feat(oauth-login): initial oauth login flow to new oauth provider

Author: jwerle

packages/cli/src/commands/login/apply-login.mts

@@ -2,18 +2,52 @@ import {
   CONFIG_KEY_API_BASE_URL,
   CONFIG_KEY_API_PROXY,
   CONFIG_KEY_API_TOKEN,
+  CONFIG_KEY_AUTH_BASE_URL,
   CONFIG_KEY_ENFORCED_ORGS,
+  CONFIG_KEY_OAUTH_CLIENT_ID,
+  CONFIG_KEY_OAUTH_REDIRECT_URI,
+  CONFIG_KEY_OAUTH_REFRESH_TOKEN,
+  CONFIG_KEY_OAUTH_SCOPES,
+  CONFIG_KEY_OAUTH_TOKEN_EXPIRES_AT,
 } from '../../constants/config.mts'
 import { updateConfigValue } from '../../utils/config.mts'
 
-export function applyLogin(
-  apiToken: string,
-  enforcedOrgs: string[],
-  apiBaseUrl: string | undefined,
-  apiProxy: string | undefined,
-) {
-  updateConfigValue(CONFIG_KEY_ENFORCED_ORGS, enforcedOrgs)
-  updateConfigValue(CONFIG_KEY_API_TOKEN, apiToken)
-  updateConfigValue(CONFIG_KEY_API_BASE_URL, apiBaseUrl)
-  updateConfigValue(CONFIG_KEY_API_PROXY, apiProxy)
+export function applyLogin(params: {
+  apiToken: string
+  enforcedOrgs: string[]
+  apiBaseUrl: string | undefined
+  apiProxy: string | undefined
+  authBaseUrl?: string | null | undefined
+  oauthClientId?: string | null | undefined
+  oauthRedirectUri?: string | null | undefined
+  oauthRefreshToken?: string | null | undefined
+  oauthScopes?: string[] | readonly string[] | null | undefined
+  oauthTokenExpiresAt?: number | null | undefined
+}) {
+  updateConfigValue(CONFIG_KEY_ENFORCED_ORGS, params.enforcedOrgs)
+  updateConfigValue(CONFIG_KEY_API_TOKEN, params.apiToken)
+  updateConfigValue(CONFIG_KEY_API_BASE_URL, params.apiBaseUrl)
+  updateConfigValue(CONFIG_KEY_API_PROXY, params.apiProxy)
+
+  if (params.authBaseUrl !== undefined) {
+    updateConfigValue(CONFIG_KEY_AUTH_BASE_URL, params.authBaseUrl)
+  }
+  if (params.oauthClientId !== undefined) {
+    updateConfigValue(CONFIG_KEY_OAUTH_CLIENT_ID, params.oauthClientId)
+  }
+  if (params.oauthRedirectUri !== undefined) {
+    updateConfigValue(CONFIG_KEY_OAUTH_REDIRECT_URI, params.oauthRedirectUri)
+  }
+  if (params.oauthRefreshToken !== undefined) {
+    updateConfigValue(CONFIG_KEY_OAUTH_REFRESH_TOKEN, params.oauthRefreshToken)
+  }
+  if (params.oauthScopes !== undefined) {
+    updateConfigValue(CONFIG_KEY_OAUTH_SCOPES, params.oauthScopes)
+  }
+  if (params.oauthTokenExpiresAt !== undefined) {
+    updateConfigValue(
+      CONFIG_KEY_OAUTH_TOKEN_EXPIRES_AT,
+      params.oauthTokenExpiresAt,
+    )
+  }
 }

packages/cli/src/commands/login/attempt-login.mts

@@ -2,19 +2,27 @@ import { joinAnd } from '@socketsecurity/lib/arrays'
 import { SOCKET_PUBLIC_API_TOKEN } from '@socketsecurity/lib/constants/socket'
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 import { confirm, password, select } from '@socketsecurity/lib/stdio/prompts'
+import { isNonEmptyString } from '@socketsecurity/lib/strings'
 
