feat: use new login scheme which supports Safari

Author: roncohen

packages/cli/commands/auth.ts

@@ -4,17 +4,17 @@ import ora from "ora";
 
 import { authStore } from "../stores/auth.js";
 import { configStore } from "../stores/config.js";
-import { authenticateUser } from "../utils/auth.js";
+import { waitForAccessToken } from "../utils/auth.js";
 import { handleError } from "../utils/errors.js";
 
 export const loginAction = async () => {
-  const baseUrl = configStore.getConfig("baseUrl");
-  const spinner = ora(`Logging in to ${chalk.cyan(baseUrl)}...`).start();
+  const { baseUrl, apiUrl } = configStore.getConfig();
+
   try {
-    await authenticateUser(baseUrl);
-    spinner.succeed(`Logged in to ${chalk.cyan(baseUrl)} successfully! 🎉`);
+    await waitForAccessToken(baseUrl, apiUrl);
+    console.log(`Logged in to ${chalk.cyan(baseUrl)} successfully! 🎉`);
   } catch (error) {
-    spinner.fail("Login failed.");
+    console.error("Login failed.");
     void handleError(error, "Login");
   }
 };

packages/cli/utils/auth.ts

@@ -1,102 +1,128 @@
+import crypto from "crypto";
 import http from "http";
+import chalk from "chalk";
 import open from "open";
 
 import { authStore } from "../stores/auth.js";
 import { configStore } from "../stores/config.js";
 
 import { loginUrl } from "./constants.js";
 
-function corsHeaders(baseUrl: string): Record<string, string> {
-  return {
-    "Access-Control-Allow-Origin": baseUrl,
-    "Access-Control-Allow-Methods": "GET",
-    "Access-Control-Allow-Headers": "Authorization",
-  };
-}
-
-export async function authenticateUser(baseUrl: string) {
-  return new Promise<string>((resolve, reject) => {
-    let isResolved = false;
+const successUrl = (baseUrl: string) => `${baseUrl}/cli-login/success`;
+const errorUrl = (baseUrl: string, error: string) =>
+  `${baseUrl}/cli-login/error?error=${error}`;
 
-    const server = http.createServer(async (req, res) => {
-      const url = new URL(req.url ?? "/", "http://127.0.0.1");
-      const headers = corsHeaders(baseUrl);
+interface waitForAccessToken {
+  accessToken: string;
+  expiresAt: Date;
+}
 
-      // Ensure we don't process requests after resolution
-      if (isResolved) {
-        res.writeHead(503, headers).end();
-        return;
-      }
+export async function waitForAccessToken(baseUrl: string, apiUrl: string) {
+  let resolve: (args: waitForAccessToken) => void,
+    reject: (arg0: Error) => void;
+  const promise = new Promise<waitForAccessToken>((res, rej) => {
+    resolve = res;
+    reject = rej;
+  });
 
-      if (url.pathname !== "/cli-login") {
-        res.writeHead(404).end("Invalid path");
-        cleanupAndReject(new Error("Could not authenticate: Invalid path"));
-        return;
-      }
+  // PCKE code verifier and challenge
+  const codeVerifier = crypto.randomUUID();
+  const codeChallenge = crypto
+    .createHash("sha256")
+    .update(codeVerifier)
+    .digest("base64")
+    .replace(/=/g, "")
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_");
+
+  const timeout = setTimeout(() => {
+    cleanupAndReject(new Error("Authentication timed out after 30 seconds"));
+  }, 30000);
+
+  function cleanupAndReject(error: Error) {
+    cleanup();
+    reject(error);
+  }
 
-      // Handle preflight request
-      if (req.method === "OPTIONS") {
-        res.writeHead(200, headers);
-        res.end();
-        return;
-      }
+  function cleanup() {
+    clearTimeout(timeout);
+    server.close();
+    server.closeAllConnections();
+  }
 
-      if (!req.headers.authorization?.startsWith("Bearer ")) {
-        res.writeHead(400, headers).end("Could not authenticate");
-        cleanupAndReject(new Error("Could not authenticate"));
-        return;
-      }
+  const server = http.createServer(async (req, res) => {
+    const url = new URL(req.url ?? "/", "http://127.0.0.1");
 
