cyymall-cli 0.1.0 → 0.1.1

package/src/commands/apiCall.js

@@ -1,149 +1,149 @@
-"use strict";
-
-const config = require("../config");
-const http = require("../http");
-const biz = require("../biz");
-
-/**
- * Parse repeated --query key=value
- * @param {string[]} queryArgs
- */
-function parseQueryPairs(queryArgs) {
-  const q = {};
-  if (!queryArgs || !queryArgs.length) return q;
-  for (const pair of queryArgs) {
-    const i = pair.indexOf("=");
-    if (i <= 0) continue;
-    const k = pair.slice(0, i).trim();
-    const v = pair.slice(i + 1);
-    q[k] = v;
-  }
-  return q;
-}
-
-function appendQuery(url, queryObj) {
-  const keys = Object.keys(queryObj);
-  if (!keys.length) return url;
-  const u = new URL(url);
-  for (const k of keys) {
-    u.searchParams.set(k, queryObj[k]);
-  }
-  return u.toString();
-}
-
-/**
- * Shared executor for CLI and HTTP serve mode.
- * @param {object} opts
- */
-async function executeApiCall(opts) {
-  const {
-    method,
-    module: moduleKey,
-    path: pathSuffix,
-    bodyJson,
-    bodyFile,
-    bodyObj,
-    query: queryArgs,
-    queryObj: queryObjIn,
-    noAuth,
-    header: headerPairs,
-  } = opts;
-
-  let bodyStr = null;
-  if (bodyFile) {
-    const fs = require("fs");
-    bodyStr = fs.readFileSync(bodyFile, "utf8");
-  } else if (bodyObj != null) {
-    bodyStr = JSON.stringify(bodyObj);
-  } else if (bodyJson != null && bodyJson !== "") {
-    bodyStr = bodyJson;
-  }
-
-  if (bodyStr && method === "GET") {
-    return { error: "GET request should not use body; use query only.", exitCode: 1 };
-  }
-
-  let url = http.moduleUrl(moduleKey, pathSuffix);
-  const queryObj =
-    queryObjIn && typeof queryObjIn === "object"
-      ? queryObjIn
-      : parseQueryPairs(queryArgs || []);
-  url = appendQuery(url, queryObj);
-
-  /** @type {Record<string,string>} */
-  let headers = {};
-
-  if (!noAuth) {
-    const cfg = config.loadConfig();
-    headers = /** @type {Record<string,string>} */ (
-      http.buildAuthHeaders(cfg)
-    );
-  } else {
-    headers = /** @type {Record<string,string>} */ (http.buildAuthHeaders(null));
-  }
-
-  const extras = headerPairs || [];
-  for (const h of extras) {
-    const idx = h.indexOf(":");
-    if (idx > 0) {
-      const hk = h.slice(0, idx).trim();
-      const hv = h.slice(idx + 1).trim();
-      headers[hk] = hv;
-    }
-  }
-
-  if (method === "GET" || method === "HEAD") {
-    delete headers["Content-Type"];
-  } else if (bodyStr) {
-    headers["Content-Type"] = headers["Content-Type"] || "application/json;charset=UTF-8";
-  }
-
-  const { ok, status, json } = await http.request(url, {
-    method,
-    headers,
-    body: bodyStr,
-  });
-
-  const bizOk = ok && (json == null || biz.isBizSuccess(json));
-  const envelopeSuccess = bizOk;
-  const traceId = `local-${require("crypto").randomBytes(8).toString("hex")}`;
-  const message =
-    json && typeof json === "object" && "msg" in json
-      ? String(/** @type {{msg?:string}} */ (json).msg)
-      : ok
-        ? "success"
-        : `HTTP ${status}`;
-
-  const envelope = {
-    success: envelopeSuccess,
-    code: envelopeSuccess ? "OK" : "UPSTREAM_ERROR",
-    message,
-    data: { upstream: json, httpStatus: status },
-    traceId,
-  };
-
-  return { envelope, exitCode: envelopeSuccess ? 0 : 2 };
-}
-
-/**
- * @param {import('commander').OptionValues} opts
- */
-async function runApiCall(opts) {
-  if (opts.bodyJson && opts.method === "GET") {
-    console.error("cyy: GET request should not use body; use --query instead.");
-    process.exit(1);
-  }
-  const merged = {
-    ...opts,
-    noAuth: Boolean(opts.noAuth ?? opts.bare),
-  };
-  const result = await executeApiCall(merged);
-  if (result.error) {
-    console.error(`cyy: ${result.error}`);
-    process.exit(result.exitCode ?? 1);
-  }
-  console.log(JSON.stringify(result.envelope, null, 2));
-  process.exit(result.exitCode ?? 1);
-}
-
