feat: update authentication to be in sync with the VS Code extension

Author: tatomyr

packages/cli/src/auth/__tests__/device-flow.test.ts

@@ -2,12 +2,10 @@ import { RedoclyOAuthDeviceFlow } from '../device-flow.js';
 
 describe('RedoclyOAuthDeviceFlow', () => {
   const mockBaseUrl = 'https://test.redocly.com';
-  const mockClientName = 'test-client';
-  const mockVersion = '1.0.0';
   let flow: RedoclyOAuthDeviceFlow;
 
   beforeEach(() => {
-    flow = new RedoclyOAuthDeviceFlow(mockBaseUrl, mockClientName, mockVersion);
+    flow = new RedoclyOAuthDeviceFlow(mockBaseUrl);
   });
 
   describe('verifyToken', () => {

packages/cli/src/auth/__tests__/oauth-client.test.ts

@@ -5,8 +5,6 @@ import * as path from 'node:path';
 import * as os from 'node:os';
 
 describe('RedoclyOAuthClient', () => {
-  const mockClientName = 'test-client';
-  const mockVersion = '1.0.0';
   const mockBaseUrl = 'https://test.redocly.com';
   const mockHomeDir = '/mock/home/dir';
   const mockRedoclyDir = path.join(mockHomeDir, '.redocly');
@@ -18,7 +16,7 @@ describe('RedoclyOAuthClient', () => {
     vi.mock('node:os');
     vi.mocked(os.homedir).mockReturnValue(mockHomeDir);
     process.env.HOME = mockHomeDir;
-    client = new RedoclyOAuthClient(mockClientName, mockVersion);
+    client = new RedoclyOAuthClient();
   });
 
   describe('login', () => {
@@ -51,7 +49,7 @@ describe('RedoclyOAuthClient', () => {
 
       await client.logout();
 
-      expect(fs.rmSync).toHaveBeenCalledWith(path.join(mockRedoclyDir, 'auth.json'));
+      expect(fs.rmSync).toHaveBeenCalledWith(path.join(mockRedoclyDir, 'credentials'));
     });
 
     it('silently fails if token file does not exist', async () => {
@@ -81,15 +79,15 @@ describe('RedoclyOAuthClient', () => {
         verifyToken: vi.fn().mockResolvedValue(true),
       };
       vi.mocked(RedoclyOAuthDeviceFlow).mockImplementation(() => mockDeviceFlow as any);
-      vi.mocked(fs.readFileSync).mockReturnValue(
-        client['cipher'].update(JSON.stringify(mockToken), 'utf8', 'hex') +
-          client['cipher'].final('hex')
-      );
+
+      // Mock the readToken method to return a valid token
+      const readTokenSpy = vi.spyOn(client as any, 'readToken').mockResolvedValue(mockToken);
 
       const result = await client.isAuthorized(mockBaseUrl);
 
       expect(result).toBe(true);
       expect(mockDeviceFlow.verifyToken).toHaveBeenCalledWith('test-token');
+      expect(readTokenSpy).toHaveBeenCalled();
     });
 
     it('returns false if token refresh fails', async () => {
@@ -102,14 +100,34 @@ describe('RedoclyOAuthClient', () => {
         refreshToken: vi.fn().mockRejectedValue(new Error('Refresh failed')),
       };
       vi.mocked(RedoclyOAuthDeviceFlow).mockImplementation(() => mockDeviceFlow as any);
-      vi.mocked(fs.readFileSync).mockReturnValue(
-        client['cipher'].update(JSON.stringify(mockToken), 'utf8', 'hex') +
-          client['cipher'].final('hex')
-      );
+
+      // Mock the readToken method to return a token that needs refresh
+      vi.spyOn(client as any, 'readToken').mockResolvedValue(mockToken);
+      // Mock removeToken to be called when refresh fails
+      const removeTokenSpy = vi.spyOn(client as any, 'removeToken').mockResolvedValue(undefined);
+
+      const result = await client.isAuthorized(mockBaseUrl);
+
+      expect(result).toBe(false);
+      expect(mockDeviceFlow.verifyToken).toHaveBeenCalledWith('old-token');
+      expect(mockDeviceFlow.refreshToken).toHaveBeenCalledWith('refresh-token');
+      expect(removeTokenSpy).toHaveBeenCalled();
+    });
+
+    it('returns false if no token exists', async () => {
+      const mockDeviceFlow = {
+        verifyToken: vi.fn(),
+      };
+      vi.mocked(RedoclyOAuthDeviceFlow).mockImplementation(() => mockDeviceFlow as any);
+
+      // Mock the readToken method to return null (no token)
+      const readTokenSpy = vi.spyOn(client as any, 'readToken').mockResolvedValue(null);
 
