spck 0.3.1

package/src/config/credentials.ts

@@ -0,0 +1,302 @@
+/**
+ * Firebase credentials management
+ * Handles user-level credential storage in ~/.spck-editor/.credentials.json
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import { StoredCredentials, GlobalConfig } from '../types.js';
+import { getProjectFilePath } from '../utils/project-dir.js';
+import { logAuth } from '../utils/logger.js';
+import { t } from '../i18n/index.js';
+
+/**
+ * Get the user-level credentials directory
+ */
+export function getCredentialsDir(): string {
+  return path.join(os.homedir(), '.spck-editor');
+}
+
+/**
+ * Get the credentials file path
+ */
+export function getCredentialsPath(): string {
+  return path.join(getCredentialsDir(), '.credentials.json');
+}
+
+/**
+ * Get the global config file path
+ */
+export function getGlobalConfigPath(): string {
+  return path.join(getCredentialsDir(), 'global.config');
+}
+
+/**
+ * Load global config from user-level storage
+ */
+export function loadGlobalConfig(): GlobalConfig {
+  const configPath = getGlobalConfigPath();
+
+  if (!fs.existsSync(configPath)) {
+    return { knownDeviceIds: [] };
+  }
+
+  try {
+    const data = fs.readFileSync(configPath, 'utf8');
+    const parsed = JSON.parse(data);
+    return {
+      knownDeviceIds: Array.isArray(parsed.knownDeviceIds) ? parsed.knownDeviceIds : [],
+    };
+  } catch {
+    return { knownDeviceIds: [] };
+  }
+}
+
+/**
+ * Save global config to user-level storage
+ */
+export function saveGlobalConfig(config: GlobalConfig): void {
+  const credentialsDir = getCredentialsDir();
+  const configPath = getGlobalConfigPath();
+
+  if (!fs.existsSync(credentialsDir)) {
+    fs.mkdirSync(credentialsDir, { recursive: true, mode: 0o700 });
+  }
+
+  fs.writeFileSync(
+    configPath,
+    JSON.stringify(config, null, 2),
+    { encoding: 'utf8', mode: 0o600 }
+  );
+}
+
+/**
+ * Get the connection settings file path (project-level)
+ * This uses the symlinked project directory
+ */
+export function getConnectionSettingsPath(): string {
+  return getProjectFilePath(process.cwd(), 'connection-settings.json');
+}
+
+/**
+ * Load stored credentials from user-level storage
+ * Returns only refreshToken + userId; firebaseToken is generated on demand
+ * @throws {Error} with code 'CORRUPTED' if file is corrupted
+ */
+export function loadCredentials(): StoredCredentials | null {
+  const credentialsPath = getCredentialsPath();
+
+  if (!fs.existsSync(credentialsPath)) {
+    return null;
+  }
+
+  try {
+    const data = fs.readFileSync(credentialsPath, 'utf8');
+    const credentials = JSON.parse(data);
+
+    // Validate required fields for stored credentials
+    if (!credentials.refreshToken || !credentials.userId) {
+      const error: any = new Error('Invalid credentials format - missing refreshToken or userId');
+      error.code = 'CORRUPTED';
+      error.path = credentialsPath;
+      throw error;
+    }
+
+    // Return only the stored fields (refreshToken + userId + optional proxyServerUrl)
+    const result: StoredCredentials = {
+      refreshToken: credentials.refreshToken,
+      userId: credentials.userId,
+      proxyServerUrl: credentials.proxyServerUrl
+    };
+    return result;
+  } catch (error: any) {
+    // JSON parse error or validation error
+    if (error instanceof SyntaxError || error.code === 'CORRUPTED') {
+      logAuth('credentials_corrupted', {
+        path: credentialsPath,
+        error: error.message
+      }, 'error');
+      console.warn(`⚠️  ${t('credentials.corrupted', { path: credentialsPath })}`);
+      console.warn(`   ${t('credentials.corruptedHint')}\n`);
+      const corruptedError: any = new Error('Credentials file is corrupted');
+      corruptedError.code = 'CORRUPTED';
+      corruptedError.path = credentialsPath;
+      corruptedError.originalError = error;
+      throw corruptedError;
+    }
+    // Other errors (permission, etc.)
