@youkno/edge-cli 1.20.2314

package/src/lib/auth.ts

@@ -0,0 +1,527 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { spawn } from "node:child_process";
+import http from "node:http";
+
+import { EffectiveConfig } from "./types";
+
+const AUTH_DIR = process.env.EDGE_CLI_AUTH_DIR
+    ? path.resolve(process.env.EDGE_CLI_AUTH_DIR)
+    : path.join(os.homedir(), ".edge-cli-auth");
+const AUTH_FILE = path.join(AUTH_DIR, "accounts.json");
+const DEFAULT_DEVICE_NAME = "edge-cli";
+
+type AuthAccount = {
+    accessToken: string;
+    refreshToken?: string;
+    accessExpEpoch?: number;
+    refreshExpEpoch?: number;
+};
+
+type ScopeData = {
+    default?: string;
+    accounts: Record<string, AuthAccount>;
+};
+
+type AuthDb = {
+    scopes: Record<string, ScopeData>;
+};
+
+type TokenResponse = {
+    accessToken: string;
+    refreshToken?: string;
+    accessTokenExpiresInSec?: number;
+    refreshTokenExpiresInSec?: number;
+};
+
+function scopeKey(cfg: EffectiveConfig): string {
+    return `${cfg.product}/${cfg.env}`;
+}
+
+function ensureAuthDir(): void {
+    if (!fs.existsSync(AUTH_DIR)) {
+        fs.mkdirSync(AUTH_DIR, { recursive: true, mode: 0o700 });
+    }
+}
+
+function readDb(): AuthDb {
+    ensureAuthDir();
+    if (!fs.existsSync(AUTH_FILE)) {
+        return { scopes: {} };
+    }
+    try {
+        const raw = fs.readFileSync(AUTH_FILE, "utf8");
+        const parsed = JSON.parse(raw) as AuthDb;
+        if (!parsed.scopes || typeof parsed.scopes !== "object") {
+            return { scopes: {} };
+        }
+        return parsed;
+    } catch {
+        return { scopes: {} };
+    }
+}
+
+function writeDb(db: AuthDb): void {
+    ensureAuthDir();
+    fs.writeFileSync(AUTH_FILE, `${JSON.stringify(db, null, 2)}\n`, { mode: 0o600 });
+}
+
+function getScope(db: AuthDb, cfg: EffectiveConfig): ScopeData {
+    const key = scopeKey(cfg);
+    if (!db.scopes[key]) {
+        db.scopes[key] = { default: "", accounts: {} };
+    }
+    if (!db.scopes[key].accounts) {
+        db.scopes[key].accounts = {};
+    }
+    return db.scopes[key];
+}
+
+function nowEpoch(): number {
+    return Math.floor(Date.now() / 1000);
+}
+
+export function listLogins(cfg: EffectiveConfig): Array<{ email: string; isDefault: boolean }> {
+    const db = readDb();
+    const scope = getScope(db, cfg);
+    return Object.keys(scope.accounts)
+        .sort((a, b) => a.localeCompare(b))
+        .map((email) => ({ email, isDefault: scope.default === email }));
+}
+
+export function setDefaultLogin(cfg: EffectiveConfig, email: string): void {
+    const db = readDb();
+    const scope = getScope(db, cfg);
+    if (!scope.accounts[email]) {
+        throw new Error(`Account not found for ${cfg.product}/${cfg.env}: ${email}`);
+    }
+    scope.default = email;
+    writeDb(db);
+}
+
+function authStateHeader(cfg: EffectiveConfig): string {
+    return `${cfg.product}.${cfg.env}`;
+}
+
+function authDeviceId(): string {
+    return `edge-cli:${os.hostname() || "unknown-host"}`;
+}
+
+function decodeJwtPayload(token: string): Record<string, unknown> {
+    const parts = token.split(".");
+    if (parts.length < 2) {
+        return {};
+    }
+    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    const pad = b64.length % 4 === 0 ? "" : "=".repeat(4 - (b64.length % 4));
+    const decoded = Buffer.from(b64 + pad, "base64").toString("utf8");
+    try {
+        return JSON.parse(decoded) as Record<string, unknown>;
+    } catch {
+        return {};
+    }
+}
+
+function extractEmailFromToken(accessToken: string): string {
+    const payload = decodeJwtPayload(accessToken);
+    const email = payload.email;
+    if (typeof email === "string" && email.trim()) {
+        return email.trim();
+    }
+    return "unknown@local";
+}
+
+function getAuthHeaderFromOverride(auth?: string): string | undefined {
+    if (!auth) {
+        return undefined;
+    }
+    return `Basic ${Buffer.from(auth).toString("base64")}`;
+}
+
+async function requestTokenEndpoint(
+    cfg: EffectiveConfig,
+    endpoint: "exchange" | "refresh" | "logout",
+    payload: Record<string, unknown>
+): Promise<TokenResponse | undefined> {
+    const url = `${cfg.baseUrl.replace(/\/$/, "")}/api/v1/auth/${endpoint}`;
