estatehelm 1.0.3 → 1.0.4

package/dist/index.js

@@ -1475,80 +1475,6 @@ function isPortAvailable(port) {
     server.on("error", () => resolve(false));
   });
 }
-function waitForCallback(port) {
-  return new Promise((resolve, reject) => {
-    const server = http.createServer((req, res) => {
-      const url = new URL(req.url || "/", `http://127.0.0.1:${port}`);
-      const sessionToken = url.searchParams.get("session_token");
-      const error = url.searchParams.get("error");
-      const errorDescription = url.searchParams.get("error_description");
-      if (error) {
-        res.writeHead(400, { "Content-Type": "text/html" });
-        res.end(`
-          <!DOCTYPE html>
-          <html>
-          <head>
-            <title>Authentication Failed</title>
-            <style>
-              body { font-family: system-ui, sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #fef2f2; }
-              .card { background: white; padding: 2rem; border-radius: 1rem; box-shadow: 0 10px 25px rgba(0,0,0,0.1); text-align: center; max-width: 400px; }
-              h1 { color: #dc2626; margin: 0 0 0.5rem; }
-              p { color: #6b7280; margin: 0.5rem 0; }
-              .error { font-family: monospace; background: #f3f4f6; padding: 0.5rem; border-radius: 0.25rem; font-size: 0.875rem; }
-            </style>
-          </head>
-          <body>
-            <div class="card">
-              <h1>Authentication Failed</h1>
-              <p>${errorDescription || error || "An error occurred during authentication."}</p>
-              <p class="error">${error}</p>
-            </div>
-          </body>
-          </html>
-        `);
-        server.close();
-        reject(new Error(errorDescription || error || "Authentication failed"));
-        return;
-      }
-      if (sessionToken) {
-        res.writeHead(200, { "Content-Type": "text/html" });
-        res.end(`
-          <!DOCTYPE html>
-          <html>
-          <head>
-            <title>CLI Authentication Successful</title>
-            <style>
-              body { font-family: system-ui, sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: linear-gradient(115deg, #fff1be 28%, #ee87cb 70%, #b060ff 100%); }
-              .card { background: white; padding: 2rem; border-radius: 1rem; box-shadow: 0 10px 25px rgba(0,0,0,0.1); text-align: center; }
-              h1 { color: #059669; margin: 0 0 0.5rem; }
-              p { color: #6b7280; margin: 0; }
-            </style>
-          </head>
-          <body>
-            <div class="card">
-              <h1>\u2713 Authentication Successful</h1>
-              <p>You can close this window and return to your terminal.</p>
-            </div>
-          </body>
-          </html>
-        `);
-        server.close();
-        resolve(sessionToken);
-      } else {
-        res.writeHead(404, { "Content-Type": "text/plain" });
-        res.end("Not found");
-      }
-    });
-    server.listen(port, "127.0.0.1", () => {
-      console.log(`Callback server listening on http://127.0.0.1:${port}`);
-    });
-    server.on("error", reject);
-    setTimeout(() => {
-      server.close();
-      reject(new Error("Authentication timed out. Please try again."));
-    }, 5 * 60 * 1e3);
-  });
-}
 function createApiClient(token) {
   return new ApiClient({
     baseUrl: API_BASE_URL,
@@ -1618,9 +1544,20 @@ async function decryptDeviceCredentials(encryptedPayload) {
   );
   return new Uint8Array(plaintext);
 }
-async function createNativeLoginFlow(returnTo) {
-  const url = `${KRATOS_URL}/self-service/login/api?return_to=${encodeURIComponent(returnTo)}`;
-  const response = await fetch(url, {
+function generatePKCE() {
+  const verifierBytes = crypto.getRandomValues(new Uint8Array(32));
+  const verifier = base64Encode(verifierBytes).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const hashBuffer = crypto.subtle.digestSync ? crypto.subtle.digestSync("SHA-256", data) : null;
+  const cryptoNode = require("crypto");
+  const hash = cryptoNode.createHash("sha256").update(verifier).digest();
+  const challenge = hash.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  return { verifier, challenge };
+}
+var GOOGLE_CLIENT_ID = "51644152299-ikanidsebtsn6sukgk0sg1hq5h95k2h6.apps.googleusercontent.com";
+async function createNativeLoginFlow() {
+  const response = await fetch(`${KRATOS_URL}/self-service/login/api`, {
     method: "GET",
     headers: { Accept: "application/json" }
   });
@@ -1629,14 +1566,10 @@ async function createNativeLoginFlow(returnTo) {
     throw new Error(`Failed to create login flow: ${response.status} - ${error}`);
   }
   const flow = await response.json();
-  return {
-    flowId: flow.id,
-    flowUrl: flow.request_url || `${KRATOS_URL}/self-service/login?flow=${flow.id}`
-  };
+  return flow.id;
 }
-async function initiateOidcFlow(flowId, provider = "google") {
-  const url = `${KRATOS_URL}/self-service/login?flow=${flowId}`;
-  const response = await fetch(url, {
+async function submitIdTokenToKratos(flowId, idToken, provider = "google") {
+  const response = await fetch(`${KRATOS_URL}/self-service/login?flow=${flowId}`, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
@@ -1644,46 +1577,120 @@ async function initiateOidcFlow(flowId, provider = "google") {
     },
     body: JSON.stringify({
       method: "oidc",
-      provider
-    }),
-    redirect: "manual"
-    // Don't follow redirects
+      provider,
+      id_token: idToken
+    })
   });
-  if (response.status === 422) {
-    const data = await response.json();
-    const redirectUrl = data.redirect_browser_to;
-    if (redirectUrl) {
-      return redirectUrl;
