synqdb-agent 1.0.3 → 1.0.5

package/README.md

@@ -1,6 +1,6 @@
 # synqdb-agent
 
-Local database relay agent for [SynqDB](https://synqdb.com) — connects your local databases to the SynqDB cloud dashboard without any firewall changes or port forwarding.
+Local database relay agent for [SynqDB](https://synqdb.live) — connects your local databases to the SynqDB cloud dashboard without any firewall changes or port forwarding.
 
 ## How it works
 
@@ -24,78 +24,72 @@ npm install -g synqdb-agent
 Or run without installing:
 
 ```bash
-npx synqdb-agent <agentKey>
+npx synqdb-agent login
+npx synqdb-agent
 ```
 
-## Getting your agent key
+## Authentication
 
-1. Open the [SynqDB dashboard](https://synqdb.com)
-2. Click **Add Connection**
-3. Toggle **Local Database**
-4. Fill in your local DB credentials and click **Generate Agent Key**
-5. Copy the key — it is only shown once
-
-## Usage
-
-### Recommended — save once, run forever
-
-On first use, save your key:
+Authentication is browser-based — no keys to copy or paste.
 
 ```bash
-synqdb-agent --save <agentKey>
+synqdb-agent login
 ```
 
-From then on, just run:
+This opens your browser to the SynqDB app. Log in (if you aren't already) and click **Authorize**. The CLI detects approval automatically and saves the credential to `~/.synqdb-agent`.
+
+After that, just run:
 
 ```bash
 synqdb-agent
 ```
 
-The key is stored in `~/.synqdb-agent` (readable only by your user account).
+## Usage
 
-### Pass the key each time
+### Step 1 — Log in
 
 ```bash
-synqdb-agent <agentKey>
+synqdb-agent login
 ```
 
-The first successful connection will also auto-save the key so future runs need no arguments.
+Opens your browser → click **Authorize** → done. Credential is saved automatically.
 
-### Using environment variables
+### Step 2 — Start the agent
 
 ```bash
-SYNQDB_AGENT_KEY=abc-123-def-456 synqdb-agent
+synqdb-agent
 ```
 
-Or place them in a `.env` file in the directory where you run the agent:
+The agent connects and stays running. Queries from your dashboard are routed through it in real time.
+
+### Environment variable override
+
+If you need to supply the key directly (e.g. in a CI/CD pipeline or Docker container), set:
 
 ```env
-SYNQDB_AGENT_KEY=abc-123-def-456
-SYNQDB_SERVER_URL=https://api.synqdb.com
+SYNQDB_AGENT_KEY=<your-agent-key>
 ```
 
-### Key resolution order
+The key resolution order is:
+1. `SYNQDB_AGENT_KEY` environment variable
+2. Saved credential at `~/.synqdb-agent` (written by `synqdb-agent login`)
 
-The agent looks for the key in this order:
+### Custom server URL
 
-1. CLI argument (`synqdb-agent <key>`)
-2. `SYNQDB_AGENT_KEY` environment variable
-3. Saved config at `~/.synqdb-agent`
-
-### Environment variables
+```env
+SYNQDB_SERVER_URL=https://api.synqdb.live
+SYNQDB_FRONTEND_URL=https://synqdb.live
+```
 
-| Variable | Description | Default |
-|---|---|---|
-| `SYNQDB_AGENT_KEY` | Your agent key | — |
-| `SYNQDB_SERVER_URL` | SynqDB API URL | `https://api.synqdb.com` |
+Or place them in a `.env` file in the directory where you run the agent.
 
