agent-messenger 2.9.0 → 2.10.1

package/src/platforms/webex/commands/auth.test.ts

@@ -3,7 +3,9 @@ import * as childProcess from 'node:child_process'
 
 import { WebexClient } from '../client'
 import { WebexCredentialManager } from '../credential-manager'
-import { loginAction, logoutAction, statusAction } from './auth'
+import { WebexTokenExtractor } from '../token-extractor'
+import { WebexError } from '../types'
+import { extractAction, loginAction, logoutAction, statusAction } from './auth'
 
 describe('auth commands', () => {
   let consoleSpy: ReturnType<typeof spyOn>
@@ -208,6 +210,125 @@ describe('auth commands', () => {
     })
   })
 
+  describe('extractAction', () => {
+    test('passes deviceUrl and tokenType to client.login', async () => {
+      protoSpy(WebexTokenExtractor.prototype, 'extract').mockResolvedValue({
+        accessToken: 'extracted-token-at-least-twenty-chars',
+        refreshToken: 'refresh-token',
+        expiresAt: Date.now() + 3600000,
+        deviceUrl: 'https://wdm-r.wbx2.com/wdm/api/v1/devices/test-device-id',
+        userId: 'user-1',
+      })
+      const loginSpy = protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
+      protoSpy(WebexCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
+
+      await extractAction({ pretty: false })
+
+      expect(loginSpy).toHaveBeenCalledWith({
+        token: 'extracted-token-at-least-twenty-chars',
+        deviceUrl: 'https://wdm-r.wbx2.com/wdm/api/v1/devices/test-device-id',
+        tokenType: 'extracted',
+      })
+    })
+
+    test('attempts refresh when token is expired', async () => {
+      protoSpy(WebexTokenExtractor.prototype, 'extract').mockResolvedValue({
+        accessToken: 'expired-token-at-least-twenty-chars-',
+        refreshToken: 'valid-refresh-token',
+        expiresAt: Date.now() - 7200000,
+      })
+      const refreshSpy = protoSpy(WebexCredentialManager.prototype, 'refreshToken').mockResolvedValue({
+        accessToken: 'refreshed-token-at-least-twenty-ch',
+        refreshToken: 'new-refresh',
+        expiresAt: Date.now() + 3600000,
+      })
+      const loginSpy = protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
+      protoSpy(WebexCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
+
+      await extractAction({ pretty: false })
+
+      expect(refreshSpy).toHaveBeenCalled()
+      expect(loginSpy).toHaveBeenCalledWith(expect.objectContaining({ token: 'refreshed-token-at-least-twenty-ch' }))
+      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.authenticated).toBe(true)
+      expect(output.refreshed).toBe(true)
+    })
+
+    test('reports expired token with actionable hint when refresh fails', async () => {
+      protoSpy(WebexTokenExtractor.prototype, 'extract').mockResolvedValue({
+        accessToken: 'expired-token-at-least-twenty-chars-',
+        refreshToken: 'bad-refresh-token',
+        expiresAt: Date.now() - 7200000,
+      })
+      protoSpy(WebexCredentialManager.prototype, 'refreshToken').mockResolvedValue(null)
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockRejectedValue(new WebexError('Unauthorized', 'http_401'))
+      const exitSpy = protoSpy(process, 'exit').mockImplementation(() => undefined as never)
+
+      await extractAction({ pretty: false })
+
+      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.error).toContain('expired')
+      expect(output.hint).toContain('web.webex.com')
+      expect(output.hint).toContain('not webex.com')
+      expect(exitSpy).toHaveBeenCalledWith(1)
+    })
+
+    test('rethrows non-auth errors even when token is expired', async () => {
+      protoSpy(WebexTokenExtractor.prototype, 'extract').mockResolvedValue({
+        accessToken: 'expired-token-at-least-twenty-chars-',
+        refreshToken: 'bad-refresh-token',
+        expiresAt: Date.now() - 7200000,
+      })
+      protoSpy(WebexCredentialManager.prototype, 'refreshToken').mockResolvedValue(null)
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockRejectedValue(new Error('Network error'))
+      protoSpy(process, 'exit').mockImplementation(() => undefined as never)
+
+      await extractAction({ pretty: false })
+
+      const lastCall = consoleErrorSpy.mock.calls[consoleErrorSpy.mock.calls.length - 1]?.[0] as string | undefined
+      if (lastCall) {
+        const output = JSON.parse(lastCall)
+        expect(output.error).toContain('Network error')
+      }
+    })
+
+    test('rethrows non-expiry auth errors', async () => {
+      protoSpy(WebexTokenExtractor.prototype, 'extract').mockResolvedValue({
+        accessToken: 'valid-token-at-least-twenty-chars-xx',
+        expiresAt: Date.now() + 3600000,
+      })
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockRejectedValue(new Error('Network error'))
+      protoSpy(process, 'exit').mockImplementation(() => undefined as never)
+
+      await extractAction({ pretty: false })
+
+      const lastCall = consoleErrorSpy.mock.calls[consoleErrorSpy.mock.calls.length - 1]?.[0] as string | undefined
+      if (lastCall) {
+        const output = JSON.parse(lastCall)
+        expect(output.error).toContain('Network error')
+      }
+    })
+
+    test('outputs no token found when extract returns null', async () => {
+      protoSpy(WebexTokenExtractor.prototype, 'extract').mockResolvedValue(null)
+      const exitSpy = protoSpy(process, 'exit').mockImplementation(() => undefined as never)
+
+      await extractAction({ pretty: false })
+
+      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.error).toContain('No Webex token found')
+      expect(exitSpy).toHaveBeenCalledWith(1)
+    })
+  })
+
   describe('logoutAction', () => {
     test('clears credentials when authenticated', async () => {
       protoSpy(WebexCredentialManager.prototype, 'loadConfig').mockResolvedValue({

