Blame · auth-login.ts

59e6667	1	import { intro, outro, spinner, log } from "@clack/prompts";
fafa260	2	import { mkdirSync, writeFileSync, existsSync } from "node:fs";
fafa260	3	import { join } from "node:path";
fafa260	4	import { homedir } from "node:os";
e93a978	5	import { waitForAuthCallback } from "../auth-server.js";
e93a978	6	import { loadConfig, saveConfig } from "../config.js";
e93a978	7
7010ba9	8	function isHeadless(): boolean {
7010ba9	9	// SSH session, no display, or explicitly requested
7010ba9	10	return !!(process.env.SSH_CLIENT \|\| process.env.SSH_TTY \|\| process.env.SSH_CONNECTION);
7010ba9	11	}
7010ba9	12
7010ba9	13	async function deviceCodeFlow(config: { hub: string; token?: string }) {
7010ba9	14	// Request a device code from the hub
7010ba9	15	const res = await fetch(`${config.hub}/api/auth/device-code`, { method: "POST" });
7010ba9	16	if (!res.ok) {
7010ba9	17	throw new Error(`Failed to start device code flow: ${res.statusText}`);
7010ba9	18	}
7010ba9	19	const { code, url } = await res.json() as { code: string; url: string; expires_in: number };
7010ba9	20
7010ba9	21	log.info(`Open this URL in your browser:\n\n ${url}\n\nYour code: ${code}`);
7010ba9	22
7010ba9	23	const s = spinner();
7010ba9	24	s.start("Waiting for approval");
7010ba9	25
7010ba9	26	// Poll for approval
7010ba9	27	for (let i = 0; i < 120; i++) {
7010ba9	28	await new Promise((r) => setTimeout(r, 5000));
7010ba9	29
7010ba9	30	const pollRes = await fetch(`${config.hub}/api/auth/device-code/${code}`);
7010ba9	31	if (!pollRes.ok) {
7010ba9	32	s.stop("Authentication failed");
7010ba9	33	throw new Error("Code expired or invalid");
7010ba9	34	}
7010ba9	35
7010ba9	36	const data = await pollRes.json() as { status: string; token?: string };
7010ba9	37	if (data.status === "complete" && data.token) {
7010ba9	38	s.stop("Authentication received");
7010ba9	39	return data.token;
7010ba9	40	}
7010ba9	41	}
7010ba9	42
7010ba9	43	s.stop("Authentication timed out");
7010ba9	44	throw new Error("Authentication timed out (10 minutes)");
7010ba9	45	}
7010ba9	46
fafa260	47	async function provisionTlsCerts(hub: string, token: string) {
fafa260	48	const s = spinner();
fafa260	49	s.start("Downloading TLS certificates");
fafa260	50	try {
fafa260	51	const res = await fetch(`${hub}/api/auth/tls-certs`, {
fafa260	52	headers: { Authorization: `Bearer ${token}` },
fafa260	53	});
fafa260	54	if (!res.ok) {
fafa260	55	s.stop("TLS certificates not available (non-fatal)");
fafa260	56	return;
fafa260	57	}
fafa260	58	const { ca, cert, key } = await res.json() as { ca: string; cert: string; key: string };
fafa260	59	const tlsDir = join(homedir(), ".grove", "tls");
fafa260	60	mkdirSync(tlsDir, { recursive: true });
fafa260	61	writeFileSync(join(tlsDir, "ca.crt"), ca);
fafa260	62	writeFileSync(join(tlsDir, "client.crt"), cert);
fafa260	63	writeFileSync(join(tlsDir, "client.key"), key, { mode: 0o600 });
fafa260	64	s.stop("TLS certificates saved");
fafa260	65	} catch {
fafa260	66	s.stop("TLS certificates not available (non-fatal)");
fafa260	67	}
fafa260	68	}
fafa260	69
e93a978	70	export async function authLogin(args: string[]) {
e93a978	71	const config = await loadConfig();
e93a978	72
e93a978	73	// Allow --hub flag to override hub URL
e93a978	74	const hubIdx = args.indexOf("--hub");
e93a978	75	if (hubIdx !== -1 && args[hubIdx + 1]) {
e93a978	76	config.hub = args[hubIdx + 1];
e93a978	77	}
e93a978	78
59e6667	79	intro("grove auth login");
e93a978	80
7010ba9	81	if (isHeadless()) {
7010ba9	82	// Device code flow for remote/headless environments
7010ba9	83	try {
7010ba9	84	const token = await deviceCodeFlow(config);
7010ba9	85	config.token = token;
7010ba9	86	await saveConfig(config);
fafa260	87	await provisionTlsCerts(config.hub, token);
7010ba9	88	outro("Authenticated! Token saved to ~/.grove/config.json");
7010ba9	89	} catch (err: any) {
7010ba9	90	log.error(err.message);
7010ba9	91	process.exit(1);
7010ba9	92	}
7010ba9	93	return;
7010ba9	94	}
7010ba9	95
7010ba9	96	// Browser-based flow for local environments
ff43545	97	const { port, result } = await waitForAuthCallback();
e93a978	98
e93a978	99	const callbackUrl = encodeURIComponent(`http://localhost:${port}/callback`);
e93a978	100	const authUrl = `${config.hub}/cli-auth?callback=${callbackUrl}`;
e93a978	101
59e6667	102	log.info(`If the browser doesn't open, visit:\n${authUrl}`);
e93a978	103
e93a978	104	const open = (await import("open")).default;
e93a978	105	await open(authUrl);
e93a978	106
59e6667	107	const s = spinner();
59e6667	108	s.start("Waiting for authentication in browser");
e93a978	109
e93a978	110	try {
e93a978	111	const { token } = await result;
59e6667	112	s.stop("Authentication received");
e93a978	113	config.token = token;
e93a978	114	await saveConfig(config);
fafa260	115	await provisionTlsCerts(config.hub, token);
59e6667	116	outro("Authenticated! Token saved to ~/.grove/config.json");
e93a978	117	} catch (err: any) {
59e6667	118	s.stop("Authentication failed");
59e6667	119	log.error(err.message);
e93a978	120	process.exit(1);
e93a978	121	}
e93a978	122	}