@syncular/cli 0.0.0-44

package/src/commands/auth.ts

@@ -0,0 +1,514 @@
+import { spawn } from 'node:child_process';
+import { randomUUID } from 'node:crypto';
+import { readFileSync } from 'node:fs';
+import { createServer } from 'node:http';
+import process from 'node:process';
+import {
+  clearStoredControlPlaneToken,
+  readStoredControlPlaneToken,
+  writeStoredControlPlaneToken,
+} from '../auth-storage';
+import { CLI_NAME } from '../constants';
+import { normalizeControlPlaneBaseUrl } from '../control-plane';
+import { printError, printInfo } from '../output';
+import { DEFAULT_CONTROL_PLANE_API_BASE } from '../spaces-config';
+
+interface AuthMeResponse {
+  actorId?: string;
+  source?: 'clerk' | 'insecure-header' | 'insecure-query';
+  clerkUserId?: string | null;
+  error?: string;
+  message?: string;
+}
+
+interface WhoAmIOutput {
+  controlPlane: string;
+  actorId: string | null;
+  source: AuthMeResponse['source'] | null;
+  clerkUserId: string | null;
+}
+
+function optionalFlag(
+  flagValues: Map<string, string>,
+  flag: string,
+  fallback: string
+): string {
+  const value = flagValues.get(flag)?.trim();
+  return value && value.length > 0 ? value : fallback;
+}
+
+function optionalIntegerFlag(
+  flagValues: Map<string, string>,
+  flag: string,
+  fallback: number
+): number {
+  const raw = flagValues.get(flag)?.trim();
+  if (!raw) {
+    return fallback;
+  }
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isFinite(parsed) || parsed < 0) {
+    throw new Error(`Invalid ${flag} value: ${raw}`);
+  }
+  return parsed;
+}
+
+function optionalBooleanFlag(
+  flagValues: Map<string, string>,
+  flag: string,
+  fallback: boolean
+): boolean {
+  const value = flagValues.get(flag);
+  if (!value) {
+    return fallback;
+  }
+
+  const normalized = value.trim().toLowerCase();
+  if (
+    normalized === '1' ||
+    normalized === 'true' ||
+    normalized === 'yes' ||
+    normalized === 'on'
+  ) {
+    return true;
+  }
+  if (
+    normalized === '0' ||
+    normalized === 'false' ||
+    normalized === 'no' ||
+    normalized === 'off'
+  ) {
+    return false;
+  }
+
+  throw new Error(
+    `Invalid ${flag} value "${value}". Use true/false, yes/no, on/off, or 1/0.`
+  );
+}
+
+function parseBearerToken(token: string): string {
+  const trimmed = token.trim();
+  if (trimmed.toLowerCase().startsWith('bearer ')) {
+    return trimmed.slice('bearer '.length).trim();
+  }
+  return trimmed;
+}
+
+function resolveControlPlaneBase(flagValues: Map<string, string>): string {
+  const value = optionalFlag(
+    flagValues,
+    '--control-plane',
+    process.env.SPACES_CONTROL_PLANE_BASE_URL?.trim() ||
+      DEFAULT_CONTROL_PLANE_API_BASE
+  );
+  return normalizeControlPlaneBaseUrl(value);
+}
+
+function defaultCliAuthUrl(controlPlaneBase: string): string {
+  return `${controlPlaneBase.replace(/\/$/, '')}/cli-login`;
+}
+
+async function resolveProvidedToken(
+  flagValues: Map<string, string>
+): Promise<string | null> {
+  const explicitToken =
+    flagValues.get('--token')?.trim() ||
+    flagValues.get('--control-token')?.trim() ||
+    process.env.SPACES_CONTROL_PLANE_TOKEN?.trim() ||
+    process.env.SPACES_CONTROL_TOKEN?.trim() ||
+    null;
+  if (explicitToken && explicitToken.length > 0) {
+    return parseBearerToken(explicitToken);
+  }
+
+  if (process.argv.includes('--token-stdin')) {
+    try {
+      const stdinRaw = readFileSync(0, 'utf8');
+      const stdinToken = parseBearerToken(stdinRaw);
+      if (stdinToken.length > 0) {
+        return stdinToken;
+      }
+    } catch {
+      // ignore and fall through to browser flow
+    }
+  }
+
+  return null;
+}
+
+function openBrowser(url: string): boolean {
+  try {
