instant-cli 1.0.21-branch-cli-codex.25190871505.1 → 1.0.21-branch-cli-codex-update.25190875900.1

package/dist/commands/auth/client/update.js

@@ -0,0 +1,587 @@
+import { Effect } from 'effect';
+import { FileSystem } from '@effect/platform';
+import { BadArgsError } from "../../../errors.js";
+import { GlobalOpts } from "../../../context/globalOpts.js";
+import { optOrPrompt, runUIEffect, validateRequired } from "../../../lib/ui.js";
+import { findClientByIdOrName, getAppsAuth, updateOAuthClient, } from "../../../lib/oauth.js";
+import { UI } from "../../../ui/index.js";
+import { DEFAULT_OAUTH_CALLBACK_URL } from '@instantdb/platform';
+import chalk from 'chalk';
+import boxen from 'boxen';
+import { link } from "../../../logging.js";
+const camelize = (flag) => flag.replace(/-([a-z])/g, (_, c) => c.toUpperCase());
+const getFlag = (opts, flag) => opts[flag] ?? opts[camelize(flag)];
+const hasFlag = (opts, flag) => getFlag(opts, flag) !== undefined;
+const hasAnyFlag = (opts, flags) => flags.some((flag) => hasFlag(opts, flag));
+const isTrueFlag = (value) => value === true || value === 'true';
+const metaString = (client, key) => {
+    if (!client.meta || typeof client.meta !== 'object')
+        return undefined;
+    const value = client.meta[key];
+    return typeof value === 'string' ? value : undefined;
+};
+const promptFlag = (opts, flag, params) => Effect.gen(function* () {
+    const value = getFlag(opts, flag);
+    if (value === undefined && !params.promptIf)
+        return undefined;
+    return yield* optOrPrompt(value, {
+        simpleName: `--${flag}`,
+        required: params.required ?? params.promptIf,
+        skipIf: false,
+        prompt: params.prompt,
+    });
+});
+const clientIdPrompt = (provider) => ({
+    prompt: `Client ID: ${chalk.dim(`(from ${provider})`)}`,
+    validate: validateRequired,
+    modifyOutput: UI.modifiers.piped([
+        UI.modifiers.topPadding,
+        UI.modifiers.dimOnComplete,
+    ]),
+});
+const clientSecretPrompt = (provider) => ({
+    prompt: `Client Secret: ${chalk.dim(`(from ${provider})`)}`,
+    validate: validateRequired,
+    sensitive: true,
+    modifyOutput: UI.modifiers.piped([
+        UI.modifiers.topPadding,
+        UI.modifiers.dimOnComplete,
+    ]),
+});
+const makeRedirectPrompt = (heading) => ({
+    prompt: '',
+    placeholder: 'https://yoursite.com/oauth/callback',
+    modifyOutput: UI.modifiers.piped([
+        (output, status) => {
+            if (status === 'idle') {
+                return (`\n${heading}
+${chalk.dim('With a custom redirect URI, users will see "Redirecting to yoursite.com..." for a more branded experience.')}
+${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all query parameters preserved.`)}\n\n` +
+                    output.replace(/^\n/, ''));
+            }
+            return `\n${heading}\n${output.replace(/^\n/, '')}`;
+        },
+        UI.modifiers.dimOnComplete,
+    ]),
+});
+const redirectPrompt = makeRedirectPrompt('Custom redirect URI (optional):');
+const newRedirectPrompt = makeRedirectPrompt('New redirect URI:');
+const readPrivateKeyFile = Effect.fn('readPrivateKeyFile')(function* (path) {
+    const fs = yield* FileSystem.FileSystem;
+    const normalizedPath = process.platform === 'win32' ? path : path.replace(/\\(.)/g, '$1');
+    const contents = yield* fs.readFileString(normalizedPath, 'utf8').pipe(Effect.mapError((e) => new BadArgsError({
+        message: `Could not read private key file at ${normalizedPath}: ${e.message}`,
+    })));
+    const trimmed = contents.trim();
+    if (!trimmed) {
+        return yield* BadArgsError.make({
+            message: `Private key file at ${normalizedPath} is empty.`,
+        });
+    }
+    return trimmed;
+});
+const resolveClient = Effect.fn(function* (params) {
+    if (params.id && params.name) {
+        return yield* BadArgsError.make({
+            message: 'Cannot specify both --id and --name',
+        });
+    }
+    if (params.id) {
+        const match = params.clients.find((client) => client.id === params.id);
+        if (!match) {
