Skip to content

Commit 58b114f

Browse files
feat(webapp): seed a local CLI personal access token (#4135)
## Summary Getting the CLI talking to a local instance meant the browser magic-link login, which is no good when you're driving things headlessly (an agent, a container, or just no browser to hand). The seed already prints dev secret keys for the batch-limit orgs, so it now also mints a personal access token for the seeded `local@trigger.dev` user and prints a ready-to-run `export TRIGGER_ACCESS_TOKEN=...` next to them. Re-seeding stays idempotent: it decrypts and reprints the existing `local-dev-cli` token rather than piling up a new one on every run. <!-- GitButler Footer Boundary Top --> --- This is **part 2 of 2 in a stack** made with GitButler: - <kbd>&nbsp;2&nbsp;</kbd> #4135 👈 - <kbd>&nbsp;1&nbsp;</kbd> #4137 <!-- GitButler Footer Boundary Bottom --> --------- Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
1 parent a1d14e7 commit 58b114f

2 files changed

Lines changed: 56 additions & 0 deletions

File tree

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
---
2+
area: webapp
3+
type: improvement
4+
---
5+
6+
The db seed now mints (and prints) a Personal Access Token for the seeded
7+
`local@trigger.dev` user. This lets the CLI authenticate against a local
8+
instance via `TRIGGER_ACCESS_TOKEN` without the browser magic-link flow, which
9+
matters for headless/agent onboarding. Idempotent: re-seeding decrypts and
10+
reprints the existing `local-dev-cli` token instead of creating new ones.

apps/webapp/seed.ts

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,9 @@ import { createOrganization } from "./app/models/organization.server";
33
import { createProject } from "./app/models/project.server";
44
import type { Organization, Prisma, User } from "@trigger.dev/database";
55
import { AuthenticationMethod } from "@trigger.dev/database";
6+
import { encryptToken, decryptToken, hashToken } from "./app/utils/tokens.server";
7+
import { env } from "./app/env.server";
8+
import { randomBytes } from "node:crypto";
69

710
async function seed() {
811
console.log("🌱 Starting seed...");
@@ -86,11 +89,54 @@ async function seed() {
8689
console.log(`User: ${user.email}`);
8790
console.log(`Organization: ${organization.title} (${organization.slug})`);
8891
console.log(`Projects: ${referenceProjects.map((p) => p.name).join(", ")}`);
92+
93+
// The PAT is an admin credential. Only mint and print it when seeding a local
94+
// instance, so a stray non-local `db:seed` can't leak it to stdout/logs.
95+
const localHostnames = new Set(["localhost", "127.0.0.1", "[::1]"]);
96+
const isLocalInstance =
97+
env.NODE_ENV !== "production" && localHostnames.has(new URL(env.APP_ORIGIN).hostname);
98+
if (isLocalInstance) {
99+
const localPat = await ensureLocalCliPat(user);
100+
console.log(`\n🔑 CLI access token for ${user.email} (name: ${localPat.name}):`);
101+
console.log(` ${localPat.token}`);
102+
console.log(` Point the CLI at this local instance without a browser login:`);
103+
console.log(` export TRIGGER_ACCESS_TOKEN=${localPat.token}`);
104+
console.log(` export TRIGGER_API_URL=${env.APP_ORIGIN}`);
105+
}
89106
console.log("\n⚠️ Note: in your triggerdotdev/references clone, set TRIGGER_PROJECT_REF in:");
90107
console.log(` - projects/d3-chat/.env: TRIGGER_PROJECT_REF=proj_cdmymsrobxmcgjqzhdkq`);
91108
console.log(` - projects/realtime-streams/.env: TRIGGER_PROJECT_REF=proj_klxlzjnzxmbgiwuuwhvb`);
92109
}
93110

111+
// Mints (or reuses) a Personal Access Token for the seeded local user so the
112+
// CLI can authenticate against this instance without the browser magic-link
113+
// flow. Idempotent: on re-seed we decrypt and reprint the existing token
114+
// rather than piling up new ones. The token is created inline (rather than via
115+
// personalAccessToken.server) so the seed doesn't pull the RBAC/service module
116+
// graph into its import chain.
117+
async function ensureLocalCliPat(user: User) {
118+
const name = "local-dev-cli";
119+
const existing = await prisma.personalAccessToken.findFirst({
120+
where: { userId: user.id, name, revokedAt: null },
121+
});
122+
if (existing) {
123+
const enc = existing.encryptedToken as { nonce: string; ciphertext: string; tag: string };
124+
return { name, token: decryptToken(enc.nonce, enc.ciphertext, enc.tag, env.ENCRYPTION_KEY) };
125+
}
126+
const token = `tr_pat_${randomBytes(20).toString("hex")}`;
127+
const body = token.slice("tr_pat_".length);
128+
await prisma.personalAccessToken.create({
129+
data: {
130+
name,
131+
userId: user.id,
132+
encryptedToken: encryptToken(token, env.ENCRYPTION_KEY),
133+
hashedToken: hashToken(token),
134+
obfuscatedToken: `tr_pat_${body.slice(0, 4)}${"•".repeat(18)}${body.slice(-4)}`,
135+
},
136+
});
137+
return { name, token };
138+
}
139+
94140
async function createBatchLimitOrgs(user: User) {
95141
const org1 = await findOrCreateOrganization("batch-limit-org-1", user, {
96142
batchQueueConcurrencyConfig: { processingConcurrency: 1 },

0 commit comments

Comments
 (0)