neonctl 2.8.0 → 2.9.1

package/analytics.js

@@ -66,6 +66,10 @@ export const sendError = (err, errCode) => {
         return;
     }
     const axiosError = isAxiosError(err) ? err : undefined;
+    const requestId = axiosError?.response?.headers['x-neon-ret-request-id'];
+    if (requestId) {
+        log.debug('Failed request ID: %s', requestId);
+    }
     client.track({
         event: 'CLI Error',
         userId: userId ?? 'anonymous',
@@ -74,6 +78,7 @@ export const sendError = (err, errCode) => {
             stack: err.stack,
             errCode,
             statusCode: axiosError?.response?.status,
+            requestId: requestId,
         },
     });
     log.debug('Sent CLI error event: %s', errCode);

package/commands/auth.js

@@ -1,11 +1,12 @@
+import { existsSync, readFileSync, writeFileSync } from 'node:fs';
 import { join } from 'node:path';
-import { writeFileSync, existsSync, readFileSync } from 'node:fs';
+import { createHash } from 'node:crypto';
 import { TokenSet } from 'openid-client';
-import { auth, refreshToken } from '../auth.js';
-import { log } from '../log.js';
 import { getApiClient } from '../api.js';
-import { isCi } from '../env.js';
+import { auth, refreshToken } from '../auth.js';
 import { CREDENTIALS_FILE } from '../config.js';
+import { isCi } from '../env.js';
+import { log } from '../log.js';
 export const command = 'auth';
 export const aliases = ['login'];
 export const describe = 'Authenticate';
@@ -24,11 +25,16 @@ export const authFlow = async ({ configDir, oauthHost, clientId, apiHost, forceA
         clientId: clientId,
     });
     const credentialsPath = join(configDir, CREDENTIALS_FILE);
-    await preserveCredentials(credentialsPath, tokenSet, getApiClient({
-        apiKey: tokenSet.access_token || '',
-        apiHost,
-    }));
-    log.info(`Saved credentials to ${credentialsPath}`);
+    try {
+        await preserveCredentials(credentialsPath, tokenSet, getApiClient({
+            apiKey: tokenSet.access_token || '',
+            apiHost,
+        }));
+    }
+    catch {
+        log.error('Failed to save credentials');
+        return '';
+    }
     log.info('Auth complete');
     return tokenSet.access_token || '';
 };
@@ -42,12 +48,65 @@ const preserveCredentials = async (path, credentials, apiClient) => {
     writeFileSync(path, contents, {
         mode: 0o700,
     });
+    log.info('Saved credentials to %s', path);
+    log.debug('Credentials MD5 hash: %s', md5hash(contents));
+};
+const isCompleteTokenSet = (tokenSet) => {
+    return !!(tokenSet.access_token &&
+        tokenSet.refresh_token &&
+        tokenSet.expires_at);
+};
+const handleExistingToken = async (tokenSet, props, credentialsPath) => {
+    // Use existing access_token, if present and valid
+    if (!!tokenSet.access_token && !tokenSet.expired()) {
+        const apiClient = getApiClient({
+            apiKey: tokenSet.access_token,
+            apiHost: props.apiHost,
+        });
+        return { apiKey: tokenSet.access_token, apiClient };
+    }
+    // Either access_token is missing or its expired. Refresh the token
+    log.debug(tokenSet.expired()
+        ? 'Token is expired, attempting refresh'
+        : 'Token is missing access_token, attempting refresh');
+    if (!tokenSet.refresh_token) {
+        log.debug('TokenSet is missing refresh_token, starting authentication');
+        return null;
+    }
+    try {
+        const refreshedTokenSet = await refreshToken({
+            oauthHost: props.oauthHost,
+            clientId: props.clientId,
+        }, tokenSet);
+        if (!isCompleteTokenSet(refreshedTokenSet)) {
+            log.debug('Refreshed token is invalid or missing access_token');
+            return null;
+        }
+        const apiKey = refreshedTokenSet.access_token;
+        const apiClient = getApiClient({
+            apiKey,
+            apiHost: props.apiHost,
+        });
+        await preserveCredentials(credentialsPath, refreshedTokenSet, apiClient);
+        log.debug('Token refresh successful');
+        return { apiKey, apiClient };
