@vellumai/assistant 0.5.11 → 0.5.13

package/src/cli/commands/oauth/connect.ts

@@ -1,3 +1,5 @@
+import { createServer, type Server } from "node:http";
+
 import type { Command } from "commander";
 
 import { orchestrateOAuthConnect } from "../../../oauth/connect-orchestrator.js";
@@ -6,7 +8,7 @@ import {
   getMostRecentAppByProvider,
   getProvider,
 } from "../../../oauth/oauth-store.js";
-import { getProviderBehavior } from "../../../oauth/provider-behaviors.js";
+import { renderOAuthCompletionPage } from "../../../security/oauth-completion-page.js";
 import { openInBrowser } from "../../../util/browser.js";
 import { getSecureKeyViaDaemon } from "../../lib/daemon-credential-client.js";
 import { getCliLogger } from "../../logger.js";
@@ -15,12 +17,57 @@ import {
   fetchActiveConnections,
   isManagedMode,
   requirePlatformClient,
-  resolveService,
-  toBareProvider,
 } from "./shared.js";
 
 const log = getCliLogger("cli");
 
+/**
+ * Start a temporary loopback server to serve a nice completion page after the
+ * platform redirects the user's browser following a managed OAuth flow.
+ * Returns the base URL and a cleanup function.
+ */
+function startManagedRedirectServer(provider: string): Promise<{
+  redirectUrl: string;
+  cleanup: () => void;
+}> {
+  return new Promise((resolve, reject) => {
+    const server: Server = createServer((req, res) => {
+      const url = new URL(req.url ?? "/", "http://127.0.0.1");
+      const error = url.searchParams.get("error");
+      const errorDesc = url.searchParams.get("error_description");
+      const providerHint = url.searchParams.get("provider") ?? provider;
+
+      if (error) {
+        const message = errorDesc ?? error;
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(renderOAuthCompletionPage(message, false, providerHint));
+      } else {
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(
+          renderOAuthCompletionPage(
+            "You can close this tab and return to your assistant.",
+            true,
+            providerHint,
+          ),
+        );
+      }
+    });
+
+    server.listen(0, "localhost", () => {
+      const addr = server.address() as { port: number };
+      const redirectUrl = `http://localhost:${addr.port}/oauth/complete`;
+      resolve({
+        redirectUrl,
+        cleanup: () => server.close(),
+      });
+    });
+
+    server.on("error", (err) => {
+      reject(new Error(`Failed to start redirect server: ${err.message}`));
+    });
+  });
+}
+
 // ---------------------------------------------------------------------------
 // Command registration
 // ---------------------------------------------------------------------------
@@ -29,7 +76,7 @@ export function registerConnectCommand(oauth: Command): void {
   oauth
     .command("connect <provider>")
     .description(
-      "Initiate an OAuth authorization flow for a provider (auto-detects managed vs BYO mode)",
+      "Initiate an OAuth authorization flow for a specified provider",
     )
     .option("--scopes <scopes...>", "Scopes to request for the authorization")
     .option(
@@ -41,36 +88,18 @@ export function registerConnectCommand(oauth: Command): void {
       "after",
       `
 Arguments:
-  provider   Provider key, alias, or ID from 'assistant oauth providers list'.
-             Accepts canonical keys (e.g. integration:google), aliases (e.g.
-             gmail), or bare provider names (e.g. google).
-
-Options:
-  --scopes <scopes...>   Scopes to request for the authorization. In managed
-                         mode, each scope must be in the provider's allowed set
-                         (use full scope URLs where required). In BYO mode,
-                         scopes are appended to the provider's defaults.
-  --open-browser         Open the authorization URL in your browser and wait
-                         for completion. In managed mode, polls for a new
-                         platform connection. In BYO mode, starts a local
-                         callback server and blocks until the OAuth redirect.
-  --client-id <id>       BYO-only: select a specific OAuth app when multiple
-                         apps exist for the same provider. Ignored for
-                         platform-managed providers.
-
-Mode detection:
-  The command checks the services config to determine whether the provider
-  runs in platform-managed or BYO (bring-your-own credentials) mode.
-
-  Managed mode: Calls the platform /start/ endpoint, returns a connect URL.
-    With --open-browser, opens the URL and polls for a new connection.
-  BYO mode: Resolves local client credentials from the OAuth app store and
-    runs the OAuth2 authorization code flow via the local orchestrator.
+  provider   Provider name (e.g. google, slack, notion).
+             Run 'assistant oauth providers list' to see available providers.
+
+In managed mode, --scopes must be in the provider's allowed set (use full
+scope URLs). In BYO mode, --scopes are appended to the provider's defaults.
+The --open-browser flag polls for a platform connection (managed) or starts
+a local callback server (BYO).
 
