npm - @adobe/aio-commerce-lib-auth - Versions diffs - 0.8.1 → 1.0.0 - Mend

@adobe/aio-commerce-lib-auth 0.8.1 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/CHANGELOG.md +15 -0
package/README.md +1 -4
package/bin/cli.mjs +24 -0
package/dist/cjs/chunk-C0xms8kb.cjs +34 -0
package/dist/cjs/commands/index.cjs +162 -84
package/dist/cjs/index.cjs +750 -1
package/dist/es/commands/index.mjs +157 -84
package/dist/es/index.d.mts +0 -2
package/dist/es/index.mjs +737 -1
package/package.json +19 -8
package/dist/cjs/chunk-YD6SZpHm.cjs +0 -1

package/dist/es/index.mjs CHANGED Viewed

@@ -1 +1,737 @@
-import{createHeaderAccessor,getHeader,getHeadersFromParams,parseBearerToken}from"@adobe/aio-commerce-lib-core/headers";import*as v from"valibot";import{array,email,instance,minLength,nonEmpty,nonOptional,object,optional,parse,picklist,pipe,rawTransform,safeParse,string,transform,union,url}from"valibot";import{CommerceSdkValidationError}from"@adobe/aio-commerce-lib-core/error";import aioLibIms from"@adobe/aio-lib-ims";import crypto from"crypto";import OAuth1a from"oauth-1.0a";import{allNonEmpty}from"@adobe/aio-commerce-lib-core/params";function stringValueSchema(name){return v.string(`Expected a string value for '${name}'`)}function parseOrThrow(schema,input,message){let result=v.safeParse(schema,input);if(!result.success)throw new CommerceSdkValidationError(message??`Invalid input`,{issues:result.issues});return result.output}const imsAuthParameter=name=>pipe(string(`Expected a string value for the IMS auth parameter ${name}`),nonEmpty(`Expected a non-empty string value for the IMS auth parameter ${name}`)),stringArray=(name,minimumLength)=>pipe(array(string(),`Expected a string array value for the IMS auth parameter ${name}`),minLength(minimumLength,`Expected at least ${minimumLength} items for the IMS auth parameter ${name}`)),StringArrayTransformSchema=name=>pipe(union([stringArray(name,1),pipe(string(),rawTransform(({dataset:{value:v$1},addIssue,NEVER})=>{if(v$1.startsWith(`[`)&&v$1.endsWith(`]`))try{let parsed=JSON.parse(v$1);return Array.isArray(parsed)?parsed:(addIssue({received:v$1,message:`Expected a valid JSON array for the IMS auth parameter ${name}: ${v$1}`}),NEVER)}catch(error){let errorMessage=error.message;return addIssue({received:v$1,message:`Expected a valid JSON array for the IMS auth parameter ${name}: ${errorMessage}`}),NEVER}return[v$1]}))]),stringArray(`value`,1)),ImsAuthEnvSchema=picklist([`prod`,`stage`]),ImsAuthParamsSchema=object({clientId:imsAuthParameter(`clientId`),clientSecrets:stringArray(`clientSecrets`,1),technicalAccountId:imsAuthParameter(`technicalAccountId`),technicalAccountEmail:pipe(string(`Expected a string value for the IMS auth parameter technicalAccountEmail`),email(`Expected a valid email format for technicalAccountEmail`)),imsOrgId:imsAuthParameter(`imsOrgId`),environment:pipe(optional(ImsAuthEnvSchema)),context:pipe(optional(string())),scopes:stringArray(`scopes`,1)});function __transformStringArray(name,value){if(value===void 0)return;let result=safeParse(StringArrayTransformSchema(name),value);if(!result.success)throw new CommerceSdkValidationError(`Invalid ImsAuthProvider configuration`,{issues:result.issues});return result.output}function __parseImsAuthParams(config){let result=safeParse(ImsAuthParamsSchema,config);if(!result.success)throw new CommerceSdkValidationError(`Invalid ImsAuthProvider configuration`,{issues:result.issues});return result.output}function assertImsAuthParams(config){__parseImsAuthParams(config)}function resolveImsAuthParams(params){return __parseImsAuthParams({clientId:params.AIO_COMMERCE_AUTH_IMS_CLIENT_ID,clientSecrets:__transformStringArray(`AIO_COMMERCE_AUTH_IMS_CLIENT_SECRETS`,params.AIO_COMMERCE_AUTH_IMS_CLIENT_SECRETS),technicalAccountId:params.AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_ID,technicalAccountEmail:params.AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_EMAIL,imsOrgId:params.AIO_COMMERCE_AUTH_IMS_ORG_ID,scopes:__transformStringArray(`AIO_COMMERCE_AUTH_IMS_SCOPES`,params.AIO_COMMERCE_AUTH_IMS_SCOPES),environment:params.AIO_COMMERCE_AUTH_IMS_ENVIRONMENT,context:params.AIO_COMMERCE_AUTH_IMS_CONTEXT})}function buildImsHeaders(accessToken,apiKey){let imsHeaders={Authorization:`Bearer ${accessToken}`};return apiKey&&(imsHeaders[`x-api-key`]=apiKey),imsHeaders}const IMS_AUTH_TOKEN_PARAM=`AIO_COMMERCE_AUTH_IMS_TOKEN`,IMS_AUTH_API_KEY_PARAM=`AIO_COMMERCE_AUTH_IMS_API_KEY`,ImsAuthParamsInputSchema=v.looseObject({[IMS_AUTH_TOKEN_PARAM]:stringValueSchema(IMS_AUTH_TOKEN_PARAM),[IMS_AUTH_API_KEY_PARAM]:v.optional(stringValueSchema(IMS_AUTH_API_KEY_PARAM))}),ForwardedImsAuthSourceSchema=v.variant(`from`,[v.object({from:v.literal(`headers`),headers:v.record(v.string(),v.optional(v.string()))}),v.object({from:v.literal(`getter`),getHeaders:v.custom(input=>typeof input==`function`,`Expected a function for getHeaders`)}),v.object({from:v.literal(`params`),params:ImsAuthParamsInputSchema})]);function getForwardedImsAuthProvider(source){let