Remove Cloudchamber/Containers auth customisation

Author: penalosa

packages/wrangler/src/cfetch/internal.ts

@@ -142,7 +142,7 @@ function cloneHeaders(
 			: { ...headers };
 }
 
-async function requireLoggedIn(
+export async function requireLoggedIn(
 	complianceConfig: ComplianceConfig
 ): Promise<void> {
 	const loggedIn = await loginOrRefreshIfRequired(complianceConfig);
@@ -151,7 +151,7 @@ async function requireLoggedIn(
 	}
 }
 
-function addAuthorizationHeaderIfUnspecified(
+export function addAuthorizationHeaderIfUnspecified(
 	headers: Record<string, string>,
 	auth: ApiCredentials
 ): void {
@@ -165,7 +165,7 @@ function addAuthorizationHeaderIfUnspecified(
 	}
 }
 
-function addUserAgent(headers: Record<string, string>): void {
+export function addUserAgent(headers: Record<string, string>): void {
 	headers["User-Agent"] = `wrangler/${wranglerVersion}`;
 }
 

packages/wrangler/src/cloudchamber/common.ts

@@ -1,38 +1,27 @@
-import { mkdir } from "fs/promises";
-import { logRaw, space, status, updateStatus } from "@cloudflare/cli";
+import { space, updateStatus } from "@cloudflare/cli";
 import { brandColor, dim } from "@cloudflare/cli/colors";
 import { inputPrompt, spinner } from "@cloudflare/cli/interactive";
 import {
 	ApiError,
 	DeploymentMutationError,
 	OpenAPI,
 } from "@cloudflare/containers-shared";
-import { version as wranglerVersion } from "../../package.json";
+import {
+	addAuthorizationHeaderIfUnspecified,
+	addUserAgent,
+} from "../cfetch/internal";
 import { readConfig } from "../config";
-import { getConfigCache, purgeConfigCaches } from "../config-cache";
-import { containersScope } from "../containers";
 import { getCloudflareApiBaseUrl } from "../environment-variables/misc-variables";
 import { UserError } from "../errors";
 import { isNonInteractiveOrCI } from "../is-interactive";
 import { logger } from "../logger";
-import {
-	DefaultScopeKeys,
-	getAccountFromCache,
-	getAccountId,
-	getAPIToken,
-	getAuthFromEnv,
-	getScopes,
-	logout,
-	reinitialiseAuthTokens,
-	requireAuth,
-	setLoginScopeKeys,
-} from "../user";
+import { requireApiToken, requireAuth } from "../user";
 import { parseByteSize } from "./../parse";
 import { wrap } from "./helpers/wrap";
 import { idToLocationName, loadAccount } from "./locations";
 import type { Config } from "../config";
 import type { CloudchamberConfig, ContainerApp } from "../config/environment";
-import type { Scope } from "../user";
+import type { containersScope } from "../containers";
 import type {
 	CommonYargsOptions,
 	StrictYargsOptionsToInterfaceJSON,
@@ -45,7 +34,7 @@ import type {
 	NetworkParameters,
 } from "@cloudflare/containers-shared";
 
-export const cloudchamberScope: Scope = "cloudchamber:write";
+export const cloudchamberScope = "cloudchamber:write" as const;
 
 export type CommonCloudchamberConfiguration = { json: boolean };
 
@@ -107,7 +96,7 @@ export function handleFailure<
 		: never,
 >(
 	cb: (args: CommandArgumentsObject, config: Config) => Promise<void>,
-	scope: Scope
+	scope: typeof cloudchamberScope | typeof containersScope
 ): (
 	args: CommonYargsOptions &
 		CommandArgumentsObject &
@@ -146,21 +135,15 @@ export async function loadAccountSpinner({ json }: { json?: boolean }) {
  * Gets the API URL depending if the user is using old/admin based authentication.
  *
  */
-async function getAPIUrl(config: Config, scope: Scope) {
+async function getAPIUrl(
+	config: Config,
+	accountId: string,
+	scope: typeof cloudchamberScope | typeof containersScope
+) {
 	const api = getCloudflareApiBaseUrl(config);
-	// This one will probably be cache'd already so it won't ask for the accountId again
-	const accountId = config.account_id || (await getAccountId(config));
-	const endpoint =
-		scope === cloudchamberScope
-			? "cloudchamber"
-			: scope === containersScope
-				? "containers"
-				: null;
-	if (endpoint === null) {
-		throw new UserError(
-			"unexpected scope for command: " + JSON.stringify(scope)
-		);
-	}
+
+	const endpoint = scope === cloudchamberScope ? "cloudchamber" : "containers";
+
 	return `${api}/accounts/${accountId}/${endpoint}`;
 }
 
