lakebed 0.0.2 → 0.0.3

package/src/anonymous.js

@@ -16,6 +16,7 @@ export const DEFAULT_ANONYMOUS_LIMITS = {
 };
 
 const expressionOps = new Set(["arg", "auth", "call", "row"]);
+const authFields = new Set(["displayName", "email", "emailVerified", "isAuthenticated", "isGuest", "name", "picture", "provider", "userId"]);
 
 export class AnonymousCompilerError extends Error {
   constructor(diagnostics) {
@@ -131,9 +132,17 @@ function createSymbolicArg(index) {
 }
 
 function createSymbolicAuth() {
-  const userId = new SymbolicValue(["auth", "userId"], "guest:trace");
-  const displayName = new SymbolicValue(["auth", "displayName"], "Trace Guest");
-  return { displayName, userId };
+  return {
+    displayName: new SymbolicValue(["auth", "displayName"], "Trace Guest"),
+    email: new SymbolicValue(["auth", "email"], "trace@example.test"),
+    emailVerified: new SymbolicValue(["auth", "emailVerified"], true),
+    isAuthenticated: new SymbolicValue(["auth", "isAuthenticated"], true),
+    isGuest: new SymbolicValue(["auth", "isGuest"], false),
+    name: new SymbolicValue(["auth", "name"], "Trace Guest"),
+    picture: new SymbolicValue(["auth", "picture"], "https://example.test/avatar.png"),
+    provider: new SymbolicValue(["auth", "provider"], "google"),
+    userId: new SymbolicValue(["auth", "userId"], "guest:trace")
+  };
 }
 
 function createSymbolicRow({ auth, idExpr, scanId, schema, tableName }) {
@@ -484,7 +493,7 @@ function compileServerToIr(app, schema) {
   return { diagnostics, mutations, queries };
 }
 
-export async function createAnonymousArtifact({ app, clientOut, sourceStore, version = "0.0.2" }) {
+export async function createAnonymousArtifact({ app, clientOut, sourceStore, version = "0.0.3" }) {
   const sourceFiles = await readSourceFiles(sourceStore);
   const diagnostics = forbiddenSourceDiagnostics(sourceFiles);
   const { diagnostics: schemaDiagnostics, schema } = serializeSchema(app.schema);
@@ -561,7 +570,7 @@ function validateExpression(expr, path, diagnostics) {
   }
 
   if (op === "auth") {
-    if ((expr[1] !== "userId" && expr[1] !== "displayName") || expr.length !== 2) {
+    if (!authFields.has(expr[1]) || expr.length !== 2) {
       diagnostics.push(diagnostic(path, "Invalid auth expression."));
     }
     return;