+    throw error;
+  }
+}
+
+/**
+ * Save stored credentials to user-level storage
+ * Only persists refreshToken + userId (not firebaseToken or expiry)
+ * @throws {Error} with code 'EACCES' for permission errors
+ * @throws {Error} with code 'ENOSPC' for disk full errors
+ */
+export function saveCredentials(credentials: StoredCredentials): void {
+  const credentialsDir = getCredentialsDir();
+  const credentialsPath = getCredentialsPath();
+
+  try {
+    // Ensure directory exists
+    if (!fs.existsSync(credentialsDir)) {
+      fs.mkdirSync(credentialsDir, { recursive: true, mode: 0o700 });
+    }
+
+    // Persist refreshToken + userId + optional proxyServerUrl
+    const storedData: StoredCredentials = {
+      refreshToken: credentials.refreshToken,
+      userId: credentials.userId
+    };
+    if (credentials.proxyServerUrl) {
+      storedData.proxyServerUrl = credentials.proxyServerUrl;
+    }
+
+    // Write credentials file with restricted permissions
+    fs.writeFileSync(
+      credentialsPath,
+      JSON.stringify(storedData, null, 2),
+      { encoding: 'utf8', mode: 0o600 }
+    );
+  } catch (error: any) {
+    // Add context to error
+    error.path = error.path || credentialsPath;
+    error.operation = 'save credentials';
+    throw error;
+  }
+}
+
+
+/**
+ * Clear credentials (logout)
+ */
+export function clearCredentials(): void {
+  const credentialsPath = getCredentialsPath();
+
+  if (fs.existsSync(credentialsPath)) {
+    fs.unlinkSync(credentialsPath);
+  }
+}
+
+/**
+ * Load connection settings from project-level storage
+ * @throws {Error} with code 'CORRUPTED' if file is corrupted
+ */
+export function loadConnectionSettings(): any | null {
+  const settingsPath = getConnectionSettingsPath();
+
+  if (!fs.existsSync(settingsPath)) {
+    return null;
+  }
+
+  try {
+    const data = fs.readFileSync(settingsPath, 'utf8');
+    const settings = JSON.parse(data);
+
+    // Validate basic structure
+    if (!settings.serverToken || !settings.clientId || !settings.secret) {
+      const error: any = new Error('Invalid connection settings format - missing required fields');
+      error.code = 'CORRUPTED';
+      error.path = settingsPath;
+      throw error;
+    }
+
+    return settings;
+  } catch (error: any) {
+    // JSON parse error or validation error
+    if (error instanceof SyntaxError || error.code === 'CORRUPTED') {
+      logAuth('connection_settings_corrupted', {
+        path: settingsPath,
+        error: error.message
+      }, 'error');
+      console.warn(`⚠️  ${t('credentials.settingsCorrupted', { path: settingsPath })}`);
+      console.warn(`   ${t('credentials.settingsCorruptedHint')}\n`);
+      const corruptedError: any = new Error('Connection settings file is corrupted');
+      corruptedError.code = 'CORRUPTED';
+      corruptedError.path = settingsPath;
+      corruptedError.originalError = error;
+      throw corruptedError;
+    }
+    // Other errors (permission, etc.)
