wip: browser based PAT for login

Author: stevensJourney

cli/package.json

@@ -21,6 +21,7 @@
     "@powersync/service-types": "^0.13.3",
     "jose": "^6.1.3",
     "lodash": "^4.17.23",
+    "open": "^11.0.0",
     "ora": "^9.0.0",
     "ts-codec": "^1.3.0",
     "yaml": "^2"

cli/src/commands/login.ts

@@ -1,7 +1,10 @@
 import { confirm, password } from '@inquirer/prompts';
 import { ux } from '@oclif/core';
-
 import { createAccountsHubClient, PowerSyncCommand, Services } from '@powersync/cli-core';
+import { createServer } from 'node:http';
+import { AddressInfo } from 'node:net';
+import open from 'open';
+import ora from 'ora';
 
 export default class Login extends PowerSyncCommand {
   static description =
@@ -55,11 +58,90 @@ export default class Login extends PowerSyncCommand {
       }
     }
 
-    const token = await password({
-      message: 'Enter your API token (https://docs.powersync.com/usage/tools/cli#personal-access-token):',
-      mask: true
+    const shouldOpenBrowser = await confirm({
+      message: 'Do you want to open the browser to create a new token?',
+      default: false
     });
 
+    const token = shouldOpenBrowser
+      ? await new Promise<string>((resolve, reject) => {
+          const server = createServer();
+          const spinner = ora('Waiting for you to create a token in the dashboard…').start();
+          server.once('error', (err) => {
+            spinner.fail();
+            reject(err);
+          });
+
+          // Bind to loopback only so the callback is not reachable from other interfaces
+          server.listen(0, '127.0.0.1', () => {
+            const addressInfo = server.address();
+            if (typeof addressInfo !== 'object' || addressInfo === null || !('port' in addressInfo)) {
+              spinner.fail();
+              reject(new Error('Failed to get address'));
+              return;
+            }
+            const { port } = addressInfo as AddressInfo;
+            // Dashboard will fetch() POST the token to this URL (no redirect; token in body).
+            const responseUrl = `http://127.0.0.1:${port}/response`;
+            open(
+              `https://dashboard.powersync.com/account/access-tokens/create?response_url=${encodeURIComponent(responseUrl)}`
+            );
+          });
+
+          let settled = false;
+          const rejectWith = (err: Error) => {
+            if (settled) return;
+            settled = true;
+            spinner.fail();
+            server.close();
+            reject(err);
+          };
+
+          server.on('request', (req, res) => {
+            if (req.method !== 'POST' || !req.url?.startsWith('/response')) {
+              res.statusCode = 400;
+              res.end();
+              rejectWith(new Error('Invalid request: expected POST /response'));
+              return;
+            }
+            const chunks: Buffer[] = [];
+            req.on('data', (chunk) => chunks.push(chunk));
+            req.on('end', () => {
+              const contentType = req.headers['content-type'] ?? '';
+              if (!contentType.includes('application/json')) {
+                res.statusCode = 400;
+                res.end();
+                rejectWith(new Error('Invalid request: Content-Type must be application/json'));
+                return;
+              }
+              let tokenValue: string | null = null;
+              try {
+                const parsed = JSON.parse(Buffer.concat(chunks).toString('utf-8')) as { token?: string };
+                tokenValue = typeof parsed?.token === 'string' ? parsed.token.trim() : null;
+              } catch {
+                tokenValue = null;
+              }
+              if (tokenValue) {
+                if (settled) return;
+                settled = true;
+                res.statusCode = 200;
+                res.end();
+                spinner.succeed();
+                resolve(tokenValue);
+                server.close();
+              } else {
+                res.statusCode = 400;
+                res.end();
+                rejectWith(new Error('Invalid request: JSON body must include a non-empty "token" string'));
+              }
+            });
+          });
+        })
+      : await password({
+          message: 'Enter your API token (https://docs.powersync.com/usage/tools/cli#personal-access-token):',
+          mask: true
+        });
+
     if (!token?.trim()) {
       this.styledError({ message: 'Token is required.' });
     }

cli/tsconfig.json

@@ -7,6 +7,7 @@
     "strict": true,
     "target": "es2022",
     "moduleResolution": "node16",
+    "types": ["node"],
     "composite": true,
     "paths": {
       "@syncpoint/wkx": ["./src/syncpoint-wkx.d.ts"]

packages/cli-core/src/services/storage/KeychainSecureStorage.ts

@@ -19,7 +19,10 @@ export function createKeychainSecureStorage(): BaseStorage {
           },
           (err: Error | null, password: string) => {
             if (err) {
-              if (err.message?.includes('could not be found') || (err as Error & { code?: number }).code === 44) {
+              if (
+                err.message?.includes('could not be found') ||
+                (err as Error & { code?: string }).code === 'PasswordNotFound'
+              ) {
                 resolve(null);
                 return;
               }