Files
2026-07-13 12:58:18 +08:00

212 lines
7.4 KiB
TypeScript

import fs from "node:fs";
import path from "node:path";
/**
* railway-token.ts — Shared resolver for the Railway GraphQL bearer.
*
* The Railway CLI stores the public-GraphQL bearer in `user.accessToken`.
* The shorter `user.token` is a legacy CLI session token that does NOT
* authenticate to the public GraphQL API. Older configs still on disk
* have `user.token` set and `user.accessToken` empty; those callers get
* a one-cycle deprecation warning and still work.
*
* Resolution order matches the first four candidates of
* `showcase/bin/railway` `Auth.token`; the per-project
* `projects.<id>.token` fallback is intentionally not honored (no
* project-scoped tokens here):
* 1. user.accessToken
* 2. accessToken (top-level)
* 3. user.token (legacy → warn)
* 4. token (top-level) (legacy → warn)
*
* Returns undefined when no usable token is present; callers print the
* "set RAILWAY_TOKEN or run `railway login`" error.
*
* This resolver reads ONLY the parsed config object passed in and does
* NOT consult `process.env.RAILWAY_TOKEN` — the caller is responsible
* for the environment-variable lane. Any returned value is trimmed so
* stray whitespace/newlines from `~/.railway/config.json` never reach
* an `Authorization: Bearer <token>` header.
*/
export interface RailwayConfigShape {
user?: {
accessToken?: string;
token?: string;
};
accessToken?: string;
token?: string;
}
export interface ResolverDeps {
warn?: (message: string) => void;
}
const DEPRECATION_MESSAGE =
"[railway-token] WARNING: legacy Railway config field is deprecated: " +
"`user.token` / top-level `token` no longer authenticates the public " +
"GraphQL API. The Railway CLI now writes `user.accessToken`; re-run " +
"`railway login` to refresh ~/.railway/config.json. Support for the " +
"legacy field will be removed in a future release.";
function nonEmpty(v: unknown): v is string {
return typeof v === "string" && v.trim().length > 0;
}
export function resolveRailwayTokenFromConfig(
config: RailwayConfigShape | null | undefined,
deps: ResolverDeps = {},
): string | undefined {
// Defensive guard: config originates from JSON.parse of
// ~/.railway/config.json (untrusted). Reject anything that isn't a
// plain object before property access.
if (config === null || config === undefined) return undefined;
if (typeof config !== "object") return undefined;
if (Array.isArray(config)) return undefined;
const warn = deps.warn ?? ((m: string) => console.warn(m));
const userAccess = config.user?.accessToken;
if (nonEmpty(userAccess)) return userAccess.trim();
const topAccess = config.accessToken;
if (nonEmpty(topAccess)) return topAccess.trim();
const userLegacy = config.user?.token;
if (nonEmpty(userLegacy)) {
warn(DEPRECATION_MESSAGE);
return userLegacy.trim();
}
const topLegacy = config.token;
if (nonEmpty(topLegacy)) {
warn(DEPRECATION_MESSAGE);
return topLegacy.trim();
}
return undefined;
}
/**
* Failure-mode codes for resolveRailwayToken. Each is a distinct,
* actionable diagnostic so callers (and operators reading CI logs) can
* tell exactly WHY token resolution failed:
*
* NO_HOME : $HOME is unset (so ~/.railway/config.json can't
* be located) AND RAILWAY_TOKEN is also unset.
* NO_FILE : $HOME is set but ~/.railway/config.json does
* not exist (and env-var is unset).
* MALFORMED : ~/.railway/config.json exists but JSON.parse
* threw.
* NO_TOKEN_IN_CONFIG : ~/.railway/config.json exists and parses OK
* but contains no usable token at any of the
* four known layers. (Closes the silent-token-
* fallthrough diagnostic gap where the operator
* previously saw the generic "No Railway token
* found" with no hint the file was inspected.)
*/
export type RailwayTokenErrorCode =
| "NO_HOME"
| "NO_FILE"
| "MALFORMED"
| "NO_TOKEN_IN_CONFIG";
export class RailwayTokenError extends Error {
readonly code: RailwayTokenErrorCode;
constructor(code: RailwayTokenErrorCode, message: string) {
super(message);
this.name = "RailwayTokenError";
this.code = code;
}
}
export interface ResolveRailwayTokenOptions extends ResolverDeps {
/** Override $HOME lookup (testing only). */
home?: string;
/** Override env-var lookup (testing only). */
env?: NodeJS.ProcessEnv;
/** Filesystem injection (testing only). */
fs?: Pick<typeof fs, "existsSync" | "readFileSync">;
}
export interface RailwayTokenResolution {
token: string;
source: "env" | "config";
}
/**
* Unified entrypoint shared by redeploy-env.ts and
* verify-railway-image-refs.ts. Encapsulates the previously-duplicated
* getToken() envelope so the four failure modes can have distinct,
* actionable diagnostics in one place.
*
* Resolution order:
* 1. process.env.RAILWAY_TOKEN (returned with source="env")
* 2. ~/.railway/config.json via resolveRailwayTokenFromConfig
* (returned with source="config")
*
* Throws RailwayTokenError with a discriminator `.code` for each failure
* mode (NO_HOME / NO_FILE / MALFORMED / NO_TOKEN_IN_CONFIG). NEVER calls
* process.exit — the script entrypoint is responsible for mapping the
* error to a non-zero exit code so this function stays unit-testable.
*/
export function resolveRailwayToken(
opts: ResolveRailwayTokenOptions = {},
): RailwayTokenResolution {
const env = opts.env ?? process.env;
const fsImpl = opts.fs ?? fs;
// Trim the env-var lane to honor the module's no-whitespace-in-header
// invariant. A `RAILWAY_TOKEN` secret with a trailing newline (common
// from `op read`/heredoc/shell export) would otherwise be returned
// verbatim and produce an invalid `Authorization: Bearer <token>\n`
// header → silent Railway 401. A whitespace-only value is treated as
// UNSET (falls through to the config-file lane).
const envToken = env.RAILWAY_TOKEN;
if (typeof envToken === "string") {
const trimmed = envToken.trim();
if (trimmed.length > 0) {
return { token: trimmed, source: "env" };
}
}
const home = opts.home ?? env.HOME;
if (!home) {
throw new RailwayTokenError(
"NO_HOME",
"No Railway token found. RAILWAY_TOKEN is unset (or whitespace-only) and $HOME is unset so ~/.railway/config.json cannot be located.",
);
}
const configPath = path.join(home, ".railway", "config.json");
if (!fsImpl.existsSync(configPath)) {
throw new RailwayTokenError(
"NO_FILE",
"No Railway token found. Set RAILWAY_TOKEN or run `railway login`.",
);
}
let parsed: unknown;
try {
parsed = JSON.parse(fsImpl.readFileSync(configPath, "utf-8"));
} catch (e) {
const msg = e instanceof Error ? e.message : String(e);
throw new RailwayTokenError(
"MALFORMED",
`Malformed ~/.railway/config.json: ${msg}`,
);
}
const token = resolveRailwayTokenFromConfig(
parsed as RailwayConfigShape | null | undefined,
opts,
);
if (typeof token === "string" && token.length > 0) {
return { token, source: "config" };
}
throw new RailwayTokenError(
"NO_TOKEN_IN_CONFIG",
"No Railway token found: ~/.railway/config.json was found and parsed but contains no usable token (user.accessToken / accessToken / user.token / token). Set RAILWAY_TOKEN or re-run `railway login`.",
);
}