@tmlmobilidade/export-data 20251229.1536.41 → 20251229.1636.59

package/dist/index.js

@@ -1,4 +1,5 @@
 #!/usr/bin/env node
+import { promptAccessKey } from './prompts/access-key.js';
 import { promptExportTypes } from './prompts/export-types.js';
 import { promptFilterByAgencyIds } from './prompts/filter-agency-ids.js';
 import { promptFilterByDates } from './prompts/filter-dates.js';
@@ -32,6 +33,9 @@ import { ASCII_CM_SHORT } from '@tmlmobilidade/consts';
     log.info(`O ID desta exportação é: ${context._id}`);
     log.info(`Todos os resultados serão guardados aqui: ${context.output}`);
     //
+    // Prompt for the access key
+    await promptAccessKey();
+    //
     // Request the export types and which filters to apply
     const exportTypes = await promptExportTypes();
     const filterTypes = await promptFilterTypes();

package/dist/prompts/access-key.d.ts

@@ -0,0 +1 @@
+export declare function promptAccessKey(): Promise<void>;

package/dist/prompts/access-key.js

@@ -0,0 +1,68 @@
+/* * */
+import { deleteCredential, getCredential, setCredential } from '../utils/credential-storage.js';
+import { cancel, isCancel, note, spinner, text } from '@clack/prompts';
+/* * */
+const CREDENTIAL_KEY = 'access-key';
+/* * */
+export async function promptAccessKey() {
+    //
+    //
+    // Check if there is an access key already saved in the computer
+    const s = spinner();
+    s.start('A verificar credenciais guardadas...');
+    const existingKey = await getCredential(CREDENTIAL_KEY);
+    //
+    // If --delete-credentials flag was passed, delete existing credentials
+    if (process.argv.includes('--delete-credentials') && existingKey) {
+        s.stop('Flag --delete-credentials detectada.');
+        s.start('A remover credenciais guardadas...');
+        await deleteCredential(CREDENTIAL_KEY);
+        s.stop('Credenciais removidas. A começar de novo...');
+    }
+    else if (existingKey) {
+        s.stop('Chave de acesso encontrada no armazenamento seguro do sistema.');
+        process.env.DATABASE_URI = existingKey;
+        return;
+    }
+    else {
+        s.stop('Nenhuma chave de acesso encontrada.');
+    }
+    //
+    // If no key exists, ask the user to enter the access key
+    note('A chave de acesso será guardada de forma segura:\n'
+        + '  • macOS: Keychain\n'
+        + '  • Windows: Credential Manager\n'
+        + '  • Linux: Secret Service (ou ficheiro encriptado)');
+    const accessKey = await text({
+        message: 'Por favor introduz a chave de acesso:',
+        placeholder: 'Chave de acesso...',
+        validate: (value) => {
+            if (!value || value.trim().length === 0) {
+                return 'A chave de acesso não pode estar vazia.';
+            }
+        },
+    });
+    //
+    // Verify if the user cancelled the operation
+    if (isCancel(accessKey)) {
+        cancel('Operação cancelada pelo utilizador.');
+        process.exit(0);
+    }
+    if (!accessKey || typeof accessKey !== 'string') {
+        cancel('Chave de acesso inválida.');
+        process.exit(1);
+    }
+    //
+    // Save the access key to the computer's secure storage
+    s.start('A guardar chave de acesso...');
+    try {
+        await setCredential(CREDENTIAL_KEY, accessKey);
+        s.stop('Chave de acesso guardada com sucesso no armazenamento seguro do sistema.');
+    }
+    catch (error) {
+        s.stop('Erro ao guardar a chave de acesso.');
+        cancel(`Erro: ${error instanceof Error ? error.message : 'Erro desconhecido'}`);
+        process.exit(1);
+    }
+    process.env.DATABASE_URI = accessKey;
+}

package/dist/prompts/export-types.d.ts

@@ -1,2 +1,2 @@
 import { type ExportType } from '../types.js';
-export declare function promptExportTypes(): Promise<(ExportType)[]>;
+export declare function promptExportTypes(): Promise<ExportType[]>;

