dbdocs 0.19.0 → 1.0.0

package/README.md

@@ -119,10 +119,13 @@ login to dbdocs
 
 ```bash
 USAGE
-  $ dbdocs login
+  $ dbdocs login [--legacy]
+
+FLAGS
+  --legacy  Use legacy login methods: Email OTP or Google/GitHub with manual token copy
 
 DESCRIPTION
-  login with your dbdocs credentials
+  login to dbdocs
 ```
 
 ## `dbdocs logout`

package/oclif.manifest.json

@@ -123,8 +123,15 @@
     "login": {
       "aliases": [],
       "args": {},
-      "description": "login to dbdocs\nlogin with your dbdocs credentials\n",
-      "flags": {},
+      "description": "login to dbdocs",
+      "flags": {
+        "legacy": {
+          "description": "Use legacy login methods: Email OTP or Google/GitHub with manual token copy",
+          "name": "legacy",
+          "allowNo": false,
+          "type": "boolean"
+        }
+      },
       "hasDynamicHelp": false,
       "hiddenAliases": [],
       "id": "login",
@@ -379,5 +386,5 @@
       ]
     }
   },
-  "version": "0.19.0"
+  "version": "1.0.0"
 }

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "dbdocs",
-  "version": "0.19.0",
+  "version": "1.0.0",
   "author": "@holistics",
   "bin": {
     "dbdocs": "./bin/run"
   },
   "dependencies": {
-    "@dbml/connector": "5.3.0",
-    "@dbml/core": "5.3.0",
+    "@dbml/connector": "5.3.1",
+    "@dbml/core": "5.3.1",
     "@oclif/core": "1.26.2",
     "@oclif/plugin-help": "6.2.32",
     "axios": "^1.12.0",

package/src/assets/callback-error.html

@@ -0,0 +1,109 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>dbdocs CLI - Authentication Failed</title>
+    <style>
+      * {
+        margin: 0;
+        padding: 0;
+        box-sizing: border-box;
+      }
+
+      body {
+        font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        min-height: 100vh;
+        background: #f9fafb;
+      }
+
+      .container {
+        background: white;
+        border-radius: 6px;
+        border: 1px solid #eff0f3;
+        box-shadow: 0 10px 15px -3px rgb(0 0 0 / 0.1), 0 4px 6px -4px rgb(0 0 0 / 0.1);
+        padding: 32px;
+        width: 100%;
+        max-width: 400px;
+        text-align: center;
+      }
+
+      .logo-container {
+        margin-bottom: 16px;
+      }
+
+      .logo {
+        height: 48px;
+      }
+
+      h1 {
+        color: #ff4f46;
+        font-size: 24px;
+        font-weight: 600;
+        margin-bottom: 20px;
+      }
+
+      .error-box {
+        background: #ffeef1;
+        border: 1px solid #fea5a6;
+        border-radius: 6px;
+        padding: 16px;
+        text-align: left;
+      }
+
+      .error-title {
+        font-weight: 600;
+        color: #ff4f46;
+        margin-bottom: 8px;
+        font-size: 16px;
+      }
+
+      .error-message {
+        font-size: 14px;
+        color: #ff4f46;
+        line-height: 1.5;
+      }
+
+      p {
+        color: #718096;
+        line-height: 1.6;
+        font-size: 15px;
+      }
+
+      strong {
+        color: #2d3748;
+      }
+
+      .footer {
+        margin-top: 24px;
+        padding-top: 24px;
+        border-top: 1px solid #e2e8f0;
+        color: #a0aec0;
+        font-size: 13px;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+      <div class="logo-container">
+        <svg class="logo" width="155" height="155" viewBox="0 0 155 155" fill="none" xmlns="http://www.w3.org/2000/svg">
+          <path d="M155 29C155 12.9837 142.016 0 126 0H29C12.9837 0 0 12.9837 0 29V126C0 142.016 12.9837 155 29 155H126C142.016 155 155 142.016 155 126V29Z" fill="#0246CC"/>
+          <path d="M77.5 54.6521C102.065 54.6521 121.978 47.8098 121.978 39.3694C121.978 30.929 102.065 24.0867 77.5 24.0867C52.9354 24.0867 33.0218 30.929 33.0218 39.3694C33.0218 47.8098 52.9354 54.6521 77.5 54.6521Z" fill="white"/>
+          <path d="M33.0399 76.4867V91.6759C33.0399 96.6868 50.3603 103.965 77.5001 103.965C104.64 103.965 121.96 96.6868 121.96 91.6759V76.4867C112.817 82.4469 95.0968 85.5314 77.5001 85.5314C59.9034 85.5314 42.1828 82.4469 33.0399 76.4867Z" fill="#287EFF"/>
+          <path d="M33.0399 50.5847V67.5282C33.0399 72.5391 50.3603 79.8172 77.5001 79.8172C104.64 79.8172 121.96 72.5391 121.96 67.5282V50.5847C113.453 57.1317 97.1229 61.3837 77.5001 61.3837C57.8772 61.3837 41.5476 57.1317 33.0399 50.5847Z" fill="#96C0FF"/>
+          <path d="M33.0399 101.065V116.254C33.0399 121.265 50.3603 128.543 77.5001 128.543C104.64 128.543 121.96 121.265 121.96 116.254V101.065C112.817 107.025 95.0968 110.11 77.5001 110.11C59.9034 110.11 42.1828 107.025 33.0399 101.065Z" fill="#0258ED"/>
+        </svg>
+      </div>
+
+      <h1>Authentication Failed</h1>
+
+      <div class="error-box">
+        <p class="error-title">Invalid redirect URL</p>
+        <p class="error-message">The authentication callback could not be completed.</p>
+      </div>
+    </div>
+  </body>
+</html>