+    }
+    catch (err) {
+        const typedErr = err instanceof Error ? err : new Error('Unknown error');
+        log.debug('Failed to refresh token: %s', typedErr.message);
+        throw new Error('AUTH_REFRESH_FAILED');
+    }
 };
 export const ensureAuth = async (props) => {
+    // Skip auth for help command or no command
     if (props._.length === 0 || props.help) {
         return;
     }
+    // Use existing API key or handle auth command
     if (props.apiKey || props._[0] === 'auth') {
+        if (props.apiKey) {
+            log.debug('Using an API key to authorize requests');
+        }
         props.apiClient = getApiClient({
             apiKey: props.apiKey,
             apiHost: props.apiHost,
@@ -55,49 +114,42 @@ export const ensureAuth = async (props) => {
         return;
     }
     const credentialsPath = join(props.configDir, CREDENTIALS_FILE);
+    // Handle case when credentials file exists
     if (existsSync(credentialsPath)) {
+        log.debug('Trying to read credentials from %s', credentialsPath);
         try {
-            const tokenSetContents = await JSON.parse(readFileSync(credentialsPath, 'utf8'));
+            const contents = readFileSync(credentialsPath, 'utf8');
+            log.debug('Credentials MD5 hash: %s', md5hash(contents));
+            const tokenSetContents = JSON.parse(contents);
             const tokenSet = new TokenSet(tokenSetContents);
-            if (tokenSet.expired()) {
-                log.debug('using refresh token to update access token');
-                const refreshedTokenSet = await refreshToken({
-                    oauthHost: props.oauthHost,
-                    clientId: props.clientId,
-                }, tokenSet).catch((err) => {
-                    const typedErr = err && err instanceof Error ? err : undefined;
-                    log.error('failed to refresh token\n%s', typedErr?.message);
-                    process.exit(1);
-                });
-                props.apiKey = refreshedTokenSet.access_token || 'UNKNOWN';
-                props.apiClient = getApiClient({
-                    apiKey: props.apiKey,
-                    apiHost: props.apiHost,
-                });
-                await preserveCredentials(credentialsPath, refreshedTokenSet, props.apiClient);
+            // Try to use existing token or refresh it
+            const result = await handleExistingToken(tokenSet, props, credentialsPath);
+            if (result) {
+                props.apiKey = result.apiKey;
+                props.apiClient = result.apiClient;
                 return;
             }
-            const token = tokenSet.access_token || 'UNKNOWN';
-            props.apiKey = token;
-            props.apiClient = getApiClient({
-                apiKey: props.apiKey,
-                apiHost: props.apiHost,
-            });
-            return;
         }
-        catch (e) {
-            if (e.code !== 'ENOENT') {
-                // not a "file does not exist" error
-                throw e;
+        catch (err) {
+            if (!(err instanceof Error && err.message === 'AUTH_REFRESH_FAILED') &&
+                err.code !== 'ENOENT' &&
+                !(err instanceof SyntaxError)) {
+                // Throw for any errors except auth refresh failure, missing file, or invalid credentials file
+                throw err;
             }
-            props.apiKey = await authFlow(props);
+            // Fall through to new auth flow for auth failures
+            log.debug('Ensure auth failed, starting authentication', err);
         }
     }
     else {
-        props.apiKey = await authFlow(props);
+        log.debug('Credentials file %s does not exist, starting authentication', credentialsPath);
     }
+    // Start new auth flow if no valid token exists or refresh failed
+    const apiKey = await authFlow(props);
+    props.apiKey = apiKey;
     props.apiClient = getApiClient({
-        apiKey: props.apiKey,
+        apiKey,
         apiHost: props.apiHost,
     });
 };
+const md5hash = (s) => createHash('md5').update(s).digest('hex');

