securenow 6.0.2 → 6.1.0

package/cli/auth.js

@@ -0,0 +1,280 @@
+'use strict';
+
+const http = require('http');
+const crypto = require('crypto');
+const { execFileSync } = require('child_process');
+const config = require('./config');
+const { api, CLIError } = require('./client');
+const ui = require('./ui');
+
+function openBrowser(url) {
+  try {
+    const platform = process.platform;
+    if (platform === 'darwin') execFileSync('open', [url], { stdio: 'ignore' });
+    else if (platform === 'win32') execFileSync('rundll32', ['url.dll,FileProtocolHandler', url], { stdio: 'ignore' });
+    else execFileSync('xdg-open', [url], { stdio: 'ignore' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+    const payload = Buffer.from(parts[1], 'base64url').toString('utf8');
+    return JSON.parse(payload);
+  } catch {
+    try {
+      const parts = token.split('.');
+      const base64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
+      const padded = base64 + '='.repeat((4 - base64.length % 4) % 4);
+      const payload = Buffer.from(padded, 'base64').toString('utf8');
+      return JSON.parse(payload);
+    } catch {
+      return null;
+    }
+  }
+}
+
+async function loginWithBrowser() {
+  const appUrl = config.getAppUrl();
+  const nonce = crypto.randomBytes(24).toString('base64url');
+
+  return new Promise((resolve, reject) => {
+    let pendingToken = null;
+
+    const server = http.createServer((req, res) => {
+      const url = new URL(req.url, `http://127.0.0.1`);
+
+      if (url.pathname === '/callback') {
+        const token = url.searchParams.get('token');
+        const error = url.searchParams.get('error');
+        const returnedState = url.searchParams.get('state');
+
+        res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
+
+        if (error) {
+          res.end('<html><body style="font-family:system-ui;text-align:center;padding:60px"><h2>Authentication Failed</h2><p>You can close this window.</p></body></html>');
+          server.close();
+          reject(new CLIError(`Authentication failed: ${error}`));
+          return;
+        }
+
+        if (returnedState !== nonce) {
+          res.end('<html><body style="font-family:system-ui;text-align:center;padding:60px"><h2>Security Error</h2><p>State mismatch — this request may not have originated from your CLI. Please try again.</p></body></html>');
+          server.close();
+          reject(new CLIError('State mismatch on callback — possible CSRF. Please retry `securenow login`.'));
+          return;
+        }
+
+        if (token) {
+          pendingToken = token;
+          const payload = decodeJwtPayload(token);
+          const email = payload?.email || 'unknown account';
+          const safeEmail = email.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+          const port = server.address().port;
+          const switchUrl = `${appUrl}/cli/auth?callback=http://127.0.0.1:${port}/callback&state=${encodeURIComponent(nonce)}&force_login=1`;
+
+          res.end([
+            '<!DOCTYPE html><html><head><meta charset="utf-8"><title>SecureNow CLI Login</title></head>',
+            '<body style="font-family:system-ui,sans-serif;text-align:center;padding:60px;margin:0;background:#fafafa">',
+            '<div style="max-width:420px;margin:0 auto;background:#fff;border-radius:12px;padding:40px 32px;box-shadow:0 2px 12px rgba(0,0,0,.08)">',
+            '<div style="width:56px;height:56px;margin:0 auto 20px;background:#f0fdf4;border-radius:50%;display:flex;align-items:center;justify-content:center">',
+            '<svg width="28" height="28" fill="none" viewBox="0 0 24 24"><path d="M12 2a5 5 0 015 5v1a2 2 0 012 2v8a2 2 0 01-2 2H7a2 2 0 01-2-2v-8a2 2 0 012-2V7a5 5 0 015-5zm0 2a3 3 0 00-3 3v1h6V7a3 3 0 00-3-3z" fill="#22c55e"/></svg>',
+            '</div>',
+            '<h2 style="margin:0 0 8px;font-size:22px;color:#111">Connect to SecureNow CLI</h2>',
