feat: add hub sync auth

Author: ellie

Cargo.lock

@@ -14,10 +14,10 @@ use atuin_common::{
 };
 use atuin_common::{
     api::{
-        AddHistoryRequest, ChangePasswordRequest, CountResponse, DeleteHistoryRequest,
-        ErrorResponse, LoginRequest, LoginResponse, MeResponse, RegisterResponse,
-        SendVerificationResponse, StatusResponse, SyncHistoryResponse, VerificationTokenRequest,
-        VerificationTokenResponse,
+        AddHistoryRequest, ChangePasswordRequest, CliCodeResponse, CliVerifyResponse,
+        CountResponse, DeleteHistoryRequest, ErrorResponse, LoginRequest, LoginResponse,
+        MeResponse, RegisterResponse, SendVerificationResponse, StatusResponse,
+        SyncHistoryResponse, VerificationTokenRequest, VerificationTokenResponse,
     },
     record::RecordStatus,
 };
@@ -111,6 +111,40 @@ pub async fn login(address: &str, req: LoginRequest) -> Result<LoginResponse> {
     Ok(session)
 }
 
+/// Request a CLI auth code from the Atuin Hub
+pub async fn hub_request_code(address: &str) -> Result<CliCodeResponse> {
+    let url = make_url(address, "/auth/cli/code")?;
+    let client = reqwest::Client::new();
+
+    let resp = client
+        .post(url)
+        .header(USER_AGENT, APP_USER_AGENT)
+        .header(ATUIN_HEADER_VERSION, ATUIN_CARGO_VERSION)
+        .send()
+        .await?;
+    let resp = handle_resp_error(resp).await?;
+
+    let code_response = resp.json::<CliCodeResponse>().await?;
+    Ok(code_response)
+}
+
+/// Poll to verify the CLI auth code and get the session token
+pub async fn hub_verify_code(address: &str, code: &str) -> Result<CliVerifyResponse> {
+    let url = make_url(address, &format!("/auth/cli/verify?code={}", code))?;
+    let client = reqwest::Client::new();
+
+    let resp = client
+        .get(url)
+        .header(USER_AGENT, APP_USER_AGENT)
+        .header(ATUIN_HEADER_VERSION, ATUIN_CARGO_VERSION)
+        .send()
+        .await?;
+    let resp = handle_resp_error(resp).await?;
+
+    let verify_response = resp.json::<CliVerifyResponse>().await?;
+    Ok(verify_response)
+}
+
 #[cfg(feature = "check-update")]
 pub async fn latest_version() -> Result<Version> {
     use atuin_common::api::IndexResponse;

crates/atuin-client/src/api_client.rs

@@ -4,7 +4,7 @@ use tokio::io::AsyncWriteExt;
 
 use crate::{api_client, settings::Settings};
 
-pub async fn register(
+pub async fn register_classic(
     settings: &Settings,
     username: String,
     email: String,

crates/atuin-client/src/register.rs

@@ -458,7 +458,19 @@ pub struct Settings {
     pub style: Style,
     pub auto_sync: bool,
     pub update_check: bool,
+
+    /// Enables using the Atuin Hub for syncing. This is an alternative sync server, providing
+    /// several auth methods, profile pages, password recovery, and more.
+    ///
+    /// The hub is not currently self-hostable, but will potentially be opened up in the future.
+    pub hub_sync: bool,
+
+    /// The address of the Atuin Hub. Only used when `hub_sync` is enabled.
+    pub hub_address: String,
+
+    /// The sync address for atuin. If `hub_sync` is set, this will be ignored.
     pub sync_address: String,
+
     pub sync_frequency: String,
     pub db_path: String,
     pub record_store_path: String,
@@ -768,6 +780,8 @@ impl Settings {
             .set_default("timezone", "local")?
             .set_default("auto_sync", true)?
             .set_default("update_check", cfg!(feature = "check-update"))?
+            .set_default("hub_sync", false)?
+            .set_default("hub_address", "https://hub.atuin.sh")?
             .set_default("sync_address", "https://api.atuin.sh")?
             .set_default("sync_frequency", "5m")?
             .set_default("search_mode", "fuzzy")?

