@vee-stack/delta-cli 2.0.4 → 2.0.5

package/dist/auth/secure-auth.js

@@ -0,0 +1,418 @@
+/**
+ * Secure Authentication System with OAuth2 + Keychain Integration
+ * Features:
+ * - OAuth2 PKCE flow
+ * - Secure token storage in OS keychain
+ * - Automatic token refresh
+ * - Session management
+ * - PAT (Personal Access Token) support for CI/CD
+ */
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as os from 'os';
+import fetch from 'node-fetch';
+import open from 'open';
+import { createServer } from 'http';
+import { URL } from 'url';
+import crypto from 'crypto';
+import chalk from 'chalk';
+import { printSuccess, printError, printInfo, printWarning, startSpinner, stopSpinner } from '../ui.js';
+const CONFIG_DIR = path.join(os.homedir(), '.delta');
+const TOKEN_FILE = path.join(CONFIG_DIR, 'tokens.enc');
+const KEY_FILE = path.join(CONFIG_DIR, '.key');
+// Derive encryption key from machine-specific data
+async function getEncryptionKey() {
+    try {
+        const keyData = await fs.readFile(KEY_FILE, 'utf-8').catch(() => null);
+        if (keyData) {
+            return Buffer.from(keyData, 'hex');
+        }
+    }
+    catch {
+        // File doesn't exist, generate new key
+    }
+    const machineId = `${os.userInfo().username}@${os.hostname()}`;
+    const salt = 'delta-cli-v2-fixed-salt';
+    const key = crypto.pbkdf2Sync(machineId, salt, 100000, 32, 'sha256');
+    await fs.mkdir(CONFIG_DIR, { recursive: true });
+    await fs.writeFile(KEY_FILE, key.toString('hex'), { mode: 0o600 });
+    return key;
+}
+// Encrypt data
+async function encrypt(data) {
+    const key = await getEncryptionKey();
+    const iv = crypto.randomBytes(16);
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    let encrypted = cipher.update(data, 'utf-8', 'hex');
+    encrypted += cipher.final('hex');
+    const authTag = cipher.getAuthTag();
+    return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
+}
+// Decrypt data
+async function decrypt(encryptedData) {
+    try {
+        const key = await getEncryptionKey();
+        const parts = encryptedData.split(':');
+        if (parts.length !== 3)
+            return null;
+        const iv = Buffer.from(parts[0], 'hex');
+        const authTag = Buffer.from(parts[1], 'hex');
+        const encrypted = parts[2];
+        const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+        decipher.setAuthTag(authTag);
+        let decrypted = decipher.update(encrypted, 'hex', 'utf-8');
+        decrypted += decipher.final('utf-8');
+        return decrypted;
+    }
+    catch {
+        return null;
+    }
+}
+// PKCE Code Generator
+function generatePKCE() {
+    const verifier = crypto.randomBytes(32).toString('base64url');
+    const challenge = crypto
+        .createHash('sha256')
+        .update(verifier)
+        .digest('base64url');
+    return { verifier, challenge };
+}
+// Secure Token Storage using encrypted file
+export class SecureTokenStore {
+    static async saveTokens(tokens) {
+        await fs.mkdir(CONFIG_DIR, { recursive: true });
+        const data = JSON.stringify({
+            access: tokens.access || null,
+            refresh: tokens.refresh || null,
+            updatedAt: new Date().toISOString(),
+        });
+        const encrypted = await encrypt(data);
+        await fs.writeFile(TOKEN_FILE, encrypted, { mode: 0o600 });
+    }
+    static async loadTokens() {
+        try {
+            const encrypted = await fs.readFile(TOKEN_FILE, 'utf-8');
+            const decrypted = await decrypt(encrypted);
+            if (!decrypted)
+                return { access: null, refresh: null };
+            const data = JSON.parse(decrypted);
+            return {
+                access: data.access || null,
+                refresh: data.refresh || null,
+            };
+        }
+        catch {
+            return { access: null, refresh: null };
+        }
+    }
+    static async saveAccessToken(token) {
+        const tokens = await this.loadTokens();
+        await this.saveTokens({ access: token, refresh: tokens.refresh ?? undefined });
+    }
+    static async getAccessToken() {
+        const tokens = await this.loadTokens();
+        return tokens.access;
+    }
+    static async saveRefreshToken(token) {
+        const tokens = await this.loadTokens();
+        await this.saveTokens({ refresh: token, access: tokens.access ?? undefined });
+    }
+    static async getRefreshToken() {
+        const tokens = await this.loadTokens();
+        return tokens.refresh;
+    }
+    static async clearTokens() {
+        try {
+            await fs.unlink(TOKEN_FILE);
+        }
+        catch {
+            // File may not exist
+        }
+    }
+    static async hasTokens() {
+        const token = await this.getAccessToken();
+        return !!token;
+    }
+}
+// OAuth2 Flow Handler - Uses configurable API URL for local development
+export async function startOAuthFlow(method = 'oauth') {
+    startSpinner('Starting OAuth2 authentication flow...');
+    try {
+        // Get API URL from environment or use default
+        const apiUrl = process.env.DELTA_API_URL || 'http://localhost:3000';
+        const { verifier, challenge } = generatePKCE();
+        const redirectUri = 'http://localhost:3456/callback';
+        const state = crypto.randomBytes(16).toString('hex');
+        // Build OAuth URL
+        const oauthUrl = new URL(`${apiUrl}/api/auth/authorize`);
