opal-security 4.0.4 → 5.0.0

package/README.md

@@ -22,7 +22,7 @@ $ npm install -g opal-security
 $ opal COMMAND
 running command...
 $ opal (--version)
-opal-security/4.0.4 darwin-arm64 node-v18.20.4
+opal-security/5.0.0 darwin-arm64 node-v22.21.1
 $ opal --help [COMMAND]
 USAGE
   $ opal COMMAND
@@ -36,6 +36,7 @@ USAGE
 * [`opal autocomplete [SHELL]`](#opal-autocomplete-shell)
 * [`opal aws identity`](#opal-aws-identity)
 * [`opal clear-auth-config`](#opal-clear-auth-config)
+* [`opal curl-example`](#opal-curl-example)
 * [`opal groups get`](#opal-groups-get)
 * [`opal help [COMMANDS]`](#opal-help-commands)
 * [`opal iam-roles start`](#opal-iam-roles-start)
@@ -67,7 +68,7 @@ USAGE
   $ opal autocomplete [SHELL] [-r]
 
 ARGUMENTS
-  SHELL  shell type
+  [SHELL]  shell type
 
 FLAGS
   -r, --refresh-cache  Refresh cache (ignores displaying instructions)
@@ -105,7 +106,7 @@ EXAMPLES
   $ opal aws:identity
 ```
 
-_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/aws/identity.ts)_
+_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/aws/identity.ts)_
 
 ## `opal clear-auth-config`
 
@@ -122,7 +123,24 @@ EXAMPLES
   $ opal clear-auth-config
 ```
 
-_See code: [src/commands/clear-auth-config.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/clear-auth-config.ts)_
+_See code: [src/commands/clear-auth-config.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/clear-auth-config.ts)_
+
+## `opal curl-example`
+
+Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.
+
+```
+USAGE
+  $ opal curl-example [-h]
+
+FLAGS
+  -h, --help  Show CLI help.
+
+DESCRIPTION
+  Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.
+```
+
+_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/curl-example.ts)_
 
 ## `opal groups get`
 
@@ -143,7 +161,7 @@ EXAMPLES
   $ opal groups:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/groups/get.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/groups/get.ts)_
+_See code: [src/commands/groups/get.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/groups/get.ts)_
 
 ## `opal help [COMMANDS]`
 
@@ -154,7 +172,7 @@ USAGE
   $ opal help [COMMANDS...] [-n]
 
 ARGUMENTS
-  COMMANDS...  Command to show help for.
+  [COMMANDS...]  Command to show help for.
 
 FLAGS
   -n, --nested-commands  Include all nested commands in the output.
@@ -171,15 +189,12 @@ Starts a session to assume an IAM role.
 
 ```
 USAGE
-  $ opal iam-roles start [-h] [-i <value>] [-s <value>] [-r] [--profileName <value>]
+  $ opal iam-roles start [-h] [-i <value>] [--profileName <value>]
 
 FLAGS
   -h, --help                 Show CLI help.
   -i, --id=<value>           The Opal ID of the asset. You can find this from the URL, e.g.
                              https://opal.dev/resources/[ID]
-  -r, --refresh              Starts a new session even if one already exists. Useful if a session is about to expire.
-  -s, --sessionId=<value>    The Opal ID of the session to connect to. Uses an existing session that was created via the
-                             web flow.
       --profileName=<value>  Uses a custom AWS profile name for the IAM role. Default value is the role's name.
 
 DESCRIPTION
@@ -193,7 +208,7 @@ EXAMPLES
   $ opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --profileName "custom-profile"
 ```
 
-_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/iam-roles/start.ts)_
+_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/iam-roles/start.ts)_
 
 ## `opal kube-roles start`
 
@@ -201,17 +216,13 @@ Starts a session to assume a Kubernetes cluster IAM role.
 
 ```
 USAGE
-  $ opal kube-roles start [-h] [-i <value>] [-a <value>] [-s <value>] [-r]
+  $ opal kube-roles start [-h] [-i <value>] [-a <value>]
 
 FLAGS
   -a, --accessLevelRemoteId=<value>  The remote ID of the access level with which to access the resource.
   -h, --help                         Show CLI help.
   -i, --id=<value>                   The Opal ID of the asset. You can find this from the URL, e.g.
                                      https://opal.dev/resources/[ID]
-  -r, --refresh                      Starts a new session even if one already exists. Useful if a session is about to
-                                     expire.
-  -s, --sessionId=<value>            The Opal ID of the session to connect to. Uses an existing session that was created
-                                     via the web flow.
 
 DESCRIPTION
   Starts a session to assume a Kubernetes cluster IAM role.
@@ -224,7 +235,7 @@ EXAMPLES
   $ opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId "arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role"
 ```
 
