latchkey 0.1.0

package/src/services/github.ts

@@ -0,0 +1,139 @@
+/**
+ * GitHub service implementation.
+ */
+
+import { randomUUID } from 'node:crypto';
+import type { Response, BrowserContext } from 'playwright';
+import { ApiCredentialStatus, ApiCredentials, AuthorizationBearer } from '../apiCredentials.js';
+import { runCaptured } from '../curl.js';
+import { typeLikeHuman } from '../playwrightUtils.js';
+import { Service, BrowserFollowupServiceSession, LoginFailedError } from './base.js';
+
+const DEFAULT_TIMEOUT_MS = 8000;
+
+// URL for creating a new personal access token (also used as login URL to trigger sudo)
+const GITHUB_NEW_TOKEN_URL = 'https://github.com/settings/tokens/new';
+
+// GitHub personal access token scopes to enable
+const GITHUB_TOKEN_SCOPES = [
+  'repo',
+  'workflow',
+  'write:packages',
+  'delete:packages',
+  'gist',
+  'notifications',
+  'admin:org',
+  'admin:repo_hook',
+  'admin:org_hook',
+  'user',
+  'delete_repo',
+  'write:discussion',
+  'admin:enterprise',
+  'read:audit_log',
+  'codespace',
+  'copilot',
+  'write:network_configurations',
+  'project',
+] as const;
+
+class GithubServiceSession extends BrowserFollowupServiceSession {
+  private isLoggedIn = false;
+
+  onResponse(response: Response): void {
+    if (this.isLoggedIn) {
+      return;
+    }
+
+    const request = response.request();
+    // Detect login (and github's sudo) by seeing if github allows us to access the new token page.
+    if (request.url() === GITHUB_NEW_TOKEN_URL) {
+      if (response.status() === 200) {
+        this.isLoggedIn = true;
+      }
+    }
+  }
+
+  protected isLoginComplete(): boolean {
+    return this.isLoggedIn;
+  }
+
+  protected async performBrowserFollowup(context: BrowserContext): Promise<ApiCredentials | null> {
+    const page = context.pages()[0];
+    if (!page) {
+      throw new LoginFailedError('No page available in browser context.');
+    }
+
+    await page.goto(GITHUB_NEW_TOKEN_URL);
+
+    // Add a note for the token
+    const noteInput = page.locator('//*[@id="oauth_access_description"]');
+    await noteInput.waitFor({ timeout: DEFAULT_TIMEOUT_MS });
+    await typeLikeHuman(page, noteInput, `Latchkey-${randomUUID().slice(0, 8)}`);
+
+    // Enable all necessary scopes
+    for (const scope of GITHUB_TOKEN_SCOPES) {
+      const checkbox = page.locator(`input[name="oauth_access[scopes][]"][value="${scope}"]`);
+      if (await checkbox.isVisible()) {
+        await checkbox.check();
+      }
+    }
+
+    // Click the Generate Token button
+    const generateButton = page.locator(
+      'button[type="submit"].btn-primary:has-text("Generate token")'
+    );
+    await generateButton.waitFor({ timeout: DEFAULT_TIMEOUT_MS });
+    await generateButton.click();
+
+    // Wait for the page to load and retrieve the generated token
+    const tokenElement = page.locator('//*[@id="new-oauth-token"]');
+    await tokenElement.waitFor({ timeout: DEFAULT_TIMEOUT_MS });
+
+    const token = await tokenElement.textContent();
+    if (token === null || token === '') {
+      throw new LoginFailedError('Failed to extract token from GitHub.');
+    }
+
+    await page.close();
+
+    return new AuthorizationBearer(token);
+  }
+}
+
+export class Github implements Service {
+  readonly name = 'github';
+  readonly baseApiUrls = ['https://api.github.com/'] as const;
+  readonly loginUrl = GITHUB_NEW_TOKEN_URL;
+
+  readonly credentialCheckCurlArguments = ['https://api.github.com/user'] as const;
+
+  getSession(): GithubServiceSession {
+    return new GithubServiceSession(this);
+  }
+
+  checkApiCredentials(apiCredentials: ApiCredentials): ApiCredentialStatus {
+    if (!(apiCredentials instanceof AuthorizationBearer)) {
+      return ApiCredentialStatus.Invalid;
+    }
+
+    const result = runCaptured(
+      [
+        '-s',
+        '-o',
+        '/dev/null',
+        '-w',
+        '%{http_code}',
+        ...apiCredentials.asCurlArguments(),
+        ...this.credentialCheckCurlArguments,
+      ],
+      10
+    );
+
+    if (result.stdout === '200') {
+      return ApiCredentialStatus.Valid;
+    }
+    return ApiCredentialStatus.Invalid;
+  }
+}
+
+export const GITHUB = new Github();

