refactor(cli): add experimental auth flow for login command (#3753)

* refactor(cli): add experimental auth flow for login command

* fix: types

* fix: remove type reference imports

* refactor(mc-scripts): extract callback into separate module

* refactor: handle response_mode query

* docs: changesets

Author: emmenko

.changeset/odd-trainers-serve.md

@@ -0,0 +1,5 @@
+---
+'@commercetools-frontend/mc-scripts': patch
+---
+
+Support experimental auth flow with identity for `login` command.

packages/mc-scripts/package.json

@@ -87,11 +87,13 @@
     "graphql-tag": "^2.12.6",
     "html-webpack-plugin": "5.6.0",
     "json-loader": "0.5.7",
+    "jwt-decode": "3.1.2",
     "lodash": "4.17.21",
     "mini-css-extract-plugin": "2.9.0",
     "moment": "^2.29.4",
     "moment-locales-webpack-plugin": "1.2.0",
     "node-fetch": "2.7.0",
+    "open": "^10.1.0",
     "postcss": "8.4.38",
     "postcss-custom-media": "8.0.2",
     "postcss-custom-properties": "12.1.4",

packages/mc-scripts/src/commands/login.ts

@@ -1,12 +1,39 @@
+import crypto from 'node:crypto';
+import type { Server } from 'node:http';
+import process from 'node:process';
 import chalk from 'chalk';
 import prompts from 'prompts';
 import { processConfig } from '@commercetools-frontend/application-config';
+import pkgJson from '../../package.json';
 import { getAuthToken } from '../utils/auth';
+import { createAuthCallbackServer } from '../utils/auth-callback';
 import CredentialsStorage from '../utils/credentials-storage';
 
 const credentialsStorage = new CredentialsStorage();
+const port = 3001;
+const clientIdentifier = `mc-scripts-${pkgJson.version}`;
+
+const startServer = (server: Server) =>
+  new Promise((resolve, reject) => {
+    server
+      .listen(port)
+      .on('listening', resolve)
+      .on('error', (error) => {
+        console.error('Problem starting server', error);
+        return reject(error);
+      })
+      .on('close', () => {
+        process.exit();
+      });
+  });
+
+const generateRandomHash = (length: number = 16) =>
+  crypto.randomBytes(length).toString('hex');
 
 async function run() {
+  const shouldUseExperimentalIdentityAuthFlow =
+    process.env.ENABLE_EXPERIMENTAL_IDENTITY_AUTH_FLOW === 'true';
+
   const applicationConfig = await processConfig();
   const { mcApiUrl } = applicationConfig.env;
 
@@ -18,27 +45,67 @@ async function run() {
     return;
   }
 
-  console.log(`Enter the login credentials:`);
+  if (shouldUseExperimentalIdentityAuthFlow) {
+    const open = await import('open');
 
-  const { email } = await prompts({
-    type: 'text',
-    name: 'email',
-    message: 'Email',
-  });
-  const { password } = await prompts({
-    type: 'invisible',
-    name: 'password',
-    message: 'Password (hidden)',
-  });
+    const state = generateRandomHash();
+    const nonce = generateRandomHash();
 
-  if (!email || !password) {
-    throw new Error(`Missing email or password values. Aborting.`);
-  }
+    const authUrl = new URL('/login/authorize', mcApiUrl);
+    authUrl.searchParams.set('response_type', 'id_token');
+    authUrl.searchParams.set('response_mode', 'query');
+    authUrl.searchParams.set('client_id', `__local:${clientIdentifier}`);
+    authUrl.searchParams.set(
+      'scope',
+      [
+        'openid',
+        // 'project_key:??',
+      ].join(' ')
+    );
+    authUrl.searchParams.set('state', state);
+    authUrl.searchParams.set('nonce', nonce);
 
-  const credentials = await getAuthToken(mcApiUrl, { email, password });
-  credentialsStorage.setToken(mcApiUrl, credentials);
+    const server = createAuthCallbackServer({
+      clientIdentifier,
+      state,
+      nonce,
+      onSuccess: (tokenContext) => {
+        credentialsStorage.setToken(mcApiUrl, tokenContext);
 