-_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/kube-roles/start.ts)_
+_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/kube-roles/start.ts)_
 
 ## `opal login`
 
@@ -247,7 +258,7 @@ EXAMPLES
   $ opal login
 ```
 
-_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/login.ts)_
+_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/login.ts)_
 
 ## `opal logout`
 
@@ -267,7 +278,7 @@ EXAMPLES
   $ opal logout
 ```
 
-_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/logout.ts)_
+_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/logout.ts)_
 
 ## `opal postgres-instances start`
 
@@ -275,17 +286,13 @@ Starts a session to connect to a Postgres database.
 
 ```
 USAGE
-  $ opal postgres-instances start [-h] [-i <value>] [-a <value>] [-s <value>] [-r] [--action open|psql|view]
+  $ opal postgres-instances start [-h] [-i <value>] [-a <value>] [--action open|psql|view]
 
 FLAGS
   -a, --accessLevelRemoteId=<value>  The remote ID of the access level with which to access the resource.
   -h, --help                         Show CLI help.
   -i, --id=<value>                   The Opal ID of the asset. You can find this from the URL, e.g.
                                      https://opal.dev/resources/[ID]
-  -r, --refresh                      Starts a new session even if one already exists. Useful if a session is about to
-                                     expire.
-  -s, --sessionId=<value>            The Opal ID of the session to connect to. Uses an existing session that was created
-                                     via the web flow.
       --action=<option>              Method of connecting to the database.
                                      - open: Open external database app
                                      - psql: Start psql session in shell
@@ -305,7 +312,7 @@ EXAMPLES
   $ opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess --action view
 ```
 
-_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/postgres-instances/start.ts)_
+_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/postgres-instances/start.ts)_
 
 ## `opal request create`
 
@@ -331,7 +338,7 @@ DESCRIPTION
   Creates an Opal access request via an interactive form
 ```
 
-_See code: [src/commands/request/create.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/request/create.ts)_
+_See code: [src/commands/request/create.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/request/create.ts)_
 
 ## `opal request get`
 
@@ -355,7 +362,7 @@ EXAMPLES
   $ opal request get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4 --verbose
 ```
 
-_See code: [src/commands/request/get.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/request/get.ts)_
+_See code: [src/commands/request/get.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/request/get.ts)_
 
 ## `opal request list`
 
@@ -387,7 +394,7 @@ EXAMPLES
   $ opal request list --n 5 --pending --verbose
 ```
 
-_See code: [src/commands/request/list.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/request/list.ts)_
+_See code: [src/commands/request/list.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/request/list.ts)_
 
 ## `opal request ls`
 
@@ -438,7 +445,7 @@ EXAMPLES
   $ opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/resources/get.ts)_
+_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/resources/get.ts)_
 
 ## `opal set-auth-config`
 
@@ -468,7 +475,7 @@ EXAMPLES
   $ opal set-auth-config --organizationID=org-456 --clientID=abc123 --issuerUrl=https://auth.example.com
 ```
 
-_See code: [src/commands/set-auth-config.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/set-auth-config.ts)_
+_See code: [src/commands/set-auth-config.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/set-auth-config.ts)_
 
 ## `opal set-custom-header`
 
@@ -489,7 +496,7 @@ EXAMPLES
   $ opal set-custom-header --header 'cf-access-token: $TOKEN'
 ```
 
-_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/set-custom-header.ts)_
+_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/set-custom-header.ts)_
 
 ## `opal set-token`
 
@@ -509,7 +516,7 @@ EXAMPLES
   $ opal set-token
 ```
 
-_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/set-token.ts)_
+_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/set-token.ts)_
 
 ## `opal set-url [URL]`
 
@@ -520,7 +527,7 @@ USAGE
   $ opal set-url [URL] [-h] [--allowSelfSignedCerts]
 
 ARGUMENTS
-  URL  URL of the Opal server to use. If unspecified, defaults to https://app.opal.dev
+  [URL]  URL of the Opal server to use. If unspecified, defaults to https://app.opal.dev
 
 FLAGS
   -h, --help                  Show CLI help.
@@ -533,7 +540,7 @@ EXAMPLES
   $ opal set-url
 ```
 
-_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/set-url.ts)_
+_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/set-url.ts)_
 
 ## `opal ssh copyFrom`
 
@@ -541,19 +548,16 @@ Use SCP to copy files from a compute instance.
 
