Updated the config to remove the MFA Error handler and updated the login flow in the auth command

Author: cs-raj

.talismanrc

@@ -69,4 +69,12 @@ fileignoreconfig:
   checksum: c300f5c7b5ebe755ef55765331446e619c9efd6f6f18d89a31017594a39acbe6
 - filename: packages/contentstack-auth/test/unit/commands/login.test.ts
   checksum: e8a1e413008e19de3c35cbf85d0d8433f0ac25ddf89d9a5cdd118bbc875321b9
-version: "1.0"
+- filename: packages/contentstack-auth/src/commands/auth/login.ts
+  checksum: 2725fcbfd69f9290182073a362b0c2fa7de625fe6d2e0b0aa732d42678966179
+- filename: packages/contentstack-auth/src/utils/mfa-handler.ts
+  checksum: a61790bd55c565cd56e5ad146816ab0a760f7ccc90c565cf7dff66a97ccef6e1
+- filename: packages/contentstack-config/test/unit/commands/mfa.test.ts
+  checksum: 242491d40c7178132dc60abf3a251254559a002a9377b3038bc4a8b0c4708565
+version: ""
+
+

packages/contentstack-auth/messages/index.json

@@ -50,8 +50,8 @@
   "CLI_AUTH_EXIT_PROCESS": "Exiting the process...",
   "CLI_SELECT_TOKEN_TYPE": "Select the type of token to add",
   "CLI_AUTH_MFA_INVALID_SECRET": "Invalid MFA secret format. Please check your authentication setup.",
-  "CLI_AUTH_MFA_GENERATION_FAILED": "Failed to generate MFA code. Please try again.",
-  "CLI_AUTH_MFA_DECRYPT_FAILED": "Failed to decrypt stored MFA secret. Please try again.",
+  "CLI_AUTH_MFA_GENERATION_FAILED": "Failed to generate MFA code. Proceeding for Manual MFA code input.",
+  "CLI_AUTH_MFA_DECRYPT_FAILED": "Failed to decrypt stored MFA secret. Try Resetting the MFA secret. Proceeding for Manual MFA code input.",
   "CLI_AUTH_MFA_INVALID_CODE": "Invalid authentication code format. Please enter a 6-digit code.",
   "CLI_AUTH_MFA_RECONFIGURE_HINT": "Consider reconfiguring MFA using config:mfa:add command.",
   "CLI_AUTH_SMS_OTP_FAILED": "Failed to send SMS OTP. Please try again or use a different 2FA method.",

packages/contentstack-auth/src/commands/auth/login.ts

@@ -58,9 +58,9 @@ export default class LoginCommand extends BaseCommand<typeof LoginCommand> {
       log.debug('Initializing management API client', this.contextDetails);
       const managementAPIClient = await managementSDKClient({ host: this.cmaHost, skipTokenValidity: true });
       log.debug('Management API client initialized successfully', this.contextDetails);
-      
+
       const { flags: loginFlags } = await this.parse(LoginCommand);
-      log.debug('Token add flags parsed', {...this.contextDetails, flags: loginFlags});
+      log.debug('Token add flags parsed', { ...this.contextDetails, flags: loginFlags });
 
       authHandler.client = managementAPIClient;
       log.debug('Auth handler client set', this.contextDetails);
@@ -77,17 +77,22 @@ export default class LoginCommand extends BaseCommand<typeof LoginCommand> {
         log.debug('Starting basic authentication flow', this.contextDetails);
         const username = loginFlags?.username || (await interactive.askUsername());
         const password = loginFlags?.password || (await interactive.askPassword());
-        log.debug('Credentials obtained', { 
-          ...this.contextDetails, 
-          hasUsername: !!username, 
-          hasPassword: !!password
+        log.debug('Credentials obtained', {
+          ...this.contextDetails,
+          hasUsername: !!username,
+          hasPassword: !!password,
         });
 
         await this.login(username, password);
       }
     } catch (error) {
-      log.debug('Login command failed', { ...this.contextDetails, error });
-      cliux.error('CLI_AUTH_LOGIN_FAILED');
+      log.debug('Login command failed', {
+        ...this.contextDetails,
+        error,
+      });
+      if ((error.message && error.message.includes('2FA')) || error.message.includes('MFA')) {
+        error.message = `${error.message}\nFor more information about MFA, visit: https://www.contentstack.com/docs/developers/security/multi-factor-authentication`;
+      }
       handleAndLogError(error, { ...this.contextDetails });
       process.exit();
     }
@@ -99,10 +104,12 @@ export default class LoginCommand extends BaseCommand<typeof LoginCommand> {
     try {
       log.debug('Calling auth handler login', this.contextDetails);
       let tfaToken: string | undefined;
-      
+
       try {
         tfaToken = await mfaHandler.getMFACode();
-        log.debug('MFA token generated from stored configuration', this.contextDetails);
+        if(tfaToken){
+          log.debug('MFA token generated from stored configuration', this.contextDetails);
+        }
       } catch (error) {
         log.debug('Failed to generate MFA token from config', { ...this.contextDetails, error });
         tfaToken = undefined;

