instant-cli 1.0.22 → 1.0.23-branch-cli-codex-update.25390498340.1

package/src/commands/auth/client/add.ts

@@ -1,5 +1,4 @@
 import { Effect, Match, Option, Schema } from 'effect';
-import { FileSystem } from '@effect/platform';
 import type { authClientAddDef, OptsFromCommand } from '../../../index.ts';
 import { BadArgsError } from '../../../errors.ts';
 import { GlobalOpts } from '../../../context/globalOpts.ts';
@@ -7,7 +6,6 @@ import {
   optOrPrompt,
   optOrPromptBoolean,
   runUIEffect,
-  stripFirstBlankLine,
   validateRequired,
 } from '../../../lib/ui.ts';
 import {
@@ -15,6 +13,8 @@ import {
   findName,
   getClientNameAndProvider,
   getOrCreateProvider,
+  GoogleAppTypeSchema,
+  OAuthClient,
 } from '../../../lib/oauth.ts';
 import {
   DEFAULT_OAUTH_CALLBACK_URL,
@@ -24,6 +24,7 @@ import {
   APPLE_AUTHORIZATION_ENDPOINT,
   APPLE_DISCOVERY_ENDPOINT,
   APPLE_TOKEN_ENDPOINT,
+  clerkDomainFromPublishableKey,
   LINKEDIN_AUTHORIZATION_ENDPOINT,
   LINKEDIN_DISCOVERY_ENDPOINT,
   LINKEDIN_TOKEN_ENDPOINT,
@@ -32,6 +33,24 @@ import { UI } from '../../../ui/index.ts';
 import chalk from 'chalk';
 import boxen from 'boxen';
 import { link } from '../../../logging.ts';
+import {
+  appleKeyIdPrompt,
+  applePrivateKeyFilePrompt,
+  appleServicesIdPrompt,
+  appleTeamIdPrompt,
+  clerkPublishableKeyPrompt,
+  clientIdPrompt,
+  clientSecretPrompt,
+  firebaseDiscoveryEndpoint,
+  firebaseProjectIdPrompt,
+  getFlag,
+  hasAnyFlag,
+  isTrueFlag,
+  readPrivateKeyFile,
+  redirectSetupMessages,
+  redirectUriPrompt,
+  validateFirebaseProjectId,
+} from './shared.ts';
 
 export const ClientTypeSchema = Schema.Literal(
   'google',
@@ -42,12 +61,13 @@ export const ClientTypeSchema = Schema.Literal(
   'firebase',
 );
 
-const GoogleAppTypeSchema = Schema.Literal(
-  'web',
-  'ios',
-  'android',
-  'button-for-web',
-);
+const googleConsoleUrl =
+  'https://console.developers.google.com/apis/credentials';
+const githubDeveloperUrl = 'https://github.com/settings/developers';
+const linkedinDeveloperUrl = 'https://www.linkedin.com/developers/apps';
+const optionalRedirectPrompt = redirectUriPrompt({
+  heading: 'Custom redirect URI (optional):',
+});
 
 const selectGoogleAppType = (value: unknown) =>
   Effect.gen(function* () {
@@ -96,10 +116,159 @@ const selectGoogleAppType = (value: unknown) =>
     );
   });
 