+    if (process.platform === 'darwin') {
+      const child = spawn('open', [url], {
+        detached: true,
+        stdio: 'ignore',
+      });
+      child.unref();
+      return true;
+    }
+
+    if (process.platform === 'win32') {
+      const child = spawn('cmd', ['/c', 'start', '', url], {
+        detached: true,
+        stdio: 'ignore',
+        windowsHide: true,
+      });
+      child.unref();
+      return true;
+    }
+
+    const child = spawn('xdg-open', [url], {
+      detached: true,
+      stdio: 'ignore',
+    });
+    child.unref();
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function isAllowedCallbackHost(hostname: string): boolean {
+  const normalized = hostname.trim().toLowerCase();
+  return normalized === '127.0.0.1' || normalized === 'localhost';
+}
+
+async function waitForTokenViaBrowser(args: {
+  callbackHost: string;
+  callbackPort: number;
+  authUrl: string;
+  timeoutSeconds: number;
+}): Promise<string> {
+  if (!isAllowedCallbackHost(args.callbackHost)) {
+    throw new Error(
+      `Invalid --callback-host "${args.callbackHost}". Use 127.0.0.1 or localhost.`
+    );
+  }
+
+  const state = randomUUID();
+  let settled = false;
+  let resolveToken: ((token: string) => void) | null = null;
+  let rejectToken: ((error: Error) => void) | null = null;
+
+  const tokenPromise = new Promise<string>((resolve, reject) => {
+    resolveToken = resolve;
+    rejectToken = reject;
+  });
+
+  const server = createServer((req, res) => {
+    try {
+      const requestUrl = new URL(
+        req.url || '/',
+        `http://${args.callbackHost}:${listeningPort}`
+      );
+      if (requestUrl.pathname !== '/callback') {
+        res.statusCode = 404;
+        res.end('Not found');
+        return;
+      }
+
+      const responseHeaders = {
+        'Content-Type': 'text/html; charset=utf-8',
+      };
+
+      const callbackState = requestUrl.searchParams.get('state')?.trim() || '';
+      if (callbackState !== state) {
+        res.writeHead(400, responseHeaders);
+        res.end(
+          '<h2>CLI Login Failed</h2><p>Invalid state. Return to terminal.</p>'
+        );
+        if (!settled) {
+          settled = true;
+          rejectToken?.(new Error('CLI login state mismatch.'));
+        }
+        return;
+      }
+
+      const error = requestUrl.searchParams.get('error')?.trim();
+      if (error && error.length > 0) {
+        res.writeHead(400, responseHeaders);
+        res.end(
+          `<h2>CLI Login Failed</h2><p>${error}</p><p>Return to terminal.</p>`
+        );
+        if (!settled) {
+          settled = true;
+          rejectToken?.(new Error(`CLI login failed: ${error}`));
+        }
+        return;
+      }
+
+      const token = parseBearerToken(
+        requestUrl.searchParams.get('token')?.trim() || ''
+      );
+      if (token.length === 0) {
+        res.writeHead(400, responseHeaders);
+        res.end(
+          '<h2>CLI Login Failed</h2><p>Missing token in callback.</p><p>Return to terminal.</p>'
+        );
+        if (!settled) {
+          settled = true;
+          rejectToken?.(new Error('CLI login callback did not include token.'));
+        }
+        return;
+      }
+
+      res.writeHead(200, responseHeaders);
+      res.end(
+        '<h2>CLI Login Complete</h2><p>You can close this tab and return to the terminal.</p>'
+      );
+      if (!settled) {
+        settled = true;
+        resolveToken?.(token);
+      }
+    } catch (error: unknown) {
+      res.statusCode = 500;
+      res.end('Unexpected callback error');
+      if (!settled) {
+        settled = true;
+        rejectToken?.(
+          error instanceof Error
+            ? error
+            : new Error('Unexpected callback parsing error.')
