gamedev 0.2.1 → 0.2.3

package/app-server/cliAuth.js

@@ -1,5 +1,3 @@
-import crypto from 'crypto'
-import http from 'http'
 import { spawn } from 'child_process'
 
 import { joinUrl, normalizeWorldAdminBaseUrl } from './helpers.js'
@@ -58,138 +56,6 @@ export async function fetchCliAuthStatus({ worldUrl, authToken }) {
   return data
 }
 
-function createCallbackServer({ worldId, worldUrl, state, timeoutMs = 10 * 60 * 1000 } = {}) {
-  const expectedState = typeof state === 'string' && state.trim() ? state.trim() : crypto.randomUUID()
-  let settled = false
-  let timeoutId = null
-  let server = null
-  let startupResolve = null
-  let startupReject = null
-  let startupState = 'pending'
-  const startup = new Promise((resolve, reject) => {
-    startupResolve = resolve
-    startupReject = reject
-  })
-
-  const close = async () => {
-    if (!server) return
-    const target = server
-    server = null
-    await new Promise(resolve => target.close(() => resolve()))
-  }
-
-  const result = new Promise((resolve, reject) => {
-    server = http.createServer(async (req, res) => {
-      res.setHeader('Access-Control-Allow-Origin', '*')
-      res.setHeader('Access-Control-Allow-Methods', 'POST, OPTIONS')
-      res.setHeader('Access-Control-Allow-Headers', 'Content-Type')
-      if (req.method === 'OPTIONS') {
-        res.statusCode = 204
-        res.end()
-        return
-      }
-
-      if (req.method !== 'POST' || req.url !== '/callback') {
-        res.statusCode = 404
-        res.end('Not found')
-        return
-      }
-
-      const chunks = []
-      req.on('data', chunk => {
-        chunks.push(chunk)
-      })
-      req.on('error', async error => {
-        if (settled) return
-        settled = true
-        clearTimeout(timeoutId)
-        res.statusCode = 500
-        res.end(JSON.stringify({ error: 'callback_read_failed' }))
-        await close()
-        reject(error instanceof Error ? error : createError('callback_read_failed'))
-      })
-      req.on('end', async () => {
-        let payload
-        try {
-          payload = JSON.parse(Buffer.concat(chunks).toString('utf8') || '{}')
-        } catch {
-          res.statusCode = 400
-          res.end(JSON.stringify({ error: 'invalid_payload' }))
-          return
-        }
-
-        const receivedState = typeof payload?.state === 'string' ? payload.state.trim() : ''
-        const authToken = typeof payload?.authToken === 'string' ? payload.authToken.trim() : ''
-        const receivedWorldId = typeof payload?.worldId === 'string' ? payload.worldId.trim() : ''
-        const receivedWorldUrl = typeof payload?.worldUrl === 'string' ? payload.worldUrl.trim() : ''
-
-        if (!authToken || !receivedState || receivedState !== expectedState) {
-          res.statusCode = 400
-          res.end(JSON.stringify({ error: 'invalid_callback_state' }))
-          return
-        }
-        if (worldId && receivedWorldId && receivedWorldId !== worldId) {
-          res.statusCode = 409
-          res.end(JSON.stringify({ error: 'world_id_mismatch' }))
-          return
-        }
-        if (worldUrl && receivedWorldUrl && normalizeWorldAdminBaseUrl(receivedWorldUrl) !== normalizeWorldAdminBaseUrl(worldUrl)) {
-          res.statusCode = 409
-          res.end(JSON.stringify({ error: 'world_url_mismatch' }))
-          return
-        }
-
-        settled = true
-        clearTimeout(timeoutId)
-        res.statusCode = 200
-        res.setHeader('Content-Type', 'application/json')
-        res.end(JSON.stringify({ ok: true }))
-        await close()
-        resolve(payload)
-      })
-    })
-
-    server.listen(0, '127.0.0.1', () => {
-      if (startupState === 'pending') {
-        startupState = 'ready'
-        startupResolve()
-      }
-      timeoutId = setTimeout(async () => {
-        if (settled) return
-        settled = true
-        await close()
-        reject(createError('auth_timeout', 'Timed out waiting for browser authentication'))
-      }, timeoutMs)
-    })
-
-    server.on('error', async error => {
-      if (startupState === 'pending') {
-        startupState = 'failed'
-        startupReject(error instanceof Error ? error : createError('callback_server_failed'))
-      }
-      if (settled) return
-      settled = true
-      clearTimeout(timeoutId)
-      await close()
-      reject(error instanceof Error ? error : createError('callback_server_failed'))
-    })
-  })
-
-  return {
-    state: expectedState,
-    async getCallbackUrl() {
-      await startup
-      const address = server.address()
-      if (!address || typeof address === 'string') {
-        throw createError('callback_server_failed')
-      }
-      return `http://127.0.0.1:${address.port}/callback`
-    },
-    result,
-    close,
-  }
-}
-
 async function launchBrowser(url) {
   const commands =
     process.platform === 'darwin'
@@ -218,9 +84,7 @@ async function launchBrowser(url) {
 export function buildCliAuthUrl({
   worldUrl,
   worldId,
-  callbackUrl,
   sessionId,
-  state,
   requiredCapability = 'builder',
 } = {}) {
   const normalizedWorldUrl = normalizeWorldAdminBaseUrl(worldUrl)
@@ -228,10 +92,8 @@ export function buildCliAuthUrl({
     throw createError('invalid_world_url', 'Invalid world URL')
   }
   const url = new URL(joinUrl(normalizedWorldUrl, '/auth/cli'))
-  if (callbackUrl) url.searchParams.set('callback', callbackUrl)
   if (sessionId) url.searchParams.set('session', sessionId)
   if (worldId) url.searchParams.set('worldId', worldId)
-  if (state) url.searchParams.set('state', state)
   url.searchParams.set('required', normalizeCapability(requiredCapability))
   return url.toString()
 }
@@ -254,12 +116,6 @@ async function createRemoteCliAuthSession({ worldUrl, worldId, requiredCapabilit
   })
   const data = await response.json().catch(() => null)
   if (!response.ok) {
-    if (response.status === 404 || response.status === 405) {
-      throw createError('cli_auth_session_unsupported', 'World does not support server-mediated CLI auth sessions', {
-        status: response.status,
-        data,
-      })
-    }
     throw createError(
       data?.error || `session_create_failed:${response.status}`,
       data?.message || 'Failed to create CLI auth session',
@@ -333,7 +189,7 @@ async function openCliAuthUrl(authUrl, { log = console } = {}) {
   log?.log?.('Opening browser for world auth...')
 }
 
