xenfra 0.3.2__py3-none-any.whl → 0.3.4__py3-none-any.whl

xenfra/commands/auth.py

@@ -114,18 +114,25 @@ def whoami(token):
         return
 
     try:
-        from jose import jwt
-
-        # For display purposes only, in a CLI context where the token has just
-        # been retrieved from a secure source (keyring), we can disable
-        # signature verification.
-        #
-        # SECURITY BEST PRACTICE: In a real application, especially a server,
-        # you would fetch the public key from the SSO's JWKS endpoint and
-        # fully verify the token's signature to ensure its integrity.
-        claims = jwt.decode(
-            access_token, options={"verify_signature": False}  # OK for local display
-        )
+        import base64
+        import json
+
+        # Manually decode JWT payload without verification
+        # JWT format: header.payload.signature
+        parts = access_token.split(".")
+        if len(parts) != 3:
+            console.print("[bold red]Invalid token format[/bold red]")
+            return
+
+        # Decode payload (second part)
+        payload_b64 = parts[1]
+        # Add padding if needed
+        padding = 4 - len(payload_b64) % 4
+        if padding != 4:
+            payload_b64 += "=" * padding
+
+        payload_bytes = base64.urlsafe_b64decode(payload_b64)
+        claims = json.loads(payload_bytes)
 
         console.print("[bold green]Logged in as:[/bold green]")
         console.print(f"  Email: {claims.get('sub', 'N/A')}")

xenfra/commands/intelligence.py

@@ -34,6 +34,43 @@ def get_client() -> XenfraClient:
         console.print("[bold red]Not logged in. Run 'xenfra login' first.[/bold red]")
         raise click.Abort()
 
+    # DEBUG: Only show token info if XENFRA_DEBUG environment variable is set
+    import os
+    if os.getenv("XENFRA_DEBUG") == "1":
+        import base64
+        import json
+        try:
+            parts = token.split(".")
+            if len(parts) == 3:
+                # Decode payload
+                payload_b64 = parts[1]
+                padding = 4 - len(payload_b64) % 4
+                if padding != 4:
+                    payload_b64 += "=" * padding
+                payload_bytes = base64.urlsafe_b64decode(payload_b64)
+                claims = json.loads(payload_bytes)
+
+                console.print("[dim]━━━ DEBUG: Token Info ━━━[/dim]")
+                console.print(f"[dim]  API URL: {API_BASE_URL}[/dim]")
+                console.print(f"[dim]  Token prefix: {token[:20]}...[/dim]")
+                console.print(f"[dim]  sub (email): {claims.get('sub', 'MISSING')}[/dim]")
+                console.print(f"[dim]  user_id: {claims.get('user_id', 'MISSING')}[/dim]")
+                console.print(f"[dim]  iss (issuer): {claims.get('iss', 'MISSING')}[/dim]")
+                console.print(f"[dim]  aud (audience): {claims.get('aud', 'MISSING')}[/dim]")
+
+                # Check if token is expired
+                exp = claims.get('exp')
+                if exp:
+                    import time
+                    is_expired = time.time() >= exp
+                    from datetime import datetime, timezone
+                    exp_time = datetime.fromtimestamp(exp, tz=timezone.utc)
+                    console.print(f"[dim]  expires_at: {exp_time}[/dim]")
+                    console.print(f"[dim]  expired: {is_expired}[/dim]")
+                console.print("[dim]━━━━━━━━━━━━━━━━━━━━━[/dim]\n")
+        except Exception as e:
+            console.print(f"[dim]DEBUG: Could not decode token: {e}[/dim]\n")
+
     return XenfraClient(token=token, api_url=API_BASE_URL)
 
 

xenfra/utils/auth.py

@@ -124,37 +124,89 @@ def _refresh_token_with_retry(refresh_token: str) -> dict:
         return token_data
 
