feat: update authentication to be in sync with the VS Code extension (#2281)

Author: tatomyr

.changeset/easy-wolves-visit.md

@@ -0,0 +1,5 @@
+---
+"@redocly/cli": minor
+---
+
+Updated authentication logic to ensure consistency with the VS Code extension's behavior.

packages/cli/src/auth/__tests__/device-flow.test.ts

@@ -2,12 +2,10 @@ import { RedoclyOAuthDeviceFlow } from '../device-flow.js';
 
 describe('RedoclyOAuthDeviceFlow', () => {
   const mockBaseUrl = 'https://test.redocly.com';
-  const mockClientName = 'test-client';
-  const mockVersion = '1.0.0';
   let flow: RedoclyOAuthDeviceFlow;
 
   beforeEach(() => {
-    flow = new RedoclyOAuthDeviceFlow(mockBaseUrl, mockClientName, mockVersion);
+    flow = new RedoclyOAuthDeviceFlow(mockBaseUrl);
   });
 
   describe('verifyToken', () => {

packages/cli/src/auth/__tests__/oauth-client.test.ts

@@ -5,8 +5,6 @@ import * as path from 'node:path';
 import * as os from 'node:os';
 
 describe('RedoclyOAuthClient', () => {
-  const mockClientName = 'test-client';
-  const mockVersion = '1.0.0';
   const mockBaseUrl = 'https://test.redocly.com';
   const mockHomeDir = '/mock/home/dir';
   const mockRedoclyDir = path.join(mockHomeDir, '.redocly');
@@ -18,7 +16,7 @@ describe('RedoclyOAuthClient', () => {
     vi.mock('node:os');
     vi.mocked(os.homedir).mockReturnValue(mockHomeDir);
     process.env.HOME = mockHomeDir;
-    client = new RedoclyOAuthClient(mockClientName, mockVersion);
+    client = new RedoclyOAuthClient();
   });
 
   describe('login', () => {
@@ -51,7 +49,7 @@ describe('RedoclyOAuthClient', () => {
 
       await client.logout();
 
-      expect(fs.rmSync).toHaveBeenCalledWith(path.join(mockRedoclyDir, 'auth.json'));
+      expect(fs.rmSync).toHaveBeenCalledWith(path.join(mockRedoclyDir, 'credentials'));
     });
 
     it('silently fails if token file does not exist', async () => {
@@ -76,40 +74,33 @@ describe('RedoclyOAuthClient', () => {
     });
 
     it('verifies access token if no API key provided', async () => {
-      const mockToken = { access_token: 'test-token' };
-      const mockDeviceFlow = {
-        verifyToken: vi.fn().mockResolvedValue(true),
-      };
-      vi.mocked(RedoclyOAuthDeviceFlow).mockImplementation(() => mockDeviceFlow as any);
-      vi.mocked(fs.readFileSync).mockReturnValue(
-        client['cipher'].update(JSON.stringify(mockToken), 'utf8', 'hex') +
-          client['cipher'].final('hex')
-      );
+      // Mock getAccessToken to return a valid token
+      const getAccessTokenSpy = vi.spyOn(client, 'getAccessToken').mockResolvedValue('test-token');
 
       const result = await client.isAuthorized(mockBaseUrl);
 
       expect(result).toBe(true);
-      expect(mockDeviceFlow.verifyToken).toHaveBeenCalledWith('test-token');
+      expect(getAccessTokenSpy).toHaveBeenCalledWith(mockBaseUrl);
     });
 