packages/contentstack-auth/src/utils/auth-handler.ts

@@ -48,18 +48,18 @@ class AuthHandler {
         try {
           await this.requestSMSOTP(loginPayload);
         } catch (error) {
-          log.error('SMS OTP request failed', { module: 'auth-handler', error });
+          log.debug('SMS OTP request failed', { module: 'auth-handler', error });
           cliux.print('CLI_AUTH_SMS_OTP_FAILED', { color: 'yellow' });
-          handleAndLogError(error, { module: 'auth-handler' });
+          throw error;
         }
       }
 
       log.debug('Requesting OTP input', { module: 'auth-handler', channel: otpChannel });
       return await askOTP();
     } catch (error) {
-      log.error('2FA flow failed', { module: 'auth-handler', error });
+      log.debug('2FA flow failed', { module: 'auth-handler', error });
       cliux.print('CLI_AUTH_2FA_FAILED', { color: 'yellow' });
-      handleAndLogError(error, { module: 'auth-handler' });
+      throw error;
     }
   }
 
@@ -75,8 +75,7 @@ class AuthHandler {
       log.debug('SMS OTP request successful', { module: 'auth-handler' });
       cliux.print('CLI_AUTH_LOGIN_SECURITY_CODE_SEND_SUCCESS');
     } catch (error) {
-      log.error('SMS OTP request failed', { module: 'auth-handler', error });
-      handleAndLogError(error, { module: 'auth-handler' });
+      log.debug('SMS OTP request failed', { module: 'auth-handler', error });
       throw error;
     }
   }
@@ -136,7 +135,6 @@ class AuthHandler {
                 return;
               }
             } else {
-              log.debug('Login failed - no user found', { module: 'auth-handler', result });
               log.debug('Login failed - no user found', { module: 'auth-handler', result });
               cliux.print('CLI_AUTH_LOGIN_NO_USER', { color: 'yellow' });
               handleAndLogError(new Error(messageHandler.parse('CLI_AUTH_LOGIN_NO_USER')), { module: 'auth-handler' });

packages/contentstack-auth/src/utils/mfa-handler.ts

@@ -36,14 +36,18 @@ class MFAHandler {
    */
   generateMFACode(secret: string): string {
     log.debug('Generating MFA code from provided secret', { module: 'mfa-handler' });
-    
+
     try {
       // Validate and normalize secret
       const normalizedSecret = secret.toUpperCase();
       if (!this.isValidBase32(normalizedSecret)) {
         log.debug('Invalid MFA secret format', { module: 'mfa-handler' });
         cliux.print('CLI_AUTH_MFA_INVALID_SECRET', { color: 'yellow' });
-        throw new Error(messageHandler.parse('CLI_AUTH_MFA_INVALID_SECRET'));
+        cliux.print(
+          'For more information about MFA, visit: https://www.contentstack.com/docs/developers/security/multi-factor-authentication',
+          { color: 'yellow' },
+        );
+        process.exit(1);
       }
 
       // Generate MFA code
@@ -70,8 +74,17 @@ class MFAHandler {
     const envSecret = process.env.CONTENTSTACK_MFA_SECRET;
     if (envSecret) {
       log.debug('Found MFA secret in environment variable', { module: 'mfa-handler' });
-      secret = envSecret;
-      source = 'environment variable';
+      if (!this.isValidBase32(envSecret.toUpperCase())) {
+        log.debug('Invalid MFA secret format from environment variable', { module: 'mfa-handler' });
+        cliux.print('CLI_AUTH_MFA_INVALID_SECRET', { color: 'yellow' });
+        cliux.print(
+          'For more information about MFA, visit: https://www.contentstack.com/docs/developers/security/multi-factor-authentication',
+          { color: 'yellow' },
+        );
+      } else {
+        secret = envSecret;
+        source = 'environment variable';
+      }
     }
 