 Examples:
   $ assistant oauth connect google
-  $ assistant oauth connect gmail --open-browser
-  $ assistant oauth connect integration:google --scopes https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/calendar.events
+  $ assistant oauth connect google --open-browser
+  $ assistant oauth connect google --scopes https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/calendar.events
   $ assistant oauth connect google --client-id abc123 --open-browser`,
     )
     .action(
@@ -93,17 +122,12 @@ Examples:
 
         try {
           // ---------------------------------------------------------------
-          // 1. Resolve provider key
-          // ---------------------------------------------------------------
-          const providerKey = resolveService(provider);
-
-          // ---------------------------------------------------------------
-          // 2. Validate provider exists
+          // 1. Validate provider exists
           // ---------------------------------------------------------------
-          const providerRow = getProvider(providerKey);
+          const providerRow = getProvider(provider);
           if (!providerRow) {
             writeError(
-              `Unknown provider "${providerKey}". ` +
+              `Unknown provider "${provider}". ` +
                 `Run 'assistant oauth providers list' to see available providers.`,
             );
             return;
@@ -112,7 +136,7 @@ Examples:
           // ---------------------------------------------------------------
           // 3. Detect mode
           // ---------------------------------------------------------------
-          const managed = isManagedMode(providerKey);
+          const managed = isManagedMode(provider);
 
           if (managed) {
             // =============================================================
@@ -122,7 +146,7 @@ Examples:
             // Warn about --client-id being ignored in managed mode
             if (opts.clientId) {
               log.info(
-                `Warning: --client-id is ignored for platform-managed providers. The platform manages OAuth apps for "${providerKey}".`,
+                `Warning: --client-id is ignored for platform-managed providers. The platform manages OAuth apps for "${provider}".`,
               );
             }
 
@@ -130,148 +154,163 @@ Examples:
             if (!client) return;
 
             // Call the platform's OAuth start endpoint
-            const startPath = `/v1/assistants/${encodeURIComponent(client.platformAssistantId)}/oauth/${encodeURIComponent(toBareProvider(providerKey))}/start/`;
+            const startPath = `/v1/assistants/${encodeURIComponent(client.platformAssistantId)}/oauth/${encodeURIComponent(provider)}/start/`;
 
             const body: Record<string, unknown> = {};
             if (opts.scopes && opts.scopes.length > 0) {
               body.requested_scopes = opts.scopes;
             }
 
-            const response = await client.fetch(startPath, {
-              method: "POST",
-              headers: { "Content-Type": "application/json" },
-              body: JSON.stringify(body),
-            });
-
-            if (!response.ok) {
-              const errorText = await response.text().catch(() => "");
-              writeError(
-                `Platform returned HTTP ${response.status}${errorText ? `: ${errorText}` : ""}`,
-              );
-              return;
+            // When opening the browser, start a local server to show a nice
+            // completion page instead of redirecting to the platform website.
+            let redirectServer:
+              | { redirectUrl: string; cleanup: () => void }
+              | undefined;
+            if (opts.openBrowser) {
+              try {
+                redirectServer = await startManagedRedirectServer(provider);
+                body.redirect_after_connect = redirectServer.redirectUrl;
+              } catch {
+                // Non-fatal — fall back to platform default redirect
+              }
             }
 
-            const result = (await response.json()) as {
-              connect_url?: string;
-            };
-
-            if (!result.connect_url) {
-              writeError(
-                "Platform did not return a connect URL — the OAuth flow could not be started",
-              );
-              return;
-            }
+            try {
+              const response = await client.fetch(startPath, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify(body),
+              });
 
-            if (opts.openBrowser) {
-              // Snapshot existing connection IDs before opening browser
-              const snapshotEntries = await fetchActiveConnections(
-                client,
-                providerKey,
-                cmd,
-              );
-              if (!snapshotEntries) {
-                // fetchActiveConnections already wrote the error output
+              if (!response.ok) {
+                const errorText = await response.text().catch(() => "");
+                writeError(
+                  `Platform returned HTTP ${response.status}${errorText ? `: ${errorText}` : ""}`,
+                );
                 return;
               }
-              const snapshotIds = new Set(snapshotEntries.map((e) => e.id));
 
