@sanlam-fintech-digital/mfe-platform-cli 0.0.1

package/dist/auth/pkce.js

@@ -0,0 +1,286 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildAuthorizeUrl = buildAuthorizeUrl;
+exports.generateCodeVerifier = generateCodeVerifier;
+exports.generateCodeChallenge = generateCodeChallenge;
+exports.waitForAuthCode = waitForAuthCode;
+exports.findFreePort = findFreePort;
+exports.exchangeCodeForTokenWithEndpoint = exchangeCodeForTokenWithEndpoint;
+const crypto_1 = __importDefault(require("crypto"));
+const http_1 = __importDefault(require("http"));
+const url_1 = require("url");
+function buildAuthorizeUrl(request, codeChallenge, state) {
+    const params = new URLSearchParams({
+        client_id: request.clientId,
+        response_type: 'code',
+        redirect_uri: request.redirectUri,
+        response_mode: 'query',
+        scope: request.scope,
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+        state,
+    });
+    return `${request.authorizeEndpoint}?${params.toString()}`;
+}
+function generateCodeVerifier() {
+    return base64Url(crypto_1.default.randomBytes(32));
+}
+async function generateCodeChallenge(codeVerifier) {
+    const hash = crypto_1.default.createHash('sha256').update(codeVerifier).digest();
+    return base64Url(hash);
+}
+async function waitForAuthCode(redirectUri, state, listenPort, expectedPath, timeoutMs = 120000, maxRetries = 3) {
+    const redirectUrl = new url_1.URL(redirectUri);
+    // If listenPort is not provided, try to extract from redirectUri (legacy behavior).
+    // Previously this defaulted to port 80, which requires elevated privileges on most systems.
+    // We now require an explicit, non-privileged port (>= 1024) either via listenPort or redirectUri.
+    const inferredPort = listenPort ?? (redirectUrl.port ? Number(redirectUrl.port) : undefined);
+    const port = inferredPort !== undefined &&
+        Number.isFinite(inferredPort) &&
+        Number.isInteger(inferredPort) &&
+        inferredPort >= 1024 &&
+        inferredPort <= 65535
+        ? inferredPort
+        : undefined;
+    if (port === undefined) {
+        throw new Error('Unable to determine a valid listen port for PKCE redirect. ' +
+            'Please provide a non-privileged port (>= 1024) via the listenPort parameter or include it in the redirectUri.');
+    }
+    const path = expectedPath || redirectUrl.pathname;
+    // Retry mechanism to handle race condition where port might be taken between
+    // findFreePort() returning and server.listen() attempting to bind
+    for (let attempt = 1; attempt <= maxRetries; attempt++) {
+        try {
+            return await attemptListenForAuthCode(port, path, state, timeoutMs);
+        }
+        catch (err) {
+            const isAddressInUse = err instanceof Error &&
+                (err.message.includes('EADDRINUSE') ||
+                    err.code === 'EADDRINUSE');
+            if (isAddressInUse && attempt < maxRetries) {
+                // Exponential backoff: 100ms, 200ms, 400ms
+                const delayMs = 100 * Math.pow(2, attempt - 1);
+                await new Promise(resolve => setTimeout(resolve, delayMs));
+                continue;
+            }
+            throw err;
+        }
+    }
+    // TypeScript requires a return statement here, but this code is unreachable
+    // because the loop either returns successfully or throws an error on the last attempt
+    throw new Error('Unexpected: Failed to bind to port after retries');
+}
+function attemptListenForAuthCode(port, path, state, timeoutMs) {
+    return new Promise((resolve, reject) => {
+        const sockets = new Set();
+        const server = http_1.default.createServer((req, res) => {
+            try {
+                if (!req.url) {
+                    res.writeHead(400, { 'Content-Type': 'text/plain' });
+                    res.end('Invalid request');
+                    return;
+                }
+                // We construct a dummy base to parse the URL relative to localhost
+                const requestUrl = new url_1.URL(req.url, `http://localhost:${port}`);
+                if (requestUrl.pathname !== path) {
+                    res.writeHead(404, { 'Content-Type': 'text/plain' });
+                    res.end('Not found');
+                    return;
+                }
+                const code = requestUrl.searchParams.get('code');
+                const returnedState = requestUrl.searchParams.get('state');
+                const error = requestUrl.searchParams.get('error');
+                const errorDescription = requestUrl.searchParams.get('error_description');
+                if (error) {
+                    res.writeHead(400, { 'Content-Type': 'text/plain' });
+                    res.end(`Authorization error: ${error}`);
+                    cleanup();
+                    reject(new Error(errorDescription || error));
+                    return;
+                }
+                // Check state for CSRF protection.
+                // The caller (pkce-flow) constructs the state as a JSON string, e.g.:
+                //   {"id":"pkce-...","port":12345}
+                // The provider (or relay service) should send back exactly what we sent.
+                // We validate both exact match and JSON structure to help diagnose relay service issues.
+                if (!code) {
+                    res.writeHead(400, { 'Content-Type': 'text/plain' });
+                    res.end('Missing authorization code');
+                    cleanup();
+                    reject(new Error('Missing authorization code in response'));
+                    return;
+                }
+                if (!returnedState) {
+                    res.writeHead(400, { 'Content-Type': 'text/plain' });
+                    res.end('Missing state parameter');
+                    cleanup();
+                    reject(new Error('Missing state parameter in response. This may indicate a relay service issue.'));
+                    return;
+                }
+                // First check for exact match (the happy path)
