npm - rekor-cli - Versions diffs - 0.1.18 → 0.1.20 - Mend

rekor-cli 0.1.18 → 0.1.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -13,190 +13,629 @@ import { homedir } from "os";
 var CONFIG_DIR = join(homedir(), ".config", "rekor");
 var CONFIG_FILE = join(CONFIG_DIR, "config.json");
 function loadConfig() {
-  const envToken = process.env["REKOR_TOKEN"];
   const envUrl = process.env["REKOR_API_URL"];
   try {
     const raw = readFileSync(CONFIG_FILE, "utf-8");
-    const config = JSON.parse(raw);
+    const stored = JSON.parse(raw);
     return {
-      ...config,
-      token: envToken ?? config.token,
-      api_url: envUrl ?? config.api_url
+      api_url: envUrl ?? stored.api_url ?? "http://localhost:8787",
+      default_workspace: stored.default_workspace,
+      org_id: stored.org_id
     };
   } catch {
     return {
-      api_url: envUrl ?? "http://localhost:8787",
-      token: envToken ?? ""
+      api_url: envUrl ?? "http://localhost:8787"
     };
   }
 }
 function saveConfig(config) {
   mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
-  writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), { mode: 384 });
+  let existing = {};
+  try {
+    existing = JSON.parse(readFileSync(CONFIG_FILE, "utf-8"));
+  } catch {
+    existing = {};
+  }
+  const merged = { ...existing, ...config };
+  writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2), { mode: 384 });
 }
-// src/auth.ts
-function login(token, apiUrl) {
-  const config = loadConfig();
-  saveConfig({
-    ...config,
-    token,
-    api_url: apiUrl ?? config.api_url
-  });
+// src/token-store.ts
+import * as fs from "fs";
+var KEYRING_SERVICE = "rekor";
+var KEY_REC = "rec_token";
+var KEY_OAUTH_ACCESS = "oauth_access_token";
+var KEY_OAUTH_REFRESH = "oauth_refresh_token";
+var keyringCache;
+async function getKeyring() {
+  if (keyringCache !== void 0) return keyringCache;
+  try {
+    const mod = await import("@napi-rs/keyring");
+    const Entry = mod.Entry;
+    keyringCache = {
+      async getPassword(service, account) {
+        try {
+          return new Entry(service, account).getPassword();
+        } catch {
+          return null;
+        }
+      },
+      async setPassword(service, account, password) {
+        new Entry(service, account).setPassword(password);
+      },
+      async deletePassword(service, account) {
+        try {
+          return new Entry(service, account).deletePassword();
+        } catch {
+          return false;
+        }
+      }
+    };
+  } catch {
+    keyringCache = null;
+  }
+  return keyringCache;
+}
+function manualCleanupCommand(account) {
+  if (process.platform === "darwin") {
+    return `security delete-generic-password -s ${KEYRING_SERVICE} -a ${account}`;
+  }
+  if (process.platform === "win32") {
+    return `cmdkey /delete:${KEYRING_SERVICE}/${account}`;
+  }
+  if (process.platform === "linux") {
+    return `secret-tool clear service ${KEYRING_SERVICE} account ${account}`;
+  }
+  return `(remove service="${KEYRING_SERVICE}" account="${account}" from your OS credential store)`;
+}
+function readConfigFile() {
+  if (!fs.existsSync(CONFIG_FILE)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(CONFIG_FILE, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function writeConfigFile(data) {
+  if (!fs.existsSync(CONFIG_DIR)) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
+  }
+  fs.writeFileSync(CONFIG_FILE, JSON.stringify(data, null, 2), { mode: 384 });
+}
+var StaleKeyringSlotError = class extends Error {
+  constructor(account) {
+    super(
+      `Stale credential remains in OS keychain slot "${account}" after delete. Clean it up manually and retry:
+  ${manualCleanupCommand(account)}`
+    );
+    this.account = account;
+    this.name = "StaleKeyringSlotError";
+  }
+};
+async function clearSlot(keyring, account) {
+  await keyring.deletePassword(KEYRING_SERVICE, account);
