alpic 0.0.0-dev.ff063bb → 0.0.0-dev.ff13ae5

package/dist/lib/archive.js

@@ -1,11 +1,11 @@
 import { execSync } from "node:child_process";
 import { existsSync, mkdtempSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
-import { join, resolve } from "node:path";
+import { join } from "node:path";
 import { create as tarCreate } from "tar";
 const GIT_FILES_MAX_BUFFER = 10 * 1024 * 1024;
-function isGitRepository(dir) {
-    return existsSync(join(resolve(dir), ".git"));
+function isGitRepository() {
+    return existsSync(join(process.cwd(), ".git"));
 }
 export function ensureGitAvailable() {
     try {
@@ -15,10 +15,8 @@ export function ensureGitAvailable() {
         throw new Error("Git is required to deploy. Please install git and ensure it is available in your PATH.");
     }
 }
-export function getGitFiles(deployDir) {
-    const dir = resolve(deployDir);
+export function getGitFiles() {
     const output = execSync("git ls-files -z --cached --others --exclude-standard -- .", {
-        cwd: dir,
         encoding: "utf8",
         maxBuffer: GIT_FILES_MAX_BUFFER,
     });
@@ -28,27 +26,25 @@ export function getGitFiles(deployDir) {
     }
     return files;
 }
-export function getFilesToPack(deployDir) {
-    const dir = resolve(deployDir);
-    if (isGitRepository(dir)) {
-        return getGitFiles(deployDir);
+export function getFilesToPack() {
+    if (isGitRepository()) {
+        return getGitFiles();
     }
     ensureGitAvailable();
-    execSync("git init", { cwd: dir });
+    execSync("git init", { stdio: "ignore" });
     try {
-        return getGitFiles(deployDir);
+        return getGitFiles();
     }
     finally {
-        rmSync(join(dir, ".git"), { recursive: true });
+        rmSync(join(process.cwd(), ".git"), { recursive: true, force: true });
     }
 }
-export async function createTarArchive(files, deployDir) {
+export async function createTarArchive(files) {
     const tmpDir = mkdtempSync(join(tmpdir(), "alpic-deploy-"));
     const archivePath = join(tmpDir, "source.tar.gz");
     await tarCreate({
         gzip: true,
         file: archivePath,
-        cwd: deployDir,
     }, files);
     return { tmpDir, archivePath };
 }

package/dist/lib/archive.js.map

@@ -1 +1 @@
-{"version":3,"file":"archive.js","sourceRoot":"","sources":["../../src/lib/archive.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,MAAM,IAAI,SAAS,EAAE,MAAM,KAAK,CAAC;AAE1C,MAAM,oBAAoB,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AAE9C,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,IAAI,CAAC;QACH,QAAQ,CAAC,eAAe,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,wFAAwF,CAAC,CAAC;IAC5G,CAAC;AACH,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,SAAiB;IAC3C,MAAM,GAAG,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,QAAQ,CAAC,2DAA2D,EAAE;QACnF,GAAG,EAAE,GAAG;QACR,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,oBAAoB;KAChC,CAAC,CAAC;IACH,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACjD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,+FAA+F,CAAC,CAAC;IACnH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,SAAiB;IAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IAC/B,IAAI,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO,WAAW,CAAC,SAAS,CAAC,CAAC;IAChC,CAAC;IACD,kBAAkB,EAAE,CAAC;IACrB,QAAQ,CAAC,UAAU,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;IACnC,IAAI,CAAC;QACH,OAAO,WAAW,CAAC,SAAS,CAAC,CAAC;IAChC,CAAC;YAAS,CAAC;QACT,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAe,EAAE,SAAiB;IACvE,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,eAAe,CAAC,CAAC,CAAC;IAC5D,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAClD,MAAM,SAAS,CACb;QACE,IAAI,EAAE,IAAI;QACV,IAAI,EAAE,WAAW;QACjB,GAAG,EAAE,SAAS;KACf,EACD,KAAK,CACN,CAAC;IACF,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;AACjC,CAAC"}
+{"version":3,"file":"archive.js","sourceRoot":"","sources":["../../src/lib/archive.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,IAAI,SAAS,EAAE,MAAM,KAAK,CAAC;AAE1C,MAAM,oBAAoB,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AAE9C,SAAS,eAAe;IACtB,OAAO,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,IAAI,CAAC;QACH,QAAQ,CAAC,eAAe,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,wFAAwF,CAAC,CAAC;IAC5G,CAAC;AACH,CAAC;AAED,MAAM,UAAU,WAAW;IACzB,MAAM,MAAM,GAAG,QAAQ,CAAC,2DAA2D,EAAE;QACnF,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,oBAAoB;KAChC,CAAC,CAAC;IACH,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACjD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,+FAA+F,CAAC,CAAC;IACnH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,IAAI,eAAe,EAAE,EAAE,CAAC;QACtB,OAAO,WAAW,EAAE,CAAC;IACvB,CAAC;IACD,kBAAkB,EAAE,CAAC;IACrB,QAAQ,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC1C,IAAI,CAAC;QACH,OAAO,WAAW,EAAE,CAAC;IACvB,CAAC;YAAS,CAAC;QACT,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAe;IACpD,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,eAAe,CAAC,CAAC,CAAC;IAC5D,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAClD,MAAM,SAAS,CACb;QACE,IAAI,EAAE,IAAI;QACV,IAAI,EAAE,WAAW;KAClB,EACD,KAAK,CACN,CAAC;IACF,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;AACjC,CAAC"}