 ```
 USAGE
-  $ opal ssh copyFrom --src <value> [-h] [--dest <value>] [--user <value>] [-i <value>] [-s <value>]
+  $ opal ssh copyFrom --src <value> [-h] [--dest <value>] [--user <value>] [-i <value>]
 
 FLAGS
-  -h, --help               Show CLI help.
-  -i, --id=<value>         The Opal ID of the asset. You can find this from the URL, e.g.
-                           https://opal.dev/resources/[ID]
-  -s, --sessionId=<value>  The Opal ID of the session to connect to. Uses an existing session that was created via the
-                           web flow.
-      --dest=<value>       [default: .] The directory you want your files to be copied to.
-      --src=<value>        (required) The directory or file you would like to copy over SCP. Note we only support one
-                           file or directory at a time.
-      --user=<value>       [default: ssm-user] The user you want to run SCP over. Keep in mind not all users will have
-                           access to each other's home directory.
+  -h, --help          Show CLI help.
+  -i, --id=<value>    The Opal ID of the asset. You can find this from the URL, e.g. https://opal.dev/resources/[ID]
+      --dest=<value>  [default: .] The directory you want your files to be copied to.
+      --src=<value>   (required) The directory or file you would like to copy over SCP. Note we only support one file or
+                      directory at a time.
+      --user=<value>  [default: ssm-user] The user you want to run SCP over. Keep in mind not all users will have access
+                      to each other's home directory.
 
 DESCRIPTION
   Use SCP to copy files from a compute instance.
@@ -564,7 +568,7 @@ EXAMPLES
   $ opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/ssh/copyFrom.ts)_
+_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/ssh/copyFrom.ts)_
 
 ## `opal ssh copyTo`
 
@@ -572,19 +576,16 @@ Use SCP to copy files to a compute instance.
 
 ```
 USAGE
-  $ opal ssh copyTo --src <value> [-h] [--dest <value>] [--user <value>] [-i <value>] [-s <value>]
+  $ opal ssh copyTo --src <value> [-h] [--dest <value>] [--user <value>] [-i <value>]
 
 FLAGS
-  -h, --help               Show CLI help.
-  -i, --id=<value>         The Opal ID of the asset. You can find this from the URL, e.g.
-                           https://opal.dev/resources/[ID]
-  -s, --sessionId=<value>  The Opal ID of the session to connect to. Uses an existing session that was created via the
-                           web flow.
-      --dest=<value>       [default: .] The directory you want your files to be copied to.
-      --src=<value>        (required) The directory or file you would like to copy over SCP. Note we only support one
-                           file or directory at a time.
-      --user=<value>       [default: ssm-user] The user you want to run SCP over. Keep in mind not all users will have
-                           access to each other's home directory.
+  -h, --help          Show CLI help.
+  -i, --id=<value>    The Opal ID of the asset. You can find this from the URL, e.g. https://opal.dev/resources/[ID]
+      --dest=<value>  [default: .] The directory you want your files to be copied to.
+      --src=<value>   (required) The directory or file you would like to copy over SCP. Note we only support one file or
+                      directory at a time.
+      --user=<value>  [default: ssm-user] The user you want to run SCP over. Keep in mind not all users will have access
+                      to each other's home directory.
 
 DESCRIPTION
   Use SCP to copy files to a compute instance.
@@ -595,7 +596,7 @@ EXAMPLES
   $ opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/ssh/copyTo.ts)_
+_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/ssh/copyTo.ts)_
 
 ## `opal ssh start`
 
@@ -603,15 +604,11 @@ Starts an SSH session to access a compute instance.
 