validatedSource=parseOrThrow(ForwardedImsAuthSourceSchema,source,`Invalid forwarded IMS auth source`);switch(validatedSource.from){case`headers`:{let{authorization}=createHeaderAccessor(validatedSource.headers,[`Authorization`]),apiKey=getHeader(validatedSource.headers,`x-api-key`),{token}=parseBearerToken(authorization);return{getAccessToken:()=>token,getHeaders:()=>buildImsHeaders(token,apiKey)}}case`getter`:return{getHeaders:validatedSource.getHeaders,getAccessToken:async()=>{let{token}=parseBearerToken((await validatedSource.getHeaders()).Authorization);return token}};case`params`:{let{params}=validatedSource,accessToken=params[IMS_AUTH_TOKEN_PARAM],apiKey=params[IMS_AUTH_API_KEY_PARAM];return{getAccessToken:()=>accessToken,getHeaders:()=>buildImsHeaders(accessToken,apiKey)}}}}function forwardImsAuthProviderFromRequest(params){return getForwardedImsAuthProvider({from:`headers`,headers:getHeadersFromParams(params)})}function forwardImsAuthProviderFromParams(params){return getForwardedImsAuthProvider({from:`params`,params:parseOrThrow(ImsAuthParamsInputSchema,params,`Missing AIO_COMMERCE_AUTH_IMS_TOKEN in params`)})}function forwardImsAuthProvider(params){try{return forwardImsAuthProviderFromParams(params)}catch{}try{return forwardImsAuthProviderFromRequest(params)}catch{}throw Error(`Can't forward IMS authentication from the given params. Make sure your params contain an AIO_COMMERCE_AUTH_IMS_TOKEN input or an Authorization header with an IMS token.`)}const{context,getToken}=aioLibIms;function toImsAuthConfig(config){return{scopes:config.scopes,env:config?.environment??`prod`,context:config.context??`aio-commerce-lib-auth-creds`,client_id:config.clientId,client_secrets:config.clientSecrets,technical_account_id:config.technicalAccountId,technical_account_email:config.technicalAccountEmail,ims_org_id:config.imsOrgId}}function isImsAuthProvider(provider){return typeof provider==`object`&&!!provider&&`getAccessToken`in provider&&`getHeaders`in provider&&typeof provider.getAccessToken==`function`&&typeof provider.getHeaders==`function`}function getImsAuthProvider(authParams){let getAccessToken=async()=>{let imsAuthConfig=toImsAuthConfig(authParams);return await context.set(imsAuthConfig.context,imsAuthConfig),getToken(imsAuthConfig.context,{})};return{getAccessToken,getHeaders:async()=>buildImsHeaders(await getAccessToken(),authParams.clientId)}}const integrationAuthParameter=name=>pipe(string(`Expected a string value for the Commerce Integration parameter ${name}`),nonEmpty(`Expected a non-empty string value for the Commerce Integration parameter ${name}`)),UrlSchema=pipe(union([pipe(string(`Expected a string for the Adobe Commerce endpoint`),nonEmpty(`Expected a non-empty string for the Adobe Commerce endpoint`),url(`Expected a valid url for the Adobe Commerce endpoint`)),instance(URL)]),transform(url$1=>url$1 instanceof URL?url$1.toString():url$1)),IntegrationAuthParamsSchema=nonOptional(object({consumerKey:integrationAuthParameter(`consumerKey`),consumerSecret:integrationAuthParameter(`consumerSecret`),accessToken:integrationAuthParameter(`accessToken`),accessTokenSecret:integrationAuthParameter(`accessTokenSecret`)}));function isIntegrationAuthProvider(provider){return typeof provider==`object`&&!!provider&&`getHeaders`in provider&&typeof provider.getHeaders==`function`}function getIntegrationAuthProvider(authParams){let oauth=new OAuth1a({consumer:{key:authParams.consumerKey,secret:authParams.consumerSecret},signature_method:`HMAC-SHA256`,hash_function:(baseString,key)=>crypto.createHmac(`sha256`,key).update(baseString).digest(`base64`)}),oauthToken={key:authParams.accessToken,secret:authParams.accessTokenSecret};return{getHeaders:(method,url$1)=>{let urlString=parse(UrlSchema,url$1);return oauth.toHeader(oauth.authorize({url:urlString,method},oauthToken))}}}function __parseIntegrationAuthParams(config){let result=safeParse(IntegrationAuthParamsSchema,config);if(!result.success)throw new CommerceSdkValidationError(`Invalid IntegrationAuthProvider configuration`,{issues:result.issues});return result.output}function assertIntegrationAuthParams(config){__parseIntegrationAuthParams(config)}function resolveIntegrationAuthParams(params){return __parseIntegrationAuthParams({consumerKey:params.AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_KEY,consumerSecret:params.AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_SECRET,accessToken:params.AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN,accessTokenSecret:params.AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN_SECRET})}const IMS_AUTH_PARAMS=[`AIO_COMMERCE_AUTH_IMS_CLIENT_ID`,`AIO_COMMERCE_AUTH_IMS_CLIENT_SECRETS`,`AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_ID`,`AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_EMAIL`,`AIO_COMMERCE_AUTH_IMS_ORG_ID`,`AIO_COMMERCE_AUTH_IMS_SCOPES`],INTEGRATION_AUTH_PARAMS=[`AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_KEY`,`AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_SECRET`,`AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN`,`AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN_SECRET`];function resolveAuthParams(params){if(allNonEmpty(params,IMS_AUTH_PARAMS))return{...resolveImsAuthParams(params),strategy:`ims`};if(allNonEmpty(params,INTEGRATION_AUTH_PARAMS))return{...resolveIntegrationAuthParams(params),strategy:`integration`};throw Error(`Can't resolve authentication options for the given params. Please provide either IMS options (${IMS_AUTH_PARAMS.join(`, `)}) or Commerce integration options (${INTEGRATION_AUTH_PARAMS.join(`, `)}).`)}export{assertImsAuthParams,assertIntegrationAuthParams,forwardImsAuthProvider,getForwardedImsAuthProvider,getImsAuthProvider,getIntegrationAuthProvider,isImsAuthProvider,isIntegrationAuthProvider,resolveAuthParams};