+            `<p style="margin:0 0 24px;color:#666;font-size:15px">You are signing in as</p>`,
+            `<div style="background:#f8fafc;border:1px solid #e2e8f0;border-radius:8px;padding:14px 18px;margin:0 0 28px">`,
+            `<span style="font-size:17px;font-weight:600;color:#0f172a">${safeEmail}</span>`,
+            '</div>',
+            '<button id="confirm-btn" style="width:100%;padding:13px 24px;font-size:16px;font-weight:600;color:#fff;background:#22c55e;border:none;border-radius:8px;cursor:pointer;transition:background .15s" ',
+            'onmouseover="this.style.background=\'#16a34a\'" onmouseout="this.style.background=\'#22c55e\'">',
+            'Confirm &amp; Continue</button>',
+            `<p style="margin:20px 0 0"><a href="${switchUrl}" style="color:#6366f1;font-size:14px;text-decoration:none" `,
+            'onmouseover="this.style.textDecoration=\'underline\'" onmouseout="this.style.textDecoration=\'none\'">Use a different account</a></p>',
+            '<div id="done-msg" style="display:none;margin-top:24px">',
+            '<p style="color:#22c55e;font-weight:600;font-size:17px">\u2713 Connected! You can close this window.</p>',
+            '</div>',
+            '</div>',
+            '<script>',
+            'document.getElementById("confirm-btn").addEventListener("click", function(){',
+            '  this.disabled=true;this.textContent="Connecting\u2026";this.style.background="#86efac";this.style.cursor="default";',
+            `  fetch("/confirm?nonce=${encodeURIComponent(nonce)}").then(function(){`,
+            '    document.getElementById("confirm-btn").style.display="none";',
+            '    document.getElementById("done-msg").style.display="block";',
+            '  });',
+            '});',
+            '</script>',
+            '</body></html>',
+          ].join(''));
+          return;
+        }
+
+        res.end('<html><body style="font-family:system-ui;text-align:center;padding:60px"><h2>Something went wrong</h2><p>No token received. Please try again.</p></body></html>');
+        server.close();
+        reject(new CLIError('No token received in callback'));
+        return;
+      }
+
+      if (url.pathname === '/confirm' && pendingToken) {
+        if (url.searchParams.get('nonce') !== nonce) {
+          res.writeHead(403, { 'Content-Type': 'application/json' });
+          res.end('{"error":"invalid nonce"}');
+          return;
+        }
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end('{"ok":true}');
+        const token = pendingToken;
+        pendingToken = null;
+        server.close();
+        resolve(token);
+        return;
+      }
+
+      res.writeHead(404);
+      res.end();
+    });
+
+    server.listen(0, '127.0.0.1', () => {
+      const port = server.address().port;
+      const authUrl = `${appUrl}/cli/auth?callback=http://127.0.0.1:${port}/callback&state=${encodeURIComponent(nonce)}`;
+
+      console.log('');
+      ui.info('Opening browser for authentication...');
+      console.log('');
+
+      const opened = openBrowser(authUrl);
+      if (!opened) {
+        console.log('  Open this URL in your browser to log in:\n');
+        console.log(`  ${ui.c.underline(ui.c.cyan(authUrl))}\n`);
+      } else {
+        console.log(`  If the browser didn't open, visit:`);
+        console.log(`  ${ui.c.underline(ui.c.cyan(authUrl))}\n`);
+      }
+
+      console.log(ui.c.dim('  Waiting for authentication...'));
+
+      const timeout = setTimeout(() => {
+        server.close();
+        reject(new CLIError('Login timed out after 5 minutes. Try `securenow login --token <TOKEN>` instead.'));
+      }, 5 * 60 * 1000);
+
+      server.on('close', () => clearTimeout(timeout));
+    });
+
+    server.on('error', (err) => {
+      reject(new CLIError(`Failed to start local server: ${err.message}`));
+    });
+  });
+}
+
+async function loginWithToken(token) {
+  const s = ui.spinner('Validating token');
+  try {
+    await api.get('/applications', { token });
