npm - passwd-sso-cli - Versions diffs - 0.4.4 → 0.4.6 - Mend

passwd-sso-cli 0.4.4 → 0.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/commands/login.d.ts CHANGED Viewed

@@ -1,4 +1,8 @@
 /**
- * `passwd-sso login` — Configure server URL and Bearer token.
+ * `passwd-sso login` — Authenticate via OAuth 2.1 PKCE or manual token paste.
  */
-export declare function loginCommand(): Promise<void>;
+export interface LoginOptions {
+    useToken?: boolean;
+    server?: string;
+}
+export declare function loginCommand(opts?: LoginOptions): Promise<void>;

package/dist/commands/login.js CHANGED Viewed

@@ -1,9 +1,10 @@
 /**
- * `passwd-sso login` — Configure server URL and Bearer token.
+ * `passwd-sso login` — Authenticate via OAuth 2.1 PKCE or manual token paste.
  */
 import { createInterface } from "node:readline";
-import { loadConfig, saveConfig, saveToken } from "../lib/config.js";
+import { loadConfig, saveConfig, loadCredentials, saveCredentials } from "../lib/config.js";
 import { setTokenCache } from "../lib/api-client.js";
+import { runOAuthFlow, revokeTokenRequest, validateServerUrl } from "../lib/oauth.js";
 import * as output from "../lib/output.js";
 async function prompt(question) {
     const rl = createInterface({ input: process.stdin, output: process.stdout });
@@ -14,32 +15,84 @@ async function prompt(question) {
         });
     });
 }
-export async function loginCommand() {
+export async function loginCommand(opts = {}) {
     const config = loadConfig();
-    const serverUrl = await prompt(`Server URL${config.serverUrl ? ` [${config.serverUrl}]` : ""}: `);
-    if (serverUrl) {
-        config.serverUrl = serverUrl.replace(/\/$/, "");
+    // Resolve server URL
+    const serverInput = opts.server ?? await prompt(`Server URL${config.serverUrl ? ` [${config.serverUrl}]` : ""}: `);
+    if (serverInput) {
+        config.serverUrl = serverInput.replace(/\/$/, "");
     }
     if (!config.serverUrl) {
         output.error("Server URL is required.");
         return;
     }
+    try {
+        validateServerUrl(config.serverUrl);
+    }
+    catch (err) {
+        output.error(err instanceof Error ? err.message : "Invalid server URL");
+        return;
+    }
+    saveConfig(config);
+    // Revoke previous session before starting new login
+    await revokeExistingSession(config.serverUrl);
+    if (opts.useToken) {
+        // Manual token paste fallback (CI / headless without callback)
+        await manualTokenLogin(config.serverUrl);
+    }
+    else {
+        // OAuth 2.1 Authorization Code + PKCE (default)
+        await oauthLogin(config.serverUrl);
+    }
+}
+/** Best-effort revocation of the previous session's tokens. */
+async function revokeExistingSession(serverUrl) {
+    const creds = loadCredentials();
+    if (!creds || !creds.refreshToken || !creds.clientId)
+        return;
+    try {
+        // Revoking the refresh token also revokes all access tokens in the family
+        await revokeTokenRequest(serverUrl, creds.refreshToken, creds.clientId, "refresh_token");
+    }
+    catch {
+        // Best-effort — failure here should not block login
+    }
+}
+async function oauthLogin(serverUrl) {
+    try {
+        const result = await runOAuthFlow(serverUrl);
+        const expiresAt = new Date(Date.now() + result.expiresIn * 1000).toISOString();
+        saveCredentials({
+            accessToken: result.accessToken,
+            refreshToken: result.refreshToken,
+            clientId: result.clientId,
+            expiresAt,
+        });
+        setTokenCache(result.accessToken, expiresAt, result.refreshToken, result.clientId);
+        output.success(`Logged in to ${serverUrl}`);
+    }
+    catch (err) {
+        output.error(err instanceof Error ? err.message : "OAuth login failed");
+    }
+}
+async function manualTokenLogin(serverUrl) {
     output.info("Open your browser and go to the token page to generate a CLI token.");
-    output.info(`  ${config.serverUrl}/dashboard/settings`);
+    output.info(`  ${serverUrl}/dashboard/settings/developer`);
     console.log();
     const token = await prompt("Paste your token: ");
     if (!token) {
         output.error("Token is required.");
         return;
     }
-    // Approximate token expiry (15 min from now)
-    config.tokenExpiresAt = new Date(Date.now() + 15 * 60 * 1000).toISOString();
-    saveConfig(config);
-    const storage = await saveToken(token);
-    setTokenCache(token, config.tokenExpiresAt);
-    if (storage === "file") {
-        output.warn("Token saved to file (plaintext). Consider installing keytar for OS keychain storage.");
-    }
-    output.success(`Logged in to ${config.serverUrl}`);
+    const expiresAt = new Date(Date.now() + 15 * 60 * 1000).toISOString();
+    saveCredentials({
+        accessToken: token,
+        refreshToken: "",
+        clientId: "",
+        expiresAt,
+    });
+    setTokenCache(token, expiresAt);
+    output.warn("Manual token will not auto-refresh. Use `passwd-sso login` for persistent sessions.");
+    output.success(`Logged in to ${serverUrl}`);
 }
 //# sourceMappingURL=login.js.map

