npm - cloudron - Versions diffs - 7.1.2 → 8.0.0 - Mend

cloudron 7.1.2 → 8.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cloudron",
-  "version": "7.1.2",
+  "version": "8.0.0",
   "license": "MIT",
   "description": "Cloudron Commandline Tool",
   "type": "module",

package/src/helper.js CHANGED Viewed

@@ -1,9 +1,6 @@
-import crypto from 'crypto';
 import fs from 'fs';
-import http from 'http';
 import open from 'open';
 import path from 'path';
-import readline from 'readline';
 import safe from '@cloudron/safetydance';
 import superagent from '@cloudron/superagent';
 import util from 'util';
@@ -72,109 +69,60 @@ function parseChangelog(file, version) {
 async function performOidcLogin(adminFqdn, { rejectUnauthorized = true } = {}) {
     const OIDC_CLIENT_ID = 'cid-cli';
-    const OIDC_CLIENT_SECRET = 'notused';
     const OIDC_PROVIDER = `https://${adminFqdn}`;
-    const OIDC_CALLBACK_URL = 'http://localhost:1312/callback';
-    // Discover OIDC endpoints
     const discoveryRequest = superagent.get(`${OIDC_PROVIDER}/.well-known/openid-configuration`).timeout(60000);
     if (!rejectUnauthorized) discoveryRequest.disableTLSCerts();
     const discoveryResponse = await discoveryRequest;
-    const { authorization_endpoint, token_endpoint } = discoveryResponse.body;
-    // Generate PKCE code_verifier and code_challenge (S256)
-    const codeVerifier = crypto.randomBytes(32).toString('base64url');
-    const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
-    // Generate state for CSRF protection
-    const state = crypto.randomBytes(16).toString('hex');
-    // Build authorization URL
-    const authUrl = new URL(authorization_endpoint);
-    authUrl.searchParams.set('response_type', 'code');
-    authUrl.searchParams.set('client_id', OIDC_CLIENT_ID);
-    authUrl.searchParams.set('redirect_uri', OIDC_CALLBACK_URL);
-    authUrl.searchParams.set('state', state);
-    authUrl.searchParams.set('scope', 'openid');
-    authUrl.searchParams.set('code_challenge', codeChallenge);
-    authUrl.searchParams.set('code_challenge_method', 'S256');
-    // Start local HTTP server and wait for the OIDC callback
-    const code = await new Promise((resolve, reject) => {
-        const server = http.createServer((req, res) => {
-            const url = new URL(req.url, 'http://localhost:1312');
-            if (url.pathname !== '/callback') {
-                res.writeHead(404);
-                res.end('Not found');
-                return;
-            }
-            const error = url.searchParams.get('error');
-            if (error) {
-                const description = url.searchParams.get('error_description') || error;
-                res.writeHead(200, { 'Content-Type': 'text/html' });
-                res.end('<html><body><h1>Login failed</h1><p>' + description + '</p><p>You can close this window.</p></body></html>');
-                server.close();
-                reject(new Error(`OIDC login failed: ${description}`));
-                return;
-            }
-            const receivedState = url.searchParams.get('state');
-            if (receivedState !== state) {
-                res.writeHead(400, { 'Content-Type': 'text/html' });
-                res.end('<html><body><h1>Login failed</h1><p>State mismatch.</p></body></html>');
-                server.close();
-                reject(new Error('OIDC state mismatch'));
-                return;
-            }
-            const receivedCode = url.searchParams.get('code');
-            const successHtml = fs.readFileSync(path.join(import.meta.dirname, 'login-success.html'), 'utf8');
-            res.writeHead(200, { 'Content-Type': 'text/html' });
-            res.end(successHtml);
-            server.close();
-            resolve(receivedCode);
-        });
-        // without the host ip, it will listen on :: . on mac, which has dual stack disabled, it will listen on ipv6 only
-        server.listen(1312, '127.0.0.1', () => {
-            // console.log('Login at:');
-            // console.log(authUrl.toString());
-            const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-            rl.question('Press ENTER to authenticate using the browser...', () => {
-                rl.close();
-                open(authUrl.toString());
-            });
-        });
-        server.on('error', (err) => {
-            reject(new Error(`Failed to start local server: ${err.message}`));
-        });
-        // Timeout after 2 minutes so the CLI doesn't hang indefinitely
-        setTimeout(() => {
-            server.close();
-            reject(new Error('Login timed out after 2 minutes'));
-        }, 120000);
-    });
-    // Exchange authorization code for access token
-    const tokenBody = new URLSearchParams({
-        grant_type: 'authorization_code',
-        code,
-        redirect_uri: OIDC_CALLBACK_URL,
-        client_id: OIDC_CLIENT_ID,
-        client_secret: OIDC_CLIENT_SECRET,
-        code_verifier: codeVerifier,
-    }).toString();
-    const tokenRequest = superagent.post(token_endpoint)
+    const { device_authorization_endpoint, token_endpoint } = discoveryResponse.body;
+    if (!device_authorization_endpoint) throw new Error('Server does not support device flow. Please update your Cloudron.');
+    const deviceRequest = superagent.post(device_authorization_endpoint)
         .timeout(60000)
         .set('Content-Type', 'application/x-www-form-urlencoded')
-        .send(tokenBody);
-    if (!rejectUnauthorized) tokenRequest.disableTLSCerts();
-    const tokenResponse = await tokenRequest;
+        .send(new URLSearchParams({ client_id: OIDC_CLIENT_ID, scope: 'openid' }).toString());
+    if (!rejectUnauthorized) deviceRequest.disableTLSCerts();
+    const deviceResponse = await deviceRequest;
+    const { device_code, user_code, verification_uri_complete, verification_uri, interval: pollInterval = 5 } = deviceResponse.body;
+    console.log(`\nOpen ${verification_uri_complete || verification_uri} in a browser and enter code: ${user_code}\n`);
+    // try to open browser automatically
+    safe(open(verification_uri_complete || verification_uri));
+    const startTime = Date.now();
+    const timeout = 600000; // 10 minutes
+    while (Date.now() - startTime < timeout) {
+        await new Promise((resolve) => setTimeout(resolve, pollInterval * 1000));
+        const tokenRequest = superagent.post(token_endpoint)
+            .timeout(60000)
+            .ok(() => true)
+            .set('Content-Type', 'application/x-www-form-urlencoded')
+            .send(new URLSearchParams({
+                grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+                device_code,
+                client_id: OIDC_CLIENT_ID,
+            }).toString());
+        if (!rejectUnauthorized) tokenRequest.disableTLSCerts();
+        const tokenResponse = await tokenRequest;
+        if (tokenResponse.status === 200) return tokenResponse.body.access_token;
+        const error = tokenResponse.body.error;
+        if (error === 'authorization_pending') continue;
+        if (error === 'slow_down') {
+            await new Promise((resolve) => setTimeout(resolve, 5000));
+            continue;
+        }
+        throw new Error(tokenResponse.body.error_description || error);
+    }
-    return tokenResponse.body.access_token;
+    throw new Error('Login timed out');
 }
 export {