package/src/assets/callback-success.html

@@ -0,0 +1,73 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>dbdocs CLI - Completing Authentication</title>
+    <style>
+      * {
+        margin: 0;
+        padding: 0;
+        box-sizing: border-box;
+      }
+
+      body {
+        font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        min-height: 100vh;
+        background: #f9fafb;
+      }
+
+      .container {
+        background: white;
+        border-radius: 6px;
+        border: 1px solid #eff0f3;
+        box-shadow: 0 10px 15px -3px rgb(0 0 0 / 0.1), 0 4px 6px -4px rgb(0 0 0 / 0.1);
+        padding: 32px;
+        width: 100%;
+        max-width: 400px;
+        text-align: center;
+      }
+
+      .logo-container {
+        margin-bottom: 16px;
+      }
+
+      .logo {
+        height: 48px;
+      }
+
+      h1 {
+        color: #048cff;
+        font-size: 24px;
+        font-weight: 600;
+        margin-bottom: 16px;
+      }
+
+      p {
+        color: #323740;
+        line-height: 1.6;
+        font-size: 14px;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+      <div class="logo-container">
+        <svg class="logo" width="155" height="155" viewBox="0 0 155 155" fill="none" xmlns="http://www.w3.org/2000/svg">
+          <path d="M155 29C155 12.9837 142.016 0 126 0H29C12.9837 0 0 12.9837 0 29V126C0 142.016 12.9837 155 29 155H126C142.016 155 155 142.016 155 126V29Z" fill="#0246CC"/>
+          <path d="M77.5 54.6521C102.065 54.6521 121.978 47.8098 121.978 39.3694C121.978 30.929 102.065 24.0867 77.5 24.0867C52.9354 24.0867 33.0218 30.929 33.0218 39.3694C33.0218 47.8098 52.9354 54.6521 77.5 54.6521Z" fill="white"/>
+          <path d="M33.0399 76.4867V91.6759C33.0399 96.6868 50.3603 103.965 77.5001 103.965C104.64 103.965 121.96 96.6868 121.96 91.6759V76.4867C112.817 82.4469 95.0968 85.5314 77.5001 85.5314C59.9034 85.5314 42.1828 82.4469 33.0399 76.4867Z" fill="#287EFF"/>
+          <path d="M33.0399 50.5847V67.5282C33.0399 72.5391 50.3603 79.8172 77.5001 79.8172C104.64 79.8172 121.96 72.5391 121.96 67.5282V50.5847C113.453 57.1317 97.1229 61.3837 77.5001 61.3837C57.8772 61.3837 41.5476 57.1317 33.0399 50.5847Z" fill="#96C0FF"/>
+          <path d="M33.0399 101.065V116.254C33.0399 121.265 50.3603 128.543 77.5001 128.543C104.64 128.543 121.96 121.265 121.96 116.254V101.065C112.817 107.025 95.0968 110.11 77.5001 110.11C59.9034 110.11 42.1828 107.025 33.0399 101.065Z" fill="#0258ED"/>
+        </svg>
+      </div>
+
+      <h1>Completing Authentication</h1>
+
+      <p>You can close this window and return to your terminal to continue.</p>
+    </div>
+  </body>
+</html>