-module.exports = { runApiCall, executeApiCall, parseQueryPairs };
+"use strict";
+
+const config = require("../config");
+const http = require("../http");
+const biz = require("../biz");
+
+/**
+ * Parse repeated --query key=value
+ * @param {string[]} queryArgs
+ */
+function parseQueryPairs(queryArgs) {
+  const q = {};
+  if (!queryArgs || !queryArgs.length) return q;
+  for (const pair of queryArgs) {
+    const i = pair.indexOf("=");
+    if (i <= 0) continue;
+    const k = pair.slice(0, i).trim();
+    const v = pair.slice(i + 1);
+    q[k] = v;
+  }
+  return q;
+}
+
+function appendQuery(url, queryObj) {
+  const keys = Object.keys(queryObj);
+  if (!keys.length) return url;
+  const u = new URL(url);
+  for (const k of keys) {
+    u.searchParams.set(k, queryObj[k]);
+  }
+  return u.toString();
+}
+
+/**
+ * Shared executor for CLI and HTTP serve mode.
+ * @param {object} opts
+ */
+async function executeApiCall(opts) {
+  const {
+    method,
+    module: moduleKey,
+    path: pathSuffix,
+    bodyJson,
+    bodyFile,
+    bodyObj,
+    query: queryArgs,
+    queryObj: queryObjIn,
+    noAuth,
+    header: headerPairs,
+  } = opts;
+
+  let bodyStr = null;
+  if (bodyFile) {
+    const fs = require("fs");
+    bodyStr = fs.readFileSync(bodyFile, "utf8");
+  } else if (bodyObj != null) {
+    bodyStr = JSON.stringify(bodyObj);
+  } else if (bodyJson != null && bodyJson !== "") {
+    bodyStr = bodyJson;
+  }
+
+  if (bodyStr && method === "GET") {
+    return { error: "GET request should not use body; use query only.", exitCode: 1 };
+  }
+
+  let url = http.moduleUrl(moduleKey, pathSuffix);
+  const queryObj =
+    queryObjIn && typeof queryObjIn === "object"
+      ? queryObjIn
+      : parseQueryPairs(queryArgs || []);
+  url = appendQuery(url, queryObj);
+
+  /** @type {Record<string,string>} */
+  let headers = {};
+
+  if (!noAuth) {
+    const cfg = config.loadConfig();
+    headers = /** @type {Record<string,string>} */ (
+      http.buildAuthHeaders(cfg)
+    );
+  } else {
+    headers = /** @type {Record<string,string>} */ (http.buildAuthHeaders(null));
+  }
+
+  const extras = headerPairs || [];
+  for (const h of extras) {
+    const idx = h.indexOf(":");
+    if (idx > 0) {
+      const hk = h.slice(0, idx).trim();
+      const hv = h.slice(idx + 1).trim();
+      headers[hk] = hv;
+    }
+  }
+
+  if (method === "GET" || method === "HEAD") {
+    delete headers["Content-Type"];
+  } else if (bodyStr) {
+    headers["Content-Type"] = headers["Content-Type"] || "application/json;charset=UTF-8";
+  }
+
+  const { ok, status, json } = await http.request(url, {
+    method,
+    headers,
+    body: bodyStr,
+  });
+
+  const bizOk = ok && (json == null || biz.isBizSuccess(json));
+  const envelopeSuccess = bizOk;
+  const traceId = `local-${require("crypto").randomBytes(8).toString("hex")}`;
+  const message =
+    json && typeof json === "object" && "msg" in json
+      ? String(/** @type {{msg?:string}} */ (json).msg)
+      : ok
+        ? "success"
+        : `HTTP ${status}`;
+
+  const envelope = {
+    success: envelopeSuccess,
+    code: envelopeSuccess ? "OK" : "UPSTREAM_ERROR",
+    message,
+    data: { upstream: json, httpStatus: status },
+    traceId,
+  };
+
+  return { envelope, exitCode: envelopeSuccess ? 0 : 2 };
+}
+
+/**
+ * @param {import('commander').OptionValues} opts
+ */
+async function runApiCall(opts) {
+  if (opts.bodyJson && opts.method === "GET") {
+    console.error("cyy: GET request should not use body; use --query instead.");
+    process.exit(1);
+  }
+  const merged = {
+    ...opts,
+    noAuth: Boolean(opts.noAuth ?? opts.bare),
+  };
+  const result = await executeApiCall(merged);
+  if (result.error) {
+    console.error(`cyy: ${result.error}`);
+    process.exit(result.exitCode ?? 1);
+  }
+  console.log(JSON.stringify(result.envelope, null, 2));
+  process.exit(result.exitCode ?? 1);
+}
+
+module.exports = { runApiCall, executeApiCall, parseQueryPairs };

