@secretstash/cli 0.1.3 → 0.1.5

package/dist/index.js

@@ -10,6 +10,7 @@ import { dirname as dirname2, join as join2 } from "path";
 // src/commands/auth.ts
 import enquirer from "enquirer";
 import qrcode from "qrcode-terminal";
+import { execFile } from "child_process";
 
 // src/config.ts
 import Conf from "conf";
@@ -305,7 +306,7 @@ var ApiClient = class {
     const refreshToken = configManager.getRefreshToken();
     if (!refreshToken) return false;
     try {
-      const response = await fetch(`${configManager.getApiUrl()}/api/auth/refresh`, {
+      const response = await fetch(`${configManager.getApiUrl()}/api/v1/auth/refresh`, {
         method: "POST",
         headers: {
           "Content-Type": "application/json"
@@ -379,21 +380,33 @@ var ApiClient = class {
   }
   // Auth endpoints
   async login(email, password) {
-    return this.request("/api/auth/login", {
+    return this.request("/api/v1/auth/login", {
       method: "POST",
       body: { email, password, client: "cli" },
       requireAuth: false
     });
   }
+  // Browser-based CLI auth endpoints
+  async initBrowserAuth() {
+    return this.request("/api/v1/cli/auth/init", {
+      method: "POST",
+      requireAuth: false
+    });
+  }
+  async checkBrowserAuthStatus(code) {
+    return this.request(`/api/v1/cli/auth/status/${code}`, {
+      requireAuth: false
+    });
+  }
   async verify2FA(tempToken, code) {
-    return this.request("/api/auth/2fa/verify", {
+    return this.request("/api/v1/auth/2fa/verify", {
       method: "POST",
       body: { tempToken, code },
       requireAuth: false
     });
   }
   async register(email, password) {
-    return this.request("/api/auth/register", {
+    return this.request("/api/v1/auth/register", {
       method: "POST",
       body: { email, password },
       requireAuth: false
@@ -402,7 +415,7 @@ var ApiClient = class {
   async logout() {
     const refreshToken = configManager.getRefreshToken();
     if (refreshToken) {
-      await this.request("/api/auth/logout", {
+      await this.request("/api/v1/auth/logout", {
         method: "POST",
         body: { refreshToken }
       });
@@ -410,39 +423,39 @@ var ApiClient = class {
     configManager.logout();
   }
   async getMe() {
-    return this.request("/api/users/me");
+    return this.request("/api/v1/users/me");
   }
   // Team endpoints
   async getTeams() {
-    return this.request("/api/teams");
+    return this.request("/api/v1/teams");
   }
   async createTeam(name) {
-    return this.request("/api/teams", {
+    return this.request("/api/v1/teams", {
       method: "POST",
       body: { name }
     });
   }
   // Project endpoints
   async getProjects(teamId) {
-    return this.request(`/api/teams/${teamId}/projects`);
+    return this.request(`/api/v1/teams/${teamId}/projects`);
   }
   async createProject(teamId, name, description) {
-    return this.request(`/api/teams/${teamId}/projects`, {
+    return this.request(`/api/v1/teams/${teamId}/projects`, {
       method: "POST",
       body: { name, description }
     });
   }
   async deleteProject(projectId) {
-    return this.request(`/api/projects/${projectId}`, {
+    return this.request(`/api/v1/projects/${projectId}`, {
       method: "DELETE"
     });
   }
   // Environment endpoints
   async getEnvironments(projectId) {
-    return this.request(`/api/projects/${projectId}/environments`);
+    return this.request(`/api/v1/projects/${projectId}/environments`);
   }
   async createEnvironment(projectId, name, parentId) {
-    return this.request(`/api/projects/${projectId}/environments`, {
+    return this.request(`/api/v1/projects/${projectId}/environments`, {
       method: "POST",
       body: { name, parentId }
     });
@@ -454,29 +467,29 @@ var ApiClient = class {
   }
   // Secret endpoints (keys only, no decryption)
   async getSecrets(environmentId) {
