t3code-cli 0.2.0 → 0.4.0

package/src/auth/local.ts

@@ -1,241 +1,375 @@
+import {
+  AuthAdministrativeScopes,
+  AuthSessionId,
+  type AuthEnvironmentScope,
+} from "#t3tools/contracts";
+import * as Context from "effect/Context";
+import * as Crypto from "effect/Crypto";
+import * as DateTime from "effect/DateTime";
 import * as Effect from "effect/Effect";
+import * as Encoding from "effect/Encoding";
+import * as Filter from "effect/Filter";
 import * as FileSystem from "effect/FileSystem";
+import * as Layer from "effect/Layer";
 import * as Path from "effect/Path";
-import * as Stream from "effect/Stream";
-import * as ChildProcess from "effect/unstable/process/ChildProcess";
-import { ChildProcessSpawner } from "effect/unstable/process/ChildProcessSpawner";
+import * as Predicate from "effect/Predicate";
+import * as SqlClient from "effect/unstable/sql/SqlClient";
 
+import { T3Config } from "../config/service.ts";
 import { normalizeHttpBaseUrl } from "../config/url.ts";
-import { Environment, type EnvironmentShape } from "../environment/service.ts";
-import { AuthLocalError } from "./error.ts";
+import { Environment } from "../environment/service.ts";
+import { SqlClientFactory } from "../sql/service.ts";
 import {
-  decodeAuthLocalRuntimeStateFromJson,
-  decodeAuthLocalSessionIssueResultFromJson,
-  type AuthLocalSessionIssueResult,
-} from "./schema.ts";
-import type { LocalAuthInput } from "./type.ts";
-
-export const issueLocalSession = Effect.fn("issueLocalSession")(function* (
-  input: Pick<LocalAuthInput, "baseDir" | "t3Command" | "role" | "label" | "subject">,
-) {
-  const environment = yield* Environment;
-  const baseDir = yield* resolveLocalBaseDir(input.baseDir, environment);
-  if (input.label.length === 0) {
-    return yield* Effect.fail(new AuthLocalError({ message: "local auth label cannot be empty" }));
+  AuthConfigError,
+  AuthLocalDatabaseError,
+  AuthLocalError,
+  AuthLocalSecretError,
+  AuthLocalSigningError,
+} from "./error.ts";
+import { decodeAuthLocalRuntimeStateFromJson } from "./schema.ts";
+import type { LocalAuthInput, LocalAuthResult } from "./type.ts";
+
+export class T3LocalAuth extends Context.Service<
+  T3LocalAuth,
+  {
+    readonly local: (
+      input: LocalAuthInput,
+    ) => Effect.Effect<LocalAuthResult, AuthConfigError | AuthLocalError>;
   }
-  if (input.subject.length === 0) {
-    return yield* Effect.fail(
-      new AuthLocalError({ message: "local auth subject cannot be empty" }),
-    );
+>()("t3cli/T3LocalAuth") {}
+
+export const makeT3LocalAuth = Effect.fn("makeT3LocalAuth")(function* () {
+  const config = yield* T3Config;
+  const fs = yield* FileSystem.FileSystem;
+  const path = yield* Path.Path;
+  const environment = yield* Environment;
+  const crypto = yield* Crypto.Crypto;
+  const sqlClientFactory = yield* SqlClientFactory;
+
+  function resolveLocalBaseDir(input: string | undefined) {
+    const envBaseDir = environment.env["T3CODE_HOME"];
+    const raw = input ?? envBaseDir;
+    if (raw === undefined || raw.length === 0) {
+      return path.join(environment.homeDir, ".t3");
+    }
+    if (raw === "~") {
+      return environment.homeDir;
+    }
+    if (raw.startsWith("~/") || raw.startsWith("~\\")) {
+      return path.join(environment.homeDir, raw.slice(2));
+    }
+    return path.resolve(environment.cwd, raw);
   }
 
