kasy-cli 1.21.7 → 1.21.9

package/lib/commands/new.js

@@ -44,7 +44,7 @@ const { generateApiProject } = require('../scaffold/backends/api/generator');
 const { createProjectAndGetKeys, setupLinkedProject, checkLoggedIn, getOrgsList, getProjectsByOrg, getProjectKeys } = require('../scaffold/backends/supabase/deploy');
 const { writeSupabaseGoogleAuthOptions, readSupabaseGoogleCredentials, getGoogleClientSecretViaGcloud, flutterfireConfigure, writeGoogleAuthOptions, writeGoogleIosUrlScheme, writeGoogleIosUrlSchemeFromClientId } = require('../scaffold/shared/post-build');
 const { toPackageName } = require('../scaffold/backends/firebase/tokens');
-const { setupFromScratch, setupExistingProject, listBillingAccounts, listGcpOrganizations, checkGcloudAuth, getFirebaseAccount, getGcloudInstallInstructions, enableAuthProviders, registerDebugSha1 } = require('../scaffold/backends/firebase/setup-from-scratch');
+const { setupFromScratch, setupExistingProject, listBillingAccounts, listGcpOrganizations, checkGcloudAuth, getFirebaseAccount, getGcloudInstallInstructions, enableAuthProviders, ensureFirebaseAuthInitialized, registerDebugSha1 } = require('../scaffold/backends/firebase/setup-from-scratch');
 const { enableAuthViaFirebaseCli } = require('../scaffold/backends/firebase/enable-auth-via-cli');
 const { createFcmServiceAccountKey } = require('../scaffold/shared/fcm-service-account');
 
@@ -1689,10 +1689,15 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
       // client, which is why Google used to come out disabled on Supabase projects.
       const googleSpinner = ui.spinner();
       googleSpinner.start(tr('new.google.enabling'));
+      // The deploy below needs the project's Identity Platform config to exist.
+      // Supabase setup runs in fcmOnly mode, which intentionally leaves Firebase
+      // Auth untouched, so initialize it here (idempotent) before the deploy.
+      await ensureFirebaseAuthInitialized(answers.firebaseProjectId);
       const cliResult = await enableAuthViaFirebaseCli({
         projectDir: targetDir,
         projectId: answers.firebaseProjectId,
         appName: answers.appName,
+        googleOnly: true,
       });
       googleSpinner.stop(tr('new.google.enabling'));
 

package/lib/scaffold/backends/firebase/enable-auth-via-cli.js

@@ -63,9 +63,12 @@ async function mergeAuthIntoFirebaseJson(projectDir, providers) {
  * @param {string} options.projectId
  * @param {string} options.appName
  * @param {string} [options.supportEmail] - falls back to active gcloud account
+ * @param {boolean} [options.googleOnly] - Supabase: enable ONLY Google (the deploy's
+ *   side effect creates the OAuth Web Client we need). Anonymous/Email/Password in
+ *   Firebase Auth would be dead config there, since the app uses Supabase Auth.
  * @returns {{ ok: boolean, error?: string, supportEmail?: string }}
  */
-async function enableAuthViaFirebaseCli({ projectDir, projectId, appName, supportEmail }) {
+async function enableAuthViaFirebaseCli({ projectDir, projectId, appName, supportEmail, googleOnly = false }) {
   // 1. Resolve support email (required by Google's OAuth consent screen)
   let email = (supportEmail || '').trim();
   if (!email) email = await getGcloudAccountEmail();
@@ -76,15 +79,20 @@ async function enableAuthViaFirebaseCli({ projectDir, projectId, appName, suppor
     };
   }
 
-  // 2. Merge firebase.json
-  const merge = await mergeAuthIntoFirebaseJson(projectDir, {
-    anonymous: true,
-    emailPassword: true,
+  // 2. Merge firebase.json. Google is always enabled (it's the whole point — the
+  // deploy creates its OAuth Web Client). Anonymous + Email/Password are added only
+  // for the Firebase backend, whose app actually signs in through Firebase Auth.
+  const providers = {
     googleSignIn: {
       oAuthBrandDisplayName: appName,
       supportEmail: email,
     },
-  });
+  };
+  if (!googleOnly) {
+    providers.anonymous = true;
+    providers.emailPassword = true;
+  }
+  const merge = await mergeAuthIntoFirebaseJson(projectDir, providers);
   if (!merge.ok) return merge;
 