+  try {
+    return await keyring.getPassword(KEYRING_SERVICE, account) === null;
+  } catch {
+    return false;
+  }
+}
+function stripTokenFieldsFromFile() {
+  const existing = readConfigFile();
+  if (!existing) return;
+  if (existing.token === void 0 && existing.access_token === void 0 && existing.refresh_token === void 0) return;
+  delete existing.token;
+  delete existing.access_token;
+  delete existing.refresh_token;
+  writeConfigFile(existing);
+}
+function readMetadataExpiresAt() {
+  return readConfigFile()?.token_expires_at;
+}
+function writeMetadataExpiresAt(value) {
+  const existing = readConfigFile() ?? {};
+  if (value === void 0) {
+    delete existing.token_expires_at;
+  } else {
+    existing.token_expires_at = value;
+  }
+  writeConfigFile(existing);
+}
+async function migrateLegacyFileToken(keyring) {
+  const existing = readConfigFile();
+  if (!existing) return null;
+  if (existing.access_token) {
+    const out = {
+      kind: "oauth",
+      access_token: existing.access_token,
+      refresh_token: existing.refresh_token,
+      expires_at: existing.token_expires_at
+    };
+    if (keyring) {
+      try {
+        const accessExisting = await keyring.getPassword(KEYRING_SERVICE, KEY_OAUTH_ACCESS);
+        if (!accessExisting) {
+          await keyring.setPassword(KEYRING_SERVICE, KEY_OAUTH_ACCESS, existing.access_token);
+          if (existing.refresh_token) {
+            await keyring.setPassword(KEYRING_SERVICE, KEY_OAUTH_REFRESH, existing.refresh_token);
+          }
+        }
+        try {
+          stripTokenFieldsFromFile();
+        } catch (err) {
+          console.warn(`rekor: failed to strip legacy OAuth tokens from ${CONFIG_FILE} (${err.message}).`);
+        }
+      } catch (err) {
+        console.warn(`rekor: OAuth migration to keychain failed (${err.message}); continuing with file-backed.`);
+      }
+    }
+    return out;
+  }
+  if (existing.token) {
+    const token = existing.token;
+    if (!keyring) return { kind: "rec", token };
+    try {
+      const recExisting = await keyring.getPassword(KEYRING_SERVICE, KEY_REC);
+      if (recExisting) {
+        try {
+          stripTokenFieldsFromFile();
+        } catch (err) {
+          console.warn(`rekor: failed to strip stale token from ${CONFIG_FILE} (${err.message}).`);
+        }
+        return null;
+      }
+      await keyring.setPassword(KEYRING_SERVICE, KEY_REC, token);
+      try {
+        stripTokenFieldsFromFile();
+      } catch (err) {
+        console.warn(`rekor: failed to strip legacy token from ${CONFIG_FILE} (${err.message}).`);
+      }
+    } catch (err) {
+      console.warn(`rekor: keychain migration failed (${err.message}); continuing with file-backed token.`);
+    }
+    return { kind: "rec", token };
+  }
+  return null;
+}
+async function getResolvedToken() {
+  const envToken = process.env["REKOR_TOKEN"];
+  if (envToken) {
+    return { kind: "rec", token: envToken };
+  }
+  const keyring = await getKeyring();
+  const migrated = await migrateLegacyFileToken(keyring);
+  if (migrated) return migrated;
+  if (keyring) {
+    const [rec, access, refresh] = await Promise.all([
+      keyring.getPassword(KEYRING_SERVICE, KEY_REC),
+      keyring.getPassword(KEYRING_SERVICE, KEY_OAUTH_ACCESS),
+      keyring.getPassword(KEYRING_SERVICE, KEY_OAUTH_REFRESH)
+    ]);
+    if (rec) return { kind: "rec", token: rec };
+    if (access) {
+      const out = { kind: "oauth", access_token: access };
+      if (refresh) out.refresh_token = refresh;
+      const expiresAt = readMetadataExpiresAt();
+      if (expiresAt) out.expires_at = expiresAt;
+      return out;
+    }
+  }
+  return null;
+}
+async function setRecToken(token) {
+  const keyring = await getKeyring();
+  if (keyring) {
+    try {
+      const [accessCleared, refreshCleared] = await Promise.all([