+const selectGoogleCredentialMode = Effect.fn(function* () {
+  return yield* runUIEffect(
+    new UI.Select({
+      options: [
+        {
+          label:
+            'Use dev credentials' +
+            chalk.dim(' (works on localhost and Expo, no Google setup)'),
+          value: 'dev' as const,
+        },
+        {
+          label:
+            'Use my own credentials' +
+            chalk.dim(' (client ID and secret from Google Console)'),
+          value: 'custom' as const,
+        },
+      ],
+      promptText: 'Select Google credential mode:',
+      modifyOutput: UI.modifiers.piped([
+        UI.modifiers.topPadding,
+        UI.modifiers.dimOnComplete,
+      ]),
+      defaultValue: 'dev' as const,
+    }),
+  ).pipe(
+    Effect.catchTag('UIError', (e) =>
+      BadArgsError.make({ message: `UI error: ${e.message}` }),
+    ),
+  );
+});
+
+const resolveGoogleCredentialMode = Effect.fn(function* ({
+  appType,
+  opts,
+}: {
+  appType: typeof GoogleAppTypeSchema.Type;
+  opts: Record<string, unknown>;
+}): Effect.fn.Return<'custom' | 'dev', BadArgsError, GlobalOpts> {
+  const { yes } = yield* GlobalOpts;
+  const devCredentialsFlag = isTrueFlag(getFlag(opts, 'dev-credentials'));
+  const hasProvidedSomeCustomCredentials = hasAnyFlag(opts, [
+    'client-id',
+    'client-secret',
+    'custom-redirect-uri',
+  ]);
+
+  if (devCredentialsFlag && appType !== 'web') {
+    return yield* BadArgsError.make({
+      message:
+        '--dev-credentials is only supported for --app-type web. Native Google clients need credentials from Google.',
+    });
+  }
+
+  if (devCredentialsFlag && hasProvidedSomeCustomCredentials) {
+    return yield* BadArgsError.make({
+      message:
+        '--dev-credentials cannot be combined with --client-id, --client-secret, or --custom-redirect-uri.',
+    });
+  }
+
+  if (appType !== 'web') {
+    return 'custom';
+  }
+
+  if (hasProvidedSomeCustomCredentials) {
+    return 'custom';
+  }
+
+  if (devCredentialsFlag) {
+    return 'dev';
+  }
+
+  if (yes) {
+    return 'dev';
+  }
+
+  return yield* selectGoogleCredentialMode();
+});
+
+const printGoogleDevCredentialsClient = Effect.fn(function* ({
+  appType,
+  client,
+}: {
+  appType: typeof GoogleAppTypeSchema.Type;
+  client: typeof OAuthClient.Type;
+}) {
+  yield* Effect.log(
+    boxen(
+      [
+        `Google OAuth client created: ${client.client_name}`,
+        `App type: ${appType}`,
+        `Credentials: Instant dev credentials`,
+        `ID: ${client.id}`,
+        '',
+        'No Google Console setup required.',
+        'Works on localhost and Expo during development.',
+        '',
+        chalk.bold('Ready for production? Run:'),
+        `  instant-cli auth client update --name ${client.client_name} --client-id <id> --client-secret <secret>`,
+      ].join('\n'),
+      { dimBorder: true, padding: { right: 1, left: 1 } },
+    ),
+  );
+});
+
+const printGoogleCustomCredentialsClient = Effect.fn(function* ({
+  appType,
+  client,
+  clientId,
+  customRedirectUri,
+  redirectUri,
+}: {
+  appType: typeof GoogleAppTypeSchema.Type;
+  client: typeof OAuthClient.Type;
+  clientId: string | undefined;
+  customRedirectUri: string | undefined;
+  redirectUri: string | undefined;
+}) {
+  const redirectMessages: string[] = [];
+  if (appType === 'web' && redirectUri) {
+    redirectMessages.push(
+      ...redirectSetupMessages({
+        prompt: 'Add this redirect URI in Google Console',
+        redirectUri,
+        showCustomRedirectInstructions: Boolean(customRedirectUri),
+      }),
+    );
+  }
+
+  yield* Effect.log(
+    boxen(
+      [
+        `Google OAuth client created: ${client.client_name}`,
+        `App type: ${appType}`,
+        `ID: ${client.id}`,
+        `Google Client ID: ${client.client_id ?? clientId}`,
+        ...redirectMessages,
+      ].join('\n'),
+      { dimBorder: true, padding: { right: 1, left: 1 } },
+    ),
+  );
+});
+
 const handleGoogleClient = Effect.fn(function* (opts: Record<string, unknown>) {
   // This one requires special logic for getting client name
   // because the suggested name includes the app type
   const appType = yield* selectGoogleAppType(opts['app-type']);
+  const credentialMode = yield* resolveGoogleCredentialMode({
+    appType,
+    opts,
+  });
+  const useSharedCredentials = credentialMode === 'dev';
+
   const { auth, provider } = yield* getOrCreateProvider('google');
   const usedClientNames = new Set(
     (auth.oauth_clients ?? []).map((client) => client.client_name),
@@ -115,7 +284,10 @@ const handleGoogleClient = Effect.fn(function* (opts: Record<string, unknown>) {
       defaultValue: suggestedClientName,
       placeholder: suggestedClientName,
       validate: validateRequired,
-      modifyOutput: UI.modifiers.piped([UI.modifiers.dimOnComplete]),
+      modifyOutput: UI.modifiers.piped([
+        UI.modifiers.topPadding,
+        UI.modifiers.dimOnComplete,
+      ]),
     },
   });
 
