@zoobbe/cli 1.1.0 → 1.2.0

package/README.md

@@ -13,11 +13,10 @@ Requires Node.js 18 or later.
 ## Quick Start
 
 ```bash
-# Authenticate with your API key
-zoobbe auth login --token zb_live_xxxxx
+# Login via browser (recommended)
+zoobbe auth login
 
-# Or point to a self-hosted instance
-zoobbe config set apiUrl https://your-instance.com
+# Or authenticate directly with an API key
 zoobbe auth login --token zb_live_xxxxx
 
 # Set your active workspace
@@ -31,13 +30,35 @@ zoobbe card list --board <board-id>
 
 ## Authentication
 
-Generate an API key from your workspace settings at **Settings > API Keys**, then:
+### Browser Login (Recommended)
+
+Simply run `zoobbe auth login` — the CLI opens your browser where you authorize access. The token is sent back automatically via a secure localhost callback.
+
+```bash
+$ zoobbe auth login
+  Opening browser for authentication...
+  ✓ Logged in as Akash M
+```
+
+If the browser doesn't open or the callback times out after 2 minutes, the CLI falls back to a manual paste prompt.
+
+### Direct Token Login
+
+You can also pass an API key directly. Generate one from **Settings > API Keys** in your workspace:
 
 ```bash
 zoobbe auth login --token zb_live_your_api_key_here
 ```
 
-Check your login status:
+### Self-Hosted Instances
+
+For self-hosted Zoobbe instances, set your API URL first:
+
+```bash
+zoobbe auth login --url https://api.your-instance.com
+```
+
+### Auth Commands
 
 ```bash
 zoobbe auth whoami     # Show current user
@@ -158,15 +179,6 @@ zoobbe b ls              # Same as: zoobbe board list
 zoobbe c ls -b <id>      # Same as: zoobbe card list --board <id>
 ```
 
-## Self-Hosted
-
-For self-hosted Zoobbe instances, set your API URL before logging in:
-
-```bash
-zoobbe config set apiUrl https://your-instance.com
-zoobbe auth login --token zb_live_xxxxx
-```
-
 ## License
 
 MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zoobbe/cli",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Zoobbe CLI - Manage boards, cards, and projects from the terminal",
   "main": "src/index.js",
   "bin": {

package/src/commands/auth.js

@@ -1,10 +1,181 @@
 const { Command } = require('commander');
 const chalk = require('chalk');
+const http = require('http');
+const crypto = require('crypto');
 const inquirer = require('inquirer');
 const config = require('../lib/config');
 const client = require('../lib/client');
 const { success, error, info } = require('../lib/output');
 
+const LOGIN_TIMEOUT = 120_000; // 2 minutes
+
+/**
+ * Start a temporary localhost HTTP server to receive the OAuth callback.
+ * Returns a promise that resolves with the API key token.