+            return yield* BadArgsError.make({
+                message: `OAuth client not found: ${params.id}`,
+            });
+        }
+        return match;
+    }
+    if (params.name) {
+        const match = params.clients.find((client) => client.client_name === params.name);
+        if (!match) {
+            return yield* BadArgsError.make({
+                message: `OAuth client not found: ${params.name}`,
+            });
+        }
+        return match;
+    }
+    if (params.yes) {
+        return yield* BadArgsError.make({ message: 'Must specify --id or --name' });
+    }
+    if (params.clients.length === 0) {
+        return yield* BadArgsError.make({
+            message: 'No OAuth clients found for this app.',
+        });
+    }
+    return yield* runUIEffect(new UI.Select({
+        options: params.clients.map((client) => ({
+            label: client.client_name +
+                (client.use_shared_credentials
+                    ? chalk.dim(' (dev credentials)')
+                    : '') +
+                chalk.dim(` (${client.id})`),
+            value: client,
+        })),
+        promptText: 'Select a client to update:',
+        modifyOutput: UI.modifiers.piped([UI.modifiers.dimOnComplete]),
+    })).pipe(Effect.catchTag('UIError', (e) => BadArgsError.make({ message: `UI error: ${e.message}` })));
+});
+const selectUpdateAction = Effect.fn(function* (options) {
+    return yield* runUIEffect(new UI.Select({
+        options,
+        promptText: 'What do you want to update?',
+        modifyOutput: UI.modifiers.piped([UI.modifiers.dimOnComplete]),
+    })).pipe(Effect.catchTag('UIError', (e) => BadArgsError.make({ message: `UI error: ${e.message}` })));
+});
+const updateGoogleToDevCredentials = Effect.fn(function* (client) {
+    const response = yield* updateOAuthClient({
+        oauthClientId: client.id,
+        useSharedCredentials: true,
+        redirectTo: null,
+    });
+    yield* Effect.log(boxen([
+        `Google OAuth client updated: ${response.client.client_name}`,
+        'Credentials: Instant dev credentials',
+        `ID: ${response.client.id}`,
+        '',
+        'No Google Console setup required.',
+        'Works on localhost and Expo during development.',
+    ].join('\n'), { dimBorder: true, padding: { right: 1, left: 1 } }));
+});
+const handleGoogleUpdate = Effect.fn(function* (opts, client) {
+    const { yes } = yield* GlobalOpts;
+    const consoleUrl = link('https://console.developers.google.com/apis/credentials');
+    const appType = metaString(client, 'appType');
+    const isWeb = appType === 'web' || appType === undefined;
+    const devCredentialsFlag = isTrueFlag(getFlag(opts, 'dev-credentials'));
+    const hasCustomCredentialFlag = hasAnyFlag(opts, [
+        'client-id',
+        'client-secret',
+        'custom-redirect-uri',
+    ]);
+    if (!isWeb) {
+        if (devCredentialsFlag) {
+            return yield* BadArgsError.make({
+                message: '--dev-credentials is only supported for Google web clients.',
+            });
+        }
+        if (hasFlag(opts, 'client-secret') ||
+            hasFlag(opts, 'custom-redirect-uri')) {
+            return yield* BadArgsError.make({
+                message: '--client-secret and --custom-redirect-uri are only supported for Google web clients.',
+            });
+        }
+    }
+    if (devCredentialsFlag && hasCustomCredentialFlag) {
+        return yield* BadArgsError.make({
+            message: '--dev-credentials cannot be combined with --client-id, --client-secret, or --custom-redirect-uri.',
+        });
+    }
+    if (isWeb && devCredentialsFlag) {
+        return yield* updateGoogleToDevCredentials(client);
+    }
+    const hasAnyUpdateFlag = hasAnyFlag(opts, [
+        'client-id',
+        'client-secret',
+        'custom-redirect-uri',
+        'dev-credentials',
+    ]);
+    if (yes && !hasAnyUpdateFlag) {
+        return yield* BadArgsError.make({
+            message: 'Must specify at least one of --client-id, --client-secret, --custom-redirect-uri, or --dev-credentials.',