-              openInBrowser(result.connect_url);
+              const result = (await response.json()) as {
+                connect_url?: string;
+              };
 
-              if (!jsonMode) {
-                log.info(
-                  `Opening browser to connect ${providerKey}. Waiting for authorization...`,
+              if (!result.connect_url) {
+                writeError(
+                  "Platform did not return a connect URL — the OAuth flow could not be started",
                 );
+                return;
               }
 
-              // Poll for a new connection every 2s for up to 5 minutes
-              const pollIntervalMs = 2000;
-              const timeoutMs = 5 * 60 * 1000;
-              const deadline = Date.now() + timeoutMs;
-              let newConnection: {
-                id: string;
-                account_label?: string;
-                scopes_granted?: string[];
-              } | null = null;
-
-              while (Date.now() < deadline) {
-                await new Promise((r) => setTimeout(r, pollIntervalMs));
-
-                const currentEntries = await fetchActiveConnections(
+              if (opts.openBrowser) {
+                // Snapshot existing connection IDs before opening browser
+                const snapshotEntries = await fetchActiveConnections(
                   client,
-                  providerKey,
+                  provider,
                   cmd,
-                  { silent: true },
                 );
-                if (!currentEntries) continue;
+                if (!snapshotEntries) {
+                  // fetchActiveConnections already wrote the error output
+                  return;
+                }
+                const snapshotIds = new Set(snapshotEntries.map((e) => e.id));
 
-                const found = currentEntries.find(
-                  (e) => !snapshotIds.has(e.id),
-                );
-                if (found) {
-                  newConnection = found;
-                  break;
+                openInBrowser(result.connect_url);
+
+                if (!jsonMode) {
+                  log.info(
+                    `Opening browser to connect ${provider}. Waiting for authorization...`,
+                  );
                 }
-              }
 
-              if (newConnection) {
-                // Success — new connection found
-                if (jsonMode) {
-                  writeOutput(cmd, {
-                    ok: true,
-                    provider: providerKey,
-                    connectionId: newConnection.id,
-                    accountLabel: newConnection.account_label ?? null,
-                    scopesGranted: newConnection.scopes_granted ?? [],
-                  });
+                // Poll for a new connection every 2s for up to 5 minutes
+                const pollIntervalMs = 2000;
+                const timeoutMs = 5 * 60 * 1000;
+                const deadline = Date.now() + timeoutMs;
+                let newConnection: {
+                  id: string;
+                  account_label?: string;
+                  scopes_granted?: string[];
+                } | null = null;
+
+                while (Date.now() < deadline) {
+                  await new Promise((r) => setTimeout(r, pollIntervalMs));
+
+                  const currentEntries = await fetchActiveConnections(
+                    client,
+                    provider,
+                    cmd,
+                    { silent: true },
+                  );
+                  if (!currentEntries) continue;
+
+                  const found = currentEntries.find(
+                    (e) => !snapshotIds.has(e.id),
+                  );
+                  if (found) {
+                    newConnection = found;
+                    break;
+                  }
+                }
+
+                if (newConnection) {
+                  // Success — new connection found
+                  if (jsonMode) {
+                    writeOutput(cmd, {
+                      ok: true,
+                      provider: provider,
+                      connectionId: newConnection.id,
+                      accountLabel: newConnection.account_label ?? null,
+                      scopesGranted: newConnection.scopes_granted ?? [],
+                    });
+                  } else {
+                    const label = newConnection.account_label
+                      ? ` as ${newConnection.account_label}`
+                      : "";
+                    process.stdout.write(`Connected to ${provider}${label}\n`);
+                  }
                 } else {
-                  const label = newConnection.account_label
-                    ? ` as ${newConnection.account_label}`
-                    : "";
-                  process.stdout.write(`Connected to ${providerKey}${label}\n`);
+                  // Timeout — authorization may still be in progress
+                  if (jsonMode) {
+                    writeOutput(cmd, {
+                      ok: true,
+                      deferred: true,
+                      provider: provider,
+                      connectUrl: result.connect_url,
+                      message:
+                        "Authorization may still be in progress. Check with 'assistant oauth status <provider>'.",
+                    });
+                  } else {
+                    process.stdout.write(
+                      `Timed out waiting for authorization. It may still be in progress.\n` +
+                        `Check with: assistant oauth status ${provider}\n`,
+                    );
+                  }
                 }
               } else {
-                // Timeout — authorization may still be in progress
+                // No --open-browser: output the connect URL
                 if (jsonMode) {
                   writeOutput(cmd, {
                     ok: true,
                     deferred: true,
-                    provider: providerKey,
                     connectUrl: result.connect_url,
-                    message:
-                      "Authorization may still be in progress. Check with 'assistant oauth status <provider>'.",
+                    provider: provider,
                   });
                 } else {
-                  process.stdout.write(
-                    `Timed out waiting for authorization. It may still be in progress.\n` +
-                      `Check with: assistant oauth status ${providerKey}\n`,
-                  );
+                  process.stdout.write(result.connect_url + "\n");
                 }
               }
-            } else {
-              // No --open-browser: output the connect URL
-              if (jsonMode) {
-                writeOutput(cmd, {
-                  ok: true,
-                  deferred: true,
-                  connectUrl: result.connect_url,
-                  provider: providerKey,
-                });
-              } else {
-                process.stdout.write(result.connect_url + "\n");
-              }
+            } finally {
+              redirectServer?.cleanup();
             }
           } else {
             // =============================================================
             // BYO PATH
             // =============================================================
 
