neonctl 2.15.0 → 2.16.0

package/auth.js

@@ -1,4 +1,4 @@
-import { custom, generators, Issuer } from 'openid-client';
+import * as client from 'openid-client';
 import { createServer } from 'node:http';
 import { createReadStream } from 'node:fs';
 import { join } from 'node:path';
@@ -7,6 +7,7 @@ import { log } from './log.js';
 import { fileURLToPath } from 'node:url';
 import { sendError } from './analytics.js';
 import { matchErrorCode } from './errors.js';
+import { extendTokenSet } from './utils/auth.js';
 // oauth server timeouts
 const SERVER_TIMEOUT = 10000;
 // where to wait for incoming redirect request from oauth server to arrive
@@ -27,22 +28,22 @@ const NEONCTL_SCOPES = [
 ];
 const AUTH_TIMEOUT_SECONDS = 60;
 export const defaultClientID = 'neonctl';
-custom.setHttpOptionsDefaults({
-    timeout: SERVER_TIMEOUT,
-});
-export const refreshToken = async ({ oauthHost, clientId }, tokenSet) => {
+export const refreshToken = async ({ oauthHost, clientId, allowUnsafeTls }, tokenSet) => {
     log.debug('Discovering oauth server');
-    const issuer = await Issuer.discover(oauthHost);
-    const neonOAuthClient = new issuer.Client({
-        token_endpoint_auth_method: 'none',
-        client_id: clientId,
-        response_types: ['code'],
+    const configuration = await client.discovery(new URL(oauthHost), clientId, { token_endpoint_auth_method: 'none' }, client.None(), {
+        timeout: SERVER_TIMEOUT,
+        // eslint-disable-next-line @typescript-eslint/no-deprecated
+        execute: allowUnsafeTls ? [client.allowInsecureRequests] : undefined,
     });
-    return await neonOAuthClient.refresh(tokenSet);
+    return await client.refreshTokenGrant(configuration, tokenSet.refresh_token);
 };
-export const auth = async ({ oauthHost, clientId }) => {
+export const auth = async ({ oauthHost, clientId, allowUnsafeTls, }) => {
     log.debug('Discovering oauth server');
-    const issuer = await Issuer.discover(oauthHost);
+    const configuration = await client.discovery(new URL(oauthHost), clientId, { token_endpoint_auth_method: 'none' }, client.None(), {
+        timeout: SERVER_TIMEOUT,
+        // eslint-disable-next-line @typescript-eslint/no-deprecated
+        execute: allowUnsafeTls ? [client.allowInsecureRequests] : undefined,
+    });
     //
     // Start HTTP server and wait till /callback is hit
     //
@@ -53,17 +54,11 @@ export const auth = async ({ oauthHost, clientId }) => {
     });
     await new Promise((resolve) => server.once('listening', resolve));
     const listen_port = server.address().port;
-    const neonOAuthClient = new issuer.Client({
-        token_endpoint_auth_method: 'none',
-        client_id: clientId,
-        redirect_uris: [REDIRECT_URI(listen_port)],
-        response_types: ['code'],
-    });
     // https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.1.8
-    const state = generators.state();
+    const state = client.randomState();
     // we store the code_verifier in memory
-    const codeVerifier = generators.codeVerifier();
-    const codeChallenge = generators.codeChallenge(codeVerifier);
+    const codeVerifier = client.randomPKCECodeVerifier();
+    const codeChallenge = await client.calculatePKCECodeChallenge(codeVerifier);
     return new Promise((resolve, reject) => {
         const timer = setTimeout(() => {
             reject(new Error(`Authentication timed out after ${AUTH_TIMEOUT_SECONDS} seconds`));
@@ -88,15 +83,16 @@ export const auth = async ({ oauthHost, clientId }) => {
                 return;
             }
             log.debug(`Callback received: ${request.url}`);
-            const params = neonOAuthClient.callbackParams(request);
-            const tokenSet = await neonOAuthClient.callback(REDIRECT_URI(listen_port), params, {
-                code_verifier: codeVerifier,
-                state,
+            const tokenSet = await client.authorizationCodeGrant(configuration, new URL(request.url, `http://127.0.0.1:${listen_port}`), {
+                pkceCodeVerifier: codeVerifier,
+                expectedState: state,
             });
             response.writeHead(200, { 'Content-Type': 'text/html' });
             createReadStream(join(fileURLToPath(new URL('.', import.meta.url)), './callback.html')).pipe(response);
             clearTimeout(timer);
-            resolve(tokenSet);
+            const exp = new Date();
+            exp.setSeconds(exp.getSeconds() + (tokenSet.expires_in ?? 0));
+            resolve(extendTokenSet(tokenSet));
             server.close();
         };
         server.on('request', (req, res) => {
@@ -106,15 +102,16 @@ export const auth = async ({ oauthHost, clientId }) => {
         // Open browser to let user authenticate
         //
         const scopes = clientId == defaultClientID ? NEONCTL_SCOPES : ALWAYS_PRESENT_SCOPES;
-        const authUrl = neonOAuthClient.authorizationUrl({
+        const authUrl = client.buildAuthorizationUrl(configuration, {
             scope: scopes.join(' '),
             state,
             code_challenge: codeChallenge,
             code_challenge_method: 'S256',
+            redirect_uri: REDIRECT_URI(listen_port),
         });
         log.info('Awaiting authentication in web browser.');
         log.info(`Auth Url: ${authUrl}`);
-        open(authUrl).catch((err) => {
+        open(authUrl.href).catch((err) => {
             const msg = `Failed to open web browser. Please copy & paste auth url to authenticate in browser.`;
             const typedErr = err && err instanceof Error ? err : undefined;
             sendError(typedErr || new Error(msg), matchErrorCode(msg));

