@wilm-ai/wilma-cli 1.3.1 → 1.4.0

package/README.md

@@ -71,11 +71,25 @@ wilma update
 wilma config clear
 ```
 
+## MFA (Multi-Factor Authentication)
+
+If your Wilma account has MFA/TOTP enabled:
+
+**Interactive (recommended):** Run `wilma` and choose "Save TOTP secret for automatic login" when prompted. Paste your base32 key or `otpauth://` URI from your authenticator app. Future logins auto-authenticate.
+
+**Non-interactive:** Pass the secret directly:
+```bash
+wilma schedule list --totp-secret <base32-key> --json
+wilma schedule list --totp-secret 'otpauth://totp/...' --json
+```
+
+If you've saved your TOTP secret via interactive setup, `--totp-secret` is not needed.
+
 ## Config
 Local config is stored in `~/.config/wilmai/config.json` (or `$XDG_CONFIG_HOME/wilmai/config.json`).
 Use `wilma config clear` to remove it. Override with `WILMAI_CONFIG_PATH`.
 
 ## Notes
-- Credentials are stored with lightweight obfuscation for convenience.
+- Credentials and TOTP secrets are stored with lightweight obfuscation for convenience.
 - For multi-child accounts, you can pass `--student <id|name>` or `--all-students`.
 - All list commands support `--json` for agent-friendly structured output.

package/dist/config.d.ts

@@ -4,6 +4,7 @@ export interface StoredProfile {
     tenantName?: string | null;
     username: string;
     passwordObfuscated: string;
+    totpSecretObfuscated?: string | null;
     students?: {
         studentNumber: string;
         name: string;

package/dist/index.js

@@ -55,7 +55,7 @@ async function main() {
     await runInteractive(config);
     await showUpdateNotice(updateCheck);
 }
-async function chooseProfile(config) {
+async function chooseProfile(config, onMfa, onStoredProfileResolved) {
     if (config.profiles.length) {
         const choices = config.profiles.map((p) => ({
             value: p.id,
@@ -74,6 +74,7 @@ async function chooseProfile(config) {
             if (!stored) {
                 throw new Error("Stored profile not found");
             }
+            onStoredProfileResolved?.(stored);
             const secret = revealSecret(stored.passwordObfuscated);
             if (!secret) {
                 throw new Error("Stored password could not be decoded");
@@ -82,7 +83,7 @@ async function chooseProfile(config) {
                 baseUrl: stored.tenantUrl,
                 username: stored.username,
                 password: secret,
-            });
+            }, onMfa);
             if (!selectedStudent) {
                 return null;
             }
@@ -113,7 +114,7 @@ async function chooseProfile(config) {
         username,
         password: passwordValue,
     };
-    const students = await WilmaClient.listStudents(profileBase);
+    const students = await WilmaClient.listStudents(profileBase, onMfa);
     const student = await chooseStudent(students);
     if (!student)
         return null;
@@ -134,16 +135,18 @@ async function chooseProfile(config) {
     };
     config.profiles = config.profiles.filter((p) => p.id !== stored.id).concat(stored);
     config.lastProfileId = stored.id;
+    onStoredProfileResolved?.(stored);
     await saveConfig(config);
     return finalProfile;
 }
 async function runInteractive(config) {
+    const mfaState = { storedProfile: undefined };
+    const interactiveMfa = createInteractiveMfaCallback(() => mfaState.storedProfile, () => saveConfig(config));
     while (true) {
-        const profile = await chooseProfile(config);
+        const profile = await chooseProfile(config, interactiveMfa, (sp) => { mfaState.storedProfile = sp; });
         if (!profile) {
             return;
         }
-        const interactiveMfa = createInteractiveMfaCallback();
         const client = await WilmaClient.login(profile, interactiveMfa);
         let nextAction = await selectOrCancel({
             message: "What do you want to view?",
@@ -334,9 +337,9 @@ async function chooseStudent(students) {
         return null;
     return students.find((s) => s.studentNumber === selected) ?? null;
 }
