245 lines
7.1 KiB
TypeScript
245 lines
7.1 KiB
TypeScript
import { intro, note, outro, select, spinner, text, isCancel } from "@clack/prompts";
|
|
|
|
import { ensureAuthProfileStore, upsertAuthProfile } from "../agents/auth-profiles.js";
|
|
import { updateConfig } from "../commands/models/shared.js";
|
|
import { applyAuthProfileConfig } from "../commands/onboard-auth.js";
|
|
import { logConfigUpdated } from "../config/logging.js";
|
|
import type { RuntimeEnv } from "../runtime.js";
|
|
import { stylePromptTitle } from "../terminal/prompt-style.js";
|
|
import {
|
|
normalizeGithubCopilotDomain,
|
|
resolveGithubCopilotBaseUrl,
|
|
resolveGithubCopilotUserAgent,
|
|
} from "./github-copilot-utils.js";
|
|
|
|
const CLIENT_ID = "Ov23li8tweQw6odWQebz";
|
|
const DEFAULT_DOMAIN = "github.com";
|
|
const OAUTH_POLLING_SAFETY_MARGIN_MS = 3000;
|
|
|
|
function getUrls(domain: string) {
|
|
return {
|
|
deviceCodeUrl: `https://${domain}/login/device/code`,
|
|
accessTokenUrl: `https://${domain}/login/oauth/access_token`,
|
|
};
|
|
}
|
|
|
|
type DeviceCodeResponse = {
|
|
device_code: string;
|
|
user_code: string;
|
|
verification_uri: string;
|
|
expires_in: number;
|
|
interval: number;
|
|
};
|
|
|
|
type DeviceTokenResponse =
|
|
| {
|
|
access_token: string;
|
|
token_type: string;
|
|
scope?: string;
|
|
}
|
|
| {
|
|
error: string;
|
|
error_description?: string;
|
|
error_uri?: string;
|
|
};
|
|
|
|
function parseJsonResponse<T>(value: unknown): T {
|
|
if (!value || typeof value !== "object") {
|
|
throw new Error("Unexpected response from GitHub");
|
|
}
|
|
return value as T;
|
|
}
|
|
|
|
async function requestDeviceCode(params: {
|
|
scope: string;
|
|
domain: string;
|
|
}): Promise<DeviceCodeResponse> {
|
|
const body = JSON.stringify({
|
|
client_id: CLIENT_ID,
|
|
scope: params.scope,
|
|
});
|
|
|
|
const res = await fetch(getUrls(params.domain).deviceCodeUrl, {
|
|
method: "POST",
|
|
headers: {
|
|
Accept: "application/json",
|
|
"Content-Type": "application/json",
|
|
"User-Agent": resolveGithubCopilotUserAgent(),
|
|
},
|
|
body,
|
|
});
|
|
|
|
if (!res.ok) {
|
|
throw new Error(`GitHub device code failed: HTTP ${res.status}`);
|
|
}
|
|
|
|
const json = parseJsonResponse<DeviceCodeResponse>(await res.json());
|
|
if (!json.device_code || !json.user_code || !json.verification_uri) {
|
|
throw new Error("GitHub device code response missing fields");
|
|
}
|
|
return json;
|
|
}
|
|
|
|
async function pollForAccessToken(params: {
|
|
domain: string;
|
|
deviceCode: string;
|
|
intervalMs: number;
|
|
expiresAt: number;
|
|
}): Promise<string> {
|
|
const bodyBase = {
|
|
client_id: CLIENT_ID,
|
|
device_code: params.deviceCode,
|
|
grant_type: "urn:ietf:params:oauth:grant-type:device_code",
|
|
};
|
|
const urls = getUrls(params.domain);
|
|
|
|
while (Date.now() < params.expiresAt) {
|
|
const res = await fetch(urls.accessTokenUrl, {
|
|
method: "POST",
|
|
headers: {
|
|
Accept: "application/json",
|
|
"Content-Type": "application/json",
|
|
"User-Agent": resolveGithubCopilotUserAgent(),
|
|
},
|
|
body: JSON.stringify(bodyBase),
|
|
});
|
|
|
|
if (!res.ok) {
|
|
throw new Error(`GitHub device token failed: HTTP ${res.status}`);
|
|
}
|
|
|
|
const json = parseJsonResponse<DeviceTokenResponse>(await res.json());
|
|
if ("access_token" in json && typeof json.access_token === "string") {
|
|
return json.access_token;
|
|
}
|
|
|
|
const err = "error" in json ? json.error : "unknown";
|
|
if (err === "authorization_pending") {
|
|
await new Promise((r) => setTimeout(r, params.intervalMs + OAUTH_POLLING_SAFETY_MARGIN_MS));
|
|
continue;
|
|
}
|
|
if (err === "slow_down") {
|
|
const serverInterval =
|
|
"interval" in json && typeof json.interval === "number" ? json.interval : undefined;
|
|