package/dist/lib/auth/auth.d.ts

@@ -0,0 +1,2 @@
+export declare function getApiToken(): Promise<string | undefined>;
+export declare function isAuthenticated(): Promise<boolean>;

package/dist/lib/auth/auth.js

@@ -0,0 +1,21 @@
+import { oAuthClient } from "./oauth/client.js";
+export async function getApiToken() {
+    const token = process.env.ALPIC_API_KEY ?? (await oAuthClient.getValidAccessToken())?.access_token;
+    return token;
+}
+export async function isAuthenticated() {
+    const isAuthenticatedViaApiKey = hasApiKey();
+    if (isAuthenticatedViaApiKey)
+        return true;
+    const isAuthenticatedViaOAuth = await hasValidAccessToken();
+    if (isAuthenticatedViaOAuth)
+        return true;
+    return false;
+}
+function hasApiKey() {
+    return process.env.ALPIC_API_KEY !== undefined;
+}
+async function hasValidAccessToken() {
+    return (await oAuthClient.getValidAccessToken()) !== null;
+}
+//# sourceMappingURL=auth.js.map

package/dist/lib/auth/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/lib/auth/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,MAAM,WAAW,CAAC,mBAAmB,EAAE,CAAC,EAAE,YAAY,CAAC;IAEnG,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,wBAAwB,GAAG,SAAS,EAAE,CAAC;IAC7C,IAAI,wBAAwB;QAAE,OAAO,IAAI,CAAC;IAC1C,MAAM,uBAAuB,GAAG,MAAM,mBAAmB,EAAE,CAAC;IAC5D,IAAI,uBAAuB;QAAE,OAAO,IAAI,CAAC;IAEzC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,SAAS,CAAC;AACjD,CAAC;AAED,KAAK,UAAU,mBAAmB;IAChC,OAAO,CAAC,MAAM,WAAW,CAAC,mBAAmB,EAAE,CAAC,KAAK,IAAI,CAAC;AAC5D,CAAC"}

package/dist/lib/auth/oauth/client.d.ts

@@ -0,0 +1,28 @@
+import * as openid from "openid-client";
+import { type Credentials } from "../../global-store.js";
+export declare class OAuthClient {
+    private config;
+    initialize: Promise<void>;
+    constructor();
+    getValidAccessToken(): Promise<Credentials | null>;
+    fetchUserInfo(credentials: Credentials): Promise<openid.UserInfoResponse>;
+    refreshAccessToken(credentials: Credentials): Promise<Credentials>;
+    prepareOAuthConfig(): Promise<{
+        authorizeUrl: URL;
+        state: string;
+        nonce: string;
+        codeVerifier: string;
+    }>;
+    exchangeAuthorizationCode({ url, codeVerifier, state, nonce, }: {
+        url: URL;
+        codeVerifier: string;
+        state: string;
+        nonce: string;
+    }): Promise<openid.TokenEndpointResponse & openid.TokenEndpointResponseHelpers>;
+    getExpiresAt(expires_in: number): number;
+    private loadConfig;
+    private fetchOAuthProtectedResourceConfig;
+    private getConfig;
+    private isAccessTokenExpired;
+}
+export declare const oAuthClient: OAuthClient;