package/src/commands/auth.js

@@ -1,16 +1,77 @@
-"use strict";
+"use strict";
 
 const crypto = require("crypto");
+const readline = require("readline/promises");
+const { stdin: input, stdout: output } = require("process");
 const config = require("../config");
 const http = require("../http");
 const biz = require("../biz");
+const encrypt = require("../encrypt");
 
-function sha256Hex(s) {
-  return crypto.createHash("sha256").update(s, "utf8").digest("hex");
+/**
+ * `/app/auth/ua/*` responses (e.g. sendCodeV2, registerMember/v2): raw wire -> decryptResponse ->
+ * JSON.parse -> optional parsedJsonAfterHybridEnvelopeDecrypt, same order as App.
+ *
+ * @param {string} [rawWireText]
+ * @param {unknown} jsonAfterParse
+ * @param {string} clientPkForDecrypt
+ * @returns {unknown}
+ */
+function plainBizJsonFromSendCodeWire(rawWireText, jsonAfterParse, clientPkForDecrypt) {
+  let wire =
+    typeof rawWireText === "string" && rawWireText.trim()
+      ? rawWireText.trim()
+      : jsonAfterParse &&
+          typeof jsonAfterParse === "object" &&
+          jsonAfterParse !== null &&
+          !Array.isArray(jsonAfterParse) &&
+          Object.prototype.hasOwnProperty.call(jsonAfterParse, "_raw") &&
+          typeof /** @type {{ _raw?: unknown }} */ (jsonAfterParse)._raw === "string"
+        ? String(/** @type {{ _raw: string }} */ (jsonAfterParse)._raw).trim()
+        : "";
+
+  if (
+    !wire &&
+    jsonAfterParse != null &&
+    typeof jsonAfterParse === "object" &&
+    !Array.isArray(jsonAfterParse) &&
+    encrypt.looksLikeHybridEnvelope(jsonAfterParse)
+  ) {
+    try {
+      wire = JSON.stringify(jsonAfterParse);
+    } catch {
+      wire = "";
+    }
+  }
+
+  if (wire) {
+    const decryptedText = encrypt.decryptResponse(wire, clientPkForDecrypt);
+    try {
+      const obj = decryptedText ? JSON.parse(decryptedText) : null;
+      if (obj != null && typeof obj === "object" && !Array.isArray(obj)) {
+        const out = encrypt.looksLikeHybridEnvelope(obj)
+          ? encrypt.parsedJsonAfterHybridEnvelopeDecrypt(obj, clientPkForDecrypt)
+          : obj;
+        if (!encrypt.looksLikeHybridEnvelope(out)) {
+          return out;
+        }
+      }
+    } catch {
+      // fall through to parsed-json fallback
+    }
+  }
+
+  if (jsonAfterParse != null && typeof jsonAfterParse === "object" && !Array.isArray(jsonAfterParse)) {
+    return encrypt.looksLikeHybridEnvelope(jsonAfterParse)
+      ? encrypt.parsedJsonAfterHybridEnvelopeDecrypt(jsonAfterParse, clientPkForDecrypt)
+      : jsonAfterParse;
+  }
+
+  return jsonAfterParse;
 }
 