+import { createHeaderAccessor, getHeader, getHeadersFromParams, parseBearerToken } from "@adobe/aio-commerce-lib-core/headers";
+import * as v from "valibot";
+import { array, email, instance, minLength, nonEmpty, nonOptional, object, optional, parse, picklist, pipe, rawTransform, safeParse, string, transform, union, url } from "valibot";
+import { CommerceSdkValidationError } from "@adobe/aio-commerce-lib-core/error";
+import aioLibIms from "@adobe/aio-lib-ims";
+import crypto from "crypto";
+import OAuth1a from "oauth-1.0a";
+import { allNonEmpty } from "@adobe/aio-commerce-lib-core/params";
+//#region ../../packages-private/common-utils/source/valibot/schemas.ts
+/**
+* A schema for a string value.
+* @param name The name of the field this schema refers to.
+*/
+function stringValueSchema(name) {
+	return v.string(`Expected a string value for '${name}'`);
+}
+//#endregion
+//#region ../../packages-private/common-utils/source/valibot/utils.ts
+/**
+* Parses the input using the provided schema and throws a {@link CommerceSdkValidationError} error if the input is invalid.
+* @param schema - The schema to use for parsing.
+* @param input - The input to parse.
+* @param message - Optional custom error message for the validation error.
+*/
+function parseOrThrow(schema, input, message) {
+	const result = v.safeParse(schema, input);
+	if (!result.success) throw new CommerceSdkValidationError(message ?? "Invalid input", { issues: result.issues });
+	return result.output;
+}
+//#endregion
+//#region source/lib/ims-auth/schema.ts
+/**
+* Creates a validation schema for a required IMS auth string parameter.
+* @param name The name of the parameter for error messages.
+* @returns A validation pipeline that ensures the parameter is a non-empty string.
+*/
+const imsAuthParameter = (name) => pipe(string(`Expected a string value for the IMS auth parameter ${name}`), nonEmpty(`Expected a non-empty string value for the IMS auth parameter ${name}`));
+/**
+* Creates a validation schema for an IMS auth string array parameter.
+* @param name The name of the parameter for error messages.
+* @param minimumLength The minimum length of the array.
+* @returns A validation pipeline that ensures the parameter is an array of strings.
+*/
+const stringArray = (name, minimumLength) => {
+	return pipe(array(string(), `Expected a string array value for the IMS auth parameter ${name}`), minLength(minimumLength, `Expected at least ${minimumLength} items for the IMS auth parameter ${name}`));
+};
+/**
+* Schema for transforming a value that may be a JSON string array or a single string into an array.
+* This schema handles the transformation of App Builder action inputs that may come as JSON strings.
+*/
+const StringArrayTransformSchema = (name) => pipe(union([stringArray(name, 1), pipe(string(), rawTransform(({ dataset: { value: v }, addIssue, NEVER }) => {
+	if (v.startsWith("[") && v.endsWith("]")) try {
+		const parsed = JSON.parse(v);
+		if (!Array.isArray(parsed)) {
+			addIssue({
+				received: v,
+				message: `Expected a valid JSON array for the IMS auth parameter ${name}: ${v}`
+			});
+			return NEVER;
+		}
+		return parsed;
+	} catch (error) {
+		const errorMessage = error.message;
+		addIssue({
+			received: v,
+			message: `Expected a valid JSON array for the IMS auth parameter ${name}: ${errorMessage}`
+		});
+		return NEVER;
+	}
+	return [v];
+}))]), stringArray("value", 1));
+/** Validation schema for IMS auth environment values. */
+const ImsAuthEnvSchema = picklist(["prod", "stage"]);
+/** Defines the schema to validate the necessary parameters for the IMS auth service. */
+const ImsAuthParamsSchema = object({
+	clientId: imsAuthParameter("clientId"),
+	clientSecrets: stringArray("clientSecrets", 1),
+	technicalAccountId: imsAuthParameter("technicalAccountId"),
+	technicalAccountEmail: pipe(string("Expected a string value for the IMS auth parameter technicalAccountEmail"), email("Expected a valid email format for technicalAccountEmail")),
+	imsOrgId: imsAuthParameter("imsOrgId"),
+	environment: pipe(optional(ImsAuthEnvSchema)),
+	context: pipe(optional(string())),
+	scopes: stringArray("scopes", 1)
+});
+//#endregion
+//#region source/lib/ims-auth/utils.ts
+/**
+* Transforms a value using the string array transformation schema.