package/src/services/index.ts

@@ -0,0 +1,13 @@
+/**
+ * Re-export all services.
+ */
+
+export type { Service } from './base.js';
+export { ServiceSession, SimpleServiceSession, BrowserFollowupServiceSession } from './base.js';
+export { LoginCancelledError, LoginFailedError } from './base.js';
+
+export { Slack, SLACK } from './slack.js';
+export { Discord, DISCORD } from './discord.js';
+export { Github, GITHUB } from './github.js';
+export { Dropbox, DROPBOX } from './dropbox.js';
+export { Linear, LINEAR } from './linear.js';

package/src/services/linear.ts

@@ -0,0 +1,134 @@
+/**
+ * Linear service implementation.
+ */
+
+import { randomUUID } from 'node:crypto';
+import type { Response, BrowserContext } from 'playwright';
+import { ApiCredentialStatus, ApiCredentials, AuthorizationBare } from '../apiCredentials.js';
+import { runCaptured } from '../curl.js';
+import { typeLikeHuman } from '../playwrightUtils.js';
+import { Service, BrowserFollowupServiceSession, LoginFailedError } from './base.js';
+
+const DEFAULT_TIMEOUT_MS = 8000;
+
+// URL for creating a new personal API key (also used as login URL)
+const LINEAR_NEW_API_KEY_URL = 'https://linear.app/imbue/settings/account/security/api-keys/new';
+
+class LinearServiceSession extends BrowserFollowupServiceSession {
+  private isLoggedIn = false;
+
+  onResponse(response: Response): void {
+    if (this.isLoggedIn) {
+      return;
+    }
+
+    const request = response.request();
+    // Empirically, Linear always sends this request. When not logged in,
+    // the response only contains "data.organizationMeta". Otherwise it can
+    // contain different things based on how exactly the user authenticated.
+    if (request.url() === 'https://client-api.linear.app/graphql' && request.method() === 'POST') {
+      if (response.status() === 200) {
+        try {
+          // Note: response.json() returns a Promise in Playwright
+          response
+            .json()
+            .then((jsonData: unknown) => {
+              const data = (jsonData as { data?: Record<string, unknown> }).data ?? {};
+              if (Object.keys(data).some((key) => key !== 'organizationMeta')) {
+                this.isLoggedIn = true;
+              }
+            })
+            .catch(() => {
+              // Ignore JSON parse errors
+            });
+        } catch {
+          // Ignore errors
+        }
+      }
+    }
+  }
+
+  protected isLoginComplete(): boolean {
+    return this.isLoggedIn;
+  }
+
+  protected async performBrowserFollowup(context: BrowserContext): Promise<ApiCredentials | null> {
+    const page = context.pages()[0];
+    if (!page) {
+      throw new LoginFailedError('No page available in browser context.');
+    }
+
+    await page.goto(LINEAR_NEW_API_KEY_URL);
+
+    // Fill in the key name
+    const keyName = `Latchkey-${randomUUID().slice(0, 8)}`;
+    const keyNameInput = page.getByRole('textbox', { name: 'Key name' });
+    await keyNameInput.waitFor({ timeout: DEFAULT_TIMEOUT_MS });
+    await typeLikeHuman(page, keyNameInput, keyName);
+
+    // Click the Create button
+    const createButton = page.getByRole('button', { name: 'Create' });
+    await createButton.waitFor({ timeout: DEFAULT_TIMEOUT_MS });
+    await createButton.click();
+
+    // Wait for and extract the token from span element containing lin_api_ prefix
+    const tokenElement = page.locator("span:text-matches('^lin_api_')");
+    await tokenElement.waitFor({ timeout: DEFAULT_TIMEOUT_MS });
+
+    const token = await tokenElement.textContent();
+    if (token === null || token === '') {
+      throw new LoginFailedError('Failed to extract token from Linear.');
+    }
+
+    await page.close();
+
+    return new AuthorizationBare(token);
+  }
+}
+
+export class Linear implements Service {
+  readonly name = 'linear';
+  readonly baseApiUrls = ['https://api.linear.app/'] as const;
+  readonly loginUrl = LINEAR_NEW_API_KEY_URL;
+
+  readonly credentialCheckCurlArguments = [
+    '-X',
+    'POST',
+    '-H',
+    'Content-Type: application/json',
+    '-d',
+    '{"query": "{ viewer { id } }"}',
+    'https://api.linear.app/graphql',
+  ] as const;
+
+  getSession(): LinearServiceSession {
+    return new LinearServiceSession(this);
+  }
+
+  checkApiCredentials(apiCredentials: ApiCredentials): ApiCredentialStatus {
+    if (!(apiCredentials instanceof AuthorizationBare)) {
+      return ApiCredentialStatus.Invalid;
+    }
+
+    // Linear uses GraphQL API - check credentials with a simple query
+    const result = runCaptured(
+      [
+        '-s',
+        '-o',
+        '/dev/null',
+        '-w',
+        '%{http_code}',
+        ...apiCredentials.asCurlArguments(),
+        ...this.credentialCheckCurlArguments,
+      ],
+      10
+    );
+
+    if (result.stdout === '200') {
+      return ApiCredentialStatus.Valid;
+    }
+    return ApiCredentialStatus.Invalid;
+  }
+}
+
+export const LINEAR = new Linear();

