huntr-cli 1.0.9

package/src/config/clerk-session-manager.ts

@@ -0,0 +1,263 @@
+import keytar from 'keytar';
+import https from 'https';
+
+const SERVICE_NAME = 'huntr-cli';
+const ACCOUNT_SESSION_COOKIE = 'clerk-session-cookie';  // __session value
+const ACCOUNT_SESSION_ID = 'clerk-session-id';           // sess_...
+const ACCOUNT_CLIENT_UAT = 'clerk-client-uat';          // __client_uat value (optional)
+const ACCOUNT_EXTRA_COOKIES = 'clerk-extra-cookies';    // JSON map of clerk-domain cookies
+
+const CLERK_HOST = 'clerk.huntr.co';
+
+/**
+ * Manages Clerk session-based JWT refresh for the Huntr CLI.
+ *
+ * Modern Clerk architecture (v5+):
+ *   - __session cookie  : stores the short-lived session JWT (60s exp).
+ *                         The cookie itself has a long expiry (1 year);
+ *                         Clerk JS updates its *value* via FAPI silently.
+ *   - __client_uat      : Unix timestamp of last client update — not a credential.
+ *
+ * To refresh from outside a browser, we POST the __session value to Clerk's
+ * FAPI tokens endpoint. Clerk validates the session and returns a fresh JWT.
+ *
+ * Endpoint:
+ *   POST https://clerk.huntr.co/v1/client/sessions/{sessionId}/tokens
+ *   Cookie: __session=<value>
+ *   Response: { jwt: "ey..." }
+ *
+ * The __session value must be re-extracted from the browser periodically
+ * (roughly every few weeks, when Clerk rotates the underlying session).
+ * For daily use it persists fine.
+ */
+export class ClerkSessionManager {
+  // ── storage ──────────────────────────────────────────────────────────────
+
+  async saveSession(
+    sessionCookieValue: string,
+    sessionId: string,
+    clientUat?: string,
+    extraCookies?: Record<string, string>,
+  ): Promise<void> {
+    await keytar.setPassword(SERVICE_NAME, ACCOUNT_SESSION_COOKIE, sessionCookieValue);
+    await keytar.setPassword(SERVICE_NAME, ACCOUNT_SESSION_ID, sessionId);
+    if (clientUat) {
+      await keytar.setPassword(SERVICE_NAME, ACCOUNT_CLIENT_UAT, clientUat);
+    }
+    if (extraCookies && Object.keys(extraCookies).length > 0) {
+      await keytar.setPassword(SERVICE_NAME, ACCOUNT_EXTRA_COOKIES, JSON.stringify(extraCookies));
+    }
+  }
+
+  async getSessionCookie(): Promise<string | null> {
+    return keytar.getPassword(SERVICE_NAME, ACCOUNT_SESSION_COOKIE);
+  }
+
+  async getSessionId(): Promise<string | null> {
+    return keytar.getPassword(SERVICE_NAME, ACCOUNT_SESSION_ID);
+  }
+
+  async getClientUat(): Promise<string | null> {
+    return keytar.getPassword(SERVICE_NAME, ACCOUNT_CLIENT_UAT);
+  }
+
+  async getExtraCookies(): Promise<Record<string, string>> {
+    const raw = await keytar.getPassword(SERVICE_NAME, ACCOUNT_EXTRA_COOKIES);
+    if (!raw) return {};
+    try {
+      const parsed = JSON.parse(raw) as Record<string, unknown>;
+      const out: Record<string, string> = {};
+      for (const [k, v] of Object.entries(parsed)) {
+        if (typeof v === 'string' && v.length > 0) out[k] = v;
+      }
+      return out;
+    } catch {
+      return {};
+    }
+  }
+
+  async clearSession(): Promise<void> {
+    await keytar.deletePassword(SERVICE_NAME, ACCOUNT_SESSION_COOKIE);
+    await keytar.deletePassword(SERVICE_NAME, ACCOUNT_SESSION_ID);
+    await keytar.deletePassword(SERVICE_NAME, ACCOUNT_CLIENT_UAT);
+    await keytar.deletePassword(SERVICE_NAME, ACCOUNT_EXTRA_COOKIES);
+  }
+
+  async hasSession(): Promise<boolean> {
+    const cookie = await this.getSessionCookie();
+    const sessionId = await this.getSessionId();
+    return !!(cookie && sessionId);
+  }
+
+  // ── token refresh ─────────────────────────────────────────────────────────
+
+  /**
+   * Returns a fresh Clerk JWT by POSTing to the Clerk FAPI tokens endpoint
+   * using the stored __session cookie value.
