@synsci/thesis 0.1.0

package/src/setup-auth.mjs

@@ -0,0 +1,548 @@
+import crypto from "node:crypto";
+import http from "node:http";
+import { spawn } from "node:child_process";
+
+const DEFAULT_AUTH_TIMEOUT_MS = 5 * 60 * 1000;
+const MIN_POLL_DELAY_MS = 1000;
+const MAX_POLL_DELAY_MS = 10_000;
+
+function openUrlInBrowser(url) {
+  const platform = process.platform;
+  if (platform === "darwin") {
+    return spawn("open", [url], { stdio: "ignore", detached: true });
+  }
+  if (platform === "win32") {
+    return spawn("cmd", ["/c", "start", "", url], {
+      stdio: "ignore",
+      detached: true,
+    });
+  }
+  return spawn("xdg-open", [url], { stdio: "ignore", detached: true });
+}
+
+function renderCallbackPage({ ok, message }) {
+  const title = ok ? "Connected to Thesis" : "Connection Failed";
+  const icon = ok
+    ? `<svg width="48" height="48" viewBox="0 0 24 24" fill="none" stroke="#e7e5e4" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M20 6L9 17l-5-5"/></svg>`
+    : `<svg width="48" height="48" viewBox="0 0 24 24" fill="none" stroke="#dc2626" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>`;
+  return `<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>${title}</title>
+    <link rel="preconnect" href="https://fonts.googleapis.com">
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+    <link href="https://fonts.googleapis.com/css2?family=Space+Grotesk:wght@400;500;600&display=swap" rel="stylesheet">
+    <style>
+      * { margin: 0; padding: 0; box-sizing: border-box; }
+      body {
+        font-family: 'Space Grotesk', system-ui, sans-serif;
+        background: #0a0a0a;
+        color: #e7e5e4;
+        min-height: 100vh;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+      }
+      .container {
+        text-align: center;
+        padding: 3rem;
+      }
+      .icon { margin-bottom: 1.5rem; }
+      .brand {
+        font-size: 0.75rem;
+        font-weight: 500;
+        letter-spacing: 0.15em;
+        text-transform: uppercase;
+        color: #78716c;
+        margin-bottom: 1rem;
+      }
+      h1 {
+        font-size: 1.5rem;
+        font-weight: 600;
+        margin-bottom: 1rem;
+        color: ${ok ? "#e7e5e4" : "#dc2626"};
+      }
+      .message {
+        font-size: 0.875rem;
+        color: #a8a29e;
+        line-height: 1.6;
+      }
+      .hint {
+        font-size: 0.75rem;
+        color: #57534e;
+        margin-top: 2rem;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+      <div class="icon">${icon}</div>
+      <div class="brand">Thesis</div>
+      <h1>${title}</h1>
+      <p class="message">${message}</p>
+      <p class="hint">You can close this tab and return to your terminal.</p>
+    </div>
+  </body>
+</html>`;
+}
+
+function resolveErrorMessage(payload, fallback) {
+  if (!payload || typeof payload !== "object") {
+    return fallback;
+  }
+  const detail = payload.detail;
+  if (typeof detail === "string" && detail.trim()) {
+    return detail.trim();
+  }
+  if (detail && typeof detail === "object") {
+    const message = detail.message;
+    if (typeof message === "string" && message.trim()) {
+      return message.trim();
+    }
+  }
+  return fallback;
+}
+
+async function parseJsonResponse(response) {
+  let payload = {};
+  try {
+    payload = await response.json();
+  } catch {
+    payload = {};
+  }
+  return payload;
+}
+
+function nonEmptyString(value) {
+  if (typeof value !== "string") return null;
+  const candidate = value.trim();
+  return candidate ? candidate : null;
+}
+
+async function redeemSetupExchangeToken({
+  baseUrl,
+  exchangeToken,
+  state,
+  redirectUri,
+}) {
+  const redeemUrl = new URL(
+    "/api/auth/mcp-api-keys/setup-exchange/redeem",
+    baseUrl,
+  );