 
+def _get_encryption_key() -> bytes:
+    """
+    Get or create encryption key for file-based token storage.
+
+    Uses machine-specific identifier to generate key (not perfect but better than plaintext).
+    """
+    import platform
+    import hashlib
+
+    # Use machine ID + username as seed (available on Windows/Linux/Mac)
+    machine_id = platform.node() + os.getlogin()
+    key = hashlib.sha256(machine_id.encode()).digest()[:32]  # 32 bytes for Fernet
+    return key
+
+
 def _get_token_from_file(key: str) -> str | None:
     """Fallback: Get token from file storage (for Windows if keyring fails)."""
     try:
         if TOKEN_FILE.exists():
+            with open(TOKEN_FILE, "rb") as f:
+                encrypted_data = f.read()
+
+            # Decrypt the file contents
+            from cryptography.fernet import Fernet
+            import base64
+
+            fernet_key = base64.urlsafe_b64encode(_get_encryption_key())
+            cipher = Fernet(fernet_key)
+            decrypted_data = cipher.decrypt(encrypted_data)
+            tokens = json.loads(decrypted_data.decode())
+            return tokens.get(key)
+    except Exception:
+        # If decryption fails, try reading as plaintext (for backward compatibility)
+        try:
             with open(TOKEN_FILE, "r") as f:
                 tokens = json.load(f)
                 return tokens.get(key)
-    except Exception:
-        pass
+        except Exception:
+            pass
     return None
 
 
 def _set_token_to_file(key: str, value: str):
-    """Fallback: Save token to file storage (for Windows if keyring fails)."""
+    """Fallback: Save token to file storage (encrypted for Windows if keyring fails)."""
     try:
         TOKEN_FILE.parent.mkdir(parents=True, exist_ok=True)
 
-        # Load existing tokens
+        # Load existing tokens (try encrypted first, then plaintext)
         tokens = {}
         if TOKEN_FILE.exists():
-            with open(TOKEN_FILE, "r") as f:
-                tokens = json.load(f)
+            try:
+                with open(TOKEN_FILE, "rb") as f:
+                    encrypted_data = f.read()
+                from cryptography.fernet import Fernet
+                import base64
+
+                fernet_key = base64.urlsafe_b64encode(_get_encryption_key())
+                cipher = Fernet(fernet_key)
+                decrypted_data = cipher.decrypt(encrypted_data)
+                tokens = json.loads(decrypted_data.decode())
+            except Exception:
+                # Fallback to plaintext for backward compatibility
+                try:
+                    with open(TOKEN_FILE, "r") as f:
+                        tokens = json.load(f)
+                except Exception:
+                    tokens = {}
 
         # Update token
         tokens[key] = value
 
-        # Save (with restrictive permissions on Unix-like systems)
-        with open(TOKEN_FILE, "w") as f:
-            json.dump(tokens, f)
+        # Encrypt and save
+        from cryptography.fernet import Fernet
+        import base64
+
+        fernet_key = base64.urlsafe_b64encode(_get_encryption_key())
+        cipher = Fernet(fernet_key)
+        encrypted_data = cipher.encrypt(json.dumps(tokens).encode())
+
+        with open(TOKEN_FILE, "wb") as f:
+            f.write(encrypted_data)
 
-        # Set file permissions (owner read/write only)
+        # Set file permissions (owner read/write only) - works on Unix-like systems
         if os.name != "nt":  # Not Windows
             TOKEN_FILE.chmod(0o600)
     except Exception as e:
@@ -195,8 +247,11 @@ def get_auth_token() -> str | None:
     try:
         access_token = keyring.get_password(SERVICE_ID, "access_token")
         refresh_token = keyring.get_password(SERVICE_ID, "refresh_token")
+        if os.getenv("XENFRA_DEBUG") == "1":
+            console.print("[dim]DEBUG: Token retrieved from keyring[/dim]")
     except keyring.errors.KeyringError as e:
-        console.print(f"[dim]Keyring unavailable, using file storage: {e}[/dim]")
+        if os.getenv("XENFRA_DEBUG") == "1":
+            console.print(f"[dim]DEBUG: Keyring unavailable, using file storage: {e}[/dim]")
         use_file_fallback = True
         access_token = _get_token_from_file("access_token")
         refresh_token = _get_token_from_file("refresh_token")

{xenfra-0.3.2.dist-info → xenfra-0.3.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: xenfra
-Version: 0.3.2
+Version: 0.3.4
 Summary: A 'Zen Mode' infrastructure engine for Python developers.
 Author: xenfra-cloud
 Author-email: xenfra-cloud <xenfracloud@gmail.com>
@@ -23,6 +23,7 @@ Requires-Dist: httpx>=0.27.0
 Requires-Dist: keyring>=25.7.0
 Requires-Dist: keyrings-alt>=5.0.2
 Requires-Dist: tenacity>=8.2.3
+Requires-Dist: cryptography>=43.0.0
 Requires-Dist: pytest>=8.0.0 ; extra == 'test'
 Requires-Dist: pytest-mock>=3.12.0 ; extra == 'test'
 Requires-Python: >=3.13