+ */
+function waitForCallback(state, webUrl) {
+  return new Promise((resolve, reject) => {
+    let resolved = false;
+    const server = http.createServer((req, res) => {
+      const url = new URL(req.url, `http://127.0.0.1`);
+
+      if (url.pathname !== '/callback') {
+        res.writeHead(404);
+        res.end('Not found');
+        return;
+      }
+
+      // Prevent duplicate callbacks
+      if (resolved) {
+        res.writeHead(400, { 'Content-Type': 'text/html; charset=utf-8' });
+        res.end(errorPage('Already authenticated.'));
+        return;
+      }
+
+      const token = url.searchParams.get('token');
+      const returnedState = url.searchParams.get('state') || '';
+
+      // Timing-safe CSRF state validation
+      const stateMatch = returnedState.length === state.length &&
+        crypto.timingSafeEqual(Buffer.from(returnedState), Buffer.from(state));
+      if (!stateMatch) {
+        res.writeHead(400, { 'Content-Type': 'text/html; charset=utf-8' });
+        res.end(errorPage('State mismatch. Please try logging in again from the CLI.'));
+        return;
+      }
+
+      if (!token || !/^zb_live_[a-zA-Z0-9_\-]{16,}$/.test(token)) {
+        res.writeHead(400, { 'Content-Type': 'text/html; charset=utf-8' });
+        res.end(errorPage('Invalid token received. Please try again.'));
+        return;
+      }
+
+      // Send success page and resolve
+      resolved = true;
+      res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
+      res.end(successPage());
+
+      server.close();
+      resolve(token);
+    });
+
+    // Listen on random available port
+    server.listen(0, '127.0.0.1', () => {
+      const port = server.address().port;
+      const authUrl = `${webUrl}/cli/auth?state=${encodeURIComponent(state)}&port=${port}`;
+
+      info('Opening browser for authentication...');
+      info(`If it doesn't open, visit: ${chalk.underline(authUrl)}`);
+
+      require('open')(authUrl).catch(() => {});
+    });
+
+    server.on('error', (err) => {
+      reject(new Error(`Failed to start auth server: ${err.message}`));
+    });
+
+    // Timeout — shut down and fall back to manual
+    const timeout = setTimeout(() => {
+      server.close();
+      reject(new Error('TIMEOUT'));
+    }, LOGIN_TIMEOUT);
+
+    // Clean up timeout if resolved
+    const origResolve = resolve;
+    resolve = (val) => {
+      clearTimeout(timeout);
+      origResolve(val);
+    };
+  });
+}
+
+function pageStyles() {
+  return `
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: "DM Sans", -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+      display: flex; align-items: center; justify-content: center;
+      min-height: 100vh; background: #181717; color: rgba(255,255,255,0.8);
+    }
+    .card {
+      text-align: center; background: #181717; padding: 48px 40px;
+      border-radius: 12px; border: 1px solid #242526;
+      box-shadow: 0 4px 24px rgba(0,0,0,0.3); max-width: 420px; width: 90%;
+    }
+    .icon { font-size: 48px; margin-bottom: 20px; }
+    .icon-success { color: #10b981; }
+    .icon-error { color: #ef4444; }
+    h1 { font-size: 20px; font-weight: 600; margin: 0 0 8px; }
+    .subtitle { color: #9aa0a6; font-size: 14px; line-height: 1.5; }
+    .hint { color: #6c757d; font-size: 12px; margin-top: 16px; }
+    .brand { color: #0966ff; font-weight: 600; }
+  `;
+}
+
+function successPage() {
+  return `<!DOCTYPE html>
+<html><head><title>Zoobbe CLI — Authorized</title>
+<style>${pageStyles()}</style></head>
+<body>
+<div class="card">
+  <div class="icon icon-success">&#10003;</div>
+  <h1>Authorization Successful</h1>
+  <p class="subtitle">Your CLI is now connected to <span class="brand">Zoobbe</span>.</p>
+  <p class="hint">You can close this tab and return to the terminal.</p>
+</div>
+</body></html>`;
+}
+
+function escapeHtml(str) {
+  return str.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+}
+
+function errorPage(message) {
+  return `<!DOCTYPE html>
+<html><head><title>Zoobbe CLI — Error</title>
+<style>${pageStyles()}</style></head>
+<body>
+<div class="card">
+  <div class="icon icon-error">&#10007;</div>
+  <h1 style="color:#ef4444">Authorization Failed</h1>
+  <p class="subtitle">${escapeHtml(message)}</p>
+  <p class="hint">Please return to the terminal and try again.</p>
+</div>
+</body></html>`;
+}
+
+/**
+ * Verify the API key and store user info.
+ */
+async function verifyAndStore(apiKey) {
+  config.set('apiKey', apiKey);
+
+  const userData = await client.get('/users/me');
+  const user = userData.user || userData.data || userData;
+
+  config.set('userId', user._id || user.id || '');
+  config.set('userName', user.name || user.userName || '');
+  config.set('email', user.email || '');
+
+  return user;
+}
+
+/**
+ * Manual paste fallback when browser callback times out.
