Added support for OAuth2 and improved error handling

[stevenbarash]

Added

• OAuth2 (PKCE) login via browser with local HTTP callback.
  • New command: login-oauth (opens browser, handles local callback, exchanges code → tokens).
  • Options:
    • -p, --projectId <projectId> (required)
    • -b, --baseUrl <url> (default https://api.descope.com)
    • -c, --callbackPort <port> (default 8088)
    • -o, --output <session|refresh|json> (default session)
• New CLI commands (not present on upstream main):
  • validate — validate session token; prints { ok, sub, exp }.
  • validate-and-refresh — validate session; if invalid, refresh with provided refresh token.
• Test suite (Vitest) covering OAuth flow and CLI commands.
• Linting and formatting stack (ESLint + @typescript-eslint + Prettier) with scripts to run them.

Changed

• Existing commands retained and enhanced:
  • login (existed): streamlined to signUpOrIn.email then verify.email; clearer prompts and errors.
  • me (existed upstream or feature-equivalent): standardized to print JSON to stdout and exit with non‑zero on failure.
  • refresh (existed upstream or feature-equivalent): standardized to print the new session JWT to stdout and exit with non‑zero on failure.
• CLI program refactored for modularity (buildProgram, run) and clearer stdout-focused outputs.
• README expanded with full command docs (OTP and OAuth), token handling, and examples.
• Scripts/tooling modernized:
  • test: build then run tests; test:watch.
  • lint: run ESLint (with Prettier integration).
  • start.sh: builds before running the CLI.
• TypeScript config updated to explicitly include src/**/*.

Removed

• Legacy helper module replaced by the new modular CLI structure (unifying OTP and OAuth flows).

Security and hardening

• OAuth flow uses PKCE S256 and state validation to mitigate CSRF/code interception.
• Scopes limited to openid profile email.
• Local callback server ensures best-effort cleanup of connections.
• No token cache on disk; tokens are emitted to stdout only when a command requests them.

Dependency updates

• Runtime:
  • @descope/node-sdk → 1.7.15
  • commander → 14.0.1
  • node-fetch → 3.3.2
  • rimraf → 6.0.1
  • @types/node → 24.5.1
• Tooling:
  • typescript → 5.9.2
  • eslint → 9.35.0, @typescript-eslint/* → 8.44.0
  • prettier → 3.6.2, eslint-plugin-prettier → 5.5.4
  • vitest → 1.6.0

Usage (npm)

• Install: npm install
• Build: npm run build
• OTP login: node build/index.js login -p <PROJECT_ID> -e <EMAIL>
• OAuth login (session): node build/index.js login-oauth -p <PROJECT_ID> -o session
• OAuth login (refresh): node build/index.js login-oauth -p <PROJECT_ID> -o refresh
• OAuth login (json): node build/index.js login-oauth -p <PROJECT_ID> -o json
• Me: node build/index.js me -p <PROJECT_ID> -r <REFRESH_TOKEN>
• Validate: node build/index.js validate -p <PROJECT_ID> -s <SESSION_JWT>
• Refresh: node build/index.js refresh -p <PROJECT_ID> -r <REFRESH_TOKEN>
• Validate and refresh: node build/index.js validate-and-refresh -p <PROJECT_ID> -s <SESSION_JWT> -r <REFRESH_TOKEN>

Notes

• Upstream main focused on OTP-based CLI and included refresh/me functionality conceptually; this branch adds OAuth PKCE and introduces validate/validate-and-refresh, while standardizing outputs and error handling for existing commands.

[Copilot]

Pull Request Overview

This PR adds OAuth2 authentication with PKCE support and improves error handling for a CLI authentication tool. The changes modernize the codebase with TypeScript, testing infrastructure, and standardized command outputs.

• OAuth2 PKCE login via browser with local HTTP callback server
• New CLI commands for token validation, refresh, and user info retrieval
• Comprehensive test suite and linting/formatting stack

Reviewed Changes

Copilot reviewed 10 out of 13 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/index.ts	Complete rewrite of CLI program with modular structure and new OAuth2/validation commands
src/auth.ts	New OAuth2 PKCE implementation with browser integration and local callback server
src/descopeCli.ts	Legacy helper module removed
test/cli.test.ts	New test suite covering CLI commands with mocked dependencies
test/auth.test.ts	New test suite for OAuth2 flow with HTTP server mocking
package.json	Updated dependencies and added test/lint scripts
README.md	Comprehensive documentation with command examples and usage instructions
.eslintrc.json	ESLint configuration for TypeScript
renovate.json	Renovate configuration for dependency updates
start.sh	Build step added before running CLI

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

This error check uses the wrong response object. It should check jwt instead of res since jwt is the response from the verify operation, not res which is from the signUpOrIn operation.

Suggested change

	if (!res.ok) {
	console.log(`Error ${res.error?.errorCode}: ${res.error?.errorDescription}`);
	if (!jwt.ok) {
	console.log(`Error ${jwt.error?.errorCode}: ${jwt.error?.errorDescription}`);

[Copilot]

This unused constant should be removed since it's not referenced anywhere in the code and the comment suggests it's meant to be removed.

Suggested change

const LIVE = false; // remove live-mode test functionality

[gaokevin1]

Overall looks good, just a few minor comments.

[gaokevin1]

Wondering why we don't use a library here, instead of doing all of this manually?

Is there a particular reason we wouldn't use a common OIDC client (based on Node), other than that we should have one ourselves so it's better to show it this way?

[stevenbarash]

Good idea - agreed that a standard library would be better