UNPKG

@capgo/cli

Version:

A CLI to upload to capgo servers

github.com/Cap-go/capgo/tree/main/cli

Cap-go/capgo

135 lines (134 loc) 5.34 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
export declare const GOOGLE_OAUTH_SCOPES_ANDROIDPUBLISHER: readonly ["openid", "https://www.googleapis.com/auth/userinfo.email", "https://www.googleapis.com/auth/androidpublisher"]; export interface GoogleOAuthConfig { clientId: string; /** * Desktop clients receive a "secret" from the Console that isn't truly * confidential; pass it when available — Google accepts the token exchange * with or without it as long as PKCE is used. */ clientSecret?: string; scopes: readonly string[]; /** Extra params to include on the auth URL (e.g. `login_hint`, `prompt`). */ extraAuthParams?: Record<string, string>; } export interface GoogleOAuthTokens { accessToken: string; refreshToken?: string; /** * Unix epoch in milliseconds — the wall-clock time the access token stops * being accepted. Callers should refresh before this. */ expiresAt: number; idToken?: string; scope: string; tokenType: string; } export interface GoogleUserInfo { sub: string; email: string; emailVerified: boolean; name?: string; picture?: string; } export interface RunOAuthFlowOptions { /** * Called once with the authorization URL right before we open it. Useful * for logging the URL in case `open()` fails. */ onAuthUrl?: (url: string) => void; /** Called with user-visible status updates while we wait for the redirect. */ onStatus?: (message: string) => void; /** Overall deadline for the whole flow. Defaults to 5 minutes. */ timeoutMs?: number; /** Abort the flow early — useful for React cleanup. */ signal?: AbortSignal; } export interface PkcePair { verifier: string; challenge: string; method: 'S256'; } /** * Generate a PKCE verifier (43–128 chars of unreserved URL chars) and its * SHA-256 challenge. The verifier must be held until the token exchange. */ export declare function generatePkcePair(): PkcePair; export declare function generateState(): string; export declare function buildAuthUrl(args: { clientId: string; redirectUri: string; scopes: readonly string[]; state: string; codeChallenge: string; extra?: Record<string, string>; }): string; interface RawTokenResponse { access_token: string; expires_in: number; refresh_token?: string; scope: string; token_type: string; id_token?: string; } export declare function parseTokenResponse(raw: RawTokenResponse, now?: number): GoogleOAuthTokens; /** Exchange an authorization code + PKCE verifier for tokens. */ export declare function exchangeAuthCode(args: { config: GoogleOAuthConfig; code: string; codeVerifier: string; redirectUri: string; }): Promise<GoogleOAuthTokens>; /** * Use a stored refresh token to mint a new access token. Refresh tokens may be * revoked by the user at any time; callers should surface a clean re-auth * prompt if this throws. */ export declare function refreshAccessToken(config: GoogleOAuthConfig, refreshToken: string): Promise<GoogleOAuthTokens>; /** Fetch the signed-in user's email and subject (stable Google ID). */ export declare function fetchUserInfo(accessToken: string): Promise<GoogleUserInfo>; /** * Revoke a Google OAuth token. Accepts either an access or refresh token — * revoking a refresh token also invalidates any access tokens minted from it. */ export declare function revokeToken(token: string): Promise<void>; /** * Error thrown by runOAuthFlow when the user approves the consent screen but * deselects one or more requested scopes. The CLI catches this specifically * to route the user back to a "please grant all permissions" re-sign-in step * instead of failing several phases later with confusing API errors. */ export declare class MissingScopesError extends Error { readonly missing: readonly string[]; readonly granted: string; constructor(missing: readonly string[], granted: string); } /** * Compare a space-separated `scope` string from a token response against the * scopes the CLI requested. Returns the subset of requested scopes that the * user did not grant. * * Google's tokeninfo response uses a space-separated, unordered list — the * order in `requestedScopes` is not preserved. Empty strings are filtered out. */ export declare function findMissingScopes(grantedScope: string, requestedScopes: readonly string[]): string[]; export interface LoopbackCallbackResult { /** Authorization code Google returned in the query string. */ code: string; /** * Finishes the browser response with the given HTML. Call this AFTER doing * the token exchange and scope validation so the user sees a result that * reflects the post-exchange state (e.g. "missing permissions") rather than * a generic "you can close this tab" page that's stale by the time it * matters. Idempotent — second call is a no-op. */ finishResponse: (html: string, statusCode?: number) => void; } /** * Run the full browser-based OAuth flow and return tokens. * * Side effects: * - Opens a browser window at Google's consent screen. * - Starts (and later stops) a loopback HTTP server on 127.0.0.1. */ export declare function runOAuthFlow(config: GoogleOAuthConfig, options?: RunOAuthFlowOptions): Promise<GoogleOAuthTokens>; export {};