+        });
+    }
+    const switchingFromShared = Boolean(client.use_shared_credentials);
+    if (!hasAnyUpdateFlag && !yes) {
+        yield* Effect.log(`\nCurrent mode: ${switchingFromShared
+            ? chalk.bold('Instant dev credentials')
+            : 'custom credentials'}`);
+        if (!switchingFromShared) {
+            const action = yield* selectUpdateAction([
+                { label: 'Rotate credentials', value: 'rotate' },
+                {
+                    label: 'Switch to Instant dev credentials' +
+                        chalk.dim(' (localhost and Expo, no Google setup)'),
+                    value: 'dev-credentials',
+                },
+                { label: 'Update redirect URI', value: 'redirect' },
+            ]);
+            if (action === 'dev-credentials') {
+                return yield* updateGoogleToDevCredentials(client);
+            }
+            if (action === 'redirect') {
+                const redirectTo = yield* promptFlag(opts, 'custom-redirect-uri', {
+                    promptIf: true,
+                    required: true,
+                    prompt: newRedirectPrompt,
+                });
+                const response = yield* updateOAuthClient({
+                    oauthClientId: client.id,
+                    redirectTo,
+                });
+                yield* Effect.log(boxen([
+                    `Google OAuth client updated: ${response.client.client_name}`,
+                    `ID: ${response.client.id}`,
+                    `Redirect URI: ${redirectTo}`,
+                ].join('\n'), { dimBorder: true, padding: { right: 1, left: 1 } }));
+                return;
+            }
+        }
+    }
+    const promptCredentials = !hasAnyUpdateFlag && !yes;
+    const clientId = yield* promptFlag(opts, 'client-id', {
+        promptIf: promptCredentials || (switchingFromShared && !hasFlag(opts, 'client-id')),
+        required: promptCredentials || switchingFromShared,
+        prompt: clientIdPrompt(consoleUrl),
+    });
+    const clientSecret = yield* promptFlag(opts, 'client-secret', {
+        promptIf: isWeb &&
+            (promptCredentials ||
+                (switchingFromShared && !hasFlag(opts, 'client-secret'))),
+        required: isWeb && (promptCredentials || switchingFromShared),
+        prompt: clientSecretPrompt(consoleUrl),
+    });
+    const customRedirectUri = isWeb
+        ? yield* promptFlag(opts, 'custom-redirect-uri', {
+            promptIf: switchingFromShared && promptCredentials,
+            required: false,
+            prompt: redirectPrompt,
+        })
+        : undefined;
+    const redirectTo = switchingFromShared
+        ? customRedirectUri || client.redirect_to || DEFAULT_OAUTH_CALLBACK_URL
+        : customRedirectUri;
+    const response = yield* updateOAuthClient({
+        oauthClientId: client.id,
+        clientId,
+        clientSecret,
+        redirectTo,
+        useSharedCredentials: switchingFromShared ? false : undefined,
+    });
+    const lines = [
+        `Google OAuth client updated: ${response.client.client_name}`,
+        'Credentials: custom',
+        `ID: ${response.client.id}`,
+    ];
+    if (switchingFromShared) {
+        lines.push('', 'This client no longer uses Instant dev credentials.');
+    }
+    if (isWeb && redirectTo) {
+        lines.push('', chalk.bold(`Add this redirect URI in Google Console:\n${redirectTo}`));
+    }
+    yield* Effect.log(boxen(lines.join('\n'), {
+        dimBorder: true,
+        padding: { right: 1, left: 1 },
+    }));
+});
+const handleClientIdSecretUpdate = Effect.fn(function* (params) {
+    const { yes } = yield* GlobalOpts;
+    const hasAnyUpdateFlag = hasAnyFlag(params.opts, [
+        'client-id',
+        'client-secret',
+        'custom-redirect-uri',
+    ]);
+    if (yes && !hasAnyUpdateFlag) {
+        return yield* BadArgsError.make({
+            message: 'Must specify at least one of --client-id, --client-secret, or --custom-redirect-uri.',
+        });
+    }
+    let promptCredentials = false;
