extendvcc-cli 0.1.0__tar.gz → 0.1.1__tar.gz

{extendvcc_cli-0.1.0 → extendvcc_cli-0.1.1}/.github/workflows/release.yml

@@ -10,14 +10,15 @@ permissions:
 jobs:
   build:
     strategy:
+      # One platform failing must not cancel the others; the release attaches
+      # whatever built. Intel macOS (macos-13) is intentionally dropped: the
+      # runner pool is scarce and being retired, and pip/pipx covers that case.
+      fail-fast: false
       matrix:
         include:
           - os: macos-latest
             arch: arm64
             artifact: extendvcc-macos-arm64
-          - os: macos-13
-            arch: x86_64
-            artifact: extendvcc-macos-x86_64
           - os: ubuntu-latest
             arch: x86_64
             artifact: extendvcc-linux-x86_64
@@ -54,6 +55,9 @@ jobs:
 
   release:
     needs: [build, test]
+    # Run once builds finish even if a platform failed, as long as tests passed,
+    # so a single bad/slow binary never blocks the GitHub release.
+    if: ${{ !cancelled() && needs.test.result == 'success' }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/download-artifact@v4

{extendvcc_cli-0.1.0 → extendvcc_cli-0.1.1}/CHANGELOG.md

@@ -10,6 +10,15 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
 
 ---
 
+## [0.1.1] - 2026-06-15
+
+### Fixed
+
+- First-time login failed at device registration with `Found negative value for salt or password verifier`. The device SRP salt and password verifier are now zero-padded so Cognito never reads them as negative.
+- Authentication errors now include Cognito's error type and message instead of only a status code, so failures report the real reason.
+
+---
+
 ## [0.1.0] - 2026-06-14
 
 ### Added
@@ -28,5 +37,6 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
 - **Python API:** public re-exports in `extendvcc.__init__` for programmatic use.
 - **Typed:** `py.typed` marker (PEP 561); type hints throughout.
 
-[Unreleased]: https://github.com/4LAU/extendvcc/compare/v0.1.0...HEAD
+[Unreleased]: https://github.com/4LAU/extendvcc/compare/v0.1.1...HEAD
+[0.1.1]: https://github.com/4LAU/extendvcc/compare/v0.1.0...v0.1.1
 [0.1.0]: https://github.com/4LAU/extendvcc/releases/tag/v0.1.0

{extendvcc_cli-0.1.0 → extendvcc_cli-0.1.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: extendvcc-cli
-Version: 0.1.0
+Version: 0.1.1
 Summary: Unofficial CLI and Python client for the Extend virtual card API
 Project-URL: Homepage, https://github.com/4LAU/extendvcc
 Project-URL: Repository, https://github.com/4LAU/extendvcc

{extendvcc_cli-0.1.0 → extendvcc_cli-0.1.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "extendvcc-cli"
-version = "0.1.0"
+version = "0.1.1"
 description = "Unofficial CLI and Python client for the Extend virtual card API"
 readme = "README.md"
 license = "MIT"

{extendvcc_cli-0.1.0 → extendvcc_cli-0.1.1}/src/extendvcc/auth.py

@@ -150,7 +150,20 @@ def _raise_for_status(resp: Any, *, kind: str = "auth", path: str | None = None)
             status_code=status_code,
             path=path or "",
         )
-    raise PayWithExtendAuthError(f"PayWithExtend Cognito request failed with status {status_code}")
+    # Cognito error responses carry {"__type": "...", "message": "..."} — surface
+    # it so a 400 distinguishes a wrong/expired code from a real flow bug. The body
+    # holds only Cognito's own error type/message, no secrets.
+    detail = ""
+    try:
+        body = _response_json(resp)
+        if isinstance(body, dict):
+            err_type = str(body.get("__type", "")).rsplit("#", 1)[-1]
+            message = body.get("message") or body.get("Message") or ""
+            detail = " - ".join(part for part in (err_type, message) if part)
+    except Exception:
+        detail = ""
+    suffix = f" ({detail})" if detail else ""
+    raise PayWithExtendAuthError(f"PayWithExtend Cognito request failed with status {status_code}{suffix}")
 
 
 def _inspect_account_risk(resp: Any, path: str) -> None:
@@ -284,12 +297,6 @@ def _hex_to_int(value: str) -> int:
     return int(value, 16)
 
 
-def _int_to_bytes(value: int) -> bytes:
-    if value == 0:
-        return b"\x00"
-    return value.to_bytes((value.bit_length() + 7) // 8, "big")
-
-
 def _hex_to_bytes(value: int | str) -> bytes:
     return bytes.fromhex(_pad_hex(value))
 
@@ -454,11 +461,17 @@ def _generate_device_verifier(
     salt: bytes | None = None,
 ) -> tuple[str, str]:
     salt_bytes = salt or secrets.token_bytes(16)
+    # Cognito decodes Salt and PasswordVerifier as signed big-endian integers, so a
+    # leading high bit is read as negative ("Found negative value for salt or password
+    # verifier") and ConfirmDevice 400s. Prepend a 0x00 byte when needed via
+    # _hex_to_bytes/_pad_hex, and use the SAME sign-fixed salt for both the x-hash and
+    # the wire value so they stay consistent.
+    salt_bytes = _hex_to_bytes(salt_bytes.hex())
     device_username = f"{device_group_key}{device_key}"
     x_value = _calculate_x(salt_bytes.hex(), device_username, device_password)
     verifier = pow(G, x_value, N)
     return (
-        base64.b64encode(_int_to_bytes(verifier)).decode("ascii"),
+        base64.b64encode(_hex_to_bytes(verifier)).decode("ascii"),
         base64.b64encode(salt_bytes).decode("ascii"),
     )
 

{extendvcc_cli-0.1.0 → extendvcc_cli-0.1.1}/tests/test_auth.py

@@ -207,6 +207,22 @@ def test_authenticate_handles_password_otp_and_device_registration(tmp_path, mon
     configure_paths()
 
 
+def test_device_verifier_pads_negative_salt_and_verifier() -> None:
+    """Cognito decodes Salt/PasswordVerifier as signed big-endian ints; a high bit must be
+    0x00-padded so neither is negative. Regression for the ConfirmDevice 400
+    'Found negative value for salt or password verifier'."""
+    salt = b"\x80" + b"\x11" * 15  # high bit set -> negative without padding
+    verifier_b64, salt_b64 = auth._generate_device_verifier("grp", "devkey", "pw", salt=salt)
+    salt_bytes = base64.b64decode(salt_b64)
+    verifier_bytes = base64.b64decode(verifier_b64)
+    # High bit clear (first byte < 0x80) keeps Cognito's signed decode non-negative.
+    assert salt_bytes[0] < 0x80
+    assert verifier_bytes[0] < 0x80
+    # The sign-fixed salt is the original 16 bytes with a 0x00 prepended, and that same
+    # salt is what gets sent (so it matches the value used in the x-hash).
+    assert salt_bytes == b"\x00" + salt
+
+
 def test_authenticate_handles_remembered_device_srp(tmp_path, monkeypatch) -> None:
     configure_paths(state_dir=tmp_path)
     auth.save_session(