package/dist/prompts/filter-agency-ids.js

@@ -1,11 +1,11 @@
 /* * */
-import { log, text } from '@clack/prompts';
+import { note, text } from '@clack/prompts';
 /* * */
 export async function promptFilterByAgencyIds() {
     //
-    log.step('FILTRAR POR AGENCY ID:');
-    log.message('- Introduz os Agency IDs separados por vírgulas. Exemplo: 41,42,etc...');
-    log.message('- Se não introduzires nenhum Agency ID, este filtro não será aplicado.');
+    note('FILTRAR POR AGENCY ID:\n'
+        + '  • Introduz os Agency IDs separados por vírgulas. Exemplo: 41,42,etc...\n'
+        + '  • Se não introduzires nenhum Agency ID, este filtro não será aplicado.');
     const value = await text({
         message: 'Agency IDs:',
         placeholder: '41,42,etc...',

package/dist/prompts/filter-dates.js

@@ -1,13 +1,13 @@
 /* * */
-import { cancel, isCancel, log, text } from '@clack/prompts';
+import { cancel, isCancel, note, text } from '@clack/prompts';
 import { validateOperationalDate } from '@tmlmobilidade/types';
 /* * */
 export async function promptFilterByDates() {
     //
-    log.step('FILTRAR POR DATAS:');
-    log.message('- Introduz as datas operacionais no formato ano-mês-dia. Exemplo: 20250101 ou 2025-01-01');
-    log.message('- Devido ao enorme volume de dados, filtrar por datas é obrigatório.');
-    log.message('- A data de início não pode ser anterior a 1 Jan. 2024 (20240101).');
+    note('FILTRAR POR DATAS:\n'
+        + '  • Introduz as datas operacionais no formato ano-mês-dia. Exemplo: 20250101 ou 2025-01-01\n'
+        + '  • Devido ao enorme volume de dados, filtrar por datas é obrigatório.\n'
+        + '  • A data de início não pode ser anterior a 1 Jan. 2024 (20240101).');
     const startDate = await text({
         initialValue: '20250101',
         message: 'Data de Início:',

package/dist/prompts/filter-line-ids.js

@@ -1,11 +1,11 @@
 /* * */
-import { log, text } from '@clack/prompts';
+import { note, text } from '@clack/prompts';
 /* * */
 export async function promptFilterByLineIds() {
     //
-    log.step('FILTRAR POR LINE ID:');
-    log.message('- Introduz os Line IDs separados por vírgulas. Exemplo: 1001,1002,etc...');
-    log.message('- Se não introduzires nenhum Line ID, este filtro não será aplicado.');
+    note('FILTRAR POR LINE ID:\n'
+        + '  • Introduz os Line IDs separados por vírgulas. Exemplo: 1001,1002,etc...\n'
+        + '  • Se não introduzires nenhum Line ID, este filtro não será aplicado.');
     const value = await text({
         message: 'Line IDs:',
         placeholder: '1001,1002,etc...',

package/dist/prompts/filter-pattern-ids.js

@@ -1,11 +1,11 @@
 /* * */
-import { log, text } from '@clack/prompts';
+import { note, text } from '@clack/prompts';
 /* * */
 export async function promptFilterByPatternIds() {
     //
-    log.step('FILTRAR POR PATTERN ID:');
-    log.message('- Introduz os Pattern IDs separados por vírgulas. Exemplo: 1001_0_1,1001_0_2,etc...');
-    log.message('- Se não introduzires nenhum Pattern ID, este filtro não será aplicado.');
+    note('FILTRAR POR PATTERN ID:\n'
+        + '  • Introduz os Pattern IDs separados por vírgulas. Exemplo: 1001_0_1,1001_0_2,etc...\n'
+        + '  • Se não introduzires nenhum Pattern ID, este filtro não será aplicado.');
     const value = await text({
         message: 'Pattern IDs:',
         placeholder: '1001_0_1,1001_0_2,etc...',

package/dist/prompts/filter-stop-ids.js

@@ -1,12 +1,12 @@
 /* * */
-import { log, text } from '@clack/prompts';
+import { note, text } from '@clack/prompts';
 /* * */
 export async function promptFilterByStopIds() {
     //
-    log.step('FILTRAR POR STOP ID:');
-    log.message('- Introduz os Stop IDs separados por vírgulas. Exemplo: 010101,020202,etc...');
-    log.message('- Não te esqueças do zero à esquerda.');
-    log.message('- Se não introduzires nenhum Stop ID, este filtro não será aplicado.');
+    note('FILTRAR POR STOP ID:\n'
+        + '  • Introduz os Stop IDs separados por vírgulas. Exemplo: 010101,020202,etc...\n'
+        + '  • Não te esqueças do zero à esquerda.\n'
+        + '  • Se não introduzires nenhum Stop ID, este filtro não será aplicado.');
     const value = await text({
         message: 'Stop IDs:',
         placeholder: '010101,020202,etc...',

