What is this? This is a simple node.js server for authenticating with the Tesla servers to obtain both bearer access and refresh tokens, as well as owner-api access tokens.
How does it work? Tesla is constantly seeking ways to make their sign-in more secure, and when they do, third-party solutions tend to break. I finally came to the conclusion that the best way forward is to use the official sign-in flow as much as possible. An added benefit of this decision is that users' emails, passwords, and MFA codes are never entered into or proxied through this server; they are only used directly on the official secure Tesla page. The drawback is that it requires an additional manual step by the user at the end.
Why a server? The Tesla APIs are only intended for the official Tesla App, so there are deliberate limitations that make them harder to use from third-party solutions. One of those limitations is that CORS prevents any domain other than tesla.com from accessing the API directly from a browser. Calling the API from a node.js server works fine, because CORS is enforced by browsers, not by server-side HTTP clients.
Is it safe? Yes. But don't just take my word for it, verify!