package/src/services/slack.ts

@@ -0,0 +1,85 @@
+/**
+ * Slack service implementation.
+ */
+
+import type { Response } from 'playwright';
+import { ApiCredentialStatus, ApiCredentials, SlackApiCredentials } from '../apiCredentials.js';
+import { runCaptured } from '../curl.js';
+import { Service, SimpleServiceSession } from './base.js';
+
+class SlackServiceSession extends SimpleServiceSession {
+  private pendingDCookie: string | null = null;
+
+  protected async getApiCredentialsFromResponse(
+    response: Response
+  ): Promise<ApiCredentials | null> {
+    const request = response.request();
+    const url = request.url();
+
+    // Check if the domain is under slack.com
+    if (!/^https:\/\/([a-z0-9-]+\.)?slack\.com\//.test(url)) {
+      return null;
+    }
+
+    const headers = await request.allHeaders();
+    const cookieHeader = headers.cookie;
+    if (cookieHeader === undefined) {
+      return null;
+    }
+
+    const cookieMatch = /\bd=([^;]+)/.exec(cookieHeader);
+    if (!cookieMatch?.[1]) {
+      return null;
+    }
+    const dCookie = cookieMatch[1];
+    this.pendingDCookie = dCookie;
+
+    // Extract token from response body (JSON embedded in HTML or raw JSON)
+    try {
+      const responseBody = await response.text();
+      const tokenMatch = /"api_token":"(xoxc-[a-zA-Z0-9-]+)"/.exec(responseBody);
+      if (tokenMatch?.[1]) {
+        return new SlackApiCredentials(tokenMatch[1], dCookie);
+      }
+    } catch {
+      // Ignore errors reading response body
+    }
+
+    return null;
+  }
+}
+
+export class Slack implements Service {
+  readonly name = 'slack';
+  readonly baseApiUrls = ['https://slack.com/api/'] as const;
+  readonly loginUrl = 'https://slack.com/signin';
+
+  readonly credentialCheckCurlArguments = ['https://slack.com/api/auth.test'] as const;
+
+  getSession(): SlackServiceSession {
+    return new SlackServiceSession(this);
+  }
+
+  checkApiCredentials(apiCredentials: ApiCredentials): ApiCredentialStatus {
+    if (!(apiCredentials instanceof SlackApiCredentials)) {
+      return ApiCredentialStatus.Invalid;
+    }
+
+    const result = runCaptured(
+      ['-s', ...apiCredentials.asCurlArguments(), ...this.credentialCheckCurlArguments],
+      10
+    );
+
+    try {
+      const data = JSON.parse(result.stdout) as { ok?: boolean };
+      if (data.ok) {
+        return ApiCredentialStatus.Valid;
+      }
+      return ApiCredentialStatus.Invalid;
+    } catch {
+      return ApiCredentialStatus.Invalid;
+    }
+  }
+}
+
+export const SLACK = new Slack();

