login fixed

pranavcodeant · pranavcodeant · commit 6693e94b5574 · 2026-05-21T15:57:55.000+05:30
diff --git a/mcpb/manifest.json b/mcpb/manifest.json
@@ -2,7 +2,7 @@
   "manifest_version": "0.3",
   "name": "codeant",
   "display_name": "CodeAnt AI",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "Drive CodeAnt AI security scans and code review from Claude — org-wide secret triage, cross-repo SAST/SCA findings, on-demand scans, and local PR review.",
   "long_description": "CodeAnt AI inside Claude. Ask things like \"how many critical SAST findings do I have across my org?\", \"show every exposed secret in payments-service\", or \"review my staged changes\" — Claude calls the CodeAnt API directly via this MCP server.\n\nIncludes 11 read-only tools (orgs, repos, scan history, scan metadata, findings, dismissed alerts, PRs, comments, comment search, local review) and 2 opt-in write tools (trigger a scan, resolve a PR conversation) gated behind a setting.\n\nRequires a CodeAnt account. Sign up at https://codeant.ai and grab an API key from your settings page.",
   "author": {
@@ -62,16 +62,18 @@
     { "name": "codeant_pr_comments", "description": "List comments on a PR/MR with optional filters." },
     { "name": "codeant_comments_search", "description": "Search across CodeAnt review comments by free-text query." },
     { "name": "codeant_review_local", "description": "Run a CodeAnt AI review on local working-copy changes." },
+    { "name": "codeant_login", "description": "Open app.codeant.ai in the browser and poll until the user completes sign-in; saves the resulting API token." },
     { "name": "codeant_scans_start", "description": "Trigger a new scan run (write — gated behind read_only=false)." },
     { "name": "codeant_pr_resolve", "description": "Resolve a PR conversation thread (write — gated behind read_only=false)." }
   ],
   "user_config": {
     "api_token": {
       "type": "string",
       "title": "CodeAnt API token",
-      "description": "Find this in your CodeAnt account settings at app.codeant.ai. Required.",
-      "required": true,
-      "sensitive": true
+      "description": "Optional. Leave blank and run the `codeant_login` tool to sign in through your browser instead. Otherwise paste a token from your CodeAnt account settings at app.codeant.ai.",
+      "required": false,
+      "sensitive": true,
+      "default": ""
     },
     "base_url": {
       "type": "string",
diff --git a/src/mcp/server.js b/src/mcp/server.js
@@ -12,6 +12,8 @@ import { runDismissed } from '../commands/scans/dismissed.js';
 import { runStartScan } from '../commands/scans/start-scan.js';
 import { runReviewHeadless } from '../reviewHeadless.js';
 import * as scm from '../scm/index.js';
+import { isAlreadyLoggedIn, runLoginFlow } from '../utils/loginFlow.js';
+import { getConfigValue } from '../utils/config.js';
 
 const require = createRequire(import.meta.url);
 const pkg = require('../../package.json');
@@ -63,7 +65,26 @@ async function captureStdout(fn) {
   return chunks.join('');
 }
 
+async function ensureAuthenticated() {
+  const envToken = process.env.CODEANT_API_TOKEN;
+  if (envToken && envToken.trim()) return;
+  if (isAlreadyLoggedIn()) {
+    process.env.CODEANT_API_TOKEN = getConfigValue('apiKeyV2');
+    return;
+  }
+
+  console.error('[codeant-mcp] No API token configured — opening browser for sign-in.');
+  try {
+    const { loginUrl } = await runLoginFlow();
+    console.error(`[codeant-mcp] Login complete. (URL was ${loginUrl})`);
+  } catch (err) {
+    console.error(`[codeant-mcp] Login failed: ${err.message}. The server will start anyway; call the codeant_login tool to retry.`);
+  }
+}
+
 export async function startMcpServer() {
+  await ensureAuthenticated();
+
   const server = new McpServer({ name: 'codeant', version: pkg.version });
   const readOnly = isReadOnly();
 
@@ -370,6 +391,29 @@ export async function startMcpServer() {
     }
   );
 
