fix: address PR #116 review comments

- Validate OAuth state parameter in listenForCallback (CSRF protection)
- Fix PowerShell URL injection in openBrowser by passing URL via $args[0]
- Fix status command to fall through to stored credentials on invalid env var
- Apply username from live fetchKeyStatus response in status command
- Persist username/tier/expires_at from login and rotate exchange responses
- Fix httpsRequest to respect URL port and add 30s request timeout
- Fix docs: QH URL default and validation_warning scope

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mrdailey99

docs/mcp.md

@@ -200,7 +200,7 @@ sf provar auth clear
 | Variable                 | Purpose                               | Default                                           |
 | ------------------------ | ------------------------------------- | ------------------------------------------------- |
 | `PROVAR_API_KEY`         | API key for Quality Hub validation    | None — falls back to `~/.provar/credentials.json` |
-| `PROVAR_QUALITY_HUB_URL` | Override the Quality Hub API base URL | Production URL                                    |
+| `PROVAR_QUALITY_HUB_URL` | Override the Quality Hub API base URL | Dev API Gateway URL (`/dev`)                      |
 
 ---
 
@@ -371,7 +371,7 @@ Validates an XML test case for schema correctness (validity score) and best prac
 | `best_practices_violations`      | array          | Best-practices violations with `rule_id`, `severity`, `weight`, `message` |
 | `best_practices_rules_evaluated` | integer        | How many best-practices rules were checked                                |
 | `validation_source`              | string         | `quality_hub`, `local`, or `local_fallback` — see Authentication section  |
-| `validation_warning`             | string         | Present when `validation_source` is `local_fallback` — explains why       |
+| `validation_warning`             | string         | Present when `validation_source` is `local` (onboarding) or `local_fallback` (explains why API failed) |
 
 **Key schema rules:** TC_001 (missing XML declaration), TC_002 (malformed XML), TC_003 (wrong root element), TC_010/011/012 (missing/invalid id/guid), TC_031 (invalid apiCall guid), TC_034/035 (non-integer testItemId).
 

src/commands/provar/auth/login.ts

@@ -65,7 +65,7 @@ export default class SfProvarAuthLogin extends SfCommand<void> {
     loginFlowClient.openBrowser(authorizeUrl.toString());
 
     this.log('\nWaiting for authentication... (Ctrl-C to cancel)');
-    const authCode = await loginFlowClient.listenForCallback(port);
+    const authCode = await loginFlowClient.listenForCallback(port, state);
 
     // ── Step 5: Exchange code for Cognito tokens ────────────────────────────
     const tokens = await loginFlowClient.exchangeCodeForTokens({
@@ -81,7 +81,11 @@ export default class SfProvarAuthLogin extends SfCommand<void> {
     const keyData = await qualityHubClient.exchangeTokenForKey(tokens.access_token, baseUrl);
 
     // ── Step 7: Persist the pv_k_ key ──────────────────────────────────────
-    writeCredentials(keyData.api_key, keyData.prefix, 'cognito');
+    writeCredentials(keyData.api_key, keyData.prefix, 'cognito', {
+      username: keyData.username,
+      tier: keyData.tier,
+      expires_at: keyData.expires_at,
+    });
 
     this.log(`\nAuthenticated as ${keyData.username} (${keyData.tier} tier)`);
     this.log(`API key stored (prefix: ${keyData.prefix}). Valid until ${keyData.expires_at}.`);

src/commands/provar/auth/rotate.ts

@@ -30,7 +30,11 @@ export default class SfProvarAuthRotate extends SfCommand<void> {
 
     try {
       const keyData = await qualityHubClient.rotateKey(stored.api_key, baseUrl);
-      writeCredentials(keyData.api_key, keyData.prefix, 'cognito');
+      writeCredentials(keyData.api_key, keyData.prefix, 'cognito', {
+        username: keyData.username,
+        tier: keyData.tier,
+        expires_at: keyData.expires_at,
+      });
       this.log(`API key rotated (new prefix: ${keyData.prefix}). Valid until ${keyData.expires_at}.`);
       this.log("  Run 'sf provar auth status' to verify.");
     } catch (err) {