package/tests/apiCredentialStore.test.ts

@@ -0,0 +1,162 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { mkdtempSync, rmSync, existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { ApiCredentialStore } from '../src/apiCredentialStore.js';
+import {
+  AuthorizationBearer,
+  AuthorizationBare,
+  SlackApiCredentials,
+} from '../src/apiCredentials.js';
+import { EncryptedStorage } from '../src/encryptedStorage.js';
+import { generateKey } from '../src/encryption.js';
+
+describe('ApiCredentialStore', () => {
+  let tempDir: string;
+  let storePath: string;
+  let encryptedStorage: EncryptedStorage;
+
+  beforeEach(() => {
+    tempDir = mkdtempSync(join(tmpdir(), 'latchkey-test-'));
+    storePath = join(tempDir, 'credentials.json');
+    encryptedStorage = new EncryptedStorage({ encryptionKeyOverride: generateKey() });
+  });
+
+  afterEach(() => {
+    rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  describe('get', () => {
+    it('should return null for non-existent store file', () => {
+      const store = new ApiCredentialStore(storePath, encryptedStorage);
+      expect(store.get('slack')).toBeNull();
+    });
+
+    it('should return null for non-existent service', () => {
+      const store = new ApiCredentialStore(storePath, encryptedStorage);
+      store.save('discord', new AuthorizationBare('token'));
+      expect(store.get('slack')).toBeNull();
+    });
+
+    it('should retrieve saved AuthorizationBearer credentials', () => {
+      const store = new ApiCredentialStore(storePath, encryptedStorage);
+      const credentials = new AuthorizationBearer('test-token');
+      store.save('github', credentials);
+
+      const retrieved = store.get('github');
+      expect(retrieved).toBeInstanceOf(AuthorizationBearer);
+      expect((retrieved as AuthorizationBearer).token).toBe('test-token');
+    });
+
+    it('should retrieve saved AuthorizationBare credentials', () => {
+      const store = new ApiCredentialStore(storePath, encryptedStorage);
+      const credentials = new AuthorizationBare('discord-token');
+      store.save('discord', credentials);
+
+      const retrieved = store.get('discord');
+      expect(retrieved).toBeInstanceOf(AuthorizationBare);
+      expect((retrieved as AuthorizationBare).token).toBe('discord-token');
+    });
+
+    it('should retrieve saved SlackApiCredentials', () => {
+      const store = new ApiCredentialStore(storePath, encryptedStorage);
+      const credentials = new SlackApiCredentials('xoxc-token', 'd-cookie');
+      store.save('slack', credentials);
+
+      const retrieved = store.get('slack');
+      expect(retrieved).toBeInstanceOf(SlackApiCredentials);
+      expect((retrieved as SlackApiCredentials).token).toBe('xoxc-token');
+      expect((retrieved as SlackApiCredentials).dCookie).toBe('d-cookie');
+    });
+  });
+
+  describe('save', () => {
+    it('should create the store file if it does not exist', () => {
+      const store = new ApiCredentialStore(storePath, encryptedStorage);
+      store.save('github', new AuthorizationBearer('token'));
+      expect(existsSync(storePath)).toBe(true);
+    });
+
+    it('should create parent directories if they do not exist', () => {
+      const nestedPath = join(tempDir, 'nested', 'deep', 'credentials.json');