package/dist/index.js CHANGED Viewed

@@ -40,8 +40,10 @@ program
 });
 program
     .command("login")
-    .description("Configure server URL and authentication token")
-    .action(loginCommand);
+    .description("Authenticate via browser (OAuth 2.1 PKCE) or paste a token")
+    .option("--token", "Use manual token paste instead of browser OAuth")
+    .option("-s, --server <url>", "Server URL")
+    .action((opts) => loginCommand({ useToken: opts.token, server: opts.server }));
 program
     .command("status")
     .description("Show connection and vault status")

package/dist/lib/api-client.d.ts CHANGED Viewed

@@ -2,11 +2,11 @@
  * API client for the CLI tool.
  *
  * Uses native Node.js fetch with Bearer token authentication.
- * Automatically refreshes expired tokens.
+ * Automatically refreshes expired tokens via OAuth 2.1 refresh_token grant.
  */
 export declare function setInsecure(enabled: boolean): void;
-export declare function getToken(): Promise<string | null>;
-export declare function setTokenCache(token: string, expiresAt?: string): void;
+export declare function getToken(): string | null;
+export declare function setTokenCache(token: string, expiresAt?: string, refreshToken?: string, clientId?: string): void;
 export declare function clearTokenCache(): void;
 export interface ApiResponse<T = unknown> {
     ok: boolean;