+  const response = await fetch(redeemUrl, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      "Idempotency-Key": `setup-redeem:${state}`,
+    },
+    body: JSON.stringify({
+      exchange_token: exchangeToken,
+      state,
+      redirect_uri: redirectUri,
+    }),
+  });
+  const payload = await parseJsonResponse(response);
+  if (!response.ok) {
+    const detail = resolveErrorMessage(
+      payload,
+      "Setup exchange redemption failed.",
+    );
+    throw new Error(detail);
+  }
+  const key = nonEmptyString(payload?.key);
+  if (!key) {
+    throw new Error("Setup exchange response missing API key.");
+  }
+  return { apiKey: key };
+}
+
+async function startSetupDeviceSession({
+  baseUrl,
+  keyName,
+  verificationBaseUrl,
+}) {
+  const startUrl = new URL(
+    "/api/auth/mcp-api-keys/setup-device/start",
+    baseUrl,
+  );
+  const response = await fetch(startUrl, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      "Idempotency-Key": `setup-device-start:${crypto.randomUUID()}`,
+    },
+    body: JSON.stringify({
+      name: keyName,
+      verification_base_url: verificationBaseUrl,
+    }),
+  });
+  const payload = await parseJsonResponse(response);
+  if (!response.ok) {
+    const detail = resolveErrorMessage(
+      payload,
+      "Failed to start setup device flow.",
+    );
+    throw new Error(detail);
+  }
+
+  const deviceCode = nonEmptyString(payload.device_code);
+  const userCode = nonEmptyString(payload.user_code);
+  const verificationUri = nonEmptyString(payload.verification_uri);
+  const verificationUriComplete = nonEmptyString(
+    payload.verification_uri_complete,
+  );
+  const pollIntervalSeconds = Number(payload.poll_interval_seconds);
+  const expiresInSeconds = Number(payload.expires_in_seconds);
+
+  if (
+    !deviceCode ||
+    !userCode ||
+    !verificationUri ||
+    !verificationUriComplete
+  ) {
+    throw new Error(
+      "Setup device session response missing required fields.",
+    );
+  }
+  if (
+    !Number.isFinite(pollIntervalSeconds) ||
+    pollIntervalSeconds <= 0 ||
+    !Number.isFinite(expiresInSeconds) ||
+    expiresInSeconds <= 0
+  ) {
+    throw new Error(
+      "Setup device session response contained invalid timing values.",
+    );
+  }
+
+  return {
+    deviceCode,
+    userCode,
+    verificationUri,
+    verificationUriComplete,
+    pollIntervalSeconds: Math.floor(pollIntervalSeconds),
+    expiresInSeconds: Math.floor(expiresInSeconds),
+  };
+}
+
+async function pollSetupDeviceSession({ baseUrl, userCode, deviceCode }) {
+  const pollUrl = new URL(
+    "/api/auth/mcp-api-keys/setup-device/poll",
+    baseUrl,
+  );
+  const response = await fetch(pollUrl, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      "Idempotency-Key": `setup-device-poll:${deviceCode}:${Date.now()}`,
+    },
+    body: JSON.stringify({
+      user_code: userCode,
+      device_code: deviceCode,
+    }),
+  });
+  if (response.status === 404) {
+    return { status: "expired", pollIntervalSeconds: 0 };
+  }
+  const payload = await parseJsonResponse(response);
+  if (!response.ok) {
+    const detail = resolveErrorMessage(
+      payload,
+      "Setup device polling failed.",
+    );
+    throw new Error(detail);
+  }
+
+  const status = nonEmptyString(payload.status);
+  const pollIntervalSeconds = Number(payload.poll_interval_seconds);
+  if (
+    !status ||
+    !Number.isFinite(pollIntervalSeconds) ||
+    pollIntervalSeconds <= 0
+  ) {
+    throw new Error(
+      "Setup device poll response missing required status fields.",
+    );
+  }
+  if (status === "pending") {
+    return {
+      status,
+      pollIntervalSeconds: Math.floor(pollIntervalSeconds),
+    };
+  }
+  if (status === "approved") {
