xenfra 0.3.1__py3-none-any.whl → 0.3.3__py3-none-any.whl

xenfra/commands/auth.py

@@ -114,22 +114,29 @@ def whoami(token):
         return
 
     try:
-        from jose import jwt
-
-        # For display purposes only, in a CLI context where the token has just
-        # been retrieved from a secure source (keyring), we can disable
-        # signature verification.
-        #
-        # SECURITY BEST PRACTICE: In a real application, especially a server,
-        # you would fetch the public key from the SSO's JWKS endpoint and
-        # fully verify the token's signature to ensure its integrity.
-        claims = jwt.decode(
-            access_token, options={"verify_signature": False}  # OK for local display
-        )
+        import base64
+        import json
+
+        # Manually decode JWT payload without verification
+        # JWT format: header.payload.signature
+        parts = access_token.split(".")
+        if len(parts) != 3:
+            console.print("[bold red]Invalid token format[/bold red]")
+            return
+
+        # Decode payload (second part)
+        payload_b64 = parts[1]
+        # Add padding if needed
+        padding = 4 - len(payload_b64) % 4
+        if padding != 4:
+            payload_b64 += "=" * padding
+
+        payload_bytes = base64.urlsafe_b64decode(payload_b64)
+        claims = json.loads(payload_bytes)
 
         console.print("[bold green]Logged in as:[/bold green]")
-        console.print(f"  User ID: {claims.get('sub')}")
-        console.print(f"  Email: {claims.get('email', 'N/A')}")
+        console.print(f"  Email: {claims.get('sub', 'N/A')}")
+        console.print(f"  User ID: {claims.get('user_id', 'N/A')}")
 
         if token:
             console.print(f"\n[dim]Access Token:[/dim]\n{access_token}")

xenfra/commands/auth_device.py

@@ -105,13 +105,18 @@ def device_login():
                         access_token = token_data["access_token"]
                         refresh_token = token_data.get("refresh_token")
 
-                        # Store tokens in keyring
+                        # Store tokens (keyring or file fallback)
                         try:
                             keyring.set_password(SERVICE_ID, "access_token", access_token)
                             if refresh_token:
                                 keyring.set_password(SERVICE_ID, "refresh_token", refresh_token)
                         except keyring.errors.KeyringError as e:
-                            console.print(f"[yellow]Warning: Could not save tokens to keyring: {e}[/yellow]")
+                            console.print(f"[dim]Keyring unavailable, using file storage: {e}[/dim]")
+                            # Fallback to file storage
+                            from ..utils.auth import _set_token_to_file
+                            _set_token_to_file("access_token", access_token)
+                            if refresh_token:
+                                _set_token_to_file("refresh_token", refresh_token)
 
                         console.print()
                         console.print("[bold green]✓ Successfully authenticated![/bold green]")

xenfra/commands/intelligence.py

@@ -34,6 +34,41 @@ def get_client() -> XenfraClient:
         console.print("[bold red]Not logged in. Run 'xenfra login' first.[/bold red]")
         raise click.Abort()
 
+    # DEBUG: Show token details
+    import base64
+    import json
+    try:
+        parts = token.split(".")
+        if len(parts) == 3:
+            # Decode payload
+            payload_b64 = parts[1]
+            padding = 4 - len(payload_b64) % 4
+            if padding != 4:
+                payload_b64 += "=" * padding
+            payload_bytes = base64.urlsafe_b64decode(payload_b64)
+            claims = json.loads(payload_bytes)
+
+            console.print("[dim]━━━ DEBUG: Token Info ━━━[/dim]")
+            console.print(f"[dim]  API URL: {API_BASE_URL}[/dim]")
+            console.print(f"[dim]  Token prefix: {token[:20]}...[/dim]")
+            console.print(f"[dim]  sub (email): {claims.get('sub', 'MISSING')}[/dim]")
+            console.print(f"[dim]  user_id: {claims.get('user_id', 'MISSING')}[/dim]")
+            console.print(f"[dim]  iss (issuer): {claims.get('iss', 'MISSING')}[/dim]")
+            console.print(f"[dim]  aud (audience): {claims.get('aud', 'MISSING')}[/dim]")
+
+            # Check if token is expired
+            exp = claims.get('exp')
+            if exp:
+                import time
+                is_expired = time.time() >= exp
+                from datetime import datetime, timezone
+                exp_time = datetime.fromtimestamp(exp, tz=timezone.utc)
+                console.print(f"[dim]  expires_at: {exp_time}[/dim]")
+                console.print(f"[dim]  expired: {is_expired}[/dim]")
+            console.print("[dim]━━━━━━━━━━━━━━━━━━━━━[/dim]\n")
+    except Exception as e:
+        console.print(f"[dim]DEBUG: Could not decode token: {e}[/dim]\n")
+
     return XenfraClient(token=token, api_url=API_BASE_URL)
 
