feat: support sts token login

BoliangLI · BoliangLI · commit 9702e4bcbbd4 · 2026-03-17T14:12:14.000+08:00
diff --git a/src/commands/login/index.ts b/src/commands/login/index.ts
@@ -15,6 +15,40 @@ import {
 } from '../../utils/fileUtils/index.js';
 import { validateCredentials } from '../../utils/validateCredentials.js';
 
+/** Parse STS token string: "AccessKeyId,AccessKeySecret,SecurityToken" or JSON */
+function parseStsToken(
+  raw: string
+): { accessKeyId: string; accessKeySecret: string; securityToken: string } | null {
+  const s = raw.trim();
+  if (!s) return null;
+  if (s.startsWith('{')) {
+    try {
+      const o = JSON.parse(s) as Record<string, string>;
+      const accessKeyId =
+        o.AccessKeyId ?? o.accessKeyId;
+      const accessKeySecret =
+        o.AccessKeySecret ?? o.accessKeySecret;
+      const securityToken =
+        o.SecurityToken ?? o.securityToken;
+      if (accessKeyId && accessKeySecret && securityToken) {
+        return { accessKeyId, accessKeySecret, securityToken };
+      }
+    } catch {
+      return null;
+    }
+    return null;
+  }
+  const parts = s.split(',').map((p) => p.trim());
+  if (parts.length >= 3) {
+    return {
+      accessKeyId: parts[0],
+      accessKeySecret: parts[1],
+      securityToken: parts.slice(2).join(',').trim()
+    };
+  }
+  return null;
+}
+
 const login: CommandModule = {
   command: 'login',
   describe: `🔑 ${t('login_describe').d('Login to the server')}`,
@@ -29,6 +63,12 @@ const login: CommandModule = {
         alias: 'sk',
         describe: t('login_option_access_key_secret')?.d('AccessKey Secret'),
         type: 'string'
+      })
+      .option('sts-token', {
+        describe: t('login_option_sts_token')?.d(
+          'STS token: AccessKeyId,AccessKeySecret,SecurityToken (comma-separated, one-shot)'
+        ),
+        type: 'string'
       });
   },
   handler: async (argv: ArgumentsCamelCase) => {
@@ -40,10 +80,15 @@ export default login;
 
 export async function handleLogin(argv?: ArgumentsCamelCase): Promise<void> {
   generateDefaultConfig();
-  if (process.env.ESA_ACCESS_KEY_ID && process.env.ESA_ACCESS_KEY_SECRET) {
+  const envSecurityToken = process.env.ESA_SECURITY_TOKEN;
+  if (
+    process.env.ESA_ACCESS_KEY_ID &&
+    process.env.ESA_ACCESS_KEY_SECRET
+  ) {
     const result = await validateCredentials(
       process.env.ESA_ACCESS_KEY_ID,
-      process.env.ESA_ACCESS_KEY_SECRET
+      process.env.ESA_ACCESS_KEY_SECRET,
+      envSecurityToken
     );
     if (result.valid) {
       logger.log(
@@ -58,6 +103,38 @@ export async function handleLogin(argv?: ArgumentsCamelCase): Promise<void> {
     return;
   }
 
+  const stsTokenRaw = argv?.['sts-token'] as string | undefined;
+  if (stsTokenRaw) {
+    const parsed = parseStsToken(stsTokenRaw);
+    if (!parsed) {
+      logger.error(
+        t('login_sts_token_format_invalid').d(
+          'Invalid STS token format. Use: AccessKeyId,AccessKeySecret,SecurityToken'
+        )
+      );
+      return;
+    }
+    const result = await validateCredentials(
+      parsed.accessKeyId,
+      parsed.accessKeySecret,
+      parsed.securityToken
+    );
+    if (result.valid) {
+      logger.success(t('login_success').d('Login success!'));
+      updateCliConfigFile({
+        auth: {
+          accessKeyId: parsed.accessKeyId,
+          accessKeySecret: parsed.accessKeySecret,
+          securityToken: parsed.securityToken
+        },
+        ...(result.endpoint ? { endpoint: result.endpoint } : {})
+      });
+    } else {
+      logger.error(result.message || 'Login failed');
+    }
+    return;
+  }
+
   const accessKeyId = argv?.['access-key-id'] as string;
   const accessKeySecret = argv?.['access-key-secret'] as string;
   if (accessKeyId && accessKeySecret) {
@@ -88,7 +165,8 @@ export async function handleLogin(argv?: ArgumentsCamelCase): Promise<void> {
   ) {
     const loginStatus = await validateCredentials(
       cliConfig.auth.accessKeyId,
-      cliConfig.auth.accessKeySecret
+      cliConfig.auth.accessKeySecret,
+      cliConfig.auth.securityToken
     );
     if (loginStatus.valid) {
       logger.warn(t('login_already').d('You are already logged in.'));
@@ -121,6 +199,63 @@ export async function handleLogin(argv?: ArgumentsCamelCase): Promise<void> {
 }
 