+    throw error;
+  }
+}
+
+/**
+ * Save connection settings to project-level storage
+ * @throws {Error} with code 'EACCES' for permission errors
+ * @throws {Error} with code 'ENOSPC' for disk full errors
+ */
+export function saveConnectionSettings(settings: any): void {
+  const settingsDir = path.dirname(getConnectionSettingsPath());
+  const settingsPath = getConnectionSettingsPath();
+
+  try {
+    // Ensure directory exists with restricted permissions
+    if (!fs.existsSync(settingsDir)) {
+      fs.mkdirSync(settingsDir, { recursive: true, mode: 0o700 });
+    }
+
+    // Write settings file with restricted permissions (owner read/write only)
+    fs.writeFileSync(
+      settingsPath,
+      JSON.stringify(settings, null, 2),
+      { encoding: 'utf8', mode: 0o600 }
+    );
+  } catch (error: any) {
+    // Add context to error
+    error.path = error.path || settingsPath;
+    error.operation = 'save connection settings';
+    throw error;
+  }
+}
+
+/**
+ * Clear connection settings
+ */
+export function clearConnectionSettings(): void {
+  const settingsPath = getConnectionSettingsPath();
+
+  if (fs.existsSync(settingsPath)) {
+    fs.unlinkSync(settingsPath);
+  }
+}
+
+/**
+ * Load saved proxy server preference from user-level credentials
+ */
+export function loadServerPreference(): string | null {
+  try {
+    const credentials = loadCredentials();
+    return credentials?.proxyServerUrl || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Save proxy server preference to user-level credentials
+ */
+export function saveServerPreference(proxyServerUrl: string): void {
+  const credentials = loadCredentials();
+  if (credentials) {
+    credentials.proxyServerUrl = proxyServerUrl;
+    saveCredentials(credentials);
+  }
+}
+
+/**
+ * Check if server JWT is expired
+ */
+export function isServerTokenExpired(settings: any): boolean {
+  if (!settings || !settings.serverTokenExpiry) {
+    return true;
+  }
+
+  // Add 5-minute buffer for safety
+  const expiryWithBuffer = settings.serverTokenExpiry - (5 * 60 * 1000);
+  return Date.now() > expiryWithBuffer;
+}

package/src/config/server-selection.ts

@@ -0,0 +1,150 @@
+/**
+ * CLI Server Selection
+ * Fetches available relay servers, checks ping, and auto-selects the best one
+ */
+
+import { t } from '../i18n/index.js';
+import { getLocale } from '../i18n/index.js';
+
+export interface CLIServer {
+  label: Record<string, string>;
+  url: string;
+  locale: Record<string, number>;
+}
+
+/**
+ * Hardcoded default server list — used as fallback when no server responds
+ */
+const DEFAULT_SERVERS: CLIServer[] = [
+  {
+    label: {en: 'Europe', es: 'Europa', fr: 'Europe', de: 'Europa', pt: 'Europa', ru: '\u0415\u0432\u0440\u043e\u043f\u0430', ja: '\u30e8\u30fc\u30ed\u30c3\u30d1', ko: '\uc720\ub7fd', zh: '\u6b27\u6d32', zhTW: '\u6b50\u6d32', id: 'Eropa'},
+    url: 'cli-eu-1.spck.io',
+    locale: {en: 3, es: 2, fr: 1, de: 1, pt: 2, ru: 1, ja: 3, ko: 3, zh: 3, zhTW: 3, id: 3}
+  },
+  {
+    label: {en: 'North America', es: 'Am\u00e9rica del Norte', fr: 'Am\u00e9rique du Nord', de: 'Nordamerika', pt: 'Am\u00e9rica do Norte', ru: '\u0421\u0435\u0432\u0435\u0440\u043d\u0430\u044f \u0410\u043c\u0435\u0440\u0438\u043a\u0430', ja: '\u5317\u30a2\u30e1\u30ea\u30ab', ko: '\ubd81\uc544\uba54\ub9ac\uce74', zh: '\u5317\u7f8e\u6d32', zhTW: '\u5317\u7f8e\u6d32', id: 'Amerika Utara'},
+    url: 'cli-na-1.spck.io',
+    locale: {en: 1, es: 1, fr: 2, de: 2, pt: 1, ru: 2, ja: 4, ko: 4, zh: 4, zhTW: 4, id: 4}
+  },
+  {
+    label: {en: 'South Asia', es: 'Asia del Sur', fr: 'Asie du Sud', de: 'S\u00fcdasien', pt: '\u00c1sia Meridional', ru: '\u042e\u0436\u043d\u0430\u044f \u0410\u0437\u0438\u044f', ja: '\u5357\u30a2\u30b8\u30a2', ko: '\ub0a8\uc544\uc2dc\uc544', zh: '\u5357\u4e9a', zhTW: '\u5357\u4e9e', id: 'Asia Selatan'},
+    url: 'cli-sas-1.spck.io',
+    locale: {en: 2, es: 4, fr: 4, de: 4, pt: 4, ru: 4, ja: 2, ko: 2, zh: 2, zhTW: 2, id: 1}
+  },
+  {
+    label: {en: 'East Asia', es: 'Asia Oriental', fr: 'Asie de l\u2019Est', de: 'Ostasien', pt: '\u00c1sia Oriental', ru: '\u0412\u043e\u0441\u0442\u043e\u0447\u043d\u0430\u044f \u0410\u0437\u0438\u044f', ja: '\u6771\u30a2\u30b8\u30a2', ko: '\ub3d9\uc544\uc2dc\uc544', zh: '\u4e1c\u4e9a', zhTW: '\u6771\u4e9e', id: 'Asia Timur'},
+    url: 'cli-ea-1.spck.io',
+    locale: {en: 4, es: 3, fr: 3, de: 3, pt: 3, ru: 3, ja: 1, ko: 1, zh: 1, zhTW: 1, id: 2}
+  }
+];
+
+/**
+ * Validate that a server URL belongs to spck.io (any subdomain).