package/dist/prompts/filter-vehicle-ids.js

@@ -1,11 +1,11 @@
 /* * */
-import { log, text } from '@clack/prompts';
+import { note, text } from '@clack/prompts';
 /* * */
 export async function promptFilterByVehicleIds() {
     //
-    log.step('FILTRAR POR VEHICLE ID:');
-    log.message('- Introduz os Vehicle IDs separados por vírgulas. Exemplo: 1234,9876,etc...');
-    log.message('- Se não introduzires nenhum Vehicle ID, este filtro não será aplicado.');
+    note('FILTRAR POR VEHICLE ID:\n'
+        + '  • Introduz os Vehicle IDs separados por vírgulas. Exemplo: 1234,9876,etc...\n'
+        + '  • Se não introduzires nenhum Vehicle ID, este filtro não será aplicado.');
     const value = await text({
         message: 'Vehicle IDs:',
         placeholder: '1234,9876,etc...',

package/dist/utils/credential-storage.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Get a credential from the OS-native secure storage
+ * - macOS: Uses Keychain via `security` command
+ * - Windows: Uses Credential Manager via PowerShell
+ * - Linux: Uses secret-tool or fallback to encrypted file
+ */
+export declare function getCredential(key: string): Promise<null | string>;
+/**
+ * Store a credential in the OS-native secure storage
+ * - macOS: Uses Keychain via `security` command
+ * - Windows: Uses Credential Manager via PowerShell
+ * - Linux: Uses secret-tool or fallback to encrypted file
+ */
+export declare function setCredential(key: string, value: string): Promise<void>;
+/**
+ * Delete a credential from the OS-native secure storage
+ */
+export declare function deleteCredential(key: string): Promise<void>;