 export async function interactiveLogin(): Promise<void> {
+  const loginMethod = (await clackSelect({
+    message: t('login_method_select').d('Choose login method'),
+    options: [
+      {
+        label: t('login_method_aksk').d('AK/SK (AccessKey ID + AccessKey Secret)'),
+        value: 'aksk'
+      },
+      {
+        label: t('login_method_sts').d(
+          'STS Token (one-shot: AccessKeyId,AccessKeySecret,SecurityToken)'
+        ),
+        value: 'sts'
+      }
+    ]
+  })) as 'aksk' | 'sts';
+
+  if (isCancel(loginMethod)) {
+    return;
+  }
+
+  if (loginMethod === 'sts') {
+    const stsInput = (await clackText({
+      message: t('login_sts_token_prompt').d(
+        'Enter STS token (AccessKeyId,AccessKeySecret,SecurityToken):'
+      )
+    })) as string;
+    if (isCancel(stsInput)) return;
+    const parsed = parseStsToken(stsInput);
+    if (!parsed) {
+      logger.error(
+        t('login_sts_token_format_invalid').d(
+          'Invalid STS token format. Use: AccessKeyId,AccessKeySecret,SecurityToken'
+        )
+      );
+      return;
+    }
+    const loginStatus = await validateCredentials(
+      parsed.accessKeyId,
+      parsed.accessKeySecret,
+      parsed.securityToken
+    );
+    if (loginStatus.valid) {
+      await updateCliConfigFile({
+        auth: {
+          accessKeyId: parsed.accessKeyId,
+          accessKeySecret: parsed.accessKeySecret,
+          securityToken: parsed.securityToken
+        },
+        ...(loginStatus.endpoint ? { endpoint: loginStatus.endpoint } : {})
+      });
+      logger.success(t('login_success').d('Login success!'));
+    } else {
+      logger.error(loginStatus.message || 'Login failed');
+    }
+    return;
+  }
+
   const styledUrl = chalk.underline.blue(
     'https://ram.console.aliyun.com/manage/ak'
   );
diff --git a/src/commands/logout.ts b/src/commands/logout.ts
@@ -24,10 +24,17 @@ export async function handleLogout() {
   }
 
   if (!cliConfig.auth) {
-    cliConfig.auth = { accessKeyId: '', accessKeySecret: '' };
+    cliConfig.auth = {
+      accessKeyId: '',
+      accessKeySecret: '',
+      securityToken: ''
+    };
   } else {
     cliConfig.auth.accessKeyId = '';
     cliConfig.auth.accessKeySecret = '';
+    if ('securityToken' in cliConfig.auth) {
+      cliConfig.auth.securityToken = '';
+    }
   }
 
   await updateCliConfigFile(cliConfig);
diff --git a/src/commands/utils.ts b/src/commands/utils.ts
@@ -104,23 +104,28 @@ export async function checkIsLoginSuccess(): Promise<boolean> {
     process.env.ESA_ACCESS_KEY_ID || cliConfig?.auth?.accessKeyId;
   let accessKeySecret =
     process.env.ESA_ACCESS_KEY_SECRET || cliConfig?.auth?.accessKeySecret;
+  const securityToken =
+    process.env.ESA_SECURITY_TOKEN || cliConfig?.auth?.securityToken;
 