src/commands/provar/auth/status.ts

@@ -24,20 +24,19 @@ export default class SfProvarAuthStatus extends SfCommand<void> {
 
     if (envKey) {
       if (!envKey.startsWith('pv_k_')) {
-        this.log('API key misconfigured.');
+        this.log('Warning: PROVAR_API_KEY is set but invalid (does not start with "pv_k_").');
+        this.log(`  Value:    "${envKey.substring(0, 10)}..." — ignored for API calls.`);
+        this.log('  Fix: update PROVAR_API_KEY to a valid pv_k_ key from https://success.provartesting.com');
+        this.log('');
+        // Fall through to check stored credentials (matches resolveApiKey behaviour)
+      } else {
+        this.log('API key configured');
         this.log('  Source:   environment variable (PROVAR_API_KEY)');
-        this.log(`  Value:    "${envKey.substring(0, 10)}..." does not start with "pv_k_"`);
+        this.log(`  Prefix:   ${envKey.substring(0, 12)}`);
         this.log('');
-        this.log('  Validation mode: local only (invalid key — not used for API calls)');
-        this.log('  Fix: update PROVAR_API_KEY to a valid pv_k_ key from https://success.provartesting.com');
+        this.log('  Validation mode: Quality Hub API');
         return;
       }
-      this.log('API key configured');
-      this.log('  Source:   environment variable (PROVAR_API_KEY)');
-      this.log(`  Prefix:   ${envKey.substring(0, 12)}`);
-      this.log('');
-      this.log('  Validation mode: Quality Hub API');
-      return;
     }
 
     const stored = readStoredCredentials();
@@ -48,6 +47,7 @@ export default class SfProvarAuthStatus extends SfCommand<void> {
       try {
         const live = await qualityHubClient.fetchKeyStatus(stored.api_key, getQualityHubBaseUrl());
         liveValid = live.valid;
+        if (live.username) stored.username = live.username;
         if (live.tier) stored.tier = live.tier;
         if (live.expires_at) stored.expires_at = live.expires_at;
       } catch {

src/services/auth/credentials.ts

@@ -38,7 +38,12 @@ export function readStoredCredentials(): StoredCredentials | null {
   }
 }
 
-export function writeCredentials(key: string, prefix: string, source: StoredCredentials['source']): void {
+export function writeCredentials(
+  key: string,
+  prefix: string,
+  source: StoredCredentials['source'],
+  extra?: { username?: string; tier?: string; expires_at?: string }
+): void {
   if (!key.startsWith(KEY_PREFIX)) {
     throw new Error(`Invalid API key format. Keys must start with "${KEY_PREFIX}".`);
   }
@@ -49,6 +54,9 @@ export function writeCredentials(key: string, prefix: string, source: StoredCred
     prefix,
     set_at: new Date().toISOString(),
     source,
+    ...(extra?.username ? { username: extra.username } : {}),
+    ...(extra?.tier ? { tier: extra.tier } : {}),
+    ...(extra?.expires_at ? { expires_at: extra.expires_at } : {}),
   };
   // mode: 0o600 sets permissions atomically on file creation (POSIX).
   // chmodSync handles re-runs on existing files. Both are no-ops on Windows.