-async function chooseStudentFromProfile(stored, baseProfile) {
+async function chooseStudentFromProfile(stored, baseProfile, onMfa) {
     let students = [];
-    const fresh = await WilmaClient.listStudents(baseProfile);
+    const fresh = await WilmaClient.listStudents(baseProfile, onMfa);
     if (fresh.length) {
         students = fresh;
         stored.students = fresh.map((s) => ({ studentNumber: s.studentNumber, name: s.name }));
@@ -379,7 +382,15 @@ async function handleCommand(args, config) {
     const profile = await getProfileForCommandNonInteractive(config, flags);
     if (!profile)
         return;
-    const mfaCallback = createNonInteractiveMfaCallback(flags.totpSecret);
+    // Use --totp-secret flag, or fall back to stored TOTP secret from config
+    let totpSecret = flags.totpSecret;
+    if (!totpSecret) {
+        const stored = config.profiles.find((p) => p.id === config.lastProfileId);
+        if (stored?.totpSecretObfuscated) {
+            totpSecret = revealSecret(stored.totpSecretObfuscated) ?? undefined;
+        }
+    }
+    const mfaCallback = createNonInteractiveMfaCallback(totpSecret);
     const client = await WilmaClient.login(profile, mfaCallback);
     if (command === "kids") {
         const students = await getStudentsForCommand(profile, config);
@@ -1279,13 +1290,56 @@ async function selectOrCancel(opts, clearScreen = true) {
         process.stdin.removeListener("keypress", onKeypress);
     }
 }
-function createInteractiveMfaCallback() {
+function createInteractiveMfaCallback(getStoredProfile, saveProfile) {
+    let lastCode = null;
+    let lastCodeTime = 0;
     return async (_formkey) => {
+        // TOTP codes are valid for 30s; reuse if within the same window
+        const now = Math.floor(Date.now() / 30000);
+        if (lastCode && now === lastCodeTime) {
+            return lastCode;
+        }
+        // If a TOTP secret is stored, auto-generate
+        const stored = getStoredProfile?.();
+        if (stored?.totpSecretObfuscated) {
+            const secret = revealSecret(stored.totpSecretObfuscated);
+            if (secret) {
+                const code = generateTOTP(parseTotpSecret(secret));
+                lastCode = code;
+                lastCodeTime = now;
+                return code;
+            }
+        }
+        const choice = await select({
+            message: "MFA required. Choose how to authenticate:",
+            choices: [
+                { value: "code", name: "Enter one-time code from authenticator app" },
+                { value: "secret", name: "Save TOTP secret for automatic login" },
+            ],
+        });
+        if (choice === "secret") {
+            const secretInput = await input({
+                message: "Paste TOTP secret (base32 key or otpauth:// URI)",
+            });
+            if (!secretInput)
+                throw new Error("MFA cancelled");
+            const secret = parseTotpSecret(secretInput.trim());
+            // Save to config
+            if (stored && saveProfile) {
+                stored.totpSecretObfuscated = obfuscateSecret(secretInput.trim());
+                await saveProfile();
+            }
+            const code = generateTOTP(secret);
+            lastCode = code;
+            lastCodeTime = now;
+            return code;
+        }
         const code = await input({ message: "Enter MFA code from authenticator app" });
-        if (!code) {
+        if (!code)
             throw new Error("MFA cancelled");
-        }
-        return code.trim();
+        lastCode = code.trim();
+        lastCodeTime = now;
+        return lastCode;
     };
 }
 function createNonInteractiveMfaCallback(totpSecret) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wilm-ai/wilma-cli",
-  "version": "1.3.1",
+  "version": "1.4.0",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -10,7 +10,7 @@
   },
   "dependencies": {
     "@inquirer/prompts": "^5.3.8",
-    "@wilm-ai/wilma-client": "^1.2.1"
+    "@wilm-ai/wilma-client": "^1.3.0"
   },
   "devDependencies": {
     "typescript": "^5.6.3"