pirQ|dZddlZddlZddlZddlZddlZddlZddlZddlm Z m Z ddl m Z ddl mZddlmZddlmZmZmZddlZddlZdZd Zd Zd Ze ejjjd z Zd ZGddZGddZ GddZ!e!Z"Gdde Z#GddZ$de$fdZ%dS)aOAuth2 authentication for WHOOP API with secure token storage. Supports hybrid storage: macOS Keychain (primary) + file fallback (for cron jobs). IMPORTANT: WHOOP uses rotating refresh tokens. Each successful refresh returns a NEW refresh token and invalidates the old one. This means: - Only one process should refresh at a time (file locking) - Tokens must be saved immediately after refresh - If refresh fails with 400, the refresh token is likely invalid and re-auth is needed N) HTTPServerBaseHTTPRequestHandler)Path)Thread)Optional) urlencodeparse_qsurlparsez,https://api.prod.whoop.com/oauth/oauth2/authz-https://api.prod.whoop.com/oauth/oauth2/tokenz whoop-mcpz .tokens.jsonz9read:recovery read:sleep read:cycles read:workout offlinec zeZdZdZededededefdZede e fdZ ed d Z dS) KeychainTokenStoragez*Secure token storage using macOS Keychain. access_token refresh_token expires_atreturnc tj|||d}tjtd|dS#t $r}t d|Yd}~dSd}~wwxYw)zAStore OAuth tokens securely in keychain. Returns True on success.rrrtokensTzKeychain storage failed: NF)jsondumpskeyring set_password SERVICE_NAME Exceptionprint)rrr token_dataes j/Users/kimhansen/Desktop/03 Workspace/ceo-agents/chl-effectiveness/mcp-servers/whoop/src/whoop_mcp/auth.py store_tokensz!KeychainTokenStorage.store_tokens0s  ,!.(%%J  x D D D4    1a11 2 2 255555 s37 AAAc tjtd}|rtj|Sn#t $r }Yd}~nd}~wwxYwdS)zRetrieve tokens from keychain.rN)r get_passwordrrloadsr)rrs r get_tokenszKeychainTokenStorage.get_tokens?sg  -lHEEJ .z*--- .    DDDD ts/3 AANc tjtddS#tjj$rYdSt $rYdSwxYw)zRemove tokens from keychain.rN)rdelete_passwordrerrorsPasswordDeleteErrorrr clear_tokensz!KeychainTokenStorage.clear_tokensKs`   #L( ; ; ; ; ;~1    DD    DD sA AArN __name__ __module__ __qualname____doc__ staticmethodstrfloatboolrrdictr#r*r(r)rr r -s44 3 s  RV   \     \ \r)r c eZdZdZed dededededef dZede e fd Z ed d Z dS) FileTokenStoragea File-based token storage for non-GUI contexts (cron jobs). Stores tokens in a JSON file with 600 permissions for security. This is a fallback when keychain is not accessible. Uses file locking to prevent race conditions with rotating refresh tokens. Nrrr refreshed_atrc ||||ptjd}tttdz}t |d5}t j|t j tttdz}| tj |dtj |tjtjz|tt j|t jn6#t j|t jwxYw dddn #1swxYwYdS#t&$r}t)d |Yd}~d Sd}~wwxYw) zFStore OAuth tokens in file with file locking. Returns True on success.rrrr8.lockwz.tmp)indentNTzFile storage failed: F)timerr2 TOKEN_FILEopenfcntlflockfilenoLOCK_EX write_textrroschmodstatS_IRUSRS_IWUSRrenameLOCK_UNrr) rrrr8r lock_filelf temp_filers rrzFileTokenStorage.store_tokens^s  ,!.( , ; JS__w677Ii%% < BIIKK777< $S__v%= > >I((Jq)I)I)IJJJHY t|(CDDD$$Z000K U];;;;EK U];;;;; < < < < < < < < < < < < < < <4    -!-- . . .55555 sUAF2F BE2F 3E;;F ? F FFFF F?"F::F?c~ trtttdz}t |d5}t j|t j tj t t j|t j cdddS#t j|t j wxYw#1swxYwYn#t$rYnwxYwdS)z,Retrieve tokens from file with file locking.r;r<N)r@existsrr2rArBrCrDLOCK_SHrr" read_textrMr)rNrOs rr#zFileTokenStorage.get_tokens{sP   "" @ Z7!:;; )S))@RK U];;;@#z**>*>*@*@AA BIIKK??? @@@@@@@@  BIIKK???? @@@@@@@@     D tsNAD-2D!*C+-1D! D-+3DD!!D%%D-(D%)D-- D:9D:c trtdSdS#t$rYdSwxYw)zRemove token file.N)r@rRunlinkrr(r)rr*zFileTokenStorage.clear_tokenss_   "" $!!