+      const store = new ApiCredentialStore(nestedPath, encryptedStorage);
+      store.save('github', new AuthorizationBearer('token'));
+      expect(existsSync(nestedPath)).toBe(true);
+    });
+
+    it('should overwrite existing credentials for the same service', () => {
+      const store = new ApiCredentialStore(storePath, encryptedStorage);
+      store.save('github', new AuthorizationBearer('old-token'));
+      store.save('github', new AuthorizationBearer('new-token'));
+
+      const retrieved = store.get('github');
+      expect((retrieved as AuthorizationBearer).token).toBe('new-token');
+    });
+
+    it('should preserve other services when saving', () => {
+      const store = new ApiCredentialStore(storePath, encryptedStorage);
+      store.save('github', new AuthorizationBearer('github-token'));
+      store.save('discord', new AuthorizationBare('discord-token'));
+
+      expect(store.get('github')).not.toBeNull();
+      expect(store.get('discord')).not.toBeNull();
+    });
+
+    it('should write valid JSON (encrypted)', () => {
+      const store = new ApiCredentialStore(storePath, encryptedStorage);
+      store.save('github', new AuthorizationBearer('token'));
+
+      const content = readFileSync(storePath, 'utf-8');
+      // When encrypted, content starts with prefix, followed by encrypted JSON
+      expect(content.startsWith('LATCHKEY_ENCRYPTED:')).toBe(true);
+    });
+  });
+
+  describe('delete', () => {
+    it('should return false for non-existent service', () => {
+      const store = new ApiCredentialStore(storePath, encryptedStorage);
+      expect(store.delete('github')).toBe(false);
+    });
+
+    it('should return false for non-existent store file', () => {
+      const store = new ApiCredentialStore(storePath, encryptedStorage);
+      expect(store.delete('github')).toBe(false);
+    });
+
+    it('should delete existing credentials and return true', () => {
+      const store = new ApiCredentialStore(storePath, encryptedStorage);
+      store.save('github', new AuthorizationBearer('token'));
+      expect(store.delete('github')).toBe(true);
+      expect(store.get('github')).toBeNull();
+    });
+
+    it('should preserve other services when deleting', () => {
+      const store = new ApiCredentialStore(storePath, encryptedStorage);
+      store.save('github', new AuthorizationBearer('github-token'));
+      store.save('discord', new AuthorizationBare('discord-token'));
+
+      store.delete('github');
+
+      expect(store.get('github')).toBeNull();
+      expect(store.get('discord')).not.toBeNull();
+    });
+  });
+
+  describe('multiple credential types', () => {
+    it('should store and retrieve different credential types', () => {
+      const store = new ApiCredentialStore(storePath, encryptedStorage);
+
+      store.save('github', new AuthorizationBearer('github-token'));
+      store.save('discord', new AuthorizationBare('discord-token'));
+      store.save('slack', new SlackApiCredentials('slack-token', 'slack-cookie'));
+
+      const github = store.get('github');
+      const discord = store.get('discord');
+      const slack = store.get('slack');
+
+      expect(github).toBeInstanceOf(AuthorizationBearer);
+      expect(discord).toBeInstanceOf(AuthorizationBare);
+      expect(slack).toBeInstanceOf(SlackApiCredentials);
+    });
+  });
+});