Fix Updated the totp to mfa and added support for env variable

Author: cs-raj

.talismanrc

@@ -1,8 +1,4 @@
 fileignoreconfig:
-- filename: package-lock.json
-  checksum: ddcdc0f28b1df533e26c370f92810f1c877aae48ed2157f8822a1f275adad612
-- filename: pnpm-lock.yaml
-  checksum: c32024bc35de63368636624ef52c1b0cf6c4e1dbcfa93ced09e57f6e8ca454ca
 - filename: packages/contentstack-import-setup/test/unit/backup-handler.test.ts
   checksum: 0582d62b88834554cf12951c8690a73ef3ddbb78b82d2804d994cf4148e1ef93
 - filename: packages/contentstack-import-setup/test/config.json
@@ -46,5 +42,31 @@ fileignoreconfig:
 - filename: packages/contentstack-auth/test/integration/auth.test.ts
   checksum: 96a66c141cf8f83443f967f62be210c3a95e06cf3d6c7bcb25229a4de7f05c5f
 - filename: packages/contentstack-auth/test/unit/commands/login.test.ts
-  checksum: c256cb00cbe8a5f2ded2907677f7a55b4661cd95f1145d7bbd10740702e10e5c
+  checksum: e8a1e413008e19de3c35cbf85d0d8433f0ac25ddf89d9a5cdd118bbc875321b9
+- filename: packages/contentstack-auth/env.example
+  checksum: 72c9ed18a449c42b03ec54795898f6bad4e15d23a3d701c05b96fb17c3bbd93b
+- filename: packages/contentstack-auth/test/unit/utils/mfa-handler.test.ts
+  checksum: 741d0072dbe79d0d0e8ba08c49c796cb31782993a91a0493c399021106b17d72
+- filename: packages/contentstack-config/src/commands/config/mfa/add.ts
+  checksum: db0e4de369f1c08aa1061aa08b3561748e5a87de7fbaf37f8fed49afa2471114
+- filename: packages/contentstack-config/src/services/mfa/mfa.service.ts
+  checksum: c0bf969154a243036c402194d63ada2ada5efa6c5843674293de25f49292ea5b
+- filename: packages/contentstack-auth/src/utils/mfa-handler.ts
+  checksum: 2b813050da41744bda53b0c97617fb5beb0b370c148792a7d21bc4dd4bbae18f
+- filename: packages/contentstack-auth/messages/index.json
+  checksum: 17bc512822ad037c5aaa0439bc6d516511bab0ce9b6153fc923a991579ac9550
+- filename: packages/contentstack-config/test/unit/commands/mfa.test.ts
+  checksum: 444312de89cc9f70647ec23e2322415cc8eb48e4e43456396d123650308680bd
+- filename: packages/contentstack-auth/test/unit/commands/login.test.ts
+  checksum: e8a1e413008e19de3c35cbf85d0d8433f0ac25ddf89d9a5cdd118bbc875321b9
+- filename: package-lock.json
+  checksum: 6d72f17fc014790bbc82bcae559d2b49c42c416c59ad15979af028a27275fe59
+- filename: packages/contentstack-auth/test/unit/commands/login.test.ts
+  checksum: e8a1e413008e19de3c35cbf85d0d8433f0ac25ddf89d9a5cdd118bbc875321b9
+- filename: packages/contentstack/README.md
+  checksum: f82a59b23959a82b0172663fab0aa9d65b16fbcb256652b59f12227b8d4c1d03
+- filename: pnpm-lock.yaml
+  checksum: c300f5c7b5ebe755ef55765331446e619c9efd6f6f18d89a31017594a39acbe6
+- filename: packages/contentstack-auth/test/unit/commands/login.test.ts
+  checksum: e8a1e413008e19de3c35cbf85d0d8433f0ac25ddf89d9a5cdd118bbc875321b9
 version: "1.0"