   // 3. Deploy. --non-interactive prevents the CLI from prompting on edge cases.

package/lib/scaffold/backends/firebase/setup-from-scratch.js

@@ -19,6 +19,7 @@ const path = require('node:path');
 const fs = require('fs-extra');
 const os = require('node:os');
 const { getInstallGuide } = require('../../../utils/checks');
+const { keytoolBin } = require('../../../utils/env-tools');
 
 const execAsync = promisify(exec);
 
@@ -536,7 +537,7 @@ async function ensureDebugKeystore() {
   if (!(await fs.pathExists(DEBUG_KEYSTORE))) {
     await fs.ensureDir(androidDir);
     const createResult = await run(
-      `keytool -genkeypair -v -keystore "${DEBUG_KEYSTORE}" -storepass android -alias androiddebugkey -keypass android -keyalg RSA -keysize 2048 -validity 10000 -dname "CN=Android Debug,O=Android,C=US" -noprompt`
+      `${keytoolBin()} -genkeypair -v -keystore "${DEBUG_KEYSTORE}" -storepass android -alias androiddebugkey -keypass android -keyalg RSA -keysize 2048 -validity 10000 -dname "CN=Android Debug,O=Android,C=US" -noprompt`
     );
     if (!createResult.ok) return { ok: false, error: createResult.stderr || createResult.error };
   }
@@ -552,7 +553,7 @@ async function extractSha1() {
   if (!ensureResult.ok) return ensureResult;
 
   const result = await run(
-    `keytool -list -v -keystore "${DEBUG_KEYSTORE}" -alias androiddebugkey -storepass android -keypass android`
+    `${keytoolBin()} -list -v -keystore "${DEBUG_KEYSTORE}" -alias androiddebugkey -storepass android -keypass android`
   );
   if (!result.ok) return { ok: false, error: result.stderr || result.error };
 
@@ -729,34 +730,24 @@ async function ensureLocalhostAuthorizedDomains(projectId, token) {
 }
 