     if (!secret) {
@@ -98,13 +111,12 @@ class MFAHandler {
         log.debug('Failed to generate MFA code', { module: 'mfa-handler', error, source });
         cliux.print('CLI_AUTH_MFA_GENERATION_FAILED', { color: 'yellow' });
         cliux.print('CLI_AUTH_MFA_RECONFIGURE_HINT');
-        handleAndLogError(new Error(messageHandler.parse('CLI_AUTH_MFA_GENERATION_FAILED')), { module: 'mfa-handler' });
+        cliux.print(
+          'For more information about MFA, visit: https://www.contentstack.com/docs/developers/security/multi-factor-authentication',
+          { color: 'yellow' },
+        );
       }
     }
-
-    // No secret available, ask for manual input
-    log.debug('No MFA secret found, requesting manual input', { module: 'mfa-handler' });
-    return this.getManualMFACode();
   }
 
   /**
@@ -147,4 +159,3 @@ class MFAHandler {
 }
 
 export default new MFAHandler();
-

packages/contentstack-config/src/commands/config/mfa/add.ts

@@ -1,7 +1,6 @@
-import { cliux } from '@contentstack/cli-utilities';
+import { cliux, handleAndLogError } from '@contentstack/cli-utilities';
 import { BaseCommand } from '../../../base-command';
 import { MFAService } from '../../../services/mfa/mfa.service';
-import { MFAError } from '../../../services/mfa/mfa.types';
 
 export default class AddMFACommand extends BaseCommand<typeof AddMFACommand> {
   static readonly description = 'Add MFA secret for 2FA authentication';
@@ -25,7 +24,9 @@ export default class AddMFACommand extends BaseCommand<typeof AddMFACommand> {
       const envSecret = process.env.CONTENTSTACK_MFA_SECRET;
       if (envSecret) {
         if (!this.mfaService.validateSecret(envSecret)) {
-          throw new MFAError('Invalid secret format in environment variable');
+          cliux.error('Invalid secret format in environment variable. The secret must be a valid Base32 string of at least 16 characters.');
+          cliux.print('For more information about MFA, visit: https://www.contentstack.com/docs/developers/security/multi-factor-authentication', { color: 'yellow' });
+          process.exit(1);
         }
         cliux.print('Using MFA secret from environment variable');
         return;
@@ -42,15 +43,18 @@ export default class AddMFACommand extends BaseCommand<typeof AddMFACommand> {
             process.exit(1);
           }
           if (!this.mfaService.validateSecret(input)) {
-            cliux.error('Invalid secret format');
+            cliux.error('Invalid secret format. The secret must be a valid Base32 string of at least 16 characters.');
+            cliux.print('For more information about MFA, visit: https://www.contentstack.com/docs/developers/security/multi-factor-authentication', { color: 'yellow' });
             process.exit(1);
           }
           return true;
         },
       });
 
       if (!secret || !this.mfaService.validateSecret(secret)) {
-        throw new MFAError('Invalid secret format');
+        cliux.error('Invalid secret format. The secret must be a valid Base32 string of at least 16 characters.');
+        cliux.print('For more information about MFA, visit: https://www.contentstack.com/docs/developers/security/multi-factor-authentication', { color: 'yellow' });
+        process.exit(1);
       }
 
       // Check if MFA configuration already exists
@@ -74,18 +78,12 @@ export default class AddMFACommand extends BaseCommand<typeof AddMFACommand> {
         this.mfaService.storeConfig({ secret: encryptedSecret });
         cliux.success('Secret has been stored successfully');
       } catch (error) {
-        if (error instanceof MFAError) {
-          throw error;
-        }
-        throw new MFAError('Failed to store secret');
+        handleAndLogError(error, { module: 'config:mfa:add' });
+        process.exit(1);
       }
     } catch (error) {
-      if (error instanceof MFAError) {
-        cliux.error(error.message);
-      } else {
-        cliux.error('Failed to store secret');
-      }
-      throw error;
+      handleAndLogError(error, { module: 'config:mfa:add' });
+      process.exit(1);
     }
   }
 }

packages/contentstack-config/src/commands/config/mfa/remove.ts

@@ -1,7 +1,6 @@
-import { cliux } from '@contentstack/cli-utilities';
+import { cliux, handleAndLogError } from '@contentstack/cli-utilities';
 import { BaseCommand } from '../../../base-command';
 import { MFAService } from '../../../services/mfa/mfa.service';
-import { MFAError } from '../../../services/mfa/mfa.types';
 import { Flags } from '@oclif/core';
 