 ## Running persistently
 
-To keep the agent running in the background across terminal sessions and machine restarts, use [PM2](https://pm2.keymetrics.io):
+To keep the agent running across terminal sessions and machine restarts, use [PM2](https://pm2.keymetrics.io):
 
 ```bash
 npm install -g pm2
-pm2 start synqdb-agent --name synqdb-agent -- <agentKey>
+pm2 start synqdb-agent --name synqdb-agent
 pm2 save
 pm2 startup
 ```
@@ -109,6 +103,10 @@ pm2 restart synqdb-agent
 pm2 stop synqdb-agent
 ```
 
+## Revoking access
+
+If you need to invalidate the current credential (e.g. the machine was compromised), go to **Dashboard → Project Settings → Local Agent → Rotate Key**. Any running agent will be disconnected. Run `synqdb-agent login` to re-authenticate.
+
 ## Supported databases
 
 | Database | Driver |
@@ -119,10 +117,11 @@ pm2 stop synqdb-agent
 
 ## Security
 
-- Your agent key is a 128-bit random UUID — treat it like a password
+- Authentication uses short-lived browser tokens (5-minute TTL) — no long-lived secrets are ever transmitted in a URL or terminal output
+- The saved credential in `~/.synqdb-agent` is readable only by your user account (mode `0600`)
 - The agent connects **outbound only** — no inbound ports are opened on your machine
 - All queries are constructed server-side; the agent never builds SQL from user input
-- Credentials stay on your machine and are never sent to the SynqDB API
+- Database credentials stay on your machine and are never sent to the SynqDB API
 
 ## License
 

package/index.js

@@ -26,212 +26,263 @@ function saveConfig(data) {
   });
 }
 
-// ─── Resolve agentKey and serverUrl ──────────────────────────────────────────
+// ─── Resolve serverUrl ────────────────────────────────────────────────────────
 
 const saved = loadConfig();
 
-// --save flag: persist key (and optional server URL) then exit
-if (process.argv.includes('--save')) {
-  const saveIdx = process.argv.indexOf('--save');
-  const nonFlagArgs = process.argv.slice(saveIdx + 1).filter((a) => !a.startsWith('-'));
-  const keyToSave = nonFlagArgs[0] || process.env.SYNQDB_AGENT_KEY;
-  const urlToSave = nonFlagArgs[1] || process.env.SYNQDB_SERVER_URL;
+const serverUrl =
+  process.env.SYNQDB_SERVER_URL ||
+  (saved.serverUrl?.startsWith('http') ? saved.serverUrl : null) ||
+  'https://api.synqdb.live';
+
+const frontendUrl =
+  process.env.SYNQDB_FRONTEND_URL ||
+  (saved.frontendUrl?.startsWith('http') ? saved.frontendUrl : null) ||
+  'https://synqdb.live';
 
-  if (!keyToSave) {
-    console.error('Usage: synqdb-agent --save <agentKey> [serverUrl]');
+// ─── login command ────────────────────────────────────────────────────────────
+
+if (process.argv[2] === 'login') {
+  runLogin().catch((err) => {
+    console.error('Login failed:', err.message);
     process.exit(1);
-  }
+  });
+} else {
+  runAgent();
+}
 
-  saveConfig({
-    agentKey: keyToSave,
-    serverUrl: urlToSave || null,
+async function runLogin() {
+  // 1. Create a short-lived login token from the server
+  const initRes = await fetch(`${serverUrl}/v1/auth/cli-login/init`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
   });
+  if (!initRes.ok) {
+    throw new Error(`Server error: ${initRes.status}`);
+  }
+  const { loginToken } = await initRes.json();
 
-  console.log(`Saved to ${CONFIG_PATH}`);
-  console.log(`  agentKey: ${keyToSave}`);
-  if (urlToSave) console.log(`  serverUrl: ${urlToSave}`);
+  // 2. Open the authorize page in the user's browser
+  const authorizeUrl = `${frontendUrl}/agent/authorize?token=${loginToken}`;
+  console.log('');
+  console.log('  Opening browser for authentication...');
+  console.log(`  If the browser does not open, visit:\n  ${authorizeUrl}`);
   console.log('');
-  console.log('Run `synqdb-agent` with no arguments to start.');
-  process.exit(0);
-}
 
-const agentKey =
-  process.argv[2] ||
-  process.env.SYNQDB_AGENT_KEY ||
-  saved.agentKey;
+  try {
+    const open = require('open');
+    await open(authorizeUrl);
+  } catch {
+    // open might not be available in all environments — URL is printed above
+  }
 
-const serverUrl =
-  process.argv[3] ||
-  process.env.SYNQDB_SERVER_URL ||