-async function runLoopbackBrowserCliAuth({
+export async function runBrowserCliAuth({
   rootDir = process.cwd(),
   worldUrl,
   worldId,
@@ -341,89 +197,33 @@ async function runLoopbackBrowserCliAuth({
   timeoutMs,
   log = console,
 } = {}) {
-  const callback = createCallbackServer({
+  const session = await createRemoteCliAuthSession({
+    worldUrl,
+    worldId,
+    requiredCapability,
+  })
+  const authUrl = buildCliAuthUrl({
+    worldUrl,
     worldId,
+    sessionId: session.sessionId,
+    requiredCapability,
+  })
+  await openCliAuthUrl(authUrl, { log })
+  const payload = await waitForRemoteCliAuthSession({
     worldUrl,
+    sessionId: session.sessionId,
     timeoutMs,
   })
-  try {
-    const callbackUrl = await callback.getCallbackUrl()
-    const authUrl = buildCliAuthUrl({
-      worldUrl,
-      worldId,
-      callbackUrl,
-      state: callback.state,
-      requiredCapability,
-    })
-
-    await openCliAuthUrl(authUrl, { log })
-
-    const payload = await callback.result
-    const entry = writeProjectAuthEntry(rootDir, {
-      worldUrl: payload.worldUrl || worldUrl,
-      worldId: payload.worldId || worldId,
-      authToken: payload.authToken,
-      userId: payload?.user?.id || null,
-      userName: payload?.user?.name || null,
-    })
-    return {
-      entry,
-      capabilities: payload?.capabilities || null,
-    }
-  } finally {
-    await callback.close().catch(() => {})
-  }
-}
-
-export async function runBrowserCliAuth({
-  rootDir = process.cwd(),
-  worldUrl,
-  worldId,
-  requiredCapability = 'builder',
-  timeoutMs,
-  log = console,
-} = {}) {
-  try {
-    const session = await createRemoteCliAuthSession({
-      worldUrl,
-      worldId,
-      requiredCapability,
-    })
-    const authUrl = buildCliAuthUrl({
-      worldUrl,
-      worldId,
-      sessionId: session.sessionId,
-      requiredCapability,
-    })
-    await openCliAuthUrl(authUrl, { log })
-    const payload = await waitForRemoteCliAuthSession({
-      worldUrl,
-      sessionId: session.sessionId,
-      timeoutMs,
-    })
-    const entry = writeProjectAuthEntry(rootDir, {
-      worldUrl: payload.worldUrl || worldUrl,
-      worldId: payload.worldId || worldId,
-      authToken: payload.authToken,
-      userId: payload?.user?.id || null,
-      userName: payload?.user?.name || null,
-    })
-    return {
-      entry,
-      capabilities: payload?.capabilities || null,
-    }
-  } catch (error) {
-    if (error?.code === 'cli_auth_session_unsupported') {
-      return runLoopbackBrowserCliAuth({
-        rootDir,
-        worldUrl,
-        worldId,
-        requiredCapability,
-        timeoutMs,
-        log,
-      })
-    }
-    throw error
+  const entry = writeProjectAuthEntry(rootDir, {
+    worldUrl: payload.worldUrl || worldUrl,
+    worldId: payload.worldId || worldId,
+    authToken: payload.authToken,
+    userId: payload?.user?.id || null,
+    userName: payload?.user?.name || null,
+  })
+  return {
+    entry,
+    capabilities: payload?.capabilities || null,
   }
 }
 