+* @param value - The value to transform (may be a JSON string, single string, or array).
+* @throws {CommerceSdkValidationError} If the transformation fails.
+*
+* @internal
+*/
+function __transformStringArray(name, value) {
+	if (value === void 0) return;
+	const result = safeParse(StringArrayTransformSchema(name), value);
+	if (!result.success) throw new CommerceSdkValidationError("Invalid ImsAuthProvider configuration", { issues: result.issues });
+	return result.output;
+}
+/**
+* Parses the provided configuration for an {@link ImsAuthProvider}.
+* @param config - The configuration to parse.
+* @throws {CommerceSdkValidationError} If the configuration is invalid.
+*
+* @internal
+*/
+function __parseImsAuthParams(config) {
+	const result = safeParse(ImsAuthParamsSchema, config);
+	if (!result.success) throw new CommerceSdkValidationError("Invalid ImsAuthProvider configuration", { issues: result.issues });
+	return result.output;
+}
+/**
+* Asserts the provided configuration for an {@link ImsAuthProvider}.
+* @param config The configuration to validate.
+* @throws {CommerceSdkValidationError} If the configuration is invalid.
+* @example
+* ```typescript
+* const config = {
+*   clientId: "your-client-id",
+*   clientSecrets: ["your-client-secret"],
+*   technicalAccountId: "your-technical-account-id",
+*   technicalAccountEmail: "your-account@example.com",
+*   imsOrgId: "your-ims-org-id@AdobeOrg",
+*   scopes: ["AdobeID", "openid"],
+*   environment: "prod", // or "stage"
+*   context: "my-app-context"
+* };
+*
+* // This will validate the config and throw if invalid
+* assertImsAuthParams(config);
+*```
+* @example
+* ```typescript
+* // Example of a failing assert:
+* try {
+*   assertImsAuthParams({
+*     clientId: "valid-client-id",
+*     // Missing required fields like clientSecrets, technicalAccountId, etc.
+*   });
+* } catch (error) {
+*   console.error(error.message); // "Invalid ImsAuthProvider configuration"
+*   console.error(error.issues); // Array of validation issues
+* }
+* ```
+*/
+function assertImsAuthParams(config) {
+	__parseImsAuthParams(config);
+}
+/**
+* Resolves an {@link ImsAuthParams} from the given App Builder action inputs.
+* @param params The App Builder action inputs to resolve the IMS authentication parameters from.
+* @throws {CommerceSdkValidationError} If the parameters are invalid and cannot be resolved.
+*
+* @example
+* ```typescript
+* // Some App Builder runtime action that needs IMS authentication
+* export function main(params) {
+*   const imsAuthProvider = getImsAuthProvider(resolveImsAuthParams(params));
+*
+*   // Get headers for API requests
+*   const headers = await authProvider.getHeaders();
+*   const response = await fetch('https://api.adobe.io/some-endpoint', {
+*     headers: await authProvider.getHeaders()
+*   });
+* }
+* ```
+*/
+function resolveImsAuthParams(params) {
+	return __parseImsAuthParams({
+		clientId: params.AIO_COMMERCE_AUTH_IMS_CLIENT_ID,
+		clientSecrets: __transformStringArray("AIO_COMMERCE_AUTH_IMS_CLIENT_SECRETS", params.AIO_COMMERCE_AUTH_IMS_CLIENT_SECRETS),
+		technicalAccountId: params.AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_ID,
+		technicalAccountEmail: params.AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_EMAIL,
+		imsOrgId: params.AIO_COMMERCE_AUTH_IMS_ORG_ID,
+		scopes: __transformStringArray("AIO_COMMERCE_AUTH_IMS_SCOPES", params.AIO_COMMERCE_AUTH_IMS_SCOPES),
+		environment: params.AIO_COMMERCE_AUTH_IMS_ENVIRONMENT,
+		context: params.AIO_COMMERCE_AUTH_IMS_CONTEXT
+	});
+}
+/**
+* Shorthand to build IMS authentication headers.
+* @param accessToken - The token to use in the Authorization header.
+* @param apiKey - The API key to include in the x-api-key header (optional).
+*/
+function buildImsHeaders(accessToken, apiKey) {
+	const imsHeaders = { Authorization: `Bearer ${accessToken}` };
+	if (apiKey) imsHeaders["x-api-key"] = apiKey;
+	return imsHeaders;
+}
+//#endregion
+//#region source/lib/ims-auth/forwarding.ts
+const IMS_AUTH_TOKEN_PARAM = "AIO_COMMERCE_AUTH_IMS_TOKEN";
+const IMS_AUTH_API_KEY_PARAM = "AIO_COMMERCE_AUTH_IMS_API_KEY";
+const ImsAuthParamsInputSchema = v.looseObject({
+	[IMS_AUTH_TOKEN_PARAM]: stringValueSchema(IMS_AUTH_TOKEN_PARAM),
+	[IMS_AUTH_API_KEY_PARAM]: v.optional(stringValueSchema(IMS_AUTH_API_KEY_PARAM))
+});
+const ForwardedImsAuthSourceSchema = v.variant("from", [
+	v.object({
+		from: v.literal("headers"),
+		headers: v.record(v.string(), v.optional(v.string()))
+	}),
+	v.object({
+		from: v.literal("getter"),
+		getHeaders: v.custom((input) => typeof input === "function", "Expected a function for getHeaders")
+	}),
+	v.object({
+		from: v.literal("params"),
+		params: ImsAuthParamsInputSchema
+	})
+]);
+/**
+* Creates an {@link ImsAuthProvider} by forwarding authentication credentials from various sources.