+    const key = nonEmptyString(payload.key);
+    if (!key) {
+      throw new Error("Setup device poll response missing API key.");
+    }
+    return {
+      status,
+      pollIntervalSeconds: Math.floor(pollIntervalSeconds),
+      apiKey: key,
+    };
+  }
+  throw new Error(`Unsupported setup device session status: ${status}`);
+}
+
+function pollDelayMs({ pollIntervalSeconds, attempt }) {
+  const baseMs = Math.max(
+    MIN_POLL_DELAY_MS,
+    Math.floor(pollIntervalSeconds * 1000),
+  );
+  const rampMs = Math.min(5000, attempt * 250);
+  const jitterMs = Math.floor(Math.random() * 250);
+  return Math.min(MAX_POLL_DELAY_MS, baseMs + rampMs + jitterMs);
+}
+
+function defaultSleep(ms) {
+  return new Promise((resolve) => {
+    setTimeout(resolve, ms);
+  });
+}
+
+function launchBrowser(openUrl, url) {
+  try {
+    const child = openUrl(url);
+    if (child && typeof child.once === "function") {
+      child.once("error", () => {
+        // URL is printed to stdout; opener failures should not abort setup.
+      });
+    }
+    if (child && typeof child.unref === "function") {
+      child.unref();
+    }
+  } catch {
+    // User can still open URL manually.
+  }
+}
+
+export function resolveSetupAuthMode({ requestedMode, env = process.env }) {
+  const normalizedRequested = String(requestedMode || "auto")
+    .trim()
+    .toLowerCase();
+
+  if (
+    normalizedRequested === "device" ||
+    normalizedRequested === "loopback"
+  ) {
+    return normalizedRequested;
+  }
+
+  const isRemoteShell =
+    nonEmptyString(env.SSH_CONNECTION) ||
+    nonEmptyString(env.SSH_CLIENT) ||
+    nonEmptyString(env.SSH_TTY);
+  return isRemoteShell ? "device" : "loopback";
+}
+
+export async function acquireApiKeyViaBrowserBridge({
+  baseUrl,
+  keyName,
+  timeoutMs = DEFAULT_AUTH_TIMEOUT_MS,
+  openUrl = openUrlInBrowser,
+}) {
+  const state = crypto.randomUUID();
+
+  return await new Promise((resolve, reject) => {
+    let settled = false;
+    let timeout = null;
+    let server = null;
+    let callbackUrl = "";
+
+    const cleanup = () => {
+      if (timeout) {
+        clearTimeout(timeout);
+        timeout = null;
+      }
+      if (server) {
+        server.close();
+        server.closeAllConnections?.();
+        server.closeIdleConnections?.();
+        server = null;
+      }
+    };
+
+    const fail = (error) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      reject(error);
+    };
+
+    const succeed = (result) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      resolve(result);
+    };
+
+    server = http.createServer(async (req, res) => {
+      const reqUrl = new URL(req.url || "/", "http://127.0.0.1");
+      if (reqUrl.pathname !== "/callback") {
+        res.writeHead(404, { "Content-Type": "text/plain" });
+        res.end("Not Found");
+        return;
+      }
+
+      const callbackState = (
+        reqUrl.searchParams.get("state") || ""
+      ).trim();
+      const exchangeToken = (
+        reqUrl.searchParams.get("exchange_token") || ""
+      ).trim();
+      const error = (reqUrl.searchParams.get("error") || "").trim();
+
+      if (callbackState !== state) {
+        res.writeHead(400, {
+          "Content-Type": "text/html; charset=utf-8",
+        });
+        res.end(
+          renderCallbackPage({
+            ok: false,
+            message: "State mismatch. Please retry setup.",
+          }),
+        );
+        fail(new Error("Setup callback state mismatch."));
+        return;
+      }
+
+      if (error) {
+        res.writeHead(400, {
+          "Content-Type": "text/html; charset=utf-8",
+        });
+        res.end(renderCallbackPage({ ok: false, message: error }));
+        fail(new Error(error));
+        return;
+      }
+
