feat: add ep login command for browser-based authentication

PaulJPhilp · claude · PaulJPhilp · commit ff53e10356ea · 2026-02-26T17:58:26.000-05:00
Opens browser to EffectTalk.dev, captures API key via local callback
server, and saves credentials to ~/.config/ep-cli/config.json.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/packages/ep-cli/src/__tests__/login-command.test.ts b/packages/ep-cli/src/__tests__/login-command.test.ts
@@ -0,0 +1,101 @@
+/**
+ * Tests for the login command and config writer.
+ */
+
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { Effect } from "effect";
+import { existsSync, mkdirSync, readFileSync, rmSync } from "node:fs";
+import path from "node:path";
+import { tmpdir } from "node:os";
+import { resolveConfigPath, writeConfig } from "../services/config/writer.js";
+
+describe("resolveConfigPath", () => {
+  const originalEnv = { ...process.env };
+
+  afterEach(() => {
+    process.env = { ...originalEnv };
+  });
+
+  it("uses EP_CONFIG_FILE when set", () => {
+    process.env.EP_CONFIG_FILE = "/custom/path/config.json";
+    expect(resolveConfigPath()).toBe("/custom/path/config.json");
+  });
+
+  it("ignores empty EP_CONFIG_FILE", () => {
+    process.env.EP_CONFIG_FILE = "   ";
+    const result = resolveConfigPath();
+    expect(result).not.toBe("   ");
+    expect(result).toContain("ep-cli");
+  });
+
+  it("uses XDG_CONFIG_HOME when set", () => {
+    delete process.env.EP_CONFIG_FILE;
+    process.env.XDG_CONFIG_HOME = "/xdg/config";
+    expect(resolveConfigPath()).toBe("/xdg/config/ep-cli/config.json");
+  });
+
+  it("falls back to ~/.config", () => {
+    delete process.env.EP_CONFIG_FILE;
+    delete process.env.XDG_CONFIG_HOME;
+    const result = resolveConfigPath();
+    expect(result).toContain(".config");
+    expect(result).toContain("ep-cli");
+    expect(result).toContain("config.json");
+  });
+});
+
+describe("writeConfig", () => {
+  let testDir: string;
+  const originalEnv = { ...process.env };
+
+  beforeEach(() => {
+    testDir = path.join(tmpdir(), `ep-cli-test-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+    mkdirSync(testDir, { recursive: true });
+    process.env.EP_CONFIG_FILE = path.join(testDir, "config.json");
+  });
+
+  afterEach(() => {
+    process.env = { ...originalEnv };
+    if (existsSync(testDir)) {
+      rmSync(testDir, { recursive: true, force: true });
+    }
+  });
+
+  it("writes config with apiKey, email, and updatedAt", async () => {
+    const configPath = await Effect.runPromise(
+      writeConfig({ apiKey: "test-key-123", email: "test@example.com" })
+    );
+
+    expect(existsSync(configPath)).toBe(true);
+    const content = JSON.parse(readFileSync(configPath, "utf8"));
+    expect(content.apiKey).toBe("test-key-123");
+    expect(content.email).toBe("test@example.com");
+    expect(content.updatedAt).toBeDefined();
+    expect(() => new Date(content.updatedAt)).not.toThrow();
+  });
+
+  it("creates parent directories if missing", async () => {
+    const nestedPath = path.join(testDir, "nested", "dir", "config.json");
+    process.env.EP_CONFIG_FILE = nestedPath;
+
+    await Effect.runPromise(
+      writeConfig({ apiKey: "key", email: "e@x.com" })
+    );
+
+    expect(existsSync(nestedPath)).toBe(true);
+  });
+
+  it("overwrites existing config", async () => {
+    await Effect.runPromise(
+      writeConfig({ apiKey: "old-key", email: "old@x.com" })
+    );
+    await Effect.runPromise(
+      writeConfig({ apiKey: "new-key", email: "new@x.com" })
+    );
+
+    const configPath = resolveConfigPath();
+    const content = JSON.parse(readFileSync(configPath, "utf8"));
+    expect(content.apiKey).toBe("new-key");
+    expect(content.email).toBe("new@x.com");
+  });
+});
diff --git a/packages/ep-cli/src/commands/login-command.ts b/packages/ep-cli/src/commands/login-command.ts
@@ -0,0 +1,163 @@
+/**
+ * Login Command
+ *
+ * Opens the browser to EffectTalk.dev for authentication and captures
+ * the API key via a local callback server.
+ */
+
+import { Command } from "@effect/cli";
+import { Console, Duration, Effect } from "effect";
+import { randomBytes } from "node:crypto";
+import { createServer, type IncomingMessage, type Server, type ServerResponse } from "node:http";
+import { writeConfig } from "../services/config/writer.js";
+
+const AUTH_BASE_URL = "https://effecttalk.dev/cli/auth";
+const PRIMARY_PORT = 4567;
+const FALLBACK_PORT = 4568;
+const TIMEOUT = Duration.minutes(5);
+
+interface AuthResult {
+  readonly apiKey: string;
+  readonly email: string;
+}
+
+/**
+ * Try to start an HTTP server on the given port.
+ * Returns an Effect that fails if the port is busy.
+ */
+const tryListen = (server: Server, port: number): Effect.Effect<number, Error> =>
