feat: add login via Reunite API

Author: tatomyr

.changeset/tough-apples-attend.md

@@ -0,0 +1,5 @@
+---
+"@redocly/cli": minor
+---
+
+Added login flow based on [OAuth 2.0 Device authorization flow](https://datatracker.ietf.org/doc/html/rfc8628) that uses Reunite API.

jest.config.js

@@ -21,7 +21,7 @@ module.exports = {
       statements: 64,
       branches: 52,
       functions: 63,
-      lines: 65,
+      lines: 64,
     },
   },
   testMatch: ['**/__tests__/**/*.test.ts', '**/*.test.ts'],

packages/cli/src/__tests__/commands/push-region.test.ts

@@ -1,6 +1,6 @@
 import { getMergedConfig } from '@redocly/openapi-core';
 import { handlePush } from '../../commands/push';
-import { promptClientToken } from '../../commands/login';
+import { promptClientToken } from '../../commands/auth';
 import { ConfigFixture } from '../fixtures/config';
 import { Readable } from 'node:stream';
 
@@ -23,7 +23,7 @@ jest.mock('fs', () => ({
 
 // Mock OpenAPI core
 jest.mock('@redocly/openapi-core');
-jest.mock('../../commands/login');
+jest.mock('../../commands/auth');
 jest.mock('../../utils/miscellaneous');
 
 const mockPromptClientToken = promptClientToken as jest.MockedFunction<typeof promptClientToken>;

packages/cli/src/auth/__tests__/device-flow.test.ts

@@ -0,0 +1,73 @@
+import { RedoclyOAuthDeviceFlow } from '../device-flow';
+
+jest.mock('child_process');
+
+describe('RedoclyOAuthDeviceFlow', () => {
+  const mockBaseUrl = 'https://test.redocly.com';
+  const mockClientName = 'test-client';
+  const mockVersion = '1.0.0';
+  let flow: RedoclyOAuthDeviceFlow;
+
+  beforeEach(() => {
+    flow = new RedoclyOAuthDeviceFlow(mockBaseUrl, mockClientName, mockVersion);
+    jest.resetAllMocks();
+  });
+
+  describe('verifyToken', () => {
+    it('returns true for valid token', async () => {
+      jest.spyOn(flow['apiClient'], 'request').mockResolvedValue({
+        json: () => Promise.resolve({ user: { id: '123' } }),
+      } as Response);
+
+      const result = await flow.verifyToken('valid-token');
+      expect(result).toBe(true);
+    });
+
+    it('returns false for invalid token', async () => {
+      jest.spyOn(flow['apiClient'], 'request').mockRejectedValue(new Error('Invalid token'));
+      const result = await flow.verifyToken('invalid-token');
+      expect(result).toBe(false);
+    });
+  });
+
+  describe('verifyApiKey', () => {
+    it('returns true for valid API key', async () => {
+      jest.spyOn(flow['apiClient'], 'request').mockResolvedValue({
+        json: () => Promise.resolve({ success: true }),
+      } as Response);
+
+      const result = await flow.verifyApiKey('valid-key');
+      expect(result).toBe(true);
+    });
+
+    it('returns false for invalid API key', async () => {
+      jest.spyOn(flow['apiClient'], 'request').mockRejectedValue(new Error('Invalid API key'));
+      const result = await flow.verifyApiKey('invalid-key');
+      expect(result).toBe(false);
+    });
+  });
+
+  describe('refreshToken', () => {
+    it('successfully refreshes token', async () => {
+      const mockResponse = {
+        access_token: 'new-token',
+        refresh_token: 'new-refresh',
+        expires_in: 3600,
+      };
+      jest.spyOn(flow['apiClient'], 'request').mockResolvedValue({
+        json: () => Promise.resolve(mockResponse),
+      } as Response);
+
+      const result = await flow.refreshToken('old-refresh-token');
+      expect(result).toEqual(mockResponse);
+    });
+
+    it('throws error when refresh fails', async () => {
+      jest.spyOn(flow['apiClient'], 'request').mockResolvedValue({
+        json: () => Promise.resolve({}),
+      } as Response);
+
+      await expect(flow.refreshToken('invalid-refresh')).rejects.toThrow('Failed to refresh token');
+    });
+  });
+});

