whoop-up 1.0.1

package/src/api/client.ts

@@ -0,0 +1,207 @@
+import { getValidTokens } from '../auth/tokens.js';
+import { BASE_URL, ENDPOINTS, byId } from './endpoints.js';
+import { WhoopError, ExitCode } from '../utils/errors.js';
+import type {
+  WhoopProfile,
+  WhoopBody,
+  WhoopSleep,
+  WhoopRecovery,
+  WhoopWorkout,
+  WhoopCycle,
+  ApiResponse,
+  QueryParams,
+  CombinedOutput,
+  DataType,
+} from '../types/whoop.js';
+import { getDaysRange, getDateRange, nowISO } from '../utils/date.js';
+
+const USER_AGENT = 'whoop-up/1.0';
+const RETRY_CODES = new Set([429, 500, 502, 503, 504]);
+const MAX_RETRIES = 3;
+const MAX_PAGES = 50;
+
+async function request<T>(endpoint: string, params?: QueryParams): Promise<T> {
+  const tokens = await getValidTokens();
+
+  const url = new URL(BASE_URL + endpoint);
+  if (params?.start) url.searchParams.set('start', params.start);
+  if (params?.end) url.searchParams.set('end', params.end);
+  if (params?.limit) url.searchParams.set('limit', String(params.limit));
+  if (params?.nextToken) url.searchParams.set('nextToken', params.nextToken);
+
+  let backoff = 1000;
+
+  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+    const response = await fetch(url.toString(), {
+      headers: {
+        Authorization: `Bearer ${tokens.access_token}`,
+        'Content-Type': 'application/json',
+        'User-Agent': USER_AGENT,
+      },
+    });
+
+    if (response.ok) {
+      return response.json() as Promise<T>;
+    }
+
+    if (RETRY_CODES.has(response.status) && attempt < MAX_RETRIES) {
+      await new Promise(resolve => setTimeout(resolve, backoff));
+      backoff *= 2;
+      continue;
+    }
+
+    if (response.status === 401) {
+      throw new WhoopError('Authentication failed', ExitCode.AUTH_ERROR, 401);
+    }
+    if (response.status === 429) {
+      throw new WhoopError('Rate limit exceeded — try again later', ExitCode.RATE_LIMIT, 429);
+    }
+    throw new WhoopError(`API request failed`, ExitCode.GENERAL_ERROR, response.status);
+  }
+
+  throw new WhoopError('API request failed after retries', ExitCode.GENERAL_ERROR);
+}
+
+async function requestDelete(endpoint: string): Promise<void> {
+  const tokens = await getValidTokens();
+
+  const response = await fetch(BASE_URL + endpoint, {
+    method: 'DELETE',
+    headers: {
+      Authorization: `Bearer ${tokens.access_token}`,
+      'User-Agent': USER_AGENT,
+    },
+  });
+
+  if (!response.ok && response.status !== 204) {
+    throw new WhoopError(`DELETE request failed`, ExitCode.GENERAL_ERROR, response.status);
+  }
+}
+
+async function fetchAll<T>(
+  endpoint: string,
+  params: QueryParams,
+  fetchAllPages: boolean
+): Promise<T[]> {
+  const results: T[] = [];
+  let nextToken: string | undefined;
+  let pages = 0;
+
+  do {
+    if (pages >= MAX_PAGES) {
+      console.error(`Warning: pagination cap (${MAX_PAGES} pages) reached for ${endpoint}`);
+      break;
+    }
+    const response = await request<ApiResponse<T>>(endpoint, { ...params, nextToken });
+    results.push(...response.records);
+    nextToken = fetchAllPages ? response.next_token : undefined;
+    pages++;
+  } while (nextToken);
+
+  return results;
+}
+
+// ─── Collection endpoints ─────────────────────────────────────────────────────
+
+export async function getProfile(): Promise<WhoopProfile> {
+  return request<WhoopProfile>(ENDPOINTS.profile);
+}
+
+export async function getBody(): Promise<WhoopBody> {