-    return this.request(`/api/environments/${environmentId}/secrets`);
+    return this.request(`/api/v1/environments/${environmentId}/secrets`);
   }
   // Decrypted secrets (requires password)
   async getDecryptedSecrets(environmentId, password) {
-    return this.request(`/api/environments/${environmentId}/secrets/decrypt`, {
+    return this.request(`/api/v1/environments/${environmentId}/secrets/decrypt`, {
       method: "POST",
       body: { password }
     });
   }
   async createSecret(environmentId, key, value, password, description) {
-    return this.request(`/api/environments/${environmentId}/secrets`, {
+    return this.request(`/api/v1/environments/${environmentId}/secrets`, {
       method: "POST",
       body: { key, value, password, description }
     });
   }
   async updateSecret(secretId, value, password, description) {
-    return this.request(`/api/secrets/${secretId}`, {
+    return this.request(`/api/v1/secrets/${secretId}`, {
       method: "PATCH",
       body: { value, password, description }
     });
   }
   async deleteSecret(secretId) {
-    return this.request(`/api/secrets/${secretId}`, {
+    return this.request(`/api/v1/secrets/${secretId}`, {
       method: "DELETE"
     });
   }
@@ -484,58 +497,58 @@ var ApiClient = class {
   async pullSecrets(teamSlug, projectSlug, environment, password, options) {
     const includeInherited = options?.includeInherited ?? true;
     const query = includeInherited ? "" : "?includeInherited=false";
-    return this.request(`/api/teams/${teamSlug}/projects/${projectSlug}/environments/${environment}/secrets/decrypt${query}`, {
+    return this.request(`/api/v1/teams/${teamSlug}/projects/${projectSlug}/environments/${environment}/secrets/decrypt${query}`, {
       method: "POST",
       body: { password }
     });
   }
   async pushSecrets(teamSlug, projectSlug, environment, secrets, password) {
-    return this.request(`/api/teams/${teamSlug}/projects/${projectSlug}/environments/${environment}/secrets/bulk`, {
+    return this.request(`/api/v1/teams/${teamSlug}/projects/${projectSlug}/environments/${environment}/secrets/bulk`, {
       method: "PUT",
       body: { secrets, password }
     });
   }
   // 2FA endpoints
   async setup2FA() {
-    return this.request("/api/users/me/2fa/setup", {
+    return this.request("/api/v1/users/me/2fa/setup", {
       method: "POST"
     });
   }
   async enable2FA(code) {
-    return this.request("/api/users/me/2fa/enable", {
+    return this.request("/api/v1/users/me/2fa/enable", {
       method: "POST",
       body: { code }
     });
   }
   async disable2FA(code) {
-    return this.request("/api/users/me/2fa/disable", {
+    return this.request("/api/v1/users/me/2fa/disable", {
       method: "POST",
       body: { code }
     });
   }
   // Team member endpoints
   async getTeamMembers(teamId) {
-    return this.request(`/api/teams/${teamId}/members`);
+    return this.request(`/api/v1/teams/${teamId}/members`);
   }
   async inviteTeamMember(teamId, email, role) {
-    return this.request(`/api/teams/${teamId}/invitations`, {
+    return this.request(`/api/v1/teams/${teamId}/invitations`, {
       method: "POST",
       body: { email, role }
     });
   }
   async removeTeamMember(teamId, memberId) {
-    return this.request(`/api/teams/${teamId}/members/${memberId}`, {
+    return this.request(`/api/v1/teams/${teamId}/members/${memberId}`, {
       method: "DELETE"
     });
   }
   async updateTeamMemberRole(teamId, memberId, role) {
-    return this.request(`/api/teams/${teamId}/members/${memberId}`, {
+    return this.request(`/api/v1/teams/${teamId}/members/${memberId}`, {
       method: "PATCH",
       body: { role }
     });
   }
   async getPendingInvitations(teamId) {
-    return this.request(`/api/teams/${teamId}/invitations`);
+    return this.request(`/api/v1/teams/${teamId}/invitations`);
   }
   // Share link endpoints