+   */
+  async getFreshToken(): Promise<string> {
+    const sessionCookie = await this.getSessionCookie();
+    const sessionId = await this.getSessionId();
+    const clientUat = await this.getClientUat();
+    const extraCookies = await this.getExtraCookies();
+
+    if (!sessionCookie || !sessionId) {
+      throw new Error(
+        'No Clerk session stored. Run:\n' +
+        '  huntr config set-session <__session-cookie-value>\n' +
+        'See "huntr config set-session --help" for instructions.',
+      );
+    }
+
+    return this.fetchToken(sessionCookie, sessionId, clientUat, extraCookies);
+  }
+
+  async refreshFromProvidedSession(
+    sessionCookieValue: string,
+    sessionId: string,
+    clientUat?: string | null,
+    extraCookies?: Record<string, string>,
+  ): Promise<string> {
+    return this.fetchToken(sessionCookieValue, sessionId, clientUat, extraCookies);
+  }
+
+  private fetchToken(
+    sessionCookieValue: string,
+    sessionId: string,
+    clientUat?: string | null,
+    extraCookies: Record<string, string> = {},
+  ): Promise<string> {
+    return new Promise((resolve, reject) => {
+      // Match the exact request Clerk JS makes (version pinned to what huntr.co loads)
+      const path = `/v1/client/sessions/${sessionId}/tokens?_clerk_js_version=4.73.14`;
+      // Strip any "__session=" prefix if user pasted it with the name
+      const raw = sessionCookieValue.startsWith('__session=')
+        ? sessionCookieValue.slice('__session='.length)
+        : sessionCookieValue;
+      // Send all cookies Clerk expects, matching browser credentials:include behaviour
+      const uat = clientUat && clientUat.trim() ? clientUat.trim() : '1';
+      const cookieParts = [`__session=${raw}`, `__client_uat=${uat}`];
+      for (const [name, value] of Object.entries(extraCookies)) {
+        if (!value || name === '__session' || name === '__client_uat') continue;
+        if (!/^[A-Za-z0-9_.-]+$/.test(name)) continue;
+        cookieParts.push(`${name}=${value}`);
+      }
+      const cookieHeader = cookieParts.join('; ');
+
+      const options = {
+        hostname: CLERK_HOST,
+        path,
+        method: 'POST',
+        headers: {
+          'Cookie': cookieHeader,
+          'Content-Type': 'application/x-www-form-urlencoded',
+          'Content-Length': '0',
+          'Accept': 'application/json',
+          'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36',
+          'Origin': 'https://huntr.co',
+          'Referer': 'https://huntr.co/',
+          'sec-fetch-site': 'same-site',
+          'sec-fetch-mode': 'cors',
+          'sec-fetch-dest': 'empty',
+        },
+      };
+
+      const req = https.request(options, (res) => {
+        let body = '';
+        res.on('data', (chunk: Buffer) => { body += chunk.toString(); });
+        res.on('end', async () => {
+          if (res.statusCode === 200 || res.statusCode === 201) {
+            try {
+              const data = JSON.parse(body);
+              // Clerk FAPI response: { object: 'token', jwt: '...' }
+                const token = data.jwt ?? data.token ?? data.object?.jwt;
+                if (!token) {
+                  reject(new Error(`Unexpected Clerk response: ${body.substring(0, 300)}`));
+                } else {
+                  // Clerk may rotate __session on refresh via Set-Cookie.
+                  // Persisting it prevents "works once, fails later" behavior.