package/src/commands/login.js

@@ -1,4 +1,4 @@
-const { Command } = require('@oclif/core');
+const { Command, Flags } = require('@oclif/core');
 const open = require('open');
 const inquirer = require('inquirer').default;
 const axios = require('axios');
@@ -7,7 +7,12 @@ const netrc = require('netrc-parser').default;
 const { vars } = require('../vars');
 const { isValidEmail } = require('../validators/email');
 const { isValidOtp } = require('../validators/otp');
-const { LOGIN_METHODS } = require('../utils/constants');
+const { LOGIN_METHODS, LOGIN_STRATEGIES, PORTAL_ERROR_CODES, PORTAL_LOGIN_CONFIGS } = require('../utils/constants');
+const { initAuthClient } = require('../services/auth/portal');
+const { sleep } = require('../utils/helper');
+const { openUrlInExternalBrowser } = require('../utils/browser');
+
+const TIMEOUT_BEFORE_OPEN_BROWSER_MS = 500;
 
 async function askForOtp (spinner, shortLivedToken, email) {
   const cliSpinner = spinner;
@@ -69,10 +74,106 @@ async function loginViaEmail (spinner) {
   return token;
 }
 
+function getPortalErrorMessage(errorCode, errorDescription = '') {
+  // If we have errorDescription, use it (this is the main display)
+  if (errorDescription) return errorDescription;
+
+  // Otherwise, fallback to default mapped messages
+  const errorMessages = {
+    [PORTAL_ERROR_CODES.loginTimeout]: 'Login timed out after 5 minutes. Please try again.',
+    [PORTAL_ERROR_CODES.loginCancelled]: 'Login cancelled.',
+    [PORTAL_ERROR_CODES.stateMismatch]: 'Security validation failed. Please try again.',
+    [PORTAL_ERROR_CODES.invalidCallback]: 'Invalid authentication callback received. Please try again.',
+    [PORTAL_ERROR_CODES.exchangeFailed]: 'Failed to exchange authorization code. Please try again.',
+    [PORTAL_ERROR_CODES.loopbackServerError]: 'Failed to start callback server. Please try again.',
+    [PORTAL_ERROR_CODES.unknownError]: 'Login failed. Please try again.',
+  };
+
+  return errorMessages[errorCode] || 'An unexpected error occurred. Please try again.';
+}
+
 class LoginCommand extends Command {
-  async run () {
-    const spinner = ora({});
+  /**
+   * Detect which login strategy to use
+   * Priority: CLI flag > env var > default (portal)
+   * @param {boolean} legacyFlag - The --legacy flag value
+   * @param {string} loginStrategy - The login strategy from environment variable
+   * @returns {'portal' | 'legacy'}
+   */
+  detectStrategy (legacyFlag, loginStrategy) {
+    if (legacyFlag) return LOGIN_STRATEGIES.legacy;
+
+    return loginStrategy;
+  }
+
+  /**
+   * Execute portal login flow (OAuth 2.0 with PKCE)
+   * @param {ora.Ora} spinner - The ora spinner instance
+   * @returns {Promise<string>} Access token
+   * @throws {Error} If login fails (after displaying error to user)
+   */
+  async executePortalLogin (spinner) {
+    let authClient = null;
+
+    try {
+      this.log('Preparing authentication...');
+
+      authClient = await initAuthClient({
+        loginUrl: vars.loginUrl,
+        loginApiUrl: vars.loginApiUrl,
+        clientId: PORTAL_LOGIN_CONFIGS.clientId,
+      });
+
+      const loginUrl = authClient.getLoginUrl();
+
+      spinner.text = 'Attempting to open authentication page in your browser...';
+      spinner.start();
+
+      try {
+        await sleep(TIMEOUT_BEFORE_OPEN_BROWSER_MS);
+        await openUrlInExternalBrowser(loginUrl);
+
+        spinner.succeed();
+      } catch (err) {
+        spinner.warn();
+        spinner.warn(`Could not open browser automatically. Please navigate to:\n${loginUrl}`);
+      }
+
+      spinner.text = 'Waiting for authentication... (Press CTRL+C to cancel)';
+      spinner.start();
+
+      const { accessToken } = await authClient.obtainTokens();
+
+      spinner.text = 'Authentication successful';
+      spinner.succeed();
+
+      return accessToken;
+    } catch (error) {
+      const errorMessage = error.code
+        ? getPortalErrorMessage(error.code, error.errorDescription)
+        : `Login failed: ${error.message || 'Unknown error'}`;
+
+      this.error(errorMessage);
+    } finally {
+      // Always cleanup
+      if (authClient) {
+        authClient.cleanup();
+      }
+    }
+  }
+
+  /**
+   * Execute legacy login flow (Email OTP or Social)
+   * @param {ora.Ora} spinner - The ora spinner instance
+   * @returns {Promise<string>} Access token
+   * @throws {Error} If login fails (after displaying error to user)
+   */
+  async executeLegacyLogin (spinner) {
     try {
+      // Show deprecation warning
+      this.warn('⚠️ You are using the legacy login. You can remove the --legacy flag for automatic browser authentication.');
+
+      // Prompt for login method
       const loginMethodAnswer = await inquirer.prompt([
         {
           type: 'rawlist',
@@ -103,69 +204,138 @@ class LoginCommand extends Command {
         authToken = answer.authToken;
       }
 