 /**
- * Login `data` may use `token` (Android LoginBean / Gson), `appToken`, or `accessToken`.
+ * Login `data` may use `token`, `appToken`, or `accessToken`.
  * @param {Record<string, unknown>|null|undefined} data
  */
 function pickLoginToken(data) {
@@ -20,30 +81,131 @@ function pickLoginToken(data) {
   return v != null ? String(v) : "";
 }
 
-async function login(phone, password) {
+function buildTraceId() {
+  return `local-${crypto.randomBytes(8).toString("hex")}`;
+}
+
+function extractBizMessage(json, fallback) {
+  return json && typeof json === "object" && "msg" in json
+    ? String(/** @type {{msg?:string}} */ (json).msg || fallback)
+    : fallback;
+}
+
+function buildHybridAuthBody(plainBody, headers) {
+  if (!encrypt.encryptEnvConfigured()) {
+    return plainBody;
+  }
+  headers.encrypte = "true";
+  const { serverPublicKey } = encrypt.resolveEncryptKeys();
+  const hy = encrypt.hybridEncrypt(plainBody, serverPublicKey);
+  return encrypt.hybridEncryptResultToJson(hy);
+}
+
+function decryptAuthBizJson(rawWireText, jsonAfterParse) {
+  const { clientPrivateKey } = encrypt.resolveEncryptKeys();
+  if (!clientPrivateKey) return jsonAfterParse;
+  return plainBizJsonFromSendCodeWire(
+    typeof rawWireText === "string" ? rawWireText : "",
+    jsonAfterParse,
+    clientPrivateKey,
+  );
+}
+
+async function requestSmsCode(phone) {
+  const url = http.moduleUrl("DEFAULT", "/app/auth/ua/sendCodeV2");
+  const headers = /** @type {Record<string,string>} */ (http.buildDefaultHeaders());
+  const plainBody = JSON.stringify({ phone, objectCode: "3" });
+  const body = buildHybridAuthBody(plainBody, headers);
+
+  const { ok, status, json: jsonAfterParse, rawWireText } = await http.request(url, {
+    method: "POST",
+    headers,
+    body,
+    decryptHybridResponse: false,
+    includeRawWireText: true,
+  });
+
+  const json = decryptAuthBizJson(rawWireText, jsonAfterParse);
+
+  if (!ok) {
+    const msg = extractBizMessage(json, `send login code failed (HTTP ${status})`);
+    console.error(`cyy: ${msg}`);
+    if (json != null) console.error(JSON.stringify(json, null, 2));
+    process.exit(2);
+  }
+
+  if (json == null) {
+    console.error(`cyy: send login code returned empty response body (HTTP ${status}); SMS delivery is not confirmed`);
+    process.exit(2);
+  }
+
+  if (!biz.isBizSuccess(json)) {
+    const msg = extractBizMessage(json, "send login code failed");
+    console.error(`cyy: ${msg}`);
+    if (ok && json != null && typeof json === "object" && encrypt.looksLikeHybridEnvelope(json)) {
+      console.error(
+        "cyy: response is still hybrid-encrypted (decrypt failed). The gateway encrypted with a client public key that does not match the bundled private key, or Base64 fields were truncated. The CLI now only uses bundled keys from embeddedCyyKeys.js. Set CYY_ENCRYPT_DEBUG=1 for RSA/AES diagnostics. See app-api-cli-spec.md section 3.1.",
+      );
+    }
+    console.error(JSON.stringify(json, null, 2));
+    process.exit(2);
+  }
+
+  return { status, json };
+}
+
+async function sendCode(phone) {
+  const { status, json } = await requestSmsCode(phone);
+  const traceId = buildTraceId();
+  console.log(
+    JSON.stringify(
+      {
+        success: true,
+        code: "OK",
+        message: "code sent",
+        data: {
+          phone,
+          objectCode: "3",
+          httpStatus: status,
+          upstream: json,
+        },
+        traceId,
+      },
+      null,
+      2,
+    ),
+  );
+  process.exit(0);
+}
+
+async function loginWithCode(phone, code) {
   const url = http.moduleUrl("DEFAULT", "/app/auth/ua/registerMember/v2");
-  const headers = /** @type {Record<string,string>} */ (http.buildAuthHeaders(null));
-  const body = JSON.stringify({
+  const headers = /** @type {Record<string,string>} */ (http.buildDefaultHeaders());
+  const plainBody = JSON.stringify({
     phone,
     objectCode: "3",
-    password: sha256Hex(password),
-    passwordLoginFlag: true,
-    onKeyLoginFlag: false,
+    password: "",
+    passwordLoginFlag: false,
+    onKeyLoginFlag: true,
+    smsCode: code,
     wxOpenid: "",
   });
+  const body = buildHybridAuthBody(plainBody, headers);
 
