@zegazone_mcp/mcp 2.0.0

package/scripts/oauth-pair.mjs

@@ -0,0 +1,226 @@
+#!/usr/bin/env node
+/**
+ * One-time OAuth PKCE pairing: opens the Zegazone app, receives the authorization
+ * code on a loopback callback, exchanges it for access + refresh tokens, and
+ * writes ~/.zegazone-mcp/credentials.json (or ZEGA_CREDENTIALS_PATH).
+ *
+ * Env:
+ *   ZEGA_API_BASE        (required) e.g. https://api.zegaphone.com
+ *   ZEGA_APP_BASE        optional, default https://www.zegazone.com
+ *   ZEGA_OAUTH_CLIENT_ID optional, default openclaw
+ *   ZEGA_CREDENTIALS_PATH optional override for the JSON file path
+ *   ZEGA_TIMEOUT_MS      optional, default 30000
+ */
+
+import crypto from "node:crypto";
+import fs from "node:fs/promises";
+import http from "node:http";
+import path from "node:path";
+import os from "node:os";
+import { spawn } from "node:child_process";
+
+const apiBase = (process.env.ZEGA_API_BASE ?? "").trim().replace(/\/+$/, "");
+// Production web app is deployed at www (app subdomain may be unset on Vercel → DEPLOYMENT_NOT_FOUND).
+const appBase = (process.env.ZEGA_APP_BASE ?? "https://www.zegazone.com").trim().replace(/\/+$/, "");
+const clientId = (process.env.ZEGA_OAUTH_CLIENT_ID ?? "openclaw").trim() || "openclaw";
+const timeoutMs = Number(process.env.ZEGA_TIMEOUT_MS ?? "30000") || 30000;
+
+const SCOPE = "collections:read collections:write media:read media:write";
+
+function credentialsPath() {
+  const e = process.env.ZEGA_CREDENTIALS_PATH?.trim();
+  return e ? path.resolve(e) : path.join(os.homedir(), ".zegazone-mcp", "credentials.json");
+}
+
+function base64url(buf) {
+  return buf
+    .toString("base64")
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/, "");
+}
+
+function randomVerifier() {
+  return base64url(crypto.randomBytes(32));
+}
+
+function challengeS256(verifier) {
+  return base64url(crypto.createHash("sha256").update(verifier).digest());
+}
+
+function randomState() {
+  return base64url(crypto.randomBytes(16));
+}
+
+function openBrowser(url) {
+  const plat = process.platform;
+  const detached = { detached: true, stdio: "ignore" };
+  if (plat === "win32") {
+    // Avoid cmd.exe `start`: `&` in the URL is treated as a command separator and the browser
+    // opens a truncated link (often only ?oauth=1), causing "Invalid OAuth request" on the app.
+    spawn("rundll32", ["url.dll,FileProtocolHandler", url], detached).unref();
+  } else if (plat === "darwin") {
+    spawn("open", [url], detached).unref();
+  } else {
+    spawn("xdg-open", [url], detached).unref();
+  }
+}
+
+async function postToken(body) {
+  const controller = new AbortController();
+  const t = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const res = await fetch(`${apiBase}/functions/v1/thirdparty-oauth-token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body,
+      signal: controller.signal,
+    });
+    const parsed = await res.json().catch(() => ({}));
+    if (!res.ok) {
+      throw new Error(`Token exchange failed (${res.status}): ${JSON.stringify(parsed)}`);
+    }
+    const access_token = typeof parsed.access_token === "string" ? parsed.access_token : "";
+    const refresh_token = typeof parsed.refresh_token === "string" ? parsed.refresh_token : "";
+    const expires_in = typeof parsed.expires_in === "number" ? parsed.expires_in : 3600;
+    if (!access_token || !refresh_token) {
+      throw new Error(`Token response missing tokens: ${JSON.stringify(parsed)}`);
+    }
+    return { access_token, refresh_token, expires_in };
+  } finally {
+    clearTimeout(t);
+  }
+}
+
+async function writeCredentials(filePath, tokens) {
+  const access_expires_at_ms = Date.now() + Math.max(0, tokens.expires_in) * 1000;
+  const doc = {
+    version: 1,
+    client_id: clientId,
+    refresh_token: tokens.refresh_token,
+    access_token: tokens.access_token,
+    access_expires_at_ms,
+  };
+  await fs.mkdir(path.dirname(filePath), { recursive: true });
+  const tmp = `${filePath}.${process.pid}.tmp`;