package/dist/lib/auth/oauth/client.js

@@ -0,0 +1,110 @@
+import * as openid from "openid-client";
+import { env } from "../../../env.js";
+import { globalStore } from "../../global-store.js";
+import { LOOPBACK_HOST, LOOPBACK_PORT } from "./constants.js";
+const SCOPES = ["openid", "email", "profile"];
+export class OAuthClient {
+    config = null;
+    initialize;
+    constructor() {
+        this.initialize = this.loadConfig();
+    }
+    async getValidAccessToken() {
+        await this.initialize;
+        const stored = globalStore.getCredentials();
+        if (!stored) {
+            return null;
+        }
+        if (this.isAccessTokenExpired(stored)) {
+            try {
+                return await this.refreshAccessToken(stored);
+            }
+            catch {
+                return null;
+            }
+        }
+        return stored;
+    }
+    async fetchUserInfo(credentials) {
+        return openid.fetchUserInfo(await this.getConfig(), credentials.access_token, credentials.sub);
+    }
+    async refreshAccessToken(credentials) {
+        if (!credentials.refresh_token) {
+            throw new Error("No refresh token available");
+        }
+        const response = await openid.refreshTokenGrant(await this.getConfig(), credentials.refresh_token);
+        const refreshed = {
+            access_token: response.access_token,
+            refresh_token: response.refresh_token ?? credentials.refresh_token,
+            expires_at: this.getExpiresAt(response.expires_in ?? 0),
+            sub: credentials.sub,
+        };
+        globalStore.saveCredentials(refreshed);
+        return refreshed;
+    }
+    async prepareOAuthConfig() {
+        await this.initialize;
+        if (!this.config) {
+            throw new Error("Config not loaded");
+        }
+        const codeVerifier = openid.randomPKCECodeVerifier();
+        const codeChallenge = await openid.calculatePKCECodeChallenge(codeVerifier);
+        const state = openid.randomState();
+        const nonce = openid.randomNonce();
+        const callbackUrl = new URL(`http://${LOOPBACK_HOST}:${LOOPBACK_PORT}/callback`);
+        const authorizeUrl = openid.buildAuthorizationUrl(this.config, {
+            redirect_uri: callbackUrl.toString(),
+            scope: SCOPES.join(" "),
+            code_challenge: codeChallenge,
+            code_challenge_method: "S256",
+            state,
+            nonce,
+        });
+        return { authorizeUrl, state, nonce, codeVerifier };
+    }
+    async exchangeAuthorizationCode({ url, codeVerifier, state, nonce, }) {
+        return await openid.authorizationCodeGrant(await this.getConfig(), url, {
+            pkceCodeVerifier: codeVerifier,
+            expectedState: state,
+            expectedNonce: nonce,
+        });
+    }
+    getExpiresAt(expires_in) {
+        return expires_in !== undefined ? Math.floor(Date.now() / 1000) + expires_in : Date.now() / 1000 + 3600;
+    }
+    async loadConfig() {
+        const protectedResourceConfig = await this.fetchOAuthProtectedResourceConfig();
+        const issuer = protectedResourceConfig.authorization_servers[0];
+        if (!issuer) {
+            throw new Error("No authorization server in OAuth protected resource config");
+        }
+        const issuerUrl = new URL(issuer);
+        try {
+            this.config = await openid.discovery(issuerUrl, env.ALPIC_COGNITO_CLIENT_ID);
+        }
+        catch {
+            throw new Error("Failed to discover OAuth config");
+        }
+    }
+    async fetchOAuthProtectedResourceConfig() {
+        const baseUrl = env.ALPIC_API_BASE_URL;
+        const response = await fetch(`${baseUrl}/.well-known/oauth-protected-resource`);
+        if (!response.ok) {
+            throw new Error(`Failed to load service config from ${baseUrl} (${response.status} ${response.statusText})`);
+        }
+        return (await response.json());
+    }
+    async getConfig() {
+        await this.initialize;
+        if (!this.config) {
+            throw new Error("Config not loaded");
+        }
+        return this.config;
+    }
+    isAccessTokenExpired(credentials) {
+        const EXPIRATION_WINDOW_IN_SECONDS = 300;
+        return Date.now() / 1000 + EXPIRATION_WINDOW_IN_SECONDS >= credentials.expires_at;
+    }
+}
+export const oAuthClient = new OAuthClient();
+//# sourceMappingURL=client.js.map