+                if (returnedState !== state) {
+                    // State mismatch - try to provide helpful diagnostics
+                    let errorMessage = 'State parameter mismatch';
+                    let errorDetails = '';
+                    // Try to parse expected state to see its structure
+                    try {
+                        JSON.parse(state);
+                        // Expected state is valid JSON
+                        // Try to parse returned state
+                        try {
+                            JSON.parse(returnedState);
+                            // Both are valid JSON but don't match - could be modified by relay
+                            errorDetails = ' (both states are valid JSON but differ - possible relay service modification)';
+                        }
+                        catch {
+                            // Returned state is not valid JSON - likely corrupted by relay
+                            errorDetails = ' (returned state is not valid JSON - likely corrupted by relay service)';
+                        }
+                    }
+                    catch {
+                        // Expected state is not JSON - shouldn't happen with current implementation
+                        errorDetails = ' (unexpected state format)';
+                    }
+                    res.writeHead(400, { 'Content-Type': 'text/plain' });
+                    res.end('Invalid authorization response: state mismatch');
+                    cleanup();
+                    reject(new Error(`${errorMessage}${errorDetails}. Expected: ${state}, Received: ${returnedState}`));
+                    return;
+                }
+                res.writeHead(200, { 'Content-Type': 'text/plain' });
+                res.end('Authorization complete. You can close this window.');
+                cleanup();
+                resolve(code);
+            }
+            catch (err) {
+                cleanup();
+                reject(err instanceof Error ? err : new Error(String(err)));
+            }
+        });
+        server.on('connection', (socket) => {
+            sockets.add(socket);
+            socket.on('close', () => sockets.delete(socket));
+        });
+        // Handle server errors, including EADDRINUSE
+        server.on('error', (err) => {
+            cleanup();
+            reject(err);
+        });
+        const timeout = setTimeout(() => {
+            cleanup();
+            reject(new Error('Authorization timed out'));
+        }, timeoutMs);
+        const cleanup = () => {
+            clearTimeout(timeout);
+            for (const socket of sockets) {
+                socket.destroy();
+            }
+            server.close();
+        };
+        server.listen(port, 'localhost');
+        server.unref();
+    });
+}
+/**
+ * Finds a free port by binding to port 0 and returning the OS-assigned port.
+ *
+ * **Race Condition Warning**: There is a small window between when this function
+ * closes the temporary server and when the caller attempts to bind to the returned port.
+ * During this window, another process could potentially claim the port.
+ *
+ * To handle this race condition, callers should implement retry logic with exponential
+ * backoff when binding fails with EADDRINUSE. The `waitForAuthCode` function already
+ * implements this retry mechanism.
+ *
+ * @returns A promise that resolves to a free port number
+ * @throws Error if unable to find a free port within the timeout period
+ */
+async function findFreePort() {
+    return new Promise((resolve, reject) => {
+        const server = http_1.default.createServer();
+        let settled = false;
+        const timeout = setTimeout(() => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            try {
+                server.close();
+            }
+            catch {
+                // Ignore errors while closing on timeout
+            }
+            reject(new Error('Timed out while trying to find a free port'));
+        }, 5000);
+        const safeResolve = (port) => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            clearTimeout(timeout);
+            resolve(port);
+        };
+        const safeReject = (err) => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            clearTimeout(timeout);
+            reject(err);
+        };
+        server.on('error', (err) => {
+            safeReject(err);
+        });
+        server.listen(0, () => {
+            const address = server.address();
+            const port = typeof address === 'object' && address ? address.port : 0;
+            try {
+                server.close(() => {
+                    if (port > 0) {
+                        safeResolve(port);
+                    }
+                    else {
+                        safeReject(new Error('Failed to obtain a free port'));
+                    }
+                });
+            }
+            catch (err) {
+                safeReject(err instanceof Error
+                    ? err
+                    : new Error('Failed to close server while finding a free port'));
+            }
+        });
+    });
+}
+async function exchangeCodeForTokenWithEndpoint(tokenEndpoint, clientId, redirectUri, code, codeVerifier, scope) {
+    const response = await fetch(tokenEndpoint, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            Accept: 'application/json',
+        },
+        body: new URLSearchParams({
+            client_id: clientId,
+            grant_type: 'authorization_code',
+            code,
+            redirect_uri: redirectUri,
+            code_verifier: codeVerifier,
+            scope,
+        }),
+    });
+    const data = (await response.json());
+    if (!response.ok) {
+        throw new Error(`Token request failed: ${data.error || response.statusText} - ${data.error_description || ''}`);
+    }
+    return data;
+}
+function base64Url(buffer) {
+    return buffer
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/g, '');
+}