+        );
+      }
+    }
+  });
+
+  let listeningPort = args.callbackPort;
+  await new Promise<void>((resolve, reject) => {
+    server.once('error', (error) =>
+      reject(error instanceof Error ? error : new Error(String(error)))
+    );
+    server.listen(args.callbackPort, args.callbackHost, () => {
+      const address = server.address();
+      if (!address || typeof address === 'string') {
+        reject(new Error('Failed to allocate callback server port.'));
+        return;
+      }
+      listeningPort = address.port;
+      resolve();
+    });
+  });
+
+  const callbackUrl = `http://${args.callbackHost}:${listeningPort}/callback`;
+  const loginUrl = new URL(args.authUrl);
+  loginUrl.searchParams.set('callback', callbackUrl);
+  loginUrl.searchParams.set('state', state);
+
+  const opened = openBrowser(loginUrl.toString());
+  if (opened) {
+    printInfo(`Opening browser for CLI authentication: ${loginUrl}`);
+  } else {
+    printInfo('Failed to auto-open browser. Open this URL manually:');
+    console.log(loginUrl.toString());
+  }
+
+  try {
+    const timeoutMs = args.timeoutSeconds * 1000;
+    const timeoutPromise = new Promise<string>((_, reject) => {
+      setTimeout(() => {
+        reject(
+          new Error(
+            `Timed out waiting for browser login callback after ${args.timeoutSeconds}s.`
+          )
+        );
+      }, timeoutMs);
+    });
+    return await Promise.race([tokenPromise, timeoutPromise]);
+  } finally {
+    server.close();
+  }
+}
+
+async function fetchAuthMe(args: {
+  controlPlaneBase: string;
+  token: string;
+}): Promise<{
+  ok: boolean;
+  status: number;
+  payload: AuthMeResponse | null;
+}> {
+  const response = await fetch(
+    `${args.controlPlaneBase.replace(/\/$/, '')}/auth/me`,
+    {
+      method: 'GET',
+      headers: {
+        Authorization: `Bearer ${args.token}`,
+      },
+    }
+  );
+
+  let payload: AuthMeResponse | null = null;
+  try {
+    payload = (await response.json()) as AuthMeResponse;
+  } catch {
+    payload = null;
+  }
+
+  return {
+    ok: response.ok,
+    status: response.status,
+    payload,
+  };
+}
+
+function printWhoAmIHuman(payload: WhoAmIOutput): void {
+  const rows: Array<{ label: string; value: string }> = [
+    { label: 'Status', value: 'authenticated' },
+    { label: 'Control Plane', value: payload.controlPlane },
+    { label: 'Actor ID', value: payload.actorId ?? '(missing)' },
+    { label: 'Auth Source', value: payload.source ?? '(unknown)' },
+  ];
+
+  if (payload.clerkUserId) {
+    rows.push({ label: 'Clerk User ID', value: payload.clerkUserId });
+  }
+
+  const keyWidth = rows.reduce(
+    (width, row) => Math.max(width, row.label.length),
+    0
+  );
+  const contentLines = rows.map(
+    (row) => `${row.label.padEnd(keyWidth)} : ${row.value}`
+  );
+  const title = 'syncular whoami';
+  const contentWidth = Math.max(
+    title.length,
+    ...contentLines.map((line) => line.length)
+  );
+  const horizontal = '─'.repeat(contentWidth + 2);
+
+  console.log(`╭${horizontal}╮`);
+  console.log(`│ ${title.padEnd(contentWidth)} │`);
+  console.log(`├${horizontal}┤`);
+  for (const line of contentLines) {
+    console.log(`│ ${line.padEnd(contentWidth)} │`);
+  }
+  console.log(`╰${horizontal}╯`);
+}
+
+export async function runLogin(
+  flagValues: Map<string, string>
+): Promise<number> {
+  try {
+    const controlPlaneBase = resolveControlPlaneBase(flagValues);