-  (saved.serverUrl?.startsWith('http') ? saved.serverUrl : null) ||
-  'https://api.synqdb.com';
-
-if (!agentKey) {
-  console.error('');
-  console.error('  No agent key found. Options:');
-  console.error('');
-  console.error('  1. Save key once (recommended):');
-  console.error('       synqdb-agent --save <agentKey>');
-  console.error('       synqdb-agent');
-  console.error('');
-  console.error('  2. Pass key each time:');
-  console.error('       synqdb-agent <agentKey>');
-  console.error('');
-  console.error('  3. Set environment variable:');
-  console.error('       SYNQDB_AGENT_KEY=<agentKey> synqdb-agent');
-  console.error('');
-  process.exit(1);
-}
+  // 3. Poll the server until the user approves (or token expires ~5 min)
+  const POLL_INTERVAL_MS = 2000;
+  const POLL_TIMEOUT_MS = 5 * 60 * 1000;
+  const deadline = Date.now() + POLL_TIMEOUT_MS;
 
-// If key came from args (not saved), prompt user to save it
-if (process.argv[2] && !saved.agentKey) {
-  console.log(`Tip: run \`synqdb-agent --save ${process.argv[2]}\` to avoid typing the key next time.`);
-}
+  process.stdout.write('  Waiting for approval');
 
-console.log(`Connecting to SynqDB at ${serverUrl} ...`);
+  while (Date.now() < deadline) {
+    await sleep(POLL_INTERVAL_MS);
+    process.stdout.write('.');
 
-// Cache connections by a composite key so we don't open a new connection per query
-const connectionCache = new Map();
+    let pollRes;
+    try {
+      pollRes = await fetch(`${serverUrl}/v1/auth/cli-login/poll/${loginToken}`);
+    } catch {
+      // transient network error — keep retrying
+      continue;
+    }
 
-function cacheKey(payload) {
-  return `${payload.type}:${payload.host}:${payload.port}:${payload.database}:${payload.username}`;
-}
+    if (!pollRes.ok) {
+      process.stdout.write('\n');
+      throw new Error(`Token expired or invalid (server returned ${pollRes.status})`);
+    }
+
+    const body = await pollRes.json();
 
-// ─── MySQL ────────────────────────────────────────────────────────────────────
-
-async function runMySQL(payload) {
-  const mysql = require('mysql2/promise');
-  const key = cacheKey(payload);
-  let pool = connectionCache.get(key);
-  if (!pool) {
-    pool = mysql.createPool({
-      host: payload.host,
-      port: payload.port,
-      user: payload.username,
-      password: payload.password || undefined,
-      database: payload.database,
-      waitForConnections: true,
-      connectionLimit: 5,
-      multipleStatements: true,
-    });
-    connectionCache.set(key, pool);
+    if (body.status === 'authorized') {
+      process.stdout.write('\n');
+      saveConfig({ agentKey: body.agentKey, serverUrl });
+      console.log('');
+      console.log('  ✓ Authenticated! Agent key saved to', CONFIG_PATH);
+      console.log('  Run `synqdb-agent` with no arguments to start the agent.');
+      console.log('');
+      return;
+    }
   }
-  const [rows] = await pool.query(payload.sql, payload.params || []);
-  const data = Array.isArray(rows) ? rows : [rows];
-  return { rows: data, rowCount: data.length };
+
+  process.stdout.write('\n');
+  throw new Error('Login timed out. Please run `synqdb-agent login` again.');
 }
 
-// ─── PostgreSQL ───────────────────────────────────────────────────────────────
-
-async function runPostgres(payload) {
-  const { Pool } = require('pg');
-  const key = cacheKey(payload);
-  let pool = connectionCache.get(key);
-  if (!pool) {
-    pool = new Pool({
-      host: payload.host,
-      port: payload.port,
-      user: payload.username,
-      password: payload.password || undefined,
-      database: payload.database,
-      max: 5,
-      idleTimeoutMillis: 30000,
-      connectionTimeoutMillis: 10000,
-    });
-    connectionCache.set(key, pool);
-  }
-  const res = await pool.query(payload.sql, payload.params || []);
-  return { rows: res.rows, rowCount: res.rowCount ?? res.rows.length };
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
 }
 
-// ─── MSSQL ────────────────────────────────────────────────────────────────────
-
-async function runMSSQL(payload) {
-  const mssql = require('mssql');
-  const key = cacheKey(payload);