       const result = await client.isAuthorized(mockBaseUrl);
 
       expect(result).toBe(false);
+      expect(readTokenSpy).toHaveBeenCalled();
+      expect(mockDeviceFlow.verifyToken).not.toHaveBeenCalled();
     });
   });
 });

packages/cli/src/auth/device-flow.ts

@@ -13,9 +13,10 @@ export type AuthToken = {
 
 export class RedoclyOAuthDeviceFlow {
   private apiClient: ReuniteApiClient;
+  private clientName = 'redocly-cli';
 
-  constructor(private baseUrl: string, private clientName: string, private version: string) {
-    this.apiClient = new ReuniteApiClient(this.version, 'login');
+  constructor(private baseUrl: string) {
+    this.apiClient = new ReuniteApiClient('login');
   }
 
   async run() {
@@ -82,7 +83,7 @@ export class RedoclyOAuthDeviceFlow {
     }
   }
 
-  async refreshToken(refreshToken: string) {
+  async refreshToken(refreshToken?: string) {
     const response = await this.sendRequest(`/device-rotate-token`, 'POST', {
       grant_type: 'refresh_token',
       client_name: this.clientName,
@@ -163,7 +164,7 @@ export class RedoclyOAuthDeviceFlow {
     body: Record<string, unknown> | undefined = undefined,
     headers: Record<string, string> = {}
   ) {
-    url = `${this.baseUrl}${url}`;
+    url = `${this.baseUrl}/api${url}`;
     const response = await this.apiClient.request(url, {
       body: body ? JSON.stringify(body) : body,
       method,

packages/cli/src/auth/oauth-client.ts

@@ -1,7 +1,7 @@
 import { homedir } from 'node:os';
-import * as path from 'node:path';
+import path from 'node:path';
 import { mkdirSync, existsSync, writeFileSync, readFileSync, rmSync } from 'node:fs';
-import * as crypto from 'node:crypto';
+import crypto from 'node:crypto';
 import { Buffer } from 'node:buffer';
 import { logger } from '@redocly/openapi-core';
 import { type AuthToken, RedoclyOAuthDeviceFlow } from './device-flow.js';
@@ -10,35 +10,32 @@ const SALT = '4618dbc9-8aed-4e27-aaf0-225f4603e5a4';
 const CRYPTO_ALGORITHM = 'aes-256-cbc';
 
 export class RedoclyOAuthClient {
-  private dir: string;
-  private cipher: crypto.Cipher;
-  private decipher: crypto.Decipher;
-
-  constructor(private clientName: string, private version: string) {
-    this.dir = path.join(homedir(), '.redocly');
-    if (!existsSync(this.dir)) {
-      mkdirSync(this.dir);
-    }
+  private static readonly TOKEN_FILE = 'credentials';
+  private static readonly LEGACY_TOKEN_FILE = 'auth.json';
+
+  private readonly dir: string;
+  private readonly key: Buffer;
+  private readonly iv: Buffer;
+
+  constructor() {
+    const homeDirPath = homedir();
+
+    this.dir = path.join(homeDirPath, '.redocly');
+    mkdirSync(this.dir, { recursive: true });
+
+    this.key = crypto.createHash('sha256').update(`${homeDirPath}${SALT}`).digest(); // 32-byte key
+    this.iv = crypto.createHash('md5').update(homeDirPath).digest(); // 16-byte IV
+
+    // TODO: Remove this after few months
+    const legacyTokenPath = path.join(this.dir, RedoclyOAuthClient.LEGACY_TOKEN_FILE);
 
