meshagent-cli 0.5.15__py3-none-any.whl → 0.6.0__py3-none-any.whl

meshagent/cli/auth_async.py

@@ -1,79 +1,153 @@
 import os
 import json
+import time
+import base64
+import hashlib
+import secrets
 import webbrowser
 import asyncio
 from pathlib import Path
-from aiohttp import web
-from supabase._async.client import (
-    AsyncClient,
-    create_client,
-)  # async flavour :contentReference[oaicite:1]{index=1}
-from supabase.lib.client_options import ClientOptions
-from supabase_auth import AsyncMemoryStorage
-
-AUTH_URL = os.getenv("MESHAGENT_AUTH_URL", "https://infra.meshagent.com")
-AUTH_ANON_KEY = os.getenv(
-    "MESHAGENT_AUTH_ANON_KEY",
-    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Im5memhyeWpoc3RjZXdkeWdvampzIiwicm9sZSI6ImFub24iLCJpYXQiOjE3MzQ2MzU2MjgsImV4cCI6MjA1MDIxMTYyOH0.ujx9CIbYEvWbA77ogB1gg1Jrv3KtpB1rWh_LRRLpcow",
-)
+from urllib.parse import urlencode
+from aiohttp import web, ClientSession
+
+# -----------------------------------------------------------------------------
+# Config
+# -----------------------------------------------------------------------------
+
 CACHE_FILE = Path.home() / ".meshagent" / "session.json"
 REDIRECT_PORT = 8765
 REDIRECT_URL = f"http://localhost:{REDIRECT_PORT}/callback"
 
-# ---------- helpers ----------------------------------------------------------
+# Expected env vars:
+# - MESHAGENT_API_URL (required): e.g., https://api.meshagent.com
+# - MESHAGENT_OAUTH_CLIENT_ID (required)
+# - MESHAGENT_OAUTH_CLIENT_SECRET (optional; only if your server requires it)
+# - MESHAGENT_OAUTH_SCOPES (optional; defaults to "openid email profile")
+
+# -----------------------------------------------------------------------------
+# Helpers
+# -----------------------------------------------------------------------------
 
 
 def _ensure_cache_dir():
     CACHE_FILE.parent.mkdir(parents=True, exist_ok=True)
 
 
-async def _client() -> AsyncClient:
-    return await create_client(
-        AUTH_URL,
-        AUTH_ANON_KEY,
-        options=ClientOptions(
-            flow_type="pkce",  # OAuth + PKCE :contentReference[oaicite:2]{index=2}
-            auto_refresh_token=True,
-            persist_session=False,
-            storage=AsyncMemoryStorage(),
-        ),
-    )
+def _now() -> int:
+    return int(time.time())
+
+
+def _b64url_no_pad(data: bytes) -> str:
+    return base64.urlsafe_b64encode(data).decode().rstrip("=")
+
+
+def _pkce_pair():
+    """
+    Returns (code_verifier, code_challenge) using S256 per RFC 7636.
+    """
+    verifier = _b64url_no_pad(secrets.token_bytes(32))
+    digest = hashlib.sha256(verifier.encode()).digest()
+    challenge = _b64url_no_pad(digest)
+    return verifier, challenge
+
+
+def _api_base() -> str:
+    api = os.getenv("MESHAGENT_API_URL", "https://api.meshagent.com")
+    if not api:
+        raise RuntimeError("MESHAGENT_API_URL is not set")
+    return api.rstrip("/")
+
 
+def _authorization_url() -> str:
+    return f"{_api_base()}/oauth/authorize"
 
-def _save(s):
+
+def _token_url() -> str:
+    return f"{_api_base()}/oauth/token"
+
+
+def _client_id() -> str:
+    cid = os.getenv("MESHAGENT_OAUTH_CLIENT_ID", "p8xy1ZUi73jJUJbNfTg92HUSDpCSZJcc")
+    if not cid:
+        raise RuntimeError("MESHAGENT_OAUTH_CLIENT_ID is not set")
+    return cid
+
+
+def _client_secret() -> str | None:
+    return os.getenv("MESHAGENT_OAUTH_CLIENT_SECRET")
+
+
+def _scopes() -> str:
+    return os.getenv("MESHAGENT_OAUTH_SCOPES", "admin")
+
+
+def _save(tokens: dict):
+    """
+    Persist minimal token info to disk.
+    Expected keys: access_token, refresh_token (optional), expires_at (epoch int).
+    """
     _ensure_cache_dir()
     CACHE_FILE.write_text(
         json.dumps(
             {
-                "access_token": s.access_token,
-                "refresh_token": s.refresh_token,
-                "expires_at": s.expires_at,  # int (seconds since epoch)
+                "access_token": tokens.get("access_token"),
+                "refresh_token": tokens.get("refresh_token"),
+                "expires_at": tokens.get("expires_at"),
+                "token_type": tokens.get("token_type", "Bearer"),
+                "scope": tokens.get("scope"),
+                "id_token": tokens.get("id_token"),
             }
         )
     )
 
