improve PAT login with encryption for edge cases.

Author: stevensJourney

cli/package.json

@@ -8,6 +8,7 @@
   },
   "bugs": "https://github.com/powersync-ja/cli/issues",
   "dependencies": {
+    "@fastify/cors": "^10.0.0",
     "@inquirer/prompts": "^7.2.0",
     "@oclif/core": "^4",
     "@oclif/plugin-help": "^6",
@@ -21,6 +22,7 @@
     "@powersync/service-types": "^0.13.3",
     "jose": "^6.1.3",
     "lodash": "^4.17.23",
+    "fastify": "^5.0.0",
     "open": "^11.0.0",
     "ora": "^9.0.0",
     "ts-codec": "^1.3.0",

cli/src/api/login-server.ts

@@ -0,0 +1,136 @@
+import cors from '@fastify/cors';
+import { env } from '@powersync/cli-core';
+import Fastify from 'fastify';
+import { createDecipheriv, createPrivateKey, createPublicKey, generateKeyPairSync, privateDecrypt } from 'node:crypto';
+import open from 'open';
+
+/** Hybrid encryption format from dashboard: [encrypted_cek (256)] [iv (12)] [ciphertext] [tag (16)]. */
+const RSA_ENCRYPTED_KEY_BYTES = 256;
+const IV_BYTES = 12;
+const GCM_TAG_BYTES = 16;
+
+/** Decode base64 or base64url (URL-safe) to bytes. Accepts standard base64 or base64url from query params. */
+function decodeBase64Payload(payload: string): Buffer {
+  const base64 = payload.replace(/-/g, '+').replace(/_/g, '/');
+  const pad = base64.length % 4;
+  const padded = pad === 0 ? base64 : base64 + '='.repeat(4 - pad);
+  return Buffer.from(padded, 'base64');
+}
+
+/**
+ * Decrypt a token encrypted by the dashboard with the hybrid scheme (RSA-OAEP-wrapped CEK + AES-256-GCM).
+ * Payload is base64 or base64url: decoded = encrypted_cek (256 bytes) || iv (12) || ciphertext || auth_tag (16).
+ * Uses Node crypto for RSA-OAEP and AES-GCM decryption.
+ */
+function decryptTokenFromDashboard(base64Payload: string, privateKeyPem: string): string {
+  const raw = decodeBase64Payload(base64Payload.trim());
+  if (raw.length < RSA_ENCRYPTED_KEY_BYTES + IV_BYTES + GCM_TAG_BYTES) {
+    throw new Error('Payload too short');
+  }
+  const encryptedCek = raw.subarray(0, RSA_ENCRYPTED_KEY_BYTES);
+  const iv = raw.subarray(RSA_ENCRYPTED_KEY_BYTES, RSA_ENCRYPTED_KEY_BYTES + IV_BYTES);
+  const ciphertextWithTag = raw.subarray(RSA_ENCRYPTED_KEY_BYTES + IV_BYTES);
+  const ciphertext = ciphertextWithTag.subarray(0, ciphertextWithTag.length - GCM_TAG_BYTES);
+  const tag = ciphertextWithTag.subarray(-GCM_TAG_BYTES);
+
+  const keyObject = createPrivateKey({ key: privateKeyPem, format: 'pem' });
+  const cek = privateDecrypt({ key: keyObject, oaepHash: 'sha256' }, encryptedCek);
+
+  const decipher = createDecipheriv('aes-256-gcm', cek, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf-8');
+}
+
+/**
+ * Server login handshake (asymmetric encryption)
+ *
+ * Flow:
+ * 1. CLI starts a local HTTP server and generates an ephemeral RSA keypair.
+ * 2. CLI opens the dashboard with a base64-encoded `request` param containing
+ *    { redirect_url, public_key }. The dashboard learns where to send the token
+ *    and how to encrypt it.
+ * 3. User creates a token in the dashboard. The dashboard encrypts the token
+ *    with the CLI's public key and redirects the browser to redirect_url with
+ *    the encrypted token in the query string (GET), so the secret never appears in history.
