xenfra 0.2.7__py3-none-any.whl → 0.2.9__py3-none-any.whl

xenfra/commands/auth.py

@@ -85,165 +85,11 @@ def _exchange_code_for_tokens_with_retry(code: str, code_verifier: str, redirect
 
 @auth.command()
 def login():
-    """Login to Xenfra using OAuth2 PKCE flow."""
-    global oauth_data
-    oauth_data = {"code": None, "state": None, "error": None}
+    """Login to Xenfra using Device Authorization Flow (like GitHub CLI, Claude Code)."""
+    from .auth_device import device_login
+    device_login()
 
-    # 1. Generate PKCE parameters
-    code_verifier = secrets.token_urlsafe(96)
-    code_challenge = (
-        base64.urlsafe_b64encode(hashlib.sha256(code_verifier.encode()).digest())
-        .decode()
-        .rstrip("=")
-    )
-
-    # 2. Generate state for CSRF protection
-    state = secrets.token_urlsafe(32)
-
-    # 3. Start local HTTP server
-    server_port = None
-    httpd_instance = None
-    try:
-        for port in range(CLI_LOCAL_SERVER_START_PORT, CLI_LOCAL_SERVER_END_PORT + 1):
-            try:
-                server_address = ("127.0.0.1", port)
-                httpd_instance = HTTPServer(server_address, AuthCallbackHandler)
-                server_port = port
-                break
-            except OSError:
-                continue
-            except Exception as e:
-                console.print(f"[yellow]Warning: Failed to bind to port {port}: {e}[/yellow]")
-                continue
-
-        if not server_port:
-            console.print(
-                f"[bold red]Error: No available ports in range {CLI_LOCAL_SERVER_START_PORT}-{CLI_LOCAL_SERVER_END_PORT}[/bold red]"
-            )
-            return
-
-        redirect_uri = f"http://localhost:{server_port}{CLI_REDIRECT_PATH}"
-
-        # 4. Construct Authorization URL
-        auth_url = (
-            f"{API_BASE_URL}/auth/authorize?"
-            f"client_id={CLI_CLIENT_ID}&"
-            f"redirect_uri={urllib.parse.quote(redirect_uri)}&"
-            f"response_type=code&"
-            f"scope={urllib.parse.quote('openid profile')}&"
-            f"state={state}&"
-            f"code_challenge={code_challenge}&"
-            f"code_challenge_method=S256"
-        )
-
-        console.print("[bold blue]Opening browser for login...[/bold blue]")
-        console.print(
-            f"[dim]If browser doesn't open, navigate to:[/dim]\n[link={auth_url}]{auth_url}[/link]"
-        )
-
-        # Try to open browser, handle errors gracefully
-        try:
-            webbrowser.open(auth_url)
-        except Exception as e:
-            console.print(f"[yellow]Warning: Could not open browser automatically: {e}[/yellow]")
-            console.print(f"[dim]Please open the URL manually: {auth_url}[/dim]")
-
-        # 5. Run local server to capture redirect
-        try:
-            AuthCallbackHandler.server = httpd_instance  # type: ignore
-            httpd_instance.handle_request()  # type: ignore
-            console.print("[dim]Local OAuth server shut down.[/dim]")
-        except Exception as e:
-            console.print(f"[bold red]Error running OAuth server: {e}[/bold red]")
-            return
-        finally:
-            # Ensure server is closed
-            if httpd_instance:
-                try:
-                    httpd_instance.server_close()
-                except Exception:
-                    pass
-
-        if oauth_data["error"]:
-            console.print(f"[bold red]Login failed: {oauth_data['error']}[/bold red]")