packages/cli/src/auth/__tests__/oauth-client.test.ts

@@ -0,0 +1,117 @@
+import { RedoclyOAuthClient } from '../oauth-client';
+import { RedoclyOAuthDeviceFlow } from '../device-flow';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+
+jest.mock('node:fs');
+jest.mock('node:os');
+jest.mock('../device-flow');
+
+describe('RedoclyOAuthClient', () => {
+  const mockClientName = 'test-client';
+  const mockVersion = '1.0.0';
+  const mockBaseUrl = 'https://test.redocly.com';
+  const mockHomeDir = '/mock/home/dir';
+  const mockRedoclyDir = path.join(mockHomeDir, '.redocly');
+  let client: RedoclyOAuthClient;
+
+  beforeEach(() => {
+    jest.resetAllMocks();
+    (os.homedir as jest.Mock).mockReturnValue(mockHomeDir);
+    process.env.HOME = mockHomeDir;
+    client = new RedoclyOAuthClient(mockClientName, mockVersion);
+  });
+
+  describe('login', () => {
+    it('successfully logs in and saves token', async () => {
+      const mockToken = { access_token: 'test-token' };
+      const mockDeviceFlow = {
+        run: jest.fn().mockResolvedValue(mockToken),
+      };
+      (RedoclyOAuthDeviceFlow as jest.Mock).mockImplementation(() => mockDeviceFlow);
+
+      await client.login(mockBaseUrl);
+
+      expect(mockDeviceFlow.run).toHaveBeenCalled();
+      expect(fs.writeFileSync).toHaveBeenCalled();
+    });
+
+    it('throws error when login fails', async () => {
+      const mockDeviceFlow = {
+        run: jest.fn().mockResolvedValue(null),
+      };
+      (RedoclyOAuthDeviceFlow as jest.Mock).mockImplementation(() => mockDeviceFlow);
+
+      await expect(client.login(mockBaseUrl)).rejects.toThrow('Failed to login');
+    });
+  });
+
+  describe('logout', () => {
+    it('removes token file if it exists', async () => {
+      (fs.existsSync as jest.Mock).mockReturnValue(true);
+
+      await client.logout();
+
+      expect(fs.rmSync).toHaveBeenCalledWith(path.join(mockRedoclyDir, 'auth.json'));
+    });
+
+    it('silently fails if token file does not exist', async () => {
+      (fs.existsSync as jest.Mock).mockReturnValue(false);
+
+      await expect(client.logout()).resolves.not.toThrow();
+      expect(fs.rmSync).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('isAuthorized', () => {
+    it('verifies API key if provided', async () => {
+      const mockDeviceFlow = {
+        verifyApiKey: jest.fn().mockResolvedValue(true),
+      };
+      (RedoclyOAuthDeviceFlow as jest.Mock).mockImplementation(() => mockDeviceFlow);
+
+      const result = await client.isAuthorized(mockBaseUrl, 'test-api-key');
+
+      expect(result).toBe(true);
+      expect(mockDeviceFlow.verifyApiKey).toHaveBeenCalledWith('test-api-key');
+    });
+
+    it('verifies access token if no API key provided', async () => {
+      const mockToken = { access_token: 'test-token' };
+      const mockDeviceFlow = {
+        verifyToken: jest.fn().mockResolvedValue(true),
+      };
+      (RedoclyOAuthDeviceFlow as jest.Mock).mockImplementation(() => mockDeviceFlow);
+      (fs.readFileSync as jest.Mock).mockReturnValue(
+        client['cipher'].update(JSON.stringify(mockToken), 'utf8', 'hex') +
+          client['cipher'].final('hex')
+      );
+
+      const result = await client.isAuthorized(mockBaseUrl);
+
+      expect(result).toBe(true);
+      expect(mockDeviceFlow.verifyToken).toHaveBeenCalledWith('test-token');
+    });
+
+    it('returns false if token refresh fails', async () => {
+      const mockToken = {
+        access_token: 'old-token',
+        refresh_token: 'refresh-token',
+      };
+      const mockDeviceFlow = {
+        verifyToken: jest.fn().mockResolvedValue(false),
+        refreshToken: jest.fn().mockRejectedValue(new Error('Refresh failed')),
+      };
+      (RedoclyOAuthDeviceFlow as jest.Mock).mockImplementation(() => mockDeviceFlow);
+      (fs.readFileSync as jest.Mock).mockReturnValue(
+        client['cipher'].update(JSON.stringify(mockToken), 'utf8', 'hex') +
+          client['cipher'].final('hex')
+      );
+
+      const result = await client.isAuthorized(mockBaseUrl);
+
+      expect(result).toBe(false);
+    });
+  });
+});

