carto-cli 0.1.0-rc.1

package/dist/auth-oauth.js

@@ -0,0 +1,485 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AUTH_CONFIGS = exports.M2M_AUTH_CONFIGS = exports.DEFAULT_AUTH_ENVIRONMENT = void 0;
+exports.parseEnvironment = parseEnvironment;
+exports.getAccountsUrl = getAccountsUrl;
+exports.getAuthConfig = getAuthConfig;
+exports.generateCodeVerifier = generateCodeVerifier;
+exports.generateCodeChallenge = generateCodeChallenge;
+exports.generatePKCEChallenge = generatePKCEChallenge;
+exports.generateState = generateState;
+exports.buildAuthorizationUrl = buildAuthorizationUrl;
+exports.getAuth0OrganizationIdByName = getAuth0OrganizationIdByName;
+exports.exchangeCodeForToken = exchangeCodeForToken;
+exports.decodeJWT = decodeJWT;
+exports.getTokenExpiration = getTokenExpiration;
+exports.getTokenIssuedAt = getTokenIssuedAt;
+exports.isTokenExpired = isTokenExpired;
+exports.getTokenLifetime = getTokenLifetime;
+exports.getTokenTimeRemaining = getTokenTimeRemaining;
+exports.shouldWarnExpiration = shouldWarnExpiration;
+exports.formatTimeRemaining = formatTimeRemaining;
+exports.getM2MAuthConfig = getM2MAuthConfig;
+exports.exchangeM2MCredentialsForToken = exchangeM2MCredentialsForToken;
+const crypto_1 = require("crypto");
+const https_1 = require("https");
+// Default authentication environment when --env flag is not provided
+exports.DEFAULT_AUTH_ENVIRONMENT = 'production';
+exports.M2M_AUTH_CONFIGS = {
+    'production': {
+        domain: 'auth.carto.com',
+        audience: 'carto-cloud-native-api'
+    },
+    'staging': {
+        domain: 'auth.stag.carto.com',
+        audience: 'carto-cloud-native-api'
+    },
+    'local': {
+        domain: 'auth.local.carto.com',
+        audience: 'carto-cloud-native-api'
+    },
+    'dedicated': {
+        domain: 'auth.dev.carto.com',
+        audience: 'carto-cloud-native-api'
+    }
+};
+// Environment configurations
+// Note: dedicated-XX environments share the same auth domain but have different accounts URLs
+exports.AUTH_CONFIGS = {
+    'local': {
+        domain: 'auth.local.carto.com',
+        clientId: '6EPxnXidfZZicawFOZ4Vw35bI5ONSmnP',
+        audience: 'carto-cloud-native-api'
+    },
+    'dedicated': {
+        domain: 'auth.dev.carto.com',
+        clientId: 'mBhNaKPjgpiCr92t1ljs5NVn2ODrev7p',
+        audience: 'carto-cloud-native-api'
+    },
+    'staging': {
+        domain: 'auth.stag.carto.com',
+        clientId: 'SezYkOlDCEiX46j6ljkKW2BbyNqKq82G',
+        audience: 'carto-cloud-native-api'
+    },
+    'production': {
+        domain: 'auth.carto.com',
+        clientId: '6eeVNUr9Ss2u3h972UPShWFRbKbkZHSR',
+        audience: 'carto-cloud-native-api'
+    }
+};
+/**
+ * Parse environment string to extract type and dedicated ID
+ * Examples: "dedicated-01" -> {type: "dedicated", dedicatedId: "01"}
+ *           "production" -> {type: "production"}
+ */
+function parseEnvironment(env) {
+    // Match dedicated-NN pattern
+    const dedicatedMatch = env.match(/^dedicated-(\d+)$/);
+    if (dedicatedMatch) {
+        return {
+            type: 'dedicated',
+            dedicatedId: dedicatedMatch[1]
+        };
+    }
+    // Check if it's a known base environment
+    if (env === 'local' || env === 'staging' || env === 'production') {
+        return { type: env };
+    }
+    // If user provides bare "dedicated", throw error
+    if (env === 'dedicated') {
+        throw new Error('Environment "dedicated" requires a specific ID. Use format: dedicated-01, dedicated-02, etc.');
+    }
+    throw new Error(`Unknown environment: ${env}. Valid formats: local, staging, production, dedicated-NN`);
+}
+/**
+ * Get accounts API URL for the specified environment
+ *
+ * @param env Environment string (e.g., "dedicated-26", "production")
+ * @returns Accounts API base URL
+ */
+function getAccountsUrl(env) {
+    const parsed = parseEnvironment(env);
+    switch (parsed.type) {
+        case 'dedicated':
+            // Pattern: https://accounts-{N}.dev.app.carto.com
+            return `https://accounts-${parsed.dedicatedId}.dev.app.carto.com`;
+        case 'local':
+            return 'http://localhost:8000';
+        case 'staging':
+            return 'https://accounts.stag.app.carto.com';
+        case 'production':
+            return 'https://accounts.app.carto.com';