-  console.log(chalk.green(`Login successful.\n`));
+        console.log();
+        console.log(chalk.green(`Login successful.`));
+        console.log();
+      },
+    });
+    await startServer(server);
+
+    await open.default(authUrl.toString());
+
+    console.log('Waiting for the OIDC authentication to complete...');
+  } else {
+    console.log(`Enter the login credentials:`);
+
+    const { email } = await prompts({
+      type: 'text',
+      name: 'email',
+      message: 'Email',
+    });
+    const { password } = await prompts({
+      type: 'invisible',
+      name: 'password',
+      message: 'Password (hidden)',
+    });
+
+    if (!email || !password) {
+      throw new Error(`Missing email or password values. Aborting.`);
+    }
+
+    const credentials = await getAuthToken(mcApiUrl, { email, password });
+    credentialsStorage.setToken(mcApiUrl, credentials);
+
+    console.log(chalk.green(`Login successful.`));
+    console.log();
+  }
 }
 
 export default run;

packages/mc-scripts/src/utils/auth-callback.ts

@@ -0,0 +1,60 @@
+import http from 'node:http';
+import jwtDecode from 'jwt-decode';
+import type { TMcCliAuthToken } from '../types';
+
+type TAuthCallbackServerOptions = {
+  clientIdentifier: string;
+  state: string;
+  nonce: string;
+  onSuccess: (tokenContext: TMcCliAuthToken) => void;
+};
+type TSessionToken = { exp: number; nonce: string };
+
+function createAuthCallbackServer(options: TAuthCallbackServerOptions) {
+  const server = http.createServer(async (request, response) => {
+    try {
+      if (request.url?.includes(`/${options.clientIdentifier}/oidc/callback`)) {
+        const incomingUrl = new URL(request.url, 'http://localhost');
+        const sessionToken = incomingUrl.searchParams.get('sessionToken');
+        const requestedState = incomingUrl.searchParams.get('state');
+
+        if (!sessionToken) {
+          throw new Error('Invalid authentication flow (missing sessionToken)');
+        }
+        const decodedSessionToken = jwtDecode<TSessionToken>(sessionToken);
+
+        if (decodedSessionToken?.nonce !== options.nonce) {
+          throw new Error('Invalid authentication flow (nonce mismatch)');
+        }
+        if (requestedState !== options.state) {
+          throw new Error('Invalid authentication flow (state mismatch)');
+        }
+
+        options.onSuccess({
+          token: sessionToken,
+          expiresAt: decodedSessionToken.exp,
+        });
+
+        response.setHeader('content-type', 'text/html');
+        response.end('Success!');
+
+        server.close();
+      }
+    } catch (error) {
+      response.setHeader('content-type', 'text/html');
+      if (error instanceof Error) {
+        console.error(error.message);
+        response.end(error.message);
+      } else {
+        console.error(error);
+        response.end(`Invalid authentication flow.`);
+      }
+
+      server.close();
+    }
+  });
+
+  return server;
+}
+
+export { createAuthCallbackServer };

packages/mc-scripts/src/utils/graphql-requests.ts

@@ -1,7 +1,10 @@
 import chalk from 'chalk';
 import { type DocumentNode, print } from 'graphql';
 import { ClientError, GraphQLClient, type Variables } from 'graphql-request';
-import { GRAPHQL_TARGETS } from '@commercetools-frontend/constants';
+import {
+  GRAPHQL_TARGETS,
+  SUPPORTED_HEADERS,
+} from '@commercetools-frontend/constants';
 import type {
   TFetchMyOrganizationsFromCliQuery,
   TFetchMyOrganizationsFromCliQueryVariables,
@@ -112,18 +115,26 @@ async function requestWithTokenRetry<Data, QueryVariables extends Variables>(
   requestOptions: {
     variables?: QueryVariables;
     mcApiUrl: string;
-    headers: HeadersInit;
+    headers: Record<string, string>;
   },
   retryCount: number = 0
 ): Promise<Data> {
+  const shouldUseExperimentalIdentityAuthFlow =
+    process.env.ENABLE_EXPERIMENTAL_IDENTITY_AUTH_FLOW === 'true';
+
   const token = credentialsStorage.getToken(requestOptions.mcApiUrl);
 
+  const tokenHeader: Record<string, string | null> =
+    shouldUseExperimentalIdentityAuthFlow
+      ? { [SUPPORTED_HEADERS.AUTHORIZATION]: `Bearer ${token}` }
+      : { 'x-mc-cli-access-token': token };
+
   const client = new GraphQLClient(`${requestOptions.mcApiUrl}/graphql`, {
     headers: {
       Accept: 'application/json',
       'Content-Type': 'application/json',
       'x-user-agent': userAgent,
-      ...(token ? { 'x-mc-cli-access-token': token } : {}),
+      ...(token ? tokenHeader : {}),
       ...requestOptions.headers,
     },
   });