const nextInterval = serverInterval ? serverInterval * 1000 : params.intervalMs + 5000;
|
|
await new Promise((r) => setTimeout(r, nextInterval + OAUTH_POLLING_SAFETY_MARGIN_MS));
|
|
continue;
|
|
}
|
|
if (err === "expired_token") {
|
|
throw new Error("GitHub device code expired; run login again");
|
|
}
|
|
if (err === "access_denied") {
|
|
throw new Error("GitHub login cancelled");
|
|
}
|
|
throw new Error(`GitHub device flow error: ${err}`);
|
|
}
|
|
|
|
throw new Error("GitHub device code expired; run login again");
|
|
}
|
|
|
|
export async function githubCopilotLoginCommand(
|
|
opts: { profileId?: string; yes?: boolean },
|
|
runtime: RuntimeEnv,
|
|
) {
|
|
if (!process.stdin.isTTY) {
|
|
throw new Error("github-copilot login requires an interactive TTY.");
|
|
}
|
|
|
|
intro(stylePromptTitle("GitHub Copilot login"));
|
|
|
|
const profileId = opts.profileId?.trim() || "github-copilot:github";
|
|
const store = ensureAuthProfileStore(undefined, {
|
|
allowKeychainPrompt: false,
|
|
});
|
|
|
|
if (store.profiles[profileId] && !opts.yes) {
|
|
note(
|
|
`Auth profile already exists: ${profileId}\nRe-running will overwrite it.`,
|
|
stylePromptTitle("Existing credentials"),
|
|
);
|
|
}
|
|
|
|
const deployment = await select({
|
|
message: "Select GitHub deployment type",
|
|
options: [
|
|
{ label: "GitHub.com", value: DEFAULT_DOMAIN, hint: "Public" },
|
|
{ label: "GitHub Enterprise", value: "enterprise", hint: "Data residency or self-hosted" },
|
|
],
|
|
});
|
|
if (isCancel(deployment)) {
|
|
throw new Error("GitHub login cancelled");
|
|
}
|
|
|
|
let domain = DEFAULT_DOMAIN;
|
|
let enterpriseDomain: string | null = null;
|
|
if (deployment === "enterprise") {
|
|
const enterpriseInput = await text({
|
|
message: "Enter your GitHub Enterprise URL or domain",
|
|
placeholder: "company.ghe.com or https://company.ghe.com",
|
|
validate: (value) => {
|
|
if (!value) return "URL or domain is required";
|
|
return normalizeGithubCopilotDomain(value) ? undefined : "Enter a valid URL or domain";
|
|
},
|
|
});
|
|
if (isCancel(enterpriseInput)) {
|
|
throw new Error("GitHub login cancelled");
|
|
}
|
|
const normalized = normalizeGithubCopilotDomain(enterpriseInput);
|
|
if (!normalized) {
|
|
throw new Error("Invalid GitHub Enterprise URL/domain");
|
|
}
|
|
enterpriseDomain = normalized;
|
|
domain = normalized;
|
|
}
|
|
|
|
const spin = spinner();
|
|
spin.start("Requesting device code from GitHub...");
|
|
const device = await requestDeviceCode({ scope: "read:user", domain });
|
|
spin.stop("Device code ready");
|
|
|
|
note(
|
|
[`Visit: ${device.verification_uri}`, `Code: ${device.user_code}`].join("\n"),
|
|
stylePromptTitle("Authorize"),
|
|
);
|
|
|
|
const expiresAt = Date.now() + device.expires_in * 1000;
|
|
const intervalMs = Math.max(1000, device.interval * 1000);
|
|
|
|
const polling = spinner();
|
|
polling.start("Waiting for GitHub authorization...");
|
|
const accessToken = await pollForAccessToken({
|
|
domain,
|
|
deviceCode: device.device_code,
|
|
intervalMs,
|
|
expiresAt,
|
|
});
|
|
polling.stop("GitHub access token acquired");
|
|
|
|
upsertAuthProfile({
|
|
profileId,
|
|
credential: {
|
|
type: "oauth",
|
|
provider: "github-copilot",
|
|
refresh: accessToken,
|
|
access: accessToken,
|
|
// Copilot access tokens are treated as non-expiring (see resolveApiKeyForProfile).
|
|
expires: 0,
|
|
enterpriseUrl: enterpriseDomain ?? undefined,
|
|
},
|
|
});
|
|
|
|
await updateConfig((cfg) =>
|
|
applyAuthProfileConfig(cfg, {
|
|
provider: "github-copilot",
|
|
profileId,
|
|
mode: "oauth",
|
|
}),
|
|
);
|
|
|
|
logConfigUpdated(runtime);
|
|
runtime.log(`Auth profile: ${profileId} (github-copilot/oauth)`);
|
|
runtime.log(`Base URL: ${resolveGithubCopilotBaseUrl(enterpriseDomain ?? undefined)}`);
|
|
|
|
outro("Done");
|
|
}
|