+        default:
+            throw new Error(`Unable to determine accounts URL for environment: ${env}`);
+    }
+}
+/**
+ * Get OAuth config for authentication
+ *
+ * Environment selection priority:
+ * 1. Explicit environment override (e.g., dedicated-01, production)
+ * 2. CARTO_AUTH_ENV environment variable
+ * 3. Default: production
+ *
+ * @param envOverride Optional environment override
+ */
+function getAuthConfig(envOverride) {
+    const env = envOverride || process.env.CARTO_AUTH_ENV || exports.DEFAULT_AUTH_ENVIRONMENT;
+    // Parse environment to get the base type
+    const parsed = parseEnvironment(env);
+    // Return config for the base type
+    const config = exports.AUTH_CONFIGS[parsed.type];
+    if (!config) {
+        throw new Error(`No authentication config found for environment type: ${parsed.type}`);
+    }
+    return config;
+}
+/**
+ * Generate PKCE code verifier (random string)
+ * RFC 7636: 43-128 characters, unreserved characters [A-Z] [a-z] [0-9] - . _ ~
+ */
+function generateCodeVerifier() {
+    const buffer = (0, crypto_1.randomBytes)(32);
+    return base64URLEncode(buffer);
+}
+/**
+ * Generate PKCE code challenge from verifier
+ * RFC 7636: BASE64URL(SHA256(ASCII(code_verifier)))
+ */
+function generateCodeChallenge(verifier) {
+    const hash = (0, crypto_1.createHash)('sha256').update(verifier).digest();
+    return base64URLEncode(hash);
+}
+/**
+ * Base64 URL-safe encoding (no padding)
+ */
+function base64URLEncode(buffer) {
+    return buffer.toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+}
+/**
+ * Generate PKCE challenge pair
+ */
+function generatePKCEChallenge() {
+    const verifier = generateCodeVerifier();
+    const challenge = generateCodeChallenge(verifier);
+    return { verifier, challenge };
+}
+/**
+ * Generate random state parameter for CSRF protection
+ */
+function generateState() {
+    return base64URLEncode((0, crypto_1.randomBytes)(32));
+}
+/**
+ * Build OAuth authorization URL
+ */
+function buildAuthorizationUrl(config, redirectUri, codeChallenge, state, auth0OrganizationId) {
+    const params = new URLSearchParams({
+        response_type: 'code',
+        client_id: config.clientId,
+        redirect_uri: redirectUri,
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+        state: state,
+        audience: config.audience,
+        scope: 'openid profile email read:current_user update:current_user read:connections write:connections read:maps write:maps read:account admin:account',
+        prompt: 'login' // Force credential entry every time
+    });
+    // Add Auth0 organization parameter if provided (for SSO login)
+    // Note: this is Auth0's organization ID, not CARTO's organization ID (ac_xxxxx)
+    if (auth0OrganizationId) {
+        params.append('organization', auth0OrganizationId);
+    }
+    return `https://${config.domain}/authorize?${params.toString()}`;
+}
+/**
+ * Get Auth0 organization ID by CARTO organization name
+ * Returns null if organization doesn't have SSO configured
+ */
+async function getAuth0OrganizationIdByName(accountsUrl, organizationName) {
+    return new Promise((resolve, reject) => {
+        const url = new URL(`${accountsUrl}/accounts/${encodeURIComponent(organizationName)}/auth0_org_id`);
+        const request = (0, https_1.request)({
+            hostname: url.hostname,
+            path: url.pathname,
+            headers: { 'Accept': 'application/json' }
+        }, (res) => {
+            let data = '';
+            res.on('data', (chunk) => { data += chunk; });
+            res.on('end', () => {
+                if (res.statusCode !== 200) {
+                    reject(new Error(`Organization not found: ${organizationName}`));
+                    return;
+                }
+                try {
+                    const parsed = JSON.parse(data);
+                    resolve(parsed.auth0orgId || null);
+                }
+                catch (err) {
+                    reject(new Error(`Failed to parse response: ${err.message}`));
+                }
+            });
+        });
+        request.on('error', (err) => {
+            reject(new Error(`Failed to fetch organization: ${err.message}`));
+        });
+        request.end();
+    });
+}
+/**