package/dist/lib/api-client.js CHANGED Viewed

@@ -2,32 +2,49 @@
  * API client for the CLI tool.
  *
  * Uses native Node.js fetch with Bearer token authentication.
- * Automatically refreshes expired tokens.
+ * Automatically refreshes expired tokens via OAuth 2.1 refresh_token grant.
  */
-import { loadToken, saveToken, loadConfig, saveConfig } from "./config.js";
+import { loadCredentials, saveCredentials, loadConfig } from "./config.js";
+import { refreshTokenGrant } from "./oauth.js";
 let cachedToken = null;
 let cachedExpiresAt = null;
+let cachedRefreshToken = null;
+let cachedClientId = null;
 export function setInsecure(enabled) {
     if (enabled) {
         process.stderr.write("WARNING: TLS certificate verification is disabled. Your credentials may be intercepted.\n");
         process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
     }
 }
-export async function getToken() {
+export function getToken() {
     if (cachedToken)
         return cachedToken;
-    cachedToken = await loadToken();
+    const creds = loadCredentials();
+    if (!creds)
+        return null;
+    cachedToken = creds.accessToken;
+    cachedExpiresAt = new Date(creds.expiresAt).getTime();
+    cachedRefreshToken = creds.refreshToken || null;
+    cachedClientId = creds.clientId || null;
     return cachedToken;
 }
-export function setTokenCache(token, expiresAt) {
+export function setTokenCache(token, expiresAt, refreshToken, clientId) {
     cachedToken = token;
     if (expiresAt) {
         cachedExpiresAt = new Date(expiresAt).getTime();
     }
+    if (refreshToken !== undefined) {
+        cachedRefreshToken = refreshToken || null;
+    }
+    if (clientId !== undefined) {
+        cachedClientId = clientId || null;
+    }
 }
 export function clearTokenCache() {
     cachedToken = null;
     cachedExpiresAt = null;
+    cachedRefreshToken = null;
+    cachedClientId = null;
 }
 function getBaseUrl() {
     const config = loadConfig();
@@ -36,46 +53,28 @@ function getBaseUrl() {
     }
     return config.serverUrl.replace(/\/$/, "");
 }
-/** Refresh buffer: refresh 2 minutes before expiry */
 const REFRESH_BUFFER_MS = 2 * 60 * 1000;
 function isTokenExpiringSoon() {
-    if (!cachedExpiresAt) {
-        // Load from config if not cached
-        const config = loadConfig();
-        if (config.tokenExpiresAt) {
-            cachedExpiresAt = new Date(config.tokenExpiresAt).getTime();
-        }
-    }
     if (!cachedExpiresAt)
         return false;
     return Date.now() >= cachedExpiresAt - REFRESH_BUFFER_MS;
 }
 async function refreshToken() {
-    const token = await getToken();
-    if (!token)
+    if (!cachedRefreshToken || !cachedClientId)
         return false;
     const baseUrl = getBaseUrl();
     try {
-        const res = await fetch(`${baseUrl}/api/extension/token/refresh`, {
-            method: "POST",
-            headers: {
-                Authorization: `Bearer ${token}`,
-                "Content-Type": "application/json",
-            },
-        });
-        if (!res.ok)
-            return false;
-        const data = (await res.json());
-        if (typeof data.token !== "string" || !data.token)
+        const result = await refreshTokenGrant(baseUrl, cachedRefreshToken, cachedClientId);
+        if (!result || !result.refreshToken)
             return false;
-        if (typeof data.expiresAt !== "string" || isNaN(new Date(data.expiresAt).getTime()))
-            return false;
-        await saveToken(data.token);
-        setTokenCache(data.token, data.expiresAt);
-        // Persist expiresAt in config
-        const config = loadConfig();
-        config.tokenExpiresAt = data.expiresAt;
-        saveConfig(config);
+        const expiresAt = new Date(Date.now() + result.expiresIn * 1000).toISOString();
+        saveCredentials({
+            accessToken: result.accessToken,
+            refreshToken: result.refreshToken,
+            clientId: cachedClientId,
+            expiresAt,
+        });
+        setTokenCache(result.accessToken, expiresAt, result.refreshToken, cachedClientId);
         return true;
     }
     catch {
@@ -83,15 +82,14 @@ async function refreshToken() {
     }
 }
 export async function apiRequest(path, options = {}) {
-    let token = await getToken();
+    let token = getToken();
     if (!token) {
         throw new Error("Not logged in. Run `passwd-sso login` first.");
     }
-    // Proactively refresh if token is expiring soon
     if (isTokenExpiringSoon()) {
         const refreshed = await refreshToken();
         if (refreshed) {
-            token = await getToken();
+            token = getToken();
         }
     }
     const baseUrl = getBaseUrl();
@@ -109,11 +107,10 @@ export async function apiRequest(path, options = {}) {
         fetchOpts.body = JSON.stringify(body);
     }
     let res = await fetch(url, fetchOpts);
-    // Auto-refresh on 401
     if (res.status === 401) {
         const refreshed = await refreshToken();
         if (refreshed) {
-            const newToken = await getToken();
+            const newToken = getToken();
             fetchOpts.headers = {
                 ...fetchOpts.headers,
                 Authorization: `Bearer ${newToken}`,
@@ -125,15 +122,16 @@ export async function apiRequest(path, options = {}) {
     return { ok: res.ok, status: res.status, data };
 }
 // ─── Background Token Refresh Timer ─────────────────────────
-/** Interval: refresh every 10 minutes (well within 15-min TTL) */
-const BG_REFRESH_INTERVAL_MS = 10 * 60 * 1000;
+const BG_REFRESH_INTERVAL_MS = 50 * 60 * 1000;
 let bgRefreshTimer = null;
 export function startBackgroundRefresh() {
     stopBackgroundRefresh();
+    // Skip timer entirely for manual --token login (no refresh token)
+    if (!cachedRefreshToken)
+        return;
     bgRefreshTimer = setInterval(() => {
         void refreshToken();
     }, BG_REFRESH_INTERVAL_MS);
-    // Don't keep the process alive just for the timer
     bgRefreshTimer.unref();
 }
 export function stopBackgroundRefresh() {

