#!/usr/bin/env bash
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p bash curl jq libsecret
# Dependency check: `type` looks up every external tool the script relies on.
# Its stdout is discarded, and the script exits 1 if any tool cannot be found.
# The layout (one name per line) is maintained by keep-sorted; do not reflow it.
# keep-sorted start skip_lines=1 prefix_order=type,,>,||
type \
curl \
jq \
secret-tool \
>/dev/null \
|| exit 1
# keep-sorted end
# shellcheck disable=SC2120
#######################################
# Print an optional error message followed by the help text, then exit.
# Everything is written to stderr, so stdout stays reserved for the token.
# The help text echoes the current values of $PHISHIN_USER_EMAIL and of the
# two *_COMMAND variables; the value of $PHISHIN_USER_PASSWORD is never
# printed.
# Arguments: optional printf format string plus its arguments. The format is
#            used as-is, so callers must pass only fixed, trusted formats.
# Exits:     1 when a message was given, 64 (EX_USAGE) otherwise.
#######################################
usage() {
  if (( $# > 0 )); then
    # shellcheck disable=SC2059
    printf "$@" >&2
  fi

  cat >&2 <<EOF
usage: ${0##*/} [-f]
Authenticate to Phish.in using environment variables, printing a token
on successful authentication, or a previous successful token from the
system's secret store.
options:
-f Force authenticating and getting a new token, even if there
is already a token in the secret store.
environment variables:
\$PHISHIN_USER_EMAIL_COMMAND${PHISHIN_USER_EMAIL_COMMAND:+ (current: $PHISHIN_USER_EMAIL_COMMAND)}
\$PHISHIN_USER_EMAIL${PHISHIN_USER_EMAIL:+ (current: $PHISHIN_USER_EMAIL)}
The email which will be used to authenticate to Phish.in.
\$PHISHIN_USER_PASSWORD_COMMAND${PHISHIN_USER_PASSWORD_COMMAND:+ (current: $PHISHIN_USER_PASSWORD_COMMAND)}
\$PHISHIN_USER_PASSWORD
The password which will be used to authenticate to Phish.in.
see also: the Phish.in project <https://phish.in>.
Kylie McClain <kylie@somas.is>
EOF

  if (( $# > 0 )); then
    exit 1
  fi
  exit 64 # EX_USAGE
}
#######################################
# Run curl with the Phish.in auth header attached.
# The token is not placed on curl's command line: `--variable %NAME` makes
# curl import it from the environment and `--expand-header` substitutes it
# into the header, so it does not show up in process listings. This needs a
# curl new enough to support --variable, and PHISHIN_USER_TOKEN must be
# exported by the caller for curl to see it.
# Globals:   PHISHIN_USER_TOKEN (read)
# Arguments: any further curl arguments (URL, options)
# Returns:   curl's exit status; calls usage (which exits) when the token
#            variable is not set at all.
#######################################
curl_authed() {
  if ! [[ -v PHISHIN_USER_TOKEN ]]; then
    # shellcheck disable=SC2016
    usage 'error: no $PHISHIN_USER_TOKEN set\n'
  fi

  local -a token_header=(
    --variable %PHISHIN_USER_TOKEN
    --expand-header 'X-Auth-Token: {{PHISHIN_USER_TOKEN}}'
  )
  curl "${token_header[@]}" "$@"
}
#######################################
# Log in to Phish.in with email and password and print the raw login
# response on stdout.
# Credentials come from $PHISHIN_USER_EMAIL / $PHISHIN_USER_PASSWORD; when one
# of them is empty and the matching *_COMMAND variable is set, that command's
# output is used instead.
# Globals:   PHISHIN_USER_EMAIL, PHISHIN_USER_PASSWORD (read, set, exported)
#            PHISHIN_USER_EMAIL_COMMAND, PHISHIN_USER_PASSWORD_COMMAND (read)
# Outputs:   the response body from the login endpoint
# Exits:     non-zero when a credential is missing or the request fails
#######################################
phishin_refresh_token() {
  # `local -` restores the shell options on return; tracing is switched off so
  # that an enclosing `set -x` cannot write the password to the trace output.
  local -
  set +x

  # NOTE(review): eval executes the *_COMMAND value as shell code. These
  # variables must only ever come from the user's own trusted configuration.
  if [[ -z "${PHISHIN_USER_EMAIL:-}" && -n "${PHISHIN_USER_EMAIL_COMMAND:-}" ]]; then
    PHISHIN_USER_EMAIL=$(eval "$PHISHIN_USER_EMAIL_COMMAND")
  fi
  : "${PHISHIN_USER_EMAIL:?error: no Phish.in user email provided in \$PHISHIN_USER_EMAIL or by \$PHISHIN_USER_EMAIL_COMMAND}"

  if [[ -z "${PHISHIN_USER_PASSWORD:-}" && -n "${PHISHIN_USER_PASSWORD_COMMAND:-}" ]]; then
    PHISHIN_USER_PASSWORD=$(eval "$PHISHIN_USER_PASSWORD_COMMAND")
  fi
  : "${PHISHIN_USER_PASSWORD:?error: no Phish.in user password provided in \$PHISHIN_USER_PASSWORD or by \$PHISHIN_USER_PASSWORD_COMMAND}"

  # jq reads the credentials through `env`, so they have to be exported. Note
  # that every other child process started after this point inherits them too.
  export PHISHIN_USER_EMAIL PHISHIN_USER_PASSWORD

  # Building the body with jq gives correct JSON escaping, and sending it on
  # stdin (--json @-) keeps the password out of curl's argument list.
  local login_body
  login_body=$(jq -nc '
{
"email": env.PHISHIN_USER_EMAIL,
"password": env.PHISHIN_USER_PASSWORD
}
')

  if curl --no-progress-meter --fail-with-body -X POST --json @- \
    'https://phish.in/api/v2/auth/login' <<<"$login_body"; then
    return 0
  fi

  printf 'error: failed while fetching token\n' >&2
  exit 1
}
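#######################################
# Print a usable Phish.in token on stdout.
# A token from $PHISHIN_USER_TOKEN or from the secret store is reused when it
# still validates against the API; otherwise (or when $force is true) a new
# login is performed and the fresh token is written to the secret store.
# Globals:   force, PHISHIN_USER_EMAIL (read)
#            PHISHIN_USER_TOKEN (read, set, exported)
# Outputs:   the token on stdout, without a trailing newline; progress and
#            errors on stderr
# Returns:   0 on success, 1 when no token could be obtained
#######################################
phishin_auth() {
  local response token

  # NOTE(review): PHISHIN_USER_EMAIL can be empty here when only
  # $PHISHIN_USER_EMAIL_COMMAND is set: phishin_refresh_token resolves the
  # command inside a command substitution, so its assignment never reaches
  # this shell, and the token is then stored under an empty account name.
  : "${PHISHIN_USER_TOKEN:=$(
    secret-tool lookup 'phishin-auth-token' "${PHISHIN_USER_EMAIL:-}"
  )}"
  export PHISHIN_USER_TOKEN

  if [[ "$force" == true ]] || [[ -z "${PHISHIN_USER_TOKEN:-}" ]] \
    || ! curl_authed --no-progress-meter --fail-with-body \
      'https://phish.in/api/v2/auth/user' >/dev/null; then
    # need to reauthenticate, because either there's no token, or the token
    # is invalid, or the password has changed, or whatever...
    printf 'refreshing Phish.in token...\n' >&2

    # A failed login must stop here; carrying on would put an empty value
    # into the secret store in place of the previous token.
    if ! response=$(phishin_refresh_token); then
      return 1
    fi

    # -e makes jq fail when .jwt is missing or null. The command substitution
    # strips the trailing newline from jq's output.
    if ! token=$(jq -cre '.jwt' <<<"${response}") || [[ -z "$token" ]]; then
      printf 'error: login response did not contain a token\n' >&2
      return 1
    fi

    # `secret-tool store` reads the secret from stdin and prints nothing, so
    # the token has to be kept in a variable rather than captured from its
    # output. printf is a shell builtin, so the token is never passed as an
    # argument to an external process.
    if ! printf '%s' "$token" \
      | secret-tool store \
        --label "Phish.in user token (managed by phishin-auth-token)" \
        "phishin-auth-token" "${PHISHIN_USER_EMAIL:-}"; then
      printf 'warning: could not save the token to the secret store\n' >&2
    fi

    PHISHIN_USER_TOKEN=$token
    export PHISHIN_USER_TOKEN
  fi

  printf '%s' "${PHISHIN_USER_TOKEN}"
}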
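# Option parsing: -f forces a fresh login even if a stored token exists.
force=false
while getopts :f opt; do
  case "$opt" in
    f) force=true ;;
    # With a leading ':' in the optstring getopts runs in silent mode: for an
    # unknown option it sets opt to '?' and puts the offending character in
    # OPTARG, so OPTARG is what the error message has to show.
    *) usage 'error: invalid argument -- %s\n' "${OPTARG:-$opt}" ;;
  esac
done
shift $((OPTIND - 1))

# Without a token supplied through the environment, both an email and a
# password source are required up front, because a login may be needed.
if ! [[ -v PHISHIN_USER_TOKEN ]]; then
  if ! [[ -v PHISHIN_USER_EMAIL ]] && ! [[ -v PHISHIN_USER_EMAIL_COMMAND ]]; then
    # shellcheck disable=SC2016
    printf 'error: one of $PHISHIN_USER_EMAIL or $PHISHIN_USER_EMAIL_COMMAND should be set\n' >&2
    exit 1
  fi
  if ! [[ -v PHISHIN_USER_PASSWORD ]] && ! [[ -v PHISHIN_USER_PASSWORD_COMMAND ]]; then
    # shellcheck disable=SC2016
    printf 'error: one of $PHISHIN_USER_PASSWORD or $PHISHIN_USER_PASSWORD_COMMAND should be set\n' >&2
    exit 1
  fi
fi

phishin_auth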