+    const response = await fetch(url, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            "X-edge-state": authStateHeader(cfg)
+        },
+        body: JSON.stringify(payload)
+    });
+
+    if (!response.ok) {
+        const body = await response.text();
+        throw new Error(`Auth ${endpoint} failed (${response.status}): ${body}`);
+    }
+
+    if (endpoint === "logout") {
+        return undefined;
+    }
+
+    return (await response.json()) as TokenResponse;
+}
+
+async function authExchangeFirebaseToken(cfg: EffectiveConfig, firebaseToken: string): Promise<TokenResponse> {
+    const resp = await requestTokenEndpoint(cfg, "exchange", {
+        firebaseToken,
+        deviceId: authDeviceId(),
+        deviceName: DEFAULT_DEVICE_NAME
+    });
+    if (!resp?.accessToken) {
+        throw new Error("Token exchange did not return accessToken");
+    }
+    return resp;
+}
+
+async function authRefreshToken(cfg: EffectiveConfig, refreshToken: string): Promise<TokenResponse> {
+    const resp = await requestTokenEndpoint(cfg, "refresh", {
+        refreshToken,
+        deviceId: authDeviceId(),
+        deviceName: DEFAULT_DEVICE_NAME
+    });
+    if (!resp?.accessToken) {
+        throw new Error("Token refresh did not return accessToken");
+    }
+    return resp;
+}
+
+async function authLogoutRefreshToken(cfg: EffectiveConfig, refreshToken: string): Promise<void> {
+    await requestTokenEndpoint(cfg, "logout", { refreshToken });
+}
+
+export async function logout(cfg: EffectiveConfig, email?: string): Promise<string> {
+    const db = readDb();
+    const scope = getScope(db, cfg);
+    const target = email ?? scope.default;
+    if (!target) {
+        throw new Error(`No account to logout for ${cfg.product}/${cfg.env}`);
+    }
+    const account = scope.accounts[target];
+    if (!account) {
+        throw new Error(`Account not found for ${cfg.product}/${cfg.env}: ${target}`);
+    }
+
+    if (account.refreshToken) {
+        try {
+            await authLogoutRefreshToken(cfg, account.refreshToken);
+        } catch {
+            // best effort
+        }
+    }
+
+    delete scope.accounts[target];
+    if (scope.default === target) {
+        const left = Object.keys(scope.accounts).sort((a, b) => a.localeCompare(b));
+        scope.default = left[0] ?? "";
+    }
+    writeDb(db);
+    return target;
+}
+
+function storeTokens(cfg: EffectiveConfig, email: string, tokenResp: TokenResponse): void {
+    const db = readDb();
+    const scope = getScope(db, cfg);
+    const now = nowEpoch();
+
+    scope.accounts[email] = {
+        accessToken: tokenResp.accessToken,
+        refreshToken: tokenResp.refreshToken,
+        accessExpEpoch: now + (tokenResp.accessTokenExpiresInSec ?? 0),
+        refreshExpEpoch: tokenResp.refreshToken ? now + (tokenResp.refreshTokenExpiresInSec ?? 0) : 0
+    };
+    scope.default = email;
+    writeDb(db);
+}
+
+function parseCallbackQuery(queryString: string): {
+    email?: string;
+    accessToken?: string;
+    refreshToken?: string;
+    firebaseToken?: string;
+    code?: string;
+} {
+    const query = queryString.startsWith("?") ? queryString.slice(1) : queryString;
+    const params = new URLSearchParams(query);
+    const read = (...keys: string[]) => {
+        for (const k of keys) {
+            const value = params.get(k);
+            if (value) {
+                return value;
+            }
+        }
+        return undefined;
+    };
+
+    return {
+        email: read("email", "user", "username", "userEmail"),
+        accessToken: read("accessToken", "access_token", "jwt", "token"),
+        refreshToken: read("refreshToken", "refresh_token"),
+        firebaseToken: read("firebaseToken", "firebase_token", "idToken", "id_token"),
+        code: read("code", "authCode")
+    };
+}
+
+function openBrowser(url: string): boolean {
+    const platform = process.platform;
+    let command: string;
+    let args: string[];
+
+    if (platform === "darwin") {
+        command = "open";
+        args = [url];
+    } else if (platform === "win32") {
+        command = "cmd";
+        args = ["/c", "start", "", url];
+    } else {
+        command = "xdg-open";
+        args = [url];
+    }
+
+    try {