package/dist/lib/config.d.ts CHANGED Viewed

@@ -1,18 +1,33 @@
 /**
  * Configuration management for the CLI tool.
  *
- * Config file: $XDG_CONFIG_HOME/passwd-sso/config.json
- * Credentials: OS keychain (via keytar) or $XDG_DATA_HOME/passwd-sso/credentials
+ * Config file:  $XDG_CONFIG_HOME/passwd-sso/config.json
+ * Credentials:  $XDG_DATA_HOME/passwd-sso/credentials  (mode 0o600, JSON)
  *
  * Legacy ~/.passwd-sso/ is auto-migrated on first access.
  */
 export interface CliConfig {
     serverUrl: string;
     locale: string;
-    tokenExpiresAt?: string;
 }
 export declare function loadConfig(): CliConfig;
 export declare function saveConfig(config: CliConfig): void;
-export declare function saveToken(token: string): Promise<"keychain" | "file">;
-export declare function loadToken(): Promise<string | null>;
-export declare function deleteToken(): Promise<void>;
+export interface StoredCredentials {
+    accessToken: string;
+    refreshToken: string;
+    clientId: string;
+    expiresAt: string;
+}
+/**
+ * Write credentials to the data directory using O_NOFOLLOW to prevent
+ * symlink attacks. File is created with mode 0o600 (owner read/write only).
+ */
+export declare function saveCredentials(creds: StoredCredentials): void;
+/**
+ * Load stored credentials. Returns null if the file does not exist,
+ * cannot be parsed as JSON, or is missing required fields (e.g. legacy
+ * plaintext token format written by older CLI versions).
+ */
+export declare function loadCredentials(): StoredCredentials | null;
+/** Remove the stored credentials file. Silently ignores missing-file errors. */
+export declare function deleteCredentials(): void;

package/dist/lib/config.js CHANGED Viewed

@@ -1,16 +1,14 @@
 /**
  * Configuration management for the CLI tool.
  *
- * Config file: $XDG_CONFIG_HOME/passwd-sso/config.json
- * Credentials: OS keychain (via keytar) or $XDG_DATA_HOME/passwd-sso/credentials
+ * Config file:  $XDG_CONFIG_HOME/passwd-sso/config.json
+ * Credentials:  $XDG_DATA_HOME/passwd-sso/credentials  (mode 0o600, JSON)
  *
  * Legacy ~/.passwd-sso/ is auto-migrated on first access.
  */
-import { existsSync, mkdirSync, readFileSync, writeFileSync, lstatSync, openSync, writeSync, closeSync, constants as fsConstants } from "node:fs";
+import { existsSync, mkdirSync, readFileSync, writeFileSync, lstatSync, openSync, writeSync, closeSync, unlinkSync, constants as fsConstants, } from "node:fs";
 import { getConfigDir, getDataDir, getConfigFilePath, getCredentialsFilePath, } from "./paths.js";
 import { migrateIfNeeded } from "./migrate.js";
-const KEYCHAIN_SERVICE = "passwd-sso-cli";
-const KEYCHAIN_ACCOUNT = "bearer-token";
 const DEFAULT_CONFIG = {
     serverUrl: "",
     locale: "en",
@@ -40,28 +38,15 @@ export function loadConfig() {
 }
 export function saveConfig(config) {
     ensureConfigDir();
-    writeFileSync(getConfigFilePath(), JSON.stringify(config, null, 2), { mode: 0o600 });
+    writeFileSync(getConfigFilePath(), JSON.stringify(config, null, 2), {
+        mode: 0o600,
+    });
 }
-// ─── Credential Storage ───────────────────────────────────────
-async function tryKeytar() {
-    if (process.env.PSSO_NO_KEYCHAIN === "1")
-        return null;
-    try {
-        const mod = await import("keytar");
-        // Dynamic import may wrap the CJS module in { default: ... }
-        return (mod.default ?? mod);
-    }
-    catch {
-        return null;
-    }
-}
-export async function saveToken(token) {
-    const kt = await tryKeytar();
-    if (kt) {
-        await kt.setPassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT, token);
-        return "keychain";
-    }
-    // File fallback — use O_NOFOLLOW to prevent symlink attacks (TOCTOU-safe)
+/**
+ * Write credentials to the data directory using O_NOFOLLOW to prevent
+ * symlink attacks. File is created with mode 0o600 (owner read/write only).
+ */
+export function saveCredentials(creds) {
     ensureDataDir();
     const dataDir = getDataDir();
     const stat = lstatSync(dataDir);
@@ -69,38 +54,60 @@ export async function saveToken(token) {
         throw new Error("Data directory is a symlink — refusing to write credentials.");
     }
     const credPath = getCredentialsFilePath();
-    const fd = openSync(credPath, fsConstants.O_WRONLY | fsConstants.O_CREAT | fsConstants.O_TRUNC | (fsConstants.O_NOFOLLOW ?? 0), 0o600);
+    const fd = openSync(credPath, fsConstants.O_WRONLY |
+        fsConstants.O_CREAT |
+        fsConstants.O_TRUNC |
+        (fsConstants.O_NOFOLLOW ?? 0), 0o600);
     try {
-        writeSync(fd, token);
+        writeSync(fd, JSON.stringify(creds)); // codeql[js/network-data-written-to-file] OAuth tokens are intentionally persisted for session continuity
     }
     finally {
         closeSync(fd);
     }
-    return "file";
 }
-export async function loadToken() {
+/**
+ * Load stored credentials. Returns null if the file does not exist,
+ * cannot be parsed as JSON, or is missing required fields (e.g. legacy
+ * plaintext token format written by older CLI versions).
+ */
+export function loadCredentials() {
     migrateIfNeeded();
-    const kt = await tryKeytar();
-    if (kt) {
-        const token = await kt.getPassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT);
-        if (token)
-            return token;
-    }
-    // File fallback
     try {
-        return readFileSync(getCredentialsFilePath(), "utf-8").trim();
+        const raw = readFileSync(getCredentialsFilePath(), "utf-8").trim();
+        let parsed;
+        try {
+            parsed = JSON.parse(raw);
+        }
+        catch {
+            // Legacy plaintext token — prompt user to re-login
+            return null;
+        }
+        if (parsed === null ||
+            typeof parsed !== "object" ||
+            Array.isArray(parsed)) {
+            return null;
+        }
+        const obj = parsed;
+        if (typeof obj.accessToken !== "string" ||
+            typeof obj.refreshToken !== "string" ||
+            typeof obj.clientId !== "string" ||
+            typeof obj.expiresAt !== "string") {
+            return null;
+        }
+        return {
+            accessToken: obj.accessToken,
+            refreshToken: obj.refreshToken,
+            clientId: obj.clientId,
+            expiresAt: obj.expiresAt,
+        };
     }
     catch {
         return null;
     }
 }
-export async function deleteToken() {
-    const kt = await tryKeytar();
-    if (kt) {
-        await kt.deletePassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT);
-    }
+/** Remove the stored credentials file. Silently ignores missing-file errors. */
+export function deleteCredentials() {
     try {
-        const { unlinkSync } = await import("node:fs");
         unlinkSync(getCredentialsFilePath());
     }
     catch {