 /**
- * Enable Firebase Auth sign-in providers: Email/Password, Anonymous and Google.
- * Uses the Identity Toolkit Admin v2 REST API with gcloud credentials.
+ * Initialize Firebase Auth (Identity Platform) for a project. Brand-new projects
+ * have no auth config, so any Admin v2 operation (PATCH /config, or the Firebase
+ * CLI `deploy --only auth`) fails with CONFIGURATION_NOT_FOUND until this runs.
  *
- * Flow:
- *  1. Call identityPlatform:initializeAuth to create the auth config for the project
- *     (required for new projects — PATCH fails with CONFIGURATION_NOT_FOUND without it).
- *  2. PATCH /config to enable Email/Password and Anonymous.
- *  3. POST defaultSupportedIdpConfigs to enable Google Sign-In.
- *     Google Sign-In requires an OAuth client_id that Firebase creates when the user
- *     enables it in the Console — if the client doesn't exist yet this step is skipped
- *     and googleSignInSkipped=true is returned so the caller can show a targeted hint.
- *
- * Non-fatal: returns { ok: false, error } without throwing if the API call fails.
+ * The endpoint is idempotent: it returns {} both on first init and when auth was
+ * already initialized. Non-fatal by contract — callers proceed on failure since
+ * the config may already exist.
  *
  * @param {string} projectId
- * @returns {{ ok: boolean, googleSignInSkipped?: boolean, error?: string }}
+ * @returns {{ ok: boolean, error?: string }}
  */
-async function enableAuthProviders(projectId, { maxRetries = 3, retryDelayMs = 15000 } = {}) {
+async function ensureFirebaseAuthInitialized(projectId, { maxRetries = 3, retryDelayMs = 15000 } = {}) {
   let token;
   try {
     token = await getAccessToken();
   } catch (_) {
     return { ok: false, error: 'Could not get access token' };
   }
-
-  // Step 1: Initialize Firebase Auth for the project.
-  // New projects have no auth config — PATCH returns CONFIGURATION_NOT_FOUND without this.
-  // The endpoint is idempotent: it returns {} on success or if already initialized.
   const initUrl = `https://identitytoolkit.googleapis.com/v2/projects/${projectId}/identityPlatform:initializeAuth`;
   for (let attempt = 1; attempt <= maxRetries; attempt++) {
     const initRes = await fetch(initUrl, {
@@ -768,19 +759,45 @@ async function enableAuthProviders(projectId, { maxRetries = 3, retryDelayMs = 1
       },
       body: JSON.stringify({}),
     });
-    if (initRes.ok) break;
-    await initRes.text(); // consume body to release connection
+    if (initRes.ok) return { ok: true };
+    const text = await initRes.text(); // consume body to release connection
     if (attempt < maxRetries && (initRes.status === 404 || initRes.status === 503)) {
       await sleep(retryDelayMs);
       try { token = await getAccessToken(); } catch (_) {}
       continue;
     }
-    // Non-fatal — still attempt PATCH below in case auth was already initialized.
-    break;
+    return { ok: false, error: `${initRes.status}: ${text}` };
   }
+  return { ok: false, error: 'initializeAuth: exhausted retries' };
+}
+
+/**
+ * Enable Firebase Auth sign-in providers: Email/Password, Anonymous and Google.
+ * Uses the Identity Toolkit Admin v2 REST API with gcloud credentials.
+ *
+ * Flow:
+ *  1. Call identityPlatform:initializeAuth to create the auth config for the project
+ *     (required for new projects — PATCH fails with CONFIGURATION_NOT_FOUND without it).
+ *  2. PATCH /config to enable Email/Password and Anonymous.
+ *  3. POST defaultSupportedIdpConfigs to enable Google Sign-In.
+ *     Google Sign-In requires an OAuth client_id that Firebase creates when the user
+ *     enables it in the Console — if the client doesn't exist yet this step is skipped
+ *     and googleSignInSkipped=true is returned so the caller can show a targeted hint.
+ *
+ * Non-fatal: returns { ok: false, error } without throwing if the API call fails.
+ *
+ * @param {string} projectId
+ * @returns {{ ok: boolean, googleSignInSkipped?: boolean, error?: string }}
+ */
+async function enableAuthProviders(projectId, { maxRetries = 3, retryDelayMs = 15000 } = {}) {
+  // Step 1: Initialize Firebase Auth (non-fatal — the PATCH below still runs in
+  // case auth was already initialized). The shared helper keeps the init logic in
+  // one place so the Supabase flow can reuse it before its `deploy --only auth`.
+  await ensureFirebaseAuthInitialized(projectId, { maxRetries, retryDelayMs });
 
   // Step 2: Enable Email/Password and Anonymous auth providers.
   const configUrl = `https://identitytoolkit.googleapis.com/admin/v2/projects/${projectId}/config?updateMask=signIn.email,signIn.anonymous`;
+  let token;
   let lastError;
   for (let attempt = 1; attempt <= maxRetries; attempt++) {
     try { token = await getAccessToken(); } catch (_) {
@@ -995,27 +1012,34 @@ async function setupFromScratch(appName, bundleId, options = {}) {
   const addResult = await addFirebaseToProject(projectId, { onProgress });
   if (!addResult.ok) return { ok: false, error: `[addFirebase] ${addResult.error}`, projectId };
 