package/commands/auth.js

@@ -1,12 +1,12 @@
 import { existsSync, readFileSync, writeFileSync, rmSync } from 'node:fs';
 import { join } from 'node:path';
 import { createHash } from 'node:crypto';
-import { TokenSet } from 'openid-client';
 import { getApiClient } from '../api.js';
 import { auth, refreshToken } from '../auth.js';
 import { CREDENTIALS_FILE } from '../config.js';
 import { isCi } from '../env.js';
 import { log } from '../log.js';
+import { extendTokenSet } from '../utils/auth.js';
 export const command = 'auth';
 export const aliases = ['login'];
 export const describe = 'Authenticate';
@@ -16,13 +16,14 @@ export const builder = (yargs) => yargs.option('context-file', {
 export const handler = async (args) => {
     await authFlow(args);
 };
-export const authFlow = async ({ configDir, oauthHost, clientId, apiHost, forceAuth, }) => {
+export const authFlow = async ({ configDir, oauthHost, clientId, apiHost, forceAuth, allowUnsafeTls, }) => {
     if (!forceAuth && isCi()) {
         throw new Error('Cannot run interactive auth in CI');
     }
     const tokenSet = await auth({
         oauthHost: oauthHost,
         clientId: clientId,
+        allowUnsafeTls,
     });
     const credentialsPath = join(configDir, CREDENTIALS_FILE);
     try {
@@ -49,17 +50,13 @@ const preserveCredentials = async (path, credentials, apiClient) => {
     writeFileSync(path, contents, {
         mode: 0o700,
     });
-    log.info('Saved credentials to %s', path);
+    log.debug('Saved credentials to %s', path);
     log.debug('Credentials MD5 hash: %s', md5hash(contents));
 };
-const isCompleteTokenSet = (tokenSet) => {
-    return !!(tokenSet.access_token &&
-        tokenSet.refresh_token &&
-        tokenSet.expires_at);
-};
 const handleExistingToken = async (tokenSet, props, credentialsPath) => {
     // Use existing access_token, if present and valid
-    if (!!tokenSet.access_token && !tokenSet.expired()) {
+    if (tokenSet.access_token && tokenSet.expires_at > Date.now()) {
+        log.debug('Using existing valid access_token');
         const apiClient = getApiClient({
             apiKey: tokenSet.access_token,
             apiHost: props.apiHost,
@@ -67,7 +64,7 @@ const handleExistingToken = async (tokenSet, props, credentialsPath) => {
         return { apiKey: tokenSet.access_token, apiClient };
     }
     // Either access_token is missing or its expired. Refresh the token
-    log.debug(tokenSet.expired()
+    log.debug(tokenSet.expires_at < Date.now()
         ? 'Token is expired, attempting refresh'
         : 'Token is missing access_token, attempting refresh');
     if (!tokenSet.refresh_token) {
@@ -78,17 +75,16 @@ const handleExistingToken = async (tokenSet, props, credentialsPath) => {
         const refreshedTokenSet = await refreshToken({
             oauthHost: props.oauthHost,
             clientId: props.clientId,
+            allowUnsafeTls: props.allowUnsafeTls,
         }, tokenSet);
-        if (!isCompleteTokenSet(refreshedTokenSet)) {
-            log.debug('Refreshed token is invalid or missing access_token');
-            return null;
-        }
-        const apiKey = refreshedTokenSet.access_token;
+        // Extend the token set with expires_at
+        const extendedTokenSet = extendTokenSet(refreshedTokenSet);
+        const apiKey = extendedTokenSet.access_token;
         const apiClient = getApiClient({
             apiKey,
             apiHost: props.apiHost,
         });
-        await preserveCredentials(credentialsPath, refreshedTokenSet, apiClient);
+        await preserveCredentials(credentialsPath, extendedTokenSet, apiClient);
         log.debug('Token refresh successful');
         return { apiKey, apiClient };
     }
@@ -121,8 +117,7 @@ export const ensureAuth = async (props) => {
         try {
             const contents = readFileSync(credentialsPath, 'utf8');
             log.debug('Credentials MD5 hash: %s', md5hash(contents));
-            const tokenSetContents = JSON.parse(contents);
-            const tokenSet = new TokenSet(tokenSetContents);
+            const tokenSet = JSON.parse(contents);
             // Try to use existing token or refresh it
             const result = await handleExistingToken(tokenSet, props, credentialsPath);
             if (result) {

