| 59e6667 | | | 1 | import { intro, outro, spinner, log } from "@clack/prompts"; |
| 4ae9b20 | | | 2 | import { mkdirSync, writeFileSync, existsSync, chmodSync } from "node:fs"; |
| fafa260 | | | 3 | import { join } from "node:path"; |
| 4ae9b20 | | | 4 | import { homedir, platform, arch } from "node:os"; |
| 4ae9b20 | | | 5 | import { execSync } from "node:child_process"; |
| e93a978 | | | 6 | import { waitForAuthCallback } from "../auth-server.js"; |
| e93a978 | | | 7 | import { loadConfig, saveConfig } from "../config.js"; |
| e93a978 | | | 8 | |
| 7010ba9 | | | 9 | function isHeadless(): boolean { |
| 7010ba9 | | | 10 | // SSH session, no display, or explicitly requested |
| 7010ba9 | | | 11 | return !!(process.env.SSH_CLIENT || process.env.SSH_TTY || process.env.SSH_CONNECTION); |
| 7010ba9 | | | 12 | } |
| 7010ba9 | | | 13 | |
| 7010ba9 | | | 14 | async function deviceCodeFlow(config: { hub: string; token?: string }) { |
| 7010ba9 | | | 15 | // Request a device code from the hub |
| 7010ba9 | | | 16 | const res = await fetch(`${config.hub}/api/auth/device-code`, { method: "POST" }); |
| 7010ba9 | | | 17 | if (!res.ok) { |
| 7010ba9 | | | 18 | throw new Error(`Failed to start device code flow: ${res.statusText}`); |
| 7010ba9 | | | 19 | } |
| 7010ba9 | | | 20 | const { code, url } = await res.json() as { code: string; url: string; expires_in: number }; |
| 7010ba9 | | | 21 | |
| 7010ba9 | | | 22 | log.info(`Open this URL in your browser:\n\n ${url}\n\nYour code: ${code}`); |
| 7010ba9 | | | 23 | |
| 7010ba9 | | | 24 | const s = spinner(); |
| 7010ba9 | | | 25 | s.start("Waiting for approval"); |
| 7010ba9 | | | 26 | |
| 7010ba9 | | | 27 | // Poll for approval |
| 7010ba9 | | | 28 | for (let i = 0; i < 120; i++) { |
| 7010ba9 | | | 29 | await new Promise((r) => setTimeout(r, 5000)); |
| 7010ba9 | | | 30 | |
| 7010ba9 | | | 31 | const pollRes = await fetch(`${config.hub}/api/auth/device-code/${code}`); |
| 7010ba9 | | | 32 | if (!pollRes.ok) { |
| 7010ba9 | | | 33 | s.stop("Authentication failed"); |
| 7010ba9 | | | 34 | throw new Error("Code expired or invalid"); |
| 7010ba9 | | | 35 | } |
| 7010ba9 | | | 36 | |
| 7010ba9 | | | 37 | const data = await pollRes.json() as { status: string; token?: string }; |
| 7010ba9 | | | 38 | if (data.status === "complete" && data.token) { |
| 7010ba9 | | | 39 | s.stop("Authentication received"); |
| 7010ba9 | | | 40 | return data.token; |
| 7010ba9 | | | 41 | } |
| 7010ba9 | | | 42 | } |
| 7010ba9 | | | 43 | |
| 7010ba9 | | | 44 | s.stop("Authentication timed out"); |
| 7010ba9 | | | 45 | throw new Error("Authentication timed out (10 minutes)"); |
| 7010ba9 | | | 46 | } |
| 7010ba9 | | | 47 | |
| fafa260 | | | 48 | async function provisionTlsCerts(hub: string, token: string) { |
| fafa260 | | | 49 | const s = spinner(); |
| fafa260 | | | 50 | s.start("Downloading TLS certificates"); |
| fafa260 | | | 51 | try { |
| fafa260 | | | 52 | const res = await fetch(`${hub}/api/auth/tls-certs`, { |
| fafa260 | | | 53 | headers: { Authorization: `Bearer ${token}` }, |
| fafa260 | | | 54 | }); |
| fafa260 | | | 55 | if (!res.ok) { |
| fafa260 | | | 56 | s.stop("TLS certificates not available (non-fatal)"); |
| fafa260 | | | 57 | return; |
| fafa260 | | | 58 | } |
| fafa260 | | | 59 | const { ca, cert, key } = await res.json() as { ca: string; cert: string; key: string }; |
| fafa260 | | | 60 | const tlsDir = join(homedir(), ".grove", "tls"); |
| fafa260 | | | 61 | mkdirSync(tlsDir, { recursive: true }); |
| fafa260 | | | 62 | writeFileSync(join(tlsDir, "ca.crt"), ca); |
| fafa260 | | | 63 | writeFileSync(join(tlsDir, "client.crt"), cert); |
| fafa260 | | | 64 | writeFileSync(join(tlsDir, "client.key"), key, { mode: 0o600 }); |
| fafa260 | | | 65 | s.stop("TLS certificates saved"); |
| fafa260 | | | 66 | } catch { |
| fafa260 | | | 67 | s.stop("TLS certificates not available (non-fatal)"); |
| fafa260 | | | 68 | } |
| fafa260 | | | 69 | } |
| fafa260 | | | 70 | |
| 4ae9b20 | | | 71 | async function installSapling(hub: string) { |
| 4ae9b20 | | | 72 | // Only install on Linux — macOS users build from source |
| 4ae9b20 | | | 73 | if (platform() !== "linux") return; |
| 4ae9b20 | | | 74 | |
