feat: integreate OKTA authentication

Author: rovilay

cli-typescript/package-lock.json

@@ -26,6 +26,7 @@
   "devDependencies": {
     "@esbuild-kit/esm-loader": "^2.6.5",
     "@types/eslint-plugin-prettier": "^3.1.3",
+    "@types/express": "^5.0.2",
     "@types/node": "^22.13.16",
     "eslint": "^9.24.0",
     "eslint-config-prettier": "^10.1.1",
@@ -41,6 +42,8 @@
     "commander": "^13.1.0",
     "dotenv": "^16.4.7",
     "ethers": "^6.13.5",
+    "express": "^5.1.0",
+    "mkdirp": "^3.0.1",
     "ox": "^0.7.0",
     "viem": "^2.26.3"
   }

cli-typescript/package.json

@@ -55,10 +55,13 @@ export const getNewProjectCmdDescription = (defaultInfo?: string) => {
   `;
 };
 
-const presets = async () => {
+const presets = async (cliCmd: string) => {
   try {
     console.log('Starting prestart tasks...');
 
+    // set cmd name globally
+    process.env.MAGICDROP_CLI_CMD = cliCmd;
+
     setBaseDir();
   } catch (error: any) {
     showError({ text: `An error occurred: ${error.message}` });
@@ -80,14 +83,32 @@ export const createEvmCommand = ({
     .description(`${platform.name} launchpad commands`)
     .aliases(commandAliases);
 
-  newCmd.hook('preAction', async () => {
+  newCmd.hook('preAction', async (_, actionCommand) => {
     try {
-      await presets();
+      await presets(actionCommand.name());
     } catch (error: any) {
       showError({ text: `setup failed - ${error.message}` });
     }
   });
 
+  // subcommand hook; verify if the collection is supported on the platform
+  newCmd.hook('preAction', (_, actionCommand) => {
+    const symbol = actionCommand.args[0];
+
+    if (!SUBCOMMAND_EXCLUDE_LIST.includes(actionCommand.name()) && !!symbol) {
+      const store = getProjectStore(symbol);
+      store.read();
+
+      if (!platform.isChainIdSupported(store.data?.chainId ?? 0)) {
+        showError({
+          text: `collection '${symbol}' not supported on the ${platform.name} platform.`,
+        });
+
+        process.exit(1);
+      }
+    }
+  });
+
   newCmd
     .command('new <symbol>')
     .aliases(['n', 'init'])
@@ -160,23 +181,6 @@ export const createEvmCommand = ({
       ) => await deployAction(platform, symbol, params),
     );
 
-  // subcommand hook; verify if the collection is supported on the platform
-  newCmd.hook('preAction', (_, actionCommand) => {
-    const symbol = actionCommand.args[0];
-    if (!SUBCOMMAND_EXCLUDE_LIST.includes(actionCommand.name()) || !!symbol) {
-      const store = getProjectStore(symbol);
-      store.read();
-
-      if (!platform.isChainIdSupported(store.data?.chainId ?? 0)) {
-        showError({
-          text: `collection '${symbol}' not supported on the ${platform.name} platform.`,
-        });
-
-        process.exit(1);
-      }
-    }
-  });
-
   newCmd
     .command('configure-project <symbol>')
     .description(

cli-typescript/src/cmds/createCommand.ts

@@ -40,7 +40,6 @@ export class ContractManager {
   public client: PublicClient;
   public rpcUrl: string;
   public chain: Chain;
-  private meTurnkeServiceClient: ReturnType<typeof getMETurnkeyServiceClient>;
 
   constructor(
     public chainId: SUPPORTED_CHAINS,
@@ -49,7 +48,6 @@ export class ContractManager {
   ) {
     this.rpcUrl = rpcUrls[this.chainId];
     this.chain = getViemChainByChainId(this.chainId);
-    this.meTurnkeServiceClient = getMETurnkeyServiceClient();
 