package/commands/auth.test.js

@@ -1,6 +1,5 @@
 import axios from 'axios';
 import { existsSync, mkdtempSync, readFileSync, rmSync, writeFileSync, } from 'node:fs';
-import { TokenSet } from 'openid-client';
 import { join } from 'path';
 import { afterAll, beforeAll, beforeEach, describe, expect, vi } from 'vitest';
 import * as authModule from '../auth';
@@ -29,6 +28,7 @@ describe('auth', () => {
             configDir,
             forceAuth: true,
             oauthHost: `http://localhost:${oauthServer.address().port}`,
+            allowUnsafeTls: true,
         });
         const credentials = JSON.parse(readFileSync(`${configDir}/credentials.json`, 'utf-8'));
         expect(credentials.access_token).toEqual(expect.any(String));
@@ -68,20 +68,21 @@ describe('ensureAuth', () => {
         apiHost: `http://localhost:${server.address().port}`,
         help: false,
         apiClient: mockApiClient,
+        allowUnsafeTls: true,
     });
     test('should start new auth flow when refresh token fails', async ({ runMockServer, }) => {
         refreshTokenSpy.mockImplementationOnce(() => Promise.reject(new Error('AUTH_REFRESH_FAILED')));
-        authSpy.mockImplementationOnce(() => Promise.resolve(new TokenSet({
+        authSpy.mockImplementationOnce(() => Promise.resolve({
             access_token: 'new-auth-token',
             refresh_token: 'new-refresh-token',
             expires_at: Math.floor(Date.now() / 1000) + 3600,
-        })));
+        }));
         const server = await runMockServer('main');
-        const expiredTokenSet = new TokenSet({
+        const expiredTokenSet = {
             access_token: 'expired-token',
             refresh_token: 'refresh-token',
-            expires_at: Math.floor(Date.now() / 1000) - 3600, // 1 hour ago
-        });
+            expires_at: Date.now() - 3600 * 1000,
+        };
         writeFileSync(join(configDir, 'credentials.json'), JSON.stringify(expiredTokenSet), { mode: 0o700 });
         const props = setupTestProps(server);
         await ensureAuth(props);
@@ -114,15 +115,15 @@ describe('ensureAuth', () => {
     });
     test('should try refresh when token is missing access_token but has refresh_token', async ({ runMockServer, }) => {
         const server = await runMockServer('main');
-        const tokenWithoutAccess = new TokenSet({
+        const tokenWithoutAccess = {
             refresh_token: 'refresh-token',
-        });
+        };
         writeFileSync(join(configDir, 'credentials.json'), JSON.stringify(tokenWithoutAccess), { mode: 0o700 });
-        refreshTokenSpy.mockImplementationOnce(() => Promise.resolve(new TokenSet({
+        refreshTokenSpy.mockImplementationOnce(() => Promise.resolve({
             access_token: 'refreshed-token',
             refresh_token: 'new-refresh-token',
             expires_at: Math.floor(Date.now() / 1000) + 3600,
-        })));
+        }));
         const props = setupTestProps(server);
         await ensureAuth(props);
         expect(refreshTokenSpy).toHaveBeenCalledTimes(1);
@@ -131,11 +132,11 @@ describe('ensureAuth', () => {
     });
     test('should use existing valid token', async ({ runMockServer }) => {
         const server = await runMockServer('main');
-        const validTokenSet = new TokenSet({
+        const validTokenSet = {
             access_token: 'valid-token',
             refresh_token: 'refresh-token',
