoclyOAuthDeviceFlow', () => {
+    const mockBaseUrl = 'https://test.redocly.com';
+    const mockClientName = 'test-client';
+    const mockVersion = '1.0.0';
+    let flow;
+    beforeEach(() => {
+        flow = new device_flow_1.RedoclyOAuthDeviceFlow(mockBaseUrl, mockClientName, mockVersion);
+        jest.resetAllMocks();
+    });
+    describe('verifyToken', () => {
+        it('returns true for valid token', async () => {
+            jest.spyOn(flow['apiClient'], 'request').mockResolvedValue({
+                json: () => Promise.resolve({ user: { id: '123' } }),
+            });
+            const result = await flow.verifyToken('valid-token');
+            expect(result).toBe(true);
+        });
+        it('returns false for invalid token', async () => {
+            jest.spyOn(flow['apiClient'], 'request').mockRejectedValue(new Error('Invalid token'));
+            const result = await flow.verifyToken('invalid-token');
+            expect(result).toBe(false);
+        });
+    });
+    describe('verifyApiKey', () => {
+        it('returns true for valid API key', async () => {
+            jest.spyOn(flow['apiClient'], 'request').mockResolvedValue({
+                json: () => Promise.resolve({ success: true }),
+            });
+            const result = await flow.verifyApiKey('valid-key');
+            expect(result).toBe(true);
+        });
+        it('returns false for invalid API key', async () => {
+            jest.spyOn(flow['apiClient'], 'request').mockRejectedValue(new Error('Invalid API key'));
+            const result = await flow.verifyApiKey('invalid-key');
+            expect(result).toBe(false);
+        });
+    });
+    describe('refreshToken', () => {
+        it('successfully refreshes token', async () => {
+            const mockResponse = {
+                access_token: 'new-token',
+                refresh_token: 'new-refresh',
+                expires_in: 3600,
+            };
+            jest.spyOn(flow['apiClient'], 'request').mockResolvedValue({
+                json: () => Promise.resolve(mockResponse),
+            });
+            const result = await flow.refreshToken('old-refresh-token');
+            expect(result).toEqual(mockResponse);
+        });
+        it('throws error when refresh fails', async () => {
+            jest.spyOn(flow['apiClient'], 'request').mockResolvedValue({
+                json: () => Promise.resolve({}),
+            });
+            await expect(flow.refreshToken('invalid-refresh')).rejects.toThrow('Failed to refresh token');
+        });
+    });
+});

