provision TLS certs during grove auth login

Hub API serves client certs at GET /api/auth/tls-certs (authenticated).
CLI downloads ca.crt, client.crt, client.key to ~/.grove/tls/ after login.
Mount /data/grove/tls read-only into hub-api container.

Anton Kaminsky22d agofafa2604c117parent 15612e6

4 files changed+56-1

cli/package.json

@@ -1,6 +1,6 @@
1	1	{
2	2	"name": "grove-scm",
3		"version": "0.1.2",
	3	"version": "0.1.3",
4	4	"description": "CLI for Grove — self-hosted source control built on Sapling and Mononoke",
5	5	"type": "module",
6	6	"bin": {
7	7

cli/src/commands/auth-login.ts

@@ -1,4 +1,7 @@
1	1	import { intro, outro, spinner, log } from "@clack/prompts";
	2	import { mkdirSync, writeFileSync, existsSync } from "node:fs";
	3	import { join } from "node:path";
	4	import { homedir } from "node:os";
2	5	import { waitForAuthCallback } from "../auth-server.js";
3	6	import { loadConfig, saveConfig } from "../config.js";
4	7
@@ -41,6 +44,29 @@
41	44	throw new Error("Authentication timed out (10 minutes)");
42	45	}
43	46
	47	async function provisionTlsCerts(hub: string, token: string) {
	48	const s = spinner();
	49	s.start("Downloading TLS certificates");
	50	try {
	51	const res = await fetch(`${hub}/api/auth/tls-certs`, {
	52	headers: { Authorization: `Bearer ${token}` },
	53	});
	54	if (!res.ok) {
	55	s.stop("TLS certificates not available (non-fatal)");
	56	return;
	57	}
	58	const { ca, cert, key } = await res.json() as { ca: string; cert: string; key: string };
	59	const tlsDir = join(homedir(), ".grove", "tls");
	60	mkdirSync(tlsDir, { recursive: true });
	61	writeFileSync(join(tlsDir, "ca.crt"), ca);
	62	writeFileSync(join(tlsDir, "client.crt"), cert);
	63	writeFileSync(join(tlsDir, "client.key"), key, { mode: 0o600 });
	64	s.stop("TLS certificates saved");
	65	} catch {
	66	s.stop("TLS certificates not available (non-fatal)");
	67	}
	68	}
	69
44	70	export async function authLogin(args: string[]) {
45	71	const config = await loadConfig();
46	72
@@ -58,6 +84,7 @@
58	84	const token = await deviceCodeFlow(config);
59	85	config.token = token;
60	86	await saveConfig(config);
	87	await provisionTlsCerts(config.hub, token);
61	88	outro("Authenticated! Token saved to ~/.grove/config.json");
62	89	} catch (err: any) {
63	90	log.error(err.message);
@@ -85,6 +112,7 @@
85	112	s.stop("Authentication received");
86	113	config.token = token;
87	114	await saveConfig(config);
	115	await provisionTlsCerts(config.hub, token);
88	116	outro("Authenticated! Token saved to ~/.grove/config.json");
89	117	} catch (err: any) {
90	118	s.stop("Authentication failed");
91	119

hub/docker-compose.yml

@@ -116,6 +116,7 @@
116	116	image: localhost:5000/grove-hub-api:latest
117	117	volumes:
118	118	- hub-data:/data
	119	- /data/grove/tls:/data/grove/tls:ro
119	120	environment:
120	121	- PORT=4000
121	122	- DATABASE_PATH=/data/hub.db
122	123

hub-api/src/routes/auth.ts

@@ -358,6 +358,32 @@
358	358	},
359	359	});
360	360
	361	// ── TLS client certificates (for Sapling mTLS with Mononoke) ────
	362
	363	const TLS_DIR = process.env.TLS_DIR ?? "/data/grove/tls";
	364
	365	app.get("/tls-certs", {
	366	preHandler: [(app as any).authenticate],
	367	handler: async (_request, reply) => {
	368	const { readFileSync, existsSync } = await import("fs");
	369	const { join } = await import("path");
	370
	371	const caPath = join(TLS_DIR, "ca.crt");
	372	const certPath = join(TLS_DIR, "client.crt");
	373	const keyPath = join(TLS_DIR, "client.key");
	374
	375	if (!existsSync(caPath) \|\| !existsSync(certPath) \|\| !existsSync(keyPath)) {
	376	return reply.code(503).send({ error: "TLS certificates not configured on this instance" });
	377	}
	378
	379	return {
	380	ca: readFileSync(caPath, "utf-8"),
	381	cert: readFileSync(certPath, "utf-8"),
	382	key: readFileSync(keyPath, "utf-8"),
	383	};
	384	},
	385	});
	386
361	387	// ── Get current user ─────────────────────────────────────────────
362	388
363	389	app.get("/me", {
364	390