+  // ─── Auth (always registered — login is needed even in read-only mode) ───
+  server.registerTool(
+    'codeant_login',
+    {
+      title: 'Sign in to CodeAnt AI',
+      description: 'Opens app.codeant.ai in the user\'s browser and waits up to 10 minutes for them to complete sign-in. Tell the user to check their browser and finish the flow there. On success the API token is saved to ~/.codeant/config.json (apiKeyV2) and set on the running MCP process, so subsequent tool calls are authenticated without restart. Returns { alreadyLoggedIn: true } immediately if a token is already configured, unless `force` is true.',
+      inputSchema: {
+        force: z.boolean().optional().describe('Re-authenticate even if a token is already configured. Default false.'),
+      },
+      annotations: { ...WRITE_NON_DESTRUCTIVE, idempotentHint: true },
+    },
+    async ({ force }) => {
+      try {
+        if (!force && isAlreadyLoggedIn()) {
+          return ok({ alreadyLoggedIn: true });
+        }
+        const { token, loginUrl } = await runLoginFlow();
+        const masked = token ? `${token.slice(0, 8)}…` : null;
+        return ok({ status: 'success', loginUrl, token: masked });
+      } catch (err) { return fail(err); }
+    }
+  );
+
   // ─── Write-side tools (gated behind CODEANT_READ_ONLY=0) ─────────────────
   if (!readOnly) {
     server.registerTool(
diff --git a/src/utils/loginFlow.js b/src/utils/loginFlow.js
@@ -0,0 +1,74 @@
+import { randomUUID } from 'crypto';
+import { getConfigValue, setConfigValue } from './config.js';
+import { getBaseUrl } from './baseUrl.js';
+
+const DEFAULT_POLL_INTERVAL = 10_000;
+const DEFAULT_TIMEOUT = 10 * 60 * 1000;
+
+export function isAlreadyLoggedIn() {
+  return !!getConfigValue('apiKeyV2');
+}
+
+export async function startLoginFlow() {
+  const token = randomUUID();
+  const baseUrl = getBaseUrl();
+  const loginUrl = `https://app.codeant.ai?ideLoginToken=${token}`;
+  const pollUrl = `${baseUrl}/extension/login/status?apiKey=${token}`;
+
+  let browserOpened = false;
+  try {
+    const { default: open } = await import('open');
+    await open(loginUrl);
+    browserOpened = true;
+  } catch {
+    // Caller can fall back to printing loginUrl.
+  }
+
+  return { token, loginUrl, pollUrl, browserOpened };
+}
+
+export async function awaitLoginCompletion({
+  token,
+  pollUrl,
+  pollIntervalMs = DEFAULT_POLL_INTERVAL,
+  timeoutMs = DEFAULT_TIMEOUT,
+  signal,
+} = {}) {
+  if (!token || !pollUrl) {
+    throw new Error('awaitLoginCompletion requires token and pollUrl');
+  }
+
+  const deadline = Date.now() + timeoutMs;
+
+  while (Date.now() < deadline) {
+    if (signal?.aborted) throw new Error('Login aborted');
+
+    try {
+      const response = await fetch(pollUrl);
+      const data = await response.json();
+      if (data.status === 'yes') {
+        setConfigValue('apiKeyV2', token);
+        process.env.CODEANT_API_TOKEN = token;
+        return { ok: true, token };
+      }
+    } catch {
+      // Network blip — keep polling.
+    }
+
+    const remaining = deadline - Date.now();
+    if (remaining <= 0) break;
+    await new Promise((resolve) => setTimeout(resolve, Math.min(pollIntervalMs, remaining)));
+  }
+
+  throw new Error('Login timed out. Please try again.');
+}
+
+export async function runLoginFlow({
+  pollIntervalMs = DEFAULT_POLL_INTERVAL,
+  timeoutMs = DEFAULT_TIMEOUT,
+  signal,
+} = {}) {
+  const { token, loginUrl, pollUrl, browserOpened } = await startLoginFlow();
+  const result = await awaitLoginCompletion({ token, pollUrl, pollIntervalMs, timeoutMs, signal });
+  return { ...result, loginUrl, browserOpened };
+}