     it('returns false if token refresh fails', async () => {
-      const mockToken = {
-        access_token: 'old-token',
-        refresh_token: 'refresh-token',
-      };
-      const mockDeviceFlow = {
-        verifyToken: vi.fn().mockResolvedValue(false),
-        refreshToken: vi.fn().mockRejectedValue(new Error('Refresh failed')),
-      };
-      vi.mocked(RedoclyOAuthDeviceFlow).mockImplementation(() => mockDeviceFlow as any);
-      vi.mocked(fs.readFileSync).mockReturnValue(
-        client['cipher'].update(JSON.stringify(mockToken), 'utf8', 'hex') +
-          client['cipher'].final('hex')
-      );
+      // Mock getAccessToken to return null (indicating refresh failed)
+      const getAccessTokenSpy = vi.spyOn(client, 'getAccessToken').mockResolvedValue(null);
+
+      const result = await client.isAuthorized(mockBaseUrl);
+
+      expect(result).toBe(false);
+      expect(getAccessTokenSpy).toHaveBeenCalledWith(mockBaseUrl);
+    });
+
+    it('returns false if no token exists', async () => {
+      // Mock getAccessToken to return null (no token)
+      const getAccessTokenSpy = vi.spyOn(client, 'getAccessToken').mockResolvedValue(null);
 
       const result = await client.isAuthorized(mockBaseUrl);
 
       expect(result).toBe(false);
+      expect(getAccessTokenSpy).toHaveBeenCalledWith(mockBaseUrl);
     });
   });
 });

packages/cli/src/auth/device-flow.ts

@@ -4,18 +4,19 @@ import { logger } from '@redocly/openapi-core';
 import { ReuniteApiClient } from '../reunite/api/api-client.js';
 import { DEFAULT_FETCH_TIMEOUT } from '../utils/constants.js';
 
-export type AuthToken = {
+export type Credentials = {
   access_token: string;
-  refresh_token?: string;
-  token_type?: string;
-  expires_in?: number;
+  refresh_token: string;
+  expires_in: number;
+  token_type?: string; // from login response
 };
 
 export class RedoclyOAuthDeviceFlow {
   private apiClient: ReuniteApiClient;
+  private clientName = 'redocly-cli';
 
-  constructor(private baseUrl: string, private clientName: string, private version: string) {
-    this.apiClient = new ReuniteApiClient(this.version, 'login');
+  constructor(private baseUrl: string) {
+    this.apiClient = new ReuniteApiClient('login');
   }
 
   async run() {
@@ -59,7 +60,7 @@ export class RedoclyOAuthDeviceFlow {
     }
   }
 
-  async verifyToken(accessToken: string) {
+  async verifyToken(accessToken: string): Promise<boolean> {
     try {
       const response = await this.sendRequest('/session', 'GET', undefined, {
         Cookie: `accessToken=${accessToken};`,
@@ -82,7 +83,7 @@ export class RedoclyOAuthDeviceFlow {
     }
   }
 
-  async refreshToken(refreshToken: string) {
+  async refreshToken(refreshToken?: string) {
     const response = await this.sendRequest(`/device-rotate-token`, 'POST', {
       grant_type: 'refresh_token',
       client_name: this.clientName,
@@ -103,7 +104,7 @@ export class RedoclyOAuthDeviceFlow {
     deviceCode: string,
     interval: number,
     expiresIn: number
-  ): Promise<AuthToken> {
+  ): Promise<Credentials> {
     return new Promise((resolve, reject) => {
       const intervalId = setInterval(async () => {
         const response = await this.getAccessToken(deviceCode);
@@ -158,12 +159,12 @@ export class RedoclyOAuthDeviceFlow {
   }
 
   private async sendRequest(
-    url: string,
+    path: string,
     method: string = 'GET',
     body: Record<string, unknown> | undefined = undefined,
     headers: Record<string, string> = {}
   ) {
-    url = `${this.baseUrl}${url}`;
+    const url = `${this.baseUrl}/api${path}`;
     const response = await this.apiClient.request(url, {
       body: body ? JSON.stringify(body) : body,
       method,

packages/cli/src/auth/oauth-client.ts

@@ -1,112 +1,133 @@
 import { homedir } from 'node:os';
-import * as path from 'node:path';
+import path from 'node:path';
 import { mkdirSync, existsSync, writeFileSync, readFileSync, rmSync } from 'node:fs';
-import * as crypto from 'node:crypto';
+import crypto from 'node:crypto';
 import { Buffer } from 'node:buffer';
 import { logger } from '@redocly/openapi-core';
-import { type AuthToken, RedoclyOAuthDeviceFlow } from './device-flow.js';
+import { type Credentials, RedoclyOAuthDeviceFlow } from './device-flow.js';
 