-            return
-
-        if not oauth_data["code"]:
-            console.print("[bold red]Login failed: No authorization code received.[/bold red]")
-            return
-
-        # 6. Verify state (CSRF protection)
-        if not oauth_data.get("state"):
-            console.print(
-                "[bold red]Login failed: State parameter missing in callback (possible CSRF attack)[/bold red]"
-            )
-            return
-
-        if oauth_data["state"] != state:
-            console.print(
-                "[bold red]Login failed: State mismatch (possible CSRF attack)[/bold red]"
-            )
-            return
-
-        # 7. Exchange code for tokens with retry logic
-        console.print("[bold cyan]Exchanging authorization code for tokens...[/bold cyan]")
-        try:
-            token_data = _exchange_code_for_tokens_with_retry(
-                oauth_data["code"], code_verifier, redirect_uri
-            )
-
-            access_token = token_data.get("access_token")
-            refresh_token = token_data.get("refresh_token")
-
-            if access_token and refresh_token:
-                try:
-                    keyring.set_password(SERVICE_ID, "access_token", access_token)
-                    keyring.set_password(SERVICE_ID, "refresh_token", refresh_token)
-                    console.print(
-                        "[bold green]Login successful! Tokens saved securely.[/bold green]"
-                    )
-                except keyring.errors.KeyringError as e:
-                    console.print(f"[bold red]Failed to save tokens to keyring: {e}[/bold red]")
-                    console.print("[yellow]Tokens were received but not saved.[/yellow]")
-            else:
-                console.print("[bold red]Login failed: No tokens received.[/bold red]")
-
-        except httpx.TimeoutException:
-            console.print(
-                "[bold red]Token exchange failed: Request timed out. Please try again.[/bold red]"
-            )
-        except httpx.NetworkError as e:
-            console.print(
-                f"[bold red]Token exchange failed: Network error - {type(e).__name__}[/bold red]"
-            )
-        except httpx.HTTPStatusError as exc:
-            error_detail = "Unknown error"
-            try:
-                if exc.response.content:
-                    content_type = exc.response.headers.get("content-type", "")
-                    if "application/json" in content_type:
-                        error_data = exc.response.json()
-                        error_detail = error_data.get("detail", str(error_data))
-            except Exception:
-                error_detail = exc.response.text[:200] if exc.response.text else "Unknown error"
-
-            console.print(
-                f"[bold red]Token exchange failed: {exc.response.status_code} - {error_detail}[/bold red]"
-            )
-        except ValueError as e:
-            console.print(f"[bold red]Token exchange failed: {e}[/bold red]")
-        except Exception as e:
-            console.print(
-                f"[bold red]Token exchange failed: Unexpected error - {type(e).__name__}[/bold red]"
-            )
-
-    except Exception as e:
-        console.print(f"[bold red]Login failed: {type(e).__name__} - {e}[/bold red]")
-        if httpd_instance:
-            try:
-                httpd_instance.server_close()
-            except Exception:
-                pass
+    # Removed old PKCE flow - now using Device Authorization Flow
 