   async createShare(teamSlug, projectSlug, environment, secretKey, options) {
@@ -561,7 +574,7 @@ var ApiClient = class {
   }
   // Service token verification - make a request to validate the token works
   async verifyServiceToken(token) {
-    return this.request("/api/teams", {
+    return this.request("/api/v1/teams", {
       headers: {
         "Authorization": `Bearer ${token}`
       },
@@ -819,6 +832,79 @@ var ui = {
 // src/commands/auth.ts
 var { prompt } = enquirer;
 var SERVICE_TOKEN_PREFIX = "stk_";
+function openBrowser(url) {
+  const opener = process.platform === "darwin" ? "open" : process.platform === "win32" ? "powershell" : "xdg-open";
+  const args = process.platform === "win32" ? ["-Command", "Start-Process", url] : [url];
+  execFile(opener, args, (error) => {
+    if (error) {
+      ui.warning("Could not open browser automatically");
+      ui.info(`Please open this URL manually: ${colors.highlight(url)}`);
+    }
+  });
+}
+async function handleBrowserLogin() {
+  ui.heading("SecretStash Login");
+  ui.br();
+  const initSpinner = ui.spinner("Starting authentication...");
+  const initResult = await apiClient.initBrowserAuth();
+  if (initResult.error) {
+    initSpinner.fail();
+    ui.error(initResult.error.message);
+    process.exit(1);
+  }
+  initSpinner.succeed("Authentication session started");
+  const { code, authUrl, expiresIn } = initResult.data;
+  ui.br();
+  ui.box("Browser Authentication", [
+    "A browser window will open for you to sign in.",
+    "If it doesn't open automatically, visit:",
+    "",
+    `  ${colors.highlight(authUrl)}`,
+    "",
+    `Code: ${colors.primary.bold(code)}`,
+    "",
+    colors.muted(`This code expires in ${Math.floor(expiresIn / 60)} minutes`)
+  ]);
+  openBrowser(authUrl);
+  ui.br();
+  const pollSpinner = ui.spinner("Waiting for authentication...");
+  const pollInterval = 2e3;
+  const maxAttempts = Math.floor(expiresIn * 1e3 / pollInterval);
+  let attempts = 0;
+  while (attempts < maxAttempts) {
+    await new Promise((resolve) => setTimeout(resolve, pollInterval));
+    attempts++;
+    const statusResult = await apiClient.checkBrowserAuthStatus(code);
+    if (statusResult.error) {
+      if (statusResult.error.code === "EXPIRED" || statusResult.error.code === "NOT_FOUND") {
+        pollSpinner.fail();
+        ui.error("Authentication session expired. Please try again.");
+        process.exit(1);
+      }
+      continue;
+    }
+    const { status, accessToken, refreshToken, expiresIn: tokenExpiry, user } = statusResult.data;
+    if (status === "completed" && accessToken && refreshToken && user) {
+      pollSpinner.succeed("Authentication successful!");
+      configManager.setTokens(accessToken, refreshToken, tokenExpiry || 3600);
+      configManager.setUser(user.id, user.email);
+      ui.br();
+      ui.keyValue("Email", user.email);
+      ui.keyValue("Config", configManager.getConfigPath());
+      ui.br();
+      ui.info(`Run ${ui.code("sstash teams")} to see your teams`);
+      return;
+    }
+    if (status === "expired") {
+      pollSpinner.fail();
+      ui.error("Authentication session expired. Please try again.");
+      process.exit(1);
+    }
+  }
+  pollSpinner.fail();
+  ui.error("Authentication timed out. Please try again.");
+  process.exit(1);
+}
 async function handleServiceTokenLogin(token, fromEnvVar = false) {
   ui.heading("SecretStash Service Token Login");
   if (!token.startsWith(SERVICE_TOKEN_PREFIX)) {
@@ -866,7 +952,7 @@ async function handleServiceTokenLogin(token, fromEnvVar = false) {
   ]);
 }
 function registerAuthCommands(program2) {
-  program2.command("login").description("Authenticate with SecretStash").option("-e, --email <email>", "Email address").option("-t, --token <token>", "Service token for CI/CD authentication (must start with stk_)").action(async (options) => {