package/lib/auth/__tests__/oauth-client.test.js

@@ -0,0 +1,93 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const oauth_client_1 = require("../oauth-client");
+const device_flow_1 = require("../device-flow");
+const fs = require("node:fs");
+const path = require("node:path");
+const os = require("node:os");
+jest.mock('node:fs');
+jest.mock('node:os');
+jest.mock('../device-flow');
+describe('RedoclyOAuthClient', () => {
+    const mockClientName = 'test-client';
+    const mockVersion = '1.0.0';
+    const mockBaseUrl = 'https://test.redocly.com';
+    const mockHomeDir = '/mock/home/dir';
+    const mockRedoclyDir = path.join(mockHomeDir, '.redocly');
+    let client;
+    beforeEach(() => {
+        jest.resetAllMocks();
+        os.homedir.mockReturnValue(mockHomeDir);
+        process.env.HOME = mockHomeDir;
+        client = new oauth_client_1.RedoclyOAuthClient(mockClientName, mockVersion);
+    });
+    describe('login', () => {
+        it('successfully logs in and saves token', async () => {
+            const mockToken = { access_token: 'test-token' };
+            const mockDeviceFlow = {
+                run: jest.fn().mockResolvedValue(mockToken),
+            };
+            device_flow_1.RedoclyOAuthDeviceFlow.mockImplementation(() => mockDeviceFlow);
+            await client.login(mockBaseUrl);
+            expect(mockDeviceFlow.run).toHaveBeenCalled();
+            expect(fs.writeFileSync).toHaveBeenCalled();
+        });
+        it('throws error when login fails', async () => {
+            const mockDeviceFlow = {
+                run: jest.fn().mockResolvedValue(null),
+            };
+            device_flow_1.RedoclyOAuthDeviceFlow.mockImplementation(() => mockDeviceFlow);
+            await expect(client.login(mockBaseUrl)).rejects.toThrow('Failed to login');
+        });
+    });
+    describe('logout', () => {
+        it('removes token file if it exists', async () => {
+            fs.existsSync.mockReturnValue(true);
+            await client.logout();
+            expect(fs.rmSync).toHaveBeenCalledWith(path.join(mockRedoclyDir, 'auth.json'));
+        });
+        it('silently fails if token file does not exist', async () => {
+            fs.existsSync.mockReturnValue(false);
+            await expect(client.logout()).resolves.not.toThrow();
+            expect(fs.rmSync).not.toHaveBeenCalled();
+        });
+    });
+    describe('isAuthorized', () => {
+        it('verifies API key if provided', async () => {
+            const mockDeviceFlow = {
+                verifyApiKey: jest.fn().mockResolvedValue(true),
+            };
+            device_flow_1.RedoclyOAuthDeviceFlow.mockImplementation(() => mockDeviceFlow);
+            const result = await client.isAuthorized(mockBaseUrl, 'test-api-key');
+            expect(result).toBe(true);
+            expect(mockDeviceFlow.verifyApiKey).toHaveBeenCalledWith('test-api-key');
+        });
+        it('verifies access token if no API key provided', async () => {
+            const mockToken = { access_token: 'test-token' };
+            const mockDeviceFlow = {
+                verifyToken: jest.fn().mockResolvedValue(true),
+            };
+            device_flow_1.RedoclyOAuthDeviceFlow.mockImplementation(() => mockDeviceFlow);
+            fs.readFileSync.mockReturnValue(client['cipher'].update(JSON.stringify(mockToken), 'utf8', 'hex') +
+                client['cipher'].final('hex'));
+            const result = await client.isAuthorized(mockBaseUrl);
+            expect(result).toBe(true);
+            expect(mockDeviceFlow.verifyToken).toHaveBeenCalledWith('test-token');
+        });
+        it('returns false if token refresh fails', async () => {
+            const mockToken = {
+                access_token: 'old-token',
+                refresh_token: 'refresh-token',
+            };
+            const mockDeviceFlow = {
+                verifyToken: jest.fn().mockResolvedValue(false),
+                refreshToken: jest.fn().mockRejectedValue(new Error('Refresh failed')),
+            };
+            device_flow_1.RedoclyOAuthDeviceFlow.mockImplementation(() => mockDeviceFlow);
+            fs.readFileSync.mockReturnValue(client['cipher'].update(JSON.stringify(mockToken), 'utf8', 'hex') +
+                client['cipher'].final('hex'));
+            const result = await client.isAuthorized(mockBaseUrl);
+            expect(result).toBe(false);
+        });
+    });
+});

package/lib/auth/device-flow.d.ts

@@ -0,0 +1,26 @@
+export type AuthToken = {
+    access_token: string;
+    refresh_token?: string;
+    token_type?: string;
+    expires_in?: number;
+};
+export declare class RedoclyOAuthDeviceFlow {
+    private baseUrl;
+    private clientName;
+    private version;
+    private apiClient;
+    constructor(baseUrl: string, clientName: string, version: string);
+    run(): Promise<AuthToken>;
+    private openBrowser;
+    verifyToken(accessToken: string): Promise<boolean>;
+    verifyApiKey(apiKey: string): Promise<boolean>;
+    refreshToken(refreshToken: string): Promise<{
+        access_token: any;
+        refresh_token: any;
+        expires_in: any;
+    }>;
+    private pollingAccessToken;
+    private getAccessToken;
+    private getDeviceCode;
+    private sendRequest;
+}