-      spinner.text = 'Validate token';
-      spinner.start();
+      return authToken;
+    } catch (error) {
+      // Handle legacy-specific errors
+      let errorMessage = error.message || 'Login failed. Please try again.';
+
+      if (error.response) {
+        const { error: apiError } = error.response.data;
+        switch (apiError.name) {
+          case 'OtpInvalidError':
+            errorMessage = 'Invalid OTP. Please login again.';
+            break;
+
+          case 'OtpUsedError':
+            errorMessage = 'OTP used recently. Please login again after couple minutes.';
+            break;
+
+          case 'EmailDeliveryFailedError':
+            errorMessage = 'Email delivery failed. Please login again.';
+            break;
+
+          default:
+            errorMessage = error.message || 'Login failed. Please try again.';
+            break;
+        }
+      }
+
+      this.error(errorMessage);
+    }
+  }
+
+  /**
+   * Verify token with API
+   * @param {string} token - Access token to verify
+   * @returns {Promise<object>} User account object
+   * @throws {Error} If token is invalid
+   */
+  async verifyToken (token) {
+    try {
       const { data: { account } } = await axios.get(`${vars.apiUrl}/account`, {
         headers: {
-          Authorization: authToken,
+          Authorization: token,
           'Authorization-Method': 'login',
         },
       });
+
+      return account;
+    } catch (error) {
+      if (error.response) {
+        const { error: apiError } = error.response.data;
+        switch (apiError.name) {
+          case 'TokenExpiredError':
+            throw new Error('Your token has expired. Please login again.');
+
+          case 'InvalidAuthToken':
+            throw new Error('Invalid token. Please login again.');
+
+          default:
+            throw new Error('Failed to verify token. Please try again.');
+        }
+      }
+
+      throw error;
+    }
+  }
+
+  /**
+   * Store token to ~/.netrc file
+   * @param {string} token - Access token to store
+   * @param {object} user - User account object with email
+   * @returns {Promise<void>}
+   */
+  async storeToken (token, user) {
+    const { apiHost } = vars;
+    await netrc.load();
+
+    const previousEntry = netrc.machines[apiHost];
+    if (!previousEntry) {
+      netrc.machines[apiHost] = {};
+    }
+
+    netrc.machines[apiHost].login = user.email;
+    netrc.machines[apiHost].password = token;
+    await netrc.save();
+  }
+
+  async run () {
+    const { flags } = await this.parse(LoginCommand);
+    const spinner = ora({});
+
+    try {
+      // 1. Detect strategy
+      const strategy = this.detectStrategy(flags.legacy, vars.loginStrategy);
+
+      // 2. Execute strategy (returns token)
+      let accessToken;
+      if (strategy === LOGIN_STRATEGIES.legacy) {
+        accessToken = await this.executeLegacyLogin(spinner);
+      } else {
+        accessToken = await this.executePortalLogin(spinner);
+      }
+
+      // 3. Verify token
+      spinner.text = 'Validate token';
+      spinner.start();
+      const user = await this.verifyToken(accessToken);
       spinner.succeed();
 