##### $ $    DD s28 AANr+r,r(r)rr7r7Vs3s]bnr\8    \ \r)r7c $eZdZdZeddededededdf dZedee fd Z edd Z edd e d e de fdZed e de fdZedd e d e de fdZede fdZede fdZdS)HybridTokenStoragea Hybrid token storage: tries keychain first, falls back to file. - GUI contexts (MCP server in terminal): Keychain works, file is backup - Non-GUI contexts (cron jobs): Keychain fails, file is used When storing, writes to BOTH to keep them in sync. Nrrrr8rc|ptj}t|||}t||||}|s|st ddSdS)z'Store tokens in both keychain and file.z0Failed to store tokens in both keychain and fileN)r?r rr7 RuntimeError)rrrr8 keychain_okfile_oks rrzHybridTokenStorage.store_tokenss~$2ty{{ *77 mU_`` "// mZYeff S7 SQRR R S S S Sr)cnt}|r|StS)z,Get tokens, trying keychain first then file.)r r#r7rs rr#zHybridTokenStorage.get_tokenss6&0022  M **,,,r)cjttdS)z)Clear tokens from both storage locations.N)r r*r7r(r)rr*zHybridTokenStorage.clear_tokenss. ))+++%%'''''r),rbuffer_secondscb|dd}tj||z kS)z5Check if access token is expired (with 5 min buffer).rrgetr?rrbrs ris_token_expiredz#HybridTokenStorage.is_token_expired-ZZ a00 y{{j>9::r)c|d|dddz }tj|z dz }|tkS)zCheck if refresh token is likely expired (based on when we last refreshed). WHOOP refresh tokens have a limited lifetime (~7 days). If we haven't refreshed in that time, the refresh token is probably invalid. r8rriQ)rer?REFRESH_TOKEN_LIFETIME_DAYS)rr8days_since_refreshs ris_refresh_token_likely_expiredz2HybridTokenStorage.is_refresh_token_likely_expiredsMzz.&**\12M2MPT2TUU "ikkL8YG!$???r)Xcb|dd}tj||z kS)z>Check if we should proactively refresh (10 min before expiry).rrrdrfs rshould_proactively_refreshz-HybridTokenStorage.should_proactively_refreshrhr)ct}|r.t|d|d|dSdS)z?Copy tokens from keychain to file (for setting up cron access).rrrF)r r#r7rr_s rsync_keychain_to_filez(HybridTokenStorage.sync_keychain_to_filesT&0022  #00~&'|$  ur)ct}t}|du|r|dndd|dut t |r|dndddS)z6Get status of both storage backends (for diagnostics).Nr) availabler)rtpathr)keychainfile)r r#r7rer2r@)keychain_tokens file_tokenss rget_storage_statusz%HybridTokenStorage.get_storage_statuss/99;;&1133 -D8CR\o11,???X\ )4J?JTkool;;;PT   r)rWr+)ra)rn)r-r.r/r0r1r2r3rrr5r#r*intr4rgrmrprrrzr(r)rrYrYsSS3SsSS]bSnrSSS\S----\-(((\( ;;;s;T;;;\; @@@@@\@;;4;;t;;;\;  4   \     \   r)rYczeZdZUdZdZeeed<dZeeed<dZ eeed<dZ defdZ d Z dS) OAuthCallbackHandlerz HTTP handler for OAuth callback.Nauthorization_codestateerrorct|j}t|j}d|vr/|ddt_|ddSd|vrV|ddt_|ddgdt_ |ddS|ddS) z"Handle OAuth callback GET request.rrz0Authorization failed. You can close this window.coderNz4Authorization successful! You can close this window.z-Invalid callback. Missing authorization code.) r rur queryr}r_send_responser~rer)selfparsedparamss rdo_GETzOAuthCallbackHandler.do_GETs$)$$&,'' f  )/); &    R S S S S S v  6 WHOOP Authorization

z.

N) send_response send_header end_headerswfilewriteencode)rrhtmls rrz#OAuthCallbackHandler._send_response s 3 555       '''''r)cdS)zSuppress HTTP server logs.Nr()rformatargss r log_messagez OAuthCallbackHandler.log_messages r)) r-r.r/r0r~rr2__annotations__rrrrrr(r)rr}r}s**(, ,,,E8C=E8C= Q Q Q(c((((      r)r}ceZdZdZddededefdZedejfdZ de efd Z dd ed e de e fd ZdefdZdedefdZdefdZddZdS) WhoopAuthz$WHOOP OAuth2 authentication handler.http://localhost:8765/callback client_id client_secret redirect_uric>||_||_||_d|_dSrW)rrr _http_client)rrrrs r__init__zWhoopAuth.