 
-def _load():
+def _load() -> dict | None:
     _ensure_cache_dir()
     if CACHE_FILE.exists():
         return json.loads(CACHE_FILE.read_text())
 
 
-# ---------- local HTTP callback ---------------------------------------------
+async def _post_form(url: str, form: dict) -> dict:
+    """
+    POST application/x-www-form-urlencoded and return parsed JSON or raise.
+    """
+    headers = {"Accept": "application/json"}
+    async with ClientSession() as s:
+        async with s.post(url, data=form, headers=headers) as resp:
+            text = await resp.text()
+            if resp.status >= 400:
+                raise RuntimeError(f"Token endpoint error {resp.status}: {text}")
+            try:
+                return json.loads(text)
+            except json.JSONDecodeError:
+                raise RuntimeError(
+                    f"Unexpected non-JSON response from token endpoint: {text}"
+                )
+
 
+# -----------------------------------------------------------------------------
+# Local HTTP callback
+# -----------------------------------------------------------------------------
 
-async def _wait_for_code() -> str:
-    """Spin up a one-shot aiohttp server and await ?code=…"""
+
+async def _wait_for_code(expected_state: str) -> str:
+    """
+    Spin up a one-shot aiohttp server and await ?code=…&state=…
+    Validates 'state' if provided. Returns the 'code'.
+    """
     app = web.Application()
     code_fut: asyncio.Future[str] = asyncio.get_event_loop().create_future()
 
     async def callback(request):
         code = request.query.get("code")
+        state = request.query.get("state")
+        if expected_state and state != expected_state:
+            return web.Response(status=400, text="State mismatch. Close this tab.")
         if code:
             if not code_fut.done():
                 code_fut.set_result(code)
             return web.Response(text="You may close this tab.")
-        return web.Response(status=400)
+        return web.Response(status=400, text="Missing 'code'.")
 
     app.add_routes([web.get("/callback", callback)])
     runner = web.AppRunner(app, access_log=None)
@@ -87,52 +161,135 @@ async def _wait_for_code() -> str:
         await runner.cleanup()
 
 
-# ---------- public API -------------------------------------------------------
+# -----------------------------------------------------------------------------
+# OAuth flows
+# -----------------------------------------------------------------------------
+
+
+async def _exchange_code_for_tokens(code: str, code_verifier: str) -> dict:
+    form = {
+        "grant_type": "authorization_code",
+        "code": code,
+        "redirect_uri": REDIRECT_URL,
+        "client_id": _client_id(),
+        "code_verifier": code_verifier,
+    }
+    # Include client_secret only if provided (public clients typically omit)
+    client_secret = _client_secret()
+    if client_secret:
+        form["client_secret"] = client_secret
+
+    token_json = await _post_form(_token_url(), form)
+
+    # Compute absolute expiry; default to 3600s if expires_in missing
+    expires_in = int(token_json.get("expires_in", 3600))
+    token_json["expires_at"] = _now() + max(0, expires_in - 30)  # small safety skew
+    return token_json
+
+
+async def _refresh_tokens(tokens: dict) -> dict:
+    if not tokens or not tokens.get("refresh_token"):
+        raise RuntimeError("No refresh token available to refresh access token.")
+
+    form = {
+        "grant_type": "refresh_token",
+        "refresh_token": tokens["refresh_token"],
+        "client_id": _client_id(),
+    }
+    client_secret = _client_secret()
+    if client_secret:
+        form["client_secret"] = client_secret
+
+    token_json = await _post_form(_token_url(), form)
+
+    # Some servers rotate refresh tokens; keep old one if none returned
+    token_json["refresh_token"] = token_json.get(
+        "refresh_token", tokens.get("refresh_token")
+    )
+    expires_in = int(token_json.get("expires_in", 3600))
+    token_json["expires_at"] = _now() + max(0, expires_in - 30)
+    return token_json
+
+
+# -----------------------------------------------------------------------------
+# Public API (unchanged names)
+# -----------------------------------------------------------------------------
 