-  // Enable Email/Password, Anonymous and Google Sign-In auth providers automatically.
-  // Non-fatal — project setup continues even if this call fails.
-  const authResult = await enableAuthProviders(projectId);
-  if (!authResult.ok) {
-    onProgress('auth-providers-warn', {
-      error: authResult.error,
-      url: `https://console.firebase.google.com/project/${projectId}/authentication/providers`,
-    });
-  } else if (authResult.googleSignInSkipped) {
-    // Email/Password and Anonymous were enabled. Google Sign-In needs an OAuth client
-    // that Firebase creates when you enable it in the Console for the first time.
-    onProgress('auth-google-warn', {
-      url: `https://console.firebase.google.com/project/${projectId}/authentication/providers`,
-    });
-  }
-  // Providers were enabled but localhost couldn't be authorized — warn so the user
-  // isn't surprised by [firebase_auth/unauthorized-domain] on web sign-in.
-  if (authResult.ok && authResult.localhostAuthorized === false) {
-    onProgress('auth-localhost-warn', {
-      url: `https://console.firebase.google.com/project/${projectId}/authentication/settings`,
-    });
+  // Firebase Auth providers (Email/Password, Anonymous, Google, Apple) only matter
+  // for the Firebase backend, whose app authenticates against Firebase Auth. In
+  // fcmOnly mode the app is Supabase/API and authenticates elsewhere, so we leave
+  // Firebase Auth untouched — this project exists purely for FCM/push (and, for
+  // Supabase, the Google OAuth client, which new.js creates separately via
+  // `firebase deploy --only auth`). Non-fatal — setup continues even if it fails.
+  let authResult = null;
+  if (!fcmOnly) {
+    authResult = await enableAuthProviders(projectId);
+    if (!authResult.ok) {
+      onProgress('auth-providers-warn', {
+        error: authResult.error,
+        url: `https://console.firebase.google.com/project/${projectId}/authentication/providers`,
+      });
+    } else if (authResult.googleSignInSkipped) {
+      // Email/Password and Anonymous were enabled. Google Sign-In needs an OAuth client
+      // that Firebase creates when you enable it in the Console for the first time.
+      onProgress('auth-google-warn', {
+        url: `https://console.firebase.google.com/project/${projectId}/authentication/providers`,
+      });
+    }
+    // Providers were enabled but localhost couldn't be authorized — warn so the user
+    // isn't surprised by [firebase_auth/unauthorized-domain] on web sign-in.
+    if (authResult.ok && authResult.localhostAuthorized === false) {
+      onProgress('auth-localhost-warn', {
+        url: `https://console.firebase.google.com/project/${projectId}/authentication/settings`,
+      });
+    }
   }
 
   // Firestore + Storage are Firebase-backend features (and need Blaze). In
@@ -1088,8 +1112,8 @@ async function setupFromScratch(appName, bundleId, options = {}) {
   return {
     ok: true,
     projectId,
-    authEnabled: authResult.ok,
-    googleSignInSkipped: authResult.ok && !!authResult.googleSignInSkipped,
+    authEnabled: authResult ? authResult.ok : null,
+    googleSignInSkipped: authResult ? (authResult.ok && !!authResult.googleSignInSkipped) : false,
     sha1Skipped,
     sha1Error,
     sha1ManualUrl: `https://console.firebase.google.com/project/${projectId}/settings/general/android:${bundleId}`,
@@ -1237,6 +1261,7 @@ module.exports = {
   applyStorageCors,
   checkBillingEnabled,
   enableAuthProviders,
+  ensureFirebaseAuthInitialized,
   ensureLocalhostAuthorizedDomains,
   listBillingAccounts,
   listGcpOrganizations,

package/lib/scaffold/backends/supabase/deploy.js

@@ -13,16 +13,29 @@ const { exec, execFile } = require('node:child_process');
 const { promisify } = require('node:util');
 const path = require('node:path');
 const fs = require('fs-extra');
+const { augmentedEnv } = require('../../../utils/env-tools');
 
 const execAsync = promisify(exec);
 const execFileAsync = promisify(execFile);
 
