npm - @corti/sdk - Versions diffs - 1.0.0-alpha → 1.0.0-alpha.1 - Mend

@corti/sdk 1.0.0-alpha → 1.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (399) hide show

package/dist/cjs/custom/OAuthAuthProvider.d.ts ADDED Viewed

@@ -0,0 +1,99 @@
+import type * as Corti from "../api/index.js";
+import type { BaseClientOptions } from "../BaseClient.js";
+import * as core from "../core/index.js";
+import { CLIENT_ID_PARAM, CLIENT_SECRET_PARAM, CODE_PARAM, CODE_VERIFIER_PARAM, PASSWORD_PARAM, REDIRECT_URI_PARAM, USERNAME_PARAM } from "./utils/oauthAuthHelpers.js";
+/** Patch: Re-export for consumers; implementation shared with OAuthRopcAuthProvider, OAuthAuthCodeAuthProvider and OAuthPkceAuthProvider. */
+export { BUFFER_IN_MINUTES, CLIENT_ID_PARAM, CLIENT_ID_REQUIRED_ERROR_MESSAGE, CLIENT_SECRET_PARAM, CLIENT_SECRET_REQUIRED_ERROR_MESSAGE, CODE_PARAM, CODE_VERIFIER_PARAM, getExpiresAt, PASSWORD_PARAM, PASSWORD_REQUIRED_ERROR_MESSAGE, REDIRECT_URI_PARAM, USERNAME_PARAM, USERNAME_REQUIRED_ERROR_MESSAGE, } from "./utils/oauthAuthHelpers.js";
+declare const TOKEN_PARAM: "token";
+export declare class OAuthAuthProvider implements core.AuthProvider {
+    private readonly options;
+    /**
+     * Patch: Use CortiAuth (real token endpoint) instead of AuthClient (fake-token).
+     */
+    private readonly authClient;
+    private accessToken;
+    private expiresAt;
+    private refreshPromise;
+    private storedRefreshToken;
+    private refreshExpiresAt;
+    constructor(options: OAuthAuthProvider.Options & OAuthAuthProvider.ClientCredentials);
+    static canCreate(options?: Partial<OAuthAuthProvider.ClientCredentials & BaseClientOptions>): boolean;
+    private clientIdSupplier;
+    private clientSecretSupplier;
+    getAuthRequest({ endpointMetadata, }?: {
+        endpointMetadata?: core.EndpointMetadata;
+    }): Promise<core.AuthRequest>;
+    private getToken;
+    private refresh;
+}
+export declare class OAuthTokenOverrideAuthProvider implements core.AuthProvider {
+    private readonly authClient;
+    private readonly _tokenSupplier;
+    private readonly _clientIdSupplier;
+    private readonly _refreshAccessToken;
+    private accessToken;
+    private expiresAt;
+    private storedRefreshToken;
+    private refreshExpiresAt;
+    private _seedPromise;
+    constructor(options: OAuthAuthProvider.TokenOverride & BaseClientOptions);
+    static canCreate(options?: Partial<OAuthAuthProvider.TokenOverride & BaseClientOptions>): options is OAuthAuthProvider.TokenOverride & BaseClientOptions;
+    getAuthRequest({ endpointMetadata, }?: {
+        endpointMetadata?: core.EndpointMetadata;
+    }): Promise<core.AuthRequest>;
+}
+export declare namespace OAuthAuthProvider {
+    const AUTH_SCHEME: "OAuth";
+    /** Patch: Message extended to mention ROPC (clientId, username, password). */