package/dist/lib/auth/oauth/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../../src/lib/auth/oauth/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,eAAe,CAAC;AAExC,OAAO,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAC;AACtC,OAAO,EAAoB,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACtE,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAE9D,MAAM,MAAM,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;AAU9C,MAAM,OAAO,WAAW;IACd,MAAM,GAAgC,IAAI,CAAC;IACnD,UAAU,CAAgB;IAE1B;QACE,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,mBAAmB;QACvB,MAAM,IAAI,CAAC,UAAU,CAAC;QACtB,MAAM,MAAM,GAAG,WAAW,CAAC,cAAc,EAAE,CAAC;QAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,OAAO,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;YAC/C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,WAAwB;QAC1C,OAAO,MAAM,CAAC,aAAa,CAAC,MAAM,IAAI,CAAC,SAAS,EAAE,EAAE,WAAW,CAAC,YAAY,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC;IACjG,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,WAAwB;QAC/C,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,MAAM,IAAI,CAAC,SAAS,EAAE,EAAE,WAAW,CAAC,aAAa,CAAC,CAAC;QAEnG,MAAM,SAAS,GAAgB;YAC7B,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,aAAa,EAAE,QAAQ,CAAC,aAAa,IAAI,WAAW,CAAC,aAAa;YAClE,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,UAAU,IAAI,CAAC,CAAC;YACvD,GAAG,EAAE,WAAW,CAAC,GAAG;SACrB,CAAC;QAEF,WAAW,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;QACvC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,kBAAkB;QACtB,MAAM,IAAI,CAAC,UAAU,CAAC;QACtB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;QACD,MAAM,YAAY,GAAG,MAAM,CAAC,sBAAsB,EAAE,CAAC;QACrD,MAAM,aAAa,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,YAAY,CAAC,CAAC;QAC5E,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;QACnC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,UAAU,aAAa,IAAI,aAAa,WAAW,CAAC,CAAC;QAEjF,MAAM,YAAY,GAAG,MAAM,CAAC,qBAAqB,CAAC,IAAI,CAAC,MAAM,EAAE;YAC7D,YAAY,EAAE,WAAW,CAAC,QAAQ,EAAE;YACpC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YACvB,cAAc,EAAE,aAAa;YAC7B,qBAAqB,EAAE,MAAM;YAC7B,KAAK;YACL,KAAK;SACN,CAAC,CAAC;QAEH,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;IACtD,CAAC;IAED,KAAK,CAAC,yBAAyB,CAAC,EAC9B,GAAG,EACH,YAAY,EACZ,KAAK,EACL,KAAK,GAMN;QACC,OAAO,MAAM,MAAM,CAAC,sBAAsB,CAAC,MAAM,IAAI,CAAC,SAAS,EAAE,EAAE,GAAG,EAAE;YACtE,gBAAgB,EAAE,YAAY;YAC9B,aAAa,EAAE,KAAK;YACpB,aAAa,EAAE,KAAK;SACrB,CAAC,CAAC;IACL,CAAC;IAED,YAAY,CAAC,UAAkB;QAC7B,OAAO,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;IAC1G,CAAC;IAEO,KAAK,CAAC,UAAU;QACtB,MAAM,uBAAuB,GAAG,MAAM,IAAI,CAAC,iCAAiC,EAAE,CAAC;QAC/E,MAAM,MAAM,GAAG,uBAAuB,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QAChE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,IAAI,CAAC,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,CAAC,uBAAuB,CAAC,CAAC;QAC/E,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,iCAAiC;QAC7C,MAAM,OAAO,GAAG,GAAG,CAAC,kBAAkB,CAAC;QACvC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,uCAAuC,CAAC,CAAC;QAChF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,sCAAsC,OAAO,KAAK,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,GAAG,CAAC,CAAC;QAC/G,CAAC;QACD,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAiC,CAAC;IACjE,CAAC;IAEO,KAAK,CAAC,SAAS;QACrB,MAAM,IAAI,CAAC,UAAU,CAAC;QACtB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAEO,oBAAoB,CAAC,WAAwB;QACnD,MAAM,4BAA4B,GAAG,GAAG,CAAC;QACzC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,4BAA4B,IAAI,WAAW,CAAC,UAAU,CAAC;IACpF,CAAC;CACF;AAED,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC"}