package/src/auth.js

@@ -0,0 +1,155 @@
+const DEFAULT_SHOO_BASE_URL = "https://shoo.dev";
+
+export function shooBaseUrlFromEnv(env = process.env) {
+  return String(env.LAKEBED_SHOO_BASE_URL ?? env.SHOO_BASE_URL ?? DEFAULT_SHOO_BASE_URL).replace(/\/+$/g, "");
+}
+
+export function toGuestName(name) {
+  return (
+    String(name ?? "local")
+      .replace(/^guest:/, "")
+      .trim()
+      .replace(/[^a-zA-Z0-9_.-]+/g, "-")
+      .replace(/^-+|-+$/g, "")
+      .toLowerCase() || "local"
+  );
+}
+
+export function toDisplayName(name) {
+  return toGuestName(name)
+    .split(/[-_\s.]+/)
+    .filter(Boolean)
+    .map((part) => `${part[0]?.toUpperCase() ?? ""}${part.slice(1)}`)
+    .join(" ");
+}
+
+export function createGuestAuth(name) {
+  const guestName = toGuestName(name);
+  return {
+    displayName: toDisplayName(guestName),
+    isAuthenticated: false,
+    isGuest: true,
+    provider: "guest",
+    userId: `guest:${guestName}`
+  };
+}
+
+export function requestOrigin(req, fallbackUrl) {
+  const forwardedHost = String(req.headers["x-forwarded-host"] ?? "")
+    .split(",")[0]
+    .trim();
+  const host = forwardedHost || req.headers.host || (fallbackUrl ? new URL(fallbackUrl).host : "localhost");
+  const forwardedProto = String(req.headers["x-forwarded-proto"] ?? "")
+    .split(",")[0]
+    .trim();
+  const protocol = forwardedProto || (fallbackUrl ? new URL(fallbackUrl).protocol.replace(/:$/g, "") : "http");
+  return `${protocol}://${host}`;
+}
+
+function decodeBase64UrlJson(value) {
+  try {
+    return JSON.parse(Buffer.from(value, "base64url").toString("utf8"));
+  } catch {
+    return null;
+  }
+}
+
+export function decodeIdentityClaims(idToken) {
+  if (!idToken || typeof idToken !== "string") {
+    return null;
+  }
+
+  const parts = idToken.split(".");
+  if (parts.length < 2) {
+    return null;
+  }
+
+  return decodeBase64UrlJson(parts[1]);
+}
+
+function stringClaim(claims, name) {
+  return typeof claims?.[name] === "string" ? claims[name] : undefined;
+}
+
+function booleanClaim(claims, name) {
+  return typeof claims?.[name] === "boolean" ? claims[name] : undefined;
+}
+
+function authFromClaims(claims) {
+  const pairwiseSub = stringClaim(claims, "pairwise_sub") ?? stringClaim(claims, "sub");
+  if (!pairwiseSub) {
+    return null;
+  }
+
+  const name = stringClaim(claims, "name");
+  const email = stringClaim(claims, "email");
+  return {
+    displayName: name ?? email ?? "Google User",
+    email,
+    emailVerified: booleanClaim(claims, "email_verified"),
+    isAuthenticated: true,
+    isGuest: false,
+    name,
+    picture: stringClaim(claims, "picture"),
+    provider: "google",
+    userId: `google:${pairwiseSub}`
+  };
+}
+
+function isLocallyPlausibleShooToken(claims, origin, shooBaseUrl) {
+  if (!claims || typeof claims !== "object") {
+    return false;
+  }
+
+  if (claims.aud !== `origin:${new URL(origin).origin}`) {
+    return false;
+  }
+
+  if (typeof claims.iss !== "string" || claims.iss.replace(/\/+$/g, "") !== shooBaseUrl.replace(/\/+$/g, "")) {
+    return false;
+  }
+
+  return typeof claims.exp !== "number" || claims.exp * 1000 > Date.now();
+}
+
+export async function verifyShooAuth({ origin, shooBaseUrl = shooBaseUrlFromEnv(), token }) {
+  if (!token) {
+    return null;
+  }
+
+  const response = await fetch(new URL("/session/check", shooBaseUrl), {
+    headers: {
+      Authorization: `Bearer ${token}`,
+      Origin: new URL(origin).origin
+    },
+    method: "POST"
+  });
+
+  if (!response.ok) {
+    return null;
+  }
+
+  const claims = decodeIdentityClaims(token);
+  if (!isLocallyPlausibleShooToken(claims, origin, shooBaseUrl)) {
+    return null;
+  }
+
+  return authFromClaims(claims);
+}
+
+export async function authFromUrl({ defaultAuth = createGuestAuth("local"), onError, origin, shooBaseUrl, url }) {
+  const token = url.searchParams.get("lakebed_token") ?? url.searchParams.get("auth_token") ?? "";
+  if (token) {
+    try {
+      const shooAuth = await verifyShooAuth({ origin, shooBaseUrl, token });
+      if (shooAuth) {
+        return shooAuth;
+      }
+    } catch (error) {
+      await onError?.(error);
+    }
+  }
+
+  const guestName = url.searchParams.get("lakebed_guest") ?? url.searchParams.get("guest");
+  return guestName ? createGuestAuth(guestName) : defaultAuth;
+}

package/src/cli.js

@@ -14,6 +14,7 @@ import {
   stableStringify
 } from "./anonymous.js";
 import { startAnonymousServer } from "./anonymous-server.js";
+import { authFromUrl as resolveAuthFromUrl, createGuestAuth, requestOrigin, shooBaseUrlFromEnv } from "./auth.js";
 import { LogBuffer, StateCell } from "./runtime.js";
 import { createMemorySourceStoreFromDirectory, sourcePathDirname, sourcePathJoin } from "./source-store.js";
 