 
 async def login():
-    supa = await _client()
-
-    # 1️⃣  Build provider URL – async now
-    res = await supa.auth.sign_in_with_oauth(
-        {
-            "provider": os.getenv("MESHAGENT_AUTH_PROVIDER", "google"),
-            "options": {"redirect_to": REDIRECT_URL, "scopes": "email"},
-        }
-    )  # :contentReference[oaicite:3]{index=3}
-    oauth_url = res.url
-
-    # 2️⃣  Kick user to browser without blocking the loop
-    await asyncio.to_thread(webbrowser.open, oauth_url)
-    print(f"Waiting for auth redirect on {oauth_url}…")
-
-    # 3️⃣  Await the auth code, then exchange for tokens
-    auth_code = await _wait_for_code()
+    """
+    Launches the system browser for OAuth 2.0 Authorization Code + PKCE.
+    Persists tokens to ~/.meshagent/session.json
+    """
+    authz = _authorization_url()
+    client_id = _client_id()
+    scope = _scopes()
+
+    code_verifier, code_challenge = _pkce_pair()
+    state = _b64url_no_pad(secrets.token_bytes(16))
+
+    query = {
+        "response_type": "code",
+        "client_id": client_id,
+        "redirect_uri": REDIRECT_URL,
+        "scope": scope,
+        "code_challenge": code_challenge,
+        "code_challenge_method": "S256",
+        "state": state,
+    }
+    auth_url = f"{authz}?{urlencode(query)}"
+
+    # Kick user to browser without blocking the loop
+    await asyncio.to_thread(webbrowser.open, auth_url)
+    print(f"Waiting for auth redirect on {auth_url}…")
+
+    # Await the auth code, then exchange for tokens
+    auth_code = await _wait_for_code(state)
     print("Got code, exchanging…")
-    sess = await supa.auth.exchange_code_for_session({"auth_code": auth_code})  #
-    _save(sess.session)
-    print("✅ Logged in as", sess.user.email)
+
+    tokens = await _exchange_code_for_tokens(auth_code, code_verifier)
+    _save(tokens)
+    print("✅ Logged in (tokens cached).")
 
 
 async def session():
-    supa = await _client()
-    cached = _load()
-    fresh = None
-    if cached:
-        await supa.auth.set_session(cached["access_token"], cached["refresh_token"])
-        fresh = await supa.auth.get_session()  # returns a Session object
-        _save(fresh)
-    return supa, fresh
+    """
+    Returns a tuple (client, tokens_dict)
+    - client is None (kept for backward compatibility with prior signature).
+    - tokens_dict contains access_token, refresh_token, expires_at, token_type, scope, id_token.
+    Will auto-refresh if expired/near-expiry and update the cache.
+    """
+    tokens = _load()
+    if not tokens:
+        return None, None
+
+    # Refresh if expired or within 5 min of expiry
+    if not tokens.get("expires_at") or tokens["expires_at"] <= _now() + 5 * 60:
+        try:
+            tokens = await _refresh_tokens(tokens)
+            _save(tokens)
+        except Exception as e:
+            # If refresh fails, wipe session to force re-login
+            print(f"⚠️  Token refresh failed: {e}")
+            return None, None
+
+    return None, tokens
 
 
 async def logout():
-    supa, s = await session()
-    if s:
-        await supa.auth.sign_out()
+    """
+    Clears the cached tokens. (If your OAuth server supports revocation,
+    you can add a call here; not provided in the spec.)
+    """
+    _, tokens = await session()
+    # Optional: call a revocation endpoint here if your server provides one.
     CACHE_FILE.unlink(missing_ok=True)
     print("👋 Signed out")
 
 
 async def get_access_token():
-    supa, fresh = await session()
-    return fresh.access_token
+    """
+    Returns a fresh access token, refreshing if needed.
+    """
+    _, tokens = await session()
+    return tokens["access_token"] if tokens else None

meshagent/cli/call.py

@@ -1,7 +1,7 @@
 import typer
 from rich import print
 from typing import Annotated, Optional
-from meshagent.cli.common_options import ProjectIdOption, ApiKeyIdOption, RoomOption
+from meshagent.cli.common_options import ProjectIdOption, RoomOption
 import json
 import aiohttp
 from meshagent.api import (
@@ -9,16 +9,20 @@ from meshagent.api import (
     ParticipantToken,
     WebSocketClientProtocol,
     ParticipantGrant,
+    ApiScope,
 )
 from meshagent.api.helpers import meshagent_base_url, websocket_room_url
 from meshagent.api.services import send_webhook
 from meshagent.cli import async_typer
-from meshagent.cli.helper import get_client, resolve_project_id
-from meshagent.cli.helper import resolve_api_key, resolve_room
+from meshagent.cli.helper import get_client, resolve_project_id, resolve_key
+from meshagent.cli.helper import resolve_room
 from urllib.parse import urlparse
 from pathlib import PurePath
 import socket
 import ipaddress
+import pathlib
+from pydantic_yaml import parse_yaml_raw_as
+from meshagent.api.participant_token import ParticipantTokenSpec
 
 app = async_typer.AsyncTyper()
 