+    const AUTH_CONFIG_ERROR_MESSAGE: string;
+    type ClientCredentials = {
+        [CLIENT_ID_PARAM]: core.Supplier<string>;
+        [CLIENT_SECRET_PARAM]: core.Supplier<string>;
+    };
+    /**
+     * Patch: tokenType and expiresIn made optional — the provider only strictly needs accessToken.
+     * Mirrors AuthTokenResponse but relaxes the two required fields so custom refresh functions
+     * don't need to return fields the provider doesn't use.
+     */
+    type ExpectedTokenResponse = Omit<Corti.AuthTokenResponse, "tokenType" | "expiresIn"> & {
+        tokenType?: string;
+        expiresIn?: number;
+    };
+    /** Patch: Custom refresh function — sync or async, receives the last known refresh token. */
+    type RefreshAccessTokenFunction = (refreshToken?: string) => Promise<OAuthAuthProvider.ExpectedTokenResponse> | OAuthAuthProvider.ExpectedTokenResponse;
+    type TokenOverride = {
+        [TOKEN_PARAM]?: core.Supplier<string>;
+        /** Patch: Custom callback called to obtain/renew the access token. Takes priority over built-in clientId+refreshToken path. */
+        refreshAccessToken?: OAuthAuthProvider.RefreshAccessTokenFunction;
+        expiresIn?: number;
+        refreshToken?: string;
+        refreshExpiresIn?: number;
+        clientId?: core.Supplier<string>;
+        /** Patch: Pre-seeded token response from resolveClientOptions — avoids a second refreshAccessToken call on first API request. */
+        initialTokenResponse?: Promise<OAuthAuthProvider.ExpectedTokenResponse>;
+    };
+    /** Patch: ROPC grant credentials (clientId + username + password) */
+    type RopcCredentials = {
+        [CLIENT_ID_PARAM]: core.Supplier<string>;
+        [USERNAME_PARAM]: core.Supplier<string>;
+        [PASSWORD_PARAM]: core.Supplier<string>;
+    };
+    /** Patch: Authorization code credentials (clientId + clientSecret + code + redirectUri) */
+    type AuthCodeCredentials = {
+        [CLIENT_ID_PARAM]: core.Supplier<string>;
+        [CLIENT_SECRET_PARAM]: core.Supplier<string>;
+        [CODE_PARAM]: core.Supplier<string>;
+        [REDIRECT_URI_PARAM]: core.Supplier<string>;
+    };
+    /** Patch: PKCE credentials (clientId + code + redirectUri; no clientSecret) */
+    type PkceCredentials = {
+        [CLIENT_ID_PARAM]: core.Supplier<string>;
+        [CODE_PARAM]: core.Supplier<string>;
+        [REDIRECT_URI_PARAM]: core.Supplier<string>;
+        [CODE_VERIFIER_PARAM]?: core.Supplier<string>;
+    };
+    /** Patch: Include RopcCredentials, AuthCodeCredentials and PkceCredentials so CortiClient can use those auth flows. */
+    type AuthOptions = ClientCredentials | TokenOverride | RopcCredentials | AuthCodeCredentials | PkceCredentials;
+    type Options = BaseClientOptions & AuthOptions;
+    function createInstance(options: Options): core.AuthProvider;
+}