 import { applyLogin } from './apply-login.mts'
+import { oauthLogin } from './oauth-login.mts'
 import {
   CONFIG_KEY_API_BASE_URL,
   CONFIG_KEY_API_PROXY,
   CONFIG_KEY_API_TOKEN,
+  CONFIG_KEY_AUTH_BASE_URL,
   CONFIG_KEY_DEFAULT_ORG,
+  CONFIG_KEY_OAUTH_CLIENT_ID,
+  CONFIG_KEY_OAUTH_REDIRECT_URI,
+  CONFIG_KEY_OAUTH_SCOPES,
 } from '../../constants/config.mts'
+import ENV from '../../constants/env.mts'
 import {
   getConfigValueOrUndef,
   isConfigFromFlag,
   updateConfigValue,
 } from '../../utils/config.mts'
+import { deriveAuthBaseUrlFromApiBaseUrl } from '../../utils/auth/oauth.mts'
 import { failMsgWithBadge } from '../../utils/error/fail-msg-with-badge.mts'
 import { getEnterpriseOrgs, getOrgSlugs } from '../../utils/organization.mts'
 import { setupSdk } from '../../utils/socket/sdk.mjs'
@@ -23,27 +31,150 @@ import { setupTabCompletion } from '../install/setup-tab-completion.mts'
 import { fetchOrganization } from '../organization/fetch-organization-list.mts'
 
 import type { Choice } from '@socketsecurity/lib/stdio/prompts'
+import requirements from '../../../data/command-api-requirements.json' with {
+  type: 'json',
+}
 const logger = getDefaultLogger()
 
 type OrgChoice = Choice<string>
 type OrgChoices = OrgChoice[]
 
+type LoginMethod = 'oauth' | 'token'
+
+function getDefaultOAuthScopes(): string[] {
+  const permissions: string[] = []
+  const api = (requirements as any)?.api ?? {}
+  for (const value of Object.values(api) as any[]) {
+    const perms = (value?.permissions ?? []) as unknown
+    if (Array.isArray(perms)) {
+      for (const p of perms) {
+        if (typeof p === 'string' && p) {
+          permissions.push(p)
+        }
+      }
+    }
+  }
+  return [...new Set(permissions)].sort()
+}
+
+function parseScopes(value: unknown): string[] | undefined {
+  if (Array.isArray(value)) {
+    return value
+      .filter((v): v is string => typeof v === 'string' && v.length > 0)
+      .sort()
+  }
+  if (!isNonEmptyString(String(value ?? ''))) {
+    return undefined
+  }
+  const raw = String(value)
+  return raw
+    .split(/[,\s]+/u)
+    .map(s => s.trim())
+    .filter(Boolean)
+}
+
 export async function attemptLogin(
   apiBaseUrl: string | undefined,
   apiProxy: string | undefined,
+  options?: {
+    method?: LoginMethod | undefined
+    authBaseUrl?: string | undefined
+    oauthClientId?: string | undefined
+    oauthRedirectUri?: string | undefined
+    oauthScopes?: string | undefined
+  },
 ) {
   apiBaseUrl ??= getConfigValueOrUndef(CONFIG_KEY_API_BASE_URL) ?? undefined
   apiProxy ??= getConfigValueOrUndef(CONFIG_KEY_API_PROXY) ?? undefined
-  const apiTokenInput = await password({
-    message: `Enter your ${socketDocsLink('/docs/api-keys', 'Socket.dev API token')} (leave blank to use a limited public token)`,
-  })
+  const method: LoginMethod = options?.method ?? 'oauth'
 
-  if (apiTokenInput === undefined) {
-    logger.fail('Canceled by user')
-    return { ok: false, message: 'Canceled', cause: 'Canceled by user' }
-  }
+  let apiToken: string
+  let oauthRefreshToken: string | null | undefined
+  let oauthTokenExpiresAt: number | null | undefined
+  let authBaseUrl: string | null | undefined
+  let oauthClientId: string | null | undefined
+  let oauthRedirectUri: string | null | undefined
+  let oauthScopes: string[] | null | undefined
 