package/src/platforms/webex/commands/auth.ts

@@ -8,6 +8,7 @@ import { getWebexAppCredentials } from '../app-config'
 import { WebexClient } from '../client'
 import { WebexCredentialManager } from '../credential-manager'
 import { WebexTokenExtractor } from '../token-extractor'
+import { WebexError } from '../types'
 
 interface ResolvedCredentials {
   clientId: string
@@ -142,7 +143,8 @@ export async function statusAction(options: { pretty?: boolean }): Promise<void>
 
 export async function extractAction(options: { pretty?: boolean; debug?: boolean }): Promise<void> {
   try {
-    const extractor = new WebexTokenExtractor(undefined, options.debug ? (msg) => debug(`[debug] ${msg}`) : undefined)
+    const debugLog = options.debug ? (msg: string) => debug(`[debug] ${msg}`) : undefined
+    const extractor = new WebexTokenExtractor(undefined, debugLog)
 
     if (options.debug) {
       debug('[debug] Searching browser profiles for Webex tokens...')
@@ -155,7 +157,7 @@ export async function extractAction(options: { pretty?: boolean; debug?: boolean
         formatOutput(
           {
             error:
-              'No Webex token found in any browser. Make sure you are logged in to web.webex.com in Chrome, Edge, Arc, or Brave.',
+              'No Webex token found in any browser. Make sure you are logged in at https://web.webex.com (not webex.com) in Chrome, Edge, Arc, or Brave.',
             hint: 'Run "auth login" for OAuth Device Grant flow, or --debug for more info.',
           },
           options.pretty,
@@ -165,30 +167,83 @@ export async function extractAction(options: { pretty?: boolean; debug?: boolean
       return
     }
 