+ * Rejects bare IPs, other domains, and URLs with protocols.
+ */
+export function isValidDomain(url: string): boolean {
+  return /^([a-zA-Z0-9-]+\.)*spck\.io$/.test(url);
+}
+
+/**
+ * Get the hardcoded default server list
+ */
+export function getDefaultServerList(): CLIServer[] {
+  return DEFAULT_SERVERS;
+}
+
+/**
+ * Fetch the list of available CLI servers from the closest relay server.
+ * Tries servers sorted by locale proximity, falls back to hardcoded list.
+ */
+export async function fetchServerList(): Promise<CLIServer[]> {
+  // Race all servers in parallel — first successful response wins
+  try {
+    return await Promise.any(
+      DEFAULT_SERVERS.map(async (server) => {
+        const response = await fetch(`https://${server.url}/servers`, {
+          signal: AbortSignal.timeout(5000),
+        });
+        if (!response.ok) throw new Error(`${response.status}`);
+        const list = await response.json() as CLIServer[];
+        // Reject any server whose URL is not a *.spck.io domain
+        return list.filter(s => isValidDomain(s.url));
+      })
+    );
+  } catch {
+    // All servers failed — fall back to hardcoded list
+    return DEFAULT_SERVERS;
+  }
+}
+
+/**
+ * Check ping to a server by making 4 parallel HTTP calls to /health
+ * and averaging the latency
+ */
+export async function checkServerPing(serverUrl: string): Promise<number> {
+  const shortestTime = await Promise.any(
+    Array.from({ length: 4 }, async () => {
+      const start = Date.now();
+      try {
+        const response = await fetch(`https://${serverUrl}/health`, {
+          signal: AbortSignal.timeout(5000),
+        });
+        if (!response.ok) return Infinity;
+      } catch {
+        return Infinity;
+      }
+      return Date.now() - start;
+    })
+  );
+  return Math.round(shortestTime);
+}
+
+/**
+ * Ping all servers in parallel and select the one with the lowest latency
+ */
+export async function selectBestServer(
+  servers: CLIServer[]
+): Promise<{ server: CLIServer; ping: number }> {
+  const results = await Promise.all(
+    servers.map(async (server) => {
+      try {
+        const ping = await checkServerPing(server.url);
+        return { server, ping };
+      } catch {
+        return { server, ping: Infinity };
+      }
+    })
+  );
+  results.sort((a, b) => a.ping - b.ping);
+  return results[0];
+}
+
+/**
+ * Display ping results for all servers
+ */
+export async function displayServerPings(servers: CLIServer[]): Promise<Map<string, number>> {
+  console.log('\n   ' + t('server.checkingLatency') + '\n');
+
+  const pingResults = new Map<string, number>();
+  const results = await Promise.all(
+    servers.map(async (server) => {
+      try {
+        const ping = await checkServerPing(server.url);
+        return { server, ping };
+      } catch {
+        return { server, ping: Infinity };
+      }
+    })
+  );
+
+  const locale = getLocale();
+  for (const { server, ping } of results) {
+    const label = server.label[locale] || server.label.en || server.url;
+    const pingStr = ping === Infinity ? t('server.unreachable') : `${ping}ms`;
+    console.log(`   ${label}: ${pingStr}`);
+    pingResults.set(server.url, ping);
+  }
+
+  console.log('');
+  return pingResults;
+}

package/src/connection/__tests__/firebase-auth.test.ts

@@ -0,0 +1,121 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+/**
+ * Tests for Firebase auth token refresh logic
+ */
+
+import { StoredCredentials } from '../../types.js';