package/dist/lib/auth/oauth/constants.d.ts

@@ -0,0 +1,2 @@
+export declare const LOOPBACK_HOST = "127.0.0.1";
+export declare const LOOPBACK_PORT = 38472;

package/dist/lib/auth/oauth/constants.js

@@ -0,0 +1,3 @@
+export const LOOPBACK_HOST = "127.0.0.1";
+export const LOOPBACK_PORT = 38472;
+//# sourceMappingURL=constants.js.map

package/dist/lib/auth/oauth/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../../src/lib/auth/oauth/constants.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,aAAa,GAAG,WAAW,CAAC;AACzC,MAAM,CAAC,MAAM,aAAa,GAAG,KAAK,CAAC"}

package/dist/lib/auth/oauth/server/assets/authorize.html

@@ -0,0 +1,195 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Sign in to Alpic</title>
+    <link
+      href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600&family=Mozilla+Text:wght@200..700&display=swap"
+      rel="stylesheet"
+    />
+    <style>
+      *,
+      *::before,
+      *::after {
+        margin: 0;
+        padding: 0;
+        box-sizing: border-box;
+      }
+
+      :root {
+        --midnight: #051413;
+      }
+
+      body {
+        font-family: "Inter", system-ui, sans-serif;
+        background-color: var(--midnight);
+        min-height: 100vh;
+        display: flex;
+        background-image: url("/assets/alpic-mountain.png");
+        background-repeat: no-repeat;
+        background-position: right bottom;
+        background-size: auto;
+        padding: 64px;
+      }
+
+      .card {
+        background: #fff;
+        border-radius: 2px;
+        padding: 48px;
+        width: 50%;
+        min-height: calc(100vh - 128px);
+        display: flex;
+        flex-direction: column;
+        align-items: center;
+        justify-content: center;
+      }
+
+      h1 {
+        font-family: "Mozilla Text", system-ui, sans-serif;
+        font-weight: 400;
+        font-size: 48px;
+        color: var(--midnight);
+        margin-bottom: 8px;
+      }
+
+      .subtitle {
+        font-size: 20px;
+        color: var(--midnight);
+        margin-bottom: 32px;
+      }
+
+      .buttons {
+        display: flex;
+        flex-direction: column;
+        gap: 12px;
+      }
+
+      .btn {
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        gap: 8px;
+        height: 48px;
+        width: 256px;
+        padding: 0 16px;
+        border-radius: 2px;
+        border: 1px solid var(--midnight);
+        font-family: "Inter", system-ui, sans-serif;
+        font-size: 16px;
+        font-weight: 500;
+        cursor: pointer;
+        transition: background 0.15s;
+      }
+
+      .btn:focus-visible {
+        outline: none;
+        box-shadow: 0 0 0 2px var(--midnight);
+      }
+
+      .btn svg {
+        width: 20px;
+        height: 20px;
+        flex-shrink: 0;
+      }
+
+      .btn-github {
+        background: var(--midnight);
+        color: #fff;
+      }
+      .btn-github svg {
+        fill: #fff;
+      }
+      .btn-github:hover {
+        background: rgba(5, 20, 19, 0.9);
+      }
+
+      .btn-google {
+        background: #fff;
+        color: var(--midnight);
+      }
+      .btn-google svg {
+        fill: var(--midnight);
+      }
+      .btn-google:hover {
+        background: rgba(5, 20, 19, 0.1);
+      }
+
+      .btn-loading {
+        opacity: 0.7;
+        pointer-events: none;
+        cursor: default;
+        transition: opacity 0.2s;
+      }
+      .spinner {
+        width: 20px;
+        height: 20px;
+        animation: spin 0.8s linear infinite;
+      }
+      @keyframes spin {
+        to {
+          transform: rotate(360deg);
+        }
+      }
+
+      @media (max-width: 768px) {
+        body {
+          padding: 16px;
+        }
+        .card {
+          width: 100%;
+          height: auto;
+          padding: 24px;
+        }
+        h1 {
+          font-size: 36px;
+        }
+        .subtitle {
+          font-size: 18px;
+        }
+      }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <h1>Welcome to Alpic</h1>
+      <p class="subtitle">Sign in to use Alpic CLI</p>
+      <div class="buttons">
+        <button class="btn btn-github" onclick="login('Github', this)" type="button">
+          <svg viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+            <title>GitHub</title>
+            <path
+              d="M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12"
+            />
+          </svg>
+          Sign in with GitHub
+        </button>
+        <button class="btn btn-google" onclick="login('google', this)" type="button">
+          <svg viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+            <title>Google</title>
+            <path
+              d="M12.48 10.92v3.28h7.84c-.24 1.84-.853 3.187-1.8 4.133-1.147 1.147-2.933 2.4-6.04 2.4-4.827 0-8.6-3.893-8.6-8.72s3.773-8.72 8.6-8.72c2.6 0 4.507 1.027 5.907 2.347l2.307-2.307C18.747 1.44 16.133 0 12.48 0 5.867 0 .307 5.387.307 12s5.56 12 12.173 12c3.573 0 6.267-1.173 8.373-3.36 2.16-2.16 2.84-5.213 2.84-7.667 0-.76-.053-1.467-.173-2.053H12.48z"
+            />
+          </svg>
+          Sign in with Google
+        </button>
+      </div>
+    </div>
+    <script>
+      var loaderSvg =
+        '<svg class="spinner" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M12 2v4"/><path d="m16.2 7.8 2.9-2.9"/><path d="M18 12h4"/><path d="m16.2 16.2 2.9 2.9"/><path d="M12 18v4"/><path d="m4.9 19.1 2.9-2.9"/><path d="M2 12h4"/><path d="m4.9 4.9 2.9 2.9"/></svg>';
+      // biome-ignore lint/correctness/noUnusedVariables: The function is used within the buttons onclick handlers
+      function login(provider, btn) {
+        const icon = btn.querySelector("svg");
+        const wrap = document.createElement("div");
+        wrap.innerHTML = loaderSvg;
+        icon.replaceWith(wrap.firstChild);
+        btn.classList.add("btn-loading");
+        btn.disabled = true;
+        const url = new URL("%AUTH_BASE_URL%");
+        url.searchParams.set("identity_provider", provider);
+        window.location.href = url.toString();
+      }
+    </script>
+  </body>
+</html>