-      const token = req.headers.authorization.slice("Bearer ".length);
-      headers["Content-Type"] = "application/json";
-      res.writeHead(200, headers);
-      res.end(JSON.stringify({ result: "success" }));
-
-      try {
-        await authStore.setToken(baseUrl, token);
-        cleanupAndResolve(token);
-      } catch (error) {
-        cleanupAndReject(
-          error instanceof Error ? error : new Error("Failed to store token"),
-        );
-      }
-    });
+    if (url.pathname !== "/cli-login") {
+      res.writeHead(404).end("Invalid path");
+      cleanupAndReject(new Error("Could not authenticate: Invalid path"));
+      return;
+    }
 
-    const timeout = setTimeout(() => {
-      cleanupAndReject(new Error("Authentication timed out after 60 seconds"));
-    }, 60000);
+    const fullUrl = new URL(`http://localhost${req.url}`);
 
-    function cleanupAndResolve(token: string) {
-      if (isResolved) return;
-      isResolved = true;
-      cleanup();
-      resolve(token);
-    }
+    const code = fullUrl.searchParams.get("code");
 
-    function cleanupAndReject(error: Error) {
-      if (isResolved) return;
-      isResolved = true;
-      cleanup();
-      reject(error);
+    if (!code) {
+      res.writeHead(400).end("Could not authenticate");
+      cleanupAndReject(new Error("Could not authenticate: no code provided"));
+      return;
     }
 
-    function cleanup() {
-      clearTimeout(timeout);
-      server.close();
-      // Force-close any remaining connections
-      server.getConnections((err, count) => {
-        if (err || count === 0) return;
-        server.closeAllConnections();
-      });
-    }
+    const response = await fetch(`${apiUrl}/oauth/cli/access-token`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        code,
+        codeVerifier,
+      }),
+    });
 
-    server.listen();
-    const address = server.address();
-    if (address && typeof address === "object") {
-      const port = address.port;
-      void open(loginUrl(baseUrl, port));
+    if (!response.ok) {
+      res
+        .writeHead(302, {
+          location: errorUrl(
+            baseUrl,
+            "Could not authenticate: Unable to fetch access token",
+          ),
+        })
+        .end("Could not authenticate");
+      cleanupAndReject(new Error("Could not authenticate"));
+      return;
     }
+    res
+      .writeHead(302, {
+        location: successUrl(baseUrl),
+      })
+      .end("Authentication successful");
+
+    const jsonResponse = await response.json();
+
+    cleanup();
+    resolve({
+      accessToken: jsonResponse.accessToken,
+      expiresAt: new Date(jsonResponse.expiresAt),
+    });
   });
+
+  server.listen();
+  const address = server.address();
+  if (address == null || typeof address !== "object") {
+    throw new Error("Could not start server");
+  }
+
+  const port = address.port;
+  const browserUrl = loginUrl(apiUrl, port, codeChallenge);
+
+  console.log(
+    `Opened web browser to facilitate login: ${chalk.cyan(browserUrl)}`,
+  );
+
+  void open(browserUrl);
+
+  return promise;
 }
 
 export async function authRequest<T = Record<string, unknown>>(
@@ -110,7 +136,8 @@ export async function authRequest<T = Record<string, unknown>>(
   const token = authStore.getToken(baseUrl);
 
   if (!token) {
-    await authenticateUser(baseUrl);
+    const accessToken = await waitForAccessToken(baseUrl, apiUrl);
+    await authStore.setToken(baseUrl, accessToken.accessToken);
     return authRequest(url, options);
   }
 
@@ -133,7 +160,7 @@ export async function authRequest<T = Record<string, unknown>>(
     if (response.status === 401) {
       await authStore.setToken(baseUrl, undefined);
       if (retryCount < 1) {
-        await authenticateUser(baseUrl);
+        await waitForAccessToken(baseUrl, apiUrl);
         return authRequest(url, options, retryCount + 1);
       }
     }

packages/cli/utils/constants.ts

@@ -14,6 +14,9 @@ export const DEFAULT_TYPES_OUTPUT = join("gen", "features.ts");
 
 export const chalkBrand = chalk.hex("#847CFB");
 
-export const loginUrl = (baseUrl: string, localPort: number) =>
-  `${baseUrl}/login?redirect_url=` +
-  encodeURIComponent("/cli-login?port=" + localPort);
+export const loginUrl = (
+  baseUrl: string,
+  localPort: number,
+  codeChallenge: string,
+) =>
+  `${baseUrl}/oauth/cli/authorize?port=${localPort}&codeChallenge=${codeChallenge}`;