@@ -30,8 +31,8 @@ Usage:
   lakebed new <name> [--template todo]
   lakebed dev <capsule-dir> [--port 3000]
   lakebed build <capsule-dir> --target anonymous [--out .lakebed/artifacts/app.json] [--json]
-  lakebed deploy <capsule-dir> [--ttl 7d] [--api <url>] [--json]
-  lakebed anonymous-server [--port 8787] [--public-root-url <url>]
+  lakebed deploy [capsule-dir] [--ttl 7d] [--api <url>] [--json]
+  lakebed anonymous-server [--port 8787] [--public-root-url <url>] [--app-base-domain <domain>]
   lakebed inspect <deploy-id-or-url> [--api <url>] [--json]
   lakebed run-many <capsule-dir> [--count 20] [--base-port 4000]
   lakebed auth as <name>
@@ -91,31 +92,6 @@ function authFile() {
   return resolve(root, ".lakebed/auth.json");
 }
 
-function toGuestName(name) {
-  return String(name ?? "local")
-    .replace(/^guest:/, "")
-    .trim()
-    .replace(/[^a-zA-Z0-9_.-]+/g, "-")
-    .replace(/^-+|-+$/g, "")
-    .toLowerCase() || "local";
-}
-
-function toDisplayName(name) {
-  return toGuestName(name)
-    .split(/[-_\s.]+/)
-    .filter(Boolean)
-    .map((part) => `${part[0]?.toUpperCase() ?? ""}${part.slice(1)}`)
-    .join(" ");
-}
-
-function createGuestAuth(name) {
-  const guestName = toGuestName(name);
-  return {
-    userId: `guest:${guestName}`,
-    displayName: toDisplayName(guestName)
-  };
-}
-
 async function readAuth() {
   try {
     return JSON.parse(await readFile(authFile(), "utf8"));
@@ -129,11 +105,6 @@ async function writeAuth(auth) {
   await writeFile(authFile(), `${JSON.stringify(auth, null, 2)}\n`);
 }
 
-function authFromUrl(url, defaultAuth) {
-  const guestName = url.searchParams.get("lakebed_guest") ?? url.searchParams.get("guest");
-  return guestName ? createGuestAuth(guestName) : defaultAuth;
-}
-
 function isBareSpecifier(path) {
   return !path.startsWith(".") && !path.startsWith("/") && !/^[a-zA-Z]:/.test(path);
 }
@@ -332,7 +303,7 @@ export async function buildCapsule({ capsuleDir, sourceStore, capsuleId = "dev"
   };
 }
 
-function html(title) {
+function html(title, { shooBaseUrl } = {}) {
   return `<!doctype html>
 <html lang="en">
   <head>
@@ -342,6 +313,7 @@ function html(title) {
   </head>
   <body>
     <div id="app"></div>
+    <script>window.__LAKEBED_AUTH__ = ${JSON.stringify({ shooBaseUrl })};</script>
     <script type="module" src="/client.js"></script>
     <script>
       const tailwind = document.createElement("script");
@@ -394,7 +366,14 @@ async function runMutation({ app, stateCell, auth, logs, env, name, args }) {
   );
 }
 