+*
+* @param source The source of the credentials to forward, as a {@link ForwardedImsAuthSource}.
+* @returns An {@link ImsAuthProvider} instance that returns the forwarded access token and headers.
+*
+* @throws {CommerceSdkValidationError} If the source object is invalid.
+* @throws {CommerceSdkValidationError} If `from: "headers"` is used and the `Authorization` header is missing.
+* @throws {CommerceSdkValidationError} If `from: "headers"` is used and the `Authorization` header is not in Bearer token format.
+* @throws {CommerceSdkValidationError} If `from: "params"` is used and `AIO_COMMERCE_AUTH_IMS_TOKEN` is missing or empty.
+*
+* @example
+* ```typescript
+* import { getForwardedImsAuthProvider } from "@adobe/aio-commerce-lib-auth";
+*
+* // From raw headers (e.g. from an HTTP request).
+* const provider1 = getForwardedImsAuthProvider({
+*   from: "headers",
+*   headers: params.__ow_headers,
+* });
+*
+* // From async getter (e.g. fetch from secret manager)
+* const provider2 = getForwardedImsAuthProvider({
+*   from: "getter",
+*   getHeaders: async () => {
+*     const token = await secretManager.getSecret("ims-token");
+*     return { Authorization: `Bearer ${token}` };
+*   },
+* });
+*
+* // From a params object (using AIO_COMMERCE_AUTH_IMS_TOKEN and AIO_COMMERCE_AUTH_IMS_API_KEY keys)
+* const provider3 = getForwardedImsAuthProvider({
+*   from: "params",
+*   params: actionParams,
+* });
+*
+* // Use the provider
+* const token = await provider1.getAccessToken();
+* const headers = await provider1.getHeaders();
+* ```
+*/
+function getForwardedImsAuthProvider(source) {
+	const validatedSource = parseOrThrow(ForwardedImsAuthSourceSchema, source, "Invalid forwarded IMS auth source");
+	switch (validatedSource.from) {
+		case "headers": {
+			const { authorization } = createHeaderAccessor(validatedSource.headers, ["Authorization"]);
+			const apiKey = getHeader(validatedSource.headers, "x-api-key");
+			const { token } = parseBearerToken(authorization);
+			return {
+				getAccessToken: () => token,
+				getHeaders: () => buildImsHeaders(token, apiKey)
+			};
+		}
+		case "getter": return {
+			getHeaders: validatedSource.getHeaders,
+			getAccessToken: async () => {
+				const { token } = parseBearerToken((await validatedSource.getHeaders()).Authorization);
+				return token;
+			}
+		};
+		case "params": {
+			const { params } = validatedSource;
+			const accessToken = params[IMS_AUTH_TOKEN_PARAM];
+			const apiKey = params[IMS_AUTH_API_KEY_PARAM];
+			return {
+				getAccessToken: () => accessToken,
+				getHeaders: () => buildImsHeaders(accessToken, apiKey)
+			};
+		}
+	}
+}
+/**
+* Creates an {@link ImsAuthProvider} by forwarding authentication credentials from incoming
+* runtime action request headers.
+*
+* This is a convenience wrapper around {@link getForwardedImsAuthProvider} for the common case
+* of forwarding credentials from Adobe I/O Runtime action parameters.
+*
+* @param params The runtime action parameters containing the `__ow_headers` object with authentication headers.
+* @returns An {@link ImsAuthProvider} instance that returns the forwarded access token and headers.
+*
+* @throws {Error} If the `Authorization` header is missing from the request headers.
+* @throws {Error} If the `Authorization` header is not in the correct Bearer token format.
+*
+* @example
+* ```typescript
+* import { forwardImsAuthProviderFromRequest } from "@adobe/aio-commerce-lib-auth";
+*
+* // In an Adobe I/O Runtime action
+* async function main(params) {
+*   // params.__ow_headers contains: { Authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."}
+*
+*   // Forward the authentication from the incoming request
+*   const authProvider = forwardImsAuthProviderFromRequest(params);
+*
+*   // Get the forwarded access token
+*   const token = await authProvider.getAccessToken();
+*   console.log(token); // "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."
+*
+*   // Get headers for downstream API requests
+*   const headers = await authProvider.getHeaders();
+*   console.log(headers);
+*   // {
+*   //   Authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...",
+*   //   "x-api-key": "client-id-from-request" // Only if present in original request
+*   // }
+*
+*   // Use the forwarded credentials in downstream API calls
+*   const response = await fetch('...', {
+*     headers: await authProvider.getHeaders()
+*   });
+*
+*   return { statusCode: 200, body: await response.json() };
+* }
+* ```
+*/
+function forwardImsAuthProviderFromRequest(params) {
+	return getForwardedImsAuthProvider({
+		from: "headers",
+		headers: getHeadersFromParams(params)
+	});
+}
+/**
+* Creates an {@link ImsAuthProvider} by forwarding authentication credentials from a params object.
+*
+* This is a convenience wrapper around {@link getForwardedImsAuthProvider} for the common case
+* of forwarding credentials from runtime action parameters. It reads:
+* - `AIO_COMMERCE_AUTH_IMS_TOKEN` for the access token (required)
+* - `AIO_COMMERCE_AUTH_IMS_API_KEY` for the API key (optional)
+*
+* @param params The params object containing the authentication credentials.