+      if (!exchangeToken) {
+        res.writeHead(400, {
+          "Content-Type": "text/html; charset=utf-8",
+        });
+        res.end(
+          renderCallbackPage({
+            ok: false,
+            message: "No setup exchange token was returned.",
+          }),
+        );
+        fail(new Error("Setup callback missing exchange token."));
+        return;
+      }
+
+      let redeemed;
+      try {
+        redeemed = await redeemSetupExchangeToken({
+          baseUrl,
+          exchangeToken,
+          state,
+          redirectUri: callbackUrl,
+        });
+      } catch (err) {
+        const message =
+          err instanceof Error
+            ? err.message
+            : "Failed to redeem setup exchange.";
+        res.writeHead(400, {
+          "Content-Type": "text/html; charset=utf-8",
+        });
+        res.end(renderCallbackPage({ ok: false, message }));
+        fail(new Error(message));
+        return;
+      }
+
+      res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+      res.end(
+        renderCallbackPage({
+          ok: true,
+          message: "Thesis MCP was authorized successfully.",
+        }),
+      );
+      succeed({ apiKey: redeemed.apiKey });
+    });
+
+    server.once("error", (error) => {
+      fail(error);
+    });
+
+    server.listen(0, "127.0.0.1", () => {
+      const address = server.address();
+      if (!address || typeof address === "string") {
+        fail(new Error("Failed to allocate local callback port."));
+        return;
+      }
+
+      callbackUrl = `http://127.0.0.1:${address.port}/callback`;
+      const setupUrl = new URL("/auth/mcp/setup", baseUrl);
+      setupUrl.searchParams.set("state", state);
+      setupUrl.searchParams.set("redirect_uri", callbackUrl);
+      setupUrl.searchParams.set("name", keyName);
+
+      console.log(
+        "Opening browser for Thesis login and key creation...",
+      );
+      console.log(
+        `If it does not open, use this URL:\n${setupUrl.toString()}\n`,
+      );
+
+      launchBrowser(openUrl, setupUrl.toString());
+    });
+
+    timeout = setTimeout(() => {
+      fail(new Error("Timed out waiting for browser authorization."));
+    }, timeoutMs);
+  });
+}
+
+export async function acquireApiKeyViaDeviceFlow({
+  baseUrl,
+  keyName,
+  verificationBaseUrl = baseUrl,
+  timeoutMs = DEFAULT_AUTH_TIMEOUT_MS,
+  openUrl = openUrlInBrowser,
+  sleep = defaultSleep,
+}) {
+  const startedAt = Date.now();
+  const session = await startSetupDeviceSession({
+    baseUrl,
+    keyName,
+    verificationBaseUrl,
+  });
+
+  console.log("Opening browser for Thesis device authorization...");
+  console.log(`Approval URL:\n${session.verificationUriComplete}\n`);
+  console.log(`Code: ${session.userCode}`);
+  console.log(
+    "If the page does not open automatically, open the URL above and approve this code.\n",
+  );
+
+  launchBrowser(openUrl, session.verificationUriComplete);
+
+  let attempt = 0;
+  while (Date.now() - startedAt < timeoutMs) {
+    // eslint-disable-next-line no-await-in-loop
+    const pollResult = await pollSetupDeviceSession({
+      baseUrl,
+      userCode: session.userCode,
+      deviceCode: session.deviceCode,
+    });
+    if (pollResult.status === "approved") {
+      return { apiKey: pollResult.apiKey };
+    }
+    if (pollResult.status === "expired") {
+      throw new Error(
+        "Setup device session expired. Please rerun setup.",
+      );
+    }
+
+    attempt += 1;
+    const delayMs = pollDelayMs({
+      pollIntervalSeconds: pollResult.pollIntervalSeconds,
+      attempt,
+    });
+    // eslint-disable-next-line no-await-in-loop
+    await sleep(delayMs);
+  }
+
+  throw new Error("Timed out waiting for device authorization.");
+}