crates/atuin-client/src/settings.rs

@@ -136,3 +136,18 @@ pub struct MessageResponse {
 pub struct MeResponse {
     pub username: String,
 }
+
+// Hub CLI authentication types
+
+/// Response from POST /auth/cli/code - generates a code for CLI auth
+#[derive(Debug, Serialize, Deserialize)]
+pub struct CliCodeResponse {
+    pub code: String,
+}
+
+/// Response from GET /auth/cli/verify?code=<code> - polls for authorization
+#[derive(Debug, Serialize, Deserialize)]
+pub struct CliVerifyResponse {
+    /// Session token, present only when authorization is complete
+    pub session: Option<String>,
+}

crates/atuin-common/src/api.rs

@@ -83,6 +83,7 @@ tiny-bip39 = "1"
 futures-util = "0.3"
 fuzzy-matcher = "0.3.7"
 colored = "2.0.4"
+open = "5"
 ratatui = "0.29.0"
 tracing = "0.1"
 tracing-subscriber = { workspace = true }

crates/atuin/Cargo.toml

@@ -6,6 +6,7 @@ use atuin_client::settings::Settings;
 
 pub mod change_password;
 pub mod delete;
+mod hub;
 pub mod login;
 pub mod logout;
 pub mod register;
@@ -42,7 +43,7 @@ impl Cmd {
     pub async fn run(self, settings: Settings, store: SqliteStore) -> Result<()> {
         match self.command {
             Commands::Login(l) => l.run(&settings, &store).await,
-            Commands::Register(r) => r.run(&settings).await,
+            Commands::Register(r) => r.run(&settings, &store).await,
             Commands::Logout => logout::run(&settings),
             Commands::Delete => delete::run(&settings).await,
             Commands::ChangePassword(c) => c.run(&settings).await,