+/**
+ * Parse JSON from a CLI's stdout tolerantly. The Supabase CLI sometimes prints
+ * an "update available" notice before the JSON payload (more often on Windows),
+ * which would break a strict JSON.parse — so we grab from the first [ or {.
+ */
+function parseJsonLoose(stdout) {
+  const s = (stdout || '').trim();
+  const start = s.search(/[[{]/);
+  if (start === -1) return null;
+  try { return JSON.parse(s.slice(start)); } catch { return null; }
+}
+
 async function run(cmd, cwd, env = {}) {
   try {
     const { stdout, stderr } = await execAsync(cmd, {
       cwd,
       maxBuffer: 10 * 1024 * 1024,
-      env: { ...process.env, ...env },
+      env: { ...augmentedEnv(), ...env },
     });
     return { ok: true, stdout, stderr };
   } catch (err) {
@@ -40,13 +53,14 @@ async function run(cmd, cwd, env = {}) {
  */
 async function checkLoggedIn() {
   const result = await run('supabase projects list -o json', process.cwd());
-  if (!result.ok) return { ok: false, error: result.error };
-  try {
-    const data = JSON.parse(result.stdout);
-    return { ok: true, projects: Array.isArray(data) ? data : [] };
-  } catch {
+  // Trust the exit code: a successful command means we're authenticated. Only a
+  // non-zero exit (e.g. "Access token not provided") means login is required.
+  // The list itself is parsed best-effort (tolerant of update notices).
+  if (!result.ok) {
     return { ok: false, error: 'Supabase login required. Run: supabase login' };
   }
+  const data = parseJsonLoose(result.stdout);
+  return { ok: true, projects: Array.isArray(data) ? data : [] };
 }
 
 /**
@@ -69,13 +83,9 @@ async function getProjectsByOrg(orgId) {
 async function getOrgsList() {
   const result = await run('supabase orgs list -o json', process.cwd());
   if (!result.ok) return { ok: false, error: result.error };
-  try {
-    const data = JSON.parse(result.stdout);
-    const orgs = Array.isArray(data) ? data : [];
-    return { ok: true, orgs: orgs.map((o) => ({ id: o.id, name: o.name || o.id })) };
-  } catch {
-    return { ok: false, error: 'Could not parse orgs list. Run: supabase login' };
-  }
+  const data = parseJsonLoose(result.stdout);
+  const orgs = Array.isArray(data) ? data : [];
+  return { ok: true, orgs: orgs.map((o) => ({ id: o.id, name: o.name || o.id })) };
 }
 
 /**

package/lib/utils/env-tools.js

@@ -69,6 +69,30 @@ function pubCacheBin(name) {
   return `"${file}"`;
 }
 
+/**
+ * Quoted path to `keytool` (used for the Android debug SHA-1). It ships with
+ * the JDK and is almost never on PATH on Windows, so we look in JAVA_HOME and
+ * Android Studio's bundled JBR before falling back to bare `keytool`.
+ */
+function keytoolBin() {
+  const exe = isWindows ? 'keytool.exe' : 'keytool';
+  const candidates = [];
+  if (process.env.JAVA_HOME) candidates.push(path.join(process.env.JAVA_HOME, 'bin', exe));
+  if (isWindows) {
+    const pf = process.env.ProgramFiles;
+    const local = process.env.LOCALAPPDATA;
+    if (pf) candidates.push(path.win32.join(pf, 'Android', 'Android Studio', 'jbr', 'bin', exe));
+    if (local) candidates.push(path.win32.join(local, 'Programs', 'Android Studio', 'jbr', 'bin', exe));
+    if (pf) candidates.push(path.win32.join(pf, 'Android', 'Android Studio', 'jre', 'bin', exe));
+  } else {
+    candidates.push('/Applications/Android Studio.app/Contents/jbr/Contents/Home/bin/keytool');
+  }
+  for (const candidate of candidates) {
+    if (fs.existsSync(candidate)) return `"${candidate}"`;
+  }
+  return 'keytool';
+}
+
 /**
  * Well-known install dirs of tools that may not be on the frozen session PATH
  * yet — e.g. the Google Cloud SDK right after it's installed mid-run. Only
@@ -114,5 +138,6 @@ module.exports = {
   homeDir,
   pubCacheBinDir,
   pubCacheBin,
+  keytoolBin,
   augmentedEnv,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kasy-cli",
-  "version": "1.21.7",
+  "version": "1.21.9",
   "description": "CLI for scaffolding production-ready Flutter SaaS apps with Firebase, Supabase, or API REST backends.",
   "bin": {
     "kasy": "./bin/kasy.js"