+  Effect.async<number, Error>((resume) => {
+    server.once("error", (err: NodeJS.ErrnoException) => {
+      resume(Effect.fail(new Error(`Port ${port} unavailable: ${err.code}`)));
+    });
+    server.listen(port, "127.0.0.1", () => {
+      resume(Effect.succeed(port));
+    });
+  });
+
+/**
+ * Open a URL in the user's default browser.
+ */
+const openBrowser = (url: string): Effect.Effect<void, Error> =>
+  Effect.try({
+    try: () => {
+      const { exec } = require("node:child_process") as typeof import("node:child_process");
+      const cmd =
+        process.platform === "darwin"
+          ? "open"
+          : process.platform === "win32"
+            ? "start"
+            : "xdg-open";
+      exec(`${cmd} "${url}"`);
+    },
+    catch: (error) =>
+      error instanceof Error ? error : new Error(`Failed to open browser: ${String(error)}`),
+  });
+
+/**
+ * Wait for the authentication callback on the local server.
+ */
+const waitForCallback = (
+  server: Server,
+  port: number,
+  expectedState: string,
+): Effect.Effect<AuthResult, Error> =>
+  Effect.async<AuthResult, Error>((resume) => {
+    server.on("request", (req: IncomingMessage, res: ServerResponse) => {
+      const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+
+      if (url.pathname !== "/callback") {
+        res.writeHead(404, { "Content-Type": "text/plain" });
+        res.end("Not Found");
+        return;
+      }
+
+      const state = url.searchParams.get("state");
+      if (state !== expectedState) {
+        res.writeHead(403, { "Content-Type": "text/plain" });
+        res.end("Invalid state parameter");
+        return;
+      }
+
+      const apiKey = url.searchParams.get("apiKey") ?? "";
+      const email = url.searchParams.get("email") ?? "";
+
+      if (!apiKey) {
+        res.writeHead(400, { "Content-Type": "text/plain" });
+        res.end("Missing apiKey parameter");
+        resume(Effect.fail(new Error("Callback received without apiKey")));
+        return;
+      }
+
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end(
+        "<html><body style=\"font-family:system-ui;text-align:center;padding:2em\">" +
+        "<h1>Success!</h1><p>You can close this tab and return to the terminal.</p>" +
+        "</body></html>"
+      );
+
+      resume(Effect.succeed({ apiKey, email }));
+    });
+  });
+
+/**
+ * Shut down the HTTP server.
+ */
+const closeServer = (server: Server): Effect.Effect<void> =>
+  Effect.async<void>((resume) => {
+    server.close(() => {
+      resume(Effect.succeed(void 0));
+    });
+  });
+
+export const loginCommand = Command.make("login").pipe(
+  Command.withDescription("Authenticate with EffectTalk.dev"),
+  Command.withHandler(() =>
+    Effect.gen(function* () {
+      const state = randomBytes(32).toString("hex");
+      const server = createServer();
+
+      // Try primary port, fall back to secondary
+      const port = yield* tryListen(server, PRIMARY_PORT).pipe(
+        Effect.orElse(() => tryListen(server, FALLBACK_PORT)),
+        Effect.mapError(() => new Error(
+          `Could not start local server on port ${PRIMARY_PORT} or ${FALLBACK_PORT}. ` +
+          "Please free one of these ports and try again."
+        )),
+      );
+
+      const authUrl = `${AUTH_BASE_URL}?state=${state}&port=${port}`;
+
+      yield* Console.log("\nAuthenticating with EffectTalk...");
+      yield* Console.log("Your browser should open automatically.\n");
+      yield* Console.log(`If it doesn't, open this URL manually:`);
+      yield* Console.log(`  ${authUrl}\n`);
+      yield* Console.log("Waiting for authentication... (timeout: 5 minutes)\n");
+
+      // Open browser (best-effort — don't fail if it can't open)
+      yield* openBrowser(authUrl).pipe(Effect.catchAll(() => Effect.void));
+
+      // Wait for callback with timeout
+      const result = yield* waitForCallback(server, port, state).pipe(
+        Effect.timeout(TIMEOUT),
+        Effect.catchTag("TimeoutException", () =>
+          Effect.fail(new Error(
+            "Authentication timed out after 5 minutes.\n" +
+            "Run `ep login` again to retry."
+          ))
+        ),
+        Effect.ensuring(closeServer(server)),
+      );
+
+      // Write credentials to config file
+      const configPath = yield* writeConfig({
+        apiKey: result.apiKey,
+        email: result.email,
+      });
+
+      const displayEmail = result.email || "unknown";
+      yield* Console.log(`Success! Authenticated as ${displayEmail}.`);
+      yield* Console.log(`   API key saved to ${configPath}`);
+    })
+  )
+);
diff --git a/packages/ep-cli/src/index.ts b/packages/ep-cli/src/index.ts
@@ -16,6 +16,7 @@ import { CLI } from "./constants.js";
 