+    const providedToken = await resolveProvidedToken(flagValues);
+
+    let token = providedToken;
+    if (!token) {
+      const callbackHost = optionalFlag(
+        flagValues,
+        '--callback-host',
+        '127.0.0.1'
+      );
+      const callbackPort = optionalIntegerFlag(
+        flagValues,
+        '--callback-port',
+        0
+      );
+      const timeoutSeconds = optionalIntegerFlag(
+        flagValues,
+        '--timeout-seconds',
+        180
+      );
+      if (timeoutSeconds <= 0) {
+        throw new Error('--timeout-seconds must be greater than 0.');
+      }
+      const authUrl = optionalFlag(
+        flagValues,
+        '--auth-url',
+        defaultCliAuthUrl(controlPlaneBase)
+      );
+      token = await waitForTokenViaBrowser({
+        callbackHost,
+        callbackPort,
+        authUrl,
+        timeoutSeconds,
+      });
+    }
+
+    const me = await fetchAuthMe({ controlPlaneBase, token });
+    if (!me.ok) {
+      throw new Error(
+        `Login failed (${me.status}): ${me.payload?.message || me.payload?.error || 'UNAUTHENTICATED'}`
+      );
+    }
+
+    await writeStoredControlPlaneToken({ controlPlaneBase, token });
+    console.log('CLI login saved.');
+    console.log(`Control plane: ${controlPlaneBase}`);
+    if (me.payload?.actorId) {
+      console.log(`Actor: ${me.payload.actorId}`);
+    }
+    if (me.payload?.source) {
+      console.log(`Auth source: ${me.payload.source}`);
+    }
+    return 0;
+  } catch (error: unknown) {
+    printError(
+      error instanceof Error ? error.message : 'Login failed unexpectedly.'
+    );
+    return 1;
+  }
+}
+
+export async function runLogout(
+  flagValues: Map<string, string>
+): Promise<number> {
+  try {
+    const controlPlaneBase = resolveControlPlaneBase(flagValues);
+    await clearStoredControlPlaneToken(controlPlaneBase);
+    console.log(`Cleared stored CLI token for ${controlPlaneBase}`);
+    return 0;
+  } catch (error: unknown) {
+    printError(
+      error instanceof Error ? error.message : 'Logout failed unexpectedly.'
+    );
+    return 1;
+  }
+}
+
+export async function runWhoAmI(
+  flagValues: Map<string, string>
+): Promise<number> {
+  try {
+    const jsonOutput = optionalBooleanFlag(flagValues, '--json', false);
+    const controlPlaneBase = resolveControlPlaneBase(flagValues);
+    const token =
+      (await resolveProvidedToken(flagValues)) ||
+      (await readStoredControlPlaneToken(controlPlaneBase));
+
+    if (!token) {
+      printError(
+        `No control-plane token available. Run \`${CLI_NAME} login\` first (or pass --token).`
+      );
+      return 1;
+    }
+
+    const me = await fetchAuthMe({ controlPlaneBase, token });
+    if (!me.ok) {
+      throw new Error(
+        `whoami failed (${me.status}): ${me.payload?.message || me.payload?.error || 'UNAUTHENTICATED'}`
+      );
+    }
+
+    const output: WhoAmIOutput = {
+      controlPlane: controlPlaneBase,
+      actorId: me.payload?.actorId ?? null,
+      source: me.payload?.source ?? null,
+      clerkUserId: me.payload?.clerkUserId ?? null,
+    };
+
+    if (jsonOutput) {
+      console.log(JSON.stringify(output, null, 2));
+    } else {
+      printWhoAmIHuman(output);
+    }
+    return 0;
+  } catch (error: unknown) {
+    printError(
+      error instanceof Error ? error.message : 'whoami failed unexpectedly.'
+    );
+    return 1;
+  }
+}