@@ -127,68 +299,46 @@ const handleGoogleClient = Effect.fn(function* (opts: Record<string, unknown>) {
 
   const clientId = yield* optOrPrompt(opts['client-id'], {
     simpleName: '--client-id',
-    required: true,
-    skipIf: false,
-    prompt: {
-      prompt: `Client ID: ${chalk.dim(`(from ${link('https://console.developers.google.com/apis/credentials')})`)}`,
-      modifyOutput: UI.modifiers.piped([
-        UI.modifiers.topPadding,
-        UI.modifiers.dimOnComplete,
-      ]),
-      validate: validateRequired,
-    },
+    required: !useSharedCredentials,
+    skipIf: useSharedCredentials,
+    skipMessage:
+      '--client-id is not compatible with --dev-credentials. Drop one or the other.',
+    prompt: clientIdPrompt({ providerUrl: googleConsoleUrl }),
   });
 
+  const usesCustomWebCredentials = !useSharedCredentials && appType === 'web';
   const clientSecret = yield* optOrPrompt(opts['client-secret'], {
-    required: appType === 'web',
-    skipIf: appType !== 'web',
+    required: usesCustomWebCredentials,
+    skipIf: !usesCustomWebCredentials,
     simpleName: '--client-secret',
-    prompt: {
-      prompt: `Client Secret: ${chalk.dim(`(from ${link('https://console.developers.google.com/apis/credentials')})`)}`,
-      validate: validateRequired,
-      sensitive: true,
-      modifyOutput: UI.modifiers.piped([
-        UI.modifiers.topPadding,
-        UI.modifiers.dimOnComplete,
-      ]),
-    },
+    skipMessage: useSharedCredentials
+      ? '--client-secret is not compatible with --dev-credentials. Drop one or the other.'
+      : undefined,
+    prompt: clientSecretPrompt({ providerUrl: googleConsoleUrl }),
   });
 
   const customRedirectUri = yield* optOrPrompt(opts['custom-redirect-uri'], {
     required: false,
-    prompt: {
-      prompt: '',
-      placeholder: 'https://yoursite.com/oauth/callback',
-      modifyOutput: UI.modifiers.piped([
-        (output, status) => {
-          if (status === 'idle') {
-            return (
-              `\nCustom redirect URI (optional):
-${chalk.dim('With a custom redirect URI, users will see "Redirecting to yoursite.com..." for a more branded experience.')}
-${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all query parameters preserved.`)}\n\n` +
-              stripFirstBlankLine(output)
-            );
-          }
-          return `\nCustom redirect URI (optional):\n${stripFirstBlankLine(output)}`;
-        },
-        UI.modifiers.dimOnComplete,
-      ]),
-    },
+    prompt: optionalRedirectPrompt,
     simpleName: '--custom-redirect-uri',
-    skipIf: appType !== 'web',
-    skipMessage: 'Provided custom redirect URI when not using web app type.',
+    skipIf: !usesCustomWebCredentials,
+    skipMessage: useSharedCredentials
+      ? '--custom-redirect-uri is not compatible with --dev-credentials.'
+      : 'Provided custom redirect URI when not using web app type.',
   });
 