-  const apiToken = apiTokenInput || SOCKET_PUBLIC_API_TOKEN
+  if (method === 'token') {
+    const apiTokenInput = await password({
+      message: `Enter your ${socketDocsLink('/docs/api-keys', 'Socket.dev API token')} (leave blank to use a limited public token)`,
+    })
+
+    if (apiTokenInput === undefined) {
+      logger.fail('Canceled by user')
+      return { ok: false, message: 'Canceled', cause: 'Canceled by user' }
+    }
+
+    apiToken = apiTokenInput || SOCKET_PUBLIC_API_TOKEN
+
+    // Explicitly disable OAuth refresh flow when using a legacy org-wide token.
+    oauthRefreshToken = null
+    oauthTokenExpiresAt = null
+    authBaseUrl = null
+    oauthClientId = null
+    oauthRedirectUri = null
+    oauthScopes = null
+  } else {
+    const resolvedAuthBaseUrl =
+      options?.authBaseUrl ||
+      ENV.SOCKET_CLI_AUTH_BASE_URL ||
+      getConfigValueOrUndef(CONFIG_KEY_AUTH_BASE_URL) ||
+      deriveAuthBaseUrlFromApiBaseUrl(apiBaseUrl)
+
+    if (!isNonEmptyString(resolvedAuthBaseUrl)) {
+      process.exitCode = 1
+      logger.fail(
+        'OAuth auth base URL is not configured. Provide --auth-base-url or set SOCKET_CLI_AUTH_BASE_URL.',
+      )
+      return
+    }
+
+    const resolvedClientId =
+      options?.oauthClientId ||
+      ENV.SOCKET_CLI_OAUTH_CLIENT_ID ||
+      getConfigValueOrUndef(CONFIG_KEY_OAUTH_CLIENT_ID) ||
+      'socket-cli'
+
+    const resolvedRedirectUri =
+      options?.oauthRedirectUri ||
+      ENV.SOCKET_CLI_OAUTH_REDIRECT_URI ||
+      getConfigValueOrUndef(CONFIG_KEY_OAUTH_REDIRECT_URI) ||
+      'http://127.0.0.1:53682/callback'
+
+    const resolvedScopes =
+      parseScopes(
+        options?.oauthScopes ||
+          ENV.SOCKET_CLI_OAUTH_SCOPES ||
+          getConfigValueOrUndef(CONFIG_KEY_OAUTH_SCOPES) ||
+          getDefaultOAuthScopes(),
+      ) ?? []
+
+    logger.log(
+      `Opening your browser to complete login (client_id: ${resolvedClientId})...`,
+    )
+
+    const oauthResult = await oauthLogin({
+      authBaseUrl: resolvedAuthBaseUrl,
+      clientId: resolvedClientId,
+      redirectUri: resolvedRedirectUri,
+      scopes: resolvedScopes,
+      apiProxy,
+    })
+    if (!oauthResult.ok) {
+      process.exitCode = 1
+      logger.fail(failMsgWithBadge(oauthResult.message, oauthResult.cause))
+      return
+    }
+
+    apiToken = oauthResult.data.accessToken
+    oauthRefreshToken = oauthResult.data.refreshToken
+    oauthTokenExpiresAt = oauthResult.data.expiresAt
+    authBaseUrl = resolvedAuthBaseUrl
+    oauthClientId = resolvedClientId
+    oauthRedirectUri = resolvedRedirectUri
+    oauthScopes = resolvedScopes
+  }
 
   const sockSdkCResult = await setupSdk({ apiBaseUrl, apiProxy, apiToken })
   if (!sockSdkCResult.ok) {
@@ -155,7 +286,18 @@ export async function attemptLogin(
 
   const previousPersistedToken = getConfigValueOrUndef(CONFIG_KEY_API_TOKEN)
   try {
-    applyLogin(apiToken, enforcedOrgs, apiBaseUrl, apiProxy)
+    applyLogin({
+      apiToken,
+      enforcedOrgs,
+      apiBaseUrl,
+      apiProxy,
+      authBaseUrl,
+      oauthClientId,
+      oauthRedirectUri,
+      oauthRefreshToken,
+      oauthScopes,
+      oauthTokenExpiresAt,
+    })
     logger.success(
       `API credentials ${previousPersistedToken === apiToken ? 'refreshed' : previousPersistedToken ? 'updated' : 'set'}`,
     )

packages/cli/src/commands/login/cmd-login.mts

@@ -20,7 +20,7 @@ const logger = getDefaultLogger()
 
 export const CMD_NAME = 'login'
 