+  await fs.writeFile(tmp, `${JSON.stringify(doc, null, 2)}\n`, { encoding: "utf8", mode: 0o600 });
+  await fs.rename(tmp, filePath);
+}
+
+function buildAuthorizeUrl(redirectUri, codeChallenge, state) {
+  const u = new URL(`${appBase}/`);
+  u.searchParams.set("oauth", "1");
+  u.searchParams.set("client_id", clientId);
+  u.searchParams.set("redirect_uri", redirectUri);
+  u.searchParams.set("code_challenge", codeChallenge);
+  u.searchParams.set("code_challenge_method", "S256");
+  u.searchParams.set("scope", SCOPE);
+  u.searchParams.set("state", state);
+  return u.toString();
+}
+
+async function main() {
+  if (!apiBase) {
+    console.error("Set ZEGA_API_BASE (e.g. https://api.zegaphone.com)");
+    process.exit(1);
+  }
+
+  const verifier = randomVerifier();
+  const challenge = challengeS256(verifier);
+  const state = randomState();
+  const credPath = credentialsPath();
+
+  const server = http.createServer();
+  await new Promise((resolve, reject) => {
+    server.once("error", reject);
+    server.listen(0, "127.0.0.1", resolve);
+  });
+
+  const addr = server.address();
+  if (!addr || typeof addr === "string") {
+    console.error("Could not bind loopback server");
+    process.exit(1);
+  }
+
+  const redirectUri = `http://127.0.0.1:${addr.port}/callback`;
+  const authorizeUrl = buildAuthorizeUrl(redirectUri, challenge, state);
+
+  const done = new Promise((resolve, reject) => {
+    const timer = setTimeout(() => {
+      reject(new Error("Timed out waiting for browser callback (10 minutes)"));
+    }, 10 * 60_000);
+
+    server.on("request", async (req, res) => {
+      const url = new URL(req.url ?? "/", `http://127.0.0.1:${addr.port}`);
+      if (url.pathname !== "/callback") {
+        res.writeHead(404, { "Content-Type": "text/plain" });
+        res.end("Not found");
+        return;
+      }
+
+      const code = url.searchParams.get("code") ?? "";
+      const returnedState = url.searchParams.get("state") ?? "";
+      const err = url.searchParams.get("error");
+
+      if (err) {
+        res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(`<p>Authorization error: ${err}</p><p>You can close this tab.</p>`);
+        clearTimeout(timer);
+        server.close();
+        reject(new Error(`OAuth error: ${err}`));
+        return;
+      }
+
+      if (!code || returnedState !== state) {
+        res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+        res.end("<p>Invalid callback (missing code or state mismatch).</p>");
+        clearTimeout(timer);
+        server.close();
+        reject(new Error("Invalid OAuth callback"));
+        return;
+      }
+
+      try {
+        const tokens = await postToken(
+          JSON.stringify({
+            grant_type: "authorization_code",
+            client_id: clientId,
+            code,
+            redirect_uri: redirectUri,
+            code_verifier: verifier,
+          }),
+        );
+        await writeCredentials(credPath, tokens);
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(
+          "<p>Connected. You can close this tab and return to the terminal.</p>",
+        );
+        clearTimeout(timer);
+        server.close();
+        resolve(tokens);
+      } catch (e) {
+        res.writeHead(500, { "Content-Type": "text/html; charset=utf-8" });
+        res.end("<p>Token exchange failed. See terminal output.</p>");
+        clearTimeout(timer);
+        server.close();
+        reject(e);
+      }
+    });
+  });
+
+  console.error("Opening browser for Zegazone login…");
+  console.error(`If it does not open, visit:\n${authorizeUrl}\n`);
+  openBrowser(authorizeUrl);
+
+  try {
+    await done;
+    console.error(`Saved credentials to ${credPath}`);
+    console.error("You can start the MCP server; remove ZEGA_ACCESS_TOKEN from mcp.json if you still have it.");
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    console.error(msg);
+    process.exit(1);
+  }
+}
+
+main();