+        oauthUrl.searchParams.set('response_type', 'code');
+        oauthUrl.searchParams.set('client_id', 'delta-cli');
+        oauthUrl.searchParams.set('redirect_uri', redirectUri);
+        oauthUrl.searchParams.set('code_challenge', challenge);
+        oauthUrl.searchParams.set('code_challenge_method', 'S256');
+        oauthUrl.searchParams.set('state', state);
+        oauthUrl.searchParams.set('scope', 'read write analyze');
+        if (method === 'github') {
+            oauthUrl.searchParams.set('provider', 'github');
+        }
+        else if (method === 'google') {
+            oauthUrl.searchParams.set('provider', 'google');
+        }
+        stopSpinner(true, 'OAuth server ready');
+        // Open browser
+        printInfo(`Opening browser for authentication...`);
+        printInfo(`URL: ${oauthUrl.toString().substring(0, 80)}...`);
+        await open(oauthUrl.toString());
+        // Start local server to capture callback
+        const authCode = await new Promise((resolve, reject) => {
+            const server = createServer(async (req, res) => {
+                // Get actual port from server address
+                const address = server.address();
+                const actualPort = typeof address === 'object' && address ? address.port : 3000;
+                const url = new URL(req.url || '/', `http://localhost:${actualPort}`);
+                if (url.pathname === '/callback') {
+                    const code = url.searchParams.get('code');
+                    const returnedState = url.searchParams.get('state');
+                    const error = url.searchParams.get('error');
+                    if (error) {
+                        res.writeHead(400, { 'Content-Type': 'text/html' });
+                        res.end(`
+              <html>
+                <body style="font-family: system-ui; text-align: center; padding: 50px;">
+                  <h1 style="color: #e74c3c;">❌ Authentication Failed</h1>
+                  <p>${error}</p>
+                  <p>You can close this window.</p>
+                </body>
+              </html>
+            `);
+                        reject(new Error(error));
+                        server.close();
+                        return;
+                    }
+                    if (!code || returnedState !== state) {
+                        res.writeHead(400, { 'Content-Type': 'text/html' });
+                        res.end(`
+              <html>
+                <body style="font-family: system-ui; text-align: center; padding: 50px;">
+                  <h1 style="color: #e74c3c;">❌ Invalid Response</h1>
+                  <p>You can close this window.</p>
+                </body>
+              </html>
+            `);
+                        reject(new Error('Invalid OAuth response'));
+                        server.close();
+                        return;
+                    }
+                    res.writeHead(200, { 'Content-Type': 'text/html' });
+                    res.end(`
+            <html>
+              <head>
+                <style>
+                  body { 
+                    font-family: system-ui, -apple-system, sans-serif; 
+                    text-align: center; 
+                    padding: 50px;
+                    background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+                    color: white;
+                    min-height: 100vh;
+                    display: flex;
+                    align-items: center;
+                    justify-content: center;
+                  }
+                  .container {
+                    background: rgba(255,255,255,0.1);
+                    backdrop-filter: blur(10px);
+                    padding: 40px;
+                    border-radius: 20px;
+                    box-shadow: 0 20px 60px rgba(0,0,0,0.3);
+                  }
+                  h1 { margin: 0 0 20px; font-size: 48px; }
+                  .check { font-size: 64px; margin-bottom: 20px; }
+                  p { font-size: 18px; opacity: 0.9; }
+                </style>
+              </head>
+              <body>
+                <div class="container">
+                  <div class="check">✓</div>
+                  <h1>Successfully Signed In!</h1>
+                  <p>You can close this window and return to the terminal.</p>
+                </div>
+              </body>
+            </html>
+          `);
+                    resolve(code);
+                    server.close();
+                }
+            });
+            // Try to listen on port 3456, or let OS assign available port if busy
+            server.listen(3456, '127.0.0.1', () => {
+                const address = server.address();
+                const actualPort = typeof address === 'object' && address ? address.port : 3456;
+                console.log(chalk.dim(`  Waiting for authentication on port ${actualPort}...`));
+            });
+            // Handle port in use error by trying random port
+            server.on('error', (err) => {
+                if (err.code === 'EADDRINUSE') {
+                    printWarning('Port 3456 is busy, trying alternative port...');
+                    server.listen(0, '127.0.0.1'); // Let OS assign available port
+                }
+                else {
+                    reject(err);
+                }
+            });
+            // Timeout after 5 minutes