package/app-server/commands.js

@@ -260,14 +260,14 @@ export class HyperfyCLI {
     return process.env.HYPERFY_TARGET_CONFIRM === 'true'
   }
 
-  async _connectAdminClient() {
+  async _connectAdminClient({ requiredCapability = 'builder' } = {}) {
     this._requireWorldUrl()
     this._requireWorldId()
     const auth = await ensureProjectAuth({
       rootDir: this.rootDir,
       worldUrl: this.worldUrl,
       worldId: this.worldId,
-      requiredCapability: 'builder',
+      requiredCapability,
       interactive: process.stdin.isTTY,
       log: console,
     })
@@ -411,7 +411,7 @@ export class HyperfyCLI {
 
     console.log(`🚀 Deploying app: ${appName}`)
 
-    const server = await this._connectAdminClient()
+    const server = await this._connectAdminClient({ requiredCapability: 'deploy' })
     try {
       if (!options.dryRun && !options.yes && this._shouldConfirmDeployTarget()) {
         const target = process.env.HYPERFY_TARGET ? ` "${process.env.HYPERFY_TARGET}"` : ''
@@ -452,7 +452,7 @@ export class HyperfyCLI {
 
   async rollback(snapshotId) {
     console.log(`⏪ Rolling back deploy snapshot...`)
-    const server = await this._connectAdminClient()
+    const server = await this._connectAdminClient({ requiredCapability: 'deploy' })
     try {
       const owner = `hyperfy-cli:${process.env.HYPERFY_TARGET || 'default'}:${process.pid}`
       const lock = await server.client.acquireDeployLock({ owner })
@@ -486,7 +486,7 @@ export class HyperfyCLI {
 
   async status() {
     console.log(`📊 Admin Status`)
-    const server = await this._connectAdminClient()
+    const server = await this._connectAdminClient({ requiredCapability: 'builder' })
     try {
       const snapshot = await server.client.getSnapshot()
       const blueprints = Array.isArray(snapshot?.blueprints) ? snapshot.blueprints.length : 0
@@ -572,7 +572,7 @@ export class HyperfyCLI {
       return false
     }
 