     // Initialize viem client
     this.client = createPublicClient({
@@ -114,7 +112,8 @@ export class ContractManager {
     value?: bigint;
     gasLimit?: bigint;
   }): Promise<Hex> {
-    return this.meTurnkeServiceClient.sendTransaction(this.symbol, {
+    const meTurnkeyServiceClient = await getMETurnkeyServiceClient();
+    return await meTurnkeyServiceClient.sendTransaction(this.symbol, {
       to,
       data,
       value,

cli-typescript/src/utils/ContractManager.ts

@@ -0,0 +1,87 @@
+import fs from 'fs';
+import * as okta from './okta';
+import { mkdirp } from 'mkdirp';
+import { COLLECTION_DIR } from '../constants';
+
+export const authenticate = async () => {
+  console.log('Authenticating...');
+  const configDir = `${COLLECTION_DIR}/.config/auth`;
+  const configPath = `${configDir}/config.json`;
+
+  // make dir if it does not exist
+  mkdirp.sync(configDir);
+
+  // Load credentials
+  const config: IConfig = fs.existsSync(configPath)
+    ? JSON.parse(fs.readFileSync(configPath, 'utf-8'))
+    : {
+        accessToken: '',
+        refreshToken: '',
+        idToken: '',
+        expires: '2025-05-31T00:00:00.000Z',
+        meApiAdminKey: '',
+      };
+
+  const setToken = (token: okta.IAuth['token']) => {
+    config.accessToken = token.access_token;
+    config.refreshToken = token.refresh_token;
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
+  };
+
+  if (!config.accessToken || !config.refreshToken) {
+    const { token } = await okta.authenticate();
+    setToken(token);
+    return;
+  }
+
+  // Decode the access token and find expiry
+  const decoded = decodeJWT(config.accessToken);
+  const expiry = new Date(decoded.exp * 1000).getTime();
+  const now = new Date().getTime();
+
+  if (now >= expiry) {
+    // Authenticate if expired, and we do not have a valid refresh token
+    if (!(await okta.validToken(config.refreshToken, 'refresh_token'))) {
+      const { token } = await okta.authenticate();
+      setToken(token);
+    } else {
+      // Refresh if expired, and we have a valid refresh token
+      const token = await okta.refresh(config.refreshToken);
+      if (token) setToken(token);
+    }
+  }
+
+  return {
+    Authorization: `Bearer ${config.accessToken}`,
+    'x-bypass-bot-key': 'FDRifjUqk8RH3SRCyRw',
+  };
+};
+
+export const decodeJWT = (token: string) => {
+  return JSON.parse(
+    Buffer.from(token.split('.')[1], 'base64').toString(),
+  ) as DecodedJWT;
+};
+
+export type DecodedJWT = {
+  ver: number;
+  jti: string;
+  iss: string;
+  aud: string;
+  sub: string;
+  iat: number;
+  exp: number;
+  cid: string;
+  uid: string;
+  scp: string[];
+  auth_time: number;
+};
+
+export type IConfig = {
+  accessToken: string;
+  refreshToken: string;
+  idToken: string;
+  expires: string;
+  meApiAdminKey: string;
+  xBypassBotKey: string;
+};