+ * Exchange authorization code for access token
+ */
+async function exchangeCodeForToken(config, code, codeVerifier, redirectUri) {
+    const tokenEndpoint = `https://${config.domain}/oauth/token`;
+    const body = new URLSearchParams({
+        grant_type: 'authorization_code',
+        client_id: config.clientId,
+        code: code,
+        code_verifier: codeVerifier,
+        redirect_uri: redirectUri
+    }).toString();
+    return new Promise((resolve, reject) => {
+        const url = new URL(tokenEndpoint);
+        const options = {
+            hostname: url.hostname,
+            port: url.port,
+            path: url.pathname,
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                'Content-Length': Buffer.byteLength(body)
+            }
+        };
+        const req = (0, https_1.request)(options, (res) => {
+            let data = '';
+            res.on('data', (chunk) => {
+                data += chunk;
+            });
+            res.on('end', () => {
+                try {
+                    const result = JSON.parse(data);
+                    if (res.statusCode === 200) {
+                        resolve(result);
+                    }
+                    else {
+                        reject(new Error(result.error_description || result.error || 'Token exchange failed'));
+                    }
+                }
+                catch (err) {
+                    reject(new Error('Failed to parse token response: ' + data));
+                }
+            });
+        });
+        req.on('error', (err) => {
+            reject(err);
+        });
+        req.write(body);
+        req.end();
+    });
+}
+/**
+ * Extract tenant info from ID token (JWT)
+ * Note: This is a simple JWT decode without verification
+ * The token is already validated by Auth0
+ */
+function decodeJWT(token) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 3) {
+            throw new Error('Invalid JWT format');
+        }
+        const payload = parts[1];
+        const decoded = Buffer.from(payload, 'base64').toString('utf-8');
+        return JSON.parse(decoded);
+    }
+    catch (err) {
+        throw new Error('Failed to decode JWT: ' + err.message);
+    }
+}
+/**
+ * Get token expiration timestamp from JWT
+ * @param token JWT token string
+ * @returns Unix timestamp (seconds) or null if not found/invalid
+ */
+function getTokenExpiration(token) {
+    try {
+        const payload = decodeJWT(token);
+        return payload.exp || null;
+    }
+    catch (err) {
+        return null;
+    }
+}
+/**
+ * Get token issued at timestamp from JWT
+ * @param token JWT token string
+ * @returns Unix timestamp (seconds) or null if not found/invalid
+ */
+function getTokenIssuedAt(token) {
+    try {
+        const payload = decodeJWT(token);
+        return payload.iat || null;
+    }
+    catch (err) {
+        return null;
+    }
+}
+/**
+ * Check if token is expired
+ * @param token JWT token string
+ * @returns true if expired, false if valid or cannot determine
+ */
+function isTokenExpired(token) {
+    const exp = getTokenExpiration(token);
+    if (!exp)
+        return false; // Cannot determine, assume valid
+    const now = Math.floor(Date.now() / 1000);
+    return exp < now;
+}
+/**
+ * Get token lifetime in seconds (from issued at to expiration)
+ * @param token JWT token string
+ * @returns Lifetime in seconds or null if cannot determine
+ */
+function getTokenLifetime(token) {
+    const exp = getTokenExpiration(token);
+    const iat = getTokenIssuedAt(token);
+    if (!exp || !iat)
+        return null;
+    return exp - iat;
+}
+/**
+ * Get time remaining until token expiration
+ * @param token JWT token string
+ * @returns Seconds remaining (negative if expired), or null if cannot determine
+ */
+function getTokenTimeRemaining(token) {
+    const exp = getTokenExpiration(token);
+    if (!exp)
+        return null;
+    const now = Math.floor(Date.now() / 1000);
+    return exp - now;
+}
+/**
+ * Check if token should show expiration warning (< 10% of lifetime remaining)
+ * @param token JWT token string
+ * @returns true if should warn, false otherwise
+ */
+function shouldWarnExpiration(token) {
+    const lifetime = getTokenLifetime(token);
+    const remaining = getTokenTimeRemaining(token);