package-lock.json

@@ -18,7 +18,7 @@ $ npm install -g @contentstack/cli-auth
 $ csdx COMMAND
 running command...
 $ csdx (--version)
-@contentstack/cli-auth/1.5.1 darwin-arm64 node-v22.13.1
+@contentstack/cli-auth/1.6.0 darwin-arm64 node-v23.11.0
 $ csdx --help [COMMAND]
 USAGE
   $ csdx COMMAND

packages/contentstack-auth/README.md

@@ -6,3 +6,4 @@ BRANCH_ENABLED_DELIVERY_TOKEN
 BRANCH_DISABLED_DELIVERY_TOKEN
 BRANCH_ENABLED_ENVIRONMENT
 BRANCH_DISABLED_ENVIRONMENT
+CONTENTSTACK_MFA_SECRET

packages/contentstack-auth/env.example

@@ -49,5 +49,16 @@
   "CLI_AUTH_TOKENS_VALIDATION_INVALID_API_KEY": "Invalid api key",
   "CLI_AUTH_EXIT_PROCESS": "Exiting the process...",
   "CLI_SELECT_TOKEN_TYPE": "Select the type of token to add",
-  "CLI_AUTH_ENTER_BRANCH": "Enter branch name"
+  "CLI_AUTH_MFA_INVALID_SECRET": "Invalid MFA secret format. Please check your authentication setup.",
+  "CLI_AUTH_MFA_GENERATION_FAILED": "Failed to generate MFA code. Please try again.",
+  "CLI_AUTH_MFA_DECRYPT_FAILED": "Failed to decrypt stored MFA secret. Please try again.",
+  "CLI_AUTH_MFA_INVALID_CODE": "Invalid authentication code format. Please enter a 6-digit code.",
+  "CLI_AUTH_MFA_RECONFIGURE_HINT": "Consider reconfiguring MFA using config:mfa:add command.",
+  "CLI_AUTH_SMS_OTP_FAILED": "Failed to send SMS OTP. Please try again or use a different 2FA method.",
+  "CLI_AUTH_2FA_FAILED": "Two-factor authentication failed. Please try again.",
+  "CLI_AUTH_LOGIN_NO_USER": "No user found with the provided credentials.",
+  "CLI_AUTH_LOGIN_NO_CREDENTIALS": "No credentials provided for login. Please provide email and password.",
+  "CLI_AUTH_LOGOUT_NO_TOKEN": "No auth token found for logout. Please login first.",
+  "CLI_AUTH_TOKEN_VALIDATION_FAILED": "Token validation failed. Please login again.",
+  "CLI_AUTH_TOKEN_VALIDATION_NO_TOKEN": "No auth token found for validation. Please login first."
 }

packages/contentstack-auth/messages/index.json

@@ -10,7 +10,7 @@ import {
   messageHandler,
 } from '@contentstack/cli-utilities';
 import { User } from '../../interfaces';
-import { authHandler, interactive, totpHandler } from '../../utils';
+import { authHandler, interactive, mfaHandler } from '../../utils';
 import { BaseCommand } from '../../base-command';
 
 export default class LoginCommand extends BaseCommand<typeof LoginCommand> {
@@ -101,10 +101,10 @@ export default class LoginCommand extends BaseCommand<typeof LoginCommand> {
       let tfaToken: string | undefined;
 
       try {
-        tfaToken = await totpHandler.getTOTPCode();
-        log.debug('TOTP token generated from stored configuration', this.contextDetails);
+        tfaToken = await mfaHandler.getMFACode();
+        log.debug('MFA token generated from stored configuration', this.contextDetails);
       } catch (error) {
-        log.debug('Failed to generate TOTP token from config', { ...this.contextDetails, error });
+        log.debug('Failed to generate MFA token from config', { ...this.contextDetails, error });
         tfaToken = undefined;
       }
 

packages/contentstack-auth/src/commands/auth/login.ts

@@ -1,4 +1,4 @@
-import { cliux, CLIError, log, cliErrorHandler } from '@contentstack/cli-utilities';
+import { cliux, log, handleAndLogError, messageHandler } from '@contentstack/cli-utilities';
 import { User } from '../interfaces';
 import { askOTPChannel, askOTP } from './interactive';
 