   if (!clientName) {
     return yield* BadArgsError.make({ message: 'Client name is required.' }); // Should never reach this
   }
-  const redirectUri = customRedirectUri || DEFAULT_OAUTH_CALLBACK_URL;
+  const redirectUri = useSharedCredentials
+    ? undefined
+    : customRedirectUri || DEFAULT_OAUTH_CALLBACK_URL;
 
   const response = yield* addOAuthClient({
     providerId: provider.id,
     clientName,
-    clientId,
-    clientSecret: clientSecret,
+    clientId: useSharedCredentials ? undefined : clientId,
+    clientSecret: useSharedCredentials ? undefined : clientSecret,
     authorizationEndpoint: GOOGLE_AUTHORIZATION_ENDPOINT,
     tokenEndpoint: GOOGLE_TOKEN_ENDPOINT,
     discoveryEndpoint: GOOGLE_DISCOVERY_ENDPOINT,
@@ -197,37 +347,24 @@ ${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all que
       appType,
       skipNonceChecks: true,
     },
+    useSharedCredentials,
   });
 
-  const redirectMessages: string[] = [];
-  if (appType === 'web') {
-    redirectMessages.push(
-      chalk.bold(
-        `\nAdd this redirect URI in Google Console:\n${redirectUri}\n`,
-      ),
-    );
-    if (customRedirectUri) {
-      redirectMessages.push(
-        `Your custom redirect must forward to ${chalk.bold(DEFAULT_OAUTH_CALLBACK_URL)} with all query parameters preserved.`,
-      );
-      redirectMessages.push(
-        `You can test it by visiting: ${chalk.bold(redirectUri + '?test-redirect=true')}`,
-      );
-    }
+  if (useSharedCredentials) {
+    yield* printGoogleDevCredentialsClient({
+      appType,
+      client: response.client,
+    });
+    return;
   }
 
-  yield* Effect.log(
-    boxen(
-      [
-        `Google OAuth client created: ${response.client.client_name}`,
-        `App type: ${appType}`,
-        `ID: ${response.client.id}`,
-        `Google Client ID: ${response.client.client_id ?? clientId}`,
-        ...redirectMessages,
-      ].join('\n'),
-      { dimBorder: true, padding: { right: 1, left: 1 } },
-    ),
-  );
+  yield* printGoogleCustomCredentialsClient({
+    appType,
+    client: response.client,
+    clientId,
+    customRedirectUri,
+    redirectUri,
+  });
 });
 
 const handleGithubClient = Effect.fn(function* (opts: Record<string, unknown>) {
@@ -240,53 +377,21 @@ const handleGithubClient = Effect.fn(function* (opts: Record<string, unknown>) {
     simpleName: '--client-id',
     required: true,
     skipIf: false,
-    prompt: {
-      prompt: `Client ID ${chalk.dim(`(from ${link('https://github.com/settings/developers')})`)}`,
-      modifyOutput: UI.modifiers.piped([
-        UI.modifiers.topPadding,
-        UI.modifiers.dimOnComplete,
-      ]),
-      validate: validateRequired,
-    },
+    prompt: clientIdPrompt({ providerUrl: githubDeveloperUrl }),
   });
 
   const clientSecret = yield* optOrPrompt(opts['client-secret'], {
     required: true,
     skipIf: false,
     simpleName: '--client-secret',
-    prompt: {
-      prompt: `Client Secret: ${chalk.dim(`(from ${link('https://github.com/settings/developers')})`)}`,
-      validate: validateRequired,
-      sensitive: true,
-      modifyOutput: UI.modifiers.piped([
-        UI.modifiers.topPadding,
-        UI.modifiers.dimOnComplete,
-      ]),
-    },
+    prompt: clientSecretPrompt({ providerUrl: githubDeveloperUrl }),
   });
 
