@yahoo/uds 1.2.0 → 1.3.0

package/cli/README.md

@@ -128,6 +128,27 @@ Any file added to commands/codemod will be available in prompt land.
 uds codemod
 ```
 
+### Login
+
+The `uds login` command is used to authenticate the user to the CLI. We use
+Google's OAuth2 flow, which is the same login flow used by the [Configurator](/docs/getting-started/using-configurator) and the documentation site. Logging in to the CLI helps us identify and track CLI usage and metrics.
+
+#### Flags
+
+| Flag       | Description                               | Default | Required |
+| ---------- | ----------------------------------------- | ------- | -------- |
+| `skipAuth` | Skip auth checks (for CI/CD environments) | `false` |          |
+
+**Example:**
+
+```shell
+uds login
+uds login --skipAuth
+
+# Sign out current user.
+uds logout
+```
+
 ### Expo (WIP)
 
 The `uds expo` command is for building and launching React Native apps using Expo.

package/cli/cli.ts

@@ -2,25 +2,48 @@
 // Start bluebun to run the correct CLI command
 import { parseArgs } from 'node:util';
 
-import { run } from 'bluebun';
+import { getFeatureFlags } from '@yahoo/uds/flags';
+import { print, red, run } from 'bluebun';
 
-function main() {
+import { getAuthenticatedUser } from './utils/auth';
+
+async function main() {
   // We need to pass the path from Node to the Bun binaries
   // because there's an issue where the Bun binaries struggle to resolve
-  const { values } = parseArgs({
+  const { values, positionals } = parseArgs({
     args: Bun.argv,
     options: {
       commandsPath: {
         type: 'string',
       },
+      skipAuth: {
+        type: 'boolean',
+        default: false,
+      },
     },
     strict: false,
     allowPositionals: true,
   });
 
+  const cliPath = values.commandsPath!.toString();
+  const isLoginCmd = positionals.includes('login');
+  const { useCLIAuth } = getFeatureFlags();
+
+  if (useCLIAuth && !values.skipAuth && !isLoginCmd) {
+    const user = await getAuthenticatedUser(cliPath);
+    if (!user) {
+      print(
+        red(
+          '🚨 Sign-in required. Please run `uds login` and use a @yahooinc.com email during sign-in.',
+        ),
+      );
+      return;
+    }
+  }
+
   run({
     name: 'uds',
-    cliPath: values.commandsPath!.toString(),
+    cliPath,
   });
 }
 

package/cli/commands/login.ts

@@ -0,0 +1,28 @@
+import { magenta, print, red } from 'bluebun';
+
+import { login } from '../utils/auth';
+
+export default {
+  name: 'login',
+  description: '👤 Log in to UDS CLI',
+  alias: ['auth'],
+  run: async () => {
+    try {
+      const user = await login();
+      if (user) {
+        print(magenta(`🔒 Logged in as ${user.email}`));
+      }
+    } catch (error) {
+      if (error instanceof Error) {
+        print(red(error.message));
+      } else {
+        print(
+          red(
+            `❌ An error occurred while logging in. Please ask in the #uds-ask channel for support.`,
+          ),
+        );
+        process.exitCode = 1;
+      }
+    }
+  },
+};

package/cli/commands/logout.ts

@@ -0,0 +1,24 @@
+import { magenta, print, red } from 'bluebun';
+
+import { logout } from '../utils/auth';
+
+export default {
+  name: 'logout',
+  description: '👤 Sign out of UDS CLI',
+  run: async () => {
+    try {
+      await logout();
+      print(magenta('👋 You have been logged out.'));
+    } catch (error) {
+      if (error instanceof Error) {
+        print(red(error.message));
+      } else {
+        print(
+          red(
+            `❌ An error occurred while logging out. Please ask in the #uds-ask channel for support.`,
+          ),
+        );
+      }
+    }
+  },
+};

package/cli/commands/uds.ts

@@ -1,5 +1,6 @@
 import { print, type Props, red } from 'bluebun';
 
+import { getAuthenticatedUser } from '../utils/auth';
 import { getCommandHelp } from '../utils/getCommandHelp';
 
 export default {
@@ -9,6 +10,8 @@ export default {
     if (props.first) {
       print(red(`Unknown command: ${props.first}`));
     }
-    await getCommandHelp(props);
+    const user = await getAuthenticatedUser();
+    const notes = user ? `🔒 Logged in as ${user.email}` : undefined;