+        clearSlot(keyring, KEY_OAUTH_ACCESS),
+        clearSlot(keyring, KEY_OAUTH_REFRESH)
+      ]);
+      const stuck = [
+        accessCleared ? null : KEY_OAUTH_ACCESS,
+        refreshCleared ? null : KEY_OAUTH_REFRESH
+      ].filter((a) => a !== null);
+      if (stuck.length > 0) {
+        console.warn(
+          [
+            `rekor: stale OAuth credential remains in OS keychain after delete. Commands work but logout won't fully clear. Manually:`,
+            ...stuck.map((a) => `  ${manualCleanupCommand(a)}`)
+          ].join("\n")
+        );
+      }
+      await keyring.setPassword(KEYRING_SERVICE, KEY_REC, token);
+      writeMetadataExpiresAt(void 0);
+      try {
+        stripTokenFieldsFromFile();
+      } catch (err) {
+        console.warn(`rekor: failed to strip stale tokens from ${CONFIG_FILE} (${err.message}).`);
+      }
+      return;
+    } catch (err) {
+      if (err instanceof StaleKeyringSlotError) throw err;
+      console.warn(`rekor: keychain write failed (${err.message}); falling back to file storage.`);
+    }
+  }
+  const existing = readConfigFile() ?? {};
+  delete existing.access_token;
+  delete existing.refresh_token;
+  delete existing.token_expires_at;
+  existing.token = token;
+  writeConfigFile(existing);
+}
+async function setOAuthTokens(accessToken, refreshToken, expiresAt) {
+  const keyring = await getKeyring();
+  if (keyring) {
+    try {
+      if (!await clearSlot(keyring, KEY_REC)) {
+        throw new StaleKeyringSlotError(KEY_REC);
+      }
+      await keyring.setPassword(KEYRING_SERVICE, KEY_OAUTH_ACCESS, accessToken);
+      if (refreshToken) {
+        await keyring.setPassword(KEYRING_SERVICE, KEY_OAUTH_REFRESH, refreshToken);
+      } else {
+        await clearSlot(keyring, KEY_OAUTH_REFRESH);
+      }
+      writeMetadataExpiresAt(expiresAt);
+      try {
+        stripTokenFieldsFromFile();
+      } catch (err) {
+        console.warn(`rekor: failed to strip stale tokens from ${CONFIG_FILE} (${err.message}).`);
+      }
+      return;
+    } catch (err) {
+      if (err instanceof StaleKeyringSlotError) throw err;
+      console.warn(`rekor: keychain write failed (${err.message}); falling back to file storage.`);
+    }
+  }
+  const existing = readConfigFile() ?? {};
+  delete existing.token;
+  existing.access_token = accessToken;
+  if (refreshToken) existing.refresh_token = refreshToken;
+  existing.token_expires_at = expiresAt;
+  writeConfigFile(existing);
+}
+async function clearAllTokens() {
+  const keyring = await getKeyring();
+  if (keyring) {
+    const slots = [KEY_REC, KEY_OAUTH_ACCESS, KEY_OAUTH_REFRESH];
+    const cleared = await Promise.all(slots.map((s) => clearSlot(keyring, s)));
+    for (const [i, ok] of cleared.entries()) {
+      if (!ok) {
+        const account = slots[i];
+        console.warn(
+          `rekor: could not clear keychain slot "${account}". Subsequent commands may still pick the stale token. Manually:
+  ${manualCleanupCommand(account)}`
+        );
+      }
+    }
+  }
+  const existing = readConfigFile();
+  if (existing) {
+    let dirty = false;
+    for (const k of ["token", "access_token", "refresh_token", "token_expires_at"]) {
+      if (existing[k] !== void 0) {
+        delete existing[k];
+        dirty = true;
+      }
+    }
+    if (dirty) writeConfigFile(existing);
+  }
 }
-// src/browser-login.ts
-import { createServer } from "http";
-import { randomBytes } from "crypto";
-var DEFAULT_APP_URL = "https://rekor.pro";
-var TIMEOUT_MS = 12e4;
-var FALLBACK_URL_DELAY_MS = 5e3;
-async function browserLogin(apiUrl) {
-  const open = await import("open").then((m) => m.default);
-  const state = randomBytes(32).toString("hex");
-  const config = loadConfig();
+// src/oauth.ts
+import * as http from "http";
+var OAUTH_CALLBACK_PORT = 3927;
+var DEFAULT_AUTHKIT_DOMAIN = "";
+var DEFAULT_AUTHKIT_CLIENT_ID = "";
+function getAuthKitDomain() {