package/dist/lib/auth/oauth/server/assets/callback.html

@@ -0,0 +1,88 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Sign in to Alpic</title>
+    <link
+      href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600&family=Mozilla+Text:wght@200..700&display=swap"
+      rel="stylesheet"
+    />
+    <style>
+      *,
+      *::before,
+      *::after {
+        margin: 0;
+        padding: 0;
+        box-sizing: border-box;
+      }
+
+      :root {
+        --midnight: #051413;
+      }
+
+      body {
+        font-family: "Inter", system-ui, sans-serif;
+        background-color: var(--midnight);
+        min-height: 100vh;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        padding: 64px;
+      }
+
+      .card {
+        background: #fff;
+        border-radius: 2px;
+        padding: 48px;
+        display: flex;
+        flex-direction: column;
+        align-items: center;
+        justify-content: center;
+      }
+
+      .message {
+        text-align: center;
+      }
+
+      .message-title {
+        font-size: 28px;
+        color: var(--midnight);
+        display: block;
+      }
+
+      .message-sub {
+        display: block;
+        margin-top: 0.5em;
+        color: #6b7280;
+      }
+
+      .message.error .message-title {
+        color: #b91c1c;
+      }
+
+      .message.error .message-sub {
+        display: none;
+      }
+
+      @media (max-width: 768px) {
+        body {
+          padding: 16px;
+        }
+        .card {
+          width: 100%;
+          height: auto;
+          padding: 24px;
+        }
+      }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <p class="message __CALLBACK_STATUS__">
+        <span class="message-title">__CALLBACK_TITLE__</span>
+        <span class="message-sub">__CALLBACK_SUB__</span>
+      </p>
+    </div>
+  </body>
+</html>

package/dist/lib/auth/oauth/server/index.d.ts

@@ -0,0 +1,8 @@
+import type { Credentials } from "../../../global-store.js";
+export declare const getLoginPageUrl: () => string;
+export declare const listenToOAuthCallback: ({ state, nonce, codeVerifier, authorizeUrl, }: {
+    state: string;
+    nonce: string;
+    codeVerifier: string;
+    authorizeUrl?: string;
+}) => Promise<Credentials>;