+    await getCommandHelp({ ...props, notes });
   },
 };

package/cli/env.d.ts

@@ -14,6 +14,11 @@ declare module 'bun' {
     EXPO_USE_METRO_WORKSPACE_ROOT?: string;
     EXPO_BUNDLE_APP?: string;
     ESLINT_USE_FLAT_CONFIG?: string;
+    /** UDS purge command - which color and scale modes to keep */
     ENABLED_SCALE_AND_COLOR_MODES?: string;
+    /** UDS config id */
+    UDS_ID?: string;
+    /** UDS sync command - filename to write the config output */
+    UDS_OUT_FILE?: string;
   }
 }

package/cli/exec.ts

@@ -28,7 +28,7 @@ const detectPlatform = () => {
     });
   } else {
     throw new Error(
-      'Unsupported platform 😢, pleaes reach out to the UDS team for support #uds-ask.',
+      'Unsupported platform 😢, please reach out to the UDS team for support #uds-ask.',
     );
   }
 };

package/cli/preload.ts

@@ -44,3 +44,19 @@ mock.module('@yahoo/uds/tailwind/purger', () => ({
     Button: '',
   },
 }));
+
+mock.module('googleapis', () => ({
+  google: {
+    auth: {
+      OAuth2: mock(() => {}).mockImplementation(() => ({
+        getToken: () => Promise.resolve({ tokens: 'test' }),
+        setCredentials: mock(() => {}),
+      })),
+    },
+    oauth2: () => ({
+      userinfo: {
+        get: () => Promise.resolve({ data: { email: 'foo@yahooinc.com' } }),
+      },
+    }),
+  },
+}));

package/cli/uds-cli

@@ -2,9 +2,9 @@
 
 // Note: This file is generated, do not edit directly! Edit exec.ts instead. 
 // cli/exec.ts
-import {execFileSync} from "child_process";
+import { execFileSync } from "child_process";
 import path from "path";
-import {fileURLToPath} from "url";
+import { fileURLToPath } from "url";
 
 // cli/consts.ts
 var SUPPORTED_BUN_PLATFORMS = ["linux-x64-baseline", "darwin-arm64-baseline"];
@@ -23,7 +23,7 @@ var detectPlatform = () => {
       stdio: "inherit"
     });
   } else {
-    throw new Error("Unsupported platform \uD83D\uDE22, pleaes reach out to the UDS team for support #uds-ask.");
+    throw new Error("Unsupported platform \uD83D\uDE22, please reach out to the UDS team for support #uds-ask.");
   }
 };
 detectPlatform();

package/cli/utils/auth.test.ts

@@ -0,0 +1,107 @@
+import path from 'node:path';
+
+import { afterAll, describe, expect, it, mock } from 'bun:test';
+import http from 'http';
+// eslint-disable-next-line n/no-unpublished-import
+import httpMocks from 'node-mocks-http';
+
+import {
+  getAuthenticatedUser,
+  isYahooEmployee,
+  login,
+  logout,
+  onRequestHandler,
+  type User,
+} from './auth';
+
+const __dirname = path.resolve(import.meta.dir);
+const filepath = path.resolve(__dirname, '.uds/user.json');
+
+const writeCache = async (filePath: string, user: User) => {
+  return Bun.write(filePath, JSON.stringify(user));
+};
+
+describe('auth', () => {
+  describe('isYahooEmployee', () => {
+    it('does not return a user on first use', async () => {
+      expect(isYahooEmployee({ email: 'user@yahooinc.com' })).toBe(true);
+      expect(isYahooEmployee({ email: 'user@test.com' })).toBe(false);
+    });
+  });
+
+  describe('getAuthenticatedUser', () => {
+    it('does not return a user on first use', async () => {
+      expect(await getAuthenticatedUser(__dirname)).toBeUndefined();
+    });
+
+    it('reads user info from cache when one exists', async () => {
+      const user: User = { email: 'user@yahooinc.com', name: 'User' };
+      await writeCache(filepath, user);
+      const userInfo = await getAuthenticatedUser(__dirname);
+      expect(userInfo).toEqual(user);
+    });
+
+    it('resets user when non @yahooinc.com email is used', async () => {
+      await writeCache(filepath, { email: 'user@test.com', name: 'User' });
+      expect(await Bun.file(filepath).exists()).toBeTrue();
+      const userInfo = await getAuthenticatedUser(__dirname);
+      expect(userInfo).toBeUndefined();
+      expect(await Bun.file(filepath).exists()).toBeFalse();
+    });
+  });
+
+  describe('getAuthenticatedClient', () => {
+    // mock.module('open', () => ({}));
+    const mockServer = Object.assign(Object.create(http.Server.prototype), {
+      listen: mock(),
+      on: mock(),
+      close: mock(),
+    });