-export async function startDevServer({ capsuleDir, sourceStore, port = 3000, capsuleId = "dev", quiet = false } = {}) {
+export async function startDevServer({
+  capsuleDir,
+  sourceStore,
+  port = 3000,
+  capsuleId = "dev",
+  quiet = false,
+  shooBaseUrl = shooBaseUrlFromEnv()
+} = {}) {
   const resolvedCapsuleDir = resolveCapsuleDir(capsuleDir);
   const built = await buildCapsule({ capsuleDir: resolvedCapsuleDir, sourceStore, capsuleId });
   const defaultAuth = await readAuth();
@@ -406,9 +385,9 @@ export async function startDevServer({ capsuleDir, sourceStore, port = 3000, cap
     try {
       const requestUrl = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
 
-      if (requestUrl.pathname === "/" || requestUrl.pathname === "/index.html") {
+      if (requestUrl.pathname === "/" || requestUrl.pathname === "/index.html" || requestUrl.pathname === "/auth/callback") {
         res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-        res.end(html(built.app.name ?? "Lakebed Capsule"));
+        res.end(html(built.app.name ?? "Lakebed Capsule", { shooBaseUrl }));
         return;
       }
 
@@ -529,14 +508,22 @@ export async function startDevServer({ capsuleDir, sourceStore, port = 3000, cap
     });
   });
 
-  server.on("upgrade", (req, socket, head) => {
+  server.on("upgrade", async (req, socket, head) => {
     const requestUrl = new URL(req.url ?? "/", "http://lakebed.local");
     if (requestUrl.pathname !== "/__lakebed/ws") {
       socket.destroy();
       return;
     }
 
-    const auth = authFromUrl(requestUrl, defaultAuth);
+    const auth = await resolveAuthFromUrl({
+      defaultAuth,
+      onError: (error) => {
+        logs.append("warn", "google auth verification failed", { error: error instanceof Error ? error.message : String(error) });
+      },
+      origin: requestOrigin(req),
+      shooBaseUrl,
+      url: requestUrl
+    });
     wss.handleUpgrade(req, socket, head, (ws) => {
       wss.emit("connection", ws, req, auth);
     });
@@ -615,6 +602,55 @@ function defaultArtifactPath(capsuleDir) {
   return resolve(root, ".lakebed/artifacts", `${basename(capsuleDir)}.anonymous.json`);
 }
 
+function deployMetadataPath(capsuleDir) {
+  return resolve(capsuleDir, ".lakebed/deploy.json");
+}
+
+async function readDeployMetadata(capsuleDir) {
+  try {
+    return JSON.parse(await readFile(deployMetadataPath(capsuleDir), "utf8"));
+  } catch (error) {
+    if (error?.code === "ENOENT") {
+      return null;
+    }
+
+    throw new Error(`Unable to read Lakebed deploy metadata: ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+
+async function writeDeployMetadata(capsuleDir, metadata) {
+  const path = deployMetadataPath(capsuleDir);
+  await mkdir(dirname(path), { recursive: true });
+  await writeFile(path, `${JSON.stringify(metadata, null, 2)}\n`);
+}
+
+function claimTokenFromDeployResponse(deployed) {
+  if (!deployed?.claimUrl || !deployed?.deployId) {
+    return null;
+  }
+
+  try {
+    const url = new URL(deployed.claimUrl);
+    const segments = url.pathname.split("/").filter(Boolean);
+    if (segments[0] === "claim" && segments[1] === deployed.deployId) {
+      return segments[2] ?? null;
+    }
+  } catch {
+    return null;
+  }
+
+  return null;
+}
+
+function deployRequestBody(envelope, ttl) {
+  return JSON.stringify({
+    artifact: envelope.artifact,
+    clientBundle: envelope.clientBundle,
+    clientVersion: "0.0.3",
+    requestedTtlSeconds: ttl
+  });
+}
+
 async function buildCommand(args) {
   const [capsuleArg] = positionals(args);
   const target = readArg(args, "--target", "anonymous");
@@ -663,32 +699,65 @@ async function readResponseJson(response) {
 