 const SALT = '4618dbc9-8aed-4e27-aaf0-225f4603e5a4';
 const CRYPTO_ALGORITHM = 'aes-256-cbc';
 
 export class RedoclyOAuthClient {
-  private dir: string;
-  private cipher: crypto.Cipher;
-  private decipher: crypto.Decipher;
-
-  constructor(private clientName: string, private version: string) {
-    this.dir = path.join(homedir(), '.redocly');
-    if (!existsSync(this.dir)) {
-      mkdirSync(this.dir);
-    }
+  public static readonly CREDENTIALS_FILE = 'credentials';
+
+  private readonly dir: string;
+  private readonly key: Buffer;
+  private readonly iv: Buffer;
+
+  constructor() {
+    const homeDirPath = homedir();
 
-    const homeDirPath = process.env.HOME as string;
-    const hash = crypto.createHash('sha256');
-    hash.update(`${homeDirPath}${SALT}`);
-    const hashHex = hash.digest('hex');
-
-    const key = Buffer.alloc(
-      32,
-      Buffer.from(hashHex).toString('base64')
-    ).toString() as crypto.CipherKey;
-    const iv = Buffer.alloc(
-      16,
-      Buffer.from(process.env.HOME as string).toString('base64')
-    ).toString() as crypto.BinaryLike;
-    this.cipher = crypto.createCipheriv(CRYPTO_ALGORITHM, key, iv);
-    this.decipher = crypto.createDecipheriv(CRYPTO_ALGORITHM, key, iv);
+    this.dir = path.join(homeDirPath, '.redocly');
+    mkdirSync(this.dir, { recursive: true });
+
+    this.key = crypto.createHash('sha256').update(`${homeDirPath}${SALT}`).digest(); // 32-byte key
+    this.iv = crypto.createHash('md5').update(homeDirPath).digest(); // 16-byte IV
   }
 
-  async login(baseUrl: string) {
-    const deviceFlow = new RedoclyOAuthDeviceFlow(baseUrl, this.clientName, this.version);
+  public async login(baseUrl: string) {
+    const deviceFlow = new RedoclyOAuthDeviceFlow(baseUrl);
 
-    const token = await deviceFlow.run();
-    if (!token) {
+    const credentials = await deviceFlow.run();
+    if (!credentials) {
       throw new Error('Failed to login');
     }
-    this.saveToken(token);
+    this.saveCredentials(credentials);
   }
 
-  async logout() {
+  public async logout() {
     try {
-      this.removeToken();
+      this.removeCredentials();
     } catch (err) {
       // do nothing
     }
   }
 
-  async isAuthorized(baseUrl: string, apiKey?: string) {
-    const deviceFlow = new RedoclyOAuthDeviceFlow(baseUrl, this.clientName, this.version);
-
+  public async isAuthorized(reuniteUrl: string, apiKey?: string): Promise<boolean> {
     if (apiKey) {
-      return await deviceFlow.verifyApiKey(apiKey);
+      const deviceFlow = new RedoclyOAuthDeviceFlow(reuniteUrl);
+      return deviceFlow.verifyApiKey(apiKey);
     }
 
-    const token = await this.readToken();
-    if (!token) {
-      return false;
+    const accessToken = await this.getAccessToken(reuniteUrl);
+
+    return Boolean(accessToken);
+  }
+
+  public getAccessToken = async (reuniteUrl: string): Promise<string | null> => {
+    const deviceFlow = new RedoclyOAuthDeviceFlow(reuniteUrl);
+    const credentials = await this.readCredentials();
+
+    if (!credentials) {
+      return null;
     }
 
-    const isValidAccessToken = await deviceFlow.verifyToken(token.access_token);
+    const isValid = await deviceFlow.verifyToken(credentials.access_token);
 