@@ -72,7 +76,6 @@ async def make_call(
     *,
     project_id: ProjectIdOption = None,
     room: RoomOption,
-    api_key_id: ApiKeyIdOption = None,
     role: str = "agent",
     local: Optional[bool] = None,
     agent_name: Annotated[
@@ -87,12 +90,76 @@ async def make_call(
     arguments: Annotated[
         str, typer.Option(..., help="JSON string with arguments for the call")
     ] = {},
+    permissions: Annotated[
+        Optional[str],
+        typer.Option(
+            "--permissions",
+            "-p",
+            help="File path to a token definition, if not specified default agent permissions will be used",
+        ),
+    ] = None,
+    key: Annotated[
+        str,
+        typer.Option("--key", help="an api key to sign the token with"),
+    ] = None,
+):
+    key = await resolve_key(project_id=project_id, key=key)
+
+    if permissions is not None:
+        with open(str(pathlib.Path(permissions).expanduser().resolve()), "rb") as f:
+            spec = parse_yaml_raw_as(ParticipantTokenSpec, f.read())
+
+            token = ParticipantToken(
+                name=spec.identity,
+            )
+            token.add_role_grant(role=role)
+            token.add_room_grant(room)
+            token.add_api_grant(spec.api)
+
+    else:
+        token = None
+
+    await _make_call(
+        project_id=project_id,
+        room=room,
+        role=role,
+        local=local,
+        agent_name=agent_name,
+        name=name,
+        participant_name=participant_name,
+        url=url,
+        arguments=arguments,
+        token=token,
+        key=key,
+    )
+
+
+async def _make_call(
+    *,
+    project_id: ProjectIdOption = None,
+    room: RoomOption,
+    role: str = "agent",
+    local: Optional[bool] = None,
+    agent_name: Annotated[
+        Optional[str], typer.Option(..., help="deprecated and unused", hidden=True)
+    ] = None,
+    name: Annotated[str, typer.Option(..., help="deprecated", hidden=True)] = None,
+    participant_name: Annotated[
+        Optional[str],
+        typer.Option(..., help="the participant name to be used by the callee"),
+    ] = None,
+    url: Annotated[str, typer.Option(..., help="URL the agent should call")],
+    arguments: Annotated[
+        str, typer.Option(..., help="JSON string with arguments for the call")
+    ] = {},
+    token: Optional[ParticipantToken] = None,
+    permissions: Optional[ApiScope] = None,
+    key: str,
 ):
     """
     Instruct an agent to 'call' a given URL with specific arguments.
 
     """
-
     if name is not None:
         print("[yellow]name is deprecated and should no longer be passed[/yellow]")
 
@@ -109,21 +176,17 @@ async def make_call(
     account_client = await get_client()
     try:
         project_id = await resolve_project_id(project_id=project_id)
-        api_key_id = await resolve_api_key(project_id, api_key_id)
+
         room = resolve_room(room)
 
-        key = (
-            await account_client.decrypt_project_api_key(
-                project_id=project_id, id=api_key_id
+        if token is None:
+            token = ParticipantToken(
+                name=participant_name,
             )
-        )["token"]
-
-        token = ParticipantToken(
-            name=participant_name, project_id=project_id, api_key_id=api_key_id
-        )
-        token.add_role_grant(role=role)
-        token.add_room_grant(room)
-        token.grants.append(ParticipantGrant(name="tunnel_ports", scope="9000"))
+            token.add_api_grant(permissions or ApiScope.agent_default())
+            token.add_role_grant(role=role)
+            token.add_room_grant(room)
+            token.grants.append(ParticipantGrant(name="tunnel_ports", scope="9000"))
 
         if local is None:
             local = is_local_url(url)
@@ -134,7 +197,7 @@ async def make_call(
                 data = {
                     "room_url": websocket_room_url(room_name=room),
                     "room_name": room,
-                    "token": token.to_jwt(token=key),
+                    "token": token.to_jwt(api_key=key),
                     "arguments": arguments,
                 }
 
@@ -148,7 +211,7 @@ async def make_call(
                     url=websocket_room_url(
                         room_name=room, base_url=meshagent_base_url()
                     ),
-                    token=token.to_jwt(token=key),
+                    token=token.to_jwt(api_key=key),
                 )
             ) as client:
                 print("[bold green]Making agent call...[/bold green]")