-  const { ok, json } = await http.request(url, {
+  const { ok, json: jsonAfterParse, rawWireText } = await http.request(url, {
     method: "POST",
     headers,
     body,
+    decryptHybridResponse: false,
+    includeRawWireText: true,
   });
 
+  const json = decryptAuthBizJson(rawWireText, jsonAfterParse);
+
   if (!ok || !biz.isBizSuccess(json)) {
-    const msg =
-      json && typeof json === "object" && "msg" in json
-        ? String(/** @type {{msg?:string}} */ (json).msg)
-        : "login failed";
+    const msg = extractBizMessage(json, "login failed");
     console.error(`cyy: ${msg}`);
+    if (json != null) console.error(JSON.stringify(json, null, 2));
     process.exit(2);
   }
 
@@ -74,7 +236,7 @@ async function login(phone, password) {
 
   config.saveConfig(saved);
 
-  const traceId = `local-${crypto.randomBytes(8).toString("hex")}`;
+  const traceId = buildTraceId();
   console.log(
     JSON.stringify(
       {
@@ -98,10 +260,35 @@ async function login(phone, password) {
   process.exit(0);
 }
 
+async function promptCode() {
+  const rl = readline.createInterface({ input, output });
+  try {
+    const answer = await rl.question("Enter SMS verification code: ");
+    return String(answer || "").trim();
+  } finally {
+    rl.close();
+  }
+}
+
+async function login(phone, code) {
+  if (code) {
+    await loginWithCode(phone, code);
+    return;
+  }
+
+  await requestSmsCode(phone);
+  const smsCode = await promptCode();
+  if (!smsCode) {
+    console.error("cyy: verification code is required");
+    process.exit(1);
+  }
+  await loginWithCode(phone, smsCode);
+}
+
 async function whoami() {
   const cfg = config.loadConfig();
   if (!cfg?.token) {
-    console.error("cyy: not logged in. Run: cyy auth login --phone ... --password ...");
+    console.error("cyy: not logged in. Run: cyy auth login --phone ...");
     process.exit(1);
   }
   const url = http.moduleUrl("DEFAULT", "/member/getInfo/V2");
@@ -113,7 +300,7 @@ async function whoami() {
     body: null,
   });
 