 

xenfra/utils/auth.py

@@ -3,7 +3,10 @@ Authentication utilities for Xenfra CLI.
 Handles OAuth2 PKCE flow and token management.
 """
 
+import json
+import os
 from http.server import BaseHTTPRequestHandler, HTTPServer
+from pathlib import Path
 from urllib.parse import parse_qs, urlparse
 
 import httpx
@@ -24,6 +27,9 @@ console = Console()
 API_BASE_URL = validate_and_get_api_url()
 SERVICE_ID = "xenfra"
 
+# Fallback file-based token storage (for Windows if keyring fails)
+TOKEN_FILE = Path.home() / ".xenfra" / "tokens.json"
+
 # CLI OAuth2 Configuration
 CLI_CLIENT_ID = "xenfra-cli"
 CLI_REDIRECT_PATH = "/auth/callback"
@@ -118,6 +124,62 @@ def _refresh_token_with_retry(refresh_token: str) -> dict:
         return token_data
 
 
+def _get_token_from_file(key: str) -> str | None:
+    """Fallback: Get token from file storage (for Windows if keyring fails)."""
+    try:
+        if TOKEN_FILE.exists():
+            with open(TOKEN_FILE, "r") as f:
+                tokens = json.load(f)
+                return tokens.get(key)
+    except Exception:
+        pass
+    return None
+
+
+def _set_token_to_file(key: str, value: str):
+    """Fallback: Save token to file storage (for Windows if keyring fails)."""
+    try:
+        TOKEN_FILE.parent.mkdir(parents=True, exist_ok=True)
+
+        # Load existing tokens
+        tokens = {}
+        if TOKEN_FILE.exists():
+            with open(TOKEN_FILE, "r") as f:
+                tokens = json.load(f)
+
+        # Update token
+        tokens[key] = value
+
+        # Save (with restrictive permissions on Unix-like systems)
+        with open(TOKEN_FILE, "w") as f:
+            json.dump(tokens, f)
+
+        # Set file permissions (owner read/write only)
+        if os.name != "nt":  # Not Windows
+            TOKEN_FILE.chmod(0o600)
+    except Exception as e:
+        console.print(f"[yellow]Warning: Could not save token to file: {e}[/yellow]")
+
+
+def _delete_token_from_file(key: str):
+    """Fallback: Delete token from file storage."""
+    try:
+        if TOKEN_FILE.exists():
+            with open(TOKEN_FILE, "r") as f:
+                tokens = json.load(f)
+
+            if key in tokens:
+                del tokens[key]
+
+                if tokens:
+                    with open(TOKEN_FILE, "w") as f:
+                        json.dump(tokens, f)
+                else:
+                    TOKEN_FILE.unlink()  # Delete file if empty
+    except Exception:
+        pass
+
+
 def get_auth_token() -> str | None:
     """
     Retrieve a valid access token, refreshing it if necessary.
@@ -125,12 +187,20 @@ def get_auth_token() -> str | None:
     Returns:
         Valid access token or None if not authenticated
     """
+    # Try keyring first
+    access_token = None
+    refresh_token = None
+    use_file_fallback = False
+
     try:
         access_token = keyring.get_password(SERVICE_ID, "access_token")
         refresh_token = keyring.get_password(SERVICE_ID, "refresh_token")
+        console.print("[dim]DEBUG: Token retrieved from keyring[/dim]")
     except keyring.errors.KeyringError as e:
-        console.print(f"[yellow]Warning: Could not access keyring: {e}[/yellow]")
-        return None
+        console.print(f"[dim]DEBUG: Keyring unavailable, using file storage: {e}[/dim]")
+        use_file_fallback = True
+        access_token = _get_token_from_file("access_token")
+        refresh_token = _get_token_from_file("refresh_token")
 