 
 @auth.command()

xenfra/commands/auth_device.py

@@ -0,0 +1,159 @@
+"""
+Device Authorization Flow for Xenfra CLI.
+Modern OAuth flow used by GitHub CLI, AWS CLI, Claude Code, etc.
+"""
+
+import time
+import webbrowser
+from urllib.parse import urlencode
+
+import click
+import httpx
+import keyring
+from rich.console import Console
+from rich.panel import Panel
+
+from ..utils.auth import API_BASE_URL, CLI_CLIENT_ID, HTTP_TIMEOUT, SERVICE_ID
+
+console = Console()
+
+
+def device_login():
+    """
+    Device Authorization Flow (OAuth 2.0 Device Grant).
+
+    Flow:
+    1. CLI calls /auth/device/authorize to get device_code and user_code
+    2. User visits https://www.xenfra.tech/activate and enters user_code
+    3. CLI polls /auth/device/token until user authorizes
+    4. CLI receives access_token and stores it
+    """
+    try:
+        # Step 1: Request device code
+        console.print("[cyan]Initiating device authorization...[/cyan]")
+
+        with httpx.Client(timeout=HTTP_TIMEOUT) as client:
+            response = client.post(
+                f"{API_BASE_URL}/auth/device/authorize",
+                data={
+                    "client_id": CLI_CLIENT_ID,
+                    "scope": "openid profile",
+                },
+            )
+            response.raise_for_status()
+            device_data = response.json()
+
+        device_code = device_data["device_code"]
+        user_code = device_data["user_code"]
+        verification_uri = device_data["verification_uri"]
+        verification_uri_complete = device_data.get("verification_uri_complete")
+        expires_in = device_data["expires_in"]
+        interval = device_data.get("interval", 5)
+
+        # Step 2: Show user code and open browser
+        console.print()
+        console.print(
+            Panel.fit(
+                f"[bold white]{user_code}[/bold white]",
+                title="[bold green]Your Activation Code[/bold green]",
+                border_style="green",
+            )
+        )
+        console.print()
+        console.print(f"[bold]Visit:[/bold] [link]{verification_uri}[/link]")
+        console.print(f"[bold]Enter code:[/bold] [cyan]{user_code}[/cyan]")
+        console.print()
+
+        # Open browser automatically
+        try:
+            url_to_open = verification_uri_complete or verification_uri
+            webbrowser.open(url_to_open)
+            console.print("[dim]Opening browser...[/dim]")
+        except Exception:
+            console.print("[yellow]Could not open browser automatically. Please visit the URL above.[/yellow]")
+
+        # Step 3: Poll for authorization
+        console.print()
+        console.print("[cyan]Waiting for authorization...[/cyan]")
+        console.print("[dim](Press Ctrl+C to cancel)[/dim]")
+        console.print()
+
+        start_time = time.time()
+        poll_count = 0
+
+        with httpx.Client(timeout=HTTP_TIMEOUT) as client:
+            while True:
+                # Check timeout
+                if time.time() - start_time > expires_in:
+                    console.print("[bold red]✗ Authorization timed out. Please try again.[/bold red]")
+                    return False
+
+                # Poll the token endpoint
+                try:
+                    response = client.post(
+                        f"{API_BASE_URL}/auth/device/token",
+                        data={
+                            "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
+                            "device_code": device_code,
+                            "client_id": CLI_CLIENT_ID,
+                        },
+                    )
+
+                    if response.status_code == 200:
+                        # Success! User authorized
+                        token_data = response.json()
+                        access_token = token_data["access_token"]
+                        refresh_token = token_data.get("refresh_token")
+
+                        # Store tokens in keyring
+                        try:
+                            keyring.set_password(SERVICE_ID, "access_token", access_token)
+                            if refresh_token:
+                                keyring.set_password(SERVICE_ID, "refresh_token", refresh_token)
+                        except keyring.errors.KeyringError as e:
+                            console.print(f"[yellow]Warning: Could not save tokens to keyring: {e}[/yellow]")
+
+                        console.print()
+                        console.print("[bold green]✓ Successfully authenticated![/bold green]")
+                        console.print()
+                        return True
+
+                    elif response.status_code == 400:
+                        error_data = response.json()
+                        error = error_data.get("error", "unknown_error")
+
+                        if error == "authorization_pending":
+                            # Still waiting for user to authorize
+                            poll_count += 1
+                            if poll_count % 6 == 0:  # Every 30 seconds
+                                console.print("[dim]Still waiting...[/dim]")
+                            time.sleep(interval)
+                            continue
+
+                        elif error == "slow_down":
+                            # We're polling too fast
+                            interval += 5
+                            time.sleep(interval)
+                            continue
+
+                        else:
+                            # Other error
+                            error_desc = error_data.get("error_description", error)
+                            console.print(f"[bold red]✗ Authorization failed: {error_desc}[/bold red]")
+                            return False
+
+                    else:
+                        console.print(f"[bold red]✗ Unexpected response: {response.status_code}[/bold red]")
+                        return False
+
+                except httpx.HTTPError as e:
+                    console.print(f"[bold red]✗ Network error: {e}[/bold red]")
+                    return False
+
+    except KeyboardInterrupt:
+        console.print()
+        console.print("[yellow]Authorization cancelled.[/yellow]")
+        return False
+    except Exception as e:
+        console.print(f"[bold red]✗ Error: {e}[/bold red]")
+        return False

xenfra/main.py

@@ -5,10 +5,8 @@ A modern, AI-powered CLI for deploying Python apps to DigitalOcean.
 """
 
 import os
-from pathlib import Path
 
 import click
-from dotenv import load_dotenv
 from rich.console import Console
 
 from .commands.auth import auth
@@ -19,14 +17,12 @@ from .commands.security_cmd import security
 
 console = Console()
 
-# Load .env file from project root (searches parent directories)
-# This allows CLI to use XENFRA_API_URL and other vars from .env
-load_dotenv(dotenv_path=Path.cwd() / ".env", override=False)
-load_dotenv(override=False)  # Also check current directory and parents
+# Production-ready: API URL is hardcoded as https://api.xenfra.tech
+# No configuration needed - works out of the box after pip install
 
 
 @click.group()
-@click.version_option(version="0.2.3")
+@click.version_option(version="0.2.9")
 def cli():
     """
     Xenfra CLI: Deploy Python apps to DigitalOcean with zero configuration.