+    const resolve = mock();
+    const reject = mock();
+
+    it('returns error when no code is on callback url', async () => {
+      const request = httpMocks.createRequest({ method: 'GET', url: '/oauth2callback' });
+      const response = httpMocks.createResponse();
+      await onRequestHandler.bind(mockServer)(request, response, resolve, reject);
+      expect(response._getData()).toInclude('no code parameter');
+    });
+
+    it('can successfully login in user', async () => {
+      const request = httpMocks.createRequest({ method: 'GET', url: '/oauth2callback?code=123' });
+      const response = httpMocks.createResponse();
+      await onRequestHandler.bind(mockServer)(request, response, resolve, reject);
+      expect(response._getData()).toInclude('Authentication successful!');
+      expect(resolve).toHaveBeenCalled();
+    });
+  });
+
+  describe('logout', () => {
+    it('removes the user cache', async () => {
+      await writeCache(filepath, { email: 'user@yahooinc.com', name: 'User' });
+      expect(await Bun.file(filepath).exists()).toBeTrue();
+      await logout(filepath);
+      expect(await Bun.file(filepath).exists()).toBeFalse();
+    });
+  });
+
+  describe('login', () => {
+    afterAll(async () => {
+      await logout(); // cleanup
+    });
+
+    const mockFunc = mock(() => Promise.resolve({ email: 'foo@yahooinc.com' }));
+
+    mock.module('./auth', () => ({
+      getAuthenticatedClient: mockFunc,
+    }));
+
+    it('uses cache when user previously logged in', async () => {
+      // Test multiple calls to login
+      await login();
+      await login();
+      await login();
+      expect(mockFunc).toHaveBeenCalledTimes(1);
+    });
+  });
+});

package/cli/utils/auth.ts

@@ -0,0 +1,158 @@
+import { unlink } from 'node:fs/promises';
+import path from 'node:path';
+
+import { print, red } from 'bluebun';
+import Bun from 'bun';
+import { Auth, google, oauth2_v2 } from 'googleapis';
+import http from 'http';
+import open from 'open';
+
+import clientSecrets from './client_secrets.json';
+
+const { redirect_uris, client_id, client_secret } = clientSecrets.web;
+const REDIRECT_URL = redirect_uris[0];
+const { port: PORT, origin: BASE_URL } = new URL(REDIRECT_URL);
+
+const cacheFilePath = '.uds/user.json';
+const DEFAULT_CLI_PATH = path.resolve(import.meta.dir, '..');
+const CACHED_USER_FILE = path.resolve(DEFAULT_CLI_PATH, cacheFilePath);
+
+// Credentials can be found in https://console.cloud.google.com/apis/credentials/oauthclient/700524957090-6uju02gp6i0rlm3p17nt1v6vbrretfka.apps.googleusercontent.com?project=uds-poc.
+const oauth2Client = new google.auth.OAuth2(client_id, client_secret, REDIRECT_URL);
+
+type User = oauth2_v2.Schema$Userinfo;
+
+function isYahooEmployee(user?: User) {
+  return user?.email?.endsWith('@yahooinc.com');
+}
+
+async function onRequestHandler(
+  this: http.Server,
+  req: http.IncomingMessage,
+  res: http.ServerResponse,
+  resolve: (value: typeof oauth2Client) => void,
+  reject: (reason?: unknown) => void,
+) {
+  try {
+    const code = new URL(req.url || '', BASE_URL).searchParams.get('code');
+    if (!code) {
+      res.end('There was no code parameter on the url.');
+      this.close();
+      return;
+    }
+
+    res.end('Authentication successful! You can close this window.');
+
+    this.close();
+
+    const { tokens } = await oauth2Client.getToken(code);
+    oauth2Client.setCredentials(tokens);
+
+    resolve(oauth2Client);
+  } catch (e) {
+    reject(e);
+  }
+}
+
+async function getAuthenticatedClient(): Promise<Auth.OAuth2Client> {
+  return new Promise((resolve, reject) => {
+    const authorizeUrl = oauth2Client.generateAuthUrl({
+      access_type: 'offline',
+      scope: [
+        'https://www.googleapis.com/auth/userinfo.profile',
+        'https://www.googleapis.com/auth/userinfo.email',
+      ].join(' '),
+      hd: 'yahooinc.com',
+      include_granted_scopes: true,
+    });
+
+    // TODO: If port (3000) is already in use, this will fail.
+    // Setup https://www.npmjs.com/package/find-free-ports, but that won't
+    // play well with the pre-configured redirect_uris in the Google Cloud Console.