 ```
 USAGE
-  $ opal ssh start [-h] [-i <value>] [-s <value>] [-r]
+  $ opal ssh start [-h] [-i <value>]
 
 FLAGS
-  -h, --help               Show CLI help.
-  -i, --id=<value>         The Opal ID of the asset. You can find this from the URL, e.g.
-                           https://opal.dev/resources/[ID]
-  -r, --refresh            Starts a new session even if one already exists. Useful if a session is about to expire.
-  -s, --sessionId=<value>  The Opal ID of the session to connect to. Uses an existing session that was created via the
-                           web flow.
+  -h, --help        Show CLI help.
+  -i, --id=<value>  The Opal ID of the asset. You can find this from the URL, e.g. https://opal.dev/resources/[ID]
 
 DESCRIPTION
   Starts an SSH session to access a compute instance.
@@ -622,7 +619,7 @@ EXAMPLES
   $ opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/ssh/start.ts)_
+_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/ssh/start.ts)_
 
 ## `opal version`
 
@@ -659,5 +656,5 @@ DESCRIPTION
   Describes current url set, organization name, and logged in user if applicable.
 ```
 
-_See code: [src/commands/whoami.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.4/src/commands/whoami.ts)_
+_See code: [src/commands/whoami.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.0/src/commands/whoami.ts)_
 <!-- commandsstop -->

package/build/commands/curl-example.d.ts

@@ -0,0 +1,8 @@
+import { Command } from "@oclif/core";
+export default class CurlExample extends Command {
+    static description: string;
+    static flags: {
+        help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
+    };
+    run(): Promise<void>;
+}

package/build/commands/curl-example.js

@@ -0,0 +1,35 @@
+import { Command } from "@oclif/core";
+import chalk from "chalk";
+import { getOrCreateConfigData, urlKey } from "../lib/config.js";
+import { SecretType, getOpalCredentials } from "../lib/credentials/index.js";
+import { SHARED_FLAGS } from "../lib/flags.js";
+class CurlExample extends Command {
+    async run() {
+        const opalCreds = await getOpalCredentials(this);
+        const secret = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.secret;
+        const organizationID = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.organizationID;
+        const configData = getOrCreateConfigData(this.config.configDir);
+        const url = configData[urlKey];
+        let authStr = "";
+        if (opalCreds.secretType === SecretType.ApiToken) {
+            authStr = `Authorization: Bearer ${secret}`;
+        }
+        else {
+            authStr = `Cookie: ${secret}`;
+        }
+        this.log(chalk.yellow(`WARN: This command will be removed in a future version of the Opal CLI. \n\
+      Opal's GraphQL API is not intended for developer use, please use our REST API instead`));
+        this.log(`
+curl -v ${url}/query \\
+  --data-binary '{"query":"query ListSSHSessions {resources(input: {serviceType: SSH, onlyMine: true}) {... on ResourcesResult { resources { name } } } }"}' \\
+  --header "Content-Type: application/json" \\
+  --header "${authStr}" \\
+  --header "X-Opal-Organization-ID: ${organizationID}"
+`);
+    }
+}
+CurlExample.description = "Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.";
+CurlExample.flags = {
+    help: SHARED_FLAGS.help,
+};
+export default CurlExample;

package/build/commands/iam-roles/start.d.ts

@@ -5,8 +5,6 @@ export default class StartIAMRoleSession extends Command {
     static flags: {
         help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
         id: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
-        sessionId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
-        refresh: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
         profileName: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
     };
     run(): Promise<void>;

package/build/commands/iam-roles/start.js

@@ -6,7 +6,7 @@ import { getAwsConfigUpdateCmd, getAwsEnvVarMessage } from "../../lib/aws.js";
 import { runCommandExec, setMostRecentCommand } from "../../lib/cmd.js";
 import { SHARED_FLAGS } from "../../lib/flags.js";
 import { DEFAULT_ACCESS_LEVEL, promptUserForResource, } from "../../lib/resources.js";
-import { getOrCreateSession, getSessionExpirationMessage, } from "../../lib/sessions.js";
+import { createSession, getSessionExpirationMessage } from "../../lib/sessions.js";
 const IamSessionMetadataFragment = `
 ... on AwsIamFederatedRoleSession {
   awsAccessKeyId
@@ -52,22 +52,22 @@ class StartIAMRoleSession extends Command {
         if (flags.profileName && flags.profileName !== "") {
             roleName = flags.profileName;
         }