package/dist/utils/credential-storage.js

@@ -0,0 +1,293 @@
+/* * */
+import { exec } from 'node:child_process';
+import crypto from 'node:crypto';
+import fs from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import { promisify } from 'node:util';
+/* * */
+const execAsync = promisify(exec);
+/* * */
+const SERVICE_NAME = 'TMLMobilidadeGO';
+const ACCOUNT_NAME = 'export-data-access-key';
+/**
+ * Get a credential from the OS-native secure storage
+ * - macOS: Uses Keychain via `security` command
+ * - Windows: Uses Credential Manager via PowerShell
+ * - Linux: Uses secret-tool or fallback to encrypted file
+ */
+export async function getCredential(key) {
+    const platform = os.platform();
+    try {
+        if (platform === 'darwin') {
+            // macOS Keychain
+            return await getMacOSCredential(key);
+        }
+        else if (platform === 'win32') {
+            // Windows Credential Manager
+            return await getWindowsCredential(key);
+        }
+        else {
+            // Linux (and other Unix-like systems)
+            return await getLinuxCredential(key);
+        }
+    }
+    catch {
+        // If credential doesn't exist or there's an error, return null
+        return null;
+    }
+}
+/**
+ * Store a credential in the OS-native secure storage
+ * - macOS: Uses Keychain via `security` command
+ * - Windows: Uses Credential Manager via PowerShell
+ * - Linux: Uses secret-tool or fallback to encrypted file
+ */
+export async function setCredential(key, value) {
+    const platform = os.platform();
+    if (platform === 'darwin') {
+        // macOS Keychain
+        await setMacOSCredential(key, value);
+    }
+    else if (platform === 'win32') {
+        // Windows Credential Manager
+        await setWindowsCredential(key, value);
+    }
+    else {
+        // Linux (and other Unix-like systems)
+        await setLinuxCredential(key, value);
+    }
+}
+/**
+ * Delete a credential from the OS-native secure storage
+ */
+export async function deleteCredential(key) {
+    try {
+        const platform = os.platform();
+        if (platform === 'darwin') {
+            await execAsync(`security delete-generic-password -s "${SERVICE_NAME}" -a "${key}"`);
+        }
+        else if (platform === 'win32') {
+            const targetName = `${SERVICE_NAME}:${key}`;
+            await execAsync(`powershell -Command "cmdkey /delete:'${targetName}'"`);
+        }
+        else {
+            await execAsync(`secret-tool clear service "${SERVICE_NAME}" account "${key}"`);
+        }
+    }
+    catch {
+        // Credential might not exist, which is fine
+    }
+}
+/**
+ * Get credential from macOS Keychain.
+ * @param key The credential key.
+ * @returns The credential value or null if not found.
+ */
+async function getMacOSCredential(key) {
+    try {
+        const { stdout } = await execAsync(`security find-generic-password -s "${SERVICE_NAME}" -a "${key}" -w`);
+        return stdout.trim();
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Store credential in macOS Keychain.
+ * @param key The credential key.
+ * @param value The credential value.
+ */
+async function setMacOSCredential(key, value) {
+    // First, try to delete existing credential to avoid duplicates
+    await deleteCredential(key);
+    // Add new credential
+    await execAsync(`security add-generic-password -s "${SERVICE_NAME}" -a "${key}" -w "${value}" -U`);
+}
+/**
+ * Get credential from Windows Credential Manager.
+ * @param key The credential key.
+ * @returns The credential value or null if not found.
+ */
+async function getWindowsCredential(key) {
+    try {
+        const targetName = `${SERVICE_NAME}:${key}`;
+        const { stdout } = await execAsync(`powershell -Command "$cred = cmdkey /list:'${targetName}' 2>$null; if($cred) { [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-StoredCredential -Target '${targetName}').Password)) }"`);
+        // If the above doesn't work, use a simpler approach with a custom PowerShell script
+        if (!stdout || stdout.trim() === '') {
+            // Fallback: Use Windows Data Protection API (DPAPI) with a file
+            return await getWindowsCredentialFallback(key);
+        }
+        return stdout.trim();
+    }
+    catch {
+        // Try fallback method
+        return await getWindowsCredentialFallback(key);
+    }
+}
+/**
+ * Store credential in Windows Credential Manager.
+ * @param key The credential key.
+ * @param value The credential value.
+ */
+async function setWindowsCredential(key, value) {
+    try {
+        // Use PowerShell to store the credential
+        const targetName = `${SERVICE_NAME}:${key}`;
+        // Create a PowerShell script to store the credential
+        const script = `
+			$password = ConvertTo-SecureString "${value}" -AsPlainText -Force
+			$credential = New-Object System.Management.Automation.PSCredential("${ACCOUNT_NAME}", $password)
+			cmdkey /generic:"${targetName}" /user:"${ACCOUNT_NAME}" /pass:"${value}"
+		`;
+        // Execute the PowerShell script
+        await execAsync(`powershell -Command "${script.replace(/\n/g, ' ')}"`);
+    }
+    catch {
+        // Fallback to file-based storage with DPAPI
+        await setWindowsCredentialFallback(key, value);
+    }
+}
+/**
+ * Fallback method to get credential from encrypted file on Windows.
+ * @param key The credential key.
+ * @returns The credential value or null if not found.