+    let promptRedirect = false;
+    if (!hasAnyUpdateFlag && !yes) {
+        const action = yield* selectUpdateAction([
+            { label: 'Rotate credentials', value: 'rotate' },
+            { label: 'Update redirect URI', value: 'redirect' },
+        ]);
+        promptCredentials = action === 'rotate';
+        promptRedirect = action === 'redirect';
+    }
+    const clientId = yield* promptFlag(params.opts, 'client-id', {
+        promptIf: promptCredentials,
+        required: promptCredentials,
+        prompt: clientIdPrompt(link(params.providerUrl)),
+    });
+    const clientSecret = yield* promptFlag(params.opts, 'client-secret', {
+        promptIf: promptCredentials,
+        required: promptCredentials,
+        prompt: clientSecretPrompt(link(params.providerUrl)),
+    });
+    const customRedirectUri = yield* promptFlag(params.opts, 'custom-redirect-uri', {
+        promptIf: promptRedirect,
+        required: promptRedirect,
+        prompt: promptRedirect ? newRedirectPrompt : redirectPrompt,
+    });
+    const response = yield* updateOAuthClient({
+        oauthClientId: params.client.id,
+        clientId,
+        clientSecret,
+        redirectTo: customRedirectUri,
+    });
+    yield* Effect.log(boxen([
+        `${params.providerLabel} OAuth client updated: ${response.client.client_name}`,
+        `ID: ${response.client.id}`,
+    ].join('\n'), { dimBorder: true, padding: { right: 1, left: 1 } }));
+});
+const handleAppleUpdate = Effect.fn(function* (opts, client) {
+    const { yes } = yield* GlobalOpts;
+    const webFlags = [
+        'team-id',
+        'key-id',
+        'private-key-file',
+        'custom-redirect-uri',
+    ];
+    const updateFlags = ['services-id', ...webFlags];
+    const hasAnyUpdateFlag = hasAnyFlag(opts, updateFlags);
+    if (yes && !hasAnyUpdateFlag) {
+        return yield* BadArgsError.make({
+            message: 'Must specify at least one of --services-id, --team-id, --key-id, --private-key-file, or --custom-redirect-uri.',
+        });
+    }
+    const existingWeb = Boolean(metaString(client, 'teamId') ||
+        metaString(client, 'keyId') ||
+        client.redirect_to);
+    const promptAll = !hasAnyUpdateFlag && !yes;
+    const configureWeb = promptAll
+        ? yield* runUIEffect(new UI.Confirmation({
+            promptText: 'Configure web redirect flow? ' +
+                chalk.dim('(requires Team ID, Key ID, and a .p8 private key from Apple)'),
+            defaultValue: existingWeb,
+        })).pipe(Effect.catchTag('UIError', (e) => BadArgsError.make({ message: `UI error: ${e.message}` })))
+        : hasAnyFlag(opts, webFlags);
+    const servicesId = yield* promptFlag(opts, 'services-id', {
+        promptIf: promptAll,
+        required: promptAll,
+        prompt: {
+            prompt: `Services ID ${chalk.dim(`(from ${link('https://developer.apple.com/account/resources/identifiers/list/serviceId')})`)}`,
+            validate: validateRequired,
+            modifyOutput: UI.modifiers.piped([
+                UI.modifiers.topPadding,
+                UI.modifiers.dimOnComplete,
+            ]),
+        },
+    });
+    const teamId = configureWeb
+        ? yield* promptFlag(opts, 'team-id', {
+            promptIf: promptAll,
+            required: promptAll,
+            prompt: {
+                prompt: `Team ID ${chalk.dim(`(from ${link('https://developer.apple.com/account#MembershipDetailsCard')})`)}`,
+                validate: validateRequired,
+                modifyOutput: UI.modifiers.piped([
+                    UI.modifiers.topPadding,
+                    UI.modifiers.dimOnComplete,
+                ]),
+            },
+        })
+        : undefined;
+    const keyId = configureWeb
+        ? yield* promptFlag(opts, 'key-id', {
+            promptIf: promptAll,
+            required: promptAll,
+            prompt: {
+                prompt: `Key ID ${chalk.dim(`(from ${link('https://developer.apple.com/account/resources/authkeys/list')})`)}`,
+                validate: validateRequired,