+    const server = http
+      .createServer()
+      .listen(PORT, async () => {
+        const childProcess = await open(authorizeUrl, { wait: false });
+        childProcess.unref();
+      })
+      .on('request', (req, res) => onRequestHandler.call(server, req, res, resolve, reject))
+      .on('error', (err: NodeJS.ErrnoException) => {
+        if (err.code && err.code.includes('EADDRINUSE')) {
+          print(
+            red(`🚨 Port ${PORT} already in use. Cannot start local server to handle OAuth flow.`),
+          );
+          server.close();
+        }
+      });
+  });
+}
+
+async function logout(cachePath?: string) {
+  // 1. TODO: Revoke token access
+  try {
+    // 2. Remove cached user data.
+    return await unlink(cachePath ?? CACHED_USER_FILE);
+  } catch {
+    // noop
+  }
+}
+
+/**
+ * Takes the user through the OAuth2 flow, creating a server for the oauth callback.
+ * If the user has previously authenticated, it returns the cached user.
+ * @returns
+ */
+async function login() {
+  let user = await getAuthenticatedUser();
+  // Authenticate if there's no user cached.
+  if (!user) {
+    try {
+      const auth = await getAuthenticatedClient();
+      const oauth2 = google.oauth2({ version: 'v2', auth });
+      user = (await oauth2.userinfo.get()).data;
+      await Bun.write(CACHED_USER_FILE, JSON.stringify(user, null, 2));
+    } catch (err) {
+      console.error('Error:', err);
+    }
+  }
+
+  return user;
+}
+
+/**
+ * The authenticated user or undefined if the user is not authenticated.
+ * @param cliPath Root folder of cli commands. Defaults to 'packages/uds/cli'.
+ * Note: this is only needed when calling this method in cli.ts. The compiled
+ * platform-specific binaries create a virtual file system and we need
+ * to forward the package libPath from exec.ts.
+ * @returns user info
+ */
+async function getAuthenticatedUser(cliPath = DEFAULT_CLI_PATH): Promise<User | undefined> {
+  try {
+    const cachePath = path.resolve(cliPath, cacheFilePath);
+    const file = Bun.file(cachePath);
+    const user = await file.json();
+
+    if (isYahooEmployee(user)) {
+      return user;
+    }
+
+    await logout(cachePath); // remove cached user.
+  } catch (err) {
+    if ((err as NodeJS.ErrnoException).code !== 'ENOENT') {
+      console.error(err);
+    }
+  }
+
+  return undefined;
+}
+
+export {
+  getAuthenticatedClient,
+  getAuthenticatedUser,
+  isYahooEmployee,
+  login,
+  logout,
+  onRequestHandler,
+  type User,
+};

package/cli/utils/secrets.ts

@@ -0,0 +1,40 @@
+import path from 'node:path';
+
+// eslint-disable-next-line n/no-unpublished-import
+import { loadEnvConfig } from '@next/env';
+import { $ } from 'bun';
+
+loadEnvConfig(process.cwd());
+
+const secretsFile = path.resolve(import.meta.dir, 'client_secrets.json');
+const encryptedFilename = `${secretsFile}.enc`;
+
+async function encrypt() {
+  await $`openssl enc -aes-256-cbc -in ${secretsFile} -out ${encryptedFilename}`;
+}
+
+async function decrypt() {
+  const f = Bun.file(secretsFile);
+  if (!(await f.exists())) {
+    await $`openssl enc -aes-256-cbc -in ${encryptedFilename} -out ${secretsFile} -d -pass env:UDS_CLI_SECRETS_PW`;
+  }
+}
+
+async function main() {
+  if (!process.env.UDS_CLI_SECRETS_PW) {
+    console.error('Please set UDS_CLI_SECRETS_PW env variable. The password is in LastPass.');
+    process.exitCode = 1;
+    return;
+  }
+
+  const cmd = Bun.argv[2];
+  if (cmd === 'encrypt') {
+    await encrypt();
+    console.log(`Secrets file encrypted to ${encryptedFilename}`);
+  } else if (cmd === 'decrypt') {
+    await decrypt();
+    console.log(`Secrets file saved to ${secretsFile}`);
+  }
+}
+
+main();

package/cli/utils/types.ts

@@ -17,3 +17,11 @@ export type SyncOptions = {
   /** Enable watch mode? */
   watch?: boolean;
 };
+
+export type LoginOptions = {
+  /**
+   * Opt-out of authentication. Typically used in a CI/CD environment.
+   * @default false
+   */
+  skipAuth?: boolean;
+};