package/commands/auth.test.js

@@ -1,9 +1,12 @@
 import axios from 'axios';
-import { vi, beforeAll, describe, afterAll, expect } from 'vitest';
-import { mkdtempSync, rmSync, readFileSync } from 'node:fs';
-import { startOauthServer } from '../test_utils/oauth_server';
+import { existsSync, mkdtempSync, readFileSync, rmSync, writeFileSync, } from 'node:fs';
+import { TokenSet } from 'openid-client';
+import { join } from 'path';
+import { afterAll, beforeAll, beforeEach, describe, expect, vi } from 'vitest';
+import * as authModule from '../auth';
 import { test } from '../test_utils/fixtures';
-import { authFlow } from './auth';
+import { startOauthServer } from '../test_utils/oauth_server';
+import { authFlow, ensureAuth } from './auth';
 vi.mock('open', () => ({ default: vi.fn((url) => axios.get(url)) }));
 vi.mock('../pkg.ts', () => ({ default: { version: '0.0.0' } }));
 describe('auth', () => {
@@ -33,3 +36,130 @@ describe('auth', () => {
         expect(credentials.user_id).toEqual(expect.any(String));
     });
 });
+describe('ensureAuth', () => {
+    let configDir = '';
+    let oauthServer;
+    let mockApiClient;
+    let authSpy;
+    let refreshTokenSpy;
+    beforeAll(async () => {
+        configDir = mkdtempSync('test-config');
+        oauthServer = await startOauthServer();
+        mockApiClient = {};
+        authSpy = vi.spyOn(authModule, 'auth');
+        refreshTokenSpy = vi.spyOn(authModule, 'refreshToken');
+    });
+    afterAll(async () => {
+        rmSync(configDir, { recursive: true });
+        await oauthServer.stop();
+        vi.restoreAllMocks();
+    });
+    beforeEach(() => {
+        authSpy.mockClear();
+        refreshTokenSpy.mockClear();
+    });
+    const setupTestProps = (server) => ({
+        _: ['some-command'],
+        configDir,
+        oauthHost: `http://localhost:${oauthServer.address().port}`,
+        clientId: 'test-client-id',
+        forceAuth: true,
+        apiKey: '',
+        apiHost: `http://localhost:${server.address().port}`,
+        help: false,
+        apiClient: mockApiClient,
+    });
+    test('should start new auth flow when refresh token fails', async ({ runMockServer, }) => {
+        refreshTokenSpy.mockImplementationOnce(() => Promise.reject(new Error('AUTH_REFRESH_FAILED')));
+        authSpy.mockImplementationOnce(() => Promise.resolve(new TokenSet({
+            access_token: 'new-auth-token',
+            refresh_token: 'new-refresh-token',
+            expires_at: Math.floor(Date.now() / 1000) + 3600,
+        })));
+        const server = await runMockServer('main');
+        const expiredTokenSet = new TokenSet({
+            access_token: 'expired-token',
+            refresh_token: 'refresh-token',
+            expires_at: Math.floor(Date.now() / 1000) - 3600, // 1 hour ago
+        });
+        writeFileSync(join(configDir, 'credentials.json'), JSON.stringify(expiredTokenSet), { mode: 0o700 });
+        const props = setupTestProps(server);
+        await ensureAuth(props);
+        expect(refreshTokenSpy).toHaveBeenCalledTimes(1);
+        expect(authSpy).toHaveBeenCalledTimes(1);
+        expect(props.apiKey).toBe('new-auth-token');
+    });
+    test('should trigger auth flow when credentials.json does not exist', async ({ runMockServer, }) => {
+        const server = await runMockServer('main');
+        // Ensure the credentials file does not exist
+        const credentialsPath = join(configDir, 'credentials.json');
+        if (existsSync(credentialsPath)) {
+            rmSync(credentialsPath);
+        }
+        const props = setupTestProps(server);
+        await ensureAuth(props);
+        expect(authSpy).toHaveBeenCalledTimes(1);
+        expect(refreshTokenSpy).not.toHaveBeenCalled();
+        expect(props.apiKey).toEqual(expect.any(String));
+    });
+    test('should trigger auth flow when credentials.json is invalid', async ({ runMockServer, }) => {
+        const server = await runMockServer('main');
+        // Write an empty credentials file
+        writeFileSync(join(configDir, 'credentials.json'), '', { mode: 0o700 });
+        const props = setupTestProps(server);
+        await ensureAuth(props);
+        expect(authSpy).toHaveBeenCalledTimes(1);
+        expect(refreshTokenSpy).not.toHaveBeenCalled();
+        expect(props.apiKey).toEqual(expect.any(String));
+    });
+    test('should try refresh when token is missing access_token but has refresh_token', async ({ runMockServer, }) => {
+        const server = await runMockServer('main');
+        const tokenWithoutAccess = new TokenSet({
+            refresh_token: 'refresh-token',
+        });
+        writeFileSync(join(configDir, 'credentials.json'), JSON.stringify(tokenWithoutAccess), { mode: 0o700 });
+        refreshTokenSpy.mockImplementationOnce(() => Promise.resolve(new TokenSet({
+            access_token: 'refreshed-token',
+            refresh_token: 'new-refresh-token',
+            expires_at: Math.floor(Date.now() / 1000) + 3600,
+        })));
+        const props = setupTestProps(server);
+        await ensureAuth(props);
+        expect(refreshTokenSpy).toHaveBeenCalledTimes(1);
+        expect(authSpy).not.toHaveBeenCalled();
+        expect(props.apiKey).toBe('refreshed-token');
+    });
+    test('should use existing valid token', async ({ runMockServer }) => {
+        const server = await runMockServer('main');
+        const validTokenSet = new TokenSet({
+            access_token: 'valid-token',
+            refresh_token: 'refresh-token',
+            expires_at: Math.floor(Date.now() / 1000) + 3600, // 1 hour from now
+        });
+        writeFileSync(join(configDir, 'credentials.json'), JSON.stringify(validTokenSet), { mode: 0o700 });
+        const props = setupTestProps(server);
+        await ensureAuth(props);
+        expect(authSpy).not.toHaveBeenCalled();
+        expect(refreshTokenSpy).not.toHaveBeenCalled();
+        expect(props.apiKey).toBe('valid-token');
+    });
+    test('should successfully refresh expired token', async ({ runMockServer, }) => {
+        refreshTokenSpy.mockImplementationOnce(() => Promise.resolve(new TokenSet({
+            access_token: 'new-token',
+            refresh_token: 'new-refresh-token',
+            expires_at: Math.floor(Date.now() / 1000) + 3600,
+        })));
+        const server = await runMockServer('main');
+        const expiredTokenSet = new TokenSet({
+            access_token: 'expired-token',
+            refresh_token: 'refresh-token',
+            expires_at: Math.floor(Date.now() / 1000) - 3600, // 1 hour ago
+        });
+        writeFileSync(join(configDir, 'credentials.json'), JSON.stringify(expiredTokenSet), { mode: 0o700 });
+        const props = setupTestProps(server);
+        await ensureAuth(props);
+        expect(refreshTokenSpy).toHaveBeenCalledTimes(1);
+        expect(authSpy).not.toHaveBeenCalled();
+        expect(props.apiKey).toBe('new-token');
+    });
+});