package/dist/auth/providers/azure-devops.d.ts

@@ -0,0 +1,15 @@
+import { Registry } from '../../types/config.js';
+/**
+ * OAuth scope for Azure DevOps device flow authentication
+ * Uses the Azure DevOps application ID with .default scope
+ */
+export declare const AZURE_DEVOPS_OAUTH_SCOPE = "499b84ac-1321-427f-aa17-267ca6975798/.default";
+/**
+ * Authenticate Azure DevOps registries using OAuth device flow
+ * Returns map of registry URL → PAT token
+ */
+export declare function authenticateAzureDevOps(clientId: string, tenantId: string, registries: Registry[], redirectUri?: string): Promise<Map<string, string>>;
+/**
+ * Generate PATs using a provided OAuth token (skips auth flow)
+ */
+export declare function authenticateAzureDevOpsWithOAuthToken(oauthToken: string, registries: Registry[]): Promise<Map<string, string>>;

package/dist/auth/providers/azure-devops.js

@@ -0,0 +1,130 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AZURE_DEVOPS_OAUTH_SCOPE = void 0;
+exports.authenticateAzureDevOps = authenticateAzureDevOps;
+exports.authenticateAzureDevOpsWithOAuthToken = authenticateAzureDevOpsWithOAuthToken;
+const chalk_1 = __importDefault(require("chalk"));
+const pkce_flow_js_1 = require("../pkce-flow.js");
+const constants_1 = require("../constants");
+/**
+ * Entra ID (Azure AD) OAuth endpoint templates
+ * Tenant ID will be substituted at runtime
+ */
+const AUTHORIZE_ENDPOINT_TEMPLATE = 'https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize';
+const TOKEN_ENDPOINT_TEMPLATE = 'https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token';
+/**
+ * OAuth scope for Azure DevOps device flow authentication
+ * Uses the Azure DevOps application ID with .default scope
+ */
+exports.AZURE_DEVOPS_OAUTH_SCOPE = '499b84ac-1321-427f-aa17-267ca6975798/.default';
+/**
+ * PAT scope for npm package access (read-only)
+ * vso.packaging is the read-only scope for accessing Azure DevOps package feeds
+ */
+const PAT_SCOPE = 'vso.packaging';
+/**
+ * PAT API endpoint pattern
+ */
+const PAT_API_ENDPOINT = 'https://vssps.dev.azure.com/{organization}/_apis/tokens/pats?api-version=7.1-preview.1';
+/**
+ * Authenticate Azure DevOps registries using OAuth device flow
+ * Returns map of registry URL → PAT token
+ */
+async function authenticateAzureDevOps(clientId, tenantId, registries, redirectUri) {
+    console.log(chalk_1.default.bold('\n🔐 Azure DevOps Authentication\n'));
+    // Step 1: PKCE auth to get OAuth token
+    // If redirectUri is provided (e.g. from CLI or config), use it (Relay mode if non-localhost).
+    // Otherwise fallback to legacy fixed port localhost URI.
+    const effectiveRedirectUri = redirectUri || constants_1.DEFAULT_REDIRECT_URI;
+    const tokenResponse = await (0, pkce_flow_js_1.runPkceFlow)({
+        authorizeEndpoint: AUTHORIZE_ENDPOINT_TEMPLATE.replace('{tenantId}', tenantId),
+        tokenEndpoint: TOKEN_ENDPOINT_TEMPLATE.replace('{tenantId}', tenantId),
+        clientId,
+        redirectUri: effectiveRedirectUri,