src/services/auth/loginFlow.ts

@@ -82,9 +82,9 @@ export function openBrowser(url: string): void {
       execFile('open', [url]);
       break;
     case 'win32':
-      // cmd.exe interprets '&' in URLs as a command separator, truncating the URL.
-      // PowerShell's Start-Process passes the URL as a single argument without shell interpretation.
-      execFile('powershell.exe', ['-NoProfile', '-Command', `Start-Process '${url}'`]);
+      // Pass the URL via $args[0] so it is never interpolated into the -Command
+      // string — avoids quote-breaking and injection risk from special characters.
+      execFile('powershell.exe', ['-NoProfile', '-Command', 'Start-Process $args[0]', '-args', url]);
       break;
     default:
       execFile('xdg-open', [url]);
@@ -97,13 +97,27 @@ export function openBrowser(url: string): void {
  * Spin up a temporary localhost HTTP server that accepts exactly one callback
  * from Cognito's Hosted UI, extracts the auth code, and shuts down.
  */
-export function listenForCallback(port: number): Promise<string> {
+export function listenForCallback(port: number, expectedState?: string): Promise<string> {
   return new Promise((resolve, reject) => {
     const server = http.createServer((req, res) => {
       const parsed = new URL(req.url ?? '/', `http://localhost:${port}`);
       const code = parsed.searchParams.get('code');
       const error = parsed.searchParams.get('error');
       const description = parsed.searchParams.get('error_description');
+      const callbackState = parsed.searchParams.get('state');
+
+      if (expectedState && callbackState !== expectedState) {
+        res.writeHead(400, { 'Content-Type': 'text/html; charset=utf-8' });
+        res.end(
+          '<html><body style="font-family:sans-serif;padding:2rem;max-width:480px">' +
+            '<h2 style="color:#c23934">Authentication failed</h2>' +
+            '<p>Invalid state parameter — possible CSRF attack. Please try again.</p>' +
+            '</body></html>'
+        );
+        server.close();
+        reject(new Error('OAuth callback state mismatch — possible CSRF. Try again.'));
+        return;
+      }
 
       res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
       res.end(
@@ -166,6 +180,8 @@ export async function exchangeCodeForTokens(opts: {
 
 // ── Internal HTTPS helper ─────────────────────────────────────────────────────
 
+const REQUEST_TIMEOUT_MS = 30_000;
+
 function httpsPost(
   url: string,
   body: string,
@@ -176,6 +192,7 @@ function httpsPost(
     const req = https.request(
       {
         hostname: parsed.hostname,
+        port: parsed.port || undefined,
         path: parsed.pathname + parsed.search,
         method: 'POST',
         headers: {
@@ -191,6 +208,9 @@ function httpsPost(
         res.on('end', () => resolve({ status: res.statusCode ?? 0, responseBody: data }));
       }
     );
+    req.setTimeout(REQUEST_TIMEOUT_MS, () => {
+      req.destroy(new Error(`Cognito token exchange timed out after ${REQUEST_TIMEOUT_MS / 1000}s`));
+    });
     req.on('error', reject);
     req.write(body);
     req.end();
@@ -208,6 +228,6 @@ export const loginFlowClient = {
   generateState,
   findAvailablePort,
   openBrowser,
-  listenForCallback,
+  listenForCallback: listenForCallback as (port: number, expectedState?: string) => Promise<string>,
   exchangeCodeForTokens,
 };

src/services/qualityHub/client.ts

@@ -242,6 +242,8 @@ function isOk(status: number): boolean {
   return status >= 200 && status < 300;
 }
 
+const REQUEST_TIMEOUT_MS = 30_000;
+
 function httpsRequest(
   url: string,
   method: string,
@@ -252,6 +254,7 @@ function httpsRequest(
     const parsed = new NodeURL(url);
     const opts = {
       hostname: parsed.hostname,
+      port: parsed.port || undefined,
       path: parsed.pathname + parsed.search,
       method,
       headers: {
@@ -266,6 +269,9 @@ function httpsRequest(
       });
       res.on('end', () => resolve({ status: res.statusCode ?? 0, responseBody: data }));
     });
+    req.setTimeout(REQUEST_TIMEOUT_MS, () => {
+      req.destroy(new Error(`Quality Hub API request timed out after ${REQUEST_TIMEOUT_MS / 1000}s`));
+    });
     req.on('error', reject);
     if (body) req.write(body);
     req.end();