fastpass-cli 0.2.0 → 0.2.2

package/README.md

@@ -1,6 +1,6 @@
 # fastpass
 
-A CLI for rapdily configuring [Cloudflare Access](https://www.cloudflare.com/products/zero-trust/access/) — add authentication to internal apps without touching your application code. Creates Access Applications, Identity Providers, and policies via the Cloudflare API.
+A CLI for rapidly configuring [Cloudflare Access](https://www.cloudflare.com/products/zero-trust/access/) — add authentication to internal apps without touching your application code. Creates Access Applications, Identity Providers, and policies via the Cloudflare API.
 
 **Requirements:** Node 18+, Cloudflare account with the domain on your account, Cloudflare Zero Trust (Access) enabled.
 
@@ -60,12 +60,9 @@ Options:
 
 ## Credentials
 
-fastpass needs Cloudflare API access. It checks, in order:
+fastpass needs a Cloudflare API token via the `CLOUDFLARE_API_TOKEN` environment variable.
 
-1. `CLOUDFLARE_API_TOKEN` environment variable
-2. Wrangler OAuth token from `~/.wrangler/config/default.toml` (from `npx wrangler login`)
-
-**Recommended:** Use an API token with:
+Create an API token with:
 
 - **Access: Organizations, Identity Providers, and Groups** — Edit
 - **Access: Apps and Policies** — Edit
@@ -80,8 +77,6 @@ export CLOUDFLARE_API_TOKEN="your-token"
 export CLOUDFLARE_ACCOUNT_ID="your-account-id"
 ```
 
-**Note:** Wrangler’s OAuth token typically does not include Access scopes. If `wrangler login` works for Workers but fastpass fails with permission errors, use a dedicated API token with the permissions above.
-
 **Logs:** The `logs` and `status` commands fetch access events. If they fail, your token may need **Access: Audit Logs** — Read.
 
 ## Prerequisites

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fastpass-cli",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "description": "Cloudflare Access in 60 seconds.",
   "type": "module",
   "bin": {

package/src/auth.js

@@ -1,36 +1,21 @@
-import { readFile } from 'node:fs/promises';
-import { homedir } from 'node:os';
-import { join } from 'node:path';
 import pc from 'picocolors';
 import { spin } from './ui.js';
 
 /**
  * Resolve Cloudflare credentials.
  *
- * Priority:
- *  1. CLOUDFLARE_API_TOKEN env var
- *  2. Wrangler OAuth token from ~/.wrangler/config/default.toml
- *
- * Account ID:
- *  1. CLOUDFLARE_ACCOUNT_ID env var
- *  2. Fetched from /accounts API
+ * Token:    CLOUDFLARE_API_TOKEN env var
+ * Account:  CLOUDFLARE_ACCOUNT_ID env var, or fetched from /accounts API
  */
 export async function getCredentials() {
   const s = spin('Checking Cloudflare credentials');
 
-  let token = process.env.CLOUDFLARE_API_TOKEN;
-
-  if (!token) {
-    s.text = 'Checking Cloudflare credentials (trying wrangler)';
-    token = await tryWranglerToken();
-  }
+  const token = process.env.CLOUDFLARE_API_TOKEN;
 
   if (!token) {
     s.fail('No Cloudflare credentials found');
     console.error('');
-    console.error(`  ${pc.bold('How to fix — pick one:')}`);
-    console.error('');
-    console.error(`  ${pc.cyan('1.')} Set an API token (recommended):`);
+    console.error(`  ${pc.bold('Set an API token:')}`);
     console.error('');
     console.error(`     ${pc.bold('export CLOUDFLARE_API_TOKEN=<your-token>')}`);
     console.error('');
@@ -39,10 +24,6 @@ export async function getCredentials() {
     console.error(`       ${pc.dim('•')} Access: Organizations, Identity Providers, and Groups — Edit`);
     console.error(`       ${pc.dim('•')} Access: Apps and Policies — Edit`);
     console.error('');
-    console.error(`  ${pc.cyan('2.')} Log in with wrangler:`);
-    console.error('');
-    console.error(`     ${pc.bold('npx wrangler login')}`);
-    console.error('');
     process.exit(1);
   }
 
@@ -54,28 +35,10 @@ export async function getCredentials() {
   }
 
   s.succeed('Credentials OK');
+  console.log('');
   return { token, accountId };
 }
 
-async function tryWranglerToken() {
-  try {
-    const configPath = join(homedir(), '.wrangler', 'config', 'default.toml');
-    const content = await readFile(configPath, 'utf-8');
-    const match = content.match(/^oauth_token\s*=\s*"(.+)"/m);
-    if (match?.[1]) {
-      // Check if token is expired
-      const expMatch = content.match(/^expiration_time\s*=\s*"(.+)"/m);
-      if (expMatch?.[1] && new Date(expMatch[1]) < new Date()) {
-        return null; // expired
-      }
-      return match[1];
-    }
-  } catch {
-    // config file not found — wrangler not logged in
-  }
-  return null;
-}
-
 async function fetchAccountId(token) {
   const res = await fetch('https://api.cloudflare.com/client/v4/accounts?per_page=5', {
     headers: { Authorization: `Bearer ${token}` },

package/src/cli.js

@@ -1,6 +1,10 @@
+import { createRequire } from 'node:module';
 import { Command } from 'commander';
 import pc from 'picocolors';
 import { getCredentials } from './auth.js';
+
+const require = createRequire(import.meta.url);
+const { version } = require('../package.json');