package/dist/cjs/custom/OAuthAuthProvider.js ADDED Viewed

@@ -0,0 +1,290 @@
+"use strict";
+// This file was auto-generated by Fern from our API Definition.
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthTokenOverrideAuthProvider = exports.OAuthAuthProvider = exports.USERNAME_REQUIRED_ERROR_MESSAGE = exports.USERNAME_PARAM = exports.REDIRECT_URI_PARAM = exports.PASSWORD_REQUIRED_ERROR_MESSAGE = exports.PASSWORD_PARAM = exports.getExpiresAt = exports.CODE_VERIFIER_PARAM = exports.CODE_PARAM = exports.CLIENT_SECRET_REQUIRED_ERROR_MESSAGE = exports.CLIENT_SECRET_PARAM = exports.CLIENT_ID_REQUIRED_ERROR_MESSAGE = exports.CLIENT_ID_PARAM = exports.BUFFER_IN_MINUTES = void 0;
+const core = __importStar(require("../core/index.js"));
+const CortiAuth_js_1 = require("./CortiAuth.js");
+const OAuthAuthCodeAuthProvider_js_1 = require("./OAuthAuthCodeAuthProvider.js");
+const OAuthPkceAuthProvider_js_1 = require("./OAuthPkceAuthProvider.js");
+const OAuthRopcAuthProvider_js_1 = require("./OAuthRopcAuthProvider.js");
+const oauthAuthHelpers_js_1 = require("./utils/oauthAuthHelpers.js");
+const errors = __importStar(require("../errors/index.js"));
+/** Patch: Re-export for consumers; implementation shared with OAuthRopcAuthProvider, OAuthAuthCodeAuthProvider and OAuthPkceAuthProvider. */
+var oauthAuthHelpers_js_2 = require("./utils/oauthAuthHelpers.js");
+Object.defineProperty(exports, "BUFFER_IN_MINUTES", { enumerable: true, get: function () { return oauthAuthHelpers_js_2.BUFFER_IN_MINUTES; } });
+Object.defineProperty(exports, "CLIENT_ID_PARAM", { enumerable: true, get: function () { return oauthAuthHelpers_js_2.CLIENT_ID_PARAM; } });
+Object.defineProperty(exports, "CLIENT_ID_REQUIRED_ERROR_MESSAGE", { enumerable: true, get: function () { return oauthAuthHelpers_js_2.CLIENT_ID_REQUIRED_ERROR_MESSAGE; } });
+Object.defineProperty(exports, "CLIENT_SECRET_PARAM", { enumerable: true, get: function () { return oauthAuthHelpers_js_2.CLIENT_SECRET_PARAM; } });
+Object.defineProperty(exports, "CLIENT_SECRET_REQUIRED_ERROR_MESSAGE", { enumerable: true, get: function () { return oauthAuthHelpers_js_2.CLIENT_SECRET_REQUIRED_ERROR_MESSAGE; } });
+Object.defineProperty(exports, "CODE_PARAM", { enumerable: true, get: function () { return oauthAuthHelpers_js_2.CODE_PARAM; } });
+Object.defineProperty(exports, "CODE_VERIFIER_PARAM", { enumerable: true, get: function () { return oauthAuthHelpers_js_2.CODE_VERIFIER_PARAM; } });
+Object.defineProperty(exports, "getExpiresAt", { enumerable: true, get: function () { return oauthAuthHelpers_js_2.getExpiresAt; } });
+Object.defineProperty(exports, "PASSWORD_PARAM", { enumerable: true, get: function () { return oauthAuthHelpers_js_2.PASSWORD_PARAM; } });
+Object.defineProperty(exports, "PASSWORD_REQUIRED_ERROR_MESSAGE", { enumerable: true, get: function () { return oauthAuthHelpers_js_2.PASSWORD_REQUIRED_ERROR_MESSAGE; } });
+Object.defineProperty(exports, "REDIRECT_URI_PARAM", { enumerable: true, get: function () { return oauthAuthHelpers_js_2.REDIRECT_URI_PARAM; } });
+Object.defineProperty(exports, "USERNAME_PARAM", { enumerable: true, get: function () { return oauthAuthHelpers_js_2.USERNAME_PARAM; } });
+Object.defineProperty(exports, "USERNAME_REQUIRED_ERROR_MESSAGE", { enumerable: true, get: function () { return oauthAuthHelpers_js_2.USERNAME_REQUIRED_ERROR_MESSAGE; } });
+const TOKEN_PARAM = "token";
+const TOKEN_PARAM_REQUIRED_ERROR_MESSAGE = `${TOKEN_PARAM} is required. Please provide it in options.`;
+class OAuthAuthProvider {
+    constructor(options) {
+        this.options = options;
+        /**
+         * Patch: Use CortiAuth (real token endpoint) instead of AuthClient (fake-token).
+         */
+        this.authClient = new CortiAuth_js_1.CortiAuth(options);
+        this.expiresAt = new Date();
+    }
+    static canCreate(options) {
+        return (options === null || options === void 0 ? void 0 : options[oauthAuthHelpers_js_1.CLIENT_ID_PARAM]) != null && (options === null || options === void 0 ? void 0 : options[oauthAuthHelpers_js_1.CLIENT_