+                  await this.persistRotatedSessionCookie(res.headers['set-cookie'], sessionId, raw, uat, extraCookies);
+                  resolve(token as string);
+                }
+            } catch {
+              reject(new Error(`Failed to parse Clerk response: ${body.substring(0, 300)}`));
+            }
+          } else if (res.statusCode === 401 || res.statusCode === 403) {
+            reject(new Error(
+              `Clerk session expired or invalid (HTTP ${res.statusCode}).\n` +
+              'Re-extract your __session cookie from the browser:\n' +
+              '  DevTools → Application → Cookies → https://huntr.co → __session → Value\n' +
+              'Then run: huntr config set-session <new-value>',
+            ));
+          } else {
+            reject(new Error(
+              `Clerk token refresh failed: HTTP ${res.statusCode}\n${body.substring(0, 300)}`,
+            ));
+          }
+        });
+      });
+
+      req.on('error', (err: Error) =>
+        reject(new Error(`Network error refreshing token: ${err.message}`)),
+      );
+      req.end();
+    });
+  }
+
+  private async persistRotatedSessionCookie(
+    setCookie: string | string[] | undefined,
+    sessionId: string,
+    currentSessionCookie: string,
+    clientUat?: string,
+    extraCookies: Record<string, string> = {},
+  ): Promise<void> {
+    if (!setCookie) return;
+    const cookies = Array.isArray(setCookie) ? setCookie : [setCookie];
+    let sessionCookie: string = currentSessionCookie;
+    let rotatedUat = clientUat;
+    const rotatedExtras: Record<string, string> = { ...extraCookies };
+
+    for (const header of cookies) {
+      const firstPair = header.split(';', 1)[0] ?? '';
+      const idx = firstPair.indexOf('=');
+      if (idx <= 0) continue;
+      const name = firstPair.slice(0, idx);
+      const value = firstPair.slice(idx + 1);
+      if (!value) continue;
+
+      if (name === '__session') {
+        sessionCookie = value;
+      } else if (name === '__client_uat') {
+        rotatedUat = value;
+      } else if (/^[A-Za-z0-9_.-]+$/.test(name)) {
+        rotatedExtras[name] = value;
+      }
+    }
+
+    await this.saveSession(sessionCookie, sessionId, rotatedUat, rotatedExtras);
+  }
+
+  // ── session-id extraction ─────────────────────────────────────────────────
+
+  /**
+   * Extracts the Clerk session ID (sess_...) from a __session JWT value.
+   * The __session cookie value IS a JWT; its payload contains `sid`.
+   */
+  static extractSessionId(sessionJwt: string): string | null {
+    try {
+      const raw = sessionJwt.startsWith('__session=')
+        ? sessionJwt.slice('__session='.length)
+        : sessionJwt;
+
+      const parts = raw.split('.');
+      if (parts.length < 2) return null;
+
+      const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf-8'));
+      const sid = payload.sid ?? payload.session_id;
+      if (typeof sid === 'string' && sid.startsWith('sess_')) return sid;
+    } catch {
+      // fall through
+    }
+    return null;
+  }
+}

package/src/config/config-manager.ts

@@ -0,0 +1,56 @@
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+
+export interface HuntrConfig {
+  apiToken?: string;
+}
+
+export class ConfigManager {
+  private configDir: string;
+  private configPath: string;
+
+  constructor() {
+    this.configDir = path.join(os.homedir(), '.huntr');
+    this.configPath = path.join(this.configDir, 'config.json');
+  }
+
+  private ensureConfigDir(): void {
+    if (!fs.existsSync(this.configDir)) {
+      fs.mkdirSync(this.configDir, { recursive: true });
+    }
+  }
+
+  getConfig(): HuntrConfig {
+    try {
+      if (fs.existsSync(this.configPath)) {
+        const content = fs.readFileSync(this.configPath, 'utf-8');
+        return JSON.parse(content);
+      }
+    } catch (error) {
+      // Return empty config if file doesn't exist or is invalid
+    }
+    return {};
+  }
+
+  setConfig(config: HuntrConfig): void {
+    this.ensureConfigDir();
+    fs.writeFileSync(this.configPath, JSON.stringify(config, null, 2));
+  }
+
+  getToken(): string | undefined {
+    return this.getConfig().apiToken;
+  }
+
+  setToken(token: string): void {
+    const config = this.getConfig();
