@zibby/cli 0.1.5

package/src/auth/cli-login.js

@@ -0,0 +1,406 @@
+/**
+ * CLI Login Flow
+ * Implements OAuth device flow for CLI authentication
+ */
+
+import chalk from 'chalk';
+import ora from 'ora';
+import { spawn } from 'child_process';
+import { getApiUrl } from '../config/environments.js';
+import { 
+  saveSessionToken, 
+  saveUserInfo, 
+  getSessionToken, 
+  getUserInfo,
+  clearSession 
+} from '../config/config.js';
+
+/**
+ * Open URL in default browser (safe: no shell interpolation)
+ */
+function openBrowser(url) {
+  const platform = process.platform;
+  
+  try {
+    let cmd, args;
+    if (platform === 'darwin') {
+      cmd = 'open';
+      args = [url];
+    } else if (platform === 'win32') {
+      cmd = 'cmd';
+      args = ['/c', 'start', '', url];
+    } else {
+      cmd = 'xdg-open';
+      args = [url];
+    }
+    spawn(cmd, args, { detached: true, stdio: 'ignore' }).unref();
+    return true;
+  } catch (_error) {
+    return false;
+  }
+}
+
+/**
+ * Check if user is already logged in
+ */
+export function checkExistingSession() {
+  const token = getSessionToken();
+  const user = getUserInfo();
+  
+  if (token && user) {
+    return { loggedIn: true, user, token };
+  }
+  
+  return { loggedIn: false };
+}
+
+/**
+ * Initiate CLI login flow
+ */
+export async function loginCli() {
+  try {
+    console.log(chalk.cyan('\n🔐 Initiating login...\n'));
+
+    // Check if already logged in
+    const existingSession = checkExistingSession();
+    if (existingSession.loggedIn) {
+      console.log(chalk.green('✅ Already logged in!'));
+      console.log(chalk.gray(`User: ${existingSession.user.email}`));
+      console.log(chalk.gray(`Name: ${existingSession.user.name}\n`));
+      
+      // Ask if user wants to continue with existing session
+      const { createInterface } = await import('readline');
+      const rl = createInterface({
+        input: process.stdin,
+        output: process.stdout,
+      });
+      
+      return new Promise((resolve, reject) => {
+        // Handle Ctrl+C gracefully
+        const cleanup = () => {
+          rl.close();
+          if (process.stdin.isTTY) {
+            process.stdin.setRawMode(false);
+          }
+        };
+        
+        const sigintHandler = () => {
+          console.log(chalk.yellow('\n\n⚠️  Login cancelled\n'));
+          cleanup();
+          process.exit(0);
+        };
+        
+        process.on('SIGINT', sigintHandler);
+        
+        rl.question(chalk.yellow('Continue with this session? (Y/n): '), async (answer) => {
+          process.removeListener('SIGINT', sigintHandler);
+          cleanup();
+          
+          try {
+            if (answer.toLowerCase() === 'n' || answer.toLowerCase() === 'no') {
+              console.log(chalk.gray('Starting new login...\n'));
+              const result = await performLogin();
+              resolve(result);
+            } else {
+              console.log(chalk.green('Using existing session.\n'));
+              resolve({ success: true, ...existingSession });
+            }
+          } catch (err) {
+            reject(err);
+          }
+        });
+      });
+    }
+
+    // No existing session, start login flow
+    return await performLogin();
+  } catch (err) {
+    console.error(chalk.red('\n❌ Login failed:', err.message));
+    return { success: false, error: err.message };
+  }
+}
+
+/**
+ * Perform the actual login flow
+ */
+async function performLogin() {
+  const apiUrl = getApiUrl();
+    // Step 1: Request device code from backend
+    const spinner = ora('Requesting login code...').start();
+    
+    const initResponse = await fetch(`${apiUrl}/cli/login/initiate`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+    });
+
+    if (!initResponse.ok) {
+      spinner.fail('Failed to request login code');
+      const errorData = await initResponse.json();
+      throw new Error(errorData.error || 'Failed to initiate login');
+    }
+
+    const { deviceCode, userCode: _userCode, verificationUrl, expiresIn, interval } = await initResponse.json();
+    spinner.succeed('Login code generated');
+