-  const args = [
-    "auth",
-    "session",
-    "issue",
-    "--base-dir",
-    baseDir,
-    "--json",
-    "--role",
-    input.role,
-    "--label",
-    input.label,
-    "--subject",
-    input.subject,
-  ];
-  const command = resolveLocalT3Command(input.t3Command, environment);
-  const output = yield* runLocalT3Command(command, args);
-  const parsed = yield* parseSessionIssueOutput(output.stdout);
-  return { baseDir, session: parsed } as const;
-});
+  function resolveLocalOrigin(input: { readonly baseDir: string; readonly origin?: string }) {
+    return Effect.gen(function* () {
+      if (input.origin !== undefined) {
+        return yield* normalizeLocalOrigin(input.origin);
+      }
 
-export const resolveLocalOrigin = Effect.fn("resolveLocalOrigin")(function* (input: {
-  readonly baseDir: string;
-  readonly origin?: string;
-}) {
-  if (input.origin !== undefined) {
-    return yield* normalizeLocalOrigin(input.origin);
+      const runtimeStatePath = path.join(input.baseDir, "userdata", "server-runtime.json");
+      const raw = yield* fs.readFileString(runtimeStatePath).pipe(
+        Effect.mapError(
+          (error) =>
+            new AuthLocalError({
+              message: `local runtime state not found: ${runtimeStatePath}. Make sure T3 Code is running with Network access enabled, or pass --origin manually.`,
+              cause: error,
+            }),
+        ),
+      );
+      const state = yield* decodeAuthLocalRuntimeStateFromJson(raw).pipe(
+        Effect.mapError(
+          (error) =>
+            new AuthLocalError({ message: "local runtime state has invalid shape", cause: error }),
+        ),
+      );
+      return yield* normalizeLocalOrigin(state.origin);
+    });
   }
 
-  const path = yield* Path.Path;
-  const runtimeStatePath = path.join(input.baseDir, "userdata", "server-runtime.json");
-  const fs = yield* FileSystem.FileSystem;
-  const raw = yield* fs.readFileString(runtimeStatePath).pipe(
-    Effect.mapError(
-      (error) =>
-        new AuthLocalError({
-          message: `local runtime state not found: ${runtimeStatePath}. Make sure T3 Code is running with Network access enabled, or pass --origin manually.`,
-          cause: error,
+  function readSigningSecret(secretPath: string) {
+    return fs.readFile(secretPath).pipe(
+      Effect.map((bytes) => Uint8Array.from(bytes)),
+      Effect.catchFilter(Filter.reason("PlatformError", "NotFound"), () =>
+        Effect.succeed(undefined),
+      ),
+      Effect.mapError(
+        (error) =>
+          new AuthLocalSecretError({
+            message: `failed to read signing secret: ${secretPath}`,
+            cause: error,
+          }),
+      ),
+    );
+  }
+
+  const readRequiredSigningSecret = Effect.fn("readRequiredSigningSecret")(function* (
+    secretsDir: string,
+  ) {
+    const secretPath = path.join(secretsDir, `${signingSecretName}.bin`);
+    const secret = yield* readSigningSecret(secretPath);
+    if (secret === undefined) {
+      return yield* Effect.fail(
+        new AuthLocalSecretError({
+          message: `local signing secret not found: ${secretPath}`,
         }),
-    ),
-  );
-  const state = yield* decodeAuthLocalRuntimeStateFromJson(raw).pipe(
-    Effect.mapError(
-      (error) =>
-        new AuthLocalError({ message: "local runtime state has invalid shape", cause: error }),
-    ),
-  );
-  return yield* normalizeLocalOrigin(state.origin);
-});
+      );
+    }
+    return secret;
+  });
 
-function parseSessionIssueOutput(
-  stdout: string,
-): Effect.Effect<AuthLocalSessionIssueResult, AuthLocalError> {
-  return decodeAuthLocalSessionIssueResultFromJson(stdout).pipe(
-    Effect.mapError(
-      (error) => new AuthLocalError({ message: "local auth returned invalid shape", cause: error }),
-    ),
-  );
-}
+  const hmacSha256 = (secret: Uint8Array, payload: Uint8Array) =>
+    Effect.gen(function* () {
+      const key =
+        secret.byteLength > sha256BlockSize ? yield* crypto.digest("SHA-256", secret) : secret;
+      const block = new Uint8Array(sha256BlockSize);
+      block.set(key);
+      const outerPad = block.map((byte) => byte ^ 0x5c);
+      const innerPad = block.map((byte) => byte ^ 0x36);
+      const innerHash = yield* crypto.digest("SHA-256", concatBytes(innerPad, payload));
+      return yield* crypto.digest("SHA-256", concatBytes(outerPad, innerHash));
+    });
 