+      // 4. Store token
       spinner.text = 'Save credential';
       spinner.start();
-      const { apiHost } = vars;
-      await netrc.load();
-      const previousEntry = netrc.machines[apiHost];
-      if (!previousEntry) {
-        netrc.machines[apiHost] = {};
-      }
-      netrc.machines[apiHost].login = account.email;
-      netrc.machines[apiHost].password = authToken;
-      await netrc.save();
+      await this.storeToken(accessToken, user);
       spinner.succeed();
 
       this.log('\nDone.');
-    } catch (err) {
+    } catch (error) {
+      // Cleanup spinner if still running
       if (spinner.isSpinning) {
         spinner.fail();
       }
-      let message = err.message || 'Something wrong :( Please try again.';
-      if (err.response) {
-        const { error } = err.response.data;
-        switch (error.name) {
-          case 'TokenExpiredError':
-            message = 'Your token has expired. Please login again.';
-            break;
-
-          case 'InvalidAuthToken':
-            message = 'Invalid token. Please login again.';
-            break;
 
-          case 'OtpInvalidError':
-            message = 'Invalid OTP. Please login again.';
-            break;
-
-          case 'OtpUsedError':
-            message = 'OTP used recently. Please login again after couple minutes.';
-            break;
-
-          case 'EmailDeliveryFailedError':
-            message = 'Email delivery failed. Please login again.';
-            break;
-
-          default:
-            break;
-        }
-      }
-      this.error(message);
+      this.error(error.message || 'Something wrong. Please try again.');
     }
   }
 }
 
-LoginCommand.description = `login to dbdocs
-login with your dbdocs credentials
-`;
+LoginCommand.description = 'login to dbdocs';
+
+LoginCommand.flags = {
+  legacy: Flags.boolean({
+    description: 'Use legacy login methods: Email OTP or Google/GitHub with manual token copy',
+    default: false,
+  }),
+};
 
 module.exports = LoginCommand;

package/src/errors/BaseError.js

@@ -0,0 +1,10 @@
+class BaseError extends Error {
+  constructor(message, code) {
+    super(message);
+    Error.captureStackTrace(this);
+
+    this.code = code;
+  }
+}
+
+module.exports = BaseError;

package/src/errors/common-errors.js

@@ -0,0 +1,12 @@
+const BaseError = require('./BaseError');
+
+class PortalAuthenticationError extends BaseError {
+  constructor(code, errorDescription = '') {
+    super(code, code); // Base message is just the code (internal use)
+    this.errorDescription = errorDescription; // This is the main display message
+  }
+}
+
+module.exports = {
+  PortalAuthenticationError,
+};

