|
| 1 | +/** |
| 2 | + * Parse a provider auth token out of interactive CLI output captured through |
| 3 | + * a PTY (`script(1)`). |
| 4 | + * |
| 5 | + * Secret this module hides: the menagerie of PTY-capture artifacts that |
| 6 | + * corrupt an otherwise whitespace-free secret. A real terminal wraps long |
| 7 | + * lines, pads with spaces, and interleaves ANSI/control sequences, so a token |
| 8 | + * the CLI printed as one string lands in the capture split across lines with |
| 9 | + * escape codes embedded. Provider login itself succeeds — only our parse of |
| 10 | + * the human-oriented output fails. |
| 11 | + * |
| 12 | + * A normalize step strips the capture artifacts; the extractor matches the |
| 13 | + * token shape against the clean string. A future provider adds its own |
| 14 | + * extractor here rather than regexing raw `script(1)` output. |
| 15 | + * |
| 16 | + * Runnable as a CLI for the bash callers that can't import TS: |
| 17 | + * tsx setup/lib/captured-token.ts claude <capture-file> |
| 18 | + * Prints the token and exits 0, or exits 1 with nothing on stdout. |
| 19 | + */ |
| 20 | +import fs from 'fs'; |
| 21 | +import { pathToFileURL } from 'url'; |
| 22 | + |
| 23 | +/* eslint-disable no-control-regex -- these patterns exist precisely to match |
| 24 | + the ESC/control bytes a PTY capture is full of. */ |
| 25 | +// CSI sequences (colors, cursor moves): ESC [ , optional private '?' / |
| 26 | +// parameter bytes, optional intermediate bytes, one final byte. Stripped |
| 27 | +// explicitly because a colour reset mid-token (sk…\x1b[0m…AA) would otherwise |
| 28 | +// leave a `[` that breaks the token's character run. |
| 29 | +const CSI = /\x1b\[[0-9;?]*[ -/]*[@-~]/g; |
| 30 | +// Everything <= space (control bytes incl. any stray ESC, CR/LF, tabs, and the |
| 31 | +// wrap-padding spaces inserted mid-token) plus DEL. Tokens contain none of these. |
| 32 | +const CONTROL_AND_SPACE = /[\x00-\x20\x7f]/g; |
| 33 | +/* eslint-enable no-control-regex */ |
| 34 | + |
| 35 | +/** |
| 36 | + * Collapse PTY-capture artifacts so a whitespace-free secret printed across |
| 37 | + * wrapped lines becomes a single contiguous string. Drops ALL whitespace by |
| 38 | + * design — these captures exist only to recover a token, never prose. |
| 39 | + */ |
| 40 | +function normalizeCapturedTerminalOutput(raw: string): string { |
| 41 | + return raw.replace(CSI, '').replace(CONTROL_AND_SPACE, ''); |
| 42 | +} |
| 43 | + |
| 44 | +// Claude subscription OAuth tokens: sk-ant-oat<base64url>AA. Bounded length |
| 45 | +// keeps a greedy match from running off the end of the token. |
| 46 | +const CLAUDE_OAUTH_TOKEN = /sk-ant-oat[A-Za-z0-9_-]{80,500}AA/g; |
| 47 | + |
| 48 | +/** |
| 49 | + * Extract the Claude OAuth token from a PTY capture of `claude setup-token`, |
| 50 | + * or `null` if none is present. Returns the LAST match — setup-token can echo |
| 51 | + * partial/intermediate output before the final token. Placeholder strings like |
| 52 | + * `<token>` never match (they lack the `sk-ant-oat` prefix). |
| 53 | + */ |
| 54 | +export function extractClaudeOAuthToken(raw: string): string | null { |
| 55 | + const matches = normalizeCapturedTerminalOutput(raw).match(CLAUDE_OAUTH_TOKEN); |
| 56 | + return matches ? matches[matches.length - 1] : null; |
| 57 | +} |
| 58 | + |
| 59 | +function runCli(argv: string[]): number { |
| 60 | + const [provider, file] = argv; |
| 61 | + if (provider !== 'claude' || !file) { |
| 62 | + process.stderr.write('usage: captured-token.ts claude <capture-file>\n'); |
| 63 | + return 2; |
| 64 | + } |
| 65 | + const token = extractClaudeOAuthToken(fs.readFileSync(file, 'utf-8')); |
| 66 | + if (!token) return 1; |
| 67 | + process.stdout.write(token); |
| 68 | + return 0; |
| 69 | +} |
| 70 | + |
| 71 | +if (import.meta.url === pathToFileURL(process.argv[1] ?? '').href) { |
| 72 | + process.exit(runCli(process.argv.slice(2))); |
| 73 | +} |
0 commit comments