npm - cloudron - Versions diffs - 7.1.2 → 8.0.1 - Mend

cloudron 7.1.2 → 8.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/bin/cloudron CHANGED Viewed

@@ -91,7 +91,7 @@ const buildCommand = program.command('build').description('Build using the build
     .option('--build-service-url <url>', 'Build service URL')
     .option('--build-service-token <token>', 'Build service token');
-buildCommand.command('build', { isDefault: true })
+const buildBuildCommand = buildCommand.command('build', { isDefault: true })
     .description('Build an app')
     .option('--build-arg <namevalue>', 'Build arg passed to docker. Can be used multiple times', collectBuildArgs, [])
     .option('-f, --file <dockerfile>', 'Name of the Dockerfile')
@@ -137,6 +137,11 @@ buildCommand.command('status')
     .option('--id <buildid>', 'Build ID')
     .action(buildActions.status);
+buildCommand.addHelpText('after', (ctx) => {
+    const header = '\nDefault subcommand `build` (same as `cloudron build build`; used when no subcommand is given):\n\n';
+    return header + buildBuildCommand.helpInformation({ error: ctx.error });
+});
 backupCommand.command('create')
     .description('Create new app backup')
     .option('--site <siteid>', 'App id')

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cloudron",
-  "version": "7.1.2",
+  "version": "8.0.1",
   "license": "MIT",
   "description": "Cloudron Commandline Tool",
   "type": "module",

package/src/actions.js CHANGED Viewed

@@ -347,6 +347,7 @@ async function login(adminFqdn, localOptions, cmd) {
         if (semver.gte(response.body.version, '9.1.0')) {
             token = await performOidcLogin(adminFqdn, { rejectUnauthorized });
+            if (!token) process.exit(1);
         } else {
             const username = options.username || await readline.question('Username: ', {});
             const password = options.password || await readline.question('Password: ', { noEchoBack: true });