@@ -48,19 +48,18 @@ class AuthHandler {
         try {
           await this.requestSMSOTP(loginPayload);
         } catch (error) {
-          log.debug('SMS OTP request failed', { module: 'auth-handler', error });
-          throw new CLIError('Failed to send SMS OTP. Please try again or use a different 2FA method.');
+          log.error('SMS OTP request failed', { module: 'auth-handler', error });
+          cliux.print('CLI_AUTH_SMS_OTP_FAILED', { color: 'yellow' });
+          handleAndLogError(error, { module: 'auth-handler' });
         }
       }
 
       log.debug('Requesting OTP input', { module: 'auth-handler', channel: otpChannel });
       return await askOTP();
     } catch (error) {
-      log.debug('2FA flow failed', { module: 'auth-handler', error });
-      if (error instanceof CLIError) {
-        throw error;
-      }
-      throw new CLIError('Failed to complete 2FA authentication. Please try again.');
+      log.error('2FA flow failed', { module: 'auth-handler', error });
+      cliux.print('CLI_AUTH_2FA_FAILED', { color: 'yellow' });
+      handleAndLogError(error, { module: 'auth-handler' });
     }
   }
 
@@ -76,9 +75,9 @@ class AuthHandler {
       log.debug('SMS OTP request successful', { module: 'auth-handler' });
       cliux.print('CLI_AUTH_LOGIN_SECURITY_CODE_SEND_SUCCESS');
     } catch (error) {
-      log.debug('SMS OTP request failed', { module: 'auth-handler', error });
-      const err = cliErrorHandler.classifyError(error);
-      throw new CLIError(err);
+      log.error('SMS OTP request failed', { module: 'auth-handler', error });
+      handleAndLogError(error, { module: 'auth-handler' });
+      throw error;
     }
   }
 
@@ -130,19 +129,23 @@ class AuthHandler {
                 resolve(await this.login(email, password, tfToken));
               } catch (error) {
                 log.debug('Login with TFA token failed', { module: 'auth-handler', error });
-                const err = cliErrorHandler.classifyError(error);
-                reject(new CLIError(err));
+                handleAndLogError(error, { module: 'auth-handler' });
+                log.debug('2FA authentication failed', { module: 'auth-handler', error });
+                cliux.print('CLI_AUTH_2FA_FAILED', { color: 'yellow' });
+                handleAndLogError(error, { module: 'auth-handler' });
                 return;
               }
             } else {
               log.debug('Login failed - no user found', { module: 'auth-handler', result });
-              reject(new CLIError({ message: 'No user found with the credentials' }));
+              log.debug('Login failed - no user found', { module: 'auth-handler', result });
+              cliux.print('CLI_AUTH_LOGIN_NO_USER', { color: 'yellow' });
+              handleAndLogError(new Error(messageHandler.parse('CLI_AUTH_LOGIN_NO_USER')), { module: 'auth-handler' });
             }
           })
           .catch((error: any) => {
             log.debug('Login API call failed', { module: 'auth-handler', error: error.message || error });
-            const err = cliErrorHandler.classifyError(error);
-            reject(new CLIError(err));
+            cliux.print('CLI_AUTH_LOGIN_FAILED', { color: 'yellow' });
+            handleAndLogError(error, { module: 'auth-handler' });
           });
       } else {
         const hasEmail = !!email;
@@ -152,7 +155,9 @@ class AuthHandler {
           hasEmail,
           hasCredentials,
         });
-        reject(new CLIError('No credential found to login'));
+        log.debug('Login failed - missing credentials', { module: 'auth-handler', hasEmail, hasCredentials });
+        cliux.print('CLI_AUTH_LOGIN_NO_CREDENTIALS', { color: 'yellow' });
+        handleAndLogError(new Error(messageHandler.parse('CLI_AUTH_LOGIN_NO_CREDENTIALS')), { module: 'auth-handler' });
       }
     });
   }
@@ -177,12 +182,13 @@ class AuthHandler {
           })
           .catch((error: Error) => {
             log.debug('Logout API call failed', { module: 'auth-handler', error: error.message });
-            const err = cliErrorHandler.classifyError(error);
-            reject(new CLIError(err));
+            cliux.print('CLI_AUTH_LOGOUT_FAILED', { color: 'yellow' });
+            handleAndLogError(error, { module: 'auth-handler' });
           });
       } else {
         log.debug('Logout failed - no auth token provided', { module: 'auth-handler' });
-        reject(new CLIError('No auth token found to logout'));
+        cliux.print('CLI_AUTH_LOGOUT_NO_TOKEN', { color: 'yellow' });
+        handleAndLogError(new Error(messageHandler.parse('CLI_AUTH_LOGOUT_NO_TOKEN')), { module: 'auth-handler' });
       }
     });
   }
@@ -207,12 +213,15 @@ class AuthHandler {
           })
           .catch((error: Error) => {
             log.debug('Token validation failed', { module: 'auth-handler', error: error.message });
-            const err = cliErrorHandler.classifyError(error);
-            reject(new CLIError(err));
+            cliux.print('CLI_AUTH_TOKEN_VALIDATION_FAILED', { color: 'yellow' });
+            handleAndLogError(error, { module: 'auth-handler' });
           });
       } else {
         log.debug('Token validation failed - no auth token provided', { module: 'auth-handler' });
-        reject(new CLIError('No auth token found to validate'));
+        cliux.print('CLI_AUTH_TOKEN_VALIDATION_NO_TOKEN', { color: 'yellow' });
+        handleAndLogError(new Error(messageHandler.parse('CLI_AUTH_TOKEN_VALIDATION_NO_TOKEN')), {
+          module: 'auth-handler',
+        });
       }
     });
   }