package/commands/index.js

@@ -10,7 +10,6 @@ import * as roles from './roles.js';
 import * as operations from './operations.js';
 import * as cs from './connection_string.js';
 import * as setContext from './set_context.js';
-import * as bootstrap from './bootstrap/index.js';
 export default [
     auth,
     users,
@@ -24,5 +23,4 @@ export default [
     operations,
     cs,
     setContext,
-    bootstrap,
 ];

package/index.js

@@ -35,8 +35,6 @@ const NO_SUBCOMMANDS_VERBS = [
     'connection-string',
     'set-context',
     // aliases
-    'create-app',
-    'bootstrap',
 ];
 let builder = yargs(hideBin(process.argv));
 builder = builder

package/package.json

@@ -5,7 +5,7 @@
     "url": "git+ssh://git@github.com/neondatabase/neonctl.git"
   },
   "type": "module",
-  "version": "2.8.0",
+  "version": "2.9.1",
   "description": "CLI tool for NeonDB Cloud management",
   "main": "index.js",
   "author": "NeonDB",
@@ -51,7 +51,7 @@
     "strip-ansi": "^7.1.0",
     "typescript": "^4.7.4",
     "typescript-eslint": "v8.0.0-alpha.41",
-    "vitest": "^1.6.0"
+    "vitest": "^1.6.1"
   },
   "dependencies": {
     "@neondatabase/api-client": "1.12.0",
@@ -62,7 +62,6 @@
     "cli-table": "^0.3.11",
     "crypto-random-string": "^5.0.0",
     "diff": "^5.2.0",
-    "inquirer": "^9.2.6",
     "open": "^10.1.0",
     "openid-client": "^5.6.5",
     "prompts": "2.4.2",

package/commands/bootstrap/authjs-secret.js

@@ -1,6 +0,0 @@
-// See https://github.com/nextauthjs/cli/blob/8443988fe7e7f078ead32288dcd1b01b9443f13a/commands/secret.js#L9
-// for reference.
-export function getAuthjsSecret() {
-    const bytes = crypto.getRandomValues(new Uint8Array(32));
-    return Buffer.from(bytes.toString(), 'base64').toString('base64');
-}