-    const homeDirPath = process.env.HOME as string;
-    const hash = crypto.createHash('sha256');
-    hash.update(`${homeDirPath}${SALT}`);
-    const hashHex = hash.digest('hex');
-
-    const key = Buffer.alloc(
-      32,
-      Buffer.from(hashHex).toString('base64')
-    ).toString() as crypto.CipherKey;
-    const iv = Buffer.alloc(
-      16,
-      Buffer.from(process.env.HOME as string).toString('base64')
-    ).toString() as crypto.BinaryLike;
-    this.cipher = crypto.createCipheriv(CRYPTO_ALGORITHM, key, iv);
-    this.decipher = crypto.createDecipheriv(CRYPTO_ALGORITHM, key, iv);
+    if (existsSync(legacyTokenPath)) {
+      rmSync(legacyTokenPath);
+    }
   }
 
-  async login(baseUrl: string) {
-    const deviceFlow = new RedoclyOAuthDeviceFlow(baseUrl, this.clientName, this.version);
+  public async login(baseUrl: string) {
+    const deviceFlow = new RedoclyOAuthDeviceFlow(baseUrl);
 
     const token = await deviceFlow.run();
     if (!token) {
@@ -47,66 +44,95 @@ export class RedoclyOAuthClient {
     this.saveToken(token);
   }
 
-  async logout() {
+  public async logout() {
     try {
       this.removeToken();
     } catch (err) {
       // do nothing
     }
   }
 
-  async isAuthorized(baseUrl: string, apiKey?: string) {
-    const deviceFlow = new RedoclyOAuthDeviceFlow(baseUrl, this.clientName, this.version);
-
+  public async isAuthorized(reuniteUrl: string, apiKey?: string): Promise<boolean> {
     if (apiKey) {
-      return await deviceFlow.verifyApiKey(apiKey);
+      const deviceFlow = new RedoclyOAuthDeviceFlow(reuniteUrl);
+      return deviceFlow.verifyApiKey(apiKey);
     }
 
+    const token = await this.getToken(reuniteUrl);
+
+    return Boolean(token);
+  }
+
+  public getToken = async (reuniteUrl: string): Promise<AuthToken | null> => {
+    const deviceFlow = new RedoclyOAuthDeviceFlow(reuniteUrl);
     const token = await this.readToken();
+
     if (!token) {
-      return false;
+      return null;
     }
 
-    const isValidAccessToken = await deviceFlow.verifyToken(token.access_token);
+    const isValid = await deviceFlow.verifyToken(token.access_token);
 
-    if (isValidAccessToken) {
-      return true;
+    if (isValid) {
+      return token;
     }
 
     try {
       const newToken = await deviceFlow.refreshToken(token.refresh_token);
       await this.saveToken(newToken);
+      return newToken;
     } catch {
-      return false;
+      await this.removeToken();
+      return null;
     }
+  };
 
-    return true;
+  private get tokenPath() {
+    return path.join(this.dir, RedoclyOAuthClient.TOKEN_FILE);
   }
 
-  private async saveToken(token: AuthToken) {
+  private async saveToken(token: AuthToken): Promise<void> {
     try {
-      const encrypted =
-        this.cipher.update(JSON.stringify(token), 'utf8', 'hex') + this.cipher.final('hex');
-      writeFileSync(path.join(this.dir, 'auth.json'), encrypted);
+      const encrypted = this.encryptToken(token);
+      writeFileSync(this.tokenPath, encrypted, 'utf8');
     } catch (error) {
       logger.error(`Error saving tokens: ${error}`);
     }
   }
 
-  private async readToken() {
+  private async readToken(): Promise<AuthToken | null> {
+    if (!existsSync(this.tokenPath)) {
+      return null;
+    }
+
     try {
-      const token = readFileSync(path.join(this.dir, 'auth.json'), 'utf8');
-      const decrypted = this.decipher.update(token, 'hex', 'utf8') + this.decipher.final('utf8');
-      return decrypted ? JSON.parse(decrypted) : null;
+      const encrypted = readFileSync(this.tokenPath, 'utf8');
+      return this.decryptToken(encrypted);
     } catch {
       return null;
     }
   }
 