package/src/login-success.html DELETED Viewed

@@ -1,61 +0,0 @@
-<html>
-<head>
-    <meta charset="utf-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1">
-    <title>Authentication successful</title>
-    <style>
-        * { margin: 0; padding: 0; box-sizing: border-box; }
-        body {
-            font-family: Inter, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
-            min-height: 100vh;
-            display: flex;
-            align-items: center;
-            justify-content: center;
-            background: #f3f4f6;
-            color: #333;
-        }
-        .card {
-            text-align: center;
-            background: #fff;
-            border-radius: 4px;
-            padding: 48px 40px;
-            box-shadow: 0 2px 5px rgba(0,0,0,.1);
-        }
-        .icon {
-            width: 64px; height: 64px;
-            margin: 0 auto 24px;
-            background: #1a76bf21;
-            border-radius: 50%;
-            display: flex;
-            align-items: center;
-            justify-content: center;
-        }
-        .icon svg { width: 32px; height: 32px; color: #1a76bf; }
-        h1 { font-size: 22px; font-weight: 600; margin-bottom: 8px; }
-        p  { font-size: 15px; color: #666; line-height: 1.5; }
-        @media (prefers-color-scheme: dark) {
-          body {
-            background-color: black;
-            color: white;
-          }
-          .card {
-            background: #15181f;
-          }
-          p {
-            color: #aaa;
-          }
-        }
-    </style>
-</head>
-<body>
-    <div class="card">
-        <div class="icon">
-            <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
-                <polyline points="20 6 9 17 4 12"/>
-            </svg>
-        </div>
-        <h1>Authentication successful</h1>
-        <p>You can close this tab and return to your command line.</p>
-    </div>
-</body>
-</html>