-            // a. Resolve service alias (already done above via resolveService)
-            const resolvedServiceKey = providerKey;
-
-            // b. Resolve client credentials from the DB
+            // a. Resolve client credentials from the DB
             const dbApp = opts.clientId
-              ? getAppByProviderAndClientId(resolvedServiceKey, opts.clientId)
-              : getMostRecentAppByProvider(resolvedServiceKey);
+              ? getAppByProviderAndClientId(provider, opts.clientId)
+              : getMostRecentAppByProvider(provider);
 
             let clientId = opts.clientId;
             let clientSecret: string | undefined;
@@ -285,7 +324,7 @@ Examples:
             } else if (opts.clientId) {
               // --client-id was explicitly provided but no matching app exists
               writeError(
-                `No registered app found for "${resolvedServiceKey}" with client ID "${opts.clientId}". ` +
+                `No registered app found for "${provider}" with client ID "${opts.clientId}". ` +
                   `Register one with 'assistant oauth apps upsert'.`,
               );
               return;
@@ -294,7 +333,7 @@ Examples:
             // c. Validate client_id exists
             if (!clientId) {
               writeError(
-                `No client_id found for "${resolvedServiceKey}". ` +
+                `No client_id found for "${provider}". ` +
                   `Register one with 'assistant oauth apps upsert'.`,
               );
               return;
@@ -302,18 +341,11 @@ Examples:
 
             // d. Check if client_secret is required but missing
             if (clientSecret === undefined) {
-              const behavior = getProviderBehavior(resolvedServiceKey);
-
-              const requiresSecret =
-                behavior?.setup?.requiresClientSecret ??
-                !!(
-                  providerRow?.tokenEndpointAuthMethod ||
-                  providerRow?.extraParams
-                );
+              const requiresSecret = !!providerRow?.requiresClientSecret;
 
               if (requiresSecret) {
                 writeError(
-                  `client_secret is required for ${resolvedServiceKey} but not found. ` +
+                  `client_secret is required for ${provider} but not found. ` +
                     `Store it with 'assistant oauth apps upsert --client-secret'.`,
                 );
                 return;
@@ -346,7 +378,7 @@ Examples:
                 });
               } else {
                 process.stdout.write(
-                  `\nAuthorize with ${resolvedServiceKey}:\n\n${result.authUrl}\n\nThe connection will complete automatically once you authorize.\n`,
+                  `\nAuthorize with ${provider}:\n\n${result.authUrl}\n\nThe connection will complete automatically once you authorize.\n`,
                 );
               }
               return;
@@ -360,7 +392,7 @@ Examples:
                 accountInfo: result.accountInfo,
               });
             } else {
-              const msg = `Connected to ${resolvedServiceKey}${result.accountInfo ? ` as ${result.accountInfo}` : ""}`;
+              const msg = `Connected to ${provider}${result.accountInfo ? ` as ${result.accountInfo}` : ""}`;
               process.stdout.write(msg + "\n");
             }
           }