-    const client = await new WebexClient().login({ token: extracted.accessToken })
-    const person = await client.testAuth()
+    const isExpired = extracted.expiresAt != null && extracted.expiresAt > 0 && extracted.expiresAt < Date.now()
+    if (isExpired && options.debug) {
+      const agoMs = Date.now() - extracted.expiresAt!
+      const agoHours = Math.round(agoMs / 3_600_000)
+      debugLog?.(`Token expired ${agoHours > 0 ? `${agoHours}h ago` : 'recently'}.`)
+    }
+
+    let activeToken = extracted.accessToken
+    let refreshedConfig: { accessToken: string; refreshToken: string; expiresAt: number } | null = null
+
+    if (isExpired && extracted.refreshToken) {
+      debugLog?.('Attempting token refresh...')
+      const credManager = new WebexCredentialManager()
+      const { clientId, clientSecret } = getWebexAppCredentials()
+      refreshedConfig = await credManager.refreshToken(extracted.refreshToken, clientId, clientSecret)
+      if (refreshedConfig) {
+        debugLog?.('Token refreshed successfully.')
+        activeToken = refreshedConfig.accessToken
+      } else {
+        debugLog?.('Token refresh failed. Will attempt validation with expired token.')
+      }
+    }
+
+    const client = await new WebexClient().login({
+      token: activeToken,
+      deviceUrl: extracted.deviceUrl,
+      tokenType: 'extracted',
+    })
+
+    let person: { id: string; displayName: string; emails: string[] } | null = null
+    try {
+      const result = await client.testAuth()
+      if (result.id) {
+        person = { id: result.id, displayName: result.displayName, emails: result.emails }
+      }
+    } catch (authError) {
+      const isAuthFailure =
+        authError instanceof WebexError && (authError.code === 'http_401' || authError.code === 'http_403')
+      if (isExpired && isAuthFailure) {
+        console.log(
+          formatOutput(
+            {
+              error: 'Extracted browser token is expired and could not be refreshed.',
+              hint: 'Log in at https://web.webex.com (not webex.com) in your browser, then run "auth extract" again. Or use "auth login" for OAuth Device Grant flow.',
+            },
+            options.pretty,
+          ),
+        )
+        process.exit(1)
+        return
+      }
+      throw authError
+    }
 
     const credManager = new WebexCredentialManager()
     await credManager.saveConfig({
-      accessToken: extracted.accessToken,
-      refreshToken: extracted.refreshToken ?? '',
-      expiresAt: extracted.expiresAt ?? 0,
+      accessToken: activeToken,
+      refreshToken: refreshedConfig?.refreshToken ?? extracted.refreshToken ?? '',
+      expiresAt: refreshedConfig?.expiresAt ?? extracted.expiresAt ?? 0,
       tokenType: 'extracted',
       deviceUrl: extracted.deviceUrl,
       userId: extracted.userId,
       encryptionKeys: extracted.encryptionKeys ? Object.fromEntries(extracted.encryptionKeys) : undefined,
     })
 
-    console.log(
-      formatOutput(
-        {
-          user: { id: person.id, displayName: person.displayName, emails: person.emails },
-          authenticated: true,
-          tokenType: 'extracted',
-        },
-        options.pretty,
-      ),
-    )
+    const output: Record<string, unknown> = {
+      authenticated: true,
+      tokenType: 'extracted',
+    }
+    if (refreshedConfig) {
+      output['refreshed'] = true
+    }
+    if (person) {
+      output['user'] = person
+    }
+
+    console.log(formatOutput(output, options.pretty))
   } catch (error) {
     handleError(error as Error)
   }

package/src/platforms/webex/credential-manager.test.ts

@@ -291,6 +291,69 @@ describe('WebexCredentialManager', () => {
     expect(loaded?.clientSecret).toBe('my-client-secret')
   })
 