+        scope: exports.AZURE_DEVOPS_OAUTH_SCOPE,
+        providerName: 'Azure DevOps',
+    });
+    if (!tokenResponse.access_token) {
+        throw new Error('OAuth access token not returned from Entra ID');
+    }
+    return buildTokenMap(registries, tokenResponse.access_token);
+}
+/**
+ * Generate PATs using a provided OAuth token (skips auth flow)
+ */
+async function authenticateAzureDevOpsWithOAuthToken(oauthToken, registries) {
+    return buildTokenMap(registries, oauthToken);
+}
+async function buildTokenMap(registries, oauthToken) {
+    const organizations = extractOrganizations(registries);
+    console.log(chalk_1.default.gray(`\nFound ${organizations.size} unique organization(s): ${Array.from(organizations).join(', ')}\n`));
+    const tokenMap = new Map();
+    for (const org of organizations) {
+        const pat = await generatePat(org, oauthToken);
+        for (const registry of registries) {
+            const registryOrg = extractOrgFromUrl(registry.url);
+            if (registryOrg === org) {
+                tokenMap.set(registry.url, pat);
+            }
+        }
+    }
+    return tokenMap;
+}
+/**
+ * Extract unique organizations from registry URLs
+ */
+function extractOrganizations(registries) {
+    const orgs = new Set();
+    for (const registry of registries) {
+        const org = extractOrgFromUrl(registry.url);
+        if (org) {
+            orgs.add(org);
+        }
+    }
+    return orgs;
+}
+/**
+ * Extract organization from Azure DevOps registry URL
+ * Format: https://pkgs.dev.azure.com/{organization}/_packaging/...
+ */
+function extractOrgFromUrl(url) {
+    const match = url.match(/pkgs\.dev\.azure\.com\/([^/]+)\//);
+    return match ? match[1] : null;
+}
+/**
+ * Generate a Personal Access Token using the OAuth token
+ */
+async function generatePat(organization, oauthToken) {
+    const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+    const displayName = `mfe-platform-cli-${organization}-${timestamp}`;
+    // Set PAT to expire in 1 year
+    const validTo = new Date();
+    validTo.setFullYear(validTo.getFullYear() + 1);
+    const patRequest = {
+        displayName,
+        scope: PAT_SCOPE,
+        validTo: validTo.toISOString(),
+        allOrgs: false,
+    };
+    const endpoint = PAT_API_ENDPOINT.replace('{organization}', organization);
+    console.log(chalk_1.default.gray(`Generating PAT for organization: ${organization}...`));
+    const response = await fetch(endpoint, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            Accept: 'application/json',
+            Authorization: `Bearer ${oauthToken}`,
+        },
+        body: JSON.stringify(patRequest),
+    });
+    if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`Failed to generate PAT for ${organization}: ${response.status} ${response.statusText}\n${errorText}`);
+    }
+    const patResponse = (await response.json());
+    console.log(chalk_1.default.green(`✓ PAT generated: ${displayName}`));
+    return patResponse.patToken.token;
+}