-    const server = await this._connectAdminClient()
+    const server = await this._connectAdminClient({ requiredCapability: 'deploy' })
     try {
       const result = await server.resolveSyncConflict(id, { use })
       if (result?.alreadyResolved) {
@@ -592,7 +592,7 @@ export class HyperfyCLI {
   }
 
   async syncResolveInteractive() {
-    const server = await this._connectAdminClient()
+    const server = await this._connectAdminClient({ requiredCapability: 'deploy' })
     try {
       const summary = await server.promptAndResolveSyncConflicts()
       if (!summary?.prompted && summary?.remaining > 0) {

package/bin/gamedev.mjs

@@ -486,7 +486,7 @@ async function startCommand(args = []) {
       rootDir: projectDir,
       worldUrl: env.WORLD_URL,
       worldId: env.WORLD_ID,
-      requiredCapability: 'builder',
+      requiredCapability: 'deploy',
       interactive: process.stdin.isTTY,
       log: console,
     })
@@ -584,7 +584,7 @@ async function appServerCommand(args = []) {
       rootDir: projectDir,
       worldUrl: env.WORLD_URL,
       worldId: env.WORLD_ID,
-      requiredCapability: 'builder',
+      requiredCapability: 'deploy',
       interactive: process.stdin.isTTY,
       log: console,
     })
@@ -848,12 +848,12 @@ async function syncCommand(args) {
   return runSyncCommand({ command, args: commandArgs, rootDir: projectDir, helpPrefix: 'gamedev sync' })
 }
 
-async function connectAdminServer({ worldUrl, worldId, rootDir }) {
+async function connectAdminServer({ worldUrl, worldId, rootDir, requiredCapability = 'builder' }) {
   const auth = await ensureProjectAuth({
     rootDir,
     worldUrl,
     worldId,
-    requiredCapability: 'builder',
+    requiredCapability,
     interactive: process.stdin.isTTY,
     log: console,
   })
@@ -976,12 +976,18 @@ async function worldCommand(args) {
 
     let server
     try {
-      server = await connectAdminServer({ worldUrl, worldId, rootDir: projectDir })
       if (action === 'export') {
+        server = await connectAdminServer({ worldUrl, worldId, rootDir: projectDir })
         const includeBuiltScripts = actionArgs.includes('--include-built-scripts')
         await server.exportWorldToDisk(undefined, { includeBuiltScripts })
         console.log('✅ World export complete')
       } else {
+        server = await connectAdminServer({
+          worldUrl,
+          worldId,
+          rootDir: projectDir,
+          requiredCapability: 'deploy',
+        })
         await server.importWorldFromDisk()
         console.log('✅ World import complete')
       }

package/build/index.js

@@ -63145,17 +63145,13 @@ async function createStandaloneGuestSession({
   };
 }
 function buildCliAuthPage({
-  callbackUrl,
   sessionId,
-  state,
   worldId,
   requiredCapability = "builder",
   publicAuthUrl = null
 } = {}) {
   const config = JSON.stringify({
-    callbackUrl: normalizeString2(callbackUrl),
     sessionId: normalizeString2(sessionId),
-    state: normalizeString2(state),
     worldId: normalizeString2(worldId),
     requiredCapability: normalizeString2(requiredCapability) || "builder",
     publicAuthUrl: hasValue2(publicAuthUrl) ? publicAuthUrl.trim() : null
@@ -63544,18 +63540,6 @@ function buildCliAuthPage({
         return !!capabilities?.builder
       }
 