+  const value = process.env["REKOR_AUTHKIT_DOMAIN"] || DEFAULT_AUTHKIT_DOMAIN;
+  if (!value) {
+    throw new Error("REKOR_AUTHKIT_DOMAIN is not configured \u2014 set the env var to your AuthKit tenant (e.g. https://<tenant>.authkit.app).");
+  }
+  return value;
+}
+function getAuthKitClientId() {
+  const value = process.env["REKOR_AUTHKIT_CLIENT_ID"] || DEFAULT_AUTHKIT_CLIENT_ID;
+  if (!value) {
+    throw new Error("REKOR_AUTHKIT_CLIENT_ID is not configured \u2014 set the env var to the AuthKit public PKCE client id registered for the Rekor CLI.");
+  }
+  return value;
+}
+function expiresInToIso(expiresInSeconds) {
+  return new Date(Date.now() + expiresInSeconds * 1e3).toISOString();
+}
+function asTokenResponse(value) {
+  if (typeof value !== "object" || value === null) {
+    throw new Error("AuthKit returned a non-object token payload");
+  }
+  const v = value;
+  if (typeof v.access_token !== "string" || typeof v.expires_in !== "number") {
+    throw new Error("AuthKit token payload missing required fields");
+  }
+  const out = { access_token: v.access_token, expires_in: v.expires_in };
+  if (typeof v.refresh_token === "string") out.refresh_token = v.refresh_token;
+  return out;
+}
+async function exchangeCodeForTokens(authkitDomain, clientId, code, codeVerifier, redirectUri) {
+  const response = await fetch(`${authkitDomain}/oauth2/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      code,
+      code_verifier: codeVerifier,
+      redirect_uri: redirectUri,
+      client_id: clientId
+    }).toString()
+  });
+  if (!response.ok) {
+    const body = await response.text();
+    throw new Error(`Token exchange failed (${response.status}): ${body}`);
+  }
+  return asTokenResponse(await response.json());
+}
+var SessionExpiredError = class extends Error {
+  constructor() {
+    super("SESSION_EXPIRED");
+    this.name = "SessionExpiredError";
+  }
+};
+async function refreshAccessToken(authkitDomain, clientId, refreshToken) {
+  const response = await fetch(`${authkitDomain}/oauth2/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: clientId
+    }).toString()
+  });
+  if (!response.ok) {
+    const status = response.status;
+    const body = await response.text();
+    if (status === 400 || status === 401) {
+      try {
+        const parsed = JSON.parse(body);
+        if (parsed.error === "invalid_grant") throw new SessionExpiredError();
+      } catch (err) {
+        if (err instanceof SessionExpiredError) throw err;
+      }
+    }
+    throw new Error(`Token refresh failed (${status}): ${body}`);
+  }
+  return asTokenResponse(await response.json());
+}
+function startCallbackServer(port, expectedState, timeoutMs = 12e4) {
   return new Promise((resolve, reject) => {
-    const server = createServer((req, res) => {
-      const url = new URL(req.url, `http://127.0.0.1`);
+    let handled = false;
+    const server = http.createServer((req, res) => {
+      const url = new URL(req.url || "/", `http://127.0.0.1:${port}`);
       if (url.pathname !== "/callback") {
         res.writeHead(404);
         res.end();
         return;
       }
-      const token = url.searchParams.get("token");
-      const returnedState = url.searchParams.get("state");
-      if (returnedState !== state) {
+      if (handled) {
+        res.writeHead(409);
+        res.end();
+        return;
+      }
+      const code = url.searchParams.get("code");
+      const state = url.searchParams.get("state");
+      const error = url.searchParams.get("error");
+      const errorDescription = url.searchParams.get("error_description");
+      if (error) {
+        handled = true;
         res.writeHead(400, { "Content-Type": "text/html" });
-        res.end(errorPage("Authentication failed: state mismatch. Please try again."));
+        res.end(errorPage(errorDescription || error));
         cleanup();