package/dist/lib/auth/oauth/server/index.js

@@ -0,0 +1,102 @@
+import * as p from "@clack/prompts";
+import { readFile } from "node:fs/promises";
+import { createServer } from "node:http";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { oAuthClient } from "../client.js";
+import { LOOPBACK_HOST, LOOPBACK_PORT } from "../constants.js";
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const ASSETS_DIR = path.join(__dirname, "assets");
+const createCallbackServer = ({ state, nonce, codeVerifier, authorizeUrl, onSuccess, onError, }) => createServer(async (req, res) => {
+    const url = req.url ?? "/";
+    const pathname = url.split("?")[0] ?? "/";
+    if (pathname === "/login") {
+        try {
+            const htmlPath = path.join(ASSETS_DIR, "authorize.html");
+            let html = await readFile(htmlPath, "utf-8");
+            if (authorizeUrl) {
+                html = html.replace(/%AUTH_BASE_URL%/g, authorizeUrl);
+            }
+            res.writeHead(200, { "Content-Type": "text/html", Connection: "close" });
+            res.end(html);
+            return;
+        }
+        catch (e) {
+            p.log.error(e instanceof Error ? e.message : String(e));
+            res.writeHead(500).end();
+            return;
+        }
+    }
+    if (pathname === "/assets/alpic-mountain.png") {
+        const filePath = path.join(ASSETS_DIR, "alpic-mountain.png");
+        const content = await readFile(filePath);
+        res.writeHead(200, { "Content-Type": "image/png", Connection: "close" });
+        res.end(content);
+        return;
+    }
+    if (!url.startsWith("/callback")) {
+        res.writeHead(404).end();
+        return;
+    }
+    try {
+        const tokens = await oAuthClient.exchangeAuthorizationCode({
+            url: new URL(url, `http://${req.headers.host}`),
+            codeVerifier,
+            state,
+            nonce,
+        });
+        const sub = tokens.claims()?.sub;
+        if (!sub || !tokens.refresh_token) {
+            throw new Error("ID token did not contain sub");
+        }
+        const stored = {
+            access_token: tokens.access_token,
+            refresh_token: tokens.refresh_token,
+            expires_at: oAuthClient.getExpiresAt(tokens.expires_in ?? 0),
+            sub,
+        };
+        p.log.success("✅ Authentication successful");
+        const successHtmlPath = path.join(ASSETS_DIR, "callback.html");
+        let html = await readFile(successHtmlPath, "utf-8");
+        html = html
+            .replace(/__CALLBACK_STATUS__/g, "success")
+            .replace(/__CALLBACK_TITLE__/g, "You are logged in")
+            .replace(/__CALLBACK_SUB__/g, "You can close this page.");
+        res.writeHead(200, { "Content-Type": "text/html", Connection: "close" });
+        res.end(html);
+        onSuccess(stored);
+    }
+    catch (e) {
+        p.log.error(e instanceof Error ? e.message : String(e));
+        const callbackHtmlPath = path.join(ASSETS_DIR, "callback.html");
+        let html = await readFile(callbackHtmlPath, "utf-8");
+        html = html
+            .replace(/__CALLBACK_STATUS__/g, "error")
+            .replace(/__CALLBACK_TITLE__/g, "An error occurred. You can close this page.")
+            .replace(/__CALLBACK_SUB__/g, "");
+        res.writeHead(500, { "Content-Type": "text/html", Connection: "close" });
+        res.end(html);
+        onError(e instanceof Error ? e : new Error(String(e)));
+    }
+});
+export const getLoginPageUrl = () => `http://${LOOPBACK_HOST}:${LOOPBACK_PORT}/login`;
+export const listenToOAuthCallback = ({ state, nonce, codeVerifier, authorizeUrl, }) => {
+    return new Promise((resolve, reject) => {
+        const callbackServer = createCallbackServer({
+            state,
+            nonce,
+            codeVerifier,
+            authorizeUrl,
+            onSuccess: (storedToken) => {
+                callbackServer.close();
+                resolve(storedToken);
+            },
+            onError: (err) => {
+                callbackServer.close();
+                reject(err);
+            },
+        });
+        callbackServer.listen(LOOPBACK_PORT, LOOPBACK_HOST);
+    });
+};
+//# sourceMappingURL=index.js.map