+  return request<WhoopBody>(ENDPOINTS.body);
+}
+
+export async function getSleep(params: QueryParams = {}, all = true): Promise<WhoopSleep[]> {
+  return fetchAll<WhoopSleep>(ENDPOINTS.sleep, { limit: 25, ...params }, all);
+}
+
+export async function getRecovery(params: QueryParams = {}, all = true): Promise<WhoopRecovery[]> {
+  return fetchAll<WhoopRecovery>(ENDPOINTS.recovery, { limit: 25, ...params }, all);
+}
+
+export async function getWorkout(params: QueryParams = {}, all = true): Promise<WhoopWorkout[]> {
+  return fetchAll<WhoopWorkout>(ENDPOINTS.workout, { limit: 25, ...params }, all);
+}
+
+export async function getCycle(params: QueryParams = {}, all = true): Promise<WhoopCycle[]> {
+  return fetchAll<WhoopCycle>(ENDPOINTS.cycle, { limit: 25, ...params }, all);
+}
+
+// ─── By-ID endpoints ──────────────────────────────────────────────────────────
+
+export async function getSleepById(id: string): Promise<WhoopSleep> {
+  return request<WhoopSleep>(byId.sleep(id));
+}
+
+export async function getWorkoutById(id: string): Promise<WhoopWorkout> {
+  return request<WhoopWorkout>(byId.workout(id));
+}
+
+export async function getCycleById(id: number): Promise<WhoopCycle> {
+  return request<WhoopCycle>(byId.cycle(id));
+}
+
+// ─── Cycle sub-resource endpoints ─────────────────────────────────────────────
+
+export async function getSleepForCycle(cycleId: number): Promise<WhoopSleep> {
+  return request<WhoopSleep>(byId.cycleSleep(cycleId));
+}
+
+export async function getRecoveryForCycle(cycleId: number): Promise<WhoopRecovery> {
+  return request<WhoopRecovery>(byId.cycleRecovery(cycleId));
+}
+
+// ─── Revoke access ────────────────────────────────────────────────────────────
+
+export async function revokeAccess(): Promise<void> {
+  return requestDelete(ENDPOINTS.revokeAccess);
+}
+
+// ─── Composite helpers ────────────────────────────────────────────────────────
+
+export async function fetchData(
+  types: DataType[],
+  rangeParams: QueryParams,
+  options: { limit?: number; all?: boolean } = {}
+): Promise<CombinedOutput> {
+  const params: QueryParams = { ...rangeParams, limit: options.limit ?? 25 };
+  const fetchAllPages = options.all ?? true;
+
+  const output: CombinedOutput = {
+    date: new Date().toISOString().split('T')[0],
+    fetched_at: nowISO(),
+  };
+
+  const fetchers: Record<DataType, () => Promise<void>> = {
+    profile: async () => { output.profile = await getProfile(); },
+    body: async () => { output.body = await getBody(); },
+    sleep: async () => { output.sleep = await getSleep(params, fetchAllPages); },
+    recovery: async () => { output.recovery = await getRecovery(params, fetchAllPages); },
+    workout: async () => { output.workout = await getWorkout(params, fetchAllPages); },
+    cycle: async () => { output.cycle = await getCycle(params, fetchAllPages); },
+  };
+
+  await Promise.all(types.map((type) => fetchers[type]()));
+
+  return output;
+}
+
+export function buildRangeParams(options: {
+  days?: number;
+  start?: string;
+  end?: string;
+  date?: string;
+}): QueryParams {
+  if (options.start || options.end) {
+    return {
+      start: options.start ? options.start + 'T00:00:00.000Z' : undefined,
+      end: options.end ? options.end + 'T23:59:59.999Z' : undefined,
+    };
+  }
+  if (options.date) {
+    // Use WHOOP day boundaries (4am–4am) for a single date
+    return getDateRange(options.date);
+  }
+  // Default: last N days
+  return getDaysRange(options.days ?? 7);
+}