xenfra/utils/security.py

@@ -44,22 +44,15 @@ class SecurityConfig:
 
     def __init__(self):
         """Initialize security configuration from environment."""
-        # Environment detection - Solution 3
-        self.environment = os.getenv("XENFRA_ENV", "development").lower()
-
-        # Security settings (can be overridden by environment variables)
-        self.enforce_https = os.getenv("XENFRA_ENFORCE_HTTPS", "false").lower() == "true"
-        self.enforce_whitelist = os.getenv("XENFRA_ENFORCE_WHITELIST", "false").lower() == "true"
-        self.enable_cert_pinning = (
-            os.getenv("XENFRA_ENABLE_CERT_PINNING", "false").lower() == "true"
-        )
-        self.warn_on_http = os.getenv("XENFRA_WARN_ON_HTTP", "true").lower() == "true"
+        # PRODUCTION-ONLY: Default to production settings
+        # Environment variable only used for self-hosted instances
+        self.environment = "production"
 
-        # Auto-enable strict security in production
-        if self.environment == "production":
-            self.enforce_https = True
-            self.enforce_whitelist = True
-            self.enable_cert_pinning = True
+        # Security settings - ALWAYS enforced for production safety
+        self.enforce_https = True  # Always require HTTPS
+        self.enforce_whitelist = False  # Allow self-hosted instances
+        self.enable_cert_pinning = False  # Disabled (see future-enhancements.md #3)
+        self.warn_on_http = True  # Always warn on HTTP
 
     def is_production(self) -> bool:
         """Check if running in production environment."""
@@ -243,25 +236,19 @@ def validate_and_get_api_url(url: str = None) -> str:
     Comprehensive API URL validation (combines all 4 solutions).
 
     Args:
-        url: Optional URL override (defaults to XENFRA_API_URL env var)
+        url: Optional URL override (only for self-hosted instances)
 
     Returns:
-        Validated API URL
+        Validated API URL (defaults to https://api.xenfra.tech)
 
     Raises:
         ValueError: If URL fails validation
         click.Abort: If user cancels security prompts
     """
-    # Get URL from parameter or environment
+    # PRODUCTION DEFAULT: Use hardcoded production URL
+    # Only check environment variable for self-hosted overrides
     if url is None:
-        url = os.getenv("XENFRA_API_URL")
-
-        # Use production URL in production environment
-        if url is None and security_config.is_production():
-            url = PRODUCTION_API_URL
-        # Use localhost in development
-        elif url is None:
-            url = "http://localhost:8000"
+        url = os.getenv("XENFRA_API_URL", PRODUCTION_API_URL)
 
     try:
         # Solution 1: Validate URL format
@@ -316,41 +303,34 @@ def display_security_info():
 
 # Environment variable documentation
 """
-Security can be configured via environment variables:
-
-XENFRA_ENV=production|staging|development
-  - Controls default security settings
-  - production: All security features enabled
-  - development: Permissive mode (localhost allowed)
+PRODUCTION-FIRST DESIGN:
+The CLI defaults to production (api.xenfra.tech) with HTTPS enforcement.
+No configuration needed for normal users.
 
-XENFRA_ENFORCE_HTTPS=true|false
-  - Require HTTPS for all connections (except localhost)
-  - Default: false (dev), true (production)
-
-XENFRA_ENFORCE_WHITELIST=true|false
-  - Block connections to non-whitelisted domains
-  - Default: false (dev), true (production)
+Environment variables (for developers/self-hosted only):
 
-XENFRA_ENABLE_CERT_PINNING=true|false
-  - Enable certificate pinning for production domains
-  - Default: false (dev), true (production)
+XENFRA_ENV=development
+  - Enables local development mode
+  - Allows HTTP, relaxes security
+  - Default: production (safe by default)
 
-XENFRA_WARN_ON_HTTP=true|false
-  - Show warning when using HTTP (non-localhost)
-  - Default: true
+XENFRA_API_URL=https://your-instance.com
+  - Override API URL for self-hosted instances
+  - Default: https://api.xenfra.tech
 
-XENFRA_API_URL=https://api.example.com
-  - Override default API URL
-  - Subject to all security validations
+XENFRA_ENFORCE_HTTPS=true|false
+  - Require HTTPS for all connections
+  - Default: true (production), false (development)
 
 Example usage:
 
-# Development (permissive):
-XENFRA_API_URL=http://localhost:8000 xenfra login
+# Production users (zero config):
+xenfra auth login
+xenfra deploy
 
-# Self-hosted instance (disable whitelist):
-XENFRA_API_URL=https://xenfra.mycompany.com XENFRA_ENFORCE_WHITELIST=false xenfra login
+# Local development:
+XENFRA_ENV=development xenfra auth login
 
-# Production (strict):
-XENFRA_ENV=production XENFRA_API_URL=https://api.xenfra.tech xenfra login
+# Self-hosted instance:
+XENFRA_API_URL=https://xenfra.mycompany.com xenfra login
 """

