feat: add Hydra OAuth flow for CLI authentication (#463)

## Summary

Adds a public OAuth2 client flow for CLI token issuance. CLI versions >=
2.12.2 use PKCE-based OAuth with Hydra's public client instead of the
legacy e2b access token flow. The dashboard acts as consent provider for
both the dashboard and CLI OAuth clients.

Paired with: E2B CLI PR replacing access token auth with Hydra OAuth
flow

---------

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Author: ben-fornefeld

.env.example

@@ -16,6 +16,8 @@ ORY_SDK_URL=https://your-project.projects.oryapis.com
 # ORY_HYDRA_PUBLIC_URL=http://localhost:4444
 ORY_OAUTH2_CLIENT_ID=your_ory_oauth2_client_id
 ORY_OAUTH2_CLIENT_SECRET=your_ory_oauth2_client_secret
+### OAuth2 public client for CLI token issuance (no secret needed)
+ORY_OAUTH2_CLI_CLIENT_ID=your_cli_public_client_id
 ### Access-token audience requested from Ory. Must match the backend JWT audience configuration.
 ORY_OAUTH2_AUDIENCE=https://api.e2b.dev
 ### Ory project admin API token used for IdentityApi lookups

.github/workflows/test.yml

@@ -49,6 +49,7 @@ jobs:
       ORY_SDK_URL: https://test-ory.projects.oryapis.com
       ORY_OAUTH2_CLIENT_ID: test-ory-client-id
       ORY_OAUTH2_CLIENT_SECRET: test-ory-client-secret
+      ORY_OAUTH2_CLI_CLIENT_ID: test-ory-cli-client-id
       ORY_OAUTH2_AUDIENCE: https://api.e2b-test.dev
       ORY_PROJECT_API_TOKEN: test-ory-project-api-token
       DASHBOARD_API_ADMIN_TOKEN: test-dashboard-admin-token

src/app/(auth)/auth/cli/page.tsx

@@ -1,25 +1,49 @@
 import { redirect } from 'next/navigation'
 import { Suspense } from 'react'
 import { AUTH_URLS, PROTECTED_URLS } from '@/configs/urls'
+import type { FeatureFlagContext } from '@/core/modules/feature-flags/context'
+import { featureFlags } from '@/core/modules/feature-flags/feature-flags.server'
 import { createUserTeamsRepository } from '@/core/modules/teams/user-teams-repository.server'
 import { getAuthContext } from '@/core/server/auth'
 import { l, serializeErrorForLog } from '@/core/shared/clients/logger/logger'
 import { isLoopbackUrl } from '@/core/shared/schemas/url'
 import { encodedRedirect } from '@/lib/utils/auth'
 import { generateE2BUserAccessToken } from '@/lib/utils/server'
+import { isVersionGreaterOrEqual } from '@/lib/utils/version'
 import { Alert, AlertDescription, AlertTitle } from '@/ui/primitives/alert'
 import { CloudIcon, LaptopIcon, LinkIcon } from '@/ui/primitives/icons'
 
-// Types
+// Minimum CLI version that supports the OAuth JWT auth flow.
+// CLI versions >= this use the new public-client OAuth flow;
+// older versions fall back to the legacy e2b access token flow.
+// Old binaries (pre-2.13.0) don't send cliVersion at all (it's a new param),
+// so they correctly fall to 'legacy'.
+const MIN_CLI_VERSION_FOR_HYDRA_FLOW = '2.13.0'
+
 type CLISearchParams = Promise<{
   next?: string
+  cliVersion?: string
   state?: string
   error?: string
 }>
 
-// Server Actions
+type CLIFlow = 'hydra' | 'legacy'
+
+function resolveCLIFlow(cliVersion: string | undefined): CLIFlow {
+  if (!cliVersion) return 'legacy'
+  return isVersionGreaterOrEqual(cliVersion, MIN_CLI_VERSION_FOR_HYDRA_FLOW)
+    ? 'hydra'
+    : 'legacy'
+}
 
-async function handleCLIAuth(
+function handleHydraCLIAuth(next: string) {
+  if (!isLoopbackUrl(next)) {
+    throw new Error('Invalid redirect URL')
+  }
+  return redirect(`/api/auth/oauth/cli-start?next=${encodeURIComponent(next)}`)
+}
+
+async function handleLegacyCLIAuth(
   next: string,
   userEmail: string,
   authProviderAccessToken: string
@@ -57,10 +81,9 @@ async function handleCLIAuth(
   return redirect(`${next}?${searchParams.toString()}`)
 }
 