@@ -190,83 +173,19 @@ export async function promiseSpinner<T>(
 export async function fillOpenAPIConfiguration(
 	config: Config,
 	json: boolean,
-	scope: Scope
+	scope: typeof containersScope | typeof cloudchamberScope
 ) {
 	const headers: Record<string, string> =
 		OpenAPI.HEADERS !== undefined ? { ...OpenAPI.HEADERS } : {};
 
-	// if the config cache folder doesn't exist, it means that there is not a node_modules folder in the tree
-	if (Object.keys(getConfigCache("wrangler-account.json")).length === 0) {
-		await wrap(mkdir("node_modules", {}));
-		purgeConfigCaches();
-	}
-
-	const scopes = getScopes();
-	const needsToken = !scopes?.some((s) => s === scope);
-	const neededScopes: Scope[] = [scope];
-	const scopesToSet: Scope[] =
-		scopes == undefined
-			? neededScopes.concat(DefaultScopeKeys)
-			: neededScopes.concat(scopes);
-
-	if (getAuthFromEnv() && needsToken) {
-		setLoginScopeKeys(scopesToSet);
-		// Wrangler will try to retrieve the oauth token and refresh it
-		// for its internal fetch call even if we have AuthFromEnv.
-		// Let's mock it
-		reinitialiseAuthTokens({
-			expiration_time: "2300-01-01:00:00:00+00:00",
-			oauth_token: "_",
-		});
-	} else {
-		if (needsToken && scopes) {
-			logRaw(
-				status.warning +
-					" We need to re-authenticate to add a required token..."
-			);
-			// cache account id
-			await getAccountId(config);
-			const account = getAccountFromCache();
-			config.account_id = account?.id ?? config.account_id;
-			await promiseSpinner(logout(), { json, message: "Revoking token" });
-			purgeConfigCaches();
-			reinitialiseAuthTokens({});
-		}
-
-		setLoginScopeKeys(scopesToSet);
-
-		// Require either login, or environment variables being set to authenticate
-		//
-		// This will prompt the user for an accountId being chosen if they haven't configured the account id yet
-		const [, err] = await wrap(requireAuth(config));
-		if (err) {
-			throw new UserError(
-				`authenticating with the Cloudflare API: ${err.message}`
-			);
-		}
-	}
-
-	// Get the loaded API token
-	const token = getAPIToken();
-	if (!token) {
-		throw new UserError("unexpected apiToken not existing in credentials");
-	}
-
-	const val = "apiToken" in token ? token.apiToken : null;
-	// Don't try to support this method of authentication
-	if (!val) {
-		throw new UserError(
-			"we don't allow for authKey/email credentials, use `wrangler login` or CLOUDFLARE_API_TOKEN env variable to authenticate"
-		);
-	}
+	const accountId = await requireAuth(config);
+	const auth = requireApiToken();
+	addAuthorizationHeaderIfUnspecified(headers, auth);
+	addUserAgent(headers);
 
-	headers["Authorization"] = `Bearer ${val}`;
-	// These are being set by the internal fetch of wrangler, but we are not using it
-	// due to our OpenAPI codegenerated client.
-	headers["User-Agent"] = `wrangler/${wranglerVersion}`;
 	OpenAPI.CREDENTIALS = "omit";
 	if (OpenAPI.BASE.length === 0) {
-		const [base, errApiURL] = await wrap(getAPIUrl(config, scope));
+		const [base, errApiURL] = await wrap(getAPIUrl(config, accountId, scope));
 		if (errApiURL) {
 			throw new UserError("getting the API url: " + errApiURL.message);
 		}

packages/wrangler/src/cloudchamber/images/images.ts

@@ -22,12 +22,13 @@ import {
 } from "../common";
 import { wrap } from "../helpers/wrap";
 import type { Config } from "../../config";
-import type { Scope } from "../../user";
+import type { containersScope } from "../../containers";
 import type {
 	CommonYargsArgvJSON,
 	CommonYargsArgvSanitizedJSON,
 	StrictYargsOptionsToInterfaceJSON,
 } from "../../yargs-types";
+import type { cloudchamberScope } from "../common";
 import type { ImageRegistryPermissions } from "@cloudflare/containers-shared";
 
 function configureImageRegistryOptionalYargs(yargs: CommonYargsArgvJSON) {
@@ -61,7 +62,10 @@ function credentialsImageRegistryYargs(yargs: CommonYargsArgvJSON) {
 		});
 }
 