-function normalizeLocalOrigin(origin: string) {
-  return normalizeHttpBaseUrl(origin).pipe(
-    Effect.mapError((error) => new AuthLocalError({ message: error.message, cause: error })),
-  );
-}
+  const signPayload = (payload: string, secret: Uint8Array) =>
+    hmacSha256(secret, new TextEncoder().encode(payload)).pipe(
+      Effect.map(Encoding.encodeBase64Url),
+      Effect.mapError(
+        (error) =>
+          new AuthLocalSigningError({
+            operation: "sign",
+            message: "failed to sign local auth payload",
+            cause: error,
+          }),
+      ),
+    );
 
-type LocalT3Command = {
-  readonly command: string;
-  readonly argsPrefix: ReadonlyArray<string>;
-  readonly env?: Readonly<Record<string, string>>;
-};
+  function openAuthDatabase(dbPath: string) {
+    return sqlClientFactory.sqliteClient({ filename: dbPath }).pipe(
+      Effect.catchTag("SqlError", (error) =>
+        Effect.fail(
+          new AuthLocalDatabaseError({
+            operation: "connect",
+            message: error.message,
+          }),
+        ),
+      ),
+    );
+  }
 
-const defaultLocalT3Command: LocalT3Command = {
-  command: "t3",
-  argsPrefix: [],
-};
+  const provideAuthDatabase =
+    (dbPath: string) =>
+    <A, E, R>(effect: Effect.Effect<A, E, R>) =>
+      Effect.gen(function* () {
+        const sql = yield* openAuthDatabase(dbPath);
+        return yield* effect.pipe(Effect.provideService(SqlClient.SqlClient, sql));
+      }).pipe(Effect.scoped);
 
-const macOsAppNames = ["T3 Code (Dev)", "T3 Code (Alpha)", "T3 Code (Nightly)", "T3 Code"] as const;
-
-function resolveLocalT3Command(
-  input: string | undefined,
-  environment: EnvironmentShape,
-): LocalT3Command {
-  const envCommand = environment.env["T3CLI_T3_COMMAND"];
-  const exactCommand =
-    input ?? (envCommand !== undefined && envCommand.length > 0 ? envCommand : undefined);
-  if (exactCommand !== undefined && exactCommand.length > 0) {
-    return { command: exactCommand, argsPrefix: [] };
+  const issueLocalDatabaseSession = Effect.fn("issueLocalDatabaseSession")(function* (
+    input: LocalDatabaseSessionInput,
+  ) {
+    const secret = yield* readRequiredSigningSecret(input.secretsDir);
+    const issuedAt = yield* DateTime.now;
+    const expiresAt = DateTime.add(issuedAt, { milliseconds: defaultSessionTtlMs });
+    const sessionId = yield* crypto.randomUUIDv4.pipe(
+      Effect.map((id) => AuthSessionId.make(id)),
+      Effect.mapError(
+        (error) =>
+          new AuthLocalSecretError({
+            message: "failed to generate auth session id",
+            cause: error,
+          }),
+      ),
+    );
+    const scopes = [...AuthAdministrativeScopes];
+    const claims: LocalSessionClaims = {
+      v: 1,
+      kind: "session",
+      sid: sessionId,
+      sub: input.subject,
+      scopes,
+      method: "bearer-access-token",
+      iat: DateTime.toEpochMillis(issuedAt),
+      exp: DateTime.toEpochMillis(expiresAt),
+    };
+    const encodedPayload = Encoding.encodeBase64Url(JSON.stringify(claims));
+    const token = `${encodedPayload}.${yield* signPayload(encodedPayload, secret)}`;
+    yield* insertAuthSession({
+      sessionId,
+      subject: input.subject,
+      scopes,
+      label: input.label,
+      issuedAt: DateTime.formatIso(issuedAt),
+      expiresAt: DateTime.formatIso(expiresAt),
+    }).pipe(
+      provideAuthDatabase(input.dbPath),
+      Effect.catchTag("SqlError", (error) =>
+        Effect.fail(
+          new AuthLocalDatabaseError({
+            operation: Predicate.isTagged(error.reason, "ConnectionError") ? "connect" : "query",
+            message: error.message,
+          }),
+        ),
+      ),
+    );
+    return {
+      token,
+      role: input.role,
+      expiresAt: DateTime.formatIso(expiresAt),
+    };
+  });
+
+  function writeLocalConfig(input: { readonly url: string; readonly token: string }) {
+    return Effect.gen(function* () {
+      const existing = yield* config.readStored().pipe(
+        Effect.catchTags({
+          ConfigError: (error) =>
+            Effect.fail(new AuthConfigError({ message: "auth config failed", cause: error })),
+        }),
+      );
+      yield* config.writeStored({ ...existing, url: input.url, token: input.token }).pipe(
+        Effect.catchTags({
+          ConfigError: (error) =>
+            Effect.fail(new AuthConfigError({ message: "auth config failed", cause: error })),
+        }),
+      );
+    });
   }
-  return defaultLocalT3Command;
-}
 