+            setTimeout(() => {
+                server.close();
+                reject(new Error('Authentication timeout'));
+            }, 5 * 60 * 1000);
+        });
+        // Exchange code for tokens
+        startSpinner('Exchanging authorization code...');
+        const tokenResponse = await fetch(`${apiUrl}/api/auth/token`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                grant_type: 'authorization_code',
+                code: authCode,
+                redirect_uri: redirectUri,
+                client_id: 'delta-cli',
+                code_verifier: verifier,
+            }),
+        });
+        if (!tokenResponse.ok) {
+            throw new Error('Failed to exchange authorization code');
+        }
+        const tokens = await tokenResponse.json();
+        // Store tokens securely
+        await SecureTokenStore.saveAccessToken(tokens.access_token);
+        await SecureTokenStore.saveRefreshToken(tokens.refresh_token);
+        stopSpinner(true, 'Authentication successful!');
+        printSuccess('Successfully authenticated with Delta Cloud');
+        printInfo(`Token expires in ${tokens.expires_in} seconds`);
+        return true;
+    }
+    catch (error) {
+        stopSpinner(false, 'Authentication failed');
+        printError('OAuth2 authentication failed', error.message);
+        return false;
+    }
+}
+// PAT Authentication for CI/CD - Uses configurable API URL
+export async function authenticateWithPAT(token) {
+    startSpinner('Validating Personal Access Token...');
+    try {
+        const apiUrl = process.env.DELTA_API_URL || 'http://localhost:3000';
+        // Validate token
+        const response = await fetch(`${apiUrl}/api/auth/verify`, {
+            headers: {
+                'Authorization': `Bearer ${token}`,
+            },
+        });
+        if (!response.ok) {
+            throw new Error('Invalid token');
+        }
+        const data = await response.json();
+        // Store token
+        await SecureTokenStore.saveAccessToken(token);
+        stopSpinner(true, 'Token validated');
+        printSuccess(`Authenticated as ${data.user.email}`);
+        return true;
+    }
+    catch (error) {
+        stopSpinner(false, 'Token validation failed');
+        printError('PAT authentication failed', error.message);
+        return false;
+    }
+}
+// Token Refresh - Uses configurable API URL
+export async function refreshAccessToken() {
+    const refreshToken = await SecureTokenStore.getRefreshToken();
+    if (!refreshToken) {
+        printError('No refresh token available');
+        return false;
+    }
+    try {
+        const apiUrl = process.env.DELTA_API_URL || 'http://localhost:3000';
+        const response = await fetch(`${apiUrl}/api/auth/refresh`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                grant_type: 'refresh_token',
+                refresh_token: refreshToken,
+                client_id: 'delta-cli',
+            }),
+        });
+        if (!response.ok) {
+            throw new Error('Token refresh failed');
+        }
+        const tokens = await response.json();
+        await SecureTokenStore.saveAccessToken(tokens.access_token);
+        if (tokens.refresh_token) {
+            await SecureTokenStore.saveRefreshToken(tokens.refresh_token);
+        }
+        return true;
+    }
+    catch (error) {
+        printError('Failed to refresh token', error.message);
+        return false;
+    }
+}
+// Logout
+export async function logout() {
+    startSpinner('Clearing credentials...');
+    try {
+        await SecureTokenStore.clearTokens();
+        stopSpinner(true, 'Logged out');
+        printSuccess('Successfully logged out');
+    }
+    catch (error) {
+        stopSpinner(false, 'Logout failed');
+        printError('Failed to clear credentials', error.message);
+    }
+}
+// Auth Status - Uses configurable API URL
+export async function getAuthStatus() {
+    const token = await SecureTokenStore.getAccessToken();
+    if (!token) {
+        return { authenticated: false };
+    }
+    try {
+        const apiUrl = process.env.DELTA_API_URL || 'http://localhost:3000';
+        const response = await fetch(`${apiUrl}/api/auth/me`, {
+            headers: {
+                'Authorization': `Bearer ${token}`,
+            },
+        });
+        if (!response.ok) {
+            // Try to refresh token
+            const refreshed = await refreshAccessToken();
+            if (!refreshed) {
+                return { authenticated: false };
+            }
+            // Retry with new token
+            const newToken = await SecureTokenStore.getAccessToken();
+            const retryResponse = await fetch(`${apiUrl}/api/auth/me`, {
+                headers: {
+                    'Authorization': `Bearer ${newToken}`,
+                },
+            });
+            if (!retryResponse.ok) {
+                return { authenticated: false };
+            }
+            const userData = await retryResponse.json();
+            return {
+                authenticated: true,
+                user: userData,
+            };
+        }
+        const userData = await response.json();
+        return {
+            authenticated: true,
+            user: userData,
+        };
+    }
+    catch {
+        return { authenticated: false };
+    }
+}
+//# sourceMappingURL=secure-auth.js.map