package/src/helper.js CHANGED Viewed

@@ -1,9 +1,6 @@
-import crypto from 'crypto';
 import fs from 'fs';
-import http from 'http';
 import open from 'open';
 import path from 'path';
-import readline from 'readline';
 import safe from '@cloudron/safetydance';
 import superagent from '@cloudron/superagent';
 import util from 'util';
@@ -72,109 +69,62 @@ function parseChangelog(file, version) {
 async function performOidcLogin(adminFqdn, { rejectUnauthorized = true } = {}) {
     const OIDC_CLIENT_ID = 'cid-cli';
-    const OIDC_CLIENT_SECRET = 'notused';
     const OIDC_PROVIDER = `https://${adminFqdn}`;
-    const OIDC_CALLBACK_URL = 'http://localhost:1312/callback';
-    // Discover OIDC endpoints
     const discoveryRequest = superagent.get(`${OIDC_PROVIDER}/.well-known/openid-configuration`).timeout(60000);
     if (!rejectUnauthorized) discoveryRequest.disableTLSCerts();
     const discoveryResponse = await discoveryRequest;
-    const { authorization_endpoint, token_endpoint } = discoveryResponse.body;
-    // Generate PKCE code_verifier and code_challenge (S256)
-    const codeVerifier = crypto.randomBytes(32).toString('base64url');
-    const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
-    // Generate state for CSRF protection
-    const state = crypto.randomBytes(16).toString('hex');
-    // Build authorization URL
-    const authUrl = new URL(authorization_endpoint);
-    authUrl.searchParams.set('response_type', 'code');
-    authUrl.searchParams.set('client_id', OIDC_CLIENT_ID);
-    authUrl.searchParams.set('redirect_uri', OIDC_CALLBACK_URL);
-    authUrl.searchParams.set('state', state);
-    authUrl.searchParams.set('scope', 'openid');
-    authUrl.searchParams.set('code_challenge', codeChallenge);
-    authUrl.searchParams.set('code_challenge_method', 'S256');
-    // Start local HTTP server and wait for the OIDC callback
-    const code = await new Promise((resolve, reject) => {
-        const server = http.createServer((req, res) => {
-            const url = new URL(req.url, 'http://localhost:1312');
-            if (url.pathname !== '/callback') {
-                res.writeHead(404);
-                res.end('Not found');
-                return;
-            }
-            const error = url.searchParams.get('error');
-            if (error) {
-                const description = url.searchParams.get('error_description') || error;
-                res.writeHead(200, { 'Content-Type': 'text/html' });
-                res.end('<html><body><h1>Login failed</h1><p>' + description + '</p><p>You can close this window.</p></body></html>');
-                server.close();
-                reject(new Error(`OIDC login failed: ${description}`));
-                return;
-            }
-            const receivedState = url.searchParams.get('state');
-            if (receivedState !== state) {
-                res.writeHead(400, { 'Content-Type': 'text/html' });
-                res.end('<html><body><h1>Login failed</h1><p>State mismatch.</p></body></html>');
-                server.close();
-                reject(new Error('OIDC state mismatch'));
-                return;
-            }
-            const receivedCode = url.searchParams.get('code');
-            const successHtml = fs.readFileSync(path.join(import.meta.dirname, 'login-success.html'), 'utf8');
-            res.writeHead(200, { 'Content-Type': 'text/html' });
-            res.end(successHtml);
-            server.close();
-            resolve(receivedCode);
-        });
-        // without the host ip, it will listen on :: . on mac, which has dual stack disabled, it will listen on ipv6 only
-        server.listen(1312, '127.0.0.1', () => {
-            // console.log('Login at:');
-            // console.log(authUrl.toString());
-            const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-            rl.question('Press ENTER to authenticate using the browser...', () => {
-                rl.close();
-                open(authUrl.toString());
-            });
-        });
-        server.on('error', (err) => {
-            reject(new Error(`Failed to start local server: ${err.message}`));
-        });
-        // Timeout after 2 minutes so the CLI doesn't hang indefinitely
-        setTimeout(() => {
-            server.close();
-            reject(new Error('Login timed out after 2 minutes'));
-        }, 120000);
-    });
-    // Exchange authorization code for access token
-    const tokenBody = new URLSearchParams({
-        grant_type: 'authorization_code',
-        code,
-        redirect_uri: OIDC_CALLBACK_URL,
-        client_id: OIDC_CLIENT_ID,
-        client_secret: OIDC_CLIENT_SECRET,
-        code_verifier: codeVerifier,
-    }).toString();
-    const tokenRequest = superagent.post(token_endpoint)
+    const { device_authorization_endpoint, token_endpoint } = discoveryResponse.body;
+    if (!device_authorization_endpoint) throw new Error('Server does not support device flow. Please update your Cloudron.');
+    const deviceRequest = superagent.post(device_authorization_endpoint)
         .timeout(60000)
         .set('Content-Type', 'application/x-www-form-urlencoded')
-        .send(tokenBody);
-    if (!rejectUnauthorized) tokenRequest.disableTLSCerts();
-    const tokenResponse = await tokenRequest;
+        .send(new URLSearchParams({ client_id: OIDC_CLIENT_ID, scope: 'openid' }).toString());
+    if (!rejectUnauthorized) deviceRequest.disableTLSCerts();
+    const deviceResponse = await deviceRequest;
+    const { device_code, user_code, verification_uri_complete, verification_uri, interval: pollInterval = 5 } = deviceResponse.body;
+    console.log(`\nOpen ${verification_uri_complete || verification_uri} in a browser and confirm code: ${user_code}\n`);
+    // try to open browser automatically
+    safe(open(verification_uri_complete || verification_uri));
+    const startTime = Date.now();
+    const timeout = 600000; // 10 minutes
+    while (Date.now() - startTime < timeout) {
+        await new Promise((resolve) => setTimeout(resolve, pollInterval * 1000));
+        const tokenRequest = superagent.post(token_endpoint)
+            .timeout(60000)
+            .ok(() => true)
+            .set('Content-Type', 'application/x-www-form-urlencoded')
+            .send(new URLSearchParams({
+                grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+                device_code,
+                client_id: OIDC_CLIENT_ID,
+            }).toString());
+        if (!rejectUnauthorized) tokenRequest.disableTLSCerts();
+        const tokenResponse = await tokenRequest;
+        if (tokenResponse.status === 200) return tokenResponse.body.access_token;
+        const error = tokenResponse.body.error;
+        if (error === 'authorization_pending') continue;
+        if (error === 'slow_down') {
+            await new Promise((resolve) => setTimeout(resolve, 5000));
+            continue;
+        }
+        console.log('Login failed. Try again.');
+        return null;
+    }
-    return tokenResponse.body.access_token;
+    console.log('Login timed out. Try again.');
+    return null;
 }
 export {

package/src/login-success.html DELETED Viewed

@@ -1,61 +0,0 @@
-<html>
-<head>
-    <meta charset="utf-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1">
-    <title>Authentication successful</title>
-    <style>
-        * { margin: 0; padding: 0; box-sizing: border-box; }
-        body {
-            font-family: Inter, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
-            min-height: 100vh;
-            display: flex;
-            align-items: center;
-            justify-content: center;
-            background: #f3f4f6;
-            color: #333;
-        }
-        .card {
-            text-align: center;
-            background: #fff;
-            border-radius: 4px;
-            padding: 48px 40px;
-            box-shadow: 0 2px 5px rgba(0,0,0,.1);
-        }
-        .icon {
-            width: 64px; height: 64px;
-            margin: 0 auto 24px;
-            background: #1a76bf21;
-            border-radius: 50%;
-            display: flex;
-            align-items: center;
-            justify-content: center;
-        }
-        .icon svg { width: 32px; height: 32px; color: #1a76bf; }
-        h1 { font-size: 22px; font-weight: 600; margin-bottom: 8px; }
-        p  { font-size: 15px; color: #666; line-height: 1.5; }
-        @media (prefers-color-scheme: dark) {
-          body {
-            background-color: black;
-            color: white;
-          }
-          .card {
-            background: #15181f;
-          }
-          p {
-            color: #aaa;
-          }
-        }
-    </style>
-</head>
-<body>
-    <div class="card">
-        <div class="icon">
-            <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
-                <polyline points="20 6 9 17 4 12"/>
-            </svg>
-        </div>
-        <h1>Authentication successful</h1>
-        <p>You can close this tab and return to your command line.</p>
-    </div>
-</body>
-</html>