-  const traceId = `local-${crypto.randomBytes(8).toString("hex")}`;
+  const traceId = buildTraceId();
   const success = ok && biz.isBizSuccess(json);
   console.log(
     JSON.stringify(
@@ -131,4 +318,4 @@ async function whoami() {
   process.exit(success ? 0 : 2);
 }
 
-module.exports = { login, whoami };
+module.exports = { login, loginWithCode, sendCode, whoami };

package/src/commands/cart.js

@@ -1,55 +1,55 @@
-"use strict";
-
-const fs = require("fs");
-const crypto = require("crypto");
-const http = require("../http");
-const config = require("../config");
-const biz = require("../biz");
-
-/**
- * @param {{ bodyFile?: string, bodyJson?: string }} opts
- */
-async function add(opts) {
-  const cfg = config.loadConfig();
-  if (!cfg?.token) {
-    console.error("cyy: not logged in.");
-    process.exit(1);
-  }
-
-  let raw = opts.bodyJson;
-  if (opts.bodyFile) {
-    raw = fs.readFileSync(opts.bodyFile, "utf8");
-  }
-  if (!raw) {
-    console.error("cyy: provide --body-file or --body-json");
-    process.exit(1);
-  }
-
-  const url = http.moduleUrl("ORDER", "/app/order/cart");
-  const headers = /** @type {Record<string,string>} */ (http.buildAuthHeaders(cfg));
-
-  const { ok, json } = await http.request(url, {
-    method: "POST",
-    headers,
-    body: raw,
-  });
-
-  const traceId = `local-${crypto.randomBytes(8).toString("hex")}`;
-  const success = ok && biz.isBizSuccess(json);
-  console.log(
-    JSON.stringify(
-      {
-        success,
-        code: success ? "OK" : "UPSTREAM_ERROR",
-        message: success ? "success" : "cart failed",
-        data: { upstream: json },
-        traceId,
-      },
-      null,
-      2,
-    ),
-  );
-  process.exit(success ? 0 : 2);
-}
-
-module.exports = { add };
+"use strict";
+
+const fs = require("fs");
+const crypto = require("crypto");
+const http = require("../http");
+const config = require("../config");
+const biz = require("../biz");
+
+/**
+ * @param {{ bodyFile?: string, bodyJson?: string }} opts
+ */
+async function add(opts) {
+  const cfg = config.loadConfig();
+  if (!cfg?.token) {
+    console.error("cyy: not logged in.");
+    process.exit(1);
+  }
+
+  let raw = opts.bodyJson;
+  if (opts.bodyFile) {
+    raw = fs.readFileSync(opts.bodyFile, "utf8");
+  }
+  if (!raw) {
+    console.error("cyy: provide --body-file or --body-json");
+    process.exit(1);
+  }
+
+  const url = http.moduleUrl("ORDER", "/app/order/cart");
+  const headers = /** @type {Record<string,string>} */ (http.buildAuthHeaders(cfg));
+
+  const { ok, json } = await http.request(url, {
+    method: "POST",
+    headers,
+    body: raw,
+  });
+
+  const traceId = `local-${crypto.randomBytes(8).toString("hex")}`;
+  const success = ok && biz.isBizSuccess(json);
+  console.log(
+    JSON.stringify(
+      {
+        success,
+        code: success ? "OK" : "UPSTREAM_ERROR",
+        message: success ? "success" : "cart failed",
+        data: { upstream: json },
+        traceId,
+      },
+      null,
+      2,
+    ),
+  );
+  process.exit(success ? 0 : 2);
+}
+
+module.exports = { add };