+    s.stop('Token is valid');
+    return token;
+  } catch (err) {
+    s.fail('Token validation failed');
+    throw new CLIError(`Invalid token: ${err.message}`);
+  }
+}
+
+async function login(args, flags) {
+  const local = !!flags.local;
+
+  if (flags.token) {
+    const token = flags.token;
+    await loginWithToken(token);
+    const payload = decodeJwtPayload(token);
+    const email = payload?.email || 'unknown';
+    const exp = payload?.exp ? payload.exp * 1000 : null;
+
+    config.setAuth(token, email, exp, { local });
+    if (local) config.ensureLocalGitignore();
+    console.log('');
+    ui.success(`Logged in as ${ui.c.bold(email)}`);
+    if (local) ui.info('Credentials saved to project .securenow/ (local)');
+    if (exp) {
+      const days = Math.ceil((exp - Date.now()) / (1000 * 60 * 60 * 24));
+      ui.info(`Session expires in ${days} days`);
+    }
+    return;
+  }
+
+  try {
+    const token = await loginWithBrowser();
+    const payload = decodeJwtPayload(token);
+    const email = payload?.email || 'unknown';
+    const exp = payload?.exp ? payload.exp * 1000 : null;
+
+    config.setAuth(token, email, exp, { local });
+    if (local) config.ensureLocalGitignore();
+    console.log('');
+    ui.success(`Logged in as ${ui.c.bold(email)}`);
+    if (local) ui.info('Credentials saved to project .securenow/ (local)');
+    if (exp) {
+      const days = Math.ceil((exp - Date.now()) / (1000 * 60 * 60 * 24));
+      ui.info(`Session expires in ${days} days`);
+    }
+  } catch (err) {
+    if (err.message.includes('timed out')) {
+      console.log('');
+      ui.warn('Browser login timed out. You can also login with a token:');
+      console.log('');
+      console.log(`  1. Go to ${ui.c.cyan(config.getAppUrl() + '/dashboard/settings')}`);
+      console.log(`  2. Copy your CLI token`);
+      console.log(`  3. Run: ${ui.c.bold('securenow login --token <YOUR_TOKEN>')}`);
+      console.log('');
+    } else {
+      throw err;
+    }
+  }
+}
+
+async function logout(args, flags) {
+  const local = flags ? flags.local : undefined;
+  const creds = config.loadCredentials();
+  config.clearCredentials({ local });
+  if (creds.email) {
+    ui.success(`Logged out from ${ui.c.bold(creds.email)}`);
+  } else {
+    ui.success('Logged out');
+  }
+  if (local) ui.info('Cleared project-local credentials');
+}
+
+async function whoami() {
+  const creds = config.loadCredentials();
+  const token = config.getToken();
+
+  if (!token) {
+    ui.error('Not logged in. Run `securenow login` to authenticate.');
+    process.exit(1);
+  }
+
+  const payload = decodeJwtPayload(token);
+
+  ui.heading('Current Session');
+  console.log('');
+  const pairs = [
+    ['Email', creds.email || payload?.email || 'unknown'],
+    ['User ID', payload?.sub || 'unknown'],
+    ['API', config.getApiUrl()],
+    ['Auth Source', config.getAuthSource()],
+  ];
+  if (creds.expiresAt) {
+    const days = Math.ceil((creds.expiresAt - Date.now()) / (1000 * 60 * 60 * 24));
+    pairs.push(['Expires', days > 0 ? `in ${days} days` : ui.c.red('expired')]);
+  }
+  const defaultApp = config.getDefaultApp();
+  if (defaultApp) {
+    pairs.push(['Default App', defaultApp]);
+  }
+  ui.keyValue(pairs);
+  console.log('');
+}
+
+module.exports = { login, logout, whoami };

package/cli/client.js

@@ -0,0 +1,115 @@
+'use strict';
+
+const https = require('https');
+const http = require('http');
+const { URL } = require('url');
+const config = require('./config');
+const ui = require('./ui');
+
+function buildQueryString(params) {
+  if (!params) return '';
+  const entries = Object.entries(params).filter(([, v]) => v != null && v !== '');
+  if (!entries.length) return '';
+  return '?' + entries.map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`).join('&');
+}
+
+function request(method, endpoint, { body, query, token, raw } = {}) {
+  const baseUrl = config.getApiUrl();
+  const qs = buildQueryString(query);