 import { createApi } from './api.js';
 import { protect } from './commands/protect.js';
 import { list } from './commands/list.js';
@@ -15,7 +19,7 @@ export function run() {
   program
     .name('fastpass-cli')
     .description('Cloudflare Access in 60 seconds.')
-    .version('0.2.0');
+    .version(version);
 
   // Default action (no subcommand) — run the protect wizard
   program

package/src/commands/protect.js

@@ -1,10 +1,10 @@
 import pc from 'picocolors';
-import { input, select } from '@inquirer/prompts';
+import { input, select, confirm } from '@inquirer/prompts';
 import { getTeamName } from '../auth.js';
 import { ensureEmailOtp } from '../idp/email-otp.js';
 import { ensureGitHub } from '../idp/github.js';
 import { ensureGoogle } from '../idp/google.js';
-import { handleApiError } from '../api.js';
+import { handleApiError, ApiError } from '../api.js';
 import { spin, withSpinner } from '../ui.js';
 
 const AUTH_CHOICES = {
@@ -33,6 +33,16 @@ export async function protect(api, opts = {}) {
 
     // Validate domain exists in CF
     await withSpinner('Verifying domain...', () => validateDomain(api, domain.trim()));
+    console.log('');
+
+    // Check if domain is already protected
+    const existing = await checkExistingApp(api, domain.trim());
+    if (existing) {
+      console.log(`\n  ${pc.yellow('This domain is already protected by Access.')}\n`);
+      console.log(`  Run ${pc.cyan(`fastpass inspect ${domain.trim()}`)} to view its configuration.`);
+      console.log(`  Run ${pc.cyan(`fastpass remove ${domain.trim()}`)} to remove it first.\n`);
+      return;
+    }
 
     // Parse auth methods: comma-separated string from CLI, or single interactive choice
     const authMethods = opts.auth
@@ -48,9 +58,11 @@ export async function protect(api, opts = {}) {
         process.exit(1);
       }
     }
+    console.log('');
 
     // Resolve who gets access
     const { include, includeType } = await resolveAccess(opts.allow);
+    console.log('');
 
     // Get team name for OAuth callback URLs
     const teamName = await withSpinner('Fetching team info', () => getTeamName(api));
@@ -71,6 +83,28 @@ export async function protect(api, opts = {}) {
     // Build the policy include rules
     const policyInclude = buildIncludeRules(include, includeType);
 
+    // Describe access for the summary
+    const accessLabel = describeAccess(include, includeType);
+
+    // Show confirmation summary (skip when all CLI flags provided)
+    const allFlagsProvided = opts.domain && opts.auth && opts.allow;
+    if (!allFlagsProvided) {
+      console.log(`  ${pc.bold('Domain:')}  ${domain.trim()}`);
+      console.log(`  ${pc.bold('Login:')}   ${authMethods.map((m) => AUTH_CHOICES[m].label.split(' (')[0]).join(', ')}`);
+      console.log(`  ${pc.bold('Access:')}  ${accessLabel}`);
+      console.log('');
+
+      const ok = await confirm({
+        message: 'Create this Access application?',
+        default: true,
+      });
+
+      if (!ok) {
+        console.log(pc.dim('  Cancelled.\n'));
+        return;
+      }
+    }
+
     // Create the access application with an inline policy
     const s = spin(`Creating Access application for ${pc.bold(domain.trim())}...`);
 
@@ -91,7 +125,20 @@ export async function protect(api, opts = {}) {
       ],
     };
 
-    const { result: app } = await api.post('/access/apps', appBody);
+    let app;
+    try {
+      const { result } = await api.post('/access/apps', appBody);
+      app = result;
+    } catch (err) {
+      s.fail(`Failed to create Access application for ${pc.bold(domain.trim())}`);
+      if (err instanceof ApiError && err.message.includes('application_already_exists')) {
+        console.log(`\n  ${pc.yellow('This domain is already protected by Access.')}\n`);
+        console.log(`  Run ${pc.cyan(`fastpass inspect ${domain.trim()}`)} to view its configuration.`);
+        console.log(`  Run ${pc.cyan(`fastpass remove ${domain.trim()}`)} to remove it first.\n`);
+        return;
+      }
+      throw err;
+    }
 
     s.succeed(`Protected ${pc.bold(domain.trim())}`);
     console.log('');
@@ -182,6 +229,36 @@ export async function resolveAccess(allowFlag) {
   }
 }
 
+export async function checkExistingApp(api, domain) {
+  const s = spin('Checking for existing application...');
+  try {
+    const { result } = await api.get('/access/apps');
+    const match = result?.find(
+      (app) => app.type === 'self_hosted' && app.domain === domain,
+    );
+    s.stop();
+    return match || null;
+  } catch {
+    s.stop();
+    return null;
+  }
+}
+
+function describeAccess(include, includeType) {
+  switch (includeType) {
+    case 'emails':
+      return include.join(', ');
+    case 'domain':
+      return `*@${include[0]}`;
+    case 'github_org':
+      return `GitHub org: ${include[0]}`;
+    case 'everyone':
+      return 'Everyone (any logged-in user)';
+    default:
+      return 'Everyone';
+  }
+}
+
 export function buildIncludeRules(include, includeType) {
   switch (includeType) {
     case 'emails':