+                modifyOutput: UI.modifiers.piped([
+                    UI.modifiers.topPadding,
+                    UI.modifiers.dimOnComplete,
+                ]),
+            },
+        })
+        : undefined;
+    const privateKeyPath = configureWeb
+        ? yield* promptFlag(opts, 'private-key-file', {
+            promptIf: promptAll,
+            required: promptAll,
+            prompt: {
+                prompt: `Path to .p8 private key file ${chalk.dim('(downloaded from Apple)')}`,
+                validate: validateRequired,
+                modifyOutput: UI.modifiers.piped([
+                    UI.modifiers.topPadding,
+                    UI.modifiers.dimOnComplete,
+                ]),
+            },
+        })
+        : undefined;
+    const privateKey = privateKeyPath
+        ? yield* readPrivateKeyFile(privateKeyPath)
+        : undefined;
+    const customRedirectUri = configureWeb
+        ? yield* promptFlag(opts, 'custom-redirect-uri', {
+            promptIf: promptAll,
+            required: false,
+            prompt: redirectPrompt,
+        })
+        : undefined;
+    const meta = {};
+    if (teamId)
+        meta.teamId = teamId;
+    if (keyId)
+        meta.keyId = keyId;
+    const response = yield* updateOAuthClient({
+        oauthClientId: client.id,
+        clientId: servicesId,
+        clientSecret: privateKey,
+        redirectTo: configureWeb && privateKey
+            ? customRedirectUri || client.redirect_to || DEFAULT_OAUTH_CALLBACK_URL
+            : customRedirectUri,
+        meta: Object.keys(meta).length ? meta : undefined,
+    });
+    yield* Effect.log(boxen([
+        `Apple OAuth client updated: ${response.client.client_name}`,
+        `ID: ${response.client.id}`,
+    ].join('\n'), { dimBorder: true, padding: { right: 1, left: 1 } }));
+});
+const handleClerkUpdate = Effect.fn(function* (opts, client) {
+    const { yes } = yield* GlobalOpts;
+    const publishableKey = yield* promptFlag(opts, 'publishable-key', {
+        promptIf: !yes && !hasFlag(opts, 'publishable-key'),
+        required: true,
+        prompt: {
+            prompt: `Clerk publishable key ${chalk.dim(`(from ${link('https://dashboard.clerk.com/last-active?path=api-keys')})`)}`,
+            placeholder: 'pk_********************************************************',
+            validate: (val) => {
+                if (!val)
+                    return 'Publishable key is required';
+                if (!val.startsWith('pk_')) {
+                    return 'Invalid publishable key. It should start with "pk_".';
+                }
+            },
+            modifyOutput: UI.modifiers.piped([
+                UI.modifiers.topPadding,
+                UI.modifiers.dimOnComplete,
+            ]),
+        },
+    });
+    if (!publishableKey) {
+        return yield* BadArgsError.make({
+            message: 'Missing required value for --publishable-key',
+        });
+    }
+    const domain = domainFromClerkKey(publishableKey);
+    if (!domain) {
+        return yield* BadArgsError.make({
+            message: 'Invalid publishable key. Could not extract domain.',
+        });
+    }
+    const response = yield* updateOAuthClient({
+        oauthClientId: client.id,
+        discoveryEndpoint: `https://${domain}/.well-known/openid-configuration`,
+        meta: { clerkPublishableKey: publishableKey },
+    });
+    yield* Effect.log(boxen([
+        `Clerk OAuth client updated: ${response.client.client_name}`,
+        `ID: ${response.client.id}`,
+        `Clerk Domain: https://${domain}`,
+    ].join('\n'), { dimBorder: true, padding: { right: 1, left: 1 } }));
+});
+const handleFirebaseUpdate = Effect.fn(function* (opts, client) {
+    const { yes } = yield* GlobalOpts;
+    const projectId = yield* promptFlag(opts, 'project-id', {
+        promptIf: !yes && !hasFlag(opts, 'project-id'),
+        required: true,
+        prompt: {
+            prompt: `Firebase project ID: (From Project Settings page on ${link('https://console.firebase.google.com/')})`,
+            validate: validateFirebaseProjectId,