package/dist/lib/oauth.d.ts ADDED Viewed

@@ -0,0 +1,60 @@
+/**
+ * OAuth 2.1 Authorization Code + PKCE client for the CLI.
+ *
+ * Uses only Node.js built-in modules (node:crypto, node:http, node:child_process).
+ * Implements DCR (RFC 7591) for client registration against the MCP OAuth endpoints.
+ */
+export interface OAuthResult {
+    accessToken: string;
+    refreshToken: string;
+    expiresIn: number;
+    scope: string;
+    clientId: string;
+}
+export interface TokenResponse {
+    accessToken: string;
+    refreshToken: string;
+    expiresIn: number;
+    scope: string;
+}
+interface CallbackResult {
+    code: string;
+    state: string;
+}
+export declare function generateCodeVerifier(): string;
+export declare function computeS256Challenge(verifier: string): string;
+/**
+ * Start a local HTTP server on port 0 (OS-assigned) that waits for the
+ * OAuth redirect callback. Returns the assigned port and a promise that
+ * resolves with the authorization code.
+ *
+ * Verifies the state parameter using constant-time comparison (RFC 9700 §2.1.2).
+ */
+export declare function startCallbackServer(expectedState: string): Promise<{
+    port: number;
+    waitForCallback: () => Promise<CallbackResult>;
+}>;
+/** Register a new public OAuth client via Dynamic Client Registration (RFC 7591). */
+export declare function registerClient(serverUrl: string, redirectUri: string): Promise<{
+    clientId: string;
+}>;
+/** Exchange an authorization code for access + refresh tokens. */
+export declare function exchangeCode(serverUrl: string, params: {
+    code: string;
+    redirectUri: string;
+    clientId: string;
+    codeVerifier: string;
+}): Promise<OAuthResult>;
+/** Exchange a refresh token for a new access + refresh token pair. */
+export declare function refreshTokenGrant(serverUrl: string, refreshToken: string, clientId: string): Promise<TokenResponse | null>;
+/** Revoke a token via the server's revocation endpoint. Best-effort — does not throw. */
+export declare function revokeTokenRequest(serverUrl: string, token: string, clientId: string, tokenTypeHint?: "access_token" | "refresh_token"): Promise<void>;
+/**
+ * Attempt to open the URL in the system browser.
+ * Returns false when running in a headless environment (no display server).
+ */
+export declare function openBrowser(url: string): boolean;
+/** Reject non-HTTPS URLs except for loopback development. */
+export declare function validateServerUrl(url: string): void;
+export declare function runOAuthFlow(serverUrl: string): Promise<OAuthResult>;
+export {};