packages/contentstack-auth/src/utils/auth-handler.ts

@@ -1,4 +1,4 @@
 export { default as authHandler } from './auth-handler';
-export { default as totpHandler } from './totp-handler';
+export { default as mfaHandler } from './mfa-handler';
 export * as interactive from './interactive';
 export * as tokenValidation from './tokens-validation';

packages/contentstack-auth/src/utils/index.ts

@@ -0,0 +1,150 @@
+import { cliux, configHandler, NodeCrypto, log, handleAndLogError, messageHandler } from '@contentstack/cli-utilities';
+import { authenticator } from 'otplib';
+import { askOTP } from './interactive';
+
+/**
+ * @class
+ * MFA handler for managing multi-factor authentication
+ */
+class MFAHandler {
+  private readonly encrypter: NodeCrypto;
+
+  constructor() {
+    this.encrypter = new NodeCrypto();
+  }
+
+  /**
+   * Validates if a string is a valid base32 secret
+   * @param secret The secret to validate
+   * @returns true if valid, false otherwise
+   */
+  private isValidBase32(secret: string): boolean {
+    // Base32 string must:
+    // 1. Contain only uppercase letters A-Z and digits 2-7
+    // 2. Be at least 16 characters long (before padding)
+    // 3. Have valid padding (no single = character)
+    const base32Regex = /^[A-Z2-7]+(?:={2,6})?$/;
+    const nonPaddedLength = secret.replace(/=+$/, '').length;
+    return base32Regex.test(secret) && nonPaddedLength >= 16;
+  }
+
+  /**
+   * Generates an MFA code from a provided secret
+   * @param secret The MFA secret to use
+   * @returns string The generated MFA code
+   * @throws Error if the secret is invalid or code generation fails
+   */
+  generateMFACode(secret: string): string {
+    log.debug('Generating MFA code from provided secret', { module: 'mfa-handler' });
+    
+    try {
+      // Validate and normalize secret
+      const normalizedSecret = secret.toUpperCase();
+      if (!this.isValidBase32(normalizedSecret)) {
+        log.debug('Invalid MFA secret format', { module: 'mfa-handler' });
+        cliux.print('CLI_AUTH_MFA_INVALID_SECRET', { color: 'yellow' });
+        throw new Error(messageHandler.parse('CLI_AUTH_MFA_INVALID_SECRET'));
+      }
+
+      // Generate MFA code
+      const code = authenticator.generate(normalizedSecret);
+      log.debug('Generated MFA code successfully', { module: 'mfa-handler' });
+      return code;
+    } catch (error) {
+      log.debug('Failed to generate MFA code', { module: 'mfa-handler', error });
+      cliux.print('CLI_AUTH_MFA_GENERATION_FAILED', { color: 'yellow' });
+      throw new Error(messageHandler.parse('CLI_AUTH_MFA_GENERATION_FAILED'));
+    }
+  }
+
+  /**
+   * Gets MFA code from stored configuration
+   * @returns Promise<string> The MFA code
+   * @throws Error if MFA code generation fails
+   */
+  async getMFACode(): Promise<string> {
+    log.debug('Getting MFA code', { module: 'mfa-handler' });
+    let secret: string | undefined;