-        reject(new Error("State mismatch \u2014 possible CSRF attempt"));
+        reject(new Error(`OAuth error: ${errorDescription || error}`));
         return;
       }
-      if (!token) {
+      if (state !== expectedState) {
+        handled = true;
         res.writeHead(400, { "Content-Type": "text/html" });
-        res.end(errorPage("Authentication failed: no token received."));
+        res.end(errorPage("Invalid state parameter"));
         cleanup();
-        reject(new Error("No token in callback"));
+        reject(new Error("OAuth state mismatch \u2014 possible CSRF attempt"));
         return;
       }
-      const orgId = url.searchParams.get("org_id") ?? void 0;
-      saveConfig({
-        ...config,
-        token,
-        api_url: apiUrl ?? config.api_url,
-        org_id: orgId
-      });
+      if (!code) {
+        handled = true;
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(errorPage("No authorization code received"));
+        cleanup();
+        reject(new Error("No authorization code received"));
+        return;
+      }
+      handled = true;
       res.writeHead(200, { "Content-Type": "text/html" });
       res.end(successPage());
       cleanup();
-      resolve();
+      resolve({ code });
     });
     const timeout = setTimeout(() => {
       cleanup();
-      reject(new Error("Login timed out \u2014 no response from browser within 2 minutes"));
-    }, TIMEOUT_MS);
-    let fallbackTimer;
+      reject(new Error("Timed out waiting for login. Run `rekor login` again."));
+    }, timeoutMs);
     function cleanup() {
       clearTimeout(timeout);
-      if (fallbackTimer) {
-        clearTimeout(fallbackTimer);
-        fallbackTimer = void 0;
-      }
       server.close();
     }
-    server.listen(0, "127.0.0.1", () => {
-      const addr = server.address();
-      if (!addr || typeof addr === "string") {
-        cleanup();
-        reject(new Error("Failed to start local server"));
-        return;
+    server.on("error", (err) => {
+      cleanup();
+      if (err.code === "EADDRINUSE") {
+        reject(new Error(`Port ${port} is in use. Close the other process and retry.`));
+      } else {
+        reject(err);
       }
-      const port = addr.port;
-      const appUrl = process.env["REKOR_APP_URL"] || DEFAULT_APP_URL;
-      const authUrl = `${appUrl}/cli-auth?port=${port}&state=${state}`;
-      console.log("Opening browser for authentication...");
-      fallbackTimer = setTimeout(() => {
-        fallbackTimer = void 0;
-        console.log(`If the browser didn't open, visit: ${authUrl}`);
-      }, FALLBACK_URL_DELAY_MS);
-      open(authUrl).catch(() => {
-        if (!fallbackTimer) return;
-        clearTimeout(fallbackTimer);
-        fallbackTimer = void 0;
-        console.log("Could not open browser automatically.");
-        console.log(`Visit: ${authUrl}`);
-      });
     });
+    server.listen(port, "127.0.0.1");
   });
 }
 function successPage() {
   return `<!DOCTYPE html>
-<html>
-<head><title>Rekor CLI</title></head>
+<html><head><title>Rekor CLI</title></head>
 <body style="font-family: system-ui, sans-serif; display: flex; align-items: center; justify-content: center; min-height: 100vh; margin: 0; background: #fafafa;">
   <div style="text-align: center;">
     <h1 style="font-size: 1.25rem; font-weight: 600;">Authentication successful</h1>
     <p style="color: #666; margin-top: 0.5rem;">You can close this tab and return to your terminal.</p>
   </div>
-</body>
-</html>`;
+</body></html>`;
+}
+function escapeHtml(input) {
+  return input.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
 }
 function errorPage(message) {
   return `<!DOCTYPE html>
-<html>
-<head><title>Rekor CLI</title></head>
+<html><head><title>Rekor CLI</title></head>
 <body style="font-family: system-ui, sans-serif; display: flex; align-items: center; justify-content: center; min-height: 100vh; margin: 0; background: #fafafa;">
