orchestrating 0.1.15 → 0.1.16

package/bin/orch

@@ -53,6 +53,39 @@ function clearAuth() {
   } catch {}
 }
 
+// --- Supabase config (public anon key, same as browser dashboard) ---
+const SUPABASE_URL = process.env.SUPABASE_URL || "https://vhyqfzdskgrmnxrdaqql.supabase.co";
+const SUPABASE_ANON_KEY = process.env.SUPABASE_ANON_KEY || "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InZoeXFmemRza2dybW54cmRhcXFsIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzE1NjU5NTYsImV4cCI6MjA4NzE0MTk1Nn0.hWAceFshHoeTlnwThM08enNWG-ZeXICl3uyi-AmIJEk";
+
+async function refreshAuthToken() {
+  const auth = loadStoredAuth();
+  if (!auth || !auth.refresh_token) return null;
+
+  try {
+    const res = await fetch(`${SUPABASE_URL}/auth/v1/token?grant_type=refresh_token`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "apikey": SUPABASE_ANON_KEY,
+      },
+      body: JSON.stringify({ refresh_token: auth.refresh_token }),
+    });
+
+    if (!res.ok) return null;
+
+    const data = await res.json();
+    if (data.access_token) {
+      saveAuth({
+        access_token: data.access_token,
+        refresh_token: data.refresh_token || auth.refresh_token,
+        expires_at: data.expires_at || 0,
+      });
+      return data.access_token;
+    }
+  } catch {}
+  return null;
+}
+
 function getAuthToken() {
   // 1. Env var override
   if (process.env.ORC_TOKEN || process.env.CAST_TOKEN || process.env.AUTH_TOKEN) {
@@ -61,16 +94,18 @@ function getAuthToken() {
   // 2. Stored credentials
   const auth = loadStoredAuth();
   if (auth && auth.access_token) {
-    // Check expiry — if expired and we have a refresh token, caller should refresh
-    if (auth.expires_at && Date.now() / 1000 > auth.expires_at) {
-      // Token expired — still return it, server will reject and CLI can prompt re-login
-      return auth.access_token;
-    }
     return auth.access_token;
   }
   return "";
 }
 
+function isTokenExpired() {
+  const auth = loadStoredAuth();
+  if (!auth || !auth.expires_at) return false;
+  // Expired or expires within 5 minutes
+  return Date.now() / 1000 > auth.expires_at - 300;
+}
+
 // --- Login command ---
 async function handleLogin() {
   const loginUrl = process.env.ORC_LOGIN_URL || "https://orchestrat.ing/cli-auth";
@@ -216,10 +251,21 @@ const spawnArgs = commandArgs.slice(1);
 let sessionId;
 const hostname = os.hostname();
 const serverUrl = process.env.ORC_URL || process.env.CAST_URL || "wss://api.orchestrat.ing/ws";
-const authToken = getAuthToken();
+let authToken = getAuthToken();
 const cwdFolder = path.basename(process.cwd());
 const effectiveLabel = label || cwdFolder || commandArgs.join(" ");
 
+// Refresh token on startup if expired or about to expire
+if (authToken && isTokenExpired()) {
+  const refreshed = await refreshAuthToken();
+  if (refreshed) {
+    authToken = refreshed;
+    process.stderr.write(`${DIM}[orch] Token refreshed${RESET}\n`);
+  } else {
+    process.stderr.write("\x1b[33mToken expired. Run 'orch login' to re-authenticate.\x1b[0m\n");
+  }
+}
+
 // Warn if no auth and connecting to remote server
 if (!authToken && !serverUrl.includes("localhost") && !serverUrl.includes("127.0.0.1")) {
   console.error("\x1b[33mNo credentials found. Run 'orch login' to authenticate.\x1b[0m");
@@ -829,7 +875,16 @@ function printLocalEvent(event) {
 
 // --- WebSocket connection ---
 
-function connectWs() {
+async function connectWs() {
+  // Refresh token if expired before (re)connecting
+  if (isTokenExpired()) {
+    const refreshed = await refreshAuthToken();
+    if (refreshed) {
+      authToken = refreshed;
+      process.stderr.write(`${DIM}[orch] Token refreshed${RESET}\n`);
+    }
+  }
+
   if (ws) {
     ws.removeAllListeners();
     ws.close();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "orchestrating",
-  "version": "0.1.15",
+  "version": "0.1.16",
   "description": "Stream terminal sessions to the orchestrat.ing dashboard",
   "type": "module",
   "bin": {