crates/atuin/src/command/client/account.rs

@@ -0,0 +1,182 @@
+use std::io::{self, Write};
+use std::path::PathBuf;
+use std::time::Duration;
+
+use eyre::{bail, Context, Result};
+use indicatif::{ProgressBar, ProgressStyle};
+use tokio::fs::File;
+use tokio::io::AsyncWriteExt;
+
+use atuin_client::api_client;
+use atuin_client::encryption::{decode_key, encode_key, load_key, Key};
+use atuin_client::record::sqlite_store::SqliteStore;
+use atuin_client::record::store::Store;
+use atuin_client::settings::Settings;
+
+/// Timeout for the entire auth flow (10 minutes)
+const AUTH_TIMEOUT: Duration = Duration::from_secs(600);
+/// How often to poll for verification
+const POLL_INTERVAL: Duration = Duration::from_secs(2);
+
+/// Run the Hub authentication flow.
+///
+/// This is used by both `register` and `login` commands when `hub_sync` is enabled.
+/// The flow is identical for both since the Hub web UI handles registration vs login.
+pub async fn run(settings: &Settings, store: &SqliteStore) -> Result<()> {
+    println!("Authenticating with Atuin Hub...");
+
+    // 1. Request a code from the hub
+    let code_response = api_client::hub_request_code(&settings.hub_address)
+        .await
+        .context("Failed to request authentication code from Hub")?;
+
+    let code = &code_response.code;
+    let auth_url = format!("{}/auth/cli?code={}", settings.hub_address, code);
+
+    // 2. Try to open the browser and print the URL regardless
+    println!("\nOpening your browser to complete authentication...");
+    println!("If it doesn't open, visit this URL:\n");
+    println!("  {auth_url}\n");
+
+    if let Err(e) = open::that(&auth_url) {
+        tracing::debug!("Failed to open browser: {}", e);
+    }
+
+    // 3. Poll for verification with a spinner
+    let spinner = ProgressBar::new_spinner();
+    spinner.set_style(
+        ProgressStyle::default_spinner()
+            .tick_chars("⠋⠙⠹⠸⠼⠴⠦⠧⠇⠏")
+            .template("{spinner:.cyan} {msg}")
+            .expect("valid template"),
+    );
+    spinner.set_message("Waiting for authorization...");
+    spinner.enable_steady_tick(Duration::from_millis(100));
+
+    let start = std::time::Instant::now();
+    let session = loop {
+        if start.elapsed() > AUTH_TIMEOUT {
+            spinner.finish_with_message("Timed out");
+            bail!("Authentication timed out. Please try again.");
+        }
+
+        tokio::time::sleep(POLL_INTERVAL).await;
+
+        match api_client::hub_verify_code(&settings.hub_address, code).await {
+            Ok(verify_response) => {
+                if let Some(session) = verify_response.session {
+                    spinner.finish_with_message("Authorized!");
+                    break session;
+                }
+                // Still pending, continue polling
+            }
+            Err(e) => {
+                // Log the error but keep polling - could be transient
+                tracing::debug!("Verification poll failed: {}", e);
+            }
+        }
+    };
+
+    // 4. Save the session token
+    let session_path = settings.session_path.as_str();
+    let mut file = File::create(session_path)
+        .await
+        .context("Failed to create session file")?;
+    file.write_all(session.as_bytes())
+        .await
+        .context("Failed to write session file")?;
+
+    // 5. Handle encryption key - always prompt
+    // Users will always have a key file by this point (created on first atuin usage)
+    // But it might not be the right key for this account if they registered elsewhere
+    let key_path = PathBuf::from(settings.key_path.as_str());
+
+    println!();
+    println!(
+        "If you have already registered on another machine, you will need your encryption key."
+    );
+    println!("Run 'atuin key' on your other machine to retrieve it.");
+    println!();
+
+    let key_input = read_key_input()?;
+
+    if let Some(encoded_key) = key_input {
+        // User provided a key - check if we need to re-encrypt
+        let current_key: [u8; 32] = load_key(settings)?.into();
+        let new_key: [u8; 32] = decode_key(encoded_key.clone())
+            .context("Could not decode provided key")?
+            .into();
+
+        if new_key != current_key {
+            println!("\nRe-encrypting local store with new key...");
+
+            store.re_encrypt(&current_key, &new_key).await?;
+
+            println!("Writing new key");
+            let mut file = File::create(&key_path)
+                .await
+                .context("Failed to create key file")?;
+            file.write_all(encoded_key.as_bytes())
+                .await
+                .context("Failed to write key file")?;
+        }
+    }
+    // If user pressed Enter, we just use the existing key (nothing to do)
+
+    println!("\nAuthentication successful!");
+    println!();
+    println!("IMPORTANT: Please make a note of your key (run 'atuin key') and keep it safe.");
+    println!("You will need it to log in on other devices, and we cannot help recover it if you lose it.");
+
+    Ok(())
+}
+
+/// Prompt the user for an encryption key.
+/// Returns `Some(encoded_key)` if they provided one, None if they pressed Enter.
+fn read_key_input() -> Result<Option<String>> {
+    print!("Enter your encryption key, or press Enter if you don't already have one: ");
+    io::stdout().flush()?;
+
+    let mut input = String::new();
+    io::stdin().read_line(&mut input)?;
+    let input = input.trim();
+
+    if input.is_empty() {
+        return Ok(None);
+    }
+
+    // The key may be EITHER base64, or a bip mnemonic
+    // Try to normalize to base64
+    let encoded = match bip39::Mnemonic::from_phrase(input, bip39::Language::English) {
+        Ok(mnemonic) => encode_key(Key::from_slice(mnemonic.entropy()))?,
+        Err(err) => {
+            match err.downcast_ref::<bip39::ErrorKind>() {
+                Some(bip_err) => {
+                    match bip_err {
+                        // Not a valid mnemonic word - assume they copied the base64 key
+                        bip39::ErrorKind::InvalidWord => input.to_string(),
+                        bip39::ErrorKind::InvalidChecksum => {
+                            bail!("Key mnemonic was not valid")
+                        }
+                        bip39::ErrorKind::InvalidKeysize(_)
+                        | bip39::ErrorKind::InvalidWordLength(_)
+                        | bip39::ErrorKind::InvalidEntropyLength(_, _) => {
+                            bail!("Key was not the correct length")
+                        }
+                    }
+                }
+                _ => {
+                    // Unknown error - assume they copied the base64 key
+                    input.to_string()
+                }
+            }
+        }
+    };
+
+    // Validate the key
+    if decode_key(encoded.clone()).is_err() {
+        bail!("The provided key was invalid");
+    }
+
+    Ok(Some(encoded))
+}