-const resolveMacOsAppT3Command = Effect.fn("resolveMacOsAppT3Command")(function* () {
-  const fs = yield* FileSystem.FileSystem;
-  for (const appName of macOsAppNames) {
-    const appPath = `/Applications/${appName}.app`;
-    const command = `${appPath}/Contents/MacOS/${appName}`;
-    if (yield* fs.exists(command)) {
-      return {
-        command,
-        argsPrefix: [`${appPath}/Contents/Resources/app.asar/apps/server/dist/bin.mjs`],
-        env: { ELECTRON_RUN_AS_NODE: "1" },
-      } satisfies LocalT3Command;
+  const local = Effect.fn("T3LocalAuthLive.local")(function* (input: LocalAuthInput) {
+    if (input.label.length === 0) {
+      return yield* Effect.fail(
+        new AuthLocalError({ message: "local auth label cannot be empty" }),
+      );
+    }
+    if (input.subject.length === 0) {
+      return yield* Effect.fail(
+        new AuthLocalError({ message: "local auth subject cannot be empty" }),
+      );
     }
-  }
-  return undefined;
-});
 
-const runLocalT3Command = Effect.fn("runLocalT3Command")(function* (
-  command: LocalT3Command,
-  args: ReadonlyArray<string>,
-) {
-  return yield* runLocalT3CommandOnce(command, args).pipe(
-    Effect.catchTag("PlatformError", (error) =>
-      command === defaultLocalT3Command && process.platform === "darwin"
-        ? Effect.gen(function* () {
-            const fallback = yield* resolveMacOsAppT3Command();
-            if (fallback === undefined) {
-              return yield* Effect.fail(error);
-            }
-            return yield* runLocalT3CommandOnce(fallback, args);
-          })
-        : Effect.fail(error),
-    ),
-    Effect.catchTag("PlatformError", (error) =>
-      Effect.fail(
-        new AuthLocalError({
-          message: `local auth failed: ${error.message}`,
-          cause: error,
-        }),
+    const baseDir = resolveLocalBaseDir(input.baseDir);
+    const session = yield* issueLocalDatabaseSession({
+      dbPath: path.join(baseDir, "userdata", "state.sqlite"),
+      secretsDir: path.join(baseDir, "userdata", "secrets"),
+      role: input.role,
+      label: input.label,
+      subject: input.subject,
+    }).pipe(
+      Effect.mapError(
+        (error) =>
+          new AuthLocalError({ message: `local auth failed: ${error.message}`, cause: error }),
       ),
-    ),
-  );
+    );
+    const url = yield* resolveLocalOrigin({
+      baseDir,
+      ...(input.origin !== undefined ? { origin: input.origin } : {}),
+    });
+    yield* writeLocalConfig({ url, token: session.token });
+    return {
+      url,
+      role: session.role,
+      expiresAt: session.expiresAt,
+      source: "local" as const,
+      baseDir,
+    };
+  });
+
+  return { local };
 });
 