   <div style="text-align: center;">
     <h1 style="font-size: 1.25rem; font-weight: 600; color: #dc2626;">Authentication failed</h1>
-    <p style="color: #666; margin-top: 0.5rem;">${message}</p>
+    <p style="color: #666; margin-top: 0.5rem;">${escapeHtml(message)}</p>
   </div>
-</body>
-</html>`;
+</body></html>`;
+}
+// src/auth.ts
+async function login(token, apiUrl) {
+  await setRecToken(token);
+  const config = loadConfig();
+  saveConfig({
+    ...config,
+    api_url: apiUrl ?? config.api_url
+  });
+}
+var REFRESH_LEEWAY_MS = 6e4;
+async function getAccessToken() {
+  const resolved = await getResolvedToken();
+  if (!resolved) return null;
+  if (resolved.kind === "rec") return resolved.token;
+  const expiresAtMs = resolved.expires_at ? new Date(resolved.expires_at).getTime() : Number.NaN;
+  if (!Number.isFinite(expiresAtMs) || expiresAtMs > Date.now() + REFRESH_LEEWAY_MS) {
+    return resolved.access_token;
+  }
+  if (!resolved.refresh_token) {
+    throw new Error("Access token expired and no refresh token available. Run `rekor login` again.");
+  }
+  try {
+    const result = await refreshAccessToken(getAuthKitDomain(), getAuthKitClientId(), resolved.refresh_token);
+    const newExpiresAt = expiresInToIso(result.expires_in);
+    await setOAuthTokens(result.access_token, result.refresh_token ?? resolved.refresh_token, newExpiresAt);
+    return result.access_token;
+  } catch (err) {
+    if (err instanceof SessionExpiredError) {
+      await clearAllTokens();
+      throw new Error("Session expired. Run `rekor login` again.");
+    }
+    throw err;
+  }
+}
+async function currentAuthKind() {
+  const resolved = await getResolvedToken();
+  return resolved?.kind ?? null;
+}
+// src/pkce.ts
+import * as crypto from "crypto";
+function generateCodeVerifier() {
+  return crypto.randomBytes(32).toString("base64url");
+}
+function generateCodeChallenge(verifier) {
+  return crypto.createHash("sha256").update(verifier).digest().toString("base64url");
+}
+function generateState() {
+  return crypto.randomBytes(16).toString("base64url");
 }
 // src/commands/login.ts
+var FALLBACK_URL_DELAY_MS = 5e3;
 var loginCommand = new Command("login").description("Authenticate with Rekor").option("--token <token>", "API key for headless/CI authentication (rec_...)").option("--api-url <url>", "API base URL").action(async (opts) => {
   if (opts.token) {
-    login(opts.token, opts.apiUrl);
+    await login(opts.token, opts.apiUrl);
     console.log("Authenticated successfully");
-  } else {
-    try {
-      await browserLogin(opts.apiUrl);
-      console.log("Authenticated successfully");
-    } catch (err) {
-      console.error(
-        `Login failed: ${err instanceof Error ? err.message : "Unknown error"}`
-      );
-      process.exit(1);
-    }
+    return;
+  }
+  try {
+    await browserLoginPkce(opts.apiUrl);
+    console.log("Authenticated successfully");
+  } catch (err) {
+    console.error(
+      `Login failed: ${err instanceof Error ? err.message : "Unknown error"}`
+    );
+    process.exit(1);
   }
 });
+async function browserLoginPkce(apiUrl) {
+  const open = await import("open").then((m) => m.default);
+  const codeVerifier = generateCodeVerifier();
+  const codeChallenge = generateCodeChallenge(codeVerifier);
+  const state = generateState();
+  const port = OAUTH_CALLBACK_PORT;
+  const redirectUri = `http://127.0.0.1:${port}/callback`;
+  const authkitDomain = getAuthKitDomain();
+  const clientId = getAuthKitClientId();
+  const authorizeUrl = new URL(`${authkitDomain}/oauth2/authorize`);
+  authorizeUrl.searchParams.set("client_id", clientId);
+  authorizeUrl.searchParams.set("redirect_uri", redirectUri);
+  authorizeUrl.searchParams.set("response_type", "code");
+  authorizeUrl.searchParams.set("code_challenge", codeChallenge);
+  authorizeUrl.searchParams.set("code_challenge_method", "S256");