{xenfra-0.2.7.dist-info → xenfra-0.2.9.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: xenfra
-Version: 0.2.7
+Version: 0.2.9
 Summary: A 'Zen Mode' infrastructure engine for Python developers.
 Author: xenfra-cloud
 Author-email: xenfra-cloud <xenfracloud@gmail.com>

{xenfra-0.2.7.dist-info → xenfra-0.2.9.dist-info}/RECORD

@@ -1,18 +1,19 @@
 xenfra/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 xenfra/commands/__init__.py,sha256=bdugTOErbWUhDvnwFl17KkGPPV7gtmDkSOzhF_NEHX0,40
-xenfra/commands/auth.py,sha256=W7ncG9ombHRKpjxKEZov5Fj3Tlr8Cx0mbze5nrPedlw,10175
+xenfra/commands/auth.py,sha256=vFsvoIzc_kea__2wA62YioxOURLorFIqiVZoqKaKRbk,3972
+xenfra/commands/auth_device.py,sha256=gUUBiOnszUCiUkFdIH1DoIzEnV4AS38MRy6WwAGo_4Q,6205
 xenfra/commands/deployments.py,sha256=-185BevHVrUT-LAU2k_uZNpKJPCcwpCDEHOFPfD0Wmw,19348
 xenfra/commands/intelligence.py,sha256=w8GxwGu63KQ5fwhPpTNTDeW1Xg5g3aFzzIBuP_CeRQo,13541
 xenfra/commands/projects.py,sha256=O2tG--iDWN5oCcHOv1jp88kl9bAK61oGRCLJ60M0b7E,6492
 xenfra/commands/security_cmd.py,sha256=MJxbjQksKrtRn21FSAhTY3ESn_S_tUCGfdNRWL7kNsc,7094
-xenfra/main.py,sha256=KLIqdvMpo2ahoz_vnoxq9yPwOJhnyRJKQ4pDgr4FovY,2110
+xenfra/main.py,sha256=kLZWK-aAw3HC7uOp85WKSsNDiyy6XifWwGMOAbTQPaU,1926
 xenfra/utils/__init__.py,sha256=57o8j7Tibrhyid84zTFLHjFmRP5sCnNbtLEfpRqIpMk,42
 xenfra/utils/auth.py,sha256=oDxDiIWC9851fu_gL-7TVJ60uJT3sZ_DvMIy69SUAEM,8308
 xenfra/utils/codebase.py,sha256=vx-1pMpnefPJ_Xy1UoH7wgHJ2c5ZAsVX1g1IXAfkI28,4018
 xenfra/utils/config.py,sha256=6A6WAggaH2Rco4RJydALxcKteOzXLCKDV0ZxjHhAJHk,11584
-xenfra/utils/security.py,sha256=IR_Hzgfc4KeT-qr2LVBxSvBTO4AP4MCkIlU47_yKN_0,11947
+xenfra/utils/security.py,sha256=V0CqA47ZYt-8AesWb7FPRzzygqEY_g2WF1Duvs5BZ_Y,11143
 xenfra/utils/validation.py,sha256=6mGC5CqAbx-CBp06omWLBpKjnEWXsEzlYWq71wjDeX8,6678
-xenfra-0.2.7.dist-info/WHEEL,sha256=ZyFSCYkV2BrxH6-HRVRg3R9Fo7MALzer9KiPYqNxSbo,79
-xenfra-0.2.7.dist-info/entry_points.txt,sha256=a_2cGhYK__X6eW05Ba8uB6RIM_61c2sHtXsPY8N0mic,45
-xenfra-0.2.7.dist-info/METADATA,sha256=6BeWMSpOmcy-enLutVCeq8XOR0MfuRJRaz4gEbSD_bA,3751
-xenfra-0.2.7.dist-info/RECORD,,
+xenfra-0.2.9.dist-info/WHEEL,sha256=ZyFSCYkV2BrxH6-HRVRg3R9Fo7MALzer9KiPYqNxSbo,79
+xenfra-0.2.9.dist-info/entry_points.txt,sha256=a_2cGhYK__X6eW05Ba8uB6RIM_61c2sHtXsPY8N0mic,45
+xenfra-0.2.9.dist-info/METADATA,sha256=-SyUFzDdmncdgGvbOHdgepZM6IDYQIpziPhZs0v8FzE,3751
+xenfra-0.2.9.dist-info/RECORD,,