packages/cli/src/auth/device-flow.ts

@@ -0,0 +1,175 @@
+import { blue, green } from 'colorette';
+import * as childProcess from 'child_process';
+import { ReuniteApiClient } from '../reunite/api/api-client';
+
+export type AuthToken = {
+  access_token: string;
+  refresh_token?: string;
+  token_type?: string;
+  expires_in?: number;
+};
+
+export class RedoclyOAuthDeviceFlow {
+  private apiClient: ReuniteApiClient;
+
+  constructor(private baseUrl: string, private clientName: string, private version: string) {
+    this.apiClient = new ReuniteApiClient(this.version, 'login');
+  }
+
+  async run() {
+    const code = await this.getDeviceCode();
+    process.stdout.write(
+      'Attempting to automatically open the SSO authorization page in your default browser.\n'
+    );
+    process.stdout.write(
+      'If the browser does not open or you wish to use a different device to authorize this request, open the following URL:\n\n'
+    );
+    process.stdout.write(blue(code.verificationUri));
+    process.stdout.write(`\n\n`);
+    process.stdout.write(`Then enter the code:\n\n`);
+    process.stdout.write(blue(code.userCode));
+    process.stdout.write(`\n\n`);
+
+    this.openBrowser(code.verificationUriComplete);
+
+    const accessToken = await this.pollingAccessToken(
+      code.deviceCode,
+      code.interval,
+      code.expiresIn
+    );
+    process.stdout.write(green('✅ Logged in\n\n'));
+
+    return accessToken;
+  }
+
+  private openBrowser(url: string) {
+    try {
+      const cmd =
+        process.platform === 'win32'
+          ? `start ${url}`
+          : process.platform === 'darwin'
+          ? `open ${url}`
+          : `xdg-open ${url}`;
+
+      childProcess.execSync(cmd);
+    } catch {
+      // silently fail if browser cannot be opened
+    }
+  }
+
+  async verifyToken(accessToken: string) {
+    try {
+      const response = await this.sendRequest('/session', 'GET', undefined, {
+        Cookie: `accessToken=${accessToken};`,
+      });
+
+      return !!response.user;
+    } catch {
+      return false;
+    }
+  }
+
+  async verifyApiKey(apiKey: string) {
+    try {
+      const response = await this.sendRequest('/api-keys-verify', 'POST', {
+        apiKey,
+      });
+      return !!response.success;
+    } catch {
+      return false;
+    }
+  }
+
+  async refreshToken(refreshToken: string) {
+    const response = await this.sendRequest(`/device-rotate-token`, 'POST', {
+      grant_type: 'refresh_token',
+      client_name: this.clientName,
+      refresh_token: refreshToken,
+    });
+
+    if (!response.access_token) {
+      throw new Error('Failed to refresh token');
+    }
+    return {
+      access_token: response.access_token,
+      refresh_token: response.refresh_token,
+      expires_in: response.expires_in,
+    };
+  }
+
+  private async pollingAccessToken(
+    deviceCode: string,
+    interval: number,
+    expiresIn: number
+  ): Promise<AuthToken> {
+    return new Promise((resolve, reject) => {
+      const intervalId = setInterval(async () => {
+        const response = await this.getAccessToken(deviceCode);
+        if (response.access_token) {
+          clearInterval(intervalId);
+          clearTimeout(timeoutId);
+          resolve(response);
+        }
+        if (response.error && response.error !== 'authorization_pending') {
+          clearInterval(intervalId);
+          clearTimeout(timeoutId);
+          reject(response.error_description);
+        }
+      }, interval * 1000);
+
+      const timeoutId = setTimeout(async () => {
+        clearInterval(intervalId);
+        clearTimeout(timeoutId);
+        reject('Authorization has expired. Please try again.');
+      }, expiresIn * 1000);
+    });
+  }
+
+  private async getAccessToken(deviceCode: string) {
+    return await this.sendRequest('/device-token', 'POST', {
+      client_name: this.clientName,
+      device_code: deviceCode,
+      grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+    });
+  }
+
+  private async getDeviceCode() {
+    const {
+      device_code: deviceCode,
+      user_code: userCode,
+      verification_uri: verificationUri,
+      verification_uri_complete: verificationUriComplete,
+      interval = 10,
+      expires_in: expiresIn = 300,
+    } = await this.sendRequest('/device-authorize', 'POST', {
+      client_name: this.clientName,
+    });
+
+    return {
+      deviceCode,
+      userCode,
+      verificationUri,
+      verificationUriComplete,
+      interval,
+      expiresIn,
+    };
+  }
+
+  private async sendRequest(
+    url: string,
+    method: string = 'GET',
+    body: Record<string, unknown> | undefined = undefined,
+    headers: Record<string, string> = {}
+  ) {
+    url = `${this.baseUrl}${url}`;
+    const response = await this.apiClient.request(url, {
+      body: body ? JSON.stringify(body) : body,
+      method,
+      headers: { 'Content-Type': 'application/json', ...headers },
+    });
+    if (response.status === 204) {
+      return { success: true };
+    }
+    return await response.json();
+  }
+}