+  const urlStr = `${baseUrl}/api${endpoint}${qs}`;
+  const url = new URL(urlStr);
+  const mod = url.protocol === 'https:' ? https : http;
+
+  const authToken = token || config.getToken();
+
+  return new Promise((resolve, reject) => {
+    const options = {
+      hostname: url.hostname,
+      port: url.port || (url.protocol === 'https:' ? 443 : 80),
+      path: url.pathname + url.search,
+      method,
+      headers: { 'Content-Type': 'application/json', 'User-Agent': 'securenow-cli' },
+    };
+
+    if (authToken) {
+      options.headers['Authorization'] = `Bearer ${authToken}`;
+    }
+
+    const req = mod.request(options, (res) => {
+      let data = '';
+      res.on('data', (chunk) => (data += chunk));
+      res.on('end', () => {
+        if (raw) {
+          return resolve({ status: res.statusCode, headers: res.headers, body: data });
+        }
+
+        let parsed;
+        try {
+          parsed = JSON.parse(data);
+        } catch {
+          parsed = data;
+        }
+
+        if (res.statusCode === 401) {
+          reject(new CLIError('Session expired. Run `securenow login` to re-authenticate.', 401));
+          return;
+        }
+        if (res.statusCode === 403) {
+          reject(new CLIError('Access denied. You may need to upgrade your plan.', 403));
+          return;
+        }
+        if (res.statusCode >= 400) {
+          const msg = parsed?.error || parsed?.message || `Request failed (HTTP ${res.statusCode})`;
+          const details = parsed?.details || parsed?.unauthorizedKeys;
+          const err = new CLIError(details ? `${msg} — ${details}` : msg, res.statusCode);
+          reject(err);
+          return;
+        }
+
+        resolve(parsed);
+      });
+    });
+
+    req.on('error', (err) => {
+      if (err.code === 'ECONNREFUSED') {
+        reject(new CLIError(`Cannot connect to ${baseUrl}. Is the API server running?`));
+      } else if (err.code === 'ENOTFOUND') {
+        reject(new CLIError(`Cannot resolve ${url.hostname}. Check your internet connection.`));
+      } else {
+        reject(new CLIError(`Network error: ${err.message}`));
+      }
+    });
+
+    if (body) {
+      req.write(JSON.stringify(body));
+    }
+    req.end();
+  });
+}
+
+class CLIError extends Error {
+  constructor(message, statusCode) {
+    super(message);
+    this.name = 'CLIError';
+    this.statusCode = statusCode;
+  }
+}
+
+function requireAuth() {
+  const token = config.getToken();
+  if (!token) {
+    ui.error('Not logged in. Run `securenow login` first.');
+    process.exit(1);
+  }
+  return token;
+}
+
+const api = {
+  get: (endpoint, opts) => request('GET', endpoint, opts),
+  post: (endpoint, body, opts) => request('POST', endpoint, { body, ...opts }),
+  put: (endpoint, body, opts) => request('PUT', endpoint, { body, ...opts }),
+  patch: (endpoint, body, opts) => request('PATCH', endpoint, { body, ...opts }),
+  delete: (endpoint, opts) => request('DELETE', endpoint, opts),
+};
+
+module.exports = { api, CLIError, requireAuth, buildQueryString };

package/cli/config.js

@@ -0,0 +1,173 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const CONFIG_DIR = path.join(os.homedir(), '.securenow');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+const CREDENTIALS_FILE = path.join(CONFIG_DIR, 'credentials.json');
+
+const LOCAL_CONFIG_DIR = path.join(process.cwd(), '.securenow');
+const LOCAL_CONFIG_FILE = path.join(LOCAL_CONFIG_DIR, 'config.json');
+const LOCAL_CREDENTIALS_FILE = path.join(LOCAL_CONFIG_DIR, 'credentials.json');
+
+const DEFAULTS = {
+  apiUrl: 'https://api.securenow.ai',
+  appUrl: 'https://app.securenow.ai',
+  defaultApp: null,
+  output: 'table',
+};
+
+function ensureDir(dir) {
+  if (!fs.existsSync(dir || CONFIG_DIR)) {
+    fs.mkdirSync(dir || CONFIG_DIR, { recursive: true, mode: 0o700 });
+  }
+}
+
+function loadJSON(filepath) {
+  try {
+    return JSON.parse(fs.readFileSync(filepath, 'utf8'));
