libretto 0.6.8 → 0.6.10

package/dist/cli/core/auth-fetch.js

@@ -0,0 +1,195 @@
+import { readAuthState, writeAuthState } from "./auth-storage.js";
+const HOSTED_API_URL = "https://api.libretto.sh";
+const NOT_AUTHENTICATED_MESSAGE = [
+  "Not authenticated.",
+  "  \u2022 Cookie expired or never set: run `libretto experimental auth login` to refresh it.",
+  "  \u2022 Or set LIBRETTO_API_KEY in your .env (issue one with `libretto experimental auth api-key issue --label <label>` after logging in)."
+].join("\n");
+function pickCredential(state) {
+  const envKey = process.env.LIBRETTO_API_KEY?.trim();
+  if (envKey) return { source: "env-api-key", apiKey: envKey };
+  if (state?.session?.cookie) {
+    return { source: "cookie", cookie: state.session.cookie };
+  }
+  return { source: "none" };
+}
+function resolveApiUrl(_state) {
+  return HOSTED_API_URL;
+}
+async function authFetch(options) {
+  const headers = {
+    "Content-Type": "application/json",
+    // Better Auth's CSRF middleware rejects state-changing requests
+    // ("/api/auth/*" POSTs like api-key/create, organization/invite-member,
+    // sign-in/email, etc.) when there's no Origin header. Browsers send
+    // this automatically; node:fetch does not. Sending the apiUrl as the
+    // Origin matches Better Auth's trustedOrigins default (which includes
+    // baseURL), so the check passes for our own service.
+    Origin: options.apiUrl
+  };
+  if (!options.unauthenticated) {
+    const credential = options.credential ?? pickCredential(await readAuthState());
+    if (credential.source === "env-api-key") {
+      headers["x-api-key"] = credential.apiKey;
+    } else if (credential.source === "cookie") {
+      headers["cookie"] = credential.cookie;
+    } else {
+      throw new Error(NOT_AUTHENTICATED_MESSAGE);
+    }
+  }
+  const response = await fetch(`${options.apiUrl}${options.path}`, {
+    method: options.method ?? "POST",
+    headers,
+    body: options.body !== void 0 ? JSON.stringify(options.body) : void 0
+  });
+  return response;
+}
+class ApiCallError extends Error {
+  status;
+  code;
+  data;
+  path;
+  constructor(opts) {
+    super(opts.message);
+    this.name = "ApiCallError";
+    this.status = opts.status;
+    this.code = opts.code;
+    this.data = opts.data;
+    this.path = opts.path;
+  }
+}
+async function orpcCall(opts) {
+  const response = await authFetch({
+    apiUrl: opts.apiUrl,
+    method: "POST",
+    path: opts.path,
+    body: { json: opts.input ?? {} },
+    unauthenticated: opts.unauthenticated,
+    credential: opts.credential
+  });
+  const text = await response.text();
+  let parsed;
+  try {
+    parsed = text.length === 0 ? {} : JSON.parse(text);
+  } catch {
+    throw new ApiCallError({
+      message: `Unexpected non-JSON response from ${opts.path} (${response.status}): ${text.slice(0, 200)}`,
+      status: response.status,
+      code: null,
+      data: null,
+      path: opts.path
+    });
+  }
+  if (!response.ok) {
+    const message = extractErrorMessage(parsed) ?? `${opts.path} failed (${response.status})`;
+    throw new ApiCallError({
+      message,
+      status: response.status,
+      code: extractErrorCode(parsed),
+      data: extractErrorData(parsed),
+      path: opts.path
+    });
+  }
+  const json = parsed.json;
+  if (json === void 0) {
+    return parsed;
+  }
+  return json;
+}
+async function betterAuthCall(opts) {
+  const response = await authFetch({
+    apiUrl: opts.apiUrl,
+    method: opts.method ?? "POST",
+    path: opts.path,
+    body: opts.input,
+    unauthenticated: opts.unauthenticated,
+    credential: opts.credential
+  });
+  const text = await response.text();
+  let parsed;
+  try {
+    parsed = text.length === 0 ? {} : JSON.parse(text);
+  } catch {
+    throw new Error(
+      `Unexpected non-JSON response from ${opts.path} (${response.status}): ${text.slice(0, 200)}`
+    );
+  }
+  if (!response.ok) {
+    const message = extractErrorMessage(parsed) ?? `${opts.path} failed (${response.status})`;
+    throw new ApiCallError({
+      message,
+      status: response.status,
+      code: extractErrorCode(parsed),
+      data: extractErrorData(parsed),
+      path: opts.path
+    });
+  }
+  const setCookie = readSetCookies(response);
+  return { data: parsed, setCookie };
+}
+function readSetCookies(response) {
+  const headers = response.headers;
+  if (typeof headers.getSetCookie === "function") {
+    return headers.getSetCookie();
+  }
+  const single = response.headers.get("set-cookie");
+  return single ? [single] : [];
+}
+function extractErrorMessage(body) {
+  if (!body || typeof body !== "object") return null;
+  const record = body;
+  if (typeof record.message === "string") return record.message;
+  if (record.json && typeof record.json === "object" && typeof record.json.message === "string") {
+    return record.json.message;
+  }
+  if (record.error && typeof record.error === "object") {
+    const errMsg = record.error.message;
+    if (typeof errMsg === "string") return errMsg;
+  }
+  return null;
+}
+function extractErrorCode(body) {
+  if (!body || typeof body !== "object") return null;
+  const record = body;
+  if (typeof record.code === "string") return record.code;
+  if (record.json && typeof record.json === "object" && typeof record.json.code === "string") {
+    return record.json.code;
+  }
+  if (record.error && typeof record.error === "object") {
+    const code = record.error.code;
+    if (typeof code === "string") return code;
+  }
+  return null;
+}
+function extractErrorData(body) {
+  if (!body || typeof body !== "object") return null;
+  const record = body;
+  if (record.data !== void 0) return record.data;
+  if (record.json && typeof record.json === "object") {
+    const inner = record.json.data;
+    if (inner !== void 0) return inner;
+  }
+  if (record.error && typeof record.error === "object") {
+    const inner = record.error.data;
+    if (inner !== void 0) return inner;
+  }
+  return null;
+}
+async function ensureAuthState(apiUrl) {
+  const existing = await readAuthState();
+  if (existing && existing.apiUrl === apiUrl) return existing;
+  const next = existing ? { ...existing, apiUrl } : { apiUrl, session: null };
+  await writeAuthState(next);
+  return next;
+}
+export {
+  ApiCallError,
+  HOSTED_API_URL,
+  NOT_AUTHENTICATED_MESSAGE,
+  authFetch,
+  betterAuthCall,
+  ensureAuthState,
+  orpcCall,
+  pickCredential,
+  resolveApiUrl
+};