{xenfra-0.3.2.dist-info → xenfra-0.3.4.dist-info}/RECORD

@@ -1,19 +1,19 @@
 xenfra/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 xenfra/commands/__init__.py,sha256=kTTwVnTvoxikyPUhQiyTAbnw4PYafktuE1----TqQoA,43
-xenfra/commands/auth.py,sha256=V6azS3ohhuEufHS1j34W2If08cCfYUUeDYApGSfGedg,4118
+xenfra/commands/auth.py,sha256=ecReVCGl7Ys2d77mv_e4mCbs4ug6FLIb3S9dl2FUhr4,4178
 xenfra/commands/auth_device.py,sha256=caD2UdveEZtAFjgjmnA-l5bjbbPONFjXJXgeJN7mhbk,6710
 xenfra/commands/deployments.py,sha256=bI6d9lVYPhCDoQE3nke7s80MUQ75ILPqiEGhcbXDExo,28609
-xenfra/commands/intelligence.py,sha256=1lw1Pw6deyC52JmpK8YAVFuydAC7cvg_2qiRnw8B8Yc,13884
+xenfra/commands/intelligence.py,sha256=U4nYh1aoJJ3Pxv_eliG3tmJUhCzX9iOiWg5yFALXtvE,15799
 xenfra/commands/projects.py,sha256=SAxF_pOr95K6uz35U-zENptKndKxJNZn6bcD45PHcpI,6696
 xenfra/commands/security_cmd.py,sha256=EI5sjX2lcMxgMH-LCFmPVkc9YqadOrcoSgTiKknkVRY,7327
 xenfra/main.py,sha256=2EPPuIdxjhW-I-e-Mc0i2ayeLaSJdmzddNThkXq7B7c,2033
 xenfra/utils/__init__.py,sha256=4ZRYkrb--vzoXjBHG8zRxz2jCXNGtAoKNtkyu2WRI2A,45
-xenfra/utils/auth.py,sha256=4sjcuFwiqnSTBBiE9JAX36qLpZsrn6H-v_633Pj8ia8,11534
+xenfra/utils/auth.py,sha256=9JbFnv0-rdlJF-4hKD2uWd9h9ehqC1iIHee1O5e-3RM,13769
 xenfra/utils/codebase.py,sha256=57GthXOvOQnUHiDwIHqxK6hNUGWlWf6Nfs3T8647Wrc,4144
 xenfra/utils/config.py,sha256=F2zedd3JXP7TBdul0u8b4NVx-C1N6Hq4sH5szyWim6M,11947
 xenfra/utils/security.py,sha256=EA8CIPLt8Y-QP5uZ7c5NuC6ZLRV1aZS8NapS9ix_vok,11479
 xenfra/utils/validation.py,sha256=cvuL_AEFJ2oCoP0abCqoOIABOwz79Gkf-jh_dcFIQlM,6912
-xenfra-0.3.2.dist-info/WHEEL,sha256=RRVLqVugUmFOqBedBFAmA4bsgFcROUBiSUKlERi0Hcg,79
-xenfra-0.3.2.dist-info/entry_points.txt,sha256=a_2cGhYK__X6eW05Ba8uB6RIM_61c2sHtXsPY8N0mic,45
-xenfra-0.3.2.dist-info/METADATA,sha256=5u2CxbFjkXvlMqnf06WIN5cr-7iBBDDf-3aCu6zjVcU,3834
-xenfra-0.3.2.dist-info/RECORD,,
+xenfra-0.3.4.dist-info/WHEEL,sha256=RRVLqVugUmFOqBedBFAmA4bsgFcROUBiSUKlERi0Hcg,79
+xenfra-0.3.4.dist-info/entry_points.txt,sha256=a_2cGhYK__X6eW05Ba8uB6RIM_61c2sHtXsPY8N0mic,45
+xenfra-0.3.4.dist-info/METADATA,sha256=0b3lQ-vh0J5Wyeaa7_UKA9HKfRRnw9CjkD068to65os,3870
+xenfra-0.3.4.dist-info/RECORD,,