+  } catch {
+    return {};
+  }
+}
+
+function saveJSON(filepath, data) {
+  ensureDir(path.dirname(filepath));
+  fs.writeFileSync(filepath, JSON.stringify(data, null, 2), { encoding: 'utf8', mode: 0o600 });
+  if (process.platform === 'win32') {
+    try {
+      const { execFileSync } = require('child_process');
+      execFileSync('icacls', [filepath, '/inheritance:r', '/grant:r', `${process.env.USERNAME}:F`], { stdio: 'ignore' });
+    } catch (_) {}
+  }
+}
+
+function hasLocalCredentials() {
+  return fs.existsSync(LOCAL_CREDENTIALS_FILE);
+}
+
+function resolveCredentialsFile() {
+  if (fs.existsSync(LOCAL_CREDENTIALS_FILE)) return LOCAL_CREDENTIALS_FILE;
+  return CREDENTIALS_FILE;
+}
+
+function getAuthSource() {
+  if (process.env.SECURENOW_TOKEN) return 'env (SECURENOW_TOKEN)';
+  if (fs.existsSync(LOCAL_CREDENTIALS_FILE)) return 'project (.securenow/)';
+  return 'global (~/.securenow/)';
+}
+
+function loadConfig() {
+  const global = loadJSON(CONFIG_FILE);
+  const local = fs.existsSync(LOCAL_CONFIG_FILE) ? loadJSON(LOCAL_CONFIG_FILE) : {};
+  if (hasLocalCredentials()) {
+    const { defaultApp: _ignored, ...globalWithoutAccountScoped } = global;
+    return { ...DEFAULTS, ...globalWithoutAccountScoped, ...local };
+  }
+  return { ...DEFAULTS, ...global, ...local };
+}
+
+function saveConfig(config, { local } = {}) {
+  const useLocal = local === true || (local == null && hasLocalCredentials());
+  const targetFile = useLocal ? LOCAL_CONFIG_FILE : CONFIG_FILE;
+  const existing = loadJSON(targetFile);
+  saveJSON(targetFile, { ...existing, ...config });
+}
+
+function getConfigValue(key) {
+  const config = loadConfig();
+  return config[key];
+}
+
+function setConfigValue(key, value) {
+  saveConfig({ [key]: value });
+}
+
+function loadCredentials() {
+  return loadJSON(resolveCredentialsFile());
+}
+
+function saveCredentials(creds, { local = false } = {}) {
+  const targetFile = local ? LOCAL_CREDENTIALS_FILE : CREDENTIALS_FILE;
+  saveJSON(targetFile, creds);
+}
+
+function clearCredentials({ local } = {}) {
+  try {
+    if (local === true) {
+      fs.unlinkSync(LOCAL_CREDENTIALS_FILE);
+    } else if (local === false || !hasLocalCredentials()) {
+      fs.unlinkSync(CREDENTIALS_FILE);
+    } else {
+      fs.unlinkSync(LOCAL_CREDENTIALS_FILE);
+    }
+  } catch {}
+}
+
+function getToken() {
+  if (process.env.SECURENOW_TOKEN) return process.env.SECURENOW_TOKEN;
+
+  const creds = loadCredentials();
+  if (!creds.token) return null;
+
+  if (creds.expiresAt && Date.now() > creds.expiresAt) {
+    return null;
+  }
+  return creds.token;
+}
+
+function setAuth(token, email, expiresAt, { local = false } = {}) {
+  saveCredentials({ token, email, expiresAt }, { local });
+}
+
+function ensureLocalGitignore() {
+  const gitignorePath = path.join(process.cwd(), '.gitignore');
+  const entry = '.securenow/';
+  try {
+    if (fs.existsSync(gitignorePath)) {
+      const content = fs.readFileSync(gitignorePath, 'utf8');
+      if (!content.split('\n').some(line => line.trim() === entry)) {
+        fs.appendFileSync(gitignorePath, `\n# SecureNow local credentials\n${entry}\n`);
+      }
+    } else {
+      fs.writeFileSync(gitignorePath, `# SecureNow local credentials\n${entry}\n`);
+    }
+  } catch {}
+}
+
+function getApiUrl() {
+  return process.env.SECURENOW_API_URL || loadConfig().apiUrl;
+}
+
+function getAppUrl() {
+  return process.env.SECURENOW_APP_URL || loadConfig().appUrl;
+}
+
+function getDefaultApp() {
+  return process.env.SECURENOW_APP || loadConfig().defaultApp;
+}
+
+module.exports = {
+  CONFIG_DIR,
+  CONFIG_FILE,
+  CREDENTIALS_FILE,
+  LOCAL_CONFIG_DIR,
+  LOCAL_CREDENTIALS_FILE,
+  loadConfig,
+  saveConfig,
+  getConfigValue,
+  setConfigValue,
+  loadCredentials,
+  saveCredentials,
+  clearCredentials,
+  getToken,
+  setAuth,
+  getAuthSource,
+  hasLocalCredentials,
+  ensureLocalGitignore,
+  getApiUrl,
+  getAppUrl,
+  getDefaultApp,
+};