+  authorizeUrl.searchParams.set("state", state);
+  authorizeUrl.searchParams.set("scope", "openid profile email offline_access");
+  console.log("Opening browser for authentication...");
+  const callbackPromise = startCallbackServer(port, state);
+  let fallbackPrinted = false;
+  const fallbackTimer = setTimeout(() => {
+    fallbackPrinted = true;
+    console.log(`If the browser didn't open, visit: ${authorizeUrl.toString()}`);
+  }, FALLBACK_URL_DELAY_MS);
+  open(authorizeUrl.toString()).catch(() => {
+    if (fallbackPrinted) return;
+    clearTimeout(fallbackTimer);
+    console.log("Could not open browser automatically.");
+    console.log(`Visit: ${authorizeUrl.toString()}`);
+  });
+  let code;
+  try {
+    ({ code } = await callbackPromise);
+  } finally {
+    clearTimeout(fallbackTimer);
+  }
+  const tokens = await exchangeCodeForTokens(authkitDomain, clientId, code, codeVerifier, redirectUri);
+  const expiresAt = expiresInToIso(tokens.expires_in);
+  await setOAuthTokens(tokens.access_token, tokens.refresh_token, expiresAt);
+  const config = loadConfig();
+  saveConfig({
+    ...config,
+    api_url: apiUrl ?? config.api_url
+  });
+}
 // src/commands/logout.ts
 import { Command as Command2 } from "commander";
-var logoutCommand = new Command2("logout").description("Remove stored authentication credentials").action(() => {
-  const config = loadConfig();
-  saveConfig({ ...config, token: "" });
-  console.log("Logged out successfully");
-});
-// src/commands/workspaces.ts
-import { Command as Command3 } from "commander";
 // src/client.ts
 var ApiClient = class {
   baseUrl;
-  token;
+  _tokenPromise;
   constructor() {
     const config = loadConfig();
     this.baseUrl = config.api_url;
-    this.token = config.token;
+  }
+  getToken() {
+    if (!this._tokenPromise) this._tokenPromise = getAccessToken();
+    return this._tokenPromise;
+  }
+  async authHeaders() {
+    const token = await this.getToken();
+    return token ? { "Authorization": `Bearer ${token}` } : {};
   }
   async request(method, path, body) {
     const res = await fetch(`${this.baseUrl}${path}`, {
       method,
       headers: {
-        "Authorization": `Bearer ${this.token}`,
+        ...await this.authHeaders(),
         "Content-Type": "application/json"
       },
       body: body ? JSON.stringify(body) : void 0
@@ -207,8 +646,39 @@ var ApiClient = class {
     }
     return json.data;
   }
+  async uploadFile(url, body, contentType) {
+    const res = await fetch(url, {
+      method: "PUT",
+      headers: {
+        ...await this.authHeaders(),
+        "Content-Type": contentType
+      },
+      body
+    });
+    if (!res.ok) {
+      throw new Error(`Upload failed: HTTP ${res.status}`);
+    }
+  }
 };
+// src/commands/logout.ts
+var logoutCommand = new Command2("logout").description("Remove stored authentication credentials").action(async () => {
+  const kind = await currentAuthKind();
+  if (kind === "oauth") {
+    try {
+      const client = new ApiClient();
+      await client.request("POST", "/v1/auth/logout");
+    } catch (err) {
+      console.warn(`rekor: server-side logout failed (${err instanceof Error ? err.message : "unknown"}); clearing local credentials anyway.`);
+    }
+  }
+  await clearAllTokens();
+  console.log("Logged out successfully");
+});
+// src/commands/workspaces.ts
+import { Command as Command3 } from "commander";
 // src/output.ts
 import chalk from "chalk";
 import Table from "cli-table3";
@@ -248,10 +718,10 @@ function formatKeyValue(obj) {
 }
 // src/helpers.ts
-import { readFileSync as readFileSync2 } from "fs";
+import { readFileSync as readFileSync3 } from "fs";
 function parseData(data) {
   if (data.startsWith("@")) {
-    const content = readFileSync2(data.slice(1), "utf-8");
+    const content = readFileSync3(data.slice(1), "utf-8");
     return JSON.parse(content);
