nothumanallowed 13.5.163 → 13.5.164

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "13.5.163",
+  "version": "13.5.164",
   "description": "NotHumanAllowed — 38 AI agents, 80 tools, Studio (visual agentic workflows). Email, calendar, browser automation, screen capture, canvas, cron/heartbeat, Alexandria E2E messaging, GitHub, Notion, Slack, voice chat, free AI (Liara), 28 languages. Zero-dependency CLI.",
   "type": "module",
   "bin": {

package/src/commands/ui.mjs

@@ -60,6 +60,9 @@ import {
 
 const DEFAULT_PORT = 3847;
 
+// In-memory pending OAuth state (verifier + state for PKCE callback)
+let _googleOAuthPending = null;
+
 /**
  * Extract text from PDF buffer — zero dependencies.
  * Handles text-based PDFs (not scanned images).
@@ -361,15 +364,18 @@ export async function cmdUI(args) {
         return;
       }
 
-      // POST /api/google/auth — trigger Google OAuth flow from web UI
+      // POST /api/google/auth — return OAuth URL for the browser to open
       if (method === 'POST' && pathname === '/api/google/auth') {
         try {
-          const { runAuthFlow } = await import('../services/google-oauth.mjs');
-          // Run auth flow in background — opens browser
-          runAuthFlow(config).then(success => {
-            if (success) config._googleConnected = true;
-          }).catch(() => {});
-          sendJSON(res, 200, { ok: true, message: 'OAuth flow started. Check the browser window that opened.' });
+          const { buildAuthUrl } = await import('../services/google-oauth.mjs');
+          // Derive the redirect URI from the request Host header so it works
+          // on any IP/port (localhost, LAN, VM, etc.)
+          const host = req.headers['host'] || `127.0.0.1:${PORT}`;
+          const redirectUri = `http://${host}/api/google/callback`;
+          const { url, verifier, state } = buildAuthUrl(config, redirectUri);
+          // Store verifier+state in memory for the callback
+          _googleOAuthPending = { verifier, state, redirectUri };
+          sendJSON(res, 200, { ok: true, url });
         } catch (e) {
           sendJSON(res, 500, { error: e.message });
         }
@@ -377,6 +383,32 @@ export async function cmdUI(args) {
         return;
       }
 
+      // GET /api/google/callback — receives OAuth code from Google redirect
+      if (method === 'GET' && pathname === '/api/google/callback') {
+        const params = new URL(req.url, `http://localhost`).searchParams;
+        const code = params.get('code');
+        const state = params.get('state');
+        if (!code || !_googleOAuthPending || _googleOAuthPending.state !== state) {
+          res.writeHead(400, { 'Content-Type': 'text/html' });
+          res.end('<html><body><h2>OAuth error: invalid state or missing code.</h2><p>Please try again from the NHA UI.</p></body></html>');
+          logRequest(method, pathname, 400, Date.now() - start);
+          return;
+        }
+        try {
+          const { exchangeCodeFromUI } = await import('../services/google-oauth.mjs');
+          const { email } = await exchangeCodeFromUI(config, code, _googleOAuthPending.verifier, _googleOAuthPending.redirectUri);
+          _googleOAuthPending = null;
+          res.writeHead(200, { 'Content-Type': 'text/html' });
+          res.end(`<html><body style="font-family:sans-serif;text-align:center;padding:60px;background:#0a0a0a;color:#fff"><h2 style="color:#22c55e">&#10003; Google Connected!</h2><p style="color:#aaa">Signed in as <strong>${email}</strong></p><p style="color:#aaa">You can close this tab and return to NHA.</p><script>setTimeout(function(){window.close()},3000)</script></body></html>`);
+        } catch (e) {
+          _googleOAuthPending = null;
+          res.writeHead(200, { 'Content-Type': 'text/html' });
+          res.end(`<html><body style="font-family:sans-serif;text-align:center;padding:60px;background:#0a0a0a;color:#fff"><h2 style="color:#ef4444">&#10007; Error</h2><p style="color:#aaa">${e.message}</p></body></html>`);
+        }
+        logRequest(method, pathname, 200, Date.now() - start);
+        return;
+      }
+
       // ── Collab (Alexandria proxy) ─────────────────────────────────────
       if (pathname.startsWith('/api/collab/')) {
         const collabAction = pathname.split('/').pop();