package/src/services/auth/portal/index.js

@@ -0,0 +1,206 @@
+const { randomBytes, createHash } = require('crypto');
+const axios = require('axios');
+const { startLoopbackServer } = require('./server');
+const { PORTAL_ERROR_CODES, PORTAL_LOGIN_CONFIGS } = require('../../../utils/constants');
+const { PortalAuthenticationError } = require('../../../errors/common-errors');
+
+const STATE_BYTES_LENGTH = 32;
+const CODE_VERIFIER_BYTES_LENGTH = 32;
+
+const generateLoginState = () => randomBytes(STATE_BYTES_LENGTH).toString('base64url');
+
+const generateCodeVerifier = () => randomBytes(CODE_VERIFIER_BYTES_LENGTH).toString('base64url');
+
+/**
+ *
+ * @param {string} codeVerifier
+ * @returns {string}
+ */
+const generateCodeChallenge = (codeVerifier) => {
+  const hash = createHash('sha256');
+  hash.update(codeVerifier);
+
+  return hash.digest().toString('base64url');
+};
+
+/**
+ * Build portal login URL with OAuth parameters
+ * @param {{ baseUrl: string, redirectUri: string, codeChallenge: string, state: string, clientId: string }} params
+ * @returns {URL}
+ */
+const generateLoginUrl = (params) => {
+  const {
+    baseUrl,
+    redirectUri,
+    codeChallenge,
+    state,
+    clientId,
+  } = params;
+
+  const url = new URL('/login', baseUrl);
+  url.searchParams.set('client_id', clientId);
+  url.searchParams.set('redirect_uri', redirectUri);
+  url.searchParams.set('response_type', 'code');
+  url.searchParams.set('code_challenge', codeChallenge);
+  url.searchParams.set('state', state);
+  url.searchParams.set('prompt', 'select_account');
+
+  return url;
+};
+
+/**
+ * Exchange authorization code for access token
+ * @param {{ apiHost: string, code: string, codeVerifier: string, redirectUri: string, clientId: string }} params
+ * @returns {Promise<{ accessToken: string }>}
+ * @throws {PortalAuthenticationError} with code 'EXCHANGE_FAILED'
+ */
+async function exchangeCodeForToken(params) {
+  const { apiHost, code, codeVerifier, redirectUri, clientId } = params;
+
+  try {
+    const { data } = await axios.post(`${apiHost}/portal/auth/token`, {
+      grantType: 'authorization_code',
+      redirectUri,
+      clientId,
+      code,
+      codeVerifier,
+    });
+
+    return data;
+  } catch (error) {
+    if (axios.isAxiosError(error)) {
+      // We let the description be empty since there is a mapping function that has a fallback for it
+      let description = '';
+      if (axios.isAxiosError(error)) {
+        if (error.response) {
+          description = error.response.data?.message || '';
+        } else {
+          description = error.message || '';
+        }
+      } else {
+        description = error.message || '';
+      }
+
+      throw new PortalAuthenticationError(
+        PORTAL_ERROR_CODES.exchangeFailed,
+        description,
+      );
+    }
+
+    throw new PortalAuthenticationError(
+      PORTAL_ERROR_CODES.exchangeFailed,
+      error.message || '',
+    );
+  }
+}
+
+/**
+ * Initialize OAuth client for portal login
+ * Returns a client object with methods to get login URL and exchange token
+ *
+ * @param {{ loginUrl: string, loginApiUrl: string, clientId: string }} options
+ * @returns {Promise<{
+ *   getLoginUrl: () => string,
+ *   obtainTokens: () => Promise<{ accessToken: string }>,
+ *   cleanup: () => void
+ * }>}
+ */
+async function initAuthClient(options) {
+  const { loginUrl, loginApiUrl, clientId } = options;
+
+  const codeVerifier = generateCodeVerifier();
+  const codeChallenge = generateCodeChallenge(codeVerifier);
+  const state = generateLoginState();
+
+  // Start loopback server with configuration
+  const { port, close: closeLoopbackServer, loginCompletePromise } = await startLoopbackServer({
+    address: PORTAL_LOGIN_CONFIGS.loopbackServer.address,
+    port: PORTAL_LOGIN_CONFIGS.loopbackServer.autoAssignedPort,
+  });
+
+  const redirectUri = `http://${PORTAL_LOGIN_CONFIGS.loopbackServer.address}:${port}/callback`;
+
+  const portalLoginUrl = generateLoginUrl({
+    baseUrl: loginUrl,
+    redirectUri,
+    codeChallenge,
+    state,
+    clientId,
+  });
+
+  const getLoginUrl = () => portalLoginUrl.toString();
+
+  const obtainTokens = async () => {
+    let timeoutId;
+    let sigintHandler;
+
+    try {
+      // Prevent infinite waiting for the browser response
+      const timeoutPromise = new Promise((_, reject) => {
+        timeoutId = setTimeout(() => {
+          reject(
+            new PortalAuthenticationError(PORTAL_ERROR_CODES.loginTimeout)
+          )
+        }, PORTAL_LOGIN_CONFIGS.loginTimeoutMs);
+      });
+
+      // Create cancellation promise for user termination (Ctrl+C)
+      const cancellationPromise = new Promise((_, reject) => {
+        sigintHandler = () => {
+          reject(
+            new PortalAuthenticationError(PORTAL_ERROR_CODES.loginCancelled)
+          );
+        };
+        process.once('SIGINT', sigintHandler);
+      });
+
+      const { code, state: returnedState } = await Promise.race([
+        loginCompletePromise,
+        timeoutPromise,
+        cancellationPromise,
+      ]);
+
+      // Validate state to prevent CSRF attacks
+      if (state !== returnedState) {
+        throw new PortalAuthenticationError(PORTAL_ERROR_CODES.stateMismatch);
+      }
+
+      // Exchange authorization code for access token
+      const { accessToken } = await exchangeCodeForToken({
+        apiHost: loginApiUrl,
+        code,
+        codeVerifier,
+        redirectUri,
+        clientId,
+      });
+
+      return { accessToken };
+    } catch (error) {
+      if (error instanceof PortalAuthenticationError) throw error;
+
+      throw new PortalAuthenticationError(
+        PORTAL_ERROR_CODES.unknownError,
+        error.message || '',
+      );
+    } finally {
+      // Cleanup resources
+      if (timeoutId) {
+        clearTimeout(timeoutId);
+      }
+      if (sigintHandler) {
+        process.removeListener('SIGINT', sigintHandler);
+      }
+      closeLoopbackServer();
+    }
+  };
+
+  return {
+    getLoginUrl,
+    obtainTokens,
+    cleanup: () => { closeLoopbackServer() },
+  };
+}
+
+module.exports = {
+  initAuthClient,
+};

