@xano/cli 1.0.3-beta.6 → 1.0.3-beta.7

package/README.md

@@ -46,8 +46,19 @@ These warnings are layer 1 of broader push-safety work; ephemeral sandbox enviro
 xano auth
 xano auth --origin https://custom.xano.com
 xano auth --insecure                         # Skip TLS verification (self-signed certs)
+xano auth --no-browser                       # Headless login (no local callback server)
 ```
 
+The default flow starts a temporary callback server on `127.0.0.1` and waits
+for the browser to redirect back to it. On remote/SSH sessions, Docker
+containers, or locked-down networks where the browser can't reach the CLI's
+loopback address, use `--no-browser`: the CLI prints a login URL, you open it
+in any browser, and paste back the code it displays. No local server required.
+
+If you can't run `xano auth` at all, you can always create a profile manually
+with a Metadata API token from the Xano dashboard — see
+[Profiles](#profiles) below.
+
 ### Profiles
 
 Profiles store your Xano credentials and default workspace settings.

package/dist/commands/auth/index.d.ts

@@ -5,6 +5,7 @@ export default class Auth extends Command {
     static flags: {
         config: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
         insecure: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        'no-browser': import("@oclif/core/interfaces").BooleanFlag<boolean>;
         origin: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
     };
     run(): Promise<void>;
@@ -12,6 +13,7 @@ export default class Auth extends Command {
     private fetchBranches;
     private fetchInstances;
     private fetchWorkspaces;
+    private promptForToken;
     private promptProfileName;
     private saveProfile;
     private selectBranch;

package/dist/commands/auth/index.js

@@ -1,4 +1,3 @@
-import { ExitPromptError } from '@inquirer/core';
 import { Command, Flags } from '@oclif/core';
 import inquirer from 'inquirer';
 import * as yaml from 'js-yaml';
@@ -20,6 +19,10 @@ Authenticated as John Doe (john@example.com)
 Profile 'default' created successfully!`,
         `$ xano auth --origin https://custom.xano.com
 Opening browser for Xano login at https://custom.xano.com...`,
+        `$ xano auth --no-browser
+To authenticate, open the following URL in any browser:
+  https://app.xano.com/login?dest=cli&display=code
+? Paste the code shown in your browser: ****`,
     ];
     static flags = {
         config: Flags.string({
@@ -33,6 +36,10 @@ Opening browser for Xano login at https://custom.xano.com...`,
             default: false,
             description: 'Skip TLS certificate verification (for self-signed certificates)',
         }),
+        'no-browser': Flags.boolean({
+            default: false,
+            description: 'Headless login: print a URL and paste back the code shown in the browser, instead of starting a local callback server (use on remote/SSH/Docker hosts where 127.0.0.1 is not reachable from the browser)',
+        }),
         origin: Flags.string({
             char: 'o',
             default: 'https://app.xano.com',
@@ -48,7 +55,9 @@ Opening browser for Xano login at https://custom.xano.com...`,
         try {
             // Step 1: Get token via browser auth
             this.log('Starting authentication flow...');
-            const token = await this.startAuthServer(flags.origin);
+            const token = flags['no-browser']
+                ? await this.promptForToken(flags.origin)
+                : await this.startAuthServer(flags.origin);
             // Step 2: Validate token and get user info
             this.log('');
             this.log('Validating authentication...');
@@ -113,7 +122,10 @@ Opening browser for Xano login at https://custom.xano.com...`,
             process.exit(0);
         }
         catch (error) {
-            if (error instanceof ExitPromptError) {
+            // Ctrl+C at an inquirer prompt throws ExitPromptError. Match on the name
+            // rather than `instanceof`: inquirer bundles its own copy of
+            // @inquirer/core, so the thrown class won't match an imported one.
+            if (error?.name === 'ExitPromptError') {
                 this.log('Authentication cancelled.');
                 return;
             }
@@ -196,6 +208,34 @@ Opening browser for Xano login at https://custom.xano.com...`,
             return [];
         }
     }
+    async promptForToken(origin) {
+        // Headless flow: no local callback server. The login page, when opened
+        // without a `callback` param, renders the access token on screen for the
+        // user to copy. We point the browser there (best-effort) and prompt for
+        // the pasted code.
+        const authUrl = `${origin}/login?dest=cli&display=code`;
+        this.log('To authenticate, open the following URL in any browser:');
+        this.log('');
+        this.log(`  ${authUrl}`);
+        this.log('');
+        try {
+            await open(authUrl);
+        }
+        catch {
+            // Best-effort only; the URL is already printed above for manual use.
+        }
+        const { token } = await inquirer.prompt([
+            {
+                message: 'Paste the code shown in your browser',
+                name: 'token',
+                type: 'password',
+                validate(input) {
+                    return input.trim() === '' ? 'A code is required' : true;
+                },
+            },
+        ]);
+        return token.trim();
+    }
     async promptProfileName() {
         const { profileName } = await inquirer.prompt([
             {