+    // Step 2: Display instructions to user
+    console.log('');
+    console.log(chalk.cyan('╔════════════════════════════════════════╗'));
+    console.log(chalk.cyan('║') + chalk.white.bold('     Complete login in your browser     ') + chalk.cyan('║'));
+    console.log(chalk.cyan('╚════════════════════════════════════════╝'));
+    console.log('');
+    console.log(chalk.white('Opening browser to login page...'));
+    console.log(chalk.gray(`Code expires in ${Math.floor(expiresIn / 60)} minutes`));
+    console.log('');
+
+    // Step 3: Open browser to /connect page with device code
+    const opened = await openBrowser(verificationUrl);
+    if (!opened) {
+      console.log(chalk.yellow('⚠️  Could not open browser automatically.'));
+      console.log(chalk.white('Please open this URL manually: ') + chalk.blue(verificationUrl));
+      console.log('');
+    }
+
+    // Step 4: Poll for authorization
+    const pollSpinner = ora('Waiting for authorization...').start();
+    
+    const pollInterval = (interval || 3) * 1000;
+    const maxAttempts = Math.floor(expiresIn / (interval || 3));
+    let attempts = 0;
+    let cancelled = false;
+
+    // Handle Ctrl+C during polling
+    const sigintHandler = () => {
+      cancelled = true;
+      pollSpinner.stop();
+      console.log(chalk.yellow('\n\n⚠️  Login cancelled\n'));
+      process.exit(0);
+    };
+    
+    process.on('SIGINT', sigintHandler);
+
+    try {
+      while (attempts < maxAttempts && !cancelled) {
+        await sleep(pollInterval);
+        attempts++;
+
+        const pollResponse = await fetch(`${apiUrl}/cli/login/poll`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ deviceCode }),
+        });
+
+        if (pollResponse.status === 202) {
+          continue;
+        }
+
+        if (!pollResponse.ok) {
+          pollSpinner.fail('Authorization failed');
+          const errorData = await pollResponse.json();
+          throw new Error(errorData.error || 'Authorization failed');
+        }
+
+        const result = await pollResponse.json();
+
+        if (result.status === 'authorized') {
+          pollSpinner.succeed(chalk.white('Authorization successful!'));
+          
+          // Save session locally
+          saveSessionToken(result.token);
+          saveUserInfo(result.user);
+
+          console.log('');
+          console.log(chalk.gray(`User: ${result.user.email}`));
+          console.log(chalk.gray(`Session saved to: ~/.zibby/config.json\n`));
+
+          return { 
+            success: true, 
+            loggedIn: true, 
+            user: result.user, 
+            token: result.token 
+          };
+        }
+
+        if (result.status === 'denied') {
+          pollSpinner.fail('Authorization denied');
+          throw new Error('User denied authorization');
+        }
+      }
+
+      pollSpinner.fail('Login timeout');
+      throw new Error('Login timed out - please try again');
+    } finally {
+      process.removeListener('SIGINT', sigintHandler);
+    }
+}
+
+/**
+ * Logout - clear saved session
+ */
+export function logoutCli() {
+  const existingSession = checkExistingSession();
+  
+  if (!existingSession.loggedIn) {
+    console.log(chalk.yellow('\n⚠️  Not logged in.\n'));
+    return;
+  }
+
+  clearSession();
+  console.log(chalk.green('✔') + chalk.white(' Logged out successfully!'));
+  console.log(chalk.gray('Session cleared from ~/.zibby/config.json\n'));
+}
+
+/**
+ * Show current login status with detailed information
+ */
+export async function showLoginStatus(options = {}) {
+  const existingSession = checkExistingSession();
+  const envToken = process.env.ZIBBY_USER_TOKEN;
+  const apiUrl = getApiUrl();
+  const token = envToken || existingSession.token;
+
+  // JSON output for scripts
+  if (options.json) {
+    const status = {
+      authenticated: !!(existingSession.loggedIn || envToken),
+      user: existingSession.user || null,
+      tokenSource: envToken ? 'environment' : (existingSession.token ? 'session' : null),
+      tokenType: envToken ? 'PAT' : (existingSession.token ? 'JWT' : null),
+      apiUrl,
+      configPath: existingSession.loggedIn ? '~/.zibby/config.json' : null
