add a credential manager utility to manage keys/tokens

brijeshb42 · brijeshb42 · commit 41719f2641f3 · 2025-09-25T12:50:13.000+05:30
diff --git a/packages/code-infra/package.json b/packages/code-infra/package.json
@@ -21,6 +21,10 @@
       "types": "./build/utils/changelog.d.mts",
       "default": "./src/utils/changelog.mjs"
     },
+    "./credentials": {
+      "types": "./build/utils/credentials.d.mts",
+      "default": "./src/utils/credentials.mjs"
+    },
     "./eslint": {
       "types": "./build/eslint/index.d.mts",
       "default": "./src/eslint/index.mjs"
diff --git a/packages/code-infra/src/utils/credentials.mjs b/packages/code-infra/src/utils/credentials.mjs
@@ -0,0 +1,311 @@
+/**
+ * Secure credential storage for CLI tools
+ *
+ * This file was generated by Claude Code to provide encrypted credential storage
+ * for the MUI code infrastructure tools. It uses machine-specific encryption
+ * to balance security and usability for local development.
+ *
+ * @generated by Claude Code
+ */
+
+import crypto from 'node:crypto';
+import fs from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import { createInterface } from 'node:readline';
+
+const CONFIG_DIR = path.join(os.homedir(), '.config', 'mui-code-infra');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'credentials.enc');
+const MACHINE_KEY_FILE = path.join(CONFIG_DIR, '.machine');
+const ALGORITHM = 'aes-256-gcm';
+
+/**
+ * Gets or creates a machine-specific key for encryption. Not the most secure method,
+ * but balances security and usability for local development and stops malicious scripts
+ * from reading tokens from env variables or config files.
+ * A script will have to specifically target this machine or this package to get the keys.
+ *
+ * @returns {Promise<string>} The machine key
+ */
+async function getMachineKey() {
+  try {
+    // Try to read existing machine key
+    const existingKey = await fs.readFile(MACHINE_KEY_FILE, 'utf8');
+    return existingKey.trim();
+  } catch (error) {
+    // Generate new machine key from system info
+    const hostname = os.hostname();
+    const username = os.userInfo().username;
+    const platform = os.platform();
+    const arch = os.arch();
+
+    // Create a deterministic but unique key for this machine/user
+    const machineInfo = `${hostname}:${username}:${platform}:${arch}`;
+    const machineKey = crypto.createHash('sha256').update(machineInfo).digest('hex');
+
+    // Store it for consistency
+    await fs.writeFile(MACHINE_KEY_FILE, machineKey, { mode: 0o600 });
+
+    return machineKey;
+  }
+}
+
+/**
+ * Derives an encryption key from machine key using PBKDF2
+ * @param {string} machineKey - The machine key to derive from
+ * @param {Buffer} salt - The salt for key derivation
+ * @returns {Buffer} The derived key
+ */
+function deriveKey(machineKey, salt) {
+  return crypto.pbkdf2Sync(machineKey, salt, 100000, 32, 'sha256');
+}
+
+/**
+ * Encrypts data using AES-256-GCM
+ * @param {string} data - The data to encrypt
+ * @param {string} machineKey - The machine key to use for encryption
+ * @returns {Object} The encrypted data with metadata
+ */
+function encryptData(data, machineKey) {
+  const salt = crypto.randomBytes(32);
+  const iv = crypto.randomBytes(16);
+  const key = deriveKey(machineKey, salt);
+
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+  cipher.setAAD(Buffer.from('mui-code-infra'));
+
+  let encrypted = cipher.update(data, 'utf8', 'hex');
+  encrypted += cipher.final('hex');
+
+  const authTag = cipher.getAuthTag();
+
+  return {
+    encrypted,
+    salt: salt.toString('hex'),
+    iv: iv.toString('hex'),
+    authTag: authTag.toString('hex'),
+  };
+}
+
+/**
+ * Decrypts data using AES-256-GCM
+ * @param {{encrypted: string, salt: string, iv: string, authTag: string}} encryptedData - The encrypted data with metadata
+ * @param {string} machineKey - The machine key to use for decryption
+ * @returns {string} The decrypted data
+ */
+function decryptData(encryptedData, machineKey) {
+  const salt = Buffer.from(encryptedData.salt, 'hex');
+  const iv = Buffer.from(encryptedData.iv, 'hex');
+  const authTag = Buffer.from(encryptedData.authTag, 'hex');
+  const key = deriveKey(machineKey, salt);
+
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAAD(Buffer.from('mui-code-infra'));
+  decipher.setAuthTag(authTag);
+
+  let decrypted = decipher.update(encryptedData.encrypted, 'hex', 'utf8');
+  decrypted += decipher.final('utf8');
+
+  return decrypted;
+}
+
+/**
+ * Prompts user for input securely (hidden input for passwords)
+ * @param {string} question - The question to ask
+ * @param {boolean} hidden - Whether to hide the input
+ * @returns {Promise<string>} The user's input
+ */
+function promptUser(question, hidden = false) {
+  return new Promise((resolve) => {
+    if (hidden) {
+      // For hidden input, use a simpler approach that works better across terminals
+      process.stdout.write(question);
+
+      const stdin = process.stdin;
+      stdin.setRawMode(true);
+      stdin.resume();
+      stdin.setEncoding('utf8');
+
+      let password = '';
+
+      /**
+       * @param {string} char
+       */
+      const onData = (char) => {
+        switch (char) {
+          case '\n':
+          case '\r':
+          case '\u0004': // Ctrl+D
+            stdin.setRawMode(false);
+            stdin.removeListener('data', onData);
