feat: three-token auth flow (session_id + user_code + device_code)

- session_id (clm_sess_...) in browser URL — identifies login attempt - user_code (ABCD-EFGH) visual confirmation — shown in both terminal and browser - device_code (secret) — CLI polls with this, never displayed - CLI accepts stdin paste of JWT token while polling (race) - Web page handles both ?session= and ?code= params Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 12:19:08 +01:00
parent bb1310167e
commit d07cff788c
6 changed files with 35 additions and 22 deletions
--- a/apps/broker/src/index.ts
+++ b/apps/broker/src/index.ts
@@ -4655,6 +4655,7 @@ async function handleDeviceCodeNew(req: IncomingMessage, res: ServerResponse, st

  const dc = generateShortCode(16);
  const uc = generateShortCode(4) + "-" + generateShortCode(4);
+  const sid = "clm_sess_" + generateShortCode(32);
  const expiresAt = new Date(Date.now() + 5 * 60 * 1000);
  const clientIp = (req.headers["x-forwarded-for"] as string)?.split(",")[0]?.trim() ?? req.socket.remoteAddress ?? "unknown";

@@ -4662,6 +4663,7 @@ async function handleDeviceCodeNew(req: IncomingMessage, res: ServerResponse, st
    await db.insert(deviceCodeTable).values({
      deviceCode: dc,
      userCode: uc,
+      sessionId: sid,
      hostname: body.hostname,
      platform: body.platform,
      arch: body.arch,
@@ -4674,10 +4676,12 @@ async function handleDeviceCodeNew(req: IncomingMessage, res: ServerResponse, st
    writeJson(res, 200, {
      device_code: dc,
      user_code: uc,
+      session_id: sid,
      expires_at: expiresAt.toISOString(),
      verification_url: `${baseUrl}/cli-auth`,
+      token_url: `${baseUrl}/token`,
    });
-    log.info("device-code", { route: "POST /cli/device-code", user_code: uc, latency_ms: Date.now() - started });
+    log.info("device-code", { route: "POST /cli/device-code", user_code: uc, session_id: sid, latency_ms: Date.now() - started });
  } catch (e) {
    log.error("device-code", { error: e instanceof Error ? e.message : String(e) });
    writeJson(res, 500, { error: "Failed to create device code" });
@@ -4745,10 +4749,15 @@ async function handleDeviceCodeApprove(req: IncomingMessage, code: string, res:
  }

  try {
-    // Find device code by user_code (browser sends user_code, not device_code)
-    const [entry] = await db.select().from(deviceCodeTable)
+    // Find by session_id first (URL param), fall back to user_code (legacy)
+    let [entry] = await db.select().from(deviceCodeTable)
+      .where(and(eq(deviceCodeTable.sessionId, code), eq(deviceCodeTable.status, "pending")))
+      .limit(1);
+    if (!entry) {
+      [entry] = await db.select().from(deviceCodeTable)
        .where(and(eq(deviceCodeTable.userCode, code), eq(deviceCodeTable.status, "pending")))
        .limit(1);
+    }

    if (!entry) {
      writeJson(res, 404, { error: "Code not found or expired" });
--- a/apps/web/src/app/[locale]/cli-auth/cli-auth-login.tsx
+++ b/apps/web/src/app/[locale]/cli-auth/cli-auth-login.tsx
@@ -8,7 +8,8 @@ interface Props {
 }

 export function CliAuthLogin({ code }: Props) {
-  const redirectTo = `/cli-auth?code=${encodeURIComponent(code)}`;
+  const param = code.startsWith("clm_sess_") ? "session" : "code";
+  const redirectTo = `/cli-auth?${param}=${encodeURIComponent(code)}`;
  const [loading, setLoading] = useState<string | null>(null);
  const [email, setEmail] = useState("");
  const [password, setPassword] = useState("");
--- a/apps/web/src/app/[locale]/cli-auth/device-code-approval.tsx
+++ b/apps/web/src/app/[locale]/cli-auth/device-code-approval.tsx
@@ -21,7 +21,7 @@ export function DeviceCodeApproval({ code, userName }: Props) {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      credentials: "include",
-      body: JSON.stringify({ user_code: code }),
+      body: JSON.stringify({ session_id: code }),
    })
      .then(async (res) => {
        if (res.ok) {
--- a/apps/web/src/app/[locale]/cli-auth/page.tsx
+++ b/apps/web/src/app/[locale]/cli-auth/page.tsx
@@ -13,29 +13,30 @@ export const generateMetadata = getMetadata({
 export default async function CliAuthPage({
  searchParams,
 }: {
-  searchParams: Promise<{ code?: string; port?: string }>;
+  searchParams: Promise<{ code?: string; session?: string; port?: string }>;
 }) {
  const { user } = await getSession();
-  const { code, port } = await searchParams;
+  const { code, session, port } = await searchParams;