   const customRedirectUri = yield* optOrPrompt(opts['custom-redirect-uri'], {
     required: false,
     simpleName: '--custom-redirect-uri',
     skipIf: false,
-    prompt: {
-      prompt: '',
-      placeholder: 'https://yoursite.com/oauth/callback',
-      modifyOutput: UI.modifiers.piped([
-        (output, status) => {
-          if (status === 'idle') {
-            return (
-              `\nCustom redirect URI (optional):
-${chalk.dim('With a custom redirect URI, users will see "Redirecting to yoursite.com..." for a more branded experience.')}
-${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all query parameters preserved.`)}\n\n` +
-              stripFirstBlankLine(output)
-            );
-          }
-          return `\nCustom redirect URI (optional):\n${stripFirstBlankLine(output)}`;
-        },
-        UI.modifiers.dimOnComplete,
-      ]),
-    },
+    prompt: optionalRedirectPrompt,
   });
 
   if (!clientName) {
@@ -306,19 +411,11 @@ ${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all que
     meta: { providerName: 'github' },
   });
 
-  const redirectMessages: string[] = [
-    chalk.bold(
-      `\nAdd this callback URL in your GitHub OAuth App settings:\n${redirectUri}\n`,
-    ),
-  ];
-  if (customRedirectUri) {
-    redirectMessages.push(
-      `Your custom redirect must forward to ${chalk.bold(DEFAULT_OAUTH_CALLBACK_URL)} with all query parameters preserved.`,
-    );
-    redirectMessages.push(
-      `You can test it by visiting: ${chalk.bold(redirectUri + '?test-redirect=true')}`,
-    );
-  }
+  const redirectMessages = redirectSetupMessages({
+    prompt: 'Add this callback URL in your GitHub OAuth App settings',
+    redirectUri,
+    showCustomRedirectInstructions: Boolean(customRedirectUri),
+  });
 
   yield* Effect.log(
     boxen(
@@ -345,53 +442,21 @@ const handleLinkedInClient = Effect.fn(function* (
     simpleName: '--client-id',
     required: true,
     skipIf: false,
-    prompt: {
-      prompt: `Client ID: ${chalk.dim(`(from ${link('https://www.linkedin.com/developers/apps')})`)}`,
-      modifyOutput: UI.modifiers.piped([
-        UI.modifiers.topPadding,
-        UI.modifiers.dimOnComplete,
-      ]),
-      validate: validateRequired,
-    },
+    prompt: clientIdPrompt({ providerUrl: linkedinDeveloperUrl }),
   });
 
   const clientSecret = yield* optOrPrompt(opts['client-secret'], {
     required: true,
     skipIf: false,
     simpleName: '--client-secret',
-    prompt: {
-      prompt: `Client Secret: ${chalk.dim(`(from ${link('https://www.linkedin.com/developers/apps')})`)}`,
-      validate: validateRequired,
-      sensitive: true,
-      modifyOutput: UI.modifiers.piped([
-        UI.modifiers.topPadding,
-        UI.modifiers.dimOnComplete,
-      ]),
-    },
+    prompt: clientSecretPrompt({ providerUrl: linkedinDeveloperUrl }),
   });
 
   const customRedirectUri = yield* optOrPrompt(opts['custom-redirect-uri'], {
     required: false,
     simpleName: '--custom-redirect-uri',
     skipIf: false,
-    prompt: {
-      prompt: '',
-      placeholder: 'https://yoursite.com/oauth/callback',
-      modifyOutput: UI.modifiers.piped([
-        (output, status) => {
-          if (status === 'idle') {
-            return (
-              `\nCustom redirect URI (optional):
-${chalk.dim('With a custom redirect URI, users will see "Redirecting to yoursite.com..." for a more branded experience.')}
-${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all query parameters preserved.`)}\n\n` +
-              stripFirstBlankLine(output)
-            );
-          }
-          return `\nCustom redirect URI (optional):\n${stripFirstBlankLine(output)}`;
-        },
-        UI.modifiers.dimOnComplete,
-      ]),
-    },
+    prompt: optionalRedirectPrompt,
   });
 
   if (!clientName) {
@@ -411,19 +476,11 @@ ${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all que
     redirectTo: redirectUri,
   });
 