package/dist/lib/oauth.js ADDED Viewed

@@ -0,0 +1,321 @@
+/**
+ * OAuth 2.1 Authorization Code + PKCE client for the CLI.
+ *
+ * Uses only Node.js built-in modules (node:crypto, node:http, node:child_process).
+ * Implements DCR (RFC 7591) for client registration against the MCP OAuth endpoints.
+ */
+import { randomBytes, createHash, timingSafeEqual } from "node:crypto";
+import { createServer, } from "node:http";
+import { spawn } from "node:child_process";
+const CALLBACK_TIMEOUT_MS = 120_000; // 2 minutes
+const CLI_CLIENT_NAME = "passwd-sso-cli";
+const CLI_SCOPES = "credentials:list credentials:use vault:status vault:unlock-data passwords:read passwords:write";
+const MCP_TOKEN_ENDPOINT = "/api/mcp/token";
+// ─── PKCE helpers ─────────────────────────────────────────────────────────────
+export function generateCodeVerifier() {
+    return randomBytes(32).toString("base64url");
+}
+export function computeS256Challenge(verifier) {
+    return createHash("sha256").update(verifier).digest("base64url");
+}
+// ─── HTML templates ──────────────────────────────────────────────────────────
+function escapeHtml(s) {
+    return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+const SUCCESS_HTML = `<!DOCTYPE html>
+<html lang="en">
+<head><meta charset="utf-8"><title>Login successful</title>
+<style>body{font-family:sans-serif;display:flex;justify-content:center;align-items:center;height:100vh;margin:0}
+.box{text-align:center;max-width:400px}</style></head>
+<body><div class="box">
+<h2>Login successful</h2>
+<p>You can close this tab and return to the terminal.</p>
+</div></body></html>`;
+function errorHtml(msg) {
+    return `<!DOCTYPE html>
+<html lang="en">
+<head><meta charset="utf-8"><title>Login failed</title>
+<style>body{font-family:sans-serif;display:flex;justify-content:center;align-items:center;height:100vh;margin:0}
+.box{text-align:center;max-width:400px}</style></head>
+<body><div class="box">
+<h2>Login failed</h2>
+<p>${escapeHtml(msg)}</p>
+<p>Please return to the terminal.</p>
+</div></body></html>`;
+}
+// ─── Loopback callback server ─────────────────────────────────────────────────
+/**
+ * Start a local HTTP server on port 0 (OS-assigned) that waits for the
+ * OAuth redirect callback. Returns the assigned port and a promise that
+ * resolves with the authorization code.
+ *
+ * Verifies the state parameter using constant-time comparison (RFC 9700 §2.1.2).
+ */
+export async function startCallbackServer(expectedState) {
+    let resolve;
+    let reject;
+    const callbackPromise = new Promise((res, rej) => {
+        resolve = res;
+        reject = rej;
+    });
+    // Prevent unhandled rejection — errors are consumed via waitForCallback()
+    callbackPromise.catch(() => { });
+    const server = createServer((req, res) => {
+        const addr = server.address();
+        const p = typeof addr === "object" && addr ? addr.port : 0;
+        const url = new URL(req.url ?? "/", `http://127.0.0.1:${p}`);
+        if (url.pathname !== "/callback") {
+            res.writeHead(404);
+            res.end("Not found");
+            return;
+        }
+        const code = url.searchParams.get("code");
+        const state = url.searchParams.get("state");
+        const error = url.searchParams.get("error");
+        if (error) {
+            const desc = url.searchParams.get("error_description") ?? error;
+            res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+            res.end(errorHtml(`Authorization error: ${desc}`));
+            reject(new Error(`OAuth error: ${desc}`));
+            return;
+        }
+        if (!code || !state) {
+            res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+            res.end(errorHtml("Missing code or state parameter."));
+            reject(new Error("Callback missing code or state parameter"));
+            return;
+        }
+        const expectedBuf = Buffer.from(expectedState, "utf-8");
+        const receivedBuf = Buffer.from(state, "utf-8");
+        const stateValid = expectedBuf.length === receivedBuf.length &&
+            timingSafeEqual(expectedBuf, receivedBuf);
+        if (!stateValid) {
+            res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+            res.end(errorHtml("State mismatch — possible CSRF attack."));
+            reject(new Error("OAuth state mismatch"));
+            return;
+        }
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(SUCCESS_HTML);
+        resolve({ code, state });