-        const session = await getOrCreateSession(this, roleId, DEFAULT_ACCESS_LEVEL, sessionId, IamSessionMetadataFragment, flags.refresh);
+        const session = await createSession(this, roleId, DEFAULT_ACCESS_LEVEL, sessionId, IamSessionMetadataFragment);
         if (!session) {
             return;
         }
-        const metadata = session.metadata;
+        const metadata = session.sessionMetadata;
         switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
             case "AwsIamFederatedRoleSession": {
                 const updateAwsConfigCommand = getAwsConfigUpdateCmd(roleName, metadata.awsAccessKeyId, metadata.awsSecretAccessKey, metadata.awsSessionToken);
                 const startSessionCmd = `${updateAwsConfigCommand}`;
                 const roleText = roleName ? `"${roleName}" role` : "role";
-                const expirationMessage = getSessionExpirationMessage(session);
+                const expirationMessage = getSessionExpirationMessage(session.session);
                 runCommandExec(startSessionCmd, `Now set to use ${roleText}. (session expires in ${expirationMessage})${getAwsEnvVarMessage()}`, `Failed to use ${roleText}.`);
                 break;
             }
             default:
-                return handleError(this, undefined, session);
+                return handleError(this, undefined);
         }
     }
 }
@@ -80,8 +80,6 @@ StartIAMRoleSession.examples = [
 StartIAMRoleSession.flags = {
     help: SHARED_FLAGS.help,
     id: SHARED_FLAGS.id,
-    sessionId: SHARED_FLAGS.sessionId,
-    refresh: SHARED_FLAGS.refresh,
     profileName: Flags.string({
         multiple: false,
         description: "Uses a custom AWS profile name for the IAM role. Default value is the role's name.",

package/build/commands/kube-roles/start.d.ts

@@ -6,8 +6,6 @@ export default class StartKubeIAMRoleSession extends Command {
         help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
         id: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
         accessLevelRemoteId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
-        sessionId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
-        refresh: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
     };
     run(): Promise<void>;
 }

package/build/commands/kube-roles/start.js

@@ -4,7 +4,7 @@ import { getAwsConfigUpdateCmd, getAwsEnvVarMessage } from "../../lib/aws.js";
 import { runCommandExec, setMostRecentCommand } from "../../lib/cmd.js";
 import { SHARED_FLAGS } from "../../lib/flags.js";
 import { promptUserForAccessLevels, promptUserForResource, } from "../../lib/resources.js";
-import { getOrCreateSession, getSessionExpirationMessage, } from "../../lib/sessions.js";
+import { createSession, getSessionExpirationMessage } from "../../lib/sessions.js";
 const EksSessionMetadataFragment = `
 ... on AwsIamFederatedEksSession {
   awsAccessKeyId
@@ -34,11 +34,11 @@ class StartKubeIAMRoleSession extends Command {
         if (!accessLevel) {
             return;
         }
-        const session = await getOrCreateSession(this, clusterId, accessLevel, sessionId, EksSessionMetadataFragment, flags.refresh);
+        const session = await createSession(this, clusterId, accessLevel, sessionId, EksSessionMetadataFragment);
         if (!session) {
             return;
         }
-        const metadata = session.metadata;
+        const metadata = session.sessionMetadata;
         switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
             case "AwsIamFederatedEksSession": {
                 const roleName = accessLevel.accessLevelName;
@@ -46,12 +46,12 @@ class StartKubeIAMRoleSession extends Command {
                 const updateKubeConfigCmd = `aws eks update-kubeconfig --name ${metadata.clusterName} --region ${metadata.clusterRegion} --alias ${metadata.clusterName} --profile opal`;
                 const startSessionCmd = `${updateAwsConfigCommand} && ${updateKubeConfigCmd}`;
                 const roleText = roleName ? `"${roleName}" role` : "role";
-                const expirationMessage = getSessionExpirationMessage(session);
+                const expirationMessage = getSessionExpirationMessage(session.session);
                 runCommandExec(startSessionCmd, `Now set to use ${roleText} with updated Kube config pointing to "${metadata.clusterName}" cluster. (session expires in ${expirationMessage})${getAwsEnvVarMessage()}`, `Failed to assume ${roleText} and update Kube config.`);
                 break;
             }
             default:
-                return handleError(this, undefined, session);
+                return handleError(this, undefined);
         }
     }
 }
@@ -65,7 +65,5 @@ StartKubeIAMRoleSession.flags = {
     help: SHARED_FLAGS.help,