+ * 4. CLI receives GET /response?token=<base64> (see decryptTokenFromDashboard), decrypts it,
+ *    and stores the plaintext token.
+ *
+ * Why encryption:
+ * In some cases the dashboard needs to hand the token back via a URL (e.g.
+ * redirect or opening the CLI callback URL in the browser). If we sent the
+ * token in the query string or fragment, it would appear in browser history,
+ * logs, and referrers. Encrypting with the CLI's public key ensures only this
+ * CLI instance can decrypt the token; the value that might appear in a URL or
+ * in transit is ciphertext, not the secret.
+ */
+export async function startPATLoginServer(): Promise<{
+  address: string;
+  tokenPromise: Promise<string>;
+}> {
+  const { publicKey: publicKeyPem, privateKey: privateKeyPem } = generateKeyPairSync('rsa', {
+    modulusLength: 2048,
+    publicKeyEncoding: { type: 'spki', format: 'pem' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
+  });
+  const publicKeyJwk = createPublicKey(publicKeyPem).export({ format: 'jwk' }) as JsonWebKey;
+
+  let settled = false;
+  let resolveToken!: (value: string) => void;
+  let rejectToken!: (err: Error) => void;
+  const tokenPromise = new Promise<string>((resolve, reject) => {
+    resolveToken = resolve;
+    rejectToken = reject;
+  });
+
+  const app = Fastify({ logger: false });
+  const allowOrigin = env._PS_DASHBOARD_URL.replace(/\/$/, '');
+  await app.register(cors, { origin: allowOrigin });
+
+  app.get<{ Querystring: { token?: string } }>('/response', async (request, reply) => {
+    const rawToken = typeof request.query?.token === 'string' ? request.query.token.trim() : null;
+    if (!rawToken) {
+      await reply.status(400).send({ error: 'Missing or empty "token" query parameter' });
+      if (!settled) {
+        settled = true;
+        rejectToken(new Error('Invalid request: GET /response must include a non-empty "token" query parameter'));
+      }
+      return;
+    }
+    let tokenValue: string;
+    try {
+      tokenValue = decryptTokenFromDashboard(rawToken, privateKeyPem);
+    } catch {
+      await reply.status(400).send({ error: 'Failed to decrypt token from dashboard' });
+      if (!settled) {
+        settled = true;
+        rejectToken(new Error('Failed to decrypt token from dashboard'));
+      }
+      return;
+    }
+    if (settled) return;
+    settled = true;
+    await reply.status(200).send();
+    resolveToken(tokenValue);
+    await app.close();
+  });
+
+  app.setErrorHandler((err, _request, reply) => {
+    if (!settled) {
+      settled = true;
+      rejectToken(err instanceof Error ? err : new Error(String(err)));
+    }
+    void reply.status(500).send({ error: 'Internal server error' });
+  });
+
+  const address = await app.listen({ port: 0, host: '127.0.0.1' });
+  const responseUrl = `${address}/response`;
+  const requestPayload: { redirect_url: string; public_key: JsonWebKey } = {
+    redirect_url: responseUrl,
+    public_key: publicKeyJwk
+  };
+  const requestBase64 = Buffer.from(JSON.stringify(requestPayload), 'utf-8').toString('base64');
+
+  open(`${env._PS_DASHBOARD_URL}/account/access-tokens/create?request=${encodeURIComponent(requestBase64)}`);
+
+  return { address, tokenPromise };
+}