-export const registriesCommand = (yargs: CommonYargsArgvJSON, scope: Scope) => {
+export const registriesCommand = (
+	yargs: CommonYargsArgvJSON,
+	scope: typeof containersScope | typeof cloudchamberScope
+) => {
 	return yargs
 		.command(
 			"configure",

packages/wrangler/src/cloudchamber/images/list.ts

@@ -5,12 +5,13 @@ import {
 import { logger } from "../../logger";
 import { handleFailure, promiseSpinner } from "../common";
 import type { Config } from "../../config";
-import type { Scope } from "../../user";
+import type { containersScope } from "../../containers";
 import type {
 	CommonYargsArgvJSON,
 	CommonYargsArgvSanitizedJSON,
 	StrictYargsOptionsToInterfaceJSON,
 } from "../../yargs-types";
+import type { cloudchamberScope } from "../common";
 import type { ImageRegistryPermissions } from "@cloudflare/containers-shared";
 
 interface CatalogResponse {
@@ -22,7 +23,10 @@ interface TagsResponse {
 	tags: string[];
 }
 
-export const imagesCommand = (yargs: CommonYargsArgvJSON, scope: Scope) => {
+export const imagesCommand = (
+	yargs: CommonYargsArgvJSON,
+	scope: typeof containersScope | typeof cloudchamberScope
+) => {
 	return yargs
 		.command(
 			"list",

packages/wrangler/src/cloudchamber/ssh/ssh.ts

@@ -24,12 +24,13 @@ import {
 import { wrap } from "../helpers/wrap";
 import { validatePublicSSHKeyCLI, validateSSHKey } from "./validate";
 import type { Config } from "../../config";
-import type { Scope } from "../../user";
+import type { containersScope } from "../../containers";
 import type {
 	CommonYargsArgvJSON,
 	CommonYargsArgvSanitizedJSON,
 	StrictYargsOptionsToInterfaceJSON,
 } from "../../yargs-types";
+import type { cloudchamberScope } from "../common";
 import type {
 	ListSSHPublicKeys,
 	SSHPublicKeyID,
@@ -107,7 +108,10 @@ export async function sshPrompts(
 	return key || undefined;
 }
 
-export const sshCommand = (yargs: CommonYargsArgvJSON, scope: Scope) => {
+export const sshCommand = (
+	yargs: CommonYargsArgvJSON,
+	scope: typeof cloudchamberScope | typeof containersScope
+) => {
 	return yargs
 		.command(
 			"list",

packages/wrangler/src/containers/index.ts

@@ -14,11 +14,10 @@ import {
 	listCommand,
 	listYargs,
 } from "./containers";
-import type { Scope } from "../user";
 import type { CommonYargsArgvJSON, CommonYargsOptions } from "../yargs-types";
 import type { CommandModule } from "yargs";
 
-export const containersScope: Scope = "containers:write";
+export const containersScope = "containers:write" as const;
 
 export const containers = (
 	yargs: CommonYargsArgvJSON,

packages/wrangler/src/user/user.ts

@@ -361,24 +361,16 @@ const DefaultScopes = {
 		"See and change Cloudflare Pipelines configurations and data",
 	"secrets_store:write":
 		"See and change secrets + stores within the Secrets Store",
-} as const;
-
-const OptionalScopes = {
-	"cloudchamber:write": "Manage Cloudchamber",
 	"containers:write": "Manage Workers Containers",
+	"cloudchamber:write": "Manage Cloudchamber",
 } as const;
 
-const AllScopes = {
-	...DefaultScopes,
-	...OptionalScopes,
-};
-
 /**
  * The possible keys for a Scope.
  *
  * "offline_access" is automatically included.
  */
-export type Scope = keyof typeof AllScopes;
+export type Scope = keyof typeof DefaultScopes;
 
 export let DefaultScopeKeys = Object.keys(DefaultScopes) as Scope[];
 
@@ -1216,7 +1208,7 @@ export function listScopes(message = "💁 Available scopes:"): void {
 	logger.log(message);
 	const data = DefaultScopeKeys.map((scope: Scope) => ({
 		Scope: scope,
-		Description: AllScopes[scope],
+		Description: DefaultScopes[scope],
 	}));
 	logger.table(data);
 	// TODO: maybe a good idea to show usage here