package/src/services/auth/portal/server.js

@@ -0,0 +1,106 @@
+const fs = require('fs');
+const path = require('path');
+const { createServer } = require('http');
+
+const { PortalAuthenticationError } = require('../../../errors/common-errors');
+const { PORTAL_ERROR_CODES } = require('../../../utils/constants');
+
+// Load HTML templates once at module load
+const errorHtml = fs.readFileSync(path.join(__dirname, '../../../assets', 'callback-error.html'), 'utf-8');
+const successHtml = fs.readFileSync(path.join(__dirname, '../../../assets', 'callback-success.html'), 'utf-8');
+
+const DEFAULT_HTTP_HEADERS = {
+  'Content-Type': 'text/html; charset=utf-8',
+};
+
+/**
+ * Start a local HTTP loopback server to receive OAuth callback
+ * @param {Object} options - Server configuration options
+ * @param {string} options.address - Address to bind to (default: '127.0.0.1')
+ * @param {number} options.port - Port to listen on (0 = auto-assign)
+ * @returns {Promise<{ port: number, loginCompletePromise: Promise<{code: string, state: string}>, close: Function }>}
+ */
+const startLoopbackServer = ({ address, port } = {}) => {
+  return new Promise((resolve, reject) => {
+    let isServerClosed = false;
+    let loginResolve = null;
+    let loginReject = null;
+
+    const loginCompletePromise = new Promise((res, rej) => {
+      loginResolve = res;
+      loginReject = rej;
+    });
+
+    const server = createServer();
+
+    const closeServer = () => {
+      if (!isServerClosed && server) {
+        isServerClosed = true;
+
+        // The success or error page could keep the connection alive and prevent the server from closing
+        // So we need to close all connections before closing the server
+        server.closeAllConnections();
+        server.close();
+      }
+    };
+
+    server.on('error', (err) => {
+      closeServer();
+      reject(
+        new PortalAuthenticationError(
+          PORTAL_ERROR_CODES.loopbackServerError,
+          err.message || '',
+        )
+      );
+    });
+
+    server.on('request', (req, res) => {
+      const reqUrl = new URL(req.url, `http://${req.headers.host}`);
+
+      const { pathname } = reqUrl;
+      switch (pathname) {
+        case '/callback': {
+          const code = reqUrl.searchParams.get('code');
+          const state = reqUrl.searchParams.get('state');
+
+          if (!code || !state) {
+            res.writeHead(400, DEFAULT_HTTP_HEADERS);
+            res.end(errorHtml);
+
+            closeServer();
+            loginReject(new PortalAuthenticationError(PORTAL_ERROR_CODES.invalidCallback));
+            return;
+          }
+
+          res.writeHead(200, DEFAULT_HTTP_HEADERS);
+          res.end(successHtml);
+
+          loginResolve({ code, state });
+          break;
+        }
+        default: {
+          res.writeHead(404, DEFAULT_HTTP_HEADERS);
+          res.end();
+          closeServer();
+          loginReject(new PortalAuthenticationError(
+            PORTAL_ERROR_CODES.invalidCallback,
+          ));
+          return;
+        }
+      }
+    });
+
+    // Listen on specified address and port
+    server.listen(port, address, () => {
+      resolve({
+        port: server.address().port,
+        loginCompletePromise,
+        close: closeServer,
+      });
+    });
+  });
+};
+
+module.exports = {
+  startLoopbackServer,
+};

package/src/user_data.json

@@ -1 +1 @@
-{"BUILD_COUNT":1}
+{"BUILD_COUNT":2}

package/src/utils/browser.js

@@ -0,0 +1,13 @@
+const open = require('open');
+/**
+ * Open URL in default browser
+ * @param {string} url - URL to open
+ * @returns {Promise<void>}
+ */
+const openUrlInExternalBrowser = async (url) => {
+  await open(url, { wait: false });
+};
+
+module.exports = {
+  openUrlInExternalBrowser,
+};

package/src/utils/constants.js

@@ -43,6 +43,37 @@ const HOST_CONFIG_STATUS = {
   inactive: 'inactive',
 };
 