-// UI Components
 function CLIIcons() {
   return (
-    <p className="flex items-center justify-center gap-4 text-3xl  tracking-tight sm:text-4xl">
+    <p className="flex items-center justify-center gap-4 text-3xl tracking-tight sm:text-4xl">
       <span className="text-fg-tertiary">
         <LaptopIcon className="size-8" />
       </span>
@@ -86,98 +109,123 @@ function ErrorAlert({ message }: { message: string }) {
 function SuccessState() {
   return (
     <>
-      <h2 className="text-brand-400 ">Successfully linked</h2>
+      <h2 className="text-brand-400">Successfully linked</h2>
       <div>You can close this page and start using CLI.</div>
     </>
   )
 }
 
-// Main Component
 export default async function CLIAuthPage({
   searchParams,
 }: {
   searchParams: CLISearchParams
 }) {
-  const { next, state, error } = await searchParams
+  const { next, cliVersion, state, error } = await searchParams
   const authContext = await getAuthContext()
 
   if (state === 'success') {
     return <SuccessState />
   }
 
-  // Validate redirect URL
   if (!next || !isLoopbackUrl(next)) {
     l.error(
       {
         key: 'cli_auth:invalid_redirect_url',
         user_id: authContext?.user.id,
-        context: {
-          next,
-        },
+        context: { next },
       },
       `Invalid redirect URL: ${next}`
     )
     redirect(PROTECTED_URLS.DASHBOARD)
   }
 
-  // If user is not authenticated, redirect to sign in with return URL
   if (!authContext) {
-    const searchParams = new URLSearchParams({
-      returnTo: `${AUTH_URLS.CLI}?${new URLSearchParams({ next }).toString()}`,
-    })
-    redirect(`${AUTH_URLS.SIGN_IN}?${searchParams.toString()}`)
+    const returnToParams = new URLSearchParams({ next })
+    if (cliVersion) returnToParams.set('cliVersion', cliVersion)
+    return redirect(
+      `${AUTH_URLS.SIGN_IN}?returnTo=${encodeURIComponent(
+        `${AUTH_URLS.CLI}?${returnToParams.toString()}`
+      )}`
+    )
   }
 
-  // Handle CLI callback if authenticated
-  if (!error && next && authContext) {
-    try {
-      if (!authContext.user.email) {
-        throw new Error('No user email found')
-      }
-
-      return await handleCLIAuth(
-        next,
-        authContext.user.email,
-        authContext.accessToken
-      )
-    } catch (err) {
-      if (err instanceof Error && err.message.includes('NEXT_REDIRECT')) {
-        throw err
-      }
-
-      l.error(
-        {
-          key: 'cli_auth:unexpected_error',
-          error: serializeErrorForLog(err),
-          user_id: authContext.user.id,
-          context: {
-            next,
-          },
-        },
-        `Unexpected error during CLI authentication: ${err instanceof Error ? err.message : String(err)}`
-      )
+  const flow = resolveCLIFlow(cliVersion)
 
-      return encodedRedirect('error', '/auth/cli', (err as Error).message, {
-        next,
-      })
+  if (flow === 'legacy') {
+    const flagContext: FeatureFlagContext = {
+      user: {
+        id: authContext.user.id,
+        email: authContext.user.email ?? undefined,
+      },
+    }
+    const tokenProvisioningDisabled = await featureFlags.isEnabled(
+      'disableE2BAccessTokenProvisioning',
+      flagContext
+    )
+
+    if (tokenProvisioningDisabled) {
+      const errorUrl = new URL(next)
+      errorUrl.searchParams.set(
+        'error',
+        'CLI update required. Run: npm install -g @e2b/cli@latest'
+      )
+      return redirect(errorUrl.toString())
     }
   }
 
-  return (
-    <div className="p-6 text-center">
-      <CLIIcons />
-      <h2 className="mt-6 text-base leading-7">
-        Linking CLI with your account
-      </h2>
-      <div className="text-fg-tertiary mt-12 leading-8">
-        <Suspense fallback={<div>Loading...</div>}>
-          {error ? (
+  if (error) {
+    return (
+      <div className="p-6 text-center">
+        <CLIIcons />
+        <h2 className="mt-6 text-base leading-7">
+          Linking CLI with your account
+        </h2>
+        <div className="text-fg-tertiary mt-12 leading-8">
+          <Suspense fallback={<div>Loading...</div>}>
             <ErrorAlert message={error} />
-          ) : (
-            <div>Authorizing CLI...</div>
-          )}
-        </Suspense>
+          </Suspense>
+        </div>
       </div>
-    </div>
-  )
+    )
+  }
+
+  try {
+    if (flow === 'hydra') {
+      return handleHydraCLIAuth(next)
+    }
+
+    if (!authContext.user.email) {
+      throw new Error('No user email found')
+    }
+
+    return await handleLegacyCLIAuth(
+      next,
+      authContext.user.email,
+      authContext.accessToken
+    )
+  } catch (err) {
+    if (err instanceof Error && err.message.includes('NEXT_REDIRECT')) {
+      throw err
+    }
+
+    l.error(
+      {
+        key: 'cli_auth:unexpected_error',
+        error: serializeErrorForLog(err),
+        user_id: authContext.user.id,
+        context: { next, flow },
+      },
+      `Unexpected error during CLI authentication: ${err instanceof Error ? err.message : String(err)}`
+    )
+
+    const redirectParams: Record<string, string> = { next }
+    if (cliVersion) redirectParams.cliVersion = cliVersion
+
+    return encodedRedirect(
+      'error',
+      '/auth/cli',
+      (err as Error).message,
+      redirectParams
+    )
+  }
 }