cli-typescript/src/utils/auth/index.ts

@@ -0,0 +1,192 @@
+/**
+ * Authenticate using okta
+ *
+ * TODO: we forked this file from cli/ to unblock eth tooling. Refactor this into a shared lib.
+ */
+
+import axios from 'axios';
+import { createHash, randomBytes } from 'crypto';
+import express from 'express';
+import open from 'open';
+import { stringify } from 'querystring';
+
+export const OKTA = {
+  oktaOrgUrl: 'https://magiceden.okta.com',
+  clientId: '0oaczwrqrdhJTKiuC696',
+  scopes: 'openid email profile offline_access',
+};
+
+const redirectUri = 'http://localhost:30033/login/callback';
+
+/**
+ * Okta PKCE config
+ */
+export const getInfo = async (accessToken: string): Promise<boolean> => {
+  const client = axios.create({
+    baseURL: OKTA.oktaOrgUrl,
+  });
+
+  const info = await client
+    .post(
+      '/oauth2/v1/introspect',
+      stringify({
+        token: accessToken,
+        client_id: OKTA.clientId,
+        token_type_hint: 'access_token',
+      }),
+    )
+    .then((res) => res.data);
+
+  return info;
+};
+
+export const validToken = async (
+  token: string,
+  tokenType: 'access_token' | 'refresh_token',
+): Promise<boolean> => {
+  const client = axios.create({
+    baseURL: OKTA.oktaOrgUrl,
+  });
+
+  const info = await client
+    .post<IAuth['info']>(
+      '/oauth2/v1/introspect',
+      stringify({
+        token: token,
+        client_id: OKTA.clientId,
+        token_type_hint: tokenType,
+      }),
+    )
+    .then((res) => res.data);
+
+  return info!.active;
+};
+
+export const refresh = async (
+  refreshToken: string,
+): Promise<IAuth['refresh']> => {
+  const client = axios.create({
+    baseURL: OKTA.oktaOrgUrl,
+  });
+
+  const token = await client
+    .post(
+      '/oauth2/v1/token',
+      stringify({
+        grant_type: 'refresh_token',
+        redirect_uri: redirectUri,
+        scope: OKTA.scopes,
+        client_id: OKTA.clientId,
+        refresh_token: refreshToken,
+      }),
+    )
+    .then((res) => res.data);
+
+  return token;
+};
+
+export const authenticate = async (): Promise<IAuth> => {
+  const verifier = randomBytes(64).toString('base64url');
+  const verifierSha = base64url(
+    createHash('sha256').update(verifier).digest('base64'),
+  );
+
+  const code: string = await new Promise((resolve, reject) => {
+    const server = express()
+      .get('/login/callback', (req, res) => {
+        try {
+          resolve(req.query.code as string);
+          res.json({ message: 'Thank you. You can close this tab.' });
+        } catch (err) {
+          reject(err);
+        } finally {
+          server.close();
+        }
+      })
+      .listen(30033);
+
+    open(
+      `${OKTA.oktaOrgUrl}/oauth2/v1/authorize?${stringify({
+        client_id: OKTA.clientId,
+        response_type: 'code',
+        scope: OKTA.scopes,
+        redirect_uri: redirectUri,
+        state: randomBytes(32).toString('base64url'),
+        code_challenge_method: 'S256',
+        code_challenge: verifierSha,
+      })}`,
+    );
+  });
+
+  const client = axios.create({
+    baseURL: OKTA.oktaOrgUrl,
+  });
+
+  const token = (await client
+    .post<{ access_token: string }>(
+      '/oauth2/v1/token',
+      stringify({
+        grant_type: 'authorization_code',
+        redirect_uri: redirectUri,
+        client_id: OKTA.clientId,
+        code,
+        code_verifier: verifier,
+      }),
+    )
+    .then((res) => res.data)) as IAuth['token'];
+
+  return { code, token } as unknown as IAuth;
+};
+
+const base64url = (str: string) =>
+  str.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+
+export type IAuth = {
+  code: string;
+
+  token: {
+    token_type: string;
+    expires_in: number;
+    access_token: string;
+    scope: string;
+    refresh_token: string;
+    id_token: string;
+  };
+
+  user?: {
+    sub: string;
+    name: string;
+    locale: string;
+    email: string;
+    preferred_username: string;
+    given_name: string;
+    family_name: string;
+    zoneinfo: string;
+    updated_at: number;
+    email_verified: boolean;
+  };
+
+  info?: {
+    active: boolean;
+    scope: string;
+    username: string;
+    exp: number;
+    iat: number;
+    sub: string;
+    aud: string;
+    iss: string;
+    jti: string;
+    token_type: string;
+    client_id: string;
+    uid: string;
+  };
+
+  refresh?: {
+    token_type: string;
+    expires_in: number;
+    access_token: string;
+    scope: string;
+    refresh_token: string;
+    id_token: string;
+  };
+};