-    if (isValidAccessToken) {
-      return true;
+    if (isValid) {
+      return credentials.access_token;
     }
 
     try {
-      const newToken = await deviceFlow.refreshToken(token.refresh_token);
-      await this.saveToken(newToken);
+      const newCredentials = await deviceFlow.refreshToken(credentials.refresh_token);
+      await this.saveCredentials(newCredentials);
+
+      return newCredentials.access_token;
     } catch {
-      return false;
+      return null;
     }
+  };
 
-    return true;
+  private get credentialsPath() {
+    return path.join(this.dir, RedoclyOAuthClient.CREDENTIALS_FILE);
   }
 
-  private async saveToken(token: AuthToken) {
+  private async saveCredentials(credentials: Credentials): Promise<void> {
     try {
-      const encrypted =
-        this.cipher.update(JSON.stringify(token), 'utf8', 'hex') + this.cipher.final('hex');
-      writeFileSync(path.join(this.dir, 'auth.json'), encrypted);
+      const encryptedCredentials = this.encryptCredentials(credentials);
+      writeFileSync(this.credentialsPath, encryptedCredentials, 'utf8');
     } catch (error) {
-      logger.error(`Error saving tokens: ${error}`);
+      logger.error(`Failed to save credentials: ${error.message}`);
     }
   }
 
-  private async readToken() {
+  private async readCredentials(): Promise<Credentials | null> {
+    if (!existsSync(this.credentialsPath)) {
+      return null;
+    }
+
     try {
-      const token = readFileSync(path.join(this.dir, 'auth.json'), 'utf8');
-      const decrypted = this.decipher.update(token, 'hex', 'utf8') + this.decipher.final('utf8');
-      return decrypted ? JSON.parse(decrypted) : null;
+      const encryptedCredentials = readFileSync(this.credentialsPath, 'utf8');
+      return this.decryptCredentials(encryptedCredentials);
     } catch {
       return null;
     }
   }
 
-  private async removeToken() {
-    const tokenPath = path.join(this.dir, 'auth.json');
-    if (existsSync(tokenPath)) {
-      rmSync(tokenPath);
+  private async removeCredentials(): Promise<void> {
+    if (existsSync(this.credentialsPath)) {
+      rmSync(this.credentialsPath);
     }
   }
+
+  private encryptCredentials(credentials: Credentials): string {
+    const cipher = crypto.createCipheriv(CRYPTO_ALGORITHM, this.key, this.iv);
+    const encrypted = Buffer.concat([
+      cipher.update(JSON.stringify(credentials), 'utf8'),
+      cipher.final(),
+    ]);
+
+    return encrypted.toString('hex');
+  }
+
+  private decryptCredentials(encryptedCredentials: string): Credentials {
+    const decipher = crypto.createDecipheriv(CRYPTO_ALGORITHM, this.key, this.iv);
+    const decrypted = Buffer.concat([
+      decipher.update(Buffer.from(encryptedCredentials, 'hex')),
+      decipher.final(),
+    ]);
+
+    return JSON.parse(decrypted.toString('utf8'));
+  }
 }

packages/cli/src/commands/auth.ts

@@ -10,11 +10,10 @@ export type LoginArgv = {
   config?: string;
 };
 
-export async function handleLogin({ argv, version, config }: CommandArgs<LoginArgv>) {
-  const residency = argv.residency || config?.resolvedConfig?.residency;
-  const reuniteUrl = getReuniteUrl(residency);
+export async function handleLogin({ argv, config }: CommandArgs<LoginArgv>) {
+  const reuniteUrl = getReuniteUrl(config, argv.residency);
   try {
-    const oauthClient = new RedoclyOAuthClient('redocly-cli', version);
+    const oauthClient = new RedoclyOAuthClient();
     await oauthClient.login(reuniteUrl);
   } catch {
     if (argv.residency) {
@@ -29,8 +28,8 @@ export type LogoutArgv = {
   config?: string;
 };
 
-export async function handleLogout({ version }: CommandArgs<LogoutArgv>) {
-  const oauthClient = new RedoclyOAuthClient('redocly-cli', version);
+export async function handleLogout() {
+  const oauthClient = new RedoclyOAuthClient();
   oauthClient.logout();
 
   logger.output('Logged out from the Redocly account. ✋ \n');