+
+// Mock all external dependencies before importing the module
+vi.mock('open', () => ({ default: vi.fn() }));
+vi.mock('qrcode-terminal', () => ({ default: { generate: vi.fn() } }));
+vi.mock('jsonwebtoken', () => ({ default: { decode: vi.fn() } }));
+vi.mock('../../config/credentials.js', () => ({
+  saveCredentials: vi.fn(),
+}));
+vi.mock('../../utils/logger.js', () => ({
+  logAuth: vi.fn(),
+}));
+vi.mock('../../i18n/index.js', () => ({
+  t: (key: string) => key,
+}));
+
+// Import after mocks are set up
+import { refreshFirebaseToken } from '../firebase-auth.js';
+
+describe('refreshFirebaseToken()', () => {
+  const mockStoredCredentials: StoredCredentials = {
+    refreshToken: 'mock-refresh-token',
+    userId: 'user-123',
+  };
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it('should use expires_in value of 0 without falling back to default', async () => {
+    const now = Date.now();
+    vi.spyOn(Date, 'now').mockReturnValue(now);
+
+    // Firebase returns expires_in: "0"
+    const mockResponse = {
+      ok: true,
+      json: vi.fn().mockResolvedValue({
+        id_token: 'new-id-token',
+        refresh_token: 'new-refresh-token',
+        expires_in: '0',
+        user_id: 'user-123',
+      }),
+    };
+    vi.stubGlobal('fetch', vi.fn().mockResolvedValue(mockResponse));
+
+    const result = await refreshFirebaseToken(mockStoredCredentials);
+
+    // With the bug (|| 3600), this would be now + 3600000
+    // With the fix (isNaN check), expires_in=0 means token expires immediately
+    expect(result.firebaseTokenExpiry).toBe(now);
+  });
+
+  it('should use the actual expires_in from the response', async () => {
+    const now = Date.now();
+    vi.spyOn(Date, 'now').mockReturnValue(now);
+
+    const mockResponse = {
+      ok: true,
+      json: vi.fn().mockResolvedValue({
+        id_token: 'new-id-token',
+        refresh_token: 'new-refresh-token',
+        expires_in: '7200',
+        user_id: 'user-123',
+      }),
+    };
+    vi.stubGlobal('fetch', vi.fn().mockResolvedValue(mockResponse));
+
+    const result = await refreshFirebaseToken(mockStoredCredentials);
+
+    expect(result.firebaseTokenExpiry).toBe(now + 7200 * 1000);
+  });
+
+  it('should default to 3600 when expires_in is missing', async () => {
+    const now = Date.now();
+    vi.spyOn(Date, 'now').mockReturnValue(now);
+
+    const mockResponse = {
+      ok: true,
+      json: vi.fn().mockResolvedValue({
+        id_token: 'new-id-token',
+        refresh_token: 'new-refresh-token',
+        user_id: 'user-123',
+        // expires_in is missing
+      }),
+    };
+    vi.stubGlobal('fetch', vi.fn().mockResolvedValue(mockResponse));
+
+    const result = await refreshFirebaseToken(mockStoredCredentials);
+
+    expect(result.firebaseTokenExpiry).toBe(now + 3600 * 1000);
+  });
+
+  it('should default to 3600 when expires_in is non-numeric', async () => {
+    const now = Date.now();
+    vi.spyOn(Date, 'now').mockReturnValue(now);
+
+    const mockResponse = {
+      ok: true,
+      json: vi.fn().mockResolvedValue({
+        id_token: 'new-id-token',
+        refresh_token: 'new-refresh-token',
+        expires_in: 'invalid',
+        user_id: 'user-123',
+      }),
+    };
+    vi.stubGlobal('fetch', vi.fn().mockResolvedValue(mockResponse));
+
+    const result = await refreshFirebaseToken(mockStoredCredentials);
+
+    expect(result.firebaseTokenExpiry).toBe(now + 3600 * 1000);
+  });
+});