   if (accessKeyId && accessKeySecret) {
-    const result = await validateCredentials(accessKeyId, accessKeySecret);
+    const result = await validateCredentials(
+      accessKeyId,
+      accessKeySecret,
+      securityToken
+    );
     const server = await ApiService.getInstance();
     if (result.valid) {
+      const auth: { accessKeyId: string; accessKeySecret: string; securityToken?: string } = {
+        accessKeyId,
+        accessKeySecret
+      };
+      if (securityToken) auth.securityToken = securityToken;
       server.updateConfig({
-        auth: {
-          accessKeyId,
-          accessKeySecret
-        },
+        auth,
         endpoint: result.endpoint
       });
       api.updateConfig({
-        auth: {
-          accessKeyId,
-          accessKeySecret
-        },
+        auth,
         endpoint: result.endpoint
       });
       return true;
diff --git a/src/i18n/locales.json b/src/i18n/locales.json
@@ -1075,6 +1075,30 @@
     "en": "AccessKey Secret (SK)",
     "zh_CN": "AccessKey Secret (SK)"
   },
+  "login_option_sts_token": {
+    "en": "STS token: AccessKeyId,AccessKeySecret,SecurityToken (comma-separated, one-shot)",
+    "zh_CN": "STS 临时凭证：AccessKeyId,AccessKeySecret,SecurityToken（逗号分隔，一次性输入）"
+  },
+  "login_sts_token_prompt": {
+    "en": "Enter STS token (AccessKeyId,AccessKeySecret,SecurityToken):",
+    "zh_CN": "请输入 STS 凭证（AccessKeyId,AccessKeySecret,SecurityToken）："
+  },
+  "login_sts_token_format_invalid": {
+    "en": "Invalid STS token format. Use: AccessKeyId,AccessKeySecret,SecurityToken",
+    "zh_CN": "STS 凭证格式错误，请使用：AccessKeyId,AccessKeySecret,SecurityToken"
+  },
+  "login_method_select": {
+    "en": "Choose login method",
+    "zh_CN": "选择登录方式"
+  },
+  "login_method_aksk": {
+    "en": "AK/SK (AccessKey ID + AccessKey Secret)",
+    "zh_CN": "AK/SK（AccessKey ID + AccessKey Secret）"
+  },
+  "login_method_sts": {
+    "en": "STS Token (one-shot: AccessKeyId,AccessKeySecret,SecurityToken)",
+    "zh_CN": "STS 临时凭证（一次性输入：AccessKeyId,AccessKeySecret,SecurityToken）"
+  },
   "login_option_skip_login": {
     "en": "Skip login",
     "zh_CN": "跳过登录"
diff --git a/src/libs/api.ts b/src/libs/api.ts
@@ -29,7 +29,10 @@ class Client {
       accessKeyId: config.auth?.accessKeyId,
       accessKeySecret: config.auth?.accessKeySecret,
       endpoint: config.endpoint,
-      userAgent: CLI_USER_AGENT
+      userAgent: CLI_USER_AGENT,
+      ...(config.auth?.securityToken
+        ? { securityToken: config.auth.securityToken }
+        : {})
     });
     return new ESA.default(apiConfig as any);
   }
diff --git a/src/libs/apiService.ts b/src/libs/apiService.ts
@@ -58,7 +58,10 @@ export class ApiService {
       accessKeyId: cliConfig.auth?.accessKeyId,
       accessKeySecret: cliConfig.auth?.accessKeySecret,
       endpoint: cliConfig.endpoint,
-      userAgent: CLI_USER_AGENT
+      userAgent: CLI_USER_AGENT,
+      ...(cliConfig.auth?.securityToken
+        ? { securityToken: cliConfig.auth.securityToken }
+        : {})
     });
 
     this.client = new $OpenApi.default.default(apiConfig);
@@ -77,7 +80,10 @@ export class ApiService {
       accessKeyId: newConfig.auth?.accessKeyId,
       accessKeySecret: newConfig.auth?.accessKeySecret,
       endpoint: newConfig.endpoint,
-      userAgent: CLI_USER_AGENT
+      userAgent: CLI_USER_AGENT,
+      ...(newConfig.auth?.securityToken
+        ? { securityToken: newConfig.auth.securityToken }
+        : {})
     });
     this.client = new $OpenApi.default.default(apiConfig);
   }
diff --git a/src/utils/fileUtils/index.ts b/src/utils/fileUtils/index.ts
@@ -305,7 +305,8 @@ export const getApiConfig = () => {
   let defaultConfig = {
     auth: {
       accessKeyId: '',
-      accessKeySecret: ''
+      accessKeySecret: '',
+      securityToken: undefined as string | undefined
     },
     endpoint: `esa.cn-hangzhou.aliyuncs.com`
   };
@@ -319,7 +320,8 @@ export const getApiConfig = () => {
   const config = {
     auth: {
       accessKeyId: combinedConfig.auth?.accessKeyId,
-      accessKeySecret: combinedConfig.auth?.accessKeySecret
+      accessKeySecret: combinedConfig.auth?.accessKeySecret,
+      securityToken: combinedConfig.auth?.securityToken
     },
     endpoint: combinedConfig.endpoint
   };
diff --git a/src/utils/fileUtils/interface.ts b/src/utils/fileUtils/interface.ts
@@ -1,6 +1,8 @@
 export interface AuthConfig {
   accessKeyId: string;
   accessKeySecret: string;
+  /** STS 临时凭证中的 SecurityToken，使用 STS 登录时必填 */
+  securityToken?: string;
 }
 
 export interface ProjectConfig {
diff --git a/src/utils/validateCredentials.ts b/src/utils/validateCredentials.ts

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,8 @@`
`1`	`1`	`export interface AuthConfig {`
`2`	`2`	`accessKeyId: string;`
`3`	`3`	`accessKeySecret: string;`
	`4`	`+ /** STS 临时凭证中的 SecurityToken，使用 STS 登录时必填 */`
	`5`	`+ securityToken?: string;`
`4`	`6`	`}`
`5`	`7`
`6`	`8`	`export interface ProjectConfig {`