   }
   return JSON.parse(data);
@@ -406,13 +876,13 @@ recordsCommand.command("delete <collection> <id>").description("Delete a record"
 // src/commands/sql.ts
 import { Command as Command6 } from "commander";
-import { readFileSync as readFileSync3 } from "fs";
+import { readFileSync as readFileSync4 } from "fs";
 var sqlCommand = new Command6("sql").description("Execute a read-only SQL query against workspace data").argument("[query]", "SQL query (SELECT only)").option("--file <path>", "Read SQL from a file instead of argument").option("--param <kv...>", "Named parameters as key=value pairs (e.g., --param status=issued)").action(async function(queryArg, opts) {
   const ws = getWorkspace(this);
   const client = new ApiClient();
   let query;
   if (opts.file) {
-    query = readFileSync3(opts.file, "utf-8").trim();
+    query = readFileSync4(opts.file, "utf-8").trim();
   } else if (queryArg) {
     query = queryArg;
   } else {
@@ -487,7 +957,7 @@ var queryRelationshipsCommand = new Command8("query-relationships").description(
 // src/commands/attachments.ts
 import { Command as Command9 } from "commander";
-import { readFileSync as readFileSync4 } from "fs";
+import { readFileSync as readFileSync5 } from "fs";
 var attachmentsCommand = new Command9("attachments").description("Manage record attachments");
 attachmentsCommand.command("upload <collection> <id>").description("Get a presigned upload URL for a record attachment. With --file, uploads the file content in one step.").requiredOption("--filename <name>", "File name or path (e.g. docs/guide.md)").option("--content-type <type>", "MIME type", "application/octet-stream").option("--file <path>", "Local file to upload (skips presigned URL output, uploads directly)").action(async function(collection, id, opts) {
   const ws = getWorkspace(this);
@@ -497,16 +967,9 @@ attachmentsCommand.command("upload <collection> <id>").description("Get a presig
     content_type: opts.contentType
   });
   if (opts.file) {
-    const body = readFileSync4(opts.file);
+    const body = readFileSync5(opts.file);
     const uploadUrl = data.upload_url.startsWith("http") ? data.upload_url : `${client.baseUrl}${data.upload_url}`;
-    const uploadRes = await fetch(uploadUrl, {
-      method: "PUT",
-      headers: { "Content-Type": opts.contentType, "Authorization": `Bearer ${client.token}` },
-      body
-    });
-    if (!uploadRes.ok) {
-      throw new Error(`Upload failed: HTTP ${uploadRes.status}`);
-    }
+    await client.uploadFile(uploadUrl, body, opts.contentType);
     console.log(formatOutput({ ...data, uploaded: true }, getFormat(this)));
   } else {
     console.log(formatOutput(data, getFormat(this)));
@@ -725,8 +1188,8 @@ providersCommand.command("export <provider>").description(`Export collections as
   const query = opts.collections ? `?collections=${opts.collections}` : "";
   const data = await client.request("GET", `/v1/${ws}/providers/${provider}/export${query}`);
   if (opts.output) {
-    const { writeFileSync: writeFileSync2 } = await import("fs");
-    writeFileSync2(opts.output, JSON.stringify(data, null, 2));
+    const { writeFileSync: writeFileSync3 } = await import("fs");
+    writeFileSync3(opts.output, JSON.stringify(data, null, 2));
     console.log(`Written to ${opts.output}`);
   } else {
     console.log(formatOutput(data, getFormat(this)));
@@ -774,8 +1237,11 @@ tokensCommand.command("revoke <token_id>").description("Revoke an API token").ac
 // package.json
 var package_default = {
   name: "rekor-cli",
-  version: "0.1.18",
+  version: "0.1.20",
   type: "module",
+  engines: {
+    node: ">=20.0.0"
+  },
   bin: {
     rekor: "dist/index.js"
   },
@@ -789,6 +1255,7 @@ var package_default = {
     dev: "tsup --watch"
   },
   dependencies: {
+    "@napi-rs/keyring": "^1.1.6",
     chalk: "^5.4.1",
     "cli-table3": "^0.6.5",
     commander: "^13.1.0",