-  const redirectMessages: string[] = [
-    chalk.bold(
-      `\nAdd this redirect URI in your LinkedIn app settings:\n${redirectUri}\n`,
-    ),
-  ];
-  if (customRedirectUri) {
-    redirectMessages.push(
-      `Your custom redirect must forward to ${chalk.bold(DEFAULT_OAUTH_CALLBACK_URL)} with all query parameters preserved.`,
-    );
-    redirectMessages.push(
-      `You can test it by visiting: ${chalk.bold(redirectUri + '?test-redirect=true')}`,
-    );
-  }
+  const redirectMessages = redirectSetupMessages({
+    prompt: 'Add this redirect URI in your LinkedIn app settings',
+    redirectUri,
+    showCustomRedirectInstructions: Boolean(customRedirectUri),
+  });
 
   yield* Effect.log(
     boxen(
@@ -438,32 +495,6 @@ ${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all que
   );
 });
 
-const readPrivateKeyFile = Effect.fn('readPrivateKeyFile')(function* (
-  path: string,
-) {
-  const fs = yield* FileSystem.FileSystem;
-  // Strip shell-escape backslashes so paths like "file\ (2).p8" resolve correctly.
-  // Only on POSIX — Windows uses backslashes as path separators.
-  const normalizedPath =
-    process.platform === 'win32' ? path : path.replace(/\\(.)/g, '$1');
-  const contents = yield* fs.readFileString(normalizedPath, 'utf8').pipe(
-    Effect.mapError(
-      (e) =>
-        new BadArgsError({
-          message: `Could not read private key file at ${normalizedPath}: ${e.message}`,
-        }),
-    ),
-  );
-
-  const trimmed = contents.trim();
-  if (!trimmed) {
-    return yield* BadArgsError.make({
-      message: `Private key file at ${normalizedPath} is empty.`,
-    });
-  }
-  return trimmed;
-});
-
 const handleAppleClient = Effect.fn(function* (opts: Record<string, unknown>) {
   const { yes } = yield* GlobalOpts;
   const { clientName, provider } = yield* getClientNameAndProvider(
@@ -475,14 +506,7 @@ const handleAppleClient = Effect.fn(function* (opts: Record<string, unknown>) {
     simpleName: '--services-id',
     required: true,
     skipIf: false,
-    prompt: {
-      prompt: `Services ID ${chalk.dim(`(from ${link('https://developer.apple.com/account/resources/identifiers/list/serviceId')})`)}`,
-      modifyOutput: UI.modifiers.piped([
-        UI.modifiers.topPadding,
-        UI.modifiers.dimOnComplete,
-      ]),
-      validate: validateRequired,
-    },
+    prompt: appleServicesIdPrompt({}),
   });
 
   // If any web-flow flag is provided, enable web flow; otherwise ask
@@ -518,14 +542,7 @@ const handleAppleClient = Effect.fn(function* (opts: Record<string, unknown>) {
     required: true,
     skipIf: skipWeb,
     skipMessage: `--team-id ${webSkipMessage}`,
-    prompt: {
-      prompt: `Team ID ${chalk.dim(`(from ${link('https://developer.apple.com/account#MembershipDetailsCard')})`)}`,
-      validate: validateRequired,
-      modifyOutput: UI.modifiers.piped([
-        UI.modifiers.topPadding,
-        UI.modifiers.dimOnComplete,
-      ]),
-    },
+    prompt: appleTeamIdPrompt({}),
   });
 