-            expires_at: Math.floor(Date.now() / 1000) + 3600, // 1 hour from now
-        });
+            expires_at: Date.now() + 3600 * 1000, // 1 hour from now
+        };
         writeFileSync(join(configDir, 'credentials.json'), JSON.stringify(validTokenSet), { mode: 0o700 });
         const props = setupTestProps(server);
         await ensureAuth(props);
@@ -144,17 +145,17 @@ describe('ensureAuth', () => {
         expect(props.apiKey).toBe('valid-token');
     });
     test('should successfully refresh expired token', async ({ runMockServer, }) => {
-        refreshTokenSpy.mockImplementationOnce(() => Promise.resolve(new TokenSet({
+        refreshTokenSpy.mockImplementationOnce(() => Promise.resolve({
             access_token: 'new-token',
             refresh_token: 'new-refresh-token',
             expires_at: Math.floor(Date.now() / 1000) + 3600,
-        })));
+        }));
         const server = await runMockServer('main');
-        const expiredTokenSet = new TokenSet({
+        const expiredTokenSet = {
             access_token: 'expired-token',
             refresh_token: 'refresh-token',
-            expires_at: Math.floor(Date.now() / 1000) - 3600, // 1 hour ago
-        });
+            expires_at: Date.now() - 3600 * 1000, // expired 1 hour ago
+        };
         writeFileSync(join(configDir, 'credentials.json'), JSON.stringify(expiredTokenSet), { mode: 0o700 });
         const props = setupTestProps(server);
         await ensureAuth(props);

package/commands/index.js

@@ -10,6 +10,7 @@ import * as roles from './roles.js';
 import * as operations from './operations.js';
 import * as cs from './connection_string.js';
 import * as setContext from './set_context.js';
+import * as init from './init.js';
 export default [
     auth,
     users,
@@ -23,4 +24,5 @@ export default [
     operations,
     cs,
     setContext,
+    init,
 ];

package/commands/init.js

@@ -0,0 +1,44 @@
+import { execa } from 'execa';
+import { log } from '../log.js';
+import { sendError } from '../analytics.js';
+export const command = 'init';
+export const describe = 'Initialize a new Neon project using your AI coding assistant';
+export const builder = (yargs) => yargs
+    .option('context-file', {
+    hidden: true,
+})
+    .strict(false);
+export const handler = async (args) => {
+    const passThruArgs = args['--'] || [];
+    await runNeonInit(passThruArgs);
+};
+const runNeonInit = async (args) => {
+    try {
+        await execa('npx', ['neon-init', ...args], {
+            stdio: 'inherit',
+        });
+    }
+    catch (error) {
+        // Check if it's an ENOENT error (command not found)
+        if (error?.code === 'ENOENT') {
+            log.error('npx is not available in the PATH');
+            sendError(error, 'NPX_NOT_FOUND');
+            process.exit(1);
+        }
+        // Check if the process was killed by a signal (user cancelled)
+        else if (error?.signal) {
+            process.exit(1);
+        }
+        // Handle all other errors
+        else {
+            const exitError = new Error(`failed to run neon-init`);
+            sendError(exitError, 'NEON_INIT_FAILED');
+            if (typeof error?.exitCode === 'number') {
+                process.exit(error.exitCode);
+            }
+            else {
+                process.exit(1);
+            }
+        }
+    }
+};