 // Commands
 import { installCommand } from "./commands/install-commands.js";
+import { loginCommand } from "./commands/login-command.js";
 import { listCommand, searchCommand, showCommand } from "./commands/pattern-repo-commands.js";
 import { skillsCommand } from "./commands/skills-commands.js";
 
@@ -133,6 +134,7 @@ export const rootCommand = Command.make("ep").pipe(
     showCommand,
     installCommand,
     skillsCommand,
+    loginCommand,
   ])
 );
 
@@ -247,7 +249,7 @@ const isDirectExecution = (() => {
   return false;
 })();
 
-const ROOT_COMMANDS = ["search", "list", "show", "install", "skills"] as const;
+const ROOT_COMMANDS = ["search", "list", "show", "install", "skills", "login"] as const;
 const NESTED_COMMANDS: Record<string, readonly string[]> = {
   install: ["add", "list"],
   skills: ["list", "preview", "validate", "stats"],
diff --git a/packages/ep-cli/src/services/config/writer.ts b/packages/ep-cli/src/services/config/writer.ts
@@ -0,0 +1,64 @@
+/**
+ * Config file path resolution and writing utilities.
+ */
+
+import { Effect } from "effect";
+import { existsSync, mkdirSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
+import path from "node:path";
+
+/**
+ * Resolve the path to the ep-cli config file.
+ *
+ * Priority:
+ * 1. EP_CONFIG_FILE environment variable
+ * 2. $XDG_CONFIG_HOME/ep-cli/config.json
+ * 3. ~/.config/ep-cli/config.json
+ */
+export const resolveConfigPath = (): string => {
+  const explicit = process.env.EP_CONFIG_FILE;
+  if (explicit && explicit.trim().length > 0) {
+    return explicit;
+  }
+
+  const configHome = process.env.XDG_CONFIG_HOME || path.join(homedir(), ".config");
+  return path.join(configHome, "ep-cli", "config.json");
+};
+
+/**
+ * Write credentials to the ep-cli config file.
+ *
+ * Creates the parent directory if it doesn't exist and sets
+ * file permissions to 0o600 (owner read/write only).
+ */
+export const writeConfig = (data: {
+  readonly apiKey: string;
+  readonly email: string;
+}): Effect.Effect<string, Error> =>
+  Effect.try({
+    try: () => {
+      const configPath = resolveConfigPath();
+      const dir = path.dirname(configPath);
+
+      if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+      }
+
+      const content = JSON.stringify(
+        {
+          apiKey: data.apiKey,
+          email: data.email,
+          updatedAt: new Date().toISOString(),
+        },
+        null,
+        2
+      );
+
+      writeFileSync(configPath, content, { mode: 0o600 });
+      return configPath;
+    },
+    catch: (error) =>
+      error instanceof Error
+        ? error
+        : new Error(`Failed to write config: ${String(error)}`),
+  });
diff --git a/packages/ep-cli/src/services/pattern-api/service.ts b/packages/ep-cli/src/services/pattern-api/service.ts
@@ -4,28 +4,17 @@
 
 import { Effect } from "effect";
 import { existsSync, readFileSync } from "node:fs";
-import { homedir } from "node:os";
-import path from "node:path";
 import type {
   PatternApiService,
   PatternDetail,
   PatternSearchParams,
   PatternSummary,
 } from "./api.js";
+import { resolveConfigPath } from "../config/writer.js";
 
 const DEFAULT_API_BASE_URL = "https://effect-patterns-mcp-server-buddybuilder.vercel.app";
 const DEFAULT_TIMEOUT_MS = 10_000;
 
-const resolveConfigPath = () => {
-  const explicit = process.env.EP_CONFIG_FILE;
-  if (explicit && explicit.trim().length > 0) {
-    return explicit;
-  }
-
-  const configHome = process.env.XDG_CONFIG_HOME || path.join(homedir(), ".config");
-  return path.join(configHome, "ep-cli", "config.json");
-};
-
 const readApiKeyFromFile = (filePath: string): string => {
   const content = readFileSync(filePath, "utf8").trim();
   if (!content) {