+    });
+    // Bind to port 0 so the OS assigns a free ephemeral port — no TOCTOU race
+    const port = await new Promise((res, rej) => {
+        server.listen(0, "127.0.0.1", () => {
+            const addr = server.address();
+            if (addr && typeof addr !== "string") {
+                res(addr.port);
+            }
+            else {
+                server.close();
+                rej(new Error("Failed to determine callback server port"));
+            }
+        });
+        server.on("error", rej);
+    });
+    const waitForCallback = () => {
+        return new Promise((res, rej) => {
+            const timer = setTimeout(() => {
+                server.close();
+                rej(new Error(`Timed out waiting for OAuth callback after ${CALLBACK_TIMEOUT_MS / 1000}s`));
+            }, CALLBACK_TIMEOUT_MS);
+            callbackPromise
+                .then((result) => { clearTimeout(timer); server.close(); res(result); })
+                .catch((err) => { clearTimeout(timer); server.close(); rej(err); });
+        });
+    };
+    return { port, waitForCallback };
+}
+// ─── DCR client registration ──────────────────────────────────────────────────
+/** Register a new public OAuth client via Dynamic Client Registration (RFC 7591). */
+export async function registerClient(serverUrl, redirectUri) {
+    const response = await fetch(`${serverUrl}/api/mcp/register`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+            client_name: CLI_CLIENT_NAME,
+            redirect_uris: [redirectUri],
+            grant_types: ["authorization_code", "refresh_token"],
+            response_types: ["code"],
+            token_endpoint_auth_method: "none",
+            scope: CLI_SCOPES,
+        }),
+    });
+    if (!response.ok) {
+        const text = await response.text().catch(() => "");
+        throw new Error(`DCR registration failed (${response.status}): ${text}`);
+    }
+    const data = (await response.json());
+    const clientId = data.client_id;
+    if (typeof clientId !== "string" || !clientId) {
+        throw new Error("DCR response missing client_id");
+    }
+    const registeredUris = data.redirect_uris;
+    if (Array.isArray(registeredUris) && !registeredUris.includes(redirectUri)) {
+        throw new Error("DCR: server registered unexpected redirect_uri");
+    }
+    return { clientId };
+}
+// ─── Token endpoint helpers ──────────────────────────────────────────────────
+/** Parse an OAuth token endpoint response into a structured result. */
+function parseTokenResponse(data) {
+    const accessToken = data.access_token;
+    const refreshToken = data.refresh_token;
+    const expiresIn = data.expires_in;
+    const scope = data.scope;
+    if (typeof accessToken !== "string" || !accessToken) {
+        throw new Error("Token response missing access_token");
+    }
+    if (typeof refreshToken !== "string" || !refreshToken) {
+        throw new Error("Token response missing refresh_token");
+    }
+    return {
+        accessToken,
+        refreshToken,
+        expiresIn: typeof expiresIn === "number" ? expiresIn : 3600,
+        scope: typeof scope === "string" ? scope : CLI_SCOPES,
+    };
+}
+/** Exchange an authorization code for access + refresh tokens. */
+export async function exchangeCode(serverUrl, params) {
+    const response = await fetch(`${serverUrl}${MCP_TOKEN_ENDPOINT}`, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+            grant_type: "authorization_code",
+            code: params.code,
+            redirect_uri: params.redirectUri,
+            client_id: params.clientId,
+            code_verifier: params.codeVerifier,
+        }).toString(),
+    });
+    if (!response.ok) {
+        const text = await response.text().catch(() => "");
+        throw new Error(`Token exchange failed (${response.status}): ${text}`);
+    }
+    const data = (await response.json());
+    const token = parseTokenResponse(data);
+    return { ...token, clientId: params.clientId };
+}
+/** Exchange a refresh token for a new access + refresh token pair. */
+export async function refreshTokenGrant(serverUrl, refreshToken, clientId) {
+    const response = await fetch(`${serverUrl}${MCP_TOKEN_ENDPOINT}`, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+            grant_type: "refresh_token",
+            refresh_token: refreshToken,
+            client_id: clientId,
+        }).toString(),
+    });
+    if (!response.ok)
+        return null;