+  test('getToken tries refresh for expired extracted tokens', async () => {
+    const originalFetch = globalThis.fetch
+    globalThis.fetch = mock(() =>
+      Promise.resolve(
+        new Response(
+          JSON.stringify({
+            access_token: 'refreshed-extracted-token',
+            refresh_token: 'new-refresh',
+            expires_in: 3600,
+          }),
+          { status: 200 },
+        ),
+      ),
+    ) as typeof fetch
+
+    await credManager.saveConfig({
+      accessToken: 'expired-extracted-token',
+      refreshToken: 'extracted-refresh',
+      expiresAt: Date.now() - 1000,
+      tokenType: 'extracted',
+    })
+
+    const token = await credManager.getToken()
+    expect(token).toBe('refreshed-extracted-token')
+
+    const config = await credManager.loadConfig()
+    expect(config?.tokenType).toBe('extracted')
+    expect(config?.accessToken).toBe('refreshed-extracted-token')
+
+    globalThis.fetch = originalFetch
+  })
+
+  test('getToken returns expired extracted token when refresh fails', async () => {
+    const originalFetch = globalThis.fetch
+    globalThis.fetch = mock(() =>
+      Promise.resolve(new Response('{"error":"invalid_grant"}', { status: 400 })),
+    ) as typeof fetch
+
+    await credManager.saveConfig({
+      accessToken: 'expired-extracted-token',
+      refreshToken: 'bad-refresh',
+      expiresAt: Date.now() - 1000,
+      tokenType: 'extracted',
+    })
+
+    const token = await credManager.getToken()
+    expect(token).toBe('expired-extracted-token')
+
+    globalThis.fetch = originalFetch
+  })
+
+  test('getToken returns non-expired extracted token without refresh', async () => {
+    await credManager.saveConfig({
+      accessToken: 'valid-extracted-token',
+      refreshToken: 'refresh',
+      expiresAt: Date.now() + 3600000,
+      tokenType: 'extracted',
+    })
+
+    const token = await credManager.getToken()
+    expect(token).toBe('valid-extracted-token')
+  })
+
   test('loadConfig backward compat — old config without clientId/clientSecret', async () => {
     // Write raw JSON without clientId/clientSecret fields
     const credPath = join(tempDir, 'webex-credentials.json')

package/src/platforms/webex/credential-manager.ts

@@ -45,16 +45,33 @@ export class WebexCredentialManager {
     const config = await this.loadConfig()
     if (!config) return null
 
-    if (config.tokenType === 'manual' || config.tokenType === 'extracted') {
+    if (config.tokenType === 'manual') {
       return config.accessToken
     }
 
-    if (config.expiresAt < Date.now() + 5 * 60 * 1000) {
+    const isExpired = config.expiresAt > 0 && config.expiresAt < Date.now() + 5 * 60 * 1000
+
+    if (config.tokenType === 'extracted') {
+      if (isExpired && config.refreshToken) {
+        const builtinCreds = getWebexAppCredentials()
+        const refreshed = await this.refreshToken(config.refreshToken, builtinCreds.clientId, builtinCreds.clientSecret)
+        if (refreshed) {
+          await this.saveConfig({ ...config, ...refreshed, tokenType: 'extracted' })
+          return refreshed.accessToken
+        }
+      }
+      return config.accessToken
+    }
+
+    if (isExpired) {
       const builtinCreds = getWebexAppCredentials()
       const resolvedClientId = clientId ?? config.clientId ?? builtinCreds.clientId
       const resolvedClientSecret = clientSecret ?? config.clientSecret ?? builtinCreds.clientSecret
       const refreshed = await this.refreshToken(config.refreshToken, resolvedClientId, resolvedClientSecret)
-      if (refreshed) return refreshed.accessToken
+      if (refreshed) {
+        await this.saveConfig({ ...config, ...refreshed })
+        return refreshed.accessToken
+      }
       return null
     }
 
@@ -82,14 +99,11 @@ export class WebexCredentialManager {
         expires_in: number
       }
 