-const runLocalT3CommandOnce = Effect.fn("runLocalT3CommandOnce")(function* (
-  command: LocalT3Command,
-  args: ReadonlyArray<string>,
-) {
-  const spawner = yield* ChildProcessSpawner;
-  const processCommand = ChildProcess.make(command.command, [...command.argsPrefix, ...args]).pipe(
-    command.env === undefined ? (self) => self : ChildProcess.setEnv(command.env),
-  );
-  const child = yield* spawner.spawn(processCommand);
-  const [stdout, stderr, exitCode] = yield* Effect.all(
-    [
-      collectProcessOutput(child.stdout),
-      collectProcessOutput(child.stderr),
-      child.exitCode.pipe(Effect.map(Number)),
-    ],
-    { concurrency: "unbounded" },
-  ).pipe(
-    Effect.mapError(
-      (error) =>
-        new AuthLocalError({
-          message: `local auth failed: ${error.message}`,
-          cause: error,
+export const T3LocalAuthLive = Layer.effect(T3LocalAuth, makeT3LocalAuth());
+
+function insertAuthSession(input: InsertAuthSessionInput) {
+  return Effect.gen(function* () {
+    const sql = yield* SqlClient.SqlClient;
+    yield* sql`PRAGMA busy_timeout = 5000;`;
+    yield* sql`PRAGMA foreign_keys = ON;`;
+    const columns = yield* sql<{ readonly name: string }>`PRAGMA table_info(auth_sessions)`;
+    if (!columns.some((column) => column.name === "scopes")) {
+      return yield* Effect.fail(
+        new AuthLocalDatabaseError({
+          operation: "schema",
+          message: "local auth database is missing scoped auth_sessions schema",
         }),
-    ),
+      );
+    }
+    yield* sql`
+      INSERT INTO auth_sessions (
+        session_id,
+        subject,
+        scopes,
+        method,
+        client_label,
+        client_ip_address,
+        client_user_agent,
+        client_device_type,
+        client_os,
+        client_browser,
+        issued_at,
+        expires_at,
+        revoked_at
+      )
+      VALUES (
+        ${input.sessionId},
+        ${input.subject},
+        ${JSON.stringify(input.scopes)},
+        ${"bearer-access-token"},
+        ${input.label},
+        NULL,
+        NULL,
+        ${"bot"},
+        NULL,
+        NULL,
+        ${input.issuedAt},
+        ${input.expiresAt},
+        NULL
+      )
+    `;
+    return undefined;
+  });
+}
+
+function normalizeLocalOrigin(origin: string) {
+  return normalizeHttpBaseUrl(origin).pipe(
+    Effect.mapError((error) => new AuthLocalError({ message: error.message, cause: error })),
   );
+}
 
-  if (exitCode !== 0) {
-    return yield* Effect.fail(
-      new AuthLocalError({
-        message: `local auth failed: ${formatCommandFailure(stderr, stdout, exitCode)}`,
-      }),
-    );
-  }
+type LocalSessionClaims = {
+  readonly v: 1;
+  readonly kind: "session";
+  readonly sid: AuthSessionId;
+  readonly sub: string;
+  readonly scopes: ReadonlyArray<AuthEnvironmentScope>;
+  readonly method: "bearer-access-token";
+  readonly iat: number;
+  readonly exp: number;
+};
 
-  return { stdout, stderr };
-});
+type LocalDatabaseSessionInput = {
+  readonly dbPath: string;
+  readonly secretsDir: string;
+  readonly role: LocalAuthInput["role"];
+  readonly label: string;
+  readonly subject: string;
+};
 
-const collectProcessOutput = <E>(stream: Stream.Stream<Uint8Array, E>): Effect.Effect<string, E> =>
-  stream.pipe(
-    Stream.decodeText(),
-    Stream.runFold(
-      () => "",
-      (acc, chunk) => acc + chunk,
-    ),
-  );
+type InsertAuthSessionInput = {
+  readonly sessionId: AuthSessionId;
+  readonly subject: string;
+  readonly scopes: ReadonlyArray<AuthEnvironmentScope>;
+  readonly label: string;
+  readonly issuedAt: string;
+  readonly expiresAt: string;
+};
 