package/dist/cli/core/auth-storage.js

@@ -0,0 +1,52 @@
+import { promises as fs } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+const FILE_NAME = "auth.json";
+function authDir() {
+  return join(homedir(), ".libretto");
+}
+function authPath() {
+  return join(authDir(), FILE_NAME);
+}
+async function readAuthState() {
+  try {
+    const raw = await fs.readFile(authPath(), "utf8");
+    const parsed = JSON.parse(raw);
+    if (!parsed.apiUrl || typeof parsed.apiUrl !== "string") return null;
+    return {
+      apiUrl: parsed.apiUrl,
+      session: parsed.session ?? null
+    };
+  } catch (error) {
+    if (error.code === "ENOENT") return null;
+    throw error;
+  }
+}
+async function writeAuthState(state) {
+  await fs.mkdir(authDir(), { recursive: true, mode: 448 });
+  const payload = JSON.stringify(state, null, 2);
+  const target = authPath();
+  const tmp = `${target}.tmp`;
+  await fs.writeFile(tmp, payload, { mode: 384 });
+  await fs.rename(tmp, target);
+}
+async function clearAuthState() {
+  try {
+    await fs.unlink(authPath());
+  } catch (error) {
+    if (error.code !== "ENOENT") throw error;
+  }
+}
+function setCookieToCookieHeader(setCookie) {
+  return setCookie.map((entry) => entry.split(";")[0]?.trim()).filter((pair) => Boolean(pair && pair.includes("="))).join("; ");
+}
+function authStatePath() {
+  return authPath();
+}
+export {
+  authStatePath,
+  clearAuthState,
+  readAuthState,
+  setCookieToCookieHeader,
+  writeAuthState
+};