     id: SHARED_FLAGS.id,
     accessLevelRemoteId: SHARED_FLAGS.accessLevelRemoteId,
-    sessionId: SHARED_FLAGS.sessionId,
-    refresh: SHARED_FLAGS.refresh,
 };
 export default StartKubeIAMRoleSession;

package/build/commands/login.js

@@ -19,7 +19,6 @@ const ISSUER_PROD = "https://auth.opal.dev";
 const ISSUER_DEV = "https://authdev.opal.dev";
 const CLIENT_ID_PROD = "42rm6E5v7o67LBpRfjdT9KhnjrQHr9UF";
 const CLIENT_ID_DEV = "XYV8qoAvZG7dHnhRp2g5XMJ1zX9fBP6s";
-const REDIRECT_URI = "http://127.0.0.1:8080/callback";
 const CLISignInMethodDocumentLegacy = `
 query CLISignInMethod($input: SignInMethodInput!) {
   signInMethod(input: $input) {
@@ -84,7 +83,7 @@ mutation CLITokenExchange($input: CLITokenExchangeInput!) {
 `;
 class Login extends Command {
     async run() {
-        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o;
+        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o, _p;
         try {
             await initClient(this, false);
             const { flags } = await this.parse(Login);
@@ -94,7 +93,7 @@ class Login extends Command {
             let email = flags.email;
             let organizationId = existingCreds.organizationID;
             let organizationName;
-            let clientIDCandidate = (_a = existingCreds.clientID) !== null && _a !== void 0 ? _a : configData.creds.clientIDCandidate; // configData.creds.clientIDCandidate is pre-4.0, load from here for backwards-compat
+            let clientIDCandidate = (_a = existingCreds.clientID) !== null && _a !== void 0 ? _a : (_b = configData === null || configData === void 0 ? void 0 : configData.creds) === null || _b === void 0 ? void 0 : _b.clientIDCandidate; // configData.creds.clientIDCandidate is pre-4.0, load from here for backwards-compat
             const useDeviceCodeFlow = flags["device-code"];
             // If user starts a new login, remove their existing auth cookie / API token
             await removeAuthSecret(this);
@@ -145,11 +144,11 @@ class Login extends Command {
                         return handleError(this, "Could not connect to Opal. Did you set the right URL? (`opal set-url --help`)");
                     }
                 }
-                const signInOrganizations = ((_c = (_b = signInOrganizationsResponse === null || signInOrganizationsResponse === void 0 ? void 0 : signInOrganizationsResponse.data) === null || _b === void 0 ? void 0 : _b.signInMethod) === null || _c === void 0 ? void 0 : _c.__typename) ===
+                const signInOrganizations = ((_d = (_c = signInOrganizationsResponse === null || signInOrganizationsResponse === void 0 ? void 0 : signInOrganizationsResponse.data) === null || _c === void 0 ? void 0 : _c.signInMethod) === null || _d === void 0 ? void 0 : _d.__typename) ===
                     "SignInMethodResult"
                     ? signInOrganizationsResponse.data.signInMethod.signInOrganizations
-                    : ((_e = (_d = signInOrganizationsLegacyResponse === null || signInOrganizationsLegacyResponse === void 0 ? void 0 : signInOrganizationsLegacyResponse.data) === null || _d === void 0 ? void 0 : _d.signInMethod) === null || _e === void 0 ? void 0 : _e.__typename) === "SignInMethodResult"
-                        ? (_f = signInOrganizationsLegacyResponse === null || signInOrganizationsLegacyResponse === void 0 ? void 0 : signInOrganizationsLegacyResponse.data.signInMethod) === null || _f === void 0 ? void 0 : _f.signInOrganizations
+                    : ((_f = (_e = signInOrganizationsLegacyResponse === null || signInOrganizationsLegacyResponse === void 0 ? void 0 : signInOrganizationsLegacyResponse.data) === null || _e === void 0 ? void 0 : _e.signInMethod) === null || _f === void 0 ? void 0 : _f.__typename) === "SignInMethodResult"
+                        ? (_g = signInOrganizationsLegacyResponse === null || signInOrganizationsLegacyResponse === void 0 ? void 0 : signInOrganizationsLegacyResponse.data.signInMethod) === null || _g === void 0 ? void 0 : _g.signInOrganizations
                         : undefined;
                 if (signInOrganizations && signInOrganizations.length > 0) {
                     if (signInOrganizations.length === 1) {
@@ -192,7 +191,7 @@ class Login extends Command {
                     input: { organizationId },
                 },
             });
-            const signInRespState = (_h = (_g = signInResp === null || signInResp === void 0 ? void 0 : signInResp.data) === null || _g === void 0 ? void 0 : _g.signIn) === null || _h === void 0 ? void 0 : _h.state;
+            const signInRespState = (_j = (_h = signInResp === null || signInResp === void 0 ? void 0 : signInResp.data) === null || _h === void 0 ? void 0 : _h.signIn) === null || _j === void 0 ? void 0 : _j.state;