+        const child = spawn(command, args, { stdio: "ignore", detached: true });
+        child.unref();
+        return true;
+    } catch {
+        return false;
+    }
+}
+
+function startAuthListener(timeoutSec: number): Promise<{ redirectUrl: string; callback: Promise<string> }> {
+    const tokenKeys = new Set([
+        "accessToken",
+        "access_token",
+        "jwt",
+        "token",
+        "refreshToken",
+        "refresh_token",
+        "firebaseToken",
+        "firebase_token",
+        "idToken",
+        "id_token",
+        "code",
+        "authCode"
+    ]);
+
+    return new Promise((resolve, reject) => {
+        let callbackResolved = false;
+        let callbackSettled = false;
+        let startupSettled = false;
+        let callbackResolve: (query: string) => void = () => {};
+        let callbackReject: (error: Error) => void = () => {};
+        const callback = new Promise<string>((res, rej) => {
+            callbackResolve = res;
+            callbackReject = rej;
+        });
+
+        const server = http.createServer((req, res) => {
+            const reqUrl = new URL(req.url ?? "/", "http://127.0.0.1");
+            const hasToken = Array.from(reqUrl.searchParams.keys()).some((k) => tokenKeys.has(k));
+
+            if (hasToken) {
+                callbackResolved = true;
+                clearTimeout(timeout);
+                res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+                res.end("<html><body><h3>Authentication successful.</h3>You can close this tab.</body></html>");
+                const query = reqUrl.search;
+                server.close(() => {
+                    if (!callbackSettled) {
+                        callbackSettled = true;
+                        callbackResolve(query);
+                    }
+                });
+                return;
+            }
+
+            res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+            res.end(`<html><body><h3>Completing authentication...</h3>
+<script>
+const hash = window.location.hash ? window.location.hash.substring(1) : "";
+if (hash && !window.location.search) {
+  window.location.replace(window.location.pathname + "?" + hash);
+}
+</script>
+You can close this tab.</body></html>`);
+        });
+
+        const timeout = setTimeout(() => {
+            if (!callbackResolved) {
+                server.close(() => {
+                    if (!callbackSettled) {
+                        callbackSettled = true;
+                        callbackReject(new Error("Authentication timed out or callback not received."));
+                    }
+                });
+            }
+        }, timeoutSec * 1000);
+
+        let redirectUrl = "";
+        server.listen(0, "127.0.0.1", () => {
+            const address = server.address();
+            if (!address || typeof address === "string") {
+                clearTimeout(timeout);
+                server.close(() => {
+                    if (!startupSettled) {
+                        startupSettled = true;
+                        reject(new Error("Unable to acquire callback listener port."));
+                    }
+                });
+                return;
+            }
+            redirectUrl = `http://127.0.0.1:${address.port}/callback`;
+            if (!startupSettled) {
+                startupSettled = true;
+                resolve({ redirectUrl, callback });
+            }
+        });
+    });
+}
+
+export async function login(cfg: EffectiveConfig): Promise<string> {
+    if (!cfg.consoleBaseUrl) {
+        throw new Error(`No console URL configured for ${cfg.product}/${cfg.env}.`);
+    }
+
+    const listener = await startAuthListener(180);
+    const redirectUrl = listener.redirectUrl;
+
+    const loginUrl = new URL(`${cfg.consoleBaseUrl.replace(/\/$/, "")}/admin/sign-in`);
+    loginUrl.searchParams.set("redirect_url", redirectUrl);
+    loginUrl.searchParams.set("redirectUrl", redirectUrl);
+    loginUrl.searchParams.set("redirect_uri", redirectUrl);
+
+    process.stdout.write("Opening browser for authentication...\n");
+    process.stdout.write(`Login URL: ${loginUrl.toString()}\n`);
+    if (!openBrowser(loginUrl.toString())) {
