cairn_cli/cli/

auth.rs

use clap::{Args, Subcommand};
use serde_json::json;

use crate::client::BackpacClient;
use crate::config::Credentials;
use crate::crypto;
use crate::errors::CairnError;

use super::{output_json, Cli};

#[derive(Args, Debug)]
pub struct AuthArgs {
    #[command(subcommand)]
    pub command: AuthCommands,
}

#[derive(Subcommand, Debug)]
pub enum AuthCommands {
    /// Request a cryptographic challenge for wallet signing.
    Challenge {
        /// Wallet address to authenticate
        #[arg(long)]
        wallet: String,

        /// Chain family (e.g., eip155:1, solana:mainnet)
        #[arg(long)]
        chain: String,

        /// DID identifier for the agent
        #[arg(long)]
        did: String,
    },

    /// Submit signed challenge to receive a JWT.
    Connect {
        /// Wallet address
        #[arg(long)]
        wallet: String,

        /// Chain family
        #[arg(long)]
        chain: String,

        /// DID identifier
        #[arg(long)]
        did: String,

        /// Nonce from the challenge response
        #[arg(long)]
        nonce: String,

        /// Signature (hex or base58) of the challenge message
        #[arg(long)]
        signature: String,

        /// Path to private key file for auto-signing (optional)
        #[arg(long)]
        key_file: Option<String>,
    },

    /// Refresh the current JWT token.
    Refresh,

    /// Check the status of the current authentication session.
    Status,
}

impl AuthArgs {
    pub async fn execute(&self, cli: &Cli) -> Result<(), CairnError> {
        match &self.command {
            AuthCommands::Challenge {
                wallet,
                chain,
                did,
            } => {
                let client = BackpacClient::new(cli.jwt.as_deref(), cli.api_url.as_deref());
                let body = json!({
                    "walletAddress": wallet,
                    "chain": chain,
                    "did": did
                });
                let result = client.post("/v1/agents/challenge", &body).await?;
                output_json(&result, &cli.output);
                Ok(())
            }

            AuthCommands::Connect {
                wallet,
                chain,
                did,
                nonce,
                signature,
                key_file,
            } => {
                let client = BackpacClient::new(cli.jwt.as_deref(), cli.api_url.as_deref());

                // If key_file is provided, auto-sign the challenge
                let sig = if let Some(kf) = key_file {
                    let key_bytes = crypto::read_key_file(kf)?;
                    let challenge_msg = format!(
                        "Welcome to Backpac Agent Access.\n\n\
                         Please sign this message to verify ownership of this wallet and establish a session.\n\n\
                         Wallet: {}\nDID: {}\nChain: {}\nNonce: {}",
                        wallet.to_lowercase(),
                        did,
                        chain,
                        nonce
                    );
                    if chain.starts_with("eip155:") {
                        crypto::sign_eip4361_message(&challenge_msg, &hex::encode(&key_bytes))?
                    } else {
                        // Ed25519: extract secret key (first 32 bytes for Solana 64-byte keypairs)
                        let secret = if key_bytes.len() == 64 {
                            &key_bytes[..32]
                        } else {
                            &key_bytes
                        };
                        let sig_bytes = crypto::ed25519_sign(challenge_msg.as_bytes(), secret)?;
                        bs58::encode(sig_bytes).into_string()
                    }
                } else {
                    signature.clone()
                };

                let body = json!({
                    "walletAddress": wallet,
                    "chain": chain,
                    "did": did,
                    "nonce": nonce,
                    "signature": sig
                });
                let result = client.post("/v1/agents/connect", &body).await?;

                // Persist credentials
                if let Some(jwt) = result.get("token").and_then(|v| v.as_str()) {
                    let creds = Credentials {
                        jwt: jwt.to_string(),
                        agent_id: result
                            .get("agentId")
                            .and_then(|v| v.as_str())
                            .map(String::from),
                        wallet: Some(wallet.clone()),
                        expires_at: result
                            .get("expires_at")
                            .and_then(|v| v.as_str())
                            .map(String::from),
                    };
                    creds.save()?;
                }

                output_json(&result, &cli.output);
                Ok(())
            }

            AuthCommands::Refresh => {
                let client = BackpacClient::new(cli.jwt.as_deref(), cli.api_url.as_deref());
                let result = client.post("/v1/agents/refresh", &json!({})).await?;

                // Update saved credentials with new JWT
                if let Some(jwt) = result.get("jwt").and_then(|v| v.as_str()) {
                    if let Some(mut creds) = Credentials::load() {
                        creds.jwt = jwt.to_string();
                        creds.expires_at = result
                            .get("expires_at")
                            .and_then(|v| v.as_str())
                            .map(String::from);
                        creds.save()?;
                    }
                }

                output_json(&result, &cli.output);
                Ok(())
            }

            AuthCommands::Status => {
                let client = BackpacClient::new(cli.jwt.as_deref(), cli.api_url.as_deref());
                let result = client.get("/v1/agents/status").await?;
                output_json(&result, &cli.output);
                Ok(())
            }
        }
    }
}