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '13.5.163';
+export const VERSION = '13.5.164';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/services/google-oauth.mjs

@@ -305,6 +305,52 @@ export async function runAuthFlow(config, manual = false) {
   }
 }
 
+/**
+ * Build an OAuth URL for the web UI flow.
+ * The redirect_uri points back to the NHA web UI server so the callback
+ * is received directly in the browser session (works across VMs/headless).
+ *
+ * @param {object} config
+ * @param {string} redirectUri — e.g. http://192.168.1.45:3847/api/google/callback
+ * @returns {{ url: string, verifier: string, state: string }}
+ */
+export function buildAuthUrl(config, redirectUri) {
+  const clientId = config.google?.clientId || DEFAULT_CLIENT_ID;
+  if (!clientId) throw new Error('Google client ID not configured. Run: nha config set google-client-id YOUR_ID');
+  const { verifier, challenge } = generatePKCE();
+  const state = crypto.randomBytes(16).toString('hex');
+  const authUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth');
+  authUrl.searchParams.set('client_id', clientId);
+  authUrl.searchParams.set('redirect_uri', redirectUri);
+  authUrl.searchParams.set('response_type', 'code');
+  authUrl.searchParams.set('scope', SCOPES);
+  authUrl.searchParams.set('state', state);
+  authUrl.searchParams.set('code_challenge', challenge);
+  authUrl.searchParams.set('code_challenge_method', 'S256');
+  authUrl.searchParams.set('access_type', 'offline');
+  authUrl.searchParams.set('prompt', 'consent');
+  return { url: authUrl.toString(), verifier, state };
+}
+
+/**
+ * Exchange an auth code received by the web UI callback.
+ */
+export async function exchangeCodeFromUI(config, code, verifier, redirectUri) {
+  const clientId = config.google?.clientId || DEFAULT_CLIENT_ID;
+  const clientSecret = config.google?.clientSecret || '';
+  const tokenData = await exchangeCode(code, verifier, clientId, clientSecret, redirectUri);
+  const email = await getUserEmail(tokenData.access_token);
+  const tokens = {
+    access_token: tokenData.access_token,
+    refresh_token: tokenData.refresh_token,
+    expires_at: Date.now() + (tokenData.expires_in * 1000),
+    scope: tokenData.scope,
+    email: email || 'unknown',
+  };
+  saveTokens(tokens);
+  return { email: email || 'unknown' };
+}
+
 /**
  * Show connection status.
  */

package/src/services/web-ui.mjs

@@ -3405,10 +3405,15 @@ function imapSync(accountId) {
 
 function connectGoogle() {
   var s = document.getElementById('googleStatus');
-  if (s) s.textContent = 'Starting Google sign-in...';
+  if (s) { s.textContent = 'Opening Google sign-in...'; s.style.color = 'var(--dim)'; }
   apiPost('/api/google/auth', {}).then(function(r) {
-    if (s) s.textContent = r.message || 'Check the browser window that opened.';
-    if (s) s.style.color = 'var(--green)';
+    if (r.url) {
+      // Open OAuth URL in current browser — works on VMs and LAN
+      window.open(r.url, '_blank');
+      if (s) { s.textContent = 'Sign-in page opened. Complete the login then reload NHA.'; s.style.color = 'var(--green)'; }
+    } else if (r.error) {
+      if (s) { s.textContent = 'Error: ' + r.error; s.style.color = 'var(--red)'; }
+    }
   }).catch(function(e) {
     if (s) { s.textContent = 'Error: ' + e.message; s.style.color = 'var(--red)'; }
   });