+    if (!lifetime || !remaining)
+        return false;
+    if (remaining <= 0)
+        return false; // Already expired, not just warning
+    const threshold = lifetime * 0.1; // 10% of lifetime
+    return remaining < threshold;
+}
+/**
+ * Format seconds into human-readable time string
+ * @param seconds Time in seconds (can be negative for expired)
+ * @returns Formatted string like "2 hours", "30 minutes", "EXPIRED 3 hours ago"
+ */
+function formatTimeRemaining(seconds) {
+    const absSeconds = Math.abs(seconds);
+    const isExpired = seconds < 0;
+    let timeStr;
+    if (absSeconds < 60) {
+        timeStr = `${absSeconds} second${absSeconds !== 1 ? 's' : ''}`;
+    }
+    else if (absSeconds < 3600) {
+        const mins = Math.floor(absSeconds / 60);
+        timeStr = `${mins} minute${mins !== 1 ? 's' : ''}`;
+    }
+    else if (absSeconds < 86400) {
+        const hours = Math.floor(absSeconds / 3600);
+        timeStr = `${hours} hour${hours !== 1 ? 's' : ''}`;
+    }
+    else {
+        const days = Math.floor(absSeconds / 86400);
+        timeStr = `${days} day${days !== 1 ? 's' : ''}`;
+    }
+    return isExpired ? `EXPIRED ${timeStr} ago` : timeStr;
+}
+/**
+ * Get M2M authentication config for the specified environment
+ *
+ * @param envOverride Optional environment override
+ */
+function getM2MAuthConfig(envOverride) {
+    const env = envOverride || process.env.CARTO_AUTH_ENV || exports.DEFAULT_AUTH_ENVIRONMENT;
+    const parsed = parseEnvironment(env);
+    const config = exports.M2M_AUTH_CONFIGS[parsed.type];
+    if (!config) {
+        throw new Error(`M2M authentication config not found for environment: ${parsed.type}`);
+    }
+    return config;
+}
+/**
+ * Exchange M2M client credentials for access token
+ * Uses OAuth2 client_credentials grant
+ *
+ * @param config M2M authentication configuration
+ * @param clientId M2M OAuth client ID
+ * @param clientSecret M2M OAuth client secret
+ * @returns Token response with access_token, expires_in, token_type
+ */
+async function exchangeM2MCredentialsForToken(config, clientId, clientSecret) {
+    const tokenEndpoint = `https://${config.domain}/oauth/token`;
+    // Build form-urlencoded body per CARTO docs
+    const body = new URLSearchParams({
+        grant_type: 'client_credentials',
+        client_id: clientId,
+        client_secret: clientSecret,
+        audience: config.audience
+    }).toString();
+    return new Promise((resolve, reject) => {
+        const url = new URL(tokenEndpoint);
+        const options = {
+            hostname: url.hostname,
+            port: url.port,
+            path: url.pathname,
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                'Content-Length': Buffer.byteLength(body)
+            }
+        };
+        const req = (0, https_1.request)(options, (res) => {
+            let data = '';
+            res.on('data', (chunk) => {
+                data += chunk;
+            });
+            res.on('end', () => {
+                try {
+                    const result = JSON.parse(data);
+                    if (res.statusCode === 200) {
+                        resolve(result);
+                    }
+                    else {
+                        // Provide user-friendly error messages
+                        let errorMessage = result.error_description || result.error || 'M2M authentication failed';
+                        if (errorMessage.includes('Unauthorized')) {
+                            errorMessage = 'Invalid M2M credentials. Please check your client_id and client_secret.';
+                        }
+                        else if (errorMessage.includes('access_denied')) {
+                            errorMessage = 'Access denied. Ensure your M2M OAuth client is properly configured.';
+                        }
+                        reject(new Error(errorMessage));
+                    }
+                }
+                catch (err) {
+                    reject(new Error('Failed to parse M2M authentication response'));
+                }
+            });
+        });
+        req.on('error', (err) => {
+            reject(new Error(`M2M authentication request failed: ${err.message}`));
+        });
+        req.write(body);
+        req.end();
+    });
+}