-  // Device-code flow: code contains "-" (e.g. "ABCD-EFGH"), no port
-  const isDeviceCode = code && code.includes("-") && !port;
+  // New 3-token flow: ?session=clm_sess_... (session_id in URL)
+  // Legacy flow: ?code=ABCD-EFGH (user_code in URL)
+  const sessionId = session ?? (code && code.startsWith("clm_sess_") ? code : null);
+  const isDeviceCode = sessionId || (code && code.includes("-") && !port);
+  const approvalCode = sessionId ?? code;

-  if (isDeviceCode) {
+  if (isDeviceCode && approvalCode) {
    if (!user) {
-      // NOT logged in → show inline auth form with device code context
      return (
        <main className="min-h-screen bg-[var(--cm-bg,#0a0a0a)] text-[var(--cm-fg,#fafafa)] antialiased flex items-center justify-center">
-          <CliAuthLogin code={code} />
+          <CliAuthLogin code={approvalCode} />
        </main>
      );
    }

-    // Logged in → auto-approve
    return (
      <main className="min-h-screen bg-[var(--cm-bg,#0a0a0a)] text-[var(--cm-fg,#fafafa)] antialiased flex items-center justify-center">
        <DeviceCodeApproval
-          code={code}
+          code={approvalCode}
          userName={user.name ?? user.email}
        />
      </main>
@@ -66,4 +67,3 @@ export default async function CliAuthPage({
    </main>
  );
 }
-
--- a/apps/web/src/app/api/auth/cli/device-code/approve-by-user-code/route.ts
+++ b/apps/web/src/app/api/auth/cli/device-code/approve-by-user-code/route.ts
@@ -13,19 +13,20 @@ export async function POST(request: Request) {
    return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
  }

-  let body: { user_code?: string };
+  let body: { user_code?: string; session_id?: string };
  try {
    body = (await request.json()) as typeof body;
  } catch {
    return NextResponse.json({ error: "Invalid body" }, { status: 400 });
  }

-  if (!body.user_code) {
-    return NextResponse.json({ error: "user_code required" }, { status: 400 });
+  const code = body.session_id ?? body.user_code;
+  if (!code) {
+    return NextResponse.json({ error: "session_id or user_code required" }, { status: 400 });
  }

  // Proxy approve to the broker
-  const brokerRes = await fetch(`${BROKER_URL}/cli/device-code/${body.user_code}/approve`, {
+  const brokerRes = await fetch(`${BROKER_URL}/cli/device-code/${code}/approve`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
--- a/packages/db/src/schema/mesh.ts
+++ b/packages/db/src/schema/mesh.ts
@@ -1125,10 +1125,12 @@ export const deviceCodeStatusEnum = meshSchema.enum("device_code_status", [
 */
 export const deviceCode = meshSchema.table("device_code", {
  id: text().primaryKey().notNull().$defaultFn(generateId),
-  /** Random 16-char code used by CLI to poll. */
+  /** Random 16-char code used by CLI to poll (secret, never shown to user). */
  deviceCode: text().notNull().unique(),
-  /** Human-readable code shown in browser (ABCD-EFGH). */
+  /** Human-readable code shown in both terminal and browser for visual confirmation. */
  userCode: text().notNull(),
+  /** URL-safe session identifier (clm_sess_..., 32 chars). Not secret — appears in browser URL. */
+  sessionId: text().notNull().unique(),
  status: deviceCodeStatusEnum().notNull().default("pending"),
  /** Filled on approve — the authenticated user. */
  userId: text().references(() => user.id, { onDelete: "cascade" }),