package/commands/init.test.js

@@ -0,0 +1,10 @@
+import { describe } from 'vitest';
+import { test } from '../test_utils/fixtures';
+describe('init', () => {
+    test('init should run neon-init', async ({ testCliCommand }) => {
+        await testCliCommand(['init']);
+    });
+    test('init with an argument', async ({ testCliCommand }) => {
+        await testCliCommand(['init', '--', '--debug']);
+    });
+});

package/index.js

@@ -34,6 +34,7 @@ const NO_SUBCOMMANDS_VERBS = [
     'cs',
     'connection-string',
     'set-context',
+    'init',
     // aliases
 ];
 let builder = yargs(hideBin(process.argv));

package/package.json

@@ -5,7 +5,7 @@
     "url": "git+ssh://git@github.com/neondatabase/neonctl.git"
   },
   "type": "module",
-  "version": "2.15.0",
+  "version": "2.16.0",
   "description": "CLI tool for NeonDB Cloud management",
   "main": "index.js",
   "author": "NeonDB",
@@ -43,7 +43,7 @@
     "express": "^4.18.2",
     "husky": "^8.0.3",
     "lint-staged": "^13.0.3",
-    "oauth2-mock-server": "^6.0.0",
+    "oauth2-mock-server": "^8.1.0",
     "pkg": "^5.8.1",
     "prettier": "^3.1.0",
     "rollup": "^3.26.2",
@@ -62,8 +62,9 @@
     "cli-table": "^0.3.11",
     "crypto-random-string": "^5.0.0",
     "diff": "^5.2.0",
+    "execa": "^9.6.0",
     "open": "^10.1.0",
-    "openid-client": "^5.6.5",
+    "openid-client": "^6.8.1",
     "prompts": "2.4.2",
     "validate-npm-package-name": "5.0.1",
     "which": "^3.0.1",

package/test_utils/oauth_server.js

@@ -4,6 +4,6 @@ export const startOauthServer = async () => {
     const server = new OAuth2Server();
     await server.issuer.keys.generate('RS256');
     await server.start(0, 'localhost');
-    log.debug('Started OAuth server');
+    log.debug('Started OAuth server on port %d', server.address().port);
     return server;
 };

package/utils/auth.js

@@ -0,0 +1,5 @@
+export const extendTokenSet = (tokenSet) => {
+    const exp = new Date();
+    exp.setSeconds(exp.getSeconds() + (tokenSet.expires_in ?? 0));
+    return { ...tokenSet, expires_at: exp.getTime() };
+};

package/utils/formats.js

@@ -1,5 +1,18 @@
-const HAIKU_REGEX = /^[a-z]+-[a-z]+-[a-z0-9]+$/;
+const HAIKU_REGEX = /^[a-z0-9]+-[a-z0-9]+-[a-z0-9]+$/;
 export const looksLikeBranchId = (branch) => branch.startsWith('br-') && HAIKU_REGEX.test(branch.substring(3));
 const LSN_REGEX = /^[a-fA-F0-9]{1,8}\/[a-fA-F0-9]{1,8}$/;
 export const looksLikeLSN = (lsn) => LSN_REGEX.test(lsn);
-export const looksLikeTimestamp = (timestamp) => !isNaN(Date.parse(timestamp));
+export const looksLikeTimestamp = (timestamp) => {
+    if (isNaN(Date.parse(timestamp)))
+        return false;
+    /**
+     * @info
+     * Check for ISO 8601/RFC 3339 format patterns
+     * Must contain 'T' separator and end with 'Z' or timezone offset
+     *
+     * `Date.parse` aggressive parsing will attempt a date out of any string.
+     * so if a branch name has a number, `Date.parse` will return a valid timestamp.
+     */
+    const iso8601Regex = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{3})?([+-]\d{2}:\d{2}|Z)$/;
+    return iso8601Regex.test(timestamp);
+};