+            modifyOutput: UI.modifiers.piped([
+                UI.modifiers.topPadding,
+                UI.modifiers.dimOnComplete,
+            ]),
+        },
+    });
+    const validationError = validateFirebaseProjectId(projectId ?? '');
+    if (validationError) {
+        return yield* BadArgsError.make({ message: validationError });
+    }
+    const response = yield* updateOAuthClient({
+        oauthClientId: client.id,
+        discoveryEndpoint: firebaseDiscoveryEndpoint(projectId),
+    });
+    yield* Effect.log(boxen([
+        `Firebase OAuth client updated: ${response.client.client_name}`,
+        `ID: ${response.client.id}`,
+        `Firebase Project ID: ${projectId}`,
+    ].join('\n'), { dimBorder: true, padding: { right: 1, left: 1 } }));
+});
+export const authClientUpdateCmd = Effect.fn(function* (opts) {
+    const { yes } = yield* GlobalOpts;
+    const id = getFlag(opts, 'id');
+    const name = getFlag(opts, 'name');
+    const { auth, client } = id || name
+        ? yield* findClientByIdOrName({ id, name })
+        : {
+            auth: yield* getAppsAuth(),
+            client: undefined,
+        };
+    const resolvedClient = client ??
+        (yield* resolveClient({
+            yes,
+            clients: (auth.oauth_clients ?? []),
+        }));
+    const provider = (auth.oauth_service_providers ?? []).find((entry) => entry.id === resolvedClient.provider_id);
+    if (!provider) {
+        return yield* BadArgsError.make({
+            message: `OAuth provider not found for client: ${resolvedClient.client_name}`,
+        });
+    }
+    switch (provider.provider_name) {
+        case 'google':
+            return yield* handleGoogleUpdate(opts, resolvedClient);
+        case 'github':
+            return yield* handleClientIdSecretUpdate({
+                opts,
+                client: resolvedClient,
+                providerLabel: 'GitHub',
+                providerUrl: 'https://github.com/settings/developers',
+            });
+        case 'linkedin':
+            return yield* handleClientIdSecretUpdate({
+                opts,
+                client: resolvedClient,
+                providerLabel: 'LinkedIn',
+                providerUrl: 'https://www.linkedin.com/developers/apps',
+            });
+        case 'apple':
+            return yield* handleAppleUpdate(opts, resolvedClient);
+        case 'clerk':
+            return yield* handleClerkUpdate(opts, resolvedClient);
+        case 'firebase':
+            return yield* handleFirebaseUpdate(opts, resolvedClient);
+        default:
+            return yield* BadArgsError.make({
+                message: `Updating ${provider.provider_name} OAuth clients is not supported.`,
+            });
+    }
+}, Effect.catchTag('BadArgsError', (e) => Effect.gen(function* () {
+    yield* Effect.logError(e.message);
+    yield* Effect.log(chalk.dim('hint: run `instant-cli auth client update --help` for available arguments'));
+})));
+function domainFromClerkKey(key) {
+    try {
+        const parts = key.split('_');
+        const domainPartB64 = parts[parts.length - 1];
+        const domainPart = base64Decode(domainPartB64);
+        return domainPart.replace('$', '');
+    }
+    catch {
+        return null;
+    }
+}
+function base64Decode(s) {
+    try {
+        return Buffer.from(s, 'base64').toString('utf-8');
+    }
+    catch {
+        return Buffer.from(s, 'base64url').toString('utf-8');
+    }
+}
+function validateFirebaseProjectId(value) {
+    const projectIdRegex = /^[a-z][a-z0-9-]{4,28}[a-z0-9]$/;
+    if (!value)
+        return 'Project ID is required';
+    if (!projectIdRegex.test(value)) {
+        return 'Invalid Firebase project ID. It must be 6-30 characters, start with a lowercase letter, contain only lowercase letters, digits, and hyphens, and not end with a hyphen.';
+    }
+}
+function firebaseDiscoveryEndpoint(projectId) {
+    return `https://securetoken.google.com/${encodeURIComponent(projectId)}/.well-known/openid-configuration`;
+}
+//# sourceMappingURL=update.js.map