 async function deployCommand(args) {
   const [capsuleArg] = positionals(args);
-  const envelope = await buildAnonymousEnvelope(capsuleArg);
+  const capsuleDir = capsuleArg ? resolveCapsuleDir(capsuleArg) : root;
+  const envelope = await buildAnonymousEnvelope(capsuleDir);
   const ttl = parseTtlSeconds(readArg(args, "--ttl", "7d"));
   const api = deployApiUrl(args);
-  const response = await fetch(`${api}/v1/anonymous-deploys`, {
-    body: JSON.stringify({
-      artifact: envelope.artifact,
-      clientBundle: envelope.clientBundle,
-      clientVersion: "0.0.2",
-      requestedTtlSeconds: ttl
-    }),
+  const body = deployRequestBody(envelope, ttl);
+  const metadata = await readDeployMetadata(capsuleDir);
+  const canUpdate =
+    metadata?.api === api && typeof metadata?.deployId === "string" && typeof metadata?.claimToken === "string";
+  let mode = "created";
+  let response;
+
+  if (canUpdate) {
+    response = await fetch(`${api}/v1/deploys/${encodeURIComponent(metadata.deployId)}`, {
+      body,
+      headers: {
+        "Authorization": `Bearer ${metadata.claimToken}`,
+        "Content-Type": "application/json"
+      },
+      method: "PUT"
+    });
+
+    if (response.status === 404 || response.status === 410) {
+      mode = "created";
+      response = null;
+    } else {
+      mode = "updated";
+    }
+  }
+
+  response ??= await fetch(`${api}/v1/anonymous-deploys`, {
+    body,
     headers: {
       "Content-Type": "application/json"
     },
     method: "POST"
   });
   const deployed = await readResponseJson(response);
+  const claimToken = claimTokenFromDeployResponse(deployed) ?? metadata?.claimToken;
+  if (claimToken) {
+    await writeDeployMetadata(capsuleDir, {
+      api,
+      claimToken,
+      deployId: deployed.deployId,
+      updatedAt: new Date().toISOString(),
+      url: deployed.url
+    });
+  }
 
   if (hasFlag(args, "--json")) {
     console.log(JSON.stringify(deployed, null, 2));
     return;
   }
 
-  console.log("Deploying anonymous preview...\n");
+  console.log(`${mode === "updated" ? "Updated" : "Created"} anonymous preview.\n`);
   console.log(`App:        ${deployed.url}`);
   console.log(`Expires:    ${deployed.expiresAt}`);
-  console.log(`Claim:      ${deployed.claimUrl}`);
+  if (deployed.claimUrl) {
+    console.log(`Claim:      ${deployed.claimUrl}`);
+  }
   console.log(`Inspect:    lakebed inspect ${deployed.deployId}`);
   console.log("\nLimits:");
   console.log(`  source/artifact: ${deployed.limits.artifactBytes} bytes`);
@@ -833,7 +902,7 @@ lakebed dev .
 Deploy:
 
 \`\`\`sh
-lakebed deploy .
+lakebed deploy
 \`\`\`
 
 Inspect local state while \`lakebed dev\` is running:
@@ -852,14 +921,15 @@ lakebed logs --port 3000
 - Do not use Node built-ins in app code.
 - Use Tailwind classes directly in JSX.
 - Do not add a CSS, PostCSS, or Tailwind build pipeline.
-- Use guest auth through \`ctx.auth\` on the server and \`useAuth()\` on the client.
+- Use auth through \`ctx.auth\` on the server and \`useAuth()\` on the client.
+- Add Google sign-in with \`<SignInWithGoogle />\` or \`signInWithGoogle()\` from \`lakebed/client\`.
 - Keep \`shared/\` free of DOM, Node, env, and Lakebed runtime imports.
 