+    config.apiToken = token;
+    this.setConfig(config);
+  }
+
+  clearToken(): void {
+    const config = this.getConfig();
+    delete config.apiToken;
+    this.setConfig(config);
+  }
+}

package/src/config/keychain-manager.ts

@@ -0,0 +1,30 @@
+import keytar from 'keytar';
+
+const SERVICE_NAME = 'huntr-cli';
+const ACCOUNT_NAME = 'api-token';
+
+export class KeychainManager {
+  async getToken(): Promise<string | null> {
+    try {
+      return await keytar.getPassword(SERVICE_NAME, ACCOUNT_NAME);
+    } catch (error) {
+      return null;
+    }
+  }
+
+  async setToken(token: string): Promise<void> {
+    try {
+      await keytar.setPassword(SERVICE_NAME, ACCOUNT_NAME, token);
+    } catch (error) {
+      throw new Error('Failed to save token to keychain');
+    }
+  }
+
+  async deleteToken(): Promise<boolean> {
+    try {
+      return await keytar.deletePassword(SERVICE_NAME, ACCOUNT_NAME);
+    } catch (error) {
+      return false;
+    }
+  }
+}

package/src/config/token-capture.ts

@@ -0,0 +1,233 @@
+import * as http from 'http';
+import * as path from 'path';
+import * as os from 'os';
+import { TokenManager } from './token-manager';
+
+export class TokenCaptureServer {
+  private server: http.Server | null = null;
+  private tokenManager: TokenManager;
+  private htmlPath: string;
+
+  constructor(tokenManager: TokenManager) {
+    this.tokenManager = tokenManager;
+    this.htmlPath = path.join(os.tmpdir(), 'huntr-token-capture.html');
+  }
+
+  async start(port: number = 17432): Promise<string> {
+    return new Promise((resolve, reject) => {
+      this.server = http.createServer(async (req, res) => {
+        // Enable CORS for file:// protocol
+        res.setHeader('Access-Control-Allow-Origin', '*');
+        res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+        res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+
+        if (req.method === 'OPTIONS') {
+          res.writeHead(200);
+          res.end();
+          return;
+        }
+
+        // Serve the HTML page
+        if (req.method === 'GET' && req.url === '/') {
+          res.writeHead(200, { 'Content-Type': 'text/html' });
+          res.end(this.getHtmlPage(port));
+          return;
+        }
+
+        if (req.method === 'POST' && req.url === '/token') {
+          let body = '';
+
+          req.on('data', chunk => {
+            body += chunk.toString();
+          });
+
+          req.on('end', async () => {
+            try {
+              const data = JSON.parse(body);
+              const token = data.token;
+
+              if (!token) {
+                res.writeHead(400, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ ok: false, error: 'No token provided' }));
+                return;
+              }
+
+              // Save token to config file
+              await this.tokenManager.saveToken(token, 'config');
+
+              const sessionId = `session_${Date.now()}`;
+
+              res.writeHead(200, { 'Content-Type': 'application/json' });
+              res.end(JSON.stringify({ ok: true, sessionId }));
+
+              console.log('\n✓ Token captured and saved!');
+              console.log('You can now use the CLI without --token flag.');
+
+              // Close server after successful capture
+              setTimeout(() => {
+                this.stop();
+                process.exit(0);
+              }, 100);
+
+            } catch (error) {
+              res.writeHead(500, { 'Content-Type': 'application/json' });
+              res.end(JSON.stringify({ ok: false, error: 'Internal server error' }));
+            }
+          });
+        } else {
+          res.writeHead(404);
+          res.end('Not found');
+        }
+      });
+
+      this.server.on('error', (error: any) => {
+        if (error.code === 'EADDRINUSE') {
+          reject(new Error(`Port ${port} is already in use`));
+        } else {
+          reject(error);
+        }
+      });
+
+      this.server.listen(port, () => {
+        resolve(`http://127.0.0.1:${port}`);
+      });
+    });
+  }
+
+  stop() {
+    if (this.server) {
+      this.server.close();
+      this.server = null;
+    }
+  }
+
+  private getHtmlPage(port: number): string {