+    let source: string;
+
+    const envSecret = process.env.CONTENTSTACK_MFA_SECRET;
+    if (envSecret) {
+      log.debug('Found MFA secret in environment variable', { module: 'mfa-handler' });
+      secret = envSecret;
+      source = 'environment variable';
+    }
+
+    if (!secret) {
+      log.debug('Checking stored MFA secret', { module: 'mfa-handler' });
+      const mfaConfig = configHandler.get('mfa');
+      if (mfaConfig?.secret) {
+        try {
+          secret = this.encrypter.decrypt(mfaConfig.secret);
+          source = 'stored configuration';
+        } catch (error) {
+          log.debug('Failed to decrypt stored MFA secret', { module: 'mfa-handler', error });
+          cliux.print('CLI_AUTH_MFA_DECRYPT_FAILED', { color: 'yellow' });
+          handleAndLogError(new Error(messageHandler.parse('CLI_AUTH_MFA_DECRYPT_FAILED')), { module: 'mfa-handler' });
+        }
+      }
+    }
+
+    if (secret) {
+      try {
+        const code = this.generateMFACode(secret);
+        log.debug('Generated MFA code', { module: 'mfa-handler', source });
+        return code;
+      } catch (error) {
+        log.debug('Failed to generate MFA code', { module: 'mfa-handler', error, source });
+        cliux.print('CLI_AUTH_MFA_GENERATION_FAILED', { color: 'yellow' });
+        cliux.print('CLI_AUTH_MFA_RECONFIGURE_HINT');
+        handleAndLogError(new Error(messageHandler.parse('CLI_AUTH_MFA_GENERATION_FAILED')), { module: 'mfa-handler' });
+      }
+    }
+
+    // No secret available, ask for manual input
+    log.debug('No MFA secret found, requesting manual input', { module: 'mfa-handler' });
+    return this.getManualMFACode();
+  }
+
+  /**
+   * Gets MFA code through manual user input
+   * @returns Promise<string> The MFA code
+   * @throws Error if code format is invalid
+   */
+  async getManualMFACode(): Promise<string> {
+    const code = await askOTP();
+    if (!/^\d{6}$/.test(code)) {
+      log.debug('Invalid MFA code format', { module: 'mfa-handler', code });
+      cliux.print('CLI_AUTH_MFA_INVALID_CODE', { color: 'yellow' });
+      handleAndLogError(new Error(messageHandler.parse('CLI_AUTH_MFA_INVALID_CODE')), { module: 'mfa-handler' });
+    }
+    return code;
+  }
+
+  /**
+   * Validates an MFA code format
+   * @param code The MFA code to validate
+   * @returns boolean True if valid, false otherwise
+   */
+  isValidMFACode(code: string): boolean {
+    return /^\d{6}$/.test(code);
+  }
+
+  /**
+   * Handles MFA authentication flow
+   * @returns Promise<string> The valid MFA code
+   */
+  async handleMFAAuth(): Promise<string> {
+    try {
+      return await this.getMFACode();
+    } catch (error) {
+      log.debug('MFA code generation failed, falling back to manual input', { module: 'mfa-handler', error });
+      handleAndLogError(error, { module: 'mfa-handler' });
+      return this.getManualMFACode();
+    }
+  }
+}
+
+export default new MFAHandler();
+