             let server; // Authorization Server's Issuer Identifier
             let clientId; // Client identifier at the Authorization Server
             let isAuth0Issuer = true;
@@ -221,7 +220,7 @@ class Login extends Command {
             // This scope is evaluated in Auth0 "MFA Rule" Action to skip or enabled MFA
             let scope = "openid email profile";
             // This extra scope is only supported in Auth0, so if the user has a custom issuer, we omit it
-            if (!((_k = (_j = signInResp === null || signInResp === void 0 ? void 0 : signInResp.data) === null || _j === void 0 ? void 0 : _j.signIn) === null || _k === void 0 ? void 0 : _k.forceExtraStep) && isAuth0Issuer) {
+            if (!((_l = (_k = signInResp === null || signInResp === void 0 ? void 0 : signInResp.data) === null || _k === void 0 ? void 0 : _k.signIn) === null || _l === void 0 ? void 0 : _l.forceExtraStep) && isAuth0Issuer) {
                 scope += " mfa:skip";
             }
             let tokens;
@@ -251,7 +250,7 @@ Verify this code in your browser
                     {
                         type: "input",
                         name: "continue",
-                        message: "Press Enter to open your browser and continue",
+                        message: "Press Enter to open your browser and continue\n",
                     },
                 ]);
                 this.log(`
@@ -271,12 +270,12 @@ If your browser doesn't automatically, go to:
                 }
             }
             else {
-                const serverPromise = startLocalServer();
+                const { port, urlPromise } = await startLocalServer();
                 const code_verifier = client.randomPKCECodeVerifier();
                 const code_challenge = await client.calculatePKCECodeChallenge(code_verifier);
                 const clientState = client.randomState();
                 const parameters = {
-                    redirect_uri: REDIRECT_URI,
+                    redirect_uri: `http://127.0.0.1:${port}/callback`,
                     scope,
                     code_challenge,
                     code_challenge_method: "S256",
@@ -300,18 +299,18 @@ To continue, please authorize this application in your browser.
                     {
                         type: "input",
                         name: "continue",
-                        message: "Press Enter to open your browser and continue",
+                        message: "Press Enter to open your browser and continue\n",
                     },
                 ]);
                 this.log(`
-If your browser doesn't automatically, go to: 
-          
+If your browser doesn't automatically, go to:
+
 ${redirectTo}
 `);
                 ux.action.start("Waiting for authorization");
                 try {
                     await open(redirectTo.toString(), { wait: false });
-                    const url = await serverPromise;
+                    const url = await urlPromise;
                     tokens = await client.authorizationCodeGrant(config, new URL(url), {
                         pkceCodeVerifier: code_verifier,
                         expectedState: clientState,
@@ -348,7 +347,7 @@ ${redirectTo}
                 variables: {},
             });
             if (authCheckErr ||
-                !((_o = (_m = (_l = authCheckResp === null || authCheckResp === void 0 ? void 0 : authCheckResp.data) === null || _l === void 0 ? void 0 : _l.organizationSettings) === null || _m === void 0 ? void 0 : _m.settings) === null || _o === void 0 ? void 0 : _o.id)) {
+                !((_p = (_o = (_m = authCheckResp === null || authCheckResp === void 0 ? void 0 : authCheckResp.data) === null || _m === void 0 ? void 0 : _m.organizationSettings) === null || _o === void 0 ? void 0 : _o.settings) === null || _p === void 0 ? void 0 : _p.id)) {
                 this.log("Error verifying log in. Authenticated commands may fail. Please double check your URL and use `opal logout; opal login` to try again.\n");
                 await removeAuthSecret(this);
                 process.exit(1);

package/build/commands/postgres-instances/start.d.ts

@@ -6,8 +6,6 @@ export default class StartPostgresInstanceSession extends Command {
         help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
         id: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
         accessLevelRemoteId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
-        sessionId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
-        refresh: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
         action: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
     };
     run(): Promise<void>;