package/lib/auth/device-flow.js

@@ -0,0 +1,133 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RedoclyOAuthDeviceFlow = void 0;
+const colorette_1 = require("colorette");
+const childProcess = require("child_process");
+const api_client_1 = require("../reunite/api/api-client");
+class RedoclyOAuthDeviceFlow {
+    constructor(baseUrl, clientName, version) {
+        this.baseUrl = baseUrl;
+        this.clientName = clientName;
+        this.version = version;
+        this.apiClient = new api_client_1.ReuniteApiClient(this.version, 'login');
+    }
+    async run() {
+        const code = await this.getDeviceCode();
+        process.stdout.write('Attempting to automatically open the SSO authorization page in your default browser.\n');
+        process.stdout.write('If the browser does not open or you wish to use a different device to authorize this request, open the following URL:\n\n');
+        process.stdout.write((0, colorette_1.blue)(code.verificationUri));
+        process.stdout.write(`\n\n`);
+        process.stdout.write(`Then enter the code:\n\n`);
+        process.stdout.write((0, colorette_1.blue)(code.userCode));
+        process.stdout.write(`\n\n`);
+        this.openBrowser(code.verificationUriComplete);
+        const accessToken = await this.pollingAccessToken(code.deviceCode, code.interval, code.expiresIn);
+        process.stdout.write((0, colorette_1.green)('✅ Logged in\n\n'));
+        return accessToken;
+    }
+    openBrowser(url) {
+        try {
+            const cmd = process.platform === 'win32'
+                ? `start ${url}`
+                : process.platform === 'darwin'
+                    ? `open ${url}`
+                    : `xdg-open ${url}`;
+            childProcess.execSync(cmd);
+        }
+        catch {
+            // silently fail if browser cannot be opened
+        }
+    }
+    async verifyToken(accessToken) {
+        try {
+            const response = await this.sendRequest('/session', 'GET', undefined, {
+                Cookie: `accessToken=${accessToken};`,
+            });
+            return !!response.user;
+        }
+        catch {
+            return false;
+        }
+    }
+    async verifyApiKey(apiKey) {
+        try {
+            const response = await this.sendRequest('/api-keys-verify', 'POST', {
+                apiKey,
+            });
+            return !!response.success;
+        }
+        catch {
+            return false;
+        }
+    }
+    async refreshToken(refreshToken) {
+        const response = await this.sendRequest(`/device-rotate-token`, 'POST', {
+            grant_type: 'refresh_token',
+            client_name: this.clientName,
+            refresh_token: refreshToken,
+        });
+        if (!response.access_token) {
+            throw new Error('Failed to refresh token');
+        }
+        return {
+            access_token: response.access_token,
+            refresh_token: response.refresh_token,
+            expires_in: response.expires_in,
+        };
+    }
+    async pollingAccessToken(deviceCode, interval, expiresIn) {
+        return new Promise((resolve, reject) => {
+            const intervalId = setInterval(async () => {
+                const response = await this.getAccessToken(deviceCode);
+                if (response.access_token) {
+                    clearInterval(intervalId);
+                    clearTimeout(timeoutId);
+                    resolve(response);
+                }
+                if (response.error && response.error !== 'authorization_pending') {
+                    clearInterval(intervalId);
+                    clearTimeout(timeoutId);
+                    reject(response.error_description);
+                }
+            }, interval * 1000);
+            const timeoutId = setTimeout(async () => {
+                clearInterval(intervalId);
+                clearTimeout(timeoutId);
+                reject('Authorization has expired. Please try again.');
+            }, expiresIn * 1000);
+        });
+    }
+    async getAccessToken(deviceCode) {
+        return await this.sendRequest('/device-token', 'POST', {
+            client_name: this.clientName,
+            device_code: deviceCode,
+            grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+        });
+    }
+    async getDeviceCode() {
+        const { device_code: deviceCode, user_code: userCode, verification_uri: verificationUri, verification_uri_complete: verificationUriComplete, interval = 10, expires_in: expiresIn = 300, } = await this.sendRequest('/device-authorize', 'POST', {
+            client_name: this.clientName,
+        });
+        return {
+            deviceCode,
+            userCode,
+            verificationUri,
+            verificationUriComplete,
+            interval,
+            expiresIn,
+        };
+    }
+    async sendRequest(url, method = 'GET', body = undefined, headers = {}) {
+        url = `${this.baseUrl}${url}`;
+        const response = await this.apiClient.request(url, {
+            body: body ? JSON.stringify(body) : body,
+            method,
+            headers: { 'Content-Type': 'application/json', ...headers },
+        });
+        if (response.status === 204) {
+            return { success: true };
+        }
+        return await response.json();
+    }
+}
+exports.RedoclyOAuthDeviceFlow = RedoclyOAuthDeviceFlow;