+    const data = (await response.json());
+    return parseTokenResponse(data);
+}
+// ─── Token revocation (RFC 7009) ─────────────────────────────────────────────
+/** Revoke a token via the server's revocation endpoint. Best-effort — does not throw. */
+export async function revokeTokenRequest(serverUrl, token, clientId, tokenTypeHint) {
+    const params = { token, client_id: clientId };
+    if (tokenTypeHint)
+        params.token_type_hint = tokenTypeHint;
+    try {
+        await fetch(`${serverUrl}/api/mcp/revoke`, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams(params).toString(),
+        });
+    }
+    catch {
+        // Best-effort — network errors are silently ignored
+    }
+}
+// ─── Browser launcher ─────────────────────────────────────────────────────────
+/**
+ * Attempt to open the URL in the system browser.
+ * Returns false when running in a headless environment (no display server).
+ */
+export function openBrowser(url) {
+    const platform = process.platform;
+    if (platform === "linux") {
+        const hasDisplay = process.env.DISPLAY ||
+            process.env.WAYLAND_DISPLAY ||
+            process.env.TERM_PROGRAM;
+        if (!hasDisplay)
+            return false;
+    }
+    let cmd;
+    let args;
+    if (platform === "darwin") {
+        cmd = "open";
+        args = [url];
+    }
+    else if (platform === "win32") {
+        cmd = "cmd";
+        args = ["/c", "start", "", url];
+    }
+    else {
+        cmd = "xdg-open";
+        args = [url];
+    }
+    try {
+        spawn(cmd, args, { detached: true, stdio: "ignore" }).unref();
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+// ─── URL validation ───────────────────────────────────────────────────────────
+/** Reject non-HTTPS URLs except for loopback development. */
+export function validateServerUrl(url) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        throw new Error(`Invalid server URL: ${url}`);
+    }
+    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+        throw new Error(`Unsupported protocol: ${parsed.protocol} (only https and http are allowed)`);
+    }
+    if (parsed.protocol === "http:") {
+        const isLoopback = parsed.hostname === "localhost" ||
+            parsed.hostname === "127.0.0.1" ||
+            parsed.hostname === "[::1]";
+        if (!isLoopback) {
+            throw new Error("Server URL must use HTTPS (http is only allowed for localhost/127.0.0.1/::1)");
+        }
+    }
+}
+// ─── Main OAuth flow ──────────────────────────────────────────────────────────
+export async function runOAuthFlow(serverUrl) {
+    validateServerUrl(serverUrl);
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = computeS256Challenge(codeVerifier);
+    const state = randomBytes(16).toString("hex");
+    // Start callback server on OS-assigned port (no TOCTOU)
+    const { port, waitForCallback } = await startCallbackServer(state);
+    const redirectUri = `http://127.0.0.1:${port}/callback`;
+    const { clientId } = await registerClient(serverUrl, redirectUri);
+    const authUrl = new URL(`${serverUrl}/api/mcp/authorize`);
+    authUrl.searchParams.set("response_type", "code");
+    authUrl.searchParams.set("client_id", clientId);
+    authUrl.searchParams.set("redirect_uri", redirectUri);
+    authUrl.searchParams.set("scope", CLI_SCOPES);
+    authUrl.searchParams.set("state", state);
+    authUrl.searchParams.set("code_challenge", codeChallenge);
+    authUrl.searchParams.set("code_challenge_method", "S256");
+    const urlString = authUrl.toString();
+    const opened = openBrowser(urlString);
+    if (opened) {
+        process.stderr.write("Opening browser for authentication...\n");
+    }
+    else {
+        process.stderr.write("Cannot open browser. Please visit:\n  " + urlString + "\n");
+        process.stderr.write("Waiting for authorization... (press Ctrl+C to cancel)\n");
+    }
+    const { code } = await waitForCallback();
+    return exchangeCode(serverUrl, { code, redirectUri, clientId, codeVerifier });
+}
+//# sourceMappingURL=oauth.js.map

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "passwd-sso-cli",
-  "version": "0.4.4",
+  "version": "0.4.6",
   "description": "CLI for passwd-sso password manager",
   "type": "module",
   "license": "MIT",
@@ -44,9 +44,6 @@
     "otpauth": "^9.4.0",
     "zod": "^4.3.6"
   },
-  "optionalDependencies": {
-    "keytar": "^7.9.0"
-  },
   "devDependencies": {
     "@types/node": "^22.15.3",
     "tsx": "^4.19.4",