+* @returns An {@link ImsAuthProvider} instance that returns the access token and headers from the params.
+*
+* @throws {CommerceSdkValidationError} If `AIO_COMMERCE_AUTH_IMS_TOKEN` is not set or is empty.
+*
+* @example
+* ```typescript
+* import { forwardImsAuthProviderFromParams } from "@adobe/aio-commerce-lib-auth";
+*
+* // In an Adobe I/O Runtime action
+* async function main(params) {
+*   // params contains: { AIO_COMMERCE_AUTH_IMS_TOKEN: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..." }
+*   const authProvider = forwardImsAuthProviderFromParams(params);
+*
+*   // Get the access token
+*   const token = await authProvider.getAccessToken();
+*
+*   // Get headers for downstream API requests
+*   const headers = await authProvider.getHeaders();
+*   // {
+*   //   Authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...",
+*   //   "x-api-key": "my-api-key" // Only if AIO_COMMERCE_AUTH_IMS_API_KEY is set
+*   // }
+* }
+* ```
+*/
+function forwardImsAuthProviderFromParams(params) {
+	return getForwardedImsAuthProvider({
+		from: "params",
+		params: parseOrThrow(ImsAuthParamsInputSchema, params, "Missing AIO_COMMERCE_AUTH_IMS_TOKEN in params")
+	});
+}
+/**
+* Creates an {@link ImsAuthProvider} by forwarding authentication credentials from runtime action parameters.
+*
+* This function automatically detects the source of credentials by trying multiple strategies in order:
+* 1. **Params token** - Looks for `AIO_COMMERCE_AUTH_IMS_TOKEN` (and optionally `AIO_COMMERCE_AUTH_IMS_API_KEY`) in the params object
+* 2. **HTTP headers** - Falls back to extracting the `Authorization` header from `__ow_headers`
+*
+* Use this function when building actions that receive authenticated requests and need to forward
+* those credentials to downstream services (proxy pattern).
+*
+* @param params The runtime action parameters object. Can contain either:
+*   - `AIO_COMMERCE_AUTH_IMS_TOKEN` and optionally `AIO_COMMERCE_AUTH_IMS_API_KEY` for direct token forwarding
+*   - `__ow_headers` with an `Authorization` header for HTTP request forwarding
+* @returns An {@link ImsAuthProvider} instance that returns the forwarded access token and headers.
+*
+* @throws {Error} If neither a valid token param nor Authorization header is found.
+*
+* @example
+* ```typescript
+* import { forwardImsAuthProvider } from "@adobe/aio-commerce-lib-auth";
+*
+* export async function main(params: Record<string, unknown>) {
+*   // Automatically detects credentials from params or headers
+*   const authProvider = forwardImsAuthProvider(params);
+*
+*   // Get the access token
+*   const token = await authProvider.getAccessToken();
+*
+*   // Get headers for downstream API requests
+*   const headers = await authProvider.getHeaders();
+*   // {
+*   //   Authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...",
+*   //   "x-api-key": "my-api-key" // Only if available
+*   // }
+*
+*   // Use the forwarded credentials in downstream API calls
+*   const response = await fetch("https://api.adobe.io/some-endpoint", {
+*     headers,
+*   });
+*
+*   return { statusCode: 200, body: await response.json() };
+* }
+* ```
+*/
+function forwardImsAuthProvider(params) {
+	try {
+		return forwardImsAuthProviderFromParams(params);
+	} catch {}
+	try {
+		return forwardImsAuthProviderFromRequest(params);
+	} catch {}
+	throw new Error("Can't forward IMS authentication from the given params. Make sure your params contain an AIO_COMMERCE_AUTH_IMS_TOKEN input or an Authorization header with an IMS token.");
+}
+//#endregion
+//#region source/lib/ims-auth/provider.ts
+const { context, getToken } = aioLibIms;
+/**
+* Converts IMS auth configuration properties to snake_case format.
+* @param config The IMS auth configuration with camelCase properties.
+* @returns The configuration with snake_case properties.
+*/
+function toImsAuthConfig(config) {
+	return {
+		scopes: config.scopes,
+		env: config?.environment ?? "prod",
+		context: config.context ?? "aio-commerce-lib-auth-creds",
+		client_id: config.clientId,
+		client_secrets: config.clientSecrets,
+		technical_account_id: config.technicalAccountId,
+		technical_account_email: config.technicalAccountEmail,
+		ims_org_id: config.imsOrgId
+	};
+}
+/**
+* Type guard to check if a value is an ImsAuthProvider instance.
+*
+* @param provider The value to check.
+* @returns `true` if the value is an ImsAuthProvider, `false` otherwise.
+*
+* @example
+* ```typescript
+* import { getImsAuthProvider, isImsAuthProvider } from "@adobe/aio-commerce-lib-auth";
+*
+* // Imagine you have an object that it's not strictly typed as ImsAuthProvider.
+* const provider = getImsAuthProvider({ ... }) as unknown;
+*
+* if (isImsAuthProvider(provider)) {
+*   // TypeScript knows provider is ImsAuthProvider
+*   const token = await provider.getAccessToken();
+* }
+* ```
+*/
+function isImsAuthProvider(provider) {
+	return typeof provider === "object" && provider !== null && "getAccessToken" in provider && "getHeaders" in provider && typeof provider.getAccessToken === "function" && typeof provider.getHeaders === "function";
+}
+/**
+* Creates an {@link ImsAuthProvider} based on the provided configuration.