+ */
+async function getWindowsCredentialFallback(key) {
+    try {
+        const credPath = getCredentialFilePath(key);
+        const encrypted = await fs.readFile(credPath, 'utf8');
+        return decrypt(encrypted);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Fallback method to set credential in encrypted file on Windows.
+ * @param key The credential key.
+ * @param value The credential value.
+ */
+async function setWindowsCredentialFallback(key, value) {
+    const credPath = getCredentialFilePath(key);
+    const encrypted = encrypt(value);
+    // Ensure directory exists
+    await fs.mkdir(path.dirname(credPath), { recursive: true });
+    // Write with restricted permissions (owner only)
+    await fs.writeFile(credPath, encrypted, { mode: 0o600 });
+}
+/**
+ * Get credential from Linux secure storage (secret-tool) or fallback to encrypted file.
+ * @param key The credential key.
+ * @returns The credential value or null if not found.
+ */
+async function getLinuxCredential(key) {
+    try {
+        const { stdout } = await execAsync(`secret-tool lookup service "${SERVICE_NAME}" account "${key}"`);
+        return stdout.trim();
+    }
+    catch {
+        // Fallback to encrypted file if secret-tool is not available
+        return await getLinuxCredentialFallback(key);
+    }
+}
+/**
+ * Store credential in Linux secure storage (secret-tool) or fallback to encrypted file.
+ * @param key The credential key.
+ * @param value The credential value.
+ */
+async function setLinuxCredential(key, value) {
+    try {
+        // Try using secret-tool first
+        // Note: secret-tool reads password from stdin, so we use echo with pipe
+        await execAsync(`echo "${value}" | secret-tool store --label="${SERVICE_NAME} - ${key}" service "${SERVICE_NAME}" account "${key}"`);
+    }
+    catch {
+        // Fallback to encrypted file
+        await setLinuxCredentialFallback(key, value);
+    }
+}
+/**
+ * Fallback method to get credential from encrypted file on Linux.
+ * @param key The credential key.
+ * @returns The credential value or null if not found.
+ */
+async function getLinuxCredentialFallback(key) {
+    try {
+        const credPath = getCredentialFilePath(key);
+        const encrypted = await fs.readFile(credPath, 'utf8');
+        return decrypt(encrypted);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Fallback method to set credential in encrypted file on Linux.
+ * @param key The credential key.
+ * @param value The credential value.
+ */
+async function setLinuxCredentialFallback(key, value) {
+    const credPath = getCredentialFilePath(key);
+    const encrypted = encrypt(value);
+    // Ensure directory exists
+    await fs.mkdir(path.dirname(credPath), { recursive: true });
+    // Write with restricted permissions (owner only)
+    await fs.writeFile(credPath, encrypted, { mode: 0o600 });
+}
+/**
+ * Get the file path for storing encrypted credentials.
+ * @param key The credential key.
+ * @returns The file path.
+ */
+function getCredentialFilePath(key) {
+    const homeDir = os.homedir();
+    const configDir = process.platform === 'win32'
+        ? path.join(homeDir, 'AppData', 'Local', 'TMLMobilidadeGO')
+        : path.join(homeDir, '.config', 'tmlmobilidade-go');
+    return path.join(configDir, `${key}.enc`);
+}
+/**
+ * Generate a machine-specific encryption key.
+ * @returns The encryption key as a Buffer.
+ */
+function getEncryptionKey() {
+    // Use machine-specific identifier as part of the encryption key
+    // This provides basic obfuscation (not true security, but better than plaintext)
+    const machineId = os.hostname() + os.userInfo().username;
+    return crypto.createHash('sha256').update(machineId).digest();
+}
+/**
+ * Encrypt text using AES-256-GCM.
+ * @param text The plaintext to encrypt.
+ * @returns The encrypted text in hex format.
+ */
+function encrypt(text) {
+    const algorithm = 'aes-256-gcm';
+    const key = getEncryptionKey();
+    const iv = crypto.randomBytes(16);
+    const cipher = crypto.createCipheriv(algorithm, key, iv);
+    let encrypted = cipher.update(text, 'utf8', 'hex');
+    encrypted += cipher.final('hex');
+    const authTag = cipher.getAuthTag();
+    // Return IV + authTag + encrypted data
+    return iv.toString('hex') + ':' + authTag.toString('hex') + ':' + encrypted;
+}
+/**
+ * Decrypt text using AES-256-GCM.
+ * @param encryptedText The encrypted text in hex format.
+ * @returns The decrypted plaintext.
+ */
+function decrypt(encryptedText) {
+    const algorithm = 'aes-256-gcm';
+    const key = getEncryptionKey();
+    const parts = encryptedText.split(':');
+    const iv = Buffer.from(parts[0], 'hex');
+    const authTag = Buffer.from(parts[1], 'hex');
+    const encrypted = parts[2];
+    const decipher = crypto.createDecipheriv(algorithm, key, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+    return decrypted;
+}

package/package.json

@@ -1,7 +1,7 @@
 {
 	"name": "@tmlmobilidade/export-data",
 	"description": "CLI tool to export data from GO.",
-	"version": "20251229.1536.41",
+	"version": "20251229.1636.59",
 	"author": {
 		"email": "iso@tmlmobilidade.pt",
 		"name": "TML-ISO"
@@ -31,7 +31,7 @@
 	},
 	"scripts": {
 		"build": "tsc && resolve-tspaths",
-		"dev": "dotenv-run -f ./.env -- tsx src/index.ts",
+		"dev": "tsx src/index.ts",
 		"lint": "eslint .",
 		"lint:fix": "eslint . --fix"
 	},