package/dist/auth/providers/github.d.ts

@@ -0,0 +1,6 @@
+import { Registry } from '../../types/config.js';
+/**
+ * Authenticate GitHub registries using OAuth device flow
+ * Returns map of registry URL → access token (same token for all registries in group)
+ */
+export declare function authenticateGitHub(clientId: string, registries: Registry[]): Promise<Map<string, string>>;

package/dist/auth/providers/github.js

@@ -0,0 +1,38 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authenticateGitHub = authenticateGitHub;
+const chalk_1 = __importDefault(require("chalk"));
+const device_flow_js_1 = require("../device-flow.js");
+/**
+ * GitHub OAuth endpoints
+ */
+const DEVICE_AUTH_ENDPOINT = 'https://github.com/login/device/code';
+const TOKEN_ENDPOINT = 'https://github.com/login/oauth/access_token';
+/**
+ * Required scopes for npm package access (read-only)
+ */
+const REQUIRED_SCOPES = 'read:packages';
+/**
+ * Authenticate GitHub registries using OAuth device flow
+ * Returns map of registry URL → access token (same token for all registries in group)
+ */
+async function authenticateGitHub(clientId, registries) {
+    console.log(chalk_1.default.bold('\n🔐 GitHub Authentication\n'));
+    // Step 1: Device flow to get access token
+    const deviceAuth = await (0, device_flow_js_1.initiateDeviceFlow)(DEVICE_AUTH_ENDPOINT, clientId, REQUIRED_SCOPES);
+    (0, device_flow_js_1.displayUserInstructions)(deviceAuth.user_code, deviceAuth.verification_uri, 'GitHub');
+    const tokenResponse = await (0, device_flow_js_1.pollForToken)(TOKEN_ENDPOINT, clientId, deviceAuth.device_code, deviceAuth.interval, deviceAuth.expires_in);
+    if (!tokenResponse.access_token) {
+        throw new Error('GitHub access token not returned from OAuth device flow');
+    }
+    console.log(chalk_1.default.green('✓ GitHub access token acquired\n'));
+    // Step 2: Map all registries to the same token
+    const tokenMap = new Map();
+    for (const registry of registries) {
+        tokenMap.set(registry.url, tokenResponse.access_token);
+    }
+    return tokenMap;
+}

package/dist/commands/init.d.ts

@@ -0,0 +1,10 @@
+import { Command } from 'commander';
+import { ConfigSource } from '../types/config.js';
+/**
+ * Get stored config source and auth options for update command
+ */
+export declare function getStoredConfigSource(): Promise<ConfigSource | null>;
+/**
+ * Create and configure the init command
+ */
+export declare function createInitCommand(): Command;