-const resolveLocalBaseDir = Effect.fn("resolveLocalBaseDir")(function* (
-  input: string | undefined,
-  environment: EnvironmentShape,
-) {
-  const path = yield* Path.Path;
-  const envBaseDir = environment.env["T3CODE_HOME"];
-  const raw = input ?? envBaseDir;
-  if (raw === undefined || raw.length === 0) {
-    return path.join(environment.homeDir, ".t3");
-  }
-  if (raw === "~") {
-    return environment.homeDir;
-  }
-  if (raw.startsWith("~/") || raw.startsWith("~\\")) {
-    return path.join(environment.homeDir, raw.slice(2));
-  }
-  return path.resolve(environment.cwd, raw);
-});
+const defaultSessionTtlMs = 30 * 24 * 60 * 60 * 1000;
+const signingSecretName = "server-signing-key";
+const sha256BlockSize = 64;
 
-function formatCommandFailure(stderr: string, stdout: string, exitCode: number) {
-  const stderrDetail = stderr.trim();
-  if (stderrDetail.length > 0) {
-    return stderrDetail;
-  }
-  const stdoutDetail = stdout.trim();
-  if (stdoutDetail.length > 0) {
-    return stdoutDetail;
-  }
-  return `t3 exited with code ${exitCode}`;
+function concatBytes(first: Uint8Array, second: Uint8Array) {
+  const bytes = new Uint8Array(first.byteLength + second.byteLength);
+  bytes.set(first);
+  bytes.set(second, first.byteLength);
+  return bytes;
 }

package/src/auth/pairing.ts

@@ -1,8 +1,50 @@
+import * as Context from "effect/Context";
 import * as Effect from "effect/Effect";
+import * as Layer from "effect/Layer";
 import { Url } from "effect/unstable/http";
 
-import { AuthPairingUrlError } from "./error.ts";
-import type { PairingUrl } from "./type.ts";
+import { T3Config } from "../config/service.ts";
+import { AuthConfigError, AuthPairingUrlError, AuthTransportError } from "./error.ts";
+import { T3AuthTransport } from "./transport.ts";
+import type { PairingUrl, PairResult } from "./type.ts";
+
+export class T3AuthPairing extends Context.Service<
+  T3AuthPairing,
+  {
+    readonly pair: (
+      pairingUrl: string,
+    ) => Effect.Effect<PairResult, AuthConfigError | AuthPairingUrlError | AuthTransportError>;
+  }
+>()("t3cli/T3AuthPairing") {}
+
+export const makeT3AuthPairing = Effect.fn("makeT3AuthPairing")(function* () {
+  const config = yield* T3Config;
+  const transport = yield* T3AuthTransport;
+
+  const pair = Effect.fn("T3AuthPairingLive.pair")(function* (pairingUrl: string) {
+    const parsed = yield* parsePairingUrl(pairingUrl);
+    const result = yield* transport.bootstrapBearer(parsed);
+    const existing = yield* config.readStored().pipe(
+      Effect.catchTags({
+        ConfigError: (error) =>
+          Effect.fail(new AuthConfigError({ message: "auth config failed", cause: error })),
+      }),
+    );
+    yield* config
+      .writeStored({ ...existing, url: parsed.baseUrl, token: result.sessionToken })
+      .pipe(
+        Effect.catchTags({
+          ConfigError: (error) =>
+            Effect.fail(new AuthConfigError({ message: "auth config failed", cause: error })),
+        }),
+      );
+    return { url: parsed.baseUrl, role: result.role, expiresAt: result.expiresAt };
+  });
+
+  return { pair };
+});
+
+export const T3AuthPairingLive = Layer.effect(T3AuthPairing, makeT3AuthPairing());
 
 export function parsePairingUrl(value: string): Effect.Effect<PairingUrl, AuthPairingUrlError> {
   return Effect.gen(function* () {