-      const config: WebexConfig = {
+      return {
         accessToken: data.access_token,
         refreshToken: data.refresh_token,
         expiresAt: Date.now() + data.expires_in * 1000,
-      }
-
-      await this.saveConfig(config)
-      return config
+      } satisfies Pick<WebexConfig, 'accessToken' | 'refreshToken' | 'expiresAt'>
     } catch {
       return null
     }

package/src/platforms/webex/encryption.test.ts

@@ -0,0 +1,54 @@
+import { describe, expect, test } from 'bun:test'
+
+import * as jose from 'node-jose'
+
+import { WebexEncryptionService } from './encryption'
+
+const decodeJweHeader = (jwe: string): Record<string, unknown> => {
+  const [header = ''] = jwe.split('.')
+  const padded = header + '='.repeat((4 - (header.length % 4)) % 4)
+  const json = Buffer.from(padded, 'base64url').toString('utf8')
+  return JSON.parse(json) as Record<string, unknown>
+}
+
+const createKeyring = async (keyUri: string) => {
+  const keystore = jose.JWK.createKeyStore()
+  const key = await keystore.generate('oct', 256, { alg: 'A256GCM' })
+  const jwk = key.toJSON(true)
+  const rawKeys = new Map<string, string>()
+  rawKeys.set(keyUri, JSON.stringify({ jwk }))
+  return new WebexEncryptionService(rawKeys)
+}
+
+describe('WebexEncryptionService', () => {
+  const keyUri = 'kms://kms-aore.wbx2.com/keys/7819829b-5e0d-4139-9cad-1b6fe7aee533'
+
+  test('encryptText emits JWE with alg, enc, and kid JOSE headers', async () => {
+    const service = await createKeyring(keyUri)
+
+    const jwe = await service.encryptText(keyUri, 'hello world')
+
+    expect(jwe).not.toBeNull()
+    const header = decodeJweHeader(jwe as string)
+    expect(header.alg).toBe('dir')
+    expect(header.enc).toBe('A256GCM')
+    expect(header.kid).toBe(keyUri)
+  })
+
+  test('encryptText returns null when key is unknown', async () => {
+    const service = await createKeyring(keyUri)
+
+    const jwe = await service.encryptText('kms://other/keys/missing', 'hello')
+
+    expect(jwe).toBeNull()
+  })
+
+  test('decryptText round-trips plaintext encrypted by encryptText', async () => {
+    const service = await createKeyring(keyUri)
+
+    const jwe = await service.encryptText(keyUri, 'round trip')
+    const plaintext = await service.decryptText(keyUri, jwe as string)
+
+    expect(plaintext).toBe('round trip')
+  })
+})

package/src/platforms/webex/encryption.ts

@@ -30,9 +30,11 @@ export class WebexEncryptionService {
     if (!key) return null
 
     try {
+      // Webex desktop/web clients auto-tombstone edit activities whose JWE is missing
+      // `kid` — they can't resolve the KMS key and treat the activity as malformed.
       return await jose.JWE.createEncrypt(
         { format: 'compact', contentAlg: 'A256GCM' },
-        { key, header: { alg: 'dir' }, reference: null },
+        { key, header: { alg: 'dir', kid: keyUri }, reference: null },
       ).final(plaintext, 'utf8')
     } catch {
       return null

package/src/platforms/webex/ensure-auth.ts

@@ -11,7 +11,11 @@ export async function ensureWebexAuth(): Promise<void> {
       const token = await credManager.getToken(config.clientId, config.clientSecret)
       if (token) {
         const client = new WebexClient()
-        await client.login({ token })
+        await client.login({
+          token,
+          deviceUrl: config.deviceUrl,
+          tokenType: config.tokenType,
+        })
         await client.testAuth()
         return
       }
@@ -22,7 +26,11 @@ export async function ensureWebexAuth(): Promise<void> {
     if (!extracted) return
 
     const client = new WebexClient()
-    await client.login({ token: extracted.accessToken })
+    await client.login({
+      token: extracted.accessToken,
+      deviceUrl: extracted.deviceUrl,
+      tokenType: 'extracted',
+    })
     await client.testAuth()
 
     await credManager.saveConfig({

package/src/platforms/webex/token-extractor.test.ts

@@ -216,12 +216,41 @@ describe('WebexTokenExtractor', () => {
       expect(result).not.toBeNull()
     })
 