| 4ae9b20 | | | 75 | // Check if sl is already installed and working |
| 4ae9b20 | | | 76 | try { |
| 4ae9b20 | | | 77 | const version = execSync("sl --version 2>&1", { stdio: "pipe" }).toString(); |
| 4ae9b20 | | | 78 | // Our builds are version 4.x+, old official release is 0.2 |
| 4ae9b20 | | | 79 | if (!version.includes("0.2.")) return; |
| 4ae9b20 | | | 80 | } catch { |
| 4ae9b20 | | | 81 | // sl not found — need to install |
| 4ae9b20 | | | 82 | } |
| 4ae9b20 | | | 83 | |
| 4ae9b20 | | | 84 | const s = spinner(); |
| 4ae9b20 | | | 85 | s.start("Installing Sapling (sl)"); |
| 4ae9b20 | | | 86 | try { |
| 4ae9b20 | | | 87 | const binary = `sl-linux-${arch() === "x64" ? "x86_64" : arch()}`; |
| 4ae9b20 | | | 88 | const res = await fetch(`${hub}/downloads/${binary}`); |
| 4ae9b20 | | | 89 | if (!res.ok) { |
| 4ae9b20 | | | 90 | s.stop("Sapling binary not available yet (non-fatal)"); |
| 4ae9b20 | | | 91 | return; |
| 4ae9b20 | | | 92 | } |
| 4ae9b20 | | | 93 | const buf = Buffer.from(await res.arrayBuffer()); |
| 4ae9b20 | | | 94 | const dest = "/usr/local/bin/sl"; |
| 4ae9b20 | | | 95 | writeFileSync(dest, buf); |
| 4ae9b20 | | | 96 | chmodSync(dest, 0o755); |
| 4ae9b20 | | | 97 | s.stop("Sapling (sl) installed"); |
| 4ae9b20 | | | 98 | } catch { |
| 4ae9b20 | | | 99 | s.stop("Could not install Sapling (non-fatal)"); |
| 4ae9b20 | | | 100 | } |
| 4ae9b20 | | | 101 | } |
| 4ae9b20 | | | 102 | |
| e93a978 | | | 103 | export async function authLogin(args: string[]) { |
| e93a978 | | | 104 | const config = await loadConfig(); |
| e93a978 | | | 105 | |
| e93a978 | | | 106 | // Allow --hub flag to override hub URL |
| e93a978 | | | 107 | const hubIdx = args.indexOf("--hub"); |
| e93a978 | | | 108 | if (hubIdx !== -1 && args[hubIdx + 1]) { |
| e93a978 | | | 109 | config.hub = args[hubIdx + 1]; |
| e93a978 | | | 110 | } |
| e93a978 | | | 111 | |
| 59e6667 | | | 112 | intro("grove auth login"); |
| e93a978 | | | 113 | |
| 7010ba9 | | | 114 | if (isHeadless()) { |
| 7010ba9 | | | 115 | // Device code flow for remote/headless environments |
| 7010ba9 | | | 116 | try { |
| 7010ba9 | | | 117 | const token = await deviceCodeFlow(config); |
| 7010ba9 | | | 118 | config.token = token; |
| 7010ba9 | | | 119 | await saveConfig(config); |
| fafa260 | | | 120 | await provisionTlsCerts(config.hub, token); |
| 4ae9b20 | | | 121 | await installSapling(config.hub); |
| 7010ba9 | | | 122 | outro("Authenticated! Token saved to ~/.grove/config.json"); |
| 7010ba9 | | | 123 | } catch (err: any) { |
| 7010ba9 | | | 124 | log.error(err.message); |
| 7010ba9 | | | 125 | process.exit(1); |
| 7010ba9 | | | 126 | } |
| 7010ba9 | | | 127 | return; |
| 7010ba9 | | | 128 | } |
| 7010ba9 | | | 129 | |
| 7010ba9 | | | 130 | // Browser-based flow for local environments |
| ff43545 | | | 131 | const { port, result } = await waitForAuthCallback(); |
| e93a978 | | | 132 | |
| e93a978 | | | 133 | const callbackUrl = encodeURIComponent(`http://localhost:${port}/callback`); |
| e93a978 | | | 134 | const authUrl = `${config.hub}/cli-auth?callback=${callbackUrl}`; |
| e93a978 | | | 135 | |
| 59e6667 | | | 136 | log.info(`If the browser doesn't open, visit:\n${authUrl}`); |
| e93a978 | | | 137 | |
| e93a978 | | | 138 | const open = (await import("open")).default; |
| e93a978 | | | 139 | await open(authUrl); |
| e93a978 | | | 140 | |
| 59e6667 | | | 141 | const s = spinner(); |
| 59e6667 | | | 142 | s.start("Waiting for authentication in browser"); |
| e93a978 | | | 143 | |
| e93a978 | | | 144 | try { |
| e93a978 | | | 145 | const { token } = await result; |
| 59e6667 | | | 146 | s.stop("Authentication received"); |
| e93a978 | | | 147 | config.token = token; |
| e93a978 | | | 148 | await saveConfig(config); |
| fafa260 | | | 149 | await provisionTlsCerts(config.hub, token); |
| 4ae9b20 | | | 150 | await installSapling(config.hub); |
| 59e6667 | | | 151 | outro("Authenticated! Token saved to ~/.grove/config.json"); |
| e93a978 | | | 152 | } catch (err: any) { |
| 59e6667 | | | 153 | s.stop("Authentication failed"); |
| 59e6667 | | | 154 | log.error(err.message); |
| e93a978 | | | 155 | process.exit(1); |
| e93a978 | | | 156 | } |
| e93a978 | | | 157 | } |