package/src/api/endpoints.ts

@@ -0,0 +1,20 @@
+export const BASE_URL = 'https://api.prod.whoop.com/developer/v2';
+
+export const ENDPOINTS = {
+  profile: '/user/profile/basic',
+  body: '/user/measurement/body',
+  workout: '/activity/workout',
+  sleep: '/activity/sleep',
+  recovery: '/recovery',
+  cycle: '/cycle',
+  revokeAccess: '/user/access',
+} as const;
+
+// By-ID endpoints (parametric)
+export const byId = {
+  sleep: (id: string) => `/activity/sleep/${id}`,
+  workout: (id: string) => `/activity/workout/${id}`,
+  cycle: (id: number) => `/cycle/${id}`,
+  cycleSleep: (cycleId: number) => `/cycle/${cycleId}/sleep`,
+  cycleRecovery: (cycleId: number) => `/cycle/${cycleId}/recovery`,
+} as const;

package/src/auth/oauth.ts

@@ -0,0 +1,171 @@
+import { randomBytes } from 'node:crypto';
+import { createInterface } from 'node:readline';
+import open from 'open';
+import { saveTokens, clearTokens, getTokenStatus, getValidTokens, isTokenExpired, loadTokens } from './tokens.js';
+import { WhoopError, ExitCode } from '../utils/errors.js';
+import type { OAuthTokenResponse } from '../types/whoop.js';
+
+const WHOOP_AUTH_URL = 'https://api.prod.whoop.com/oauth/oauth2/auth';
+const WHOOP_TOKEN_URL = 'https://api.prod.whoop.com/oauth/oauth2/token';
+const WHOOP_REVOKE_URL = 'https://api.prod.whoop.com/developer/v2/user/access';
+const SCOPES = 'read:profile read:body_measurement read:workout read:recovery read:sleep read:cycles offline';
+
+function getCredentials(): { clientId: string; clientSecret: string; redirectUri: string } {
+  const clientId = process.env.WHOOP_CLIENT_ID;
+  const clientSecret = process.env.WHOOP_CLIENT_SECRET;
+  const redirectUri = process.env.WHOOP_REDIRECT_URI;
+
+  if (!clientId || !clientSecret || !redirectUri) {
+    throw new WhoopError(
+      'Missing WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, or WHOOP_REDIRECT_URI in environment',
+      ExitCode.AUTH_ERROR
+    );
+  }
+
+  return { clientId, clientSecret, redirectUri };
+}
+
+function prompt(question: string): Promise<string> {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+
+export async function login(): Promise<void> {
+  const { clientId, clientSecret, redirectUri } = getCredentials();
+  const state = randomBytes(16).toString('hex');
+
+  const authUrl = new URL(WHOOP_AUTH_URL);
+  authUrl.searchParams.set('client_id', clientId);
+  authUrl.searchParams.set('redirect_uri', redirectUri);
+  authUrl.searchParams.set('response_type', 'code');
+  authUrl.searchParams.set('scope', SCOPES);
+  authUrl.searchParams.set('state', state);
+
+  console.log('Opening browser for authorization...');
+  console.log('\nIf browser does not open, visit this URL:\n');
+  console.log(authUrl.toString());
+  console.log('');
+
+  await open(authUrl.toString()).catch(() => {});
+
+  const callbackUrl = await prompt('Paste the callback URL here: ');
+
+  const url = new URL(callbackUrl);
+  const code = url.searchParams.get('code');
+  const returnedState = url.searchParams.get('state');
+
+  if (!code) {
+    throw new WhoopError('No authorization code in callback URL', ExitCode.AUTH_ERROR);
+  }
+
+  if (returnedState !== state) {
+    throw new WhoopError('OAuth state mismatch', ExitCode.AUTH_ERROR);
+  }
+
+  const tokenResponse = await fetch(WHOOP_TOKEN_URL, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: new URLSearchParams({
+      grant_type: 'authorization_code',
+      code,
+      redirect_uri: redirectUri,
+      client_id: clientId,
+      client_secret: clientSecret,
+    }),
+  });
+
+  if (!tokenResponse.ok) {
+    const text = await tokenResponse.text();
+    throw new WhoopError(`Token exchange failed: ${text}`, ExitCode.AUTH_ERROR, tokenResponse.status);
+  }
+
+  const tokens = (await tokenResponse.json()) as OAuthTokenResponse;
+  saveTokens(tokens);
+  console.log('Authentication successful');
+}
+
+export async function logout(): Promise<void> {
+  const tokens = loadTokens();
+
+  if (tokens) {
+    // Revoke on WHOOP's server first, then clear locally
+    try {
+      const response = await fetch(WHOOP_REVOKE_URL, {
+        method: 'DELETE',
+        headers: {
+          Authorization: `Bearer ${tokens.access_token}`,
+          'User-Agent': 'whoop-up/1.0',
+        },
+      });
+      if (response.ok || response.status === 204) {
+        console.log('Access revoked on WHOOP server');
+      } else {
+        // Token may already be expired — still clear locally
+        console.log(`Note: server revoke returned ${response.status}, clearing local tokens anyway`);
+      }
+    } catch {
+      console.log('Note: could not reach WHOOP server, clearing local tokens anyway');
+    }
+  }
+
+  clearTokens();
+  console.log('Logged out');
+}
+
+export function status(): void {
+  const tokenStatus = getTokenStatus();
+  const tokens = loadTokens();
+
+  if (!tokenStatus.authenticated) {
+    console.log(JSON.stringify({ authenticated: false, message: 'Not logged in. Run: whoop auth login' }, null, 2));
+    return;
+  }
+
+  const now = Math.floor(Date.now() / 1000);
+  const expiresIn = tokenStatus.expires_at! - now;
+  const needsRefresh = isTokenExpired(tokens!);
+
+  console.log(JSON.stringify({
+    authenticated: true,
+    expires_at: tokenStatus.expires_at,
+    expires_in_seconds: expiresIn,
+    expires_in_human: expiresIn > 0 ? `${Math.floor(expiresIn / 60)} minutes` : 'EXPIRED',
+    needs_refresh: needsRefresh,
+  }, null, 2));
+}
+
+export async function refresh(): Promise<void> {
+  const tokens = loadTokens();
+
+  if (!tokens) {
+    throw new WhoopError('Not authenticated. Run: whoop auth login', ExitCode.AUTH_ERROR);
+  }
+
+  try {
+    const newTokens = await getValidTokens();
+
+    const now = Math.floor(Date.now() / 1000);
+    const expiresIn = newTokens.expires_at - now;
+
+    console.log(JSON.stringify({
+      success: true,
+      message: 'Token refreshed successfully',
+      expires_at: newTokens.expires_at,
+      expires_in_seconds: expiresIn,
+      expires_in_human: `${Math.floor(expiresIn / 60)} minutes`,
+    }, null, 2));
+  } catch (error) {
+    if (error instanceof WhoopError && error.message.includes('refresh')) {
+      throw new WhoopError(
+        'Refresh token expired. Please re-authenticate with: whoop auth login',
+        ExitCode.AUTH_ERROR
+      );
+    }
+    throw error;
+  }
+}