-  private async removeToken() {
-    const tokenPath = path.join(this.dir, 'auth.json');
-    if (existsSync(tokenPath)) {
-      rmSync(tokenPath);
+  private async removeToken(): Promise<void> {
+    if (existsSync(this.tokenPath)) {
+      rmSync(this.tokenPath);
     }
   }
+
+  private encryptToken(token: AuthToken): string {
+    const cipher = crypto.createCipheriv(CRYPTO_ALGORITHM, this.key, this.iv);
+    const encrypted = Buffer.concat([cipher.update(JSON.stringify(token), 'utf8'), cipher.final()]);
+
+    return encrypted.toString('hex');
+  }
+
+  private decryptToken(encryptedToken: string): AuthToken {
+    const decipher = crypto.createDecipheriv(CRYPTO_ALGORITHM, this.key, this.iv);
+    const decrypted = Buffer.concat([
+      decipher.update(Buffer.from(encryptedToken, 'hex')),
+      decipher.final(),
+    ]);
+
+    return JSON.parse(decrypted.toString('utf8'));
+  }
 }

packages/cli/src/commands/auth.ts

@@ -10,11 +10,10 @@ export type LoginArgv = {
   config?: string;
 };
 
-export async function handleLogin({ argv, version, config }: CommandArgs<LoginArgv>) {
-  const residency = argv.residency || config?.resolvedConfig?.residency;
-  const reuniteUrl = getReuniteUrl(residency);
+export async function handleLogin({ argv, config }: CommandArgs<LoginArgv>) {
+  const reuniteUrl = getReuniteUrl(config, argv.residency);
   try {
-    const oauthClient = new RedoclyOAuthClient('redocly-cli', version);
+    const oauthClient = new RedoclyOAuthClient();
     await oauthClient.login(reuniteUrl);
   } catch {
     if (argv.residency) {
@@ -29,8 +28,8 @@ export type LogoutArgv = {
   config?: string;
 };
 
-export async function handleLogout({ version }: CommandArgs<LogoutArgv>) {
-  const oauthClient = new RedoclyOAuthClient('redocly-cli', version);
+export async function handleLogout() {
+  const oauthClient = new RedoclyOAuthClient();
   oauthClient.logout();
 
   logger.output('Logged out from the Redocly account. ✋ \n');

packages/cli/src/reunite/api/__tests__/api.client.test.ts

@@ -1,5 +1,6 @@
 import { red, yellow } from 'colorette';
 import { ReuniteApi, PushPayload, ReuniteApiError } from '../api-client.js';
+import { version } from '../../../utils/package.js';
 
 const originalFetch = global.fetch;
 
@@ -22,15 +23,14 @@ describe('ApiClient', () => {
   const testDomain = 'test-domain.com';
   const testOrg = 'test-org';
   const testProject = 'test-project';
-  const version = '1.0.0';
   const command = 'push';
   const expectedUserAgent = `redocly-cli/${version} ${command}`;
 
   describe('getDefaultBranch()', () => {
     let apiClient: ReuniteApi;
 
     beforeEach(() => {
-      apiClient = new ReuniteApi({ domain: testDomain, apiKey: testToken, version, command });
+      apiClient = new ReuniteApi({ domain: testDomain, apiKey: testToken, command });
     });
 
     it('should get default project branch', async () => {
@@ -111,7 +111,7 @@ describe('ApiClient', () => {
     let apiClient: ReuniteApi;
 
     beforeEach(() => {
-      apiClient = new ReuniteApi({ domain: testDomain, apiKey: testToken, version, command });
+      apiClient = new ReuniteApi({ domain: testDomain, apiKey: testToken, command });
     });
 
     it('should upsert remote', async () => {
@@ -216,7 +216,7 @@ describe('ApiClient', () => {
     let apiClient: ReuniteApi;
 
     beforeEach(() => {
-      apiClient = new ReuniteApi({ domain: testDomain, apiKey: testToken, version, command });
+      apiClient = new ReuniteApi({ domain: testDomain, apiKey: testToken, command });
     });
 
     it('should push to remote', async () => {
@@ -352,7 +352,7 @@ describe('ApiClient', () => {
     let apiClient: ReuniteApi;
 
     beforeEach(() => {
-      apiClient = new ReuniteApi({ domain: testDomain, apiKey: testToken, version, command });
+      apiClient = new ReuniteApi({ domain: testDomain, apiKey: testToken, command });
     });
 
     it.each(endpointMocks)(