+* @param authParams An {@link ImsAuthParams} parameter that contains the configuration for the {@link ImsAuthProvider}.
+* @returns An {@link ImsAuthProvider} instance that can be used to get access token and auth headers.
+* @example
+* ```typescript
+* const config = {
+*   clientId: "your-client-id",
+*   clientSecrets: ["your-client-secret"],
+*   technicalAccountId: "your-technical-account-id",
+*   technicalAccountEmail: "your-account@example.com",
+*   imsOrgId: "your-ims-org-id@AdobeOrg",
+*   scopes: ["AdobeID", "openid"],
+*   environment: "prod",
+*   context: "my-app-context"
+* };
+*
+* const authProvider = getImsAuthProvider(config);
+*
+* // Get access token
+* const token = await authProvider.getAccessToken();
+* console.log(token); // "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."
+*
+* // Get headers for API requests
+* const headers = await authProvider.getHeaders();
+* console.log(headers);
+* // {
+* //   Authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...",
+* //   "x-api-key": "your-client-id"
+* // }
+*
+* // Use headers in API calls
+* const response = await fetch('https://api.adobe.io/some-endpoint', {
+*   headers: await authProvider.getHeaders()
+* });
+* ```
+*/
+function getImsAuthProvider(authParams) {
+	const getAccessToken = async () => {
+		const imsAuthConfig = toImsAuthConfig(authParams);
+		await context.set(imsAuthConfig.context, imsAuthConfig);
+		return getToken(imsAuthConfig.context, {});
+	};
+	const getHeaders = async () => {
+		return buildImsHeaders(await getAccessToken(), authParams.clientId);
+	};
+	return {
+		getAccessToken,
+		getHeaders
+	};
+}
+//#endregion
+//#region source/lib/integration-auth/schema.ts
+/**
+* Creates a validation schema for a required Commerce Integration string parameter.
+* @param name The name of the parameter for error messages.
+* @returns A validation pipeline that ensures the parameter is a non-empty string.
+*/
+const integrationAuthParameter = (name) => pipe(string(`Expected a string value for the Commerce Integration parameter ${name}`), nonEmpty(`Expected a non-empty string value for the Commerce Integration parameter ${name}`));
+/** Validation schema for the Adobe Commerce endpoint base URL. */
+const BaseUrlSchema = pipe(string("Expected a string for the Adobe Commerce endpoint"), nonEmpty("Expected a non-empty string for the Adobe Commerce endpoint"), url("Expected a valid url for the Adobe Commerce endpoint"));
+/** Validation schema that accepts either a URL string or URL instance and normalizes to string. */
+const UrlSchema = pipe(union([BaseUrlSchema, instance(URL)]), transform((url) => {
+	if (url instanceof URL) return url.toString();
+	return url;
+}));
+/**
+* The schema for the Commerce Integration parameters.
+* This is used to validate the parameters passed to the Commerce Integration provider.
+*/
+const IntegrationAuthParamsSchema = nonOptional(object({
+	consumerKey: integrationAuthParameter("consumerKey"),
+	consumerSecret: integrationAuthParameter("consumerSecret"),
+	accessToken: integrationAuthParameter("accessToken"),
+	accessTokenSecret: integrationAuthParameter("accessTokenSecret")
+}));
+//#endregion
+//#region source/lib/integration-auth/provider.ts
+/**
+* Type guard to check if a value is an IntegrationAuthProvider instance.
+*
+* @param provider The value to check.
+* @returns `true` if the value is an IntegrationAuthProvider, `false` otherwise.
+*
+* @example
+* ```typescript
+* import { getIntegrationAuthProvider, isIntegrationAuthProvider } from "@adobe/aio-commerce-lib-auth";
+*
+* // Imagine you have an object that it's not strictly typed as IntegrationAuthProvider.
+* const provider = getIntegrationAuthProvider({ ... }) as unknown;
+*
+* if (isIntegrationAuthProvider(provider)) {
+*   // TypeScript knows provider is IntegrationAuthProvider
+*   const headers = provider.getHeaders("GET", "https://api.example.com");
+* }
+* ```
+*/
+function isIntegrationAuthProvider(provider) {
+	return typeof provider === "object" && provider !== null && "getHeaders" in provider && typeof provider.getHeaders === "function";
+}
+/**
+* Creates an {@link IntegrationAuthProvider} based on the provided configuration.
+* @param authParams The configuration for the integration.
+* @returns An {@link IntegrationAuthProvider} instance that can be used to get auth headers.
+* @example
+* ```typescript
+* const config = {
+*   consumerKey: "your-consumer-key",
+*   consumerSecret: "your-consumer-secret",
+*   accessToken: "your-access-token",
+*   accessTokenSecret: "your-access-token-secret"
+* };
+*
+* const authProvider = getIntegrationAuthProvider(config);
+*
+* // Get OAuth headers for a REST API call
+* const headers = authProvider.getHeaders("GET", "https://your-store.com/rest/V1/products");
+* console.log(headers); // { Authorization: "OAuth oauth_consumer_key=..., oauth_signature=..." }
+*
+* // Can also be used with URL objects
+* const url = new URL("https://your-store.com/rest/V1/customers");
+* const postHeaders = authProvider.getHeaders("POST", url);
+* ```
+*/
+function getIntegrationAuthProvider(authParams) {
+	const oauth = new OAuth1a({
+		consumer: {
+			key: authParams.consumerKey,
+			secret: authParams.consumerSecret
+		},
+		signature_method: "HMAC-SHA256",
+		hash_function: (baseString, key) => crypto.createHmac("sha256", key).update(baseString).digest("base64")
+	});
+	const oauthToken = {
+		key: authParams.accessToken,
+		secret: authParams.accessTokenSecret
+	};
+	return { getHeaders: (method, url) => {
+		const urlString = parse(UrlSchema, url);
+		return oauth.toHeader(oauth.authorize({
+			url: urlString,
+			method
+		}, oauthToken));
+	} };
+}
+//#endregion
+//#region source/lib/integration-auth/utils.ts
+/**
+* Parses the provided configuration for an {@link IntegrationAuthProvider}.