+            stdin.pause();
+            process.stdout.write('\n');
+            resolve(password);
+            break;
+          case '\u0003': // Ctrl+C
+            process.exit(1);
+            break;
+          case '\u007f': // Backspace
+            if (password.length > 0) {
+              password = password.slice(0, -1);
+              process.stdout.write('\b \b');
+            }
+            break;
+          default:
+            if (char >= ' ') {
+              // Printable characters
+              password += char;
+              process.stdout.write('*');
+            }
+            break;
+        }
+      };
+
+      stdin.on('data', onData);
+    } else {
+      // For visible input, use standard readline
+      const rl = createInterface({
+        input: process.stdin,
+        output: process.stdout,
+      });
+
+      rl.question(question, (answer) => {
+        rl.close();
+        resolve(answer.trim());
+      });
+    }
+  });
+}
+
+/**
+ * Gets a credential from encrypted storage, prompting user if not found
+ * @param {string} key - The credential key to retrieve
+ * @param {string} [promptMessage] - Custom prompt message for the credential
+ * @returns {Promise<string>} The credential value
+ */
+export async function getCredential(key, promptMessage) {
+  try {
+    await fs.mkdir(CONFIG_DIR, { recursive: true, mode: 0o700 });
+
+    // Get machine-specific encryption key
+    const machineKey = await getMachineKey();
+
+    /** @type {Record<string, string>} */
+    let credentials = {};
+
+    try {
+      const encryptedContent = await fs.readFile(CONFIG_FILE, 'utf8');
+      const encryptedData = JSON.parse(encryptedContent);
+
+      const decryptedContent = decryptData(encryptedData, machineKey);
+      credentials = JSON.parse(decryptedContent);
+    } catch (/** @type {any} */ error) {
+      if (error.code !== 'ENOENT') {
+        throw new Error('Failed to decrypt credentials. The credentials file may be corrupted.');
+      }
+      // File doesn't exist, will create it
+    }
+
+    if (credentials[key]) {
+      return credentials[key];
+    }
+
+    // Credential doesn't exist, prompt user for it
+    const defaultPrompt = `Enter ${key}: `;
+    const userPrompt = promptMessage || defaultPrompt;
+    const credentialValue = await promptUser(
+      userPrompt,
+      key.toLowerCase().includes('token') || key.toLowerCase().includes('password'),
+    );
+
+    // Store the new credential
+    credentials[key] = credentialValue;
+
+    const encryptedData = encryptData(JSON.stringify(credentials), machineKey);
+    await fs.writeFile(CONFIG_FILE, JSON.stringify(encryptedData), { mode: 0o600 });
+
+    return credentialValue;
+  } catch (/** @type {any} */ error) {
+    throw new Error(`Failed to get credential '${key}': ${error.message}`);
+  }
+}
+
+/**
+ * Clears all stored credentials and removes the credential storage directory
+ * @returns {Promise<void>}
+ */
+export async function clearCredentials() {
+  try {
+    await fs.rm(CONFIG_DIR, { recursive: true, force: true });
+  } catch (/** @type {any} */ error) {
+    throw new Error(`Failed to clear credentials: ${error.message}`);
+  }
+}
+
+/**
+ * Lists all stored credential keys (without showing the values)
+ * @returns {Promise<string[]>} Array of credential keys
+ */
+export async function listCredentials() {
+  try {
+    // Get machine-specific encryption key
+    const machineKey = await getMachineKey();
+
+    const encryptedContent = await fs.readFile(CONFIG_FILE, 'utf8');
+    const encryptedData = JSON.parse(encryptedContent);
+
+    const decryptedContent = decryptData(encryptedData, machineKey);
+    const credentials = JSON.parse(decryptedContent);
+
+    return Object.keys(credentials);
+  } catch (/** @type {any} */ error) {
+    if (error.code === 'ENOENT') {
+      return []; // No credentials stored yet
+    }
+    throw new Error(`Failed to list credentials: ${error.message}`);
+  }
+}
+
+/**
+ * Removes a specific credential by key
+ * @param {string} key - The credential key to remove
+ * @returns {Promise<boolean>} True if credential was found and removed, false if not found
+ */
+export async function removeCredential(key) {
+  try {
+    await fs.mkdir(CONFIG_DIR, { recursive: true, mode: 0o700 });
+
+    // Get machine-specific encryption key
+    const machineKey = await getMachineKey();
+
+    /** @type {Record<string, string>} */
+    let credentials = {};
+
+    try {
+      const encryptedContent = await fs.readFile(CONFIG_FILE, 'utf8');
+      const encryptedData = JSON.parse(encryptedContent);
+
+      const decryptedContent = decryptData(encryptedData, machineKey);
+      credentials = JSON.parse(decryptedContent);
+    } catch (/** @type {any} */ error) {
+      if (error.code === 'ENOENT') {
+        return false; // No credentials file exists
+      }
+      throw error;
+    }
+
+    if (!credentials[key]) {
+      return false; // Credential doesn't exist
+    }
+
+    delete credentials[key];
+
+    // Save updated credentials
+    const encryptedData = encryptData(JSON.stringify(credentials), machineKey);
+    await fs.writeFile(CONFIG_FILE, JSON.stringify(encryptedData), { mode: 0o600 });
+
+    return true;
+  } catch (/** @type {any} */ error) {
+    throw new Error(`Failed to remove credential '${key}': ${error.message}`);
+  }
+}