+    };
+
+    // Verify token
+    if (token) {
+      try {
+        const fetch = (await import('node-fetch')).default;
+        const response = await fetch(`${apiUrl}/projects`, {
+          headers: { 'Authorization': `Bearer ${token}` }
+        });
+        
+        status.tokenValid = response.ok;
+        if (response.ok) {
+          const data = await response.json();
+          status.projectCount = (data.projects || []).length;
+        }
+      } catch (error) {
+        status.tokenValid = false;
+        status.error = error.message;
+      }
+    } else {
+      status.tokenValid = false;
+    }
+
+    console.log(JSON.stringify(status, null, 2));
+    return;
+  }
+
+  // Human-readable output
+  console.log('');
+  
+  if (!existingSession.loggedIn && !envToken) {
+    console.log(chalk.yellow('⚠️  Not authenticated'));
+    console.log('');
+    console.log(chalk.white('To authenticate:'));
+    console.log(chalk.gray('  Local:  zibby login'));
+    console.log(chalk.gray('  CI/CD:  Set ZIBBY_USER_TOKEN env variable\n'));
+    return;
+  }
+
+  console.log(chalk.green('✅ Authenticated'));
+  console.log('');
+  
+  // User Details
+  console.log(chalk.bold.white('User Details:'));
+  if (existingSession.user) {
+    console.log(chalk.gray(`  Email:     ${existingSession.user.email}`));
+    if (existingSession.user.userId) {
+      console.log(chalk.gray(`  User ID:   ${existingSession.user.userId}`));
+    }
+    if (existingSession.user.name) {
+      console.log(chalk.gray(`  Name:      ${existingSession.user.name}`));
+    }
+  } else if (envToken) {
+    console.log(chalk.gray('  (User details not available with PAT token)'));
+  }
+  console.log('');
+  
+  // Token Source
+  console.log(chalk.bold.white('Token Source:'));
+  if (envToken) {
+    console.log(chalk.gray('  Type:      Personal Access Token (PAT)'));
+    console.log(chalk.gray('  Location:  ZIBBY_USER_TOKEN environment variable'));
+    console.log(chalk.gray(`  Preview:   ${envToken.substring(0, 8)}••••`));
+  } else {
+    console.log(chalk.gray('  Type:      Session Token (JWT)'));
+    console.log(chalk.gray('  Location:  ~/.zibby/config.json'));
+    if (existingSession.token) {
+      console.log(chalk.gray(`  Preview:   ${existingSession.token.substring(0, 8)}••••`));
+    }
+  }
+  console.log('');
+  
+  // Verify token by fetching projects
+  if (token) {
+    try {
+      const oraSpinner = (await import('ora')).default;
+      const fetch = (await import('node-fetch')).default;
+      
+      const spinner = oraSpinner('Verifying authentication...').start();
+      
+      const response = await fetch(`${apiUrl}/projects`, {
+        headers: {
+          'Authorization': `Bearer ${token}`,
+        },
+      });
+      
+      if (response.ok) {
+        const data = await response.json();
+        const projectCount = (data.projects || []).length;
+        spinner.succeed(chalk.white('Token verified'));
+        console.log(chalk.gray(`  Projects:  ${projectCount} accessible`));
+      } else {
+        spinner.fail(chalk.white('Token verification failed'));
+        console.log(chalk.yellow(`  Status:    Invalid or expired (HTTP ${response.status})`));
+      }
+    } catch (error) {
+      console.log(chalk.yellow(`  Status:    Could not verify (${error.message})`));
+    }
+  }
+  
+  console.log('');
+  console.log(chalk.gray('💡 Run \'zibby list\' to see your projects'));
+  console.log('');
+}
+
+/**
+ * Validate current session token
+ */
+export async function validateSession() {
+  const token = getSessionToken();
+  if (!token) {
+    return { valid: false };
+  }
+
+  const apiUrl = getApiUrl();
+
+  try {
+    // Try to make an authenticated request to verify token
+    const response = await fetch(`${apiUrl}/projects`, {
+      headers: { Authorization: `Bearer ${token}` },
+    });
+
+    if (response.ok) {
+      return { valid: true };
+    }
+
+    // Token invalid or expired, clear it
+    clearSession();
+    return { valid: false };
+  } catch {
+    return { valid: false };
+  }
+}
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}