-      function validateCallbackUrl(value) {
-        try {
-          const parsed = new URL(value)
-          const hostname = parsed.hostname
-          if (!hostname) return null
-          if (hostname !== '127.0.0.1' && hostname !== 'localhost' && hostname !== '::1') return null
-          return parsed.toString()
-        } catch {
-          return null
-        }
-      }
-
       async function fetchStatus(token) {
         const response = await fetch(\`\${apiBaseUrl()}/auth/cli/status\`, {
           headers: {
@@ -63613,47 +63597,24 @@ function buildCliAuthPage({
         return token
       }
 
-      async function submitToken(token, status) {
-        if (config.sessionId) {
-          const response = await fetch(\`\${apiBaseUrl()}/auth/cli/session/\${encodeURIComponent(config.sessionId)}\`, {
-            method: 'POST',
-            headers: {
-              'content-type': 'application/json',
-              accept: 'application/json',
-            },
-            body: JSON.stringify({
-              worldUrl: worldRootUrl(),
-              authToken: token,
-            }),
-          })
-          if (!response.ok) {
-            const payload = await response.json().catch(() => null)
-            throw new Error(payload?.error || 'session_complete_failed')
-          }
-          return
+      async function submitToken(token) {
+        if (!config.sessionId) {
+          throw new Error('Invalid session id')
         }
-
-        const callbackUrl = validateCallbackUrl(config.callbackUrl)
-        if (!callbackUrl) {
-          throw new Error('Invalid callback URL')
-        }
-        const response = await fetch(callbackUrl, {
+        const response = await fetch(\`\${apiBaseUrl()}/auth/cli/session/\${encodeURIComponent(config.sessionId)}\`, {
           method: 'POST',
           headers: {
             'content-type': 'application/json',
+            accept: 'application/json',
           },
           body: JSON.stringify({
-            state: config.state,
-            worldId: status?.worldId || config.worldId || '',
             worldUrl: worldRootUrl(),
             authToken: token,
-            user: status?.user || null,
-            capabilities: status?.capabilities || null,
           }),
         })
         if (!response.ok) {
           const payload = await response.json().catch(() => null)
-          throw new Error(payload?.error || 'callback_failed')
+          throw new Error(payload?.error || 'session_complete_failed')
         }
       }
 
@@ -63695,7 +63656,7 @@ function buildCliAuthPage({
               'success'
             )
             setHint('Permission confirmed. The CLI is storing this world token locally.', 'success')
-            await submitToken(token, status)
+            await submitToken(token)
             clearInterval(polling)
             setTimeout(() => {
               window.close()
@@ -65234,21 +65195,17 @@ async function handleCliAuthPage(req, reply) {
   if (!isRuntimeReady(runtimeState)) {
     return sendRuntimeNotReady2(reply, runtimeState, { html: true });
   }
-  const callbackUrl = typeof req.query?.callback === "string" ? req.query.callback.trim() : "";
   const sessionId = typeof req.query?.session === "string" ? req.query.session.trim() : "";
-  const state = typeof req.query?.state === "string" ? req.query.state.trim() : "";
   const worldId = typeof req.query?.worldId === "string" ? req.query.worldId.trim() : resolveBoundWorldId() || "";
   const requiredCapability = typeof req.query?.required === "string" ? req.query.required.trim() : "builder";
-  if (!sessionId && (!callbackUrl || !state)) {
+  if (!sessionId) {
     return reply.code(400).type("text/html").send(
-      "<!doctype html><html><body>Missing session or callback parameters.</body></html>"
+      "<!doctype html><html><body>Missing session.</body></html>"
     );
   }
   reply.type("text/html").send(
     buildCliAuthPage({
-      callbackUrl,
       sessionId,
-      state,
       worldId,
       requiredCapability,
       publicAuthUrl: process.env.PUBLIC_AUTH_URL || null