package/src/auth/tokens.ts

@@ -0,0 +1,120 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import type { TokenData, OAuthTokenResponse } from '../types/whoop.js';
+import { WhoopError, ExitCode } from '../utils/errors.js';
+
+const CONFIG_DIR = join(homedir(), '.whoop-up');
+const TOKEN_FILE = join(CONFIG_DIR, 'tokens.json');
+
+// Refresh tokens 15 minutes before expiry to avoid race conditions
+const REFRESH_BUFFER_SECONDS = 900;
+
+function ensureConfigDir(): void {
+  if (!existsSync(CONFIG_DIR)) {
+    mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  }
+}
+
+export function saveTokens(response: OAuthTokenResponse): void {
+  ensureConfigDir();
+
+  const data: TokenData = {
+    access_token: response.access_token,
+    refresh_token: response.refresh_token,
+    expires_at: Math.floor(Date.now() / 1000) + response.expires_in,
+    token_type: response.token_type,
+    scope: response.scope,
+  };
+
+  writeFileSync(TOKEN_FILE, JSON.stringify(data, null, 2));
+  chmodSync(TOKEN_FILE, 0o600);
+}
+
+export function loadTokens(): TokenData | null {
+  if (!existsSync(TOKEN_FILE)) {
+    return null;
+  }
+
+  try {
+    const content = readFileSync(TOKEN_FILE, 'utf-8');
+    return JSON.parse(content) as TokenData;
+  } catch {
+    return null;
+  }
+}
+
+export function clearTokens(): void {
+  if (existsSync(TOKEN_FILE)) {
+    writeFileSync(TOKEN_FILE, '');
+  }
+}
+
+export function isTokenExpired(tokens: TokenData): boolean {
+  const now = Math.floor(Date.now() / 1000);
+  return now >= tokens.expires_at - REFRESH_BUFFER_SECONDS;
+}
+
+export async function refreshAccessToken(tokens: TokenData): Promise<TokenData> {
+  const clientId = process.env.WHOOP_CLIENT_ID;
+  const clientSecret = process.env.WHOOP_CLIENT_SECRET;
+
+  if (!clientId || !clientSecret) {
+    throw new WhoopError('Missing WHOOP_CLIENT_ID or WHOOP_CLIENT_SECRET', ExitCode.AUTH_ERROR);
+  }
+
+  const response = await fetch('https://api.prod.whoop.com/oauth/oauth2/token', {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+    },
+    body: new URLSearchParams({
+      grant_type: 'refresh_token',
+      refresh_token: tokens.refresh_token,
+      client_id: clientId,
+      client_secret: clientSecret,
+      scope: 'offline',
+    }),
+  });
+
+  if (!response.ok) {
+    const errorBody = await response.text();
+    let errorMsg = `Token refresh failed (${response.status})`;
+    try {
+      const errorJson = JSON.parse(errorBody);
+      errorMsg = errorJson.error_description || errorJson.error || errorMsg;
+    } catch {
+      // Use default error message
+    }
+    throw new WhoopError(errorMsg, ExitCode.AUTH_ERROR, response.status);
+  }
+
+  const data = (await response.json()) as OAuthTokenResponse;
+  saveTokens(data);
+  return loadTokens()!;
+}
+
+export async function getValidTokens(): Promise<TokenData> {
+  let tokens = loadTokens();
+
+  if (!tokens) {
+    throw new WhoopError('Not authenticated. Run: whoop auth login', ExitCode.AUTH_ERROR);
+  }
+
+  if (isTokenExpired(tokens)) {
+    tokens = await refreshAccessToken(tokens);
+  }
+
+  return tokens;
+}
+
+export function getTokenStatus(): { authenticated: boolean; expires_at?: number } {
+  const tokens = loadTokens();
+  if (!tokens) {
+    return { authenticated: false };
+  }
+  return {
+    authenticated: true,
+    expires_at: tokens.expires_at,
+  };
+}