+ */
+async function manualLogin() {
+  info('Falling back to manual entry...');
+  const answers = await inquirer.prompt([{
+    type: 'input',
+    name: 'apiKey',
+    message: 'Paste your API key:',
+    validate: v => v.startsWith('zb_live_') ? true : 'Invalid API key format (should start with zb_live_)',
+  }]);
+  return answers.apiKey;
+}
+
+// ─── Commands ────────────────────────────────────────────────
+
 const auth = new Command('auth')
   .description('Authentication commands');
 
@@ -16,47 +187,52 @@ auth
   .action(async (options) => {
     try {
       if (options.url) {
-        config.set('apiUrl', options.url);
+        try {
+          const parsed = new URL(options.url);
+          const isLocal = ['localhost', '127.0.0.1', '::1', '[::1]'].includes(parsed.hostname);
+          if (parsed.protocol !== 'https:' && !isLocal) {
+            return error('API URL must use HTTPS. Only localhost is allowed over HTTP.');
+          }
+          config.set('apiUrl', options.url);
+        } catch {
+          return error('Invalid URL format.');
+        }
       }
 
       let apiKey = options.token;
 
       if (!apiKey) {
-        // Interactive login — open browser for auth
+        // Try automatic browser callback flow
+        const state = crypto.randomBytes(16).toString('hex');
+
+        // Resolve the frontend URL before opening the browser
+        const apiUrl = config.get('apiUrl').replace(/\/$/, '');
+        let webUrl = config.getWebUrl();
         try {
-          const open = require('open');
-          const apiUrl = config.get('apiUrl');
-          const authUrl = `${apiUrl.replace('api.', '')}/cli/auth`;
-          info(`Opening browser for authentication...`);
-          info(`If it doesn't open, visit: ${chalk.underline(authUrl)}`);
-          await open(authUrl);
-        } catch {
-          // open may fail in headless environments
-        }
+          const cfgRes = await fetch(`${apiUrl}/v1/cli/config`);
+          if (cfgRes.ok) {
+            const cfgData = await cfgRes.json();
+            if (cfgData.webUrl) webUrl = cfgData.webUrl;
+          }
+        } catch { /* use derived webUrl as fallback */ }
 
-        const answers = await inquirer.prompt([{
-          type: 'input',
-          name: 'apiKey',
-          message: 'Paste your API key:',
-          validate: v => v.startsWith('zb_live_') ? true : 'Invalid API key format (should start with zb_live_)',
-        }]);
-        apiKey = answers.apiKey;
+        try {
+          apiKey = await waitForCallback(state, webUrl);
+        } catch (err) {
+          if (err.message === 'TIMEOUT') {
+            // Browser flow timed out — fall back to manual paste
+            apiKey = await manualLogin();
+          } else {
+            throw err;
+          }
+        }
       }
 
-      if (!apiKey.startsWith('zb_live_')) {
+      if (!apiKey || !apiKey.startsWith('zb_live_')) {
         return error('Invalid API key format. Keys start with "zb_live_".');
       }
 
-      config.set('apiKey', apiKey);
-
-      // Verify the key works
-      const userData = await client.get('/users/me');
-      const user = userData.user || userData.data || userData;
-
-      config.set('userId', user._id || user.id || '');
-      config.set('userName', user.name || user.userName || '');
-      config.set('email', user.email || '');
-
+      const user = await verifyAndStore(apiKey);
       success(`Logged in as ${chalk.bold(user.name || user.email)}`);
     } catch (err) {
       config.set('apiKey', '');
@@ -107,7 +283,7 @@ auth
   .action(() => {
     const apiKey = config.get('apiKey');
     if (apiKey) {
-      success(`Authenticated (key: ${apiKey.substring(0, 16)}...)`);