package/lib/auth/oauth-client.d.ts

@@ -0,0 +1,14 @@
+export declare class RedoclyOAuthClient {
+    private clientName;
+    private version;
+    private dir;
+    private cipher;
+    private decipher;
+    constructor(clientName: string, version: string);
+    login(baseUrl: string): Promise<void>;
+    logout(): Promise<void>;
+    isAuthorized(baseUrl: string, apiKey?: string): Promise<boolean>;
+    private saveToken;
+    private readToken;
+    private removeToken;
+}

package/lib/auth/oauth-client.js

@@ -0,0 +1,93 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RedoclyOAuthClient = void 0;
+const node_os_1 = require("node:os");
+const path = require("node:path");
+const node_fs_1 = require("node:fs");
+const crypto = require("node:crypto");
+const node_buffer_1 = require("node:buffer");
+const device_flow_1 = require("./device-flow");
+const SALT = '4618dbc9-8aed-4e27-aaf0-225f4603e5a4';
+const CRYPTO_ALGORITHM = 'aes-256-cbc';
+class RedoclyOAuthClient {
+    constructor(clientName, version) {
+        this.clientName = clientName;
+        this.version = version;
+        this.dir = path.join((0, node_os_1.homedir)(), '.redocly');
+        if (!(0, node_fs_1.existsSync)(this.dir)) {
+            (0, node_fs_1.mkdirSync)(this.dir);
+        }
+        const homeDirPath = process.env.HOME;
+        const hash = crypto.createHash('sha256');
+        hash.update(`${homeDirPath}${SALT}`);
+        const hashHex = hash.digest('hex');
+        const key = node_buffer_1.Buffer.alloc(32, node_buffer_1.Buffer.from(hashHex).toString('base64')).toString();
+        const iv = node_buffer_1.Buffer.alloc(16, node_buffer_1.Buffer.from(process.env.HOME).toString('base64')).toString();
+        this.cipher = crypto.createCipheriv(CRYPTO_ALGORITHM, key, iv);
+        this.decipher = crypto.createDecipheriv(CRYPTO_ALGORITHM, key, iv);
+    }
+    async login(baseUrl) {
+        const deviceFlow = new device_flow_1.RedoclyOAuthDeviceFlow(baseUrl, this.clientName, this.version);
+        const token = await deviceFlow.run();
+        if (!token) {
+            throw new Error('Failed to login');
+        }
+        this.saveToken(token);
+    }
+    async logout() {
+        try {
+            this.removeToken();
+        }
+        catch (err) {
+            // do nothing
+        }
+    }
+    async isAuthorized(baseUrl, apiKey) {
+        const deviceFlow = new device_flow_1.RedoclyOAuthDeviceFlow(baseUrl, this.clientName, this.version);
+        if (apiKey) {
+            return await deviceFlow.verifyApiKey(apiKey);
+        }
+        const token = await this.readToken();
+        if (!token) {
+            return false;
+        }
+        const isValidAccessToken = await deviceFlow.verifyToken(token.access_token);
+        if (isValidAccessToken) {
+            return true;
+        }
+        try {
+            const newToken = await deviceFlow.refreshToken(token.refresh_token);
+            await this.saveToken(newToken);
+        }
+        catch {
+            return false;
+        }
+        return true;
+    }
+    async saveToken(token) {
+        try {
+            const encrypted = this.cipher.update(JSON.stringify(token), 'utf8', 'hex') + this.cipher.final('hex');
+            (0, node_fs_1.writeFileSync)(path.join(this.dir, 'auth.json'), encrypted);
+        }
+        catch (error) {
+            process.stderr.write('Error saving tokens:', error);
+        }
+    }
+    async readToken() {
+        try {
+            const token = (0, node_fs_1.readFileSync)(path.join(this.dir, 'auth.json'), 'utf8');
+            const decrypted = this.decipher.update(token, 'hex', 'utf8') + this.decipher.final('utf8');
+            return decrypted ? JSON.parse(decrypted) : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async removeToken() {
+        const tokenPath = path.join(this.dir, 'auth.json');
+        if ((0, node_fs_1.existsSync)(tokenPath)) {
+            (0, node_fs_1.rmSync)(tokenPath);
+        }
+    }
+}
+exports.RedoclyOAuthClient = RedoclyOAuthClient;