-  let pool = connectionCache.get(key);
-  if (!pool || !pool.connected) {
-    pool = new mssql.ConnectionPool({
-      server: payload.host,
-      port: payload.port || 1433,
-      user: payload.username,
-      password: payload.password || undefined,
-      database: payload.database,
-      options: { encrypt: true, trustServerCertificate: true },
-    });
-    await pool.connect();
-    connectionCache.set(key, pool);
+// ─── Agent runner ─────────────────────────────────────────────────────────────
+
+function runAgent() {
+  const agentKey = process.env.SYNQDB_AGENT_KEY || saved.agentKey;
+
+  if (!agentKey) {
+    console.error('');
+    console.error('  No agent key found. Run:');
+    console.error('');
+    console.error('    synqdb-agent login');
+    console.error('');
+    console.error('  This opens your browser to authenticate — no key to copy.');
+    console.error('');
+    process.exit(1);
   }
-  const request = pool.request();
-  if (payload.namedParams) {
-    for (const [name, value] of Object.entries(payload.namedParams)) {
-      request.input(name, value);
-    }
+
+  console.log(`Connecting to SynqDB at ${serverUrl} ...`);
+
+  // Cache connections by a composite key so we don't open a new connection per query
+  const connectionCache = new Map();
+
+  function cacheKey(payload) {
+    return `${payload.type}:${payload.host}:${payload.port}:${payload.database}:${payload.username}`;
   }
-  const result = await request.query(payload.sql);
-  const rows = result.recordset || [];
-  return { rows, rowCount: result.rowsAffected?.[0] ?? rows.length };
-}
 
-// ─── Dispatch ─────────────────────────────────────────────────────────────────
+  // ─── MySQL ──────────────────────────────────────────────────────────────────
+
+  async function runMySQL(payload) {
+    const mysql = require('mysql2/promise');
+    const key = cacheKey(payload);
+    let pool = connectionCache.get(key);
+    if (!pool) {
+      pool = mysql.createPool({
+        host: payload.host,
+        port: payload.port,
+        user: payload.username,
+        password: payload.password || undefined,
+        database: payload.database,
+        waitForConnections: true,
+        connectionLimit: 5,
+        multipleStatements: true,
+      });
+      connectionCache.set(key, pool);
+    }
+    const [rows] = await pool.query(payload.sql, payload.params || []);
+    const data = Array.isArray(rows) ? rows : [rows];
+    return { rows: data, rowCount: data.length };
+  }
 
-async function executeQuery(payload) {
-  switch (payload.type) {
-    case 'mysql':   return runMySQL(payload);
-    case 'postgres': return runPostgres(payload);
-    case 'mssql':   return runMSSQL(payload);
-    default: throw new Error(`Unsupported database type: ${payload.type}`);
+  // ─── PostgreSQL ─────────────────────────────────────────────────────────────
+
+  async function runPostgres(payload) {
+    const { Pool } = require('pg');
+    const key = cacheKey(payload);
+    let pool = connectionCache.get(key);
+    if (!pool) {
+      pool = new Pool({
+        host: payload.host,
+        port: payload.port,
+        user: payload.username,
+        password: payload.password || undefined,
+        database: payload.database,
+        max: 5,
+        idleTimeoutMillis: 30000,
+        connectionTimeoutMillis: 10000,
+      });
+      connectionCache.set(key, pool);
+    }
+    const res = await pool.query(payload.sql, payload.params || []);
+    return { rows: res.rows, rowCount: res.rowCount ?? res.rows.length };
   }
-}
 
-// ─── Socket.IO ────────────────────────────────────────────────────────────────
-
-const socket = io(`${serverUrl}/agent`, {
-  reconnectionDelay: 2000,
-  reconnectionDelayMax: 10000,
-  transports: ['websocket'],
-});
-
-socket.on('connect', () => {
-  console.log('Connected. Authenticating ...');
-  socket.emit('register', { agentKey });
-});
-
-socket.on('registered', ({ clusterId }) => {
-  console.log(`Authenticated. Serving cluster: ${clusterId}`);
-  // If this was the first run with a key arg, auto-save it for next time
-  if (process.argv[2] && !saved.agentKey) {
-    saveConfig({ agentKey, serverUrl });