-    }
-    throw new Error("No redirect URL in OIDC response");
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({}));
+    throw new Error(
+      error.error?.message || error.ui?.messages?.[0]?.text || `Kratos login failed: ${response.status}`
+    );
   }
-  if (response.ok) {
-    const data = await response.json();
-    if (data.session_token) {
-      return data.session_token;
-    }
+  const result = await response.json();
+  if (!result.session_token) {
+    throw new Error("No session_token in Kratos response");
   }
-  const error = await response.text();
-  throw new Error(`Failed to initiate OIDC flow: ${response.status} - ${error}`);
+  return result.session_token;
+}
+async function exchangeCodeForTokens(code, codeVerifier, redirectUri) {
+  const response = await fetch("https://oauth2.googleapis.com/token", {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      client_id: GOOGLE_CLIENT_ID,
+      code,
+      code_verifier: codeVerifier,
+      grant_type: "authorization_code",
+      redirect_uri: redirectUri
+    })
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({}));
+    throw new Error(error.error_description || error.error || "Token exchange failed");
+  }
+  const tokens = await response.json();
+  if (!tokens.id_token) {
+    throw new Error("No id_token in Google response");
+  }
+  return {
+    idToken: tokens.id_token,
+    accessToken: tokens.access_token
+  };
+}
+function waitForOAuthCallback(port) {
+  return new Promise((resolve, reject) => {
+    const server = http.createServer((req, res) => {
+      const url = new URL(req.url || "/", `http://127.0.0.1:${port}`);
+      const code = url.searchParams.get("code");
+      const error = url.searchParams.get("error");
+      if (error) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(`
+          <!DOCTYPE html>
+          <html>
+          <head><title>Authentication Failed</title>
+          <style>body{font-family:system-ui;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#fef2f2}.card{background:white;padding:2rem;border-radius:1rem;box-shadow:0 10px 25px rgba(0,0,0,0.1);text-align:center}h1{color:#dc2626}</style></head>
+          <body><div class="card"><h1>Authentication Failed</h1><p>${url.searchParams.get("error_description") || error}</p></div></body>
+          </html>
+        `);
+        server.close();
+        reject(new Error(url.searchParams.get("error_description") || error));
+        return;
+      }
+      if (code) {
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(`
+          <!DOCTYPE html>
+          <html>
+          <head><title>Authentication Successful</title>
+          <style>body{font-family:system-ui;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:linear-gradient(115deg,#fff1be 28%,#ee87cb 70%,#b060ff 100%)}.card{background:white;padding:2rem;border-radius:1rem;box-shadow:0 10px 25px rgba(0,0,0,0.1);text-align:center}h1{color:#059669}</style></head>
+          <body><div class="card"><h1>\u2713 Authentication Successful</h1><p>You can close this window and return to your terminal.</p></div></body>
+          </html>
+        `);
+        server.close();
+        resolve(code);
+        return;
+      }
+      res.writeHead(404);
+      res.end();
+    });
+    server.listen(port, "127.0.0.1");
+    server.on("error", reject);
+    setTimeout(() => {
+      server.close();
+      reject(new Error("Authentication timed out"));
+    }, 5 * 60 * 1e3);
+  });
 }
 async function login() {
   console.log("\nEstateHelm Login");
   console.log("================\n");
-  console.log("Starting authentication server...");
-  const port = await findAvailablePort();
-  const callbackUrl = `http://127.0.0.1:${port}/callback`;
   console.log("Creating login flow...");
-  const { flowId } = await createNativeLoginFlow(callbackUrl);
-  console.log("Initiating OAuth flow...");
-  const oauthUrl = await initiateOidcFlow(flowId, "google");
-  console.log(`
-Opening browser for Google authentication...`);
-  console.log(`If the browser doesn't open, visit: ${oauthUrl}
+  const flowId = await createNativeLoginFlow();
+  const port = await findAvailablePort();
+  const redirectUri = `http://127.0.0.1:${port}/callback`;
+  const { verifier, challenge } = generatePKCE();
+  const authUrl = new URL("https://accounts.google.com/o/oauth2/v2/auth");
+  authUrl.searchParams.set("client_id", GOOGLE_CLIENT_ID);
+  authUrl.searchParams.set("redirect_uri", redirectUri);
+  authUrl.searchParams.set("response_type", "code");
+  authUrl.searchParams.set("scope", "openid email profile");
+  authUrl.searchParams.set("code_challenge", challenge);
+  authUrl.searchParams.set("code_challenge_method", "S256");
+  authUrl.searchParams.set("access_type", "offline");
+  console.log("\nOpening browser for Google authentication...");
+  console.log(`If the browser doesn't open, visit:
+${authUrl.toString()}
 `);
-  const callbackPromise = waitForCallback(port);
-  await (0, import_open.default)(oauthUrl);
+  const codePromise = waitForOAuthCallback(port);
+  await (0, import_open.default)(authUrl.toString());
   console.log("Waiting for authentication...");
-  const sessionToken = await callbackPromise;
+  const code = await codePromise;
+  console.log("Exchanging authorization code...");
+  const { idToken } = await exchangeCodeForTokens(code, verifier, redirectUri);
+  console.log("Completing authentication...");
+  const sessionToken = await submitIdTokenToKratos(flowId, idToken, "google");
   console.log("Authentication successful!");
   console.log(`Token: ${sanitizeToken(sessionToken)}`);
   await saveBearerToken(sessionToken);