cli/src/commands/login.ts

@@ -1,114 +1,7 @@
 import { confirm, password } from '@inquirer/prompts';
 import { ux } from '@oclif/core';
-import { createAccountsHubClient, env, PowerSyncCommand, Services } from '@powersync/cli-core';
-import { createServer } from 'node:http';
-import { AddressInfo } from 'node:net';
-import open from 'open';
-
-async function startServer(): Promise<{
-  address: string;
-  tokenPromise: Promise<string>;
-}> {
-  const server = createServer();
-
-  const address = await new Promise<string>((resolve, reject) => {
-    server.once('error', (err) => {
-      reject(err);
-    });
-
-    server.listen(0, '127.0.0.1', () => {
-      const addressInfo = server.address();
-      if (typeof addressInfo !== 'object' || addressInfo === null || !('port' in addressInfo)) {
-        reject(new Error('Failed to get address'));
-        return;
-      }
-      const { port } = addressInfo as AddressInfo;
-      resolve(`http://127.0.0.1:${port}`);
-      // Dashboard will fetch() POST the token to this URL (no redirect; token in body).
-      const baseResponseUrl = `http://127.0.0.1:${port}`;
-      resolve(baseResponseUrl);
-    });
-  });
-
-  return {
-    address,
-    tokenPromise: new Promise<string>((resolve, reject) => {
-      const responseUrl = `${address}/response`;
-      open(`${env._PS_DASHBOARD_URL}/account/access-tokens/create?response_url=${encodeURIComponent(responseUrl)}`);
-
-      server.once('error', (err) => {
-        reject(err);
-      });
-
-      let settled = false;
-      const rejectWith = (err: Error) => {
-        if (settled) return;
-        settled = true;
-        server.close();
-        reject(err);
-      };
-
-      // Allow dashboard origin for CORS (fetch from dashboard to this callback)
-      const allowOrigin = env._PS_DASHBOARD_URL.replace(/\/$/, '');
-      const corsHeaders = {
-        'Access-Control-Allow-Origin': allowOrigin,
-        'Access-Control-Allow-Methods': 'POST, OPTIONS',
-        'Access-Control-Allow-Headers': 'Content-Type'
-      };
-      const setCors = (res: import('node:http').ServerResponse) => {
-        for (const [k, v] of Object.entries(corsHeaders)) res.setHeader(k, v);
-      };
-
-      server.on('request', (req, res) => {
-        const path = req.url?.split('?')[0] ?? '';
-        if (req.method === 'OPTIONS' && path === '/response') {
-          setCors(res);
-          res.statusCode = 204;
-          res.end();
-          return;
-        }
-        if (req.method !== 'POST' || path !== '/response') {
-          setCors(res);
-          res.statusCode = 400;
-          res.end();
-          rejectWith(new Error('Invalid request: expected POST /response'));
-          return;
-        }
-        setCors(res);
-        const chunks: Buffer[] = [];
-        req.on('data', (chunk) => chunks.push(chunk));
-        req.on('end', () => {
-          const contentType = req.headers['content-type'] ?? '';
-          if (!contentType.includes('application/json')) {
-            res.statusCode = 400;
-            res.end();
-            rejectWith(new Error('Invalid request: Content-Type must be application/json'));
-            return;
-          }
-          let tokenValue: string | null = null;
-          try {
-            const parsed = JSON.parse(Buffer.concat(chunks).toString('utf-8')) as { token?: string };
-            tokenValue = typeof parsed?.token === 'string' ? parsed.token.trim() : null;
-          } catch {
-            tokenValue = null;
-          }
-          if (tokenValue) {
-            if (settled) return;
-            settled = true;
-            res.statusCode = 200;
-            res.end();
-            resolve(tokenValue);
-            server.close();
-          } else {
-            res.statusCode = 400;
-            res.end();
-            rejectWith(new Error('Invalid request: JSON body must include a non-empty "token" string'));
-          }
-        });
-      });
-    })
-  };
-}
+import { createAccountsHubClient, PowerSyncCommand, Services } from '@powersync/cli-core';
+import { startPATLoginServer } from '../api/login-server.js';
 
 export default class Login extends PowerSyncCommand {
   static description =
@@ -136,12 +29,7 @@ export default class Login extends PowerSyncCommand {
 
     const existingToken = await authentication.getToken();
     if (existingToken) {
-      this.log(
-        ux.colorize(
-          'blue',
-          'An existing token was found. This existing token has access to the following organizations:'
-        )
-      );
+      this.log('An existing token was found. This existing token has access to the following organizations:');
       try {
         this.log(ux.colorize('gray', await listOrgs()));
       } catch (err) {
@@ -171,7 +59,7 @@ export default class Login extends PowerSyncCommand {
 
     // Allows aborting the prompt if the server returns the token
     const abortPromptController = new AbortController();
-    const serverResponse = openBrowser ? await startServer() : null;
+    const serverResponse = openBrowser ? await startPATLoginServer() : null;
     if (serverResponse) {
       this.log(
         `Waiting on ${ux.colorize('blue', serverResponse.address)} for you to create a token in the dashboard...`