     if not access_token:
         return None
@@ -173,18 +243,24 @@ def get_auth_token() -> str | None:
             new_refresh_token = token_data.get("refresh_token")
 
             if new_access_token:
-                try:
-                    keyring.set_password(SERVICE_ID, "access_token", new_access_token)
+                # Save tokens (keyring or file fallback)
+                if use_file_fallback:
+                    _set_token_to_file("access_token", new_access_token)
                     if new_refresh_token:
-                        keyring.set_password(SERVICE_ID, "refresh_token", new_refresh_token)
-                    console.print("[bold green]Token refreshed successfully.[/bold green]")
-                    return new_access_token
-                except keyring.errors.KeyringError as e:
-                    console.print(
-                        f"[yellow]Warning: Could not save refreshed token to keyring: {e}[/yellow]"
-                    )
-                    # Return the token anyway, but warn user
-                    return new_access_token
+                        _set_token_to_file("refresh_token", new_refresh_token)
+                else:
+                    try:
+                        keyring.set_password(SERVICE_ID, "access_token", new_access_token)
+                        if new_refresh_token:
+                            keyring.set_password(SERVICE_ID, "refresh_token", new_refresh_token)
+                    except keyring.errors.KeyringError as e:
+                        console.print(f"[dim]Keyring failed, falling back to file storage: {e}[/dim]")
+                        _set_token_to_file("access_token", new_access_token)
+                        if new_refresh_token:
+                            _set_token_to_file("refresh_token", new_refresh_token)
+
+                console.print("[bold green]Token refreshed successfully.[/bold green]")
+                return new_access_token
             else:
                 console.print("[bold red]Failed to get new access token.[/bold red]")
                 return None
@@ -214,11 +290,7 @@ def get_auth_token() -> str | None:
                 )
 
             # Clear tokens on refresh failure
-            try:
-                keyring.delete_password(SERVICE_ID, "access_token")
-                keyring.delete_password(SERVICE_ID, "refresh_token")
-            except keyring.errors.KeyringError:
-                pass  # Ignore errors when clearing
+            clear_tokens()
             return None
         except ValueError as e:
             console.print(f"[bold red]Token refresh failed: {e}[/bold red]")
@@ -233,11 +305,16 @@ def get_auth_token() -> str | None:
 
 
 def clear_tokens():
-    """Clear stored access and refresh tokens."""
+    """Clear stored access and refresh tokens (from both keyring and file)."""
+    # Clear from keyring
     try:
         keyring.delete_password(SERVICE_ID, "access_token")
         keyring.delete_password(SERVICE_ID, "refresh_token")
     except keyring.errors.PasswordDeleteError:
         pass  # Tokens already cleared
-    except keyring.errors.KeyringError as e:
-        console.print(f"[yellow]Warning: Could not clear tokens from keyring: {e}[/yellow]")
+    except keyring.errors.KeyringError:
+        pass  # Keyring not available, that's OK
+
+    # Clear from file storage (fallback)
+    _delete_token_from_file("access_token")
+    _delete_token_from_file("refresh_token")

{xenfra-0.3.1.dist-info → xenfra-0.3.3.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: xenfra
-Version: 0.3.1
+Version: 0.3.3
 Summary: A 'Zen Mode' infrastructure engine for Python developers.
 Author: xenfra-cloud
 Author-email: xenfra-cloud <xenfracloud@gmail.com>