package/lib/commands/auth.d.ts

@@ -0,0 +1,13 @@
+import type { CommandArgs } from '../wrapper';
+export declare function promptClientToken(domain: string): Promise<string>;
+export type LoginOptions = {
+    verbose?: boolean;
+    residency?: string;
+    config?: string;
+    next?: boolean;
+};
+export declare function handleLogin({ argv, config, version }: CommandArgs<LoginOptions>): Promise<void>;
+export type LogoutOptions = {
+    config?: string;
+};
+export declare function handleLogout({ version }: CommandArgs<LogoutOptions>): Promise<void>;

package/lib/commands/auth.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.promptClientToken = promptClientToken;
+exports.handleLogin = handleLogin;
+exports.handleLogout = handleLogout;
+const colorette_1 = require("colorette");
+const openapi_core_1 = require("@redocly/openapi-core");
+const miscellaneous_1 = require("../utils/miscellaneous");
+const oauth_client_1 = require("../auth/oauth-client");
+const api_1 = require("../reunite/api");
+function promptClientToken(domain) {
+    return (0, miscellaneous_1.promptUser)((0, colorette_1.green)(`\n  🔑 Copy your API key from ${(0, colorette_1.blue)(`https://app.${domain}/profile`)} and paste it below`) + (0, colorette_1.yellow)(' (if you want to log in with Reunite, please run `redocly login --next` instead)'), true);
+}
+async function handleLogin({ argv, config, version }) {
+    if (argv.next) {
+        try {
+            const reuniteUrl = (0, api_1.getReuniteUrl)(argv.residency);
+            const oauthClient = new oauth_client_1.RedoclyOAuthClient('redocly-cli', version);
+            await oauthClient.login(reuniteUrl);
+        }
+        catch {
+            if (argv.residency) {
+                const reuniteUrl = (0, api_1.getReuniteUrl)(argv.residency);
+                (0, miscellaneous_1.exitWithError)(`❌ Connection to ${reuniteUrl} failed.`);
+            }
+            else {
+                (0, miscellaneous_1.exitWithError)(`❌ Login failed. Please check your credentials and try again.`);
+            }
+        }
+    }
+    else {
+        try {
+            const region = argv.residency || config.region;
+            const client = new openapi_core_1.RedoclyClient(region);
+            const clientToken = await promptClientToken(client.domain);
+            process.stdout.write((0, colorette_1.gray)('\n  Logging in...\n'));
+            await client.login(clientToken, argv.verbose);
+            process.stdout.write((0, colorette_1.green)('  Authorization confirmed. ✅\n\n'));
+        }
+        catch (err) {
+            (0, miscellaneous_1.exitWithError)('  ' + err?.message);
+        }
+    }
+}
+async function handleLogout({ version }) {
+    const client = new openapi_core_1.RedoclyClient();
+    client.logout();
+    const oauthClient = new oauth_client_1.RedoclyOAuthClient('redocly-cli', version);
+    oauthClient.logout();
+    process.stdout.write('Logged out from the Redocly account. ✋ \n');
+}