CodeForge/.devcontainer/scripts/setup-auth.sh at 7956444b58978d8962323532e3066eecaea998ec · AnExiledDev/CodeForge · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
#!/bin/bash
# SPDX-License-Identifier: GPL-3.0-only
# Copyright (c) 2026 Marcus Krueger
# Configure Git (GitHub CLI) and NPM authentication from .secrets file or environment variables.
# Environment variables override .secrets values, supporting Codespaces secrets and localEnv.
# Auth failure should not block other setup steps, so set -e is intentionally omitted.

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
DEVCONTAINER_DIR="$(dirname "$SCRIPT_DIR")"
SECRETS_FILE="$DEVCONTAINER_DIR/.secrets"

# Source .secrets file if it exists (env vars take precedence via :- defaults below)
if [ -f "$SECRETS_FILE" ]; then
    echo "[setup-auth] Loading tokens from .secrets file"
    set -a
    source "$SECRETS_FILE"
    set +a
else
    echo "[setup-auth] No .secrets file found, using environment variables only"
fi

AUTH_CONFIGURED=false

# --- GitHub CLI auth ---
if [ -n "$GH_TOKEN" ]; then
    echo "[setup-auth] Authenticating GitHub CLI..."
    # Capture token value then unset env var — gh refuses --with-token when
    # GH_TOKEN is already exported (it says "use the env var instead").
    _gh_token="$GH_TOKEN"
    unset GH_TOKEN
    if gh auth login --with-token <<< "$_gh_token" 2>/dev/null; then
        echo "[setup-auth] GitHub CLI authenticated"
        gh auth setup-git 2>/dev/null && echo "[setup-auth] Git credential helper configured"
        AUTH_CONFIGURED=true
    else
        echo "[setup-auth] WARNING: GitHub CLI authentication failed"
    fi
    unset _gh_token
else
    echo "[setup-auth] GH_TOKEN not set, skipping GitHub CLI auth"
fi

# --- Git user config ---
if [ -n "$GH_USERNAME" ]; then
    git config --global user.name "$GH_USERNAME"
    echo "[setup-auth] Git user.name set to $GH_USERNAME"
    unset GH_USERNAME
fi

if [ -n "$GH_EMAIL" ]; then
    git config --global user.email "$GH_EMAIL"
    echo "[setup-auth] Git user.email set to $GH_EMAIL"
    unset GH_EMAIL
fi

# --- NPM auth ---
if [ -n "$NPM_TOKEN" ]; then
    echo "[setup-auth] Configuring NPM registry auth..."
    if npm config set "//registry.npmjs.org/:_authToken=$NPM_TOKEN" 2>/dev/null; then
        echo "[setup-auth] NPM auth token configured"
        AUTH_CONFIGURED=true
    else
        echo "[setup-auth] WARNING: NPM auth configuration failed"
    fi
    unset NPM_TOKEN
else
    echo "[setup-auth] NPM_TOKEN not set, skipping NPM auth"
fi

# --- Claude auth token (from 'claude setup-token') ---
# Long-lived tokens only — generated via: claude setup-token
# Note: After unset, the token remains visible in /proc/<pid>/environ for the
# lifetime of this process. This is a platform limitation of environment variables.
_USERNAME="${SUDO_USER:-${USER:-vscode}}"
_USER_HOME=$(getent passwd "$_USERNAME" 2>/dev/null | cut -d: -f6)
_USER_HOME="${_USER_HOME:-/home/$_USERNAME}"
CLAUDE_CRED_DIR="${CLAUDE_CONFIG_DIR:-${_USER_HOME}/.claude}"
CLAUDE_CRED_FILE="$CLAUDE_CRED_DIR/.credentials.json"
if [ -n "$CLAUDE_AUTH_TOKEN" ]; then
    # Validate token format (claude setup-token produces sk-ant-* tokens)
    if [[ ! "$CLAUDE_AUTH_TOKEN" =~ ^sk-ant- ]]; then
        echo "[setup-auth] WARNING: CLAUDE_AUTH_TOKEN doesn't match expected format (sk-ant-*), skipping"
    elif [ -f "$CLAUDE_CRED_FILE" ]; then
        echo "[setup-auth] .credentials.json already exists, skipping token injection"
        # Verify permissions haven't been tampered with
        perms=$(stat -c %a "$CLAUDE_CRED_FILE" 2>/dev/null)
        if [ -n "$perms" ] && [ "$perms" != "600" ]; then
            echo "[setup-auth] WARNING: .credentials.json has permissions $perms (expected 600), fixing"
            chmod 600 "$CLAUDE_CRED_FILE"
        fi
        AUTH_CONFIGURED=true
    else
        echo "[setup-auth] Creating .credentials.json from CLAUDE_AUTH_TOKEN..."
        # Create directory with restrictive permissions (matches credential file at 600)
        ( umask 077; mkdir -p "$CLAUDE_CRED_DIR" )
        # Escape JSON-special characters in token value (defense against malformed JSON
        # if a token ever contains " or \ — unlikely with sk-ant-* but closes the gap)
        ESCAPED_TOKEN=$(printf '%s' "$CLAUDE_AUTH_TOKEN" | sed 's/\\/\\\\/g; s/"/\\"/g')
        # Write credentials with restrictive permissions from the start (no race window).
        # Uses printf '%s' to avoid shell expansion of token value (defense against
        # metacharacters in the token string — backticks, $(), quotes).
        if ( umask 077; printf '{\n  "claudeAiOauth": {\n    "accessToken": "%s",\n    "refreshToken": "%s",\n    "expiresAt": 9999999999999,\n    "scopes": ["user:inference", "user:profile"]\n  }\n}\n' "$ESCAPED_TOKEN" "$ESCAPED_TOKEN" > "$CLAUDE_CRED_FILE" ); then
            echo "[setup-auth] Claude auth token configured"
            AUTH_CONFIGURED=true
        else
            echo "[setup-auth] WARNING: Failed to write .credentials.json — check permissions on $CLAUDE_CRED_DIR"
        fi
    fi
    unset CLAUDE_AUTH_TOKEN
else
    echo "[setup-auth] CLAUDE_AUTH_TOKEN not set, skipping Claude auth"
fi

# --- Summary ---
if [ "$AUTH_CONFIGURED" = true ]; then
    echo "[setup-auth] Auth configuration complete"
else
    echo "[setup-auth] No tokens provided — auth configuration skipped"
    echo "[setup-auth] To configure, copy .secrets.example to .secrets and fill in your tokens"
fi