-const description = 'Setup Socket CLI with an API token and defaults'
+const description = 'Authenticate Socket CLI and store credentials'
 
 const hidden = false
 
@@ -41,6 +41,11 @@ async function run(
     hidden,
     flags: {
       ...commonFlags,
+      method: {
+        type: 'string',
+        default: 'oauth',
+        description: 'Login method: oauth (default) or token (legacy)',
+      },
       apiBaseUrl: {
         type: 'string',
         default: '',
@@ -51,6 +56,29 @@ async function run(
         default: '',
         description: 'Proxy to use when making connection to API server',
       },
+      authBaseUrl: {
+        type: 'string',
+        default: '',
+        description:
+          'OAuth authorization server base URL (defaults to derived from apiBaseUrl)',
+      },
+      oauthClientId: {
+        type: 'string',
+        default: '',
+        description: 'OAuth client_id (defaults to socket-cli)',
+      },
+      oauthRedirectUri: {
+        type: 'string',
+        default: '',
+        description:
+          'OAuth redirect URI (must match registered redirect URIs for client)',
+      },
+      oauthScopes: {
+        type: 'string',
+        default: '',
+        description:
+          'OAuth scopes to request (space or comma separated; defaults to CLI-required scopes)',
+      },
     },
     help: (command, config) => `
     Usage
@@ -59,13 +87,16 @@ async function run(
     API Token Requirements
       ${getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME}`)}
 
-    Logs into the Socket API by prompting for an API token
+    Logs into the Socket API using a browser-based OAuth flow (default).
+    Use --method=token to enter an API token manually (legacy).
 
     Options
       ${getFlagListOutput(config.flags)}
 
     Examples
       $ ${command}
+      $ ${command} --method=token
+      $ ${command} --auth-base-url=https://api.socket.dev --oauth-client-id=socket-cli
       $ ${command} --api-proxy=http://localhost:1234
   `,
   }
@@ -86,14 +117,47 @@ async function run(
 
   if (!isInteractive()) {
     throw new InputError(
-      'Cannot prompt for credentials in a non-interactive shell. Use SOCKET_CLI_API_TOKEN environment variable instead',
+      'Cannot complete interactive login in a non-interactive shell. Use SOCKET_CLI_API_TOKEN environment variable instead',
     )
   }
 
-  const { apiBaseUrl, apiProxy } = cli.flags as unknown as {
+  const {
+    apiBaseUrl,
+    apiProxy,
+    authBaseUrl,
+    method,
+    oauthClientId,
+    oauthRedirectUri,
+    oauthScopes,
+  } = cli.flags as unknown as {
     apiBaseUrl?: string | undefined
     apiProxy?: string | undefined
+    authBaseUrl?: string | undefined
+    method?: string | undefined
+    oauthClientId?: string | undefined
+    oauthRedirectUri?: string | undefined
+    oauthScopes?: string | undefined
+  }
+
+  let normalizedMethod: 'oauth' | 'token' | undefined
+  if (method === 'oauth' || method === 'token') {
+    normalizedMethod = method
+  } else if (!method) {
+    normalizedMethod = undefined
+  } else {
+    normalizedMethod = undefined
+  }
+  if (method && !normalizedMethod) {
+    throw new InputError(
+      `Invalid --method value: ${method}. Expected "oauth" or "token".`,
+    )
   }
 
-  await attemptLogin(apiBaseUrl, apiProxy)
+  await attemptLogin(apiBaseUrl, apiProxy, {
+    method: normalizedMethod,
+    authBaseUrl: authBaseUrl || undefined,
+    oauthClientId: oauthClientId || undefined,
+    oauthRedirectUri: oauthRedirectUri || undefined,
+    oauthScopes: oauthScopes || undefined,
+  })
 }