__init__!s'"*(48r)rcR|jtjd|_|jS)zLazy-load HTTP client.Ng>@timeout)rhttpxClientrs r http_clientzWhoopAuth.http_client's+   $ % T : : :D   r)c6t}|sdSt|rMtdtdtdt|ds|dSdSt|st|rZ||d}|r|dSt|dstd |dSdS|dS) zGet a valid access token, refreshing if necessary. Uses proactive refresh (before expiry) to reduce failure risk. Nz(WARNING: Refresh token likely expired (>z days old).z%Run setup_auth.py to re-authenticate.rrbrrz7Refresh failed but current token still valid, using it.) TokenStorager#rmrrkrgrp_refresh_tokens)rr new_tokenss rget_valid_access_tokenz WhoopAuth.get_valid_access_token.s- ((** 4  7 7 ? ?  e=Xeee f f f 9 : : :000JJ .n--4  2 26 : : l>[>[\b>c>c --f_.EFFJ 2!.11000JJ .OPPPn--4n%%r)rr retry_countc t tttdz} t|d5}t j|tjtjz t }|r[t |ds?|t j|tj cdddS|r| d|n|}|jt d||j|jddd i }|jd kr|jr|ni}| d d } t-d| dddt|vrdt-dt-dt-dt-dt-dt t j|tj ddddS||} t5j| ddz} t5j} t| d| d|| | t t j|tj cdddS#t j|tj wxYw#1swxYwYdS#t8$r|dkryt-dt5jdt } | r t | ds| cYS|||dzcYSt-dYdSt>j $rO}t-d |j!j|j!jrt-d!|j!jYd}~dSd}~wtD$r}t-d"|Yd}~dSd}~wwxYw)#aRefresh the access token using refresh token. IMPORTANT: WHOOP uses rotating refresh tokens. Each successful refresh returns a NEW refresh token and invalidates the old one. We must: 1. Use file locking to prevent concurrent refreshes 2. Save the new tokens immediately 3. Handle 400 errors (invalid refresh token) by prompting re-auth z .refresh.lockr<<rNr) grant_typerrr Content-Type!application/x-www-form-urlencodeddataheadersi error_hintz Token refresh failed (400): error_descriptionz Unknown errorinvalidz1 The refresh token is invalid. This happens when:z4 1. Another process already used this refresh tokenz( 2. The refresh token expired (~7 days)z 3. WHOOP revoked the tokenz' Run setup_auth.py to re-authenticate. expires_inrjrr:z0Another process is refreshing tokens, waiting...r=z&Timeout waiting for token refresh lockzToken refresh HTTP error: z Response: zToken refresh failed: )#rr2r@rArBrCrDrELOCK_NBrr#rgrMrerpost TOKEN_URLrr status_codetextrrlowerr*raise_for_statusr?rBlockingIOErrorsleeprrHTTPStatusErrorresponser)rrrrNrOcurrent_tokenscurrent_refreshr error_datarrrr8rrs rrzWhoopAuth._refresh_tokensNsZ?:;; O i%%6 < BIIKK)FGGG4<%1%<%<%>%>N%.l.K.KNkm.K.n.n.-^K U];;;m6 <6 <6 <6 <6 <6 <6 <6 <]k&}n&8&8-&X&X&Xp}O#/44!*9-<)--1-?  "01T U 5  H +s228@ %MX]]___2 %/^^L"%E%E uz~~Nacr?s?suuvvv$J(=(=(?(???!"VWWW!"XYYY!"LMMM!"@AAA!"MNNN(55777#&K U];;;m6 <6 <6 <6 <6 <6 <6 <6 >> ====>>>!!! 3'''  %  F*>*DFF G G G5#6  2 3 3 35  % . . 9 : : :5--.B.UVVVr)rc  |jtd||j|j|jdddi}||}tj| ddz}t |d|d | td d S#t$r}td |Yd}~dSd}~wwxYw)z.Exchange authorization code for access tokens.r~)rrrrrrrrrrjrrrz=Authorization successful! Tokens stored in keychain and file.TzToken exchange failed: NF)rrrrrrrrr?rerrrr)rrrrrrs rrz#WhoopAuth._exchange_code_for_tokenss ',,"6 $($5!%%)%7 ()LM-  H  % % ' ' '==??Dtxx d'C'CCJ  % %!.1"?3% &    Q R R R4    /A// 0 0 055555 sCC C.C))C.c.|duS)z%Check if we have valid authorization.N)rrs r is_authorizedzWhoopAuth.is_authorizeds**,,D88r)NcVttddS)zClear stored tokens.z&Authorization revoked. Tokens cleared.N)rr*rrs rrevokezWhoopAuth.revokes)!!### 677777r))r)rr+)r-r.r/r0r2rpropertyrrrrrr{r5rr4rrrrr(r)rrrs?..99#9c99999 !U\!!!X! & &&&&@ZZSZsZ8TX>ZZZZx2W$2W2W2W2Whcd>9t9999888888r)rrcnddlm}tjtjt ddd}||tjd}tjd}tjdd}|r|std t|||S) z5Create WhoopAuth instance from environment variables.r) load_dotenvz..z.envWHOOP_CLIENT_IDWHOOP_CLIENT_SECRETWHOOP_REDIRECT_URIrzcMissing WHOOP credentials. Set WHOOP_CLIENT_ID and WHOOP_CLIENT_SECRET in environment or .env file.) dotenvrrGrurdirname__file__getenv ValueErrorr)renv_pathrrrs rget_auth_from_envrs""""""w||BGOOH55tT6JJHK +,,II344M913STTL  M  +   Y | < <rs    ::::::::6666666666   : ;  T(^^ " ) 0> A  E&&&&&&&&R<<<<<<<<~W W W W W W W W v" ( ( ( ( ( 1( ( ( Vf8f8f8f8f8f8f8f8R=9======r)