 export default class RemoveMFACommand extends BaseCommand<typeof RemoveMFACommand> {
@@ -32,16 +31,10 @@ export default class RemoveMFACommand extends BaseCommand<typeof RemoveMFAComman
       const { flags } = await this.parse(RemoveMFACommand);
 
       let config;
-      try {
-        config = this.mfaService.getStoredConfig();
-        if (!config?.secret) {
-          throw new MFAError('Failed to remove secret configuration');
-        }
-      } catch (error) {
-        if (error instanceof MFAError) {
-          throw error;
-        }
-        throw new MFAError('Failed to remove secret configuration');
+      config = this.mfaService.getStoredConfig();
+      if (!config?.secret) {
+        cliux.error('No MFA configuration found');
+        process.exit(1);
       }
 
       // Verify the configuration is valid
@@ -76,16 +69,12 @@ export default class RemoveMFACommand extends BaseCommand<typeof RemoveMFAComman
         this.mfaService.removeConfig();
         cliux.success('Secret has been removed successfully');
       } catch (error) {
-        this.logger.error('Failed to remove secret configuration', { error });
-        throw new MFAError('Failed to remove secret configuration');
+        handleAndLogError(error, { module: 'config:mfa:remove' });
+        process.exit(1);
       }
     } catch (error) {
-      if (error instanceof MFAError) {
-        cliux.error(error.message);
-      } else {
-        cliux.error('Failed to remove secret configuration');
-      }
-      throw error;
+      handleAndLogError(error, { module: 'config:mfa:remove' });
+      process.exit(1);
     }
   }
 }

packages/contentstack-config/src/services/mfa/mfa.service.ts

@@ -1,6 +1,6 @@
-import { configHandler, NodeCrypto, log } from '@contentstack/cli-utilities';
+import { configHandler, NodeCrypto, log, cliux } from '@contentstack/cli-utilities';
 import { authenticator } from 'otplib';
-import { MFAConfig, MFAError } from './mfa.types';
+import { MFAConfig } from './mfa.types';
 import { IMFAService } from './mfa-service.interface';
 
 export class MFAService implements IMFAService {
@@ -58,7 +58,7 @@ export class MFAService implements IMFAService {
       return this.encrypter.encrypt(secret.trim().toUpperCase());
     } catch (error) {
       this.logger.error('Secret encryption failed', { error });
-      throw new MFAError('Failed to encrypt secret');
+      throw new Error('Failed to encrypt secret');
     }
   }
 
@@ -67,7 +67,7 @@ export class MFAService implements IMFAService {
       return this.encrypter.decrypt(encryptedSecret);
     } catch (error) {
       this.logger.error('Secret decryption failed', { error });
-      throw new MFAError('Failed to decrypt secret');
+      throw new Error('Failed to decrypt secret');
     }
   }
 
@@ -88,7 +88,7 @@ export class MFAService implements IMFAService {
       return config?.secret ? config as MFAConfig : null;
     } catch (error) {
       this.logger.error('Failed to read config', { error });
-      throw new MFAError('Failed to read configuration');
+      throw new Error('Failed to read configuration');
     }
   }
 
@@ -101,7 +101,7 @@ export class MFAService implements IMFAService {
       configHandler.set('mfa', updatedConfig);
     } catch (error) {
       this.logger.error('Failed to store config', { error });
-      throw new MFAError('Failed to store configuration');
+      throw new Error('Failed to store configuration');
     }
   }
 
@@ -110,7 +110,7 @@ export class MFAService implements IMFAService {
       configHandler.delete('mfa');
     } catch (error) {
       this.logger.error('Failed to remove config', { error });
-      throw new MFAError('Failed to remove configuration');
+      throw new Error('Failed to remove configuration');
     }
   }
 
@@ -119,7 +119,7 @@ export class MFAService implements IMFAService {
       return authenticator.generate(secret.trim().toUpperCase());
     } catch (error) {
       this.logger.error('Failed to generate code', { error });
-      throw new MFAError('Failed to generate code');
+      throw new Error('Failed to generate code');
     }
   }
 

packages/contentstack-config/src/services/mfa/mfa.types.ts

@@ -6,12 +6,4 @@ export interface MFAConfig {
 export interface MFAValidationResult {
   isValid: boolean;
   error?: string;
-}
-
-export class MFAError extends Error {
-  constructor(message: string) {
-    super(message);
-    this.name = 'MFAError';
-    Object.setPrototypeOf(this, MFAError.prototype);
-  }
 }