+      success(`Authenticated (key: ${apiKey.substring(0, 10)}...)`);
       info(`API URL: ${config.get('apiUrl')}`);
       if (config.get('activeWorkspaceName')) {
         info(`Workspace: ${config.get('activeWorkspaceName')}`);

package/src/commands/board.js

@@ -89,8 +89,7 @@ board
   .action(async (nameOrId) => {
     try {
       const open = require('open');
-      const apiUrl = config.get('apiUrl');
-      const baseUrl = apiUrl.replace('api.', '');
+      const baseUrl = config.getWebUrl();
       const workspaceName = config.get('activeWorkspaceName');
 
       // Try to find the board to get its shortId

package/src/commands/page.js

@@ -67,8 +67,7 @@ page
   .action(async (pageId) => {
     try {
       const open = require('open');
-      const apiUrl = config.get('apiUrl');
-      const baseUrl = apiUrl.replace('api.', '');
+      const baseUrl = config.getWebUrl();
       await open(`${baseUrl}/page/${pageId}`);
       success('Opened page in browser');
     } catch (err) {

package/src/commands/workspace.js

@@ -41,9 +41,10 @@ workspace
   });
 
 workspace
-  .command('switch <nameOrId>')
+  .command('switch <nameOrId...>')
   .description('Set the active workspace')
-  .action(async (nameOrId) => {
+  .action(async (nameOrIdParts) => {
+    const nameOrId = nameOrIdParts.join(' ');
     try {
       const data = await withSpinner('Fetching workspaces...', () =>
         client.get('/workspaces/me')

package/src/lib/client.js

@@ -26,6 +26,12 @@ class ZoobbeClient {
   async request(method, path, body = null) {
     this.ensureAuth();
 
+    // Reject path traversal attempts (check decoded form too)
+    const decoded = decodeURIComponent(path);
+    if (decoded.includes('..') || decoded.includes('//') || /\x00/.test(decoded)) {
+      throw new Error('Invalid request path');
+    }
+
     const url = `${this.baseUrl}/v1${path}`;
     const options = {
       method,

package/src/lib/config.js

@@ -1,13 +1,22 @@
 const Conf = require('conf');
 const path = require('path');
 const os = require('os');
+const fs = require('fs');
+
+const configDir = path.join(os.homedir(), '.zoobbe');
+
+// Ensure config directory exists with restricted permissions (owner-only)
+if (!fs.existsSync(configDir)) {
+  fs.mkdirSync(configDir, { mode: 0o700, recursive: true });
+}
 
 const config = new Conf({
   projectName: 'zoobbe',
-  cwd: path.join(os.homedir(), '.zoobbe'),
+  cwd: configDir,
   schema: {
     apiKey: { type: 'string', default: '' },
     apiUrl: { type: 'string', default: 'https://api.zoobbe.com' },
+    webUrl: { type: 'string', default: '' },
     activeWorkspace: { type: 'string', default: '' },
     activeWorkspaceName: { type: 'string', default: '' },
     format: { type: 'string', enum: ['table', 'json', 'plain'], default: 'table' },
@@ -17,4 +26,31 @@ const config = new Conf({
   },
 });
 
+// Lock down the config file (owner read/write only)
+try {
+  fs.chmodSync(config.path, 0o600);
+} catch {
+  // Ignore if chmod fails (e.g., Windows)
+}
+
+/**
+ * Get the frontend web URL. Uses webUrl config if set,
+ * otherwise derives from apiUrl (api.zoobbe.com → zoobbe.com).
+ */
+config.getWebUrl = function () {
+  const explicit = this.get('webUrl');
+  if (explicit) return explicit.replace(/\/$/, '');
+  const apiUrl = this.get('apiUrl').replace(/\/$/, '');
+  try {
+    const url = new URL(apiUrl);
+    // For production: api.zoobbe.com → zoobbe.com
+    if (url.hostname.startsWith('api.')) {
+      url.hostname = url.hostname.slice(4);
+      return url.toString().replace(/\/$/, '');
+    }
+  } catch { /* ignore */ }
+  // Fallback: return apiUrl as-is (backend /cli/auth redirect handles it)
+  return apiUrl;
+};
+
 module.exports = config;