+* @param config - The configuration to parse.
+* @throws {CommerceSdkValidationError} If the configuration is invalid.
+*
+* @internal
+*/
+function __parseIntegrationAuthParams(config) {
+	const result = safeParse(IntegrationAuthParamsSchema, config);
+	if (!result.success) throw new CommerceSdkValidationError("Invalid IntegrationAuthProvider configuration", { issues: result.issues });
+	return result.output;
+}
+/**
+* Asserts the provided configuration for an Adobe Commerce {@link IntegrationAuthProvider}.
+* @param config The configuration to validate.
+* @throws {CommerceSdkValidationError} If the configuration is invalid.
+* @example
+* ```typescript
+* const config = {
+*   consumerKey: "your-consumer-key",
+*   consumerSecret: "your-consumer-secret",
+*   accessToken: "your-access-token",
+*   accessTokenSecret: "your-access-token-secret"
+* };
+*
+* // This will validate the config and throw if invalid
+* assertIntegrationAuthParams(config);
+* ```
+* @example
+* ```typescript
+* // Example of a failing assert:
+* try {
+*   assertIntegrationAuthParams({
+*     consumerKey: "valid-consumer-key",
+*     // Missing required fields like consumerSecret, accessToken, accessTokenSecret
+*   });
+* } catch (error) {
+*   console.error(error.message); // "Invalid IntegrationAuthProvider configuration"
+*   console.error(error.issues); // Array of validation issues
+* }
+* ```
+*/
+function assertIntegrationAuthParams(config) {
+	__parseIntegrationAuthParams(config);
+}
+/**
+* Resolves an {@link IntegrationAuthParams} from the given App Builder action inputs.
+* @param params The App Builder action inputs to resolve the Integration authentication parameters from.
+* @throws {CommerceSdkValidationError} If the parameters are invalid and cannot be resolved.
+*
+* @example
+* ```typescript
+* export function main(params) {
+*   const resolvedParams = resolveIntegrationAuthParams(params);
+*   console.log(resolvedParams); // { consumerKey: "your-consumer-key", consumerSecret: "your-consumer-secret", accessToken: "your-access-token", accessTokenSecret: "your-access-token-secret" }
+* }
+* ```
+*/
+function resolveIntegrationAuthParams(params) {
+	return __parseIntegrationAuthParams({
+		consumerKey: params.AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_KEY,
+		consumerSecret: params.AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_SECRET,
+		accessToken: params.AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN,
+		accessTokenSecret: params.AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN_SECRET
+	});
+}
+//#endregion
+//#region source/lib/utils.ts
+const IMS_AUTH_PARAMS = [
+	"AIO_COMMERCE_AUTH_IMS_CLIENT_ID",
+	"AIO_COMMERCE_AUTH_IMS_CLIENT_SECRETS",
+	"AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_ID",
+	"AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_EMAIL",
+	"AIO_COMMERCE_AUTH_IMS_ORG_ID",
+	"AIO_COMMERCE_AUTH_IMS_SCOPES"
+];
+const INTEGRATION_AUTH_PARAMS = [
+	"AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_KEY",
+	"AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_SECRET",
+	"AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN",
+	"AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN_SECRET"
+];
+/**
+* Automatically detects and resolves authentication parameters from App Builder action inputs.
+* Attempts to resolve IMS authentication first, then falls back to Integration authentication.
+*
+* @param params The App Builder action inputs containing authentication parameters.
+* @throws {CommerceSdkValidationError} If the parameters are invalid.
+* @throws {Error} If neither IMS nor Integration authentication parameters can be resolved.
+* @example
+* ```typescript
+* // Automatic detection (will use IMS if IMS params are present, otherwise Integration)
+* export function main(params) {
+*   const authProvider = resolveAuthParams(params);
+*   console.log(authProvider.strategy); // "ims" or "integration"
+* }
+* ```
+*/
+function resolveAuthParams(params) {
+	if (allNonEmpty(params, IMS_AUTH_PARAMS)) return {
+		...resolveImsAuthParams(params),
+		strategy: "ims"
+	};
+	if (allNonEmpty(params, INTEGRATION_AUTH_PARAMS)) return {
+		...resolveIntegrationAuthParams(params),
+		strategy: "integration"
+	};
+	throw new Error(`Can't resolve authentication options for the given params. Please provide either IMS options (${IMS_AUTH_PARAMS.join(", ")}) or Commerce integration options (${INTEGRATION_AUTH_PARAMS.join(", ")}).`);
+}
+//#endregion
+export { assertImsAuthParams, assertIntegrationAuthParams, forwardImsAuthProvider, getForwardedImsAuthProvider, getImsAuthProvider, getIntegrationAuthProvider, isImsAuthProvider, isIntegrationAuthProvider, resolveAuthParams };