 ## Current Limits
 
 - One server entry.
 - One client entry.
-- Guest auth only.
+- Guest auth locally, with built-in Google sign-in through Shoo.
 - No file storage.
 - No outbound fetch in anonymous deploys.
 - Local state resets when \`lakebed dev\` restarts.
@@ -905,13 +975,14 @@ export default capsule({
   }
 });
 `,
-    "client/index.tsx": `import { useAuth, useMutation, useQuery } from "lakebed/client";
+    "client/index.tsx": `import { SignInWithGoogle, signOut, useAuth, useMutation, useQuery } from "lakebed/client";
 import { cleanTodoText, type Todo } from "../shared/todo";
 
 export function App() {
   const auth = useAuth();
   const todos = useQuery<Todo[]>("todos");
   const addTodo = useMutation<[text: string], void>("addTodo");
+  const authLabel = auth.email ?? auth.displayName;
 
   async function onSubmit(event: SubmitEvent) {
     event.preventDefault();
@@ -929,7 +1000,16 @@ export function App() {
   return (
     <main className="min-h-screen bg-black px-6 py-10 text-white">
       <section className="mx-auto max-w-2xl">
-        <p className="mb-3 font-mono text-sm text-neutral-500">signed in as {auth.userId}</p>
+        <div className="mb-3 flex items-center justify-between gap-3">
+          <p className="font-mono text-sm text-neutral-500">signed in as {authLabel}</p>
+          {auth.isGuest ? (
+            <SignInWithGoogle className="border border-neutral-700 px-3 py-1.5 text-sm font-medium text-neutral-200 hover:border-white hover:text-white" />
+          ) : (
+            <button className="text-sm text-neutral-400 hover:text-white" type="button" onClick={() => signOut()}>
+              Sign out
+            </button>
+          )}
+        </div>
         <h1 className="mb-8 text-5xl font-bold tracking-tight">${title}</h1>
         <form className="mb-8 flex gap-3" onSubmit={(event) => void onSubmit(event)}>
           <input className="min-w-0 flex-1 border border-neutral-700 bg-black px-3 py-2 text-white outline-none focus:border-white" name="text" placeholder="Add a todo" />
@@ -957,6 +1037,8 @@ export function App() {
 export function cleanTodoText(value: string): string {
   return value.trim().slice(0, 160);
 }
+`,
+    ".gitignore": `.lakebed/
 `,
     "README.md": `# ${title}
 

package/src/client.d.ts

@@ -1,8 +1,63 @@
+import type { ComponentChildren, JSX } from "preact";
+
 export type Auth = {
   userId: string;
   displayName: string;
+  provider: "guest" | "google";
+  isGuest: boolean;
+  isAuthenticated: boolean;
+  email?: string;
+  emailVerified?: boolean;
+  name?: string;
+  picture?: string;
+};
+
+export type Identity = {
+  userId: string | null;
+  token?: string;
+};
+
+export type IdentityClaims = {
+  iss?: string;
+  aud?: string;
+  sub?: string;
+  iat?: number;
+  exp?: number;
+  jti?: string;
+  pairwise_sub?: string;
+  email?: string;
+  email_verified?: boolean;
+  name?: string;
+  picture?: string;
 };
 
+export type SignInWithGoogleOptions = {
+  callbackPath?: string;
+  clientId?: string;
+  redirectUri?: string;
+  returnTo?: string;
+  shooBaseUrl?: string;
+};
+
+export type SignInWithGoogleResult = {
+  url: string;
+  bundle: {
+    state: string;
+    verifier: string;
+    challenge: string;
+  };
+};
+
+export type SignInWithGoogleProps = Omit<JSX.ButtonHTMLAttributes<HTMLButtonElement>, "children"> &
+  SignInWithGoogleOptions & {
+    children?: ComponentChildren;
+  };
+
 export function useAuth(): Auth;
+export function signInWithGoogle(options?: SignInWithGoogleOptions): Promise<SignInWithGoogleResult>;
+export function signOut(): void;
+export function getIdentity(): Identity;
+export function decodeIdentityClaims(idToken?: string): IdentityClaims | null;
+export function SignInWithGoogle(props?: SignInWithGoogleProps): JSX.Element;
 export function useQuery<T>(name: string): T;
 export function useMutation<TArgs extends unknown[], TResult>(name: string): (...args: TArgs) => Promise<TResult>;