+const LOGIN_STRATEGIES = {
+  legacy: 'legacy',
+  portal: 'portal',
+};
+
+/**
+ * Portal authentication error codes
+ * Used for OAuth 2.0 flow errors
+ */
+const PORTAL_ERROR_CODES = {
+  loginTimeout: 'LOGIN_TIMEOUT',
+  loginCancelled: 'LOGIN_CANCELLED',
+  stateMismatch: 'STATE_MISMATCH',
+  invalidCallback: 'INVALID_CALLBACK',
+  exchangeFailed: 'EXCHANGE_FAILED',
+  loopbackServerError: 'LOOPBACK_SERVER_ERROR',
+  unknownError: 'UNKNOWN_ERROR',
+};
+
+const PORTAL_LOGIN_CONFIGS = {
+  clientId: 'dbdocs-cli',
+  loginTimeoutMs: 5 * 60 * 1000, // 5 minutes
+  loopbackServer: {
+    // It's recommended to use 127.0.0.1 instead of localhost since the localhost can be overriden on the host machine
+    // See https://www.rfc-editor.org/rfc/rfc8252#section-8.3
+    address: '127.0.0.1',
+    // For node http server, port 0 means the OS will assign a random one
+    autoAssignedPort: 0,
+  },
+};
+
 module.exports = {
   PROJECT_GENERAL_ACCESS_TYPE,
   PROJECT_SHARING_TEXT,
@@ -52,4 +83,7 @@ module.exports = {
   WINDOW_FILE_PATH_REGEX,
   UNIX_FILE_PATH_REGEX,
   HOST_CONFIG_STATUS,
+  LOGIN_STRATEGIES,
+  PORTAL_ERROR_CODES,
+  PORTAL_LOGIN_CONFIGS,
 };

package/src/utils/helper.js

@@ -15,8 +15,15 @@ const parseProjectName = (projectName) => {
 
 const getProjectUrl = (hostUrl, orgName, projectUrl) => `${hostUrl}/${encodeURIComponent(orgName)}/${projectUrl}`;
 
+const sleep = async (miliseconds) => new Promise((resolve) => {
+  setTimeout(() => {
+    resolve(undefined);
+  }, miliseconds);
+});
+
 module.exports = {
   getIsPublicValueFromBuildFlag,
   getProjectUrl,
   parseProjectName,
+  sleep,
 };

package/src/vars.js

@@ -1,3 +1,5 @@
+const { LOGIN_STRATEGIES } = require("./utils/constants");
+
 /* eslint-disable class-methods-use-this */
 class Vars {
   get host () {
@@ -23,6 +25,19 @@ class Vars {
   get envApiHost () {
     return process.env.DBDOCS_API_HOST;
   }
+
+  get loginStrategy () {
+    const envLoginStrategy = process.env.DBDOCS_LOGIN_STRATEGY || '';
+    return Object.values(LOGIN_STRATEGIES).includes(envLoginStrategy) ? envLoginStrategy : LOGIN_STRATEGIES.portal;
+  }
+
+  get loginUrl () {
+    return process.env.DBDOCS_LOGIN_URL || 'https://dbdiagram.io';
+  }
+
+  get loginApiUrl () {
+    return process.env.DBDOCS_LOGIN_API_URL || this.apiUrl;
+  }
 }
 
 module.exports.Vars = Vars;

package/src/vars.js.staging

@@ -1,3 +1,5 @@
+const { LOGIN_STRATEGIES } = require("./utils/constants");
+
 /* eslint-disable class-methods-use-this */
 // Copied from `vars.js` and replace the 5th and 9th lines with staging's endpoints
 class Vars {
@@ -24,6 +26,19 @@ class Vars {
   get envApiHost () {
     return process.env.DBDOCS_API_HOST;
   }
+
+  get loginStrategy () {
+    const envLoginStrategy = process.env.DBDOCS_LOGIN_STRATEGY || '';
+    return Object.values(LOGIN_STRATEGIES).includes(envLoginStrategy) ? envLoginStrategy : LOGIN_STRATEGIES.portal;
+  }
+
+  get loginUrl () {
+    return process.env.DBDOCS_LOGIN_URL || 'https://staging.dbdiagram.io';
+  }
+
+  get loginApiUrl () {
+    return process.env.DBDOCS_LOGIN_API_URL || this.apiUrl;
+  }
 }
 
 module.exports.Vars = Vars;