thinkpool-pair 0.7.3 → 0.7.4

package/account.mjs

@@ -19,27 +19,35 @@ const VERSION = (() => { try { return JSON.parse(fs.readFileSync(new URL('./pack
 
 const BRIDGE = fileURLToPath(new URL('./bridge.mjs', import.meta.url))
 
-// ── login: web hands the bridge a session over an ephemeral realtime channel ──
-// The bridge prints a one-time URL with a high-entropy code; the signed-in web
-// page broadcasts {refresh_token,…} to tplink:<code> after the user approves.
-// (Phase-1 handoff — an edge-function device-code flow can harden this later.)
+// ── login: OAuth-style DEVICE-CODE flow (hardened) ──────────────────────────
+// The bridge asks Postgres (start_device_code) for a secret device_code + a short
+// human user_code, prints the user_code + URL, then POLLS claim_device_code with
+// the secret until the signed-in web has approved (approve_device_code stores the
+// browser's session). The session is delivered only over authenticated TLS RPCs
+// + a single-use secret — never broadcast on a public channel.
 export async function runLogin(SUPABASE_URL, SUPABASE_ANON, WEB_BASE) {
   const sb = createClient(SUPABASE_URL, SUPABASE_ANON, { auth: { persistSession: false } })
-  const code = randomUUID().replace(/-/g, '').slice(0, 12)
-  const ch = sb.channel(`tplink:${code}`, { config: { broadcast: { self: false } } })
-  let done = false
-  ch.on('broadcast', { event: 'session' }, async ({ payload }) => {
-    if (done || !payload?.refresh_token) return
-    done = true
-    saveAuth(payload)
-    process.stderr.write(`\n  ◆ linked as ${payload.email || 'your account'}. You can close the browser tab.\n    Now run:  npx thinkpool-pair\n`)
-    try { await sb.removeChannel(ch) } catch { /* noop */ }
-    process.exit(0)
-  })
-  await new Promise((res) => ch.subscribe((s) => { if (s === 'SUBSCRIBED') res() }))
-  const url = `${WEB_BASE}/code/link?c=${code}`
-  process.stderr.write(`\n  ◆ Link this device to your ThinkPool account.\n    Open (signed in) and approve:\n\n    ${url}\n\n  Code: ${code}  —  waiting up to 5 min…\n`)
-  setTimeout(() => { if (!done) { process.stderr.write('\n  ◇ link timed out — run `npx thinkpool-pair login` again.\n'); process.exit(1) } }, 5 * 60 * 1000)
+  const { data, error } = await sb.rpc('start_device_code')
+  const row = Array.isArray(data) ? data[0] : data
+  if (error || !row?.device_code) { process.stderr.write(`\n  ✗ couldn't start login: ${error?.message || 'no response'}\n`); process.exit(1) }
+  const { device_code, user_code } = row
+  const url = `${WEB_BASE}/code/link?c=${encodeURIComponent(user_code)}`
+  process.stderr.write(`\n  ◆ Link this device to your ThinkPool account.\n    Open (signed in) and approve:\n\n    ${url}\n\n    code:  ${user_code}\n\n  Waiting…\n`)
+  const started = Date.now()
+  const poll = async () => {
+    if (Date.now() - started > 5 * 60 * 1000) { process.stderr.write('\n  ◇ link timed out — run `npx thinkpool-pair login` again.\n'); process.exit(1) }
+    try {
+      const { data: r } = await sb.rpc('claim_device_code', { p_device_code: device_code })
+      if (r?.status === 'approved' && r.session?.refresh_token) {
+        saveAuth(r.session)
+        process.stderr.write(`\n  ◆ linked as ${r.session.email || 'your account'}. You can close the browser tab.\n    Now run:  npx thinkpool-pair\n`)
+        process.exit(0)
+      }
+      if (r?.status === 'expired' || r?.status === 'not_found') { process.stderr.write('\n  ◇ link expired — run `npx thinkpool-pair login` again.\n'); process.exit(1) }
+    } catch { /* transient — keep polling */ }
+    setTimeout(poll, 3000)
+  }
+  poll()
   await new Promise(() => {})
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thinkpool-pair",
-  "version": "0.7.3",
+  "version": "0.7.4",
   "description": "Share a local coding-agent CLI (Claude Code, Codex, Gemini, Aider, …) into a ThinkPool Code room, live.",
   "type": "module",
   "bin": {