   const keyId = yield* optOrPrompt(opts['key-id'], {
@@ -533,14 +550,7 @@ const handleAppleClient = Effect.fn(function* (opts: Record<string, unknown>) {
     required: true,
     skipIf: skipWeb,
     skipMessage: `--key-id ${webSkipMessage}`,
-    prompt: {
-      prompt: `Key ID ${chalk.dim(`(from ${link('https://developer.apple.com/account/resources/authkeys/list')})`)}`,
-      validate: validateRequired,
-      modifyOutput: UI.modifiers.piped([
-        UI.modifiers.topPadding,
-        UI.modifiers.dimOnComplete,
-      ]),
-    },
+    prompt: appleKeyIdPrompt({}),
   });
 
   const privateKeyPath = yield* optOrPrompt(opts['private-key-file'], {
@@ -548,14 +558,7 @@ const handleAppleClient = Effect.fn(function* (opts: Record<string, unknown>) {
     required: true,
     skipIf: skipWeb,
     skipMessage: `--private-key-file ${webSkipMessage}`,
-    prompt: {
-      prompt: `Path to .p8 private key file ${chalk.dim('(downloaded from Apple)')}`,
-      validate: validateRequired,
-      modifyOutput: UI.modifiers.piped([
-        UI.modifiers.topPadding,
-        UI.modifiers.dimOnComplete,
-      ]),
-    },
+    prompt: applePrivateKeyFilePrompt({}),
   });
 
   const privateKey = privateKeyPath
@@ -567,24 +570,7 @@ const handleAppleClient = Effect.fn(function* (opts: Record<string, unknown>) {
     simpleName: '--custom-redirect-uri',
     skipIf: skipWeb,
     skipMessage: `--custom-redirect-uri ${webSkipMessage}`,
-    prompt: {
-      prompt: '',
-      placeholder: 'https://yoursite.com/oauth/callback',
-      modifyOutput: UI.modifiers.piped([
-        (output, status) => {
-          if (status === 'idle') {
-            return (
-              `\nCustom redirect URI (optional):
-${chalk.dim('With a custom redirect URI, users will see "Redirecting to yoursite.com..." for a more branded experience.')}
-${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all query parameters preserved.`)}\n\n` +
-              stripFirstBlankLine(output)
-            );
-          }
-          return `\nCustom redirect URI (optional):\n${stripFirstBlankLine(output)}`;
-        },
-        UI.modifiers.dimOnComplete,
-      ]),
-    },
+    prompt: optionalRedirectPrompt,
   });
 
   if (!clientName) {
@@ -617,22 +603,16 @@ ${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all que
     `Services ID: ${response.client.client_id ?? servicesId}`,
   ];
 
-  if (privateKey) {
+  if (privateKey && redirectUri) {
     summaryLines.push(`Team ID: ${teamId}`);
     summaryLines.push(`Key ID: ${keyId}`);
     summaryLines.push(
-      chalk.bold(
-        `\nAdd this return URL under your Services ID on ${link('https://developer.apple.com', 'developer.apple.com')}:\n${redirectUri}\n`,
-      ),
+      ...redirectSetupMessages({
+        prompt: `Add this return URL under your Services ID on ${link('https://developer.apple.com', 'developer.apple.com')}`,
+        redirectUri,
+        showCustomRedirectInstructions: Boolean(customRedirectUri),
+      }),
     );
-    if (customRedirectUri) {
-      summaryLines.push(
-        `Your custom redirect must forward to ${chalk.bold(DEFAULT_OAUTH_CALLBACK_URL)} with all query parameters preserved.`,
-      );
-      summaryLines.push(
-        `You can test it by visiting: ${chalk.bold(redirectUri + '?test-redirect=true')}`,
-      );
-    }
   }
   yield* Effect.log(
     boxen(summaryLines.join('\n'), {
@@ -652,23 +632,7 @@ const handleClerkClient = Effect.fn(function* (opts: Record<string, unknown>) {
     simpleName: '--publishable-key',
     required: true,
     skipIf: false,
-    prompt: {
-      prompt: `Clerk publishable key ${chalk.dim(`(from ${link('https://dashboard.clerk.com/last-active?path=api-keys')})`)}`,
-      placeholder:
-        'pk_********************************************************',
-      modifyOutput: UI.modifiers.piped([
-        UI.modifiers.topPadding,
-        UI.modifiers.dimOnComplete,
-      ]),
-      validate: (val) => {
-        if (!val) {
-          return 'Publishable key is required';
-        }
-        if (!val.startsWith('pk_')) {
-          return 'Invalid publishable key. It should start with "pk_".';
-        }
-      },
-    },
+    prompt: clerkPublishableKeyPrompt({}),
   });
 
   if (!clientName) {
@@ -680,7 +644,7 @@ const handleClerkClient = Effect.fn(function* (opts: Record<string, unknown>) {
     });
   }
 