src/app/api/auth/oauth/cli-callback/route.ts

@@ -0,0 +1,109 @@
+import 'server-only'
+
+import { type NextRequest, NextResponse } from 'next/server'
+import { getAuthContext } from '@/core/server/auth'
+import {
+  buildRevokeEndpoint,
+  buildTokenEndpoint,
+  CLI_OAUTH_CALLBACK_PATH,
+  CLI_OAUTH_FLOW_COOKIE,
+  exchangeCliCallback,
+  openCliFlowState,
+  readCliOAuthEnv,
+} from '@/core/server/auth/ory/cli-oauth'
+import { isLoopbackUrl } from '@/core/shared/schemas/url'
+
+// Hydra redirects here with ?code after SSO. We exchange the code (validating
+// state + PKCE), then redirect to the CLI's localhost with the tokens.
+// The user must have an active Kratos session — Hydra used SSO to issue the
+// code without a login prompt.
+export async function GET(request: NextRequest) {
+  const origin = request.nextUrl.origin
+
+  const flow = await openCliFlowState(
+    request.cookies.get(CLI_OAUTH_FLOW_COOKIE)?.value
+  )
+
+  if (!flow || !isLoopbackUrl(flow.next)) {
+    return finalize(
+      new NextResponse('Invalid or expired flow state', { status: 400 }),
+      origin
+    )
+  }
+
+  const authContext = await getAuthContext()
+  if (!authContext) {
+    return finalize(
+      redirectWithParams(flow.next, { error: 'Not authenticated' }),
+      origin
+    )
+  }
+
+  if (!authContext.user.email) {
+    return finalize(
+      redirectWithParams(flow.next, { error: 'No user email found' }),
+      origin
+    )
+  }
+
+  let env: ReturnType<typeof readCliOAuthEnv>
+  try {
+    env = readCliOAuthEnv()
+  } catch (error) {
+    return finalize(
+      redirectWithParams(flow.next, {
+        error: `OAuth configuration error: ${error instanceof Error ? error.message : String(error)}`,
+      }),
+      origin
+    )
+  }
+  const redirectUri = `${origin}${CLI_OAUTH_CALLBACK_PATH}`
+
+  let tokens: Awaited<ReturnType<typeof exchangeCliCallback>>
+  try {
+    tokens = await exchangeCliCallback({
+      currentUrl: new URL(request.url),
+      expectedState: flow.state,
+      codeVerifier: flow.codeVerifier,
+      redirectUri,
+    })
+  } catch (error) {
+    return finalize(
+      redirectWithParams(flow.next, {
+        error: `Token exchange failed: ${error instanceof Error ? error.message : String(error)}`,
+      }),
+      origin
+    )
+  }
+
+  const tokenEndpoint = buildTokenEndpoint(env.issuer.href)
+  const revokeEndpoint = buildRevokeEndpoint(env.issuer.href)
+
+  return finalize(
+    redirectWithParams(flow.next, {
+      email: authContext.user.email,
+      accessToken: tokens.accessToken,
+      refreshToken: tokens.refreshToken ?? '',
+      tokenEndpoint: tokenEndpoint,
+      revokeEndpoint: revokeEndpoint,
+      clientId: env.clientId,
+    }),
+    origin
+  )
+}
+
+function redirectWithParams(
+  next: string,
+  params: Record<string, string>
+): NextResponse {
+  const url = new URL(next)
+  for (const [key, value] of Object.entries(params)) {
+    url.searchParams.set(key, value)
+  }
+  return NextResponse.redirect(url)
+}
+
+function finalize(response: NextResponse, _origin: string): NextResponse {
+  response.cookies.delete(CLI_OAUTH_FLOW_COOKIE)
+  return response
+}