{xenfra-0.3.1.dist-info → xenfra-0.3.3.dist-info}/RECORD

@@ -1,19 +1,19 @@
 xenfra/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 xenfra/commands/__init__.py,sha256=kTTwVnTvoxikyPUhQiyTAbnw4PYafktuE1----TqQoA,43
-xenfra/commands/auth.py,sha256=UMtaIPsBqrVoYDmXkbQZoeEQrPyf6vHQmgPFS4PGwYQ,4109
-xenfra/commands/auth_device.py,sha256=BfSjyoOHgvfPH69QdD4fF_VdCktS99z2k7UGFPClWls,6364
+xenfra/commands/auth.py,sha256=ecReVCGl7Ys2d77mv_e4mCbs4ug6FLIb3S9dl2FUhr4,4178
+xenfra/commands/auth_device.py,sha256=caD2UdveEZtAFjgjmnA-l5bjbbPONFjXJXgeJN7mhbk,6710
 xenfra/commands/deployments.py,sha256=bI6d9lVYPhCDoQE3nke7s80MUQ75ILPqiEGhcbXDExo,28609
-xenfra/commands/intelligence.py,sha256=1lw1Pw6deyC52JmpK8YAVFuydAC7cvg_2qiRnw8B8Yc,13884
+xenfra/commands/intelligence.py,sha256=leaGDzSG2rGrdNLvRHHZrWsRQXvnTj3-aX7T62xdk3Y,15572
 xenfra/commands/projects.py,sha256=SAxF_pOr95K6uz35U-zENptKndKxJNZn6bcD45PHcpI,6696
 xenfra/commands/security_cmd.py,sha256=EI5sjX2lcMxgMH-LCFmPVkc9YqadOrcoSgTiKknkVRY,7327
 xenfra/main.py,sha256=2EPPuIdxjhW-I-e-Mc0i2ayeLaSJdmzddNThkXq7B7c,2033
 xenfra/utils/__init__.py,sha256=4ZRYkrb--vzoXjBHG8zRxz2jCXNGtAoKNtkyu2WRI2A,45
-xenfra/utils/auth.py,sha256=L6fDwYbvDhZ7gky68GxNEMHGxdi-k1kzFvjDSe-uqI4,9092
+xenfra/utils/auth.py,sha256=jyzwGrA7NEheUoggOgERMBl-45g0NNbNhjLDv8aK-SQ,11614
 xenfra/utils/codebase.py,sha256=57GthXOvOQnUHiDwIHqxK6hNUGWlWf6Nfs3T8647Wrc,4144
 xenfra/utils/config.py,sha256=F2zedd3JXP7TBdul0u8b4NVx-C1N6Hq4sH5szyWim6M,11947
 xenfra/utils/security.py,sha256=EA8CIPLt8Y-QP5uZ7c5NuC6ZLRV1aZS8NapS9ix_vok,11479
 xenfra/utils/validation.py,sha256=cvuL_AEFJ2oCoP0abCqoOIABOwz79Gkf-jh_dcFIQlM,6912
-xenfra-0.3.1.dist-info/WHEEL,sha256=RRVLqVugUmFOqBedBFAmA4bsgFcROUBiSUKlERi0Hcg,79
-xenfra-0.3.1.dist-info/entry_points.txt,sha256=a_2cGhYK__X6eW05Ba8uB6RIM_61c2sHtXsPY8N0mic,45
-xenfra-0.3.1.dist-info/METADATA,sha256=nGWJ17J9a4dKTy_nT3Qu_0elfTlM3vhB-u_ArQ7U_uE,3834
-xenfra-0.3.1.dist-info/RECORD,,
+xenfra-0.3.3.dist-info/WHEEL,sha256=RRVLqVugUmFOqBedBFAmA4bsgFcROUBiSUKlERi0Hcg,79
+xenfra-0.3.3.dist-info/entry_points.txt,sha256=a_2cGhYK__X6eW05Ba8uB6RIM_61c2sHtXsPY8N0mic,45
+xenfra-0.3.3.dist-info/METADATA,sha256=uISd9cESqrhksNFb9QS9KpSeqOCs4lbs0_uT4r-5HJk,3834
+xenfra-0.3.3.dist-info/RECORD,,