+  program2.command("login").description("Authenticate with SecretStash via browser (supports passkeys and 2FA)").option("-t, --token <token>", "Service token for CI/CD authentication (must start with stk_)").action(async (options) => {
     if (options.token) {
       await handleServiceTokenLogin(options.token);
       return;
@@ -875,93 +961,7 @@ function registerAuthCommands(program2) {
       await handleServiceTokenLogin(process.env.SECRETSTASH_TOKEN, true);
       return;
     }
-    ui.heading("SecretStash Login");
-    let email = options.email;
-    if (!email) {
-      const response = await prompt({
-        type: "input",
-        name: "email",
-        message: "Email:",
-        validate: (value) => {
-          if (!value) return "Email is required";
-          if (!value.includes("@")) return "Invalid email format";
-          return true;
-        }
-      });
-      email = response.email;
-    }
-    const { password } = await prompt({
-      type: "password",
-      name: "password",
-      message: "Password:",
-      validate: (value) => value ? true : "Password is required"
-    });
-    const spinner = ui.spinner("Authenticating...");
-    const result = await apiClient.login(email, password);
-    if (result.error) {
-      spinner.fail();
-      if (result.error.code === "CLI_2FA_REQUIRED") {
-        ui.br();
-        ui.box("Two-Factor Authentication Required", [
-          "CLI access requires two-factor authentication.",
-          "",
-          "To set up 2FA:",
-          `  1. Visit ${colors.highlight("https://app.secretstash.dev/settings/security")}`,
-          "  2. Enable two-factor authentication",
-          "  3. Return here and try again",
-          "",
-          colors.muted("For CI/CD pipelines, use service tokens instead:"),
-          `  ${colors.highlight("sstash login --token <service-token>")}`
-        ]);
-        process.exit(1);
-      }
-      ui.error(result.error.message);
-      process.exit(1);
-    }
-    if (result.data?.requires2FA) {
-      spinner.stop();
-      ui.info("Two-factor authentication required");
-      const { code } = await prompt({
-        type: "input",
-        name: "code",
-        message: "2FA Code:",
-        validate: (value) => {
-          if (!value) return "2FA code is required";
-          if (!/^\d{6}$/.test(value)) return "Code must be 6 digits";
-          return true;
-        }
-      });
-      const spinner2 = ui.spinner("Verifying...");
-      const twoFAResult = await apiClient.verify2FA(
-        result.data.tempToken,
-        code
-      );
-      if (twoFAResult.error) {
-        spinner2.fail();
-        ui.error(twoFAResult.error.message);
-        process.exit(1);
-      }
-      configManager.setTokens(
-        twoFAResult.data.accessToken,
-        twoFAResult.data.refreshToken,
-        twoFAResult.data.expiresIn
-      );
-      configManager.setUser(twoFAResult.data.user.id, twoFAResult.data.user.email);
-      spinner2.succeed("Logged in successfully");
-    } else {
-      configManager.setTokens(
-        result.data.accessToken,
-        result.data.refreshToken,
-        result.data.expiresIn
-      );
-      configManager.setUser(result.data.user.id, result.data.user.email);
-      spinner.succeed("Logged in successfully");
-    }
-    ui.br();
-    ui.keyValue("Email", email);
-    ui.keyValue("Config", configManager.getConfigPath());
-    ui.br();
-    ui.info(`Run ${ui.code("sstash teams")} to see your teams`);
+    await handleBrowserLogin();
   });
   program2.command("logout").description("Log out from SecretStash").action(async () => {
     if (!configManager.isAuthenticated()) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@secretstash/cli",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "CLI tool for SecretStash - secure team secrets management",
   "type": "module",
   "main": "dist/index.js",