+    return `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>Huntr Token Capture</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+      max-width: 600px;
+      margin: 50px auto;
+      padding: 20px;
+      background: #f5f5f5;
+    }
+    .container {
+      background: white;
+      padding: 30px;
+      border-radius: 8px;
+      box-shadow: 0 2px 10px rgba(0,0,0,0.1);
+    }
+    h1 { color: #333; margin-top: 0; }
+    .step {
+      margin: 20px 0;
+      padding: 15px;
+      background: #f8f9fa;
+      border-left: 4px solid #007bff;
+      border-radius: 4px;
+    }
+    code {
+      background: #e9ecef;
+      padding: 2px 6px;
+      border-radius: 3px;
+      font-family: 'Monaco', 'Courier New', monospace;
+      font-size: 14px;
+    }
+    .snippet {
+      background: #2d2d2d;
+      color: #f8f8f2;
+      padding: 15px;
+      border-radius: 4px;
+      margin: 10px 0;
+      overflow-x: auto;
+      font-family: 'Monaco', 'Courier New', monospace;
+      font-size: 13px;
+      cursor: pointer;
+    }
+    .snippet:hover { background: #3d3d3d; }
+    .success { color: #28a745; font-weight: bold; }
+    .error { color: #dc3545; }
+    button {
+      background: #007bff;
+      color: white;
+      border: none;
+      padding: 10px 20px;
+      border-radius: 4px;
+      cursor: pointer;
+      font-size: 14px;
+    }
+    button:hover { background: #0056b3; }
+    #status { margin-top: 20px; font-weight: bold; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>🎯 Huntr Token Capture</h1>
+    
+    <div class="step">
+      <strong>Step 1:</strong> Open <a href="https://huntr.co" target="_blank">huntr.co</a> and log in
+    </div>
+    
+    <div class="step">
+      <strong>Step 2:</strong> Open DevTools Console (F12 or Cmd+Option+J)
+    </div>
+    
+    <div class="step">
+      <strong>Step 3:</strong> Run this in the Huntr console:
+      <div class="snippet" onclick="copySnippet()" title="Click to copy">
+(async()=>{var t=await window.Clerk.session.getToken({skipCache:true});window.opener?.postMessage({type:'HUNTR_TOKEN',token:t},'http://127.0.0.1:${port}');window.close();console.log('✓ Token sent!')})();
+      </div>
+      <small style="color: #666;">Click to copy, or click button below</small>
+    </div>
+    
+    <button onclick="openHuntr()">Open Huntr & Capture Token</button>
+    
+    <div id="status"></div>
+  </div>
+  
+  <script>
+    let huntrWindow = null;
+    
+    function copySnippet() {
+      const text = \`(async()=>{var t=await window.Clerk.session.getToken({skipCache:true});window.opener?.postMessage({type:'HUNTR_TOKEN',token:t},'http://127.0.0.1:${port}');window.close();console.log('✓ Token sent!')})();\`;
+      navigator.clipboard.writeText(text).then(() => {
+        document.getElementById('status').innerHTML = '<span class="success">✓ Copied! Now paste in Huntr Console</span>';
+      });
+    }
+    
+    function openHuntr() {
+      huntrWindow = window.open('https://huntr.co', 'huntr', 'width=800,height=600');
+      document.getElementById('status').innerHTML = '<span style="color: #666;">Waiting for token from Huntr window...</span>';
+    }
+    
+    window.addEventListener('message', async (event) => {
+      if (event.origin !== 'https://huntr.co') return;
+      if (event.data.type === 'HUNTR_TOKEN' && event.data.token) {
+        document.getElementById('status').innerHTML = '<span style="color: #666;">Sending token to CLI...</span>';
+        
+        try {
+          const response = await fetch('http://127.0.0.1:${port}/token', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ token: event.data.token })
+          });
+          
+          if (response.ok) {
+            document.getElementById('status').innerHTML = '<span class="success">✓ Token captured! You can close this window.</span>';
+            setTimeout(() => window.close(), 2000);
+          } else {
+            document.getElementById('status').innerHTML = '<span class="error">Error saving token</span>';
+          }
+        } catch (error) {
+          document.getElementById('status').innerHTML = '<span class="error">Error: ' + error.message + '</span>';
+        }
+      }
+    });
+  </script>
+</body>
+</html>`;
+  }
+}