-  const domain = domainFromClerkKey(publishableKey);
+  const domain = clerkDomainFromPublishableKey(publishableKey);
   if (!domain) {
     return yield* BadArgsError.make({
       message: 'Invalid publishable key. Could not extract domain.',
@@ -731,27 +695,11 @@ const handleFirebaseClient = Effect.fn(function* (
     opts,
   );
 
-  const firebaseProjectIdRegex = /^[a-z][a-z0-9-]{4,28}[a-z0-9]$/;
   const projectId = yield* optOrPrompt(opts['project-id'], {
     simpleName: '--project-id',
     required: true,
     skipIf: false,
-    prompt: {
-      prompt: `Firebase project ID: (From Project Settings page on ${link('https://console.firebase.google.com/')})`,
-      placeholder: '',
-      modifyOutput: UI.modifiers.piped([
-        UI.modifiers.topPadding,
-        UI.modifiers.dimOnComplete,
-      ]),
-      validate: (val) => {
-        if (!val) {
-          return 'Project ID is required';
-        }
-        if (!firebaseProjectIdRegex.test(val)) {
-          return 'Invalid Firebase project ID. It must be 6-30 characters, start with a lowercase letter, contain only lowercase letters, digits, and hyphens, and not end with a hyphen.';
-        }
-      },
-    },
+    prompt: firebaseProjectIdPrompt({}),
   });
   // typeguard
   if (!clientName || !projectId) {
@@ -759,16 +707,14 @@ const handleFirebaseClient = Effect.fn(function* (
       message: 'Missing required arguments',
     });
   }
-  if (!firebaseProjectIdRegex.test(projectId)) {
-    return yield* BadArgsError.make({
-      message:
-        'Invalid Firebase project ID. It must be 6-30 characters, start with a lowercase letter, contain only lowercase letters, digits, and hyphens, and not end with a hyphen.',
-    });
+  const validationError = validateFirebaseProjectId(projectId);
+  if (validationError) {
+    return yield* BadArgsError.make({ message: validationError });
   }
   const response = yield* addOAuthClient({
     providerId: provider.id,
     clientName,
-    discoveryEndpoint: `https://securetoken.google.com/${encodeURIComponent(projectId)}/.well-known/openid-configuration`,
+    discoveryEndpoint: firebaseDiscoveryEndpoint(projectId),
   });
 
   yield* Effect.log(
@@ -840,28 +786,3 @@ export const authClientAddCmd = Effect.fn(
     }),
   ),
 );
-
-function domainFromClerkKey(key: string): string | null {
-  try {
-    const parts = key.split('_');
-    const domainPartB64 = parts[parts.length - 1];
-    const domainPart = base64Decode(domainPartB64);
-    return domainPart.replace('$', '');
-  } catch (e) {
-    console.error('Error getting domain from clerk key', e);
-    return null;
-  }
-}
-
-// Base64 decode, switching to url-safe decode if we hit an error
-// Can't be sure which method Clerk uses because you can't generate
-// `+` or `/` with characters that go in a normal host. Urls with
-// chinese characters exist, they might encode to `+` or `/`, and
-// Clerk might support them, so we'll be safe and do both.
-function base64Decode(s: string) {
-  try {
-    return Buffer.from(s, 'base64').toString('utf-8');
-  } catch (e) {
-    return Buffer.from(s, 'base64url').toString('utf-8');
-  }
-}