+        process.stdout.write("Open this URL in your browser to continue:\n");
+        process.stdout.write(`${loginUrl.toString()}\n`);
+    }
+
+    const query = await listener.callback;
+    const parsed = parseCallbackQuery(query);
+
+    if (parsed.code) {
+        throw new Error("Authentication callback returned code-based response, exchange not implemented.");
+    }
+
+    let tokenResp: TokenResponse | undefined;
+    if (parsed.firebaseToken) {
+        tokenResp = await authExchangeFirebaseToken(cfg, parsed.firebaseToken);
+    } else if (parsed.accessToken) {
+        tokenResp = {
+            accessToken: parsed.accessToken,
+            refreshToken: parsed.refreshToken,
+            accessTokenExpiresInSec: 3600,
+            refreshTokenExpiresInSec: parsed.refreshToken ? 2_592_000 : 0
+        };
+    }
+
+    if (!tokenResp?.accessToken) {
+        throw new Error("Authentication callback did not include usable token data.");
+    }
+
+    const email = parsed.email ?? extractEmailFromToken(tokenResp.accessToken);
+    storeTokens(cfg, email, tokenResp);
+    return email;
+}
+
+async function validateAccessToken(cfg: EffectiveConfig, accessToken: string): Promise<boolean> {
+    const url = new URL(`${cfg.baseUrl.replace(/\/$/, "")}/shell`);
+    url.searchParams.set("cmd", "help");
+
+    const response = await fetch(url, {
+        method: "GET",
+        headers: {
+            "X-edge-state": authStateHeader(cfg),
+            Authorization: `Bearer ${accessToken}`
+        }
+    });
+    return response.status === 200 || response.status === 204;
+}
+
+async function refreshDefaultToken(cfg: EffectiveConfig): Promise<string | undefined> {
+    const db = readDb();
+    const scope = getScope(db, cfg);
+    const email = scope.default;
+    if (!email) {
+        return undefined;
+    }
+    const account = scope.accounts[email];
+    if (!account?.refreshToken) {
+        return undefined;
+    }
+
+    const refreshed = await authRefreshToken(cfg, account.refreshToken);
+    const merged: TokenResponse = {
+        accessToken: refreshed.accessToken,
+        refreshToken: refreshed.refreshToken || account.refreshToken,
+        accessTokenExpiresInSec: refreshed.accessTokenExpiresInSec,
+        refreshTokenExpiresInSec: refreshed.refreshTokenExpiresInSec
+    };
+    storeTokens(cfg, email, merged);
+    return merged.accessToken;
+}
+
+export async function resolveAccessToken(cfg: EffectiveConfig, forceRefresh = false): Promise<string> {
+    const override = getAuthHeaderFromOverride(cfg.auth);
+    if (override) {
+        throw new Error("Cannot derive JWT token when --auth basic credentials are used.");
+    }
+
+    const db = readDb();
+    const scope = getScope(db, cfg);
+    const email = scope.default;
+    if (!email) {
+        throw new Error(`No JWT session for ${cfg.product}/${cfg.env}. Run 'edge-cli login'.`);
+    }
+    const account = scope.accounts[email];
+    if (!account?.accessToken) {
+        throw new Error(`No access token for ${email}. Run 'edge-cli login'.`);
+    }
+
+    let accessToken = account.accessToken;
+    const expiry = account.accessExpEpoch ?? 0;
+    const now = nowEpoch();
+
+    if (forceRefresh && account.refreshToken) {
+        const refreshed = await refreshDefaultToken(cfg);
+        if (refreshed) {
+            return refreshed;
+        }
+    }
+
+    if (expiry > 0 && expiry <= now + 60 && account.refreshToken) {
+        try {
+            const refreshed = await refreshDefaultToken(cfg);
+            if (refreshed) {
+                accessToken = refreshed;
+            }
+        } catch {
+            // continue with existing token
+        }
+    }
+
+    if (!(await validateAccessToken(cfg, accessToken)) && account.refreshToken) {
+        const refreshed = await refreshDefaultToken(cfg);
+        if (refreshed) {
+            accessToken = refreshed;
+        }
+    }
+
+    return accessToken;
+}
+
+export async function resolveAuthHeader(cfg: EffectiveConfig): Promise<string> {
+    const override = getAuthHeaderFromOverride(cfg.auth);
+    if (override) {
+        return override;
+    }
+    const accessToken = await resolveAccessToken(cfg);
+    return `Bearer ${accessToken}`;
+}
+
+export { getAuthHeaderFromOverride };