-    console.log(`Key saved to ${CONFIG_PATH} — next time just run \`synqdb-agent\``);
+  // ─── MSSQL ──────────────────────────────────────────────────────────────────
+
+  async function runMSSQL(payload) {
+    const mssql = require('mssql');
+    const key = cacheKey(payload);
+    let pool = connectionCache.get(key);
+    if (!pool || !pool.connected) {
+      pool = new mssql.ConnectionPool({
+        server: payload.host,
+        port: payload.port || 1433,
+        user: payload.username,
+        password: payload.password || undefined,
+        database: payload.database,
+        options: { encrypt: true, trustServerCertificate: true },
+      });
+      await pool.connect();
+      connectionCache.set(key, pool);
+    }
+    const request = pool.request();
+    if (payload.namedParams) {
+      for (const [name, value] of Object.entries(payload.namedParams)) {
+        request.input(name, value);
+      }
+    }
+    const result = await request.query(payload.sql);
+    const rows = result.recordset || [];
+    return { rows, rowCount: result.rowsAffected?.[0] ?? rows.length };
   }
-});
 
-socket.on('auth_error', ({ message }) => {
-  console.error(`Authentication failed: ${message}`);
-  process.exit(1);
-});
+  // ─── Dispatch ────────────────────────────────────────────────────────────────
 
-socket.on('query', async (payload) => {
-  const { requestId } = payload;
-  try {
-    const { rows, rowCount } = await executeQuery(payload);
-    socket.emit('result', { requestId, rows, rowCount });
-  } catch (err) {
-    console.error(`Query error [${requestId}]:`, err.message);
-    socket.emit('error', { requestId, message: err.message });
+  async function executeQuery(payload) {
+    switch (payload.type) {
+      case 'mysql':    return runMySQL(payload);
+      case 'postgres': return runPostgres(payload);
+      case 'mssql':    return runMSSQL(payload);
+      default: throw new Error(`Unsupported database type: ${payload.type}`);
+    }
   }
-});
 
-socket.on('disconnect', (reason) => {
-  console.log(`Disconnected: ${reason}. Reconnecting ...`);
-});
+  // ─── Socket.IO ──────────────────────────────────────────────────────────────
+
+  const socket = io(`${serverUrl}/agent`, {
+    reconnectionDelay: 2000,
+    reconnectionDelayMax: 10000,
+    transports: ['websocket'],
+  });
+
+  socket.on('connect', () => {
+    console.log('Connected. Authenticating ...');
+    socket.emit('register', { agentKey });
+  });
+
+  socket.on('registered', ({ clusterId }) => {
+    console.log(`Authenticated. Serving cluster: ${clusterId}`);
+  });
 
-socket.on('connect_error', (err) => {
-  console.error('Connection error:', err.message);
-});
+  socket.on('auth_error', ({ message }) => {
+    if (message && message.includes('rotated')) {
+      console.error(`\n  ${message}`);
+      console.error('  Run `synqdb-agent login` to re-authenticate.\n');
+    } else {
+      console.error(`Authentication failed: ${message}`);
+      console.error('Run `synqdb-agent login` to re-authenticate.');
+    }
+    process.exit(1);
+  });
 
-process.on('SIGINT', () => {
-  console.log('\nShutting down agent.');
-  socket.disconnect();
-  process.exit(0);
-});
+  socket.on('query', async (payload) => {
+    const { requestId } = payload;
+    try {
+      const { rows, rowCount } = await executeQuery(payload);
+      socket.emit('result', { requestId, rows, rowCount });
+    } catch (err) {
+      console.error(`Query error [${requestId}]:`, err.message);
+      socket.emit('error', { requestId, message: err.message });
+    }
+  });
+
+  socket.on('disconnect', (reason) => {
+    console.log(`Disconnected: ${reason}. Reconnecting ...`);
+  });
+
+  socket.on('connect_error', (err) => {
+    console.error('Connection error:', err.message);
+  });
+
+  process.on('SIGINT', () => {
+    console.log('\nShutting down agent.');
+    socket.disconnect();
+    process.exit(0);
+  });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "synqdb-agent",
-  "version": "1.0.3",
+  "version": "1.0.5",
   "description": "Local database relay agent for SynqDB — connects your local databases to the SynqDB cloud dashboard",
   "main": "index.js",
   "bin": {