-    test('returns first valid token and stops scanning', async () => {
+    test('prefers token with latest expiry across profiles', async () => {
       const dir1 = createLevelDBDir(tempDir, 'Default')
       const dir2 = createLevelDBDir(tempDir, 'Profile 1')
 
-      const token1 = makeWebexStorageJson({ accessToken: 'first-valid-token-longer-than-twenty-chars' })
-      const token2 = makeWebexStorageJson({ accessToken: 'second-valid-token-longer-than-twenty-chars' })
+      const expiredToken = makeWebexStorageJson({
+        accessToken: 'expired-token-longer-than-twenty-chars-xx',
+        expires: Date.now() - 3600000,
+      })
+      const freshToken = makeWebexStorageJson({
+        accessToken: 'fresh-token-longer-than-twenty-chars-xxx',
+        expires: Date.now() + 3600000,
+      })
+
+      writeFileSync(join(dir1, '000003.log'), expiredToken)
+      writeFileSync(join(dir2, '000003.log'), freshToken)
+
+      const extractor = new WebexTokenExtractor('darwin', undefined, tempDir)
+      const result = await extractor.extract()
+
+      expect(result!.accessToken).toBe('fresh-token-longer-than-twenty-chars-xxx')
+    })
+
+    test('returns first token when all have same expiry', async () => {
+      const dir1 = createLevelDBDir(tempDir, 'Default')
+      const dir2 = createLevelDBDir(tempDir, 'Profile 1')
+
+      const expires = Date.now() + 3600000
+      const token1 = makeWebexStorageJson({
+        accessToken: 'first-valid-token-longer-than-twenty-chars',
+        expires,
+      })
+      const token2 = makeWebexStorageJson({
+        accessToken: 'second-valid-token-longer-than-twenty-chars',
+        expires,
+      })
 
       writeFileSync(join(dir1, '000003.log'), token1)
       writeFileSync(join(dir2, '000003.log'), token2)

package/src/platforms/webex/token-extractor.ts

@@ -160,25 +160,46 @@ export class WebexTokenExtractor {
       return null
     }
 
+    let best: { token: ExtractedWebexToken; source: string } | null = null
+
     for (const leveldbDir of profileDirs) {
       this.debug(`Scanning: ${leveldbDir}`)
 
       const result = (await this.scanViaClassicLevelCopy(leveldbDir)) ?? this.scanRawFiles(leveldbDir)
 
       if (result?.token) {
-        this.debug(`Found token in: ${leveldbDir}`)
-
         const token = result.token
         if (result.encryptionKeys.size > 0) {
           token.encryptionKeys = result.encryptionKeys
         }
 
-        return token
+        this.debug(
+          `Found token in: ${leveldbDir} (expires: ${token.expiresAt ? new Date(token.expiresAt).toISOString() : 'unknown'}, length: ${token.accessToken.length})`,
+        )
+
+        if (!best || this.isTokenFresher(token, best.token)) {
+          best = { token, source: leveldbDir }
+        }
       }
     }
 
-    this.debug('No Webex tokens found in any browser profile')
-    return null
+    if (!best) {
+      this.debug('No Webex tokens found in any browser profile')
+      return null
+    }
+
+    this.debug(`Selected token from: ${best.source}`)
+    return best.token
+  }
+
+  private isTokenFresher(candidate: ExtractedWebexToken, current: ExtractedWebexToken): boolean {
+    const candidateExpiry = candidate.expiresAt ?? 0
+    const currentExpiry = current.expiresAt ?? 0
+    if (candidateExpiry > 0 && currentExpiry > 0) {
+      return candidateExpiry > currentExpiry
+    }
+    if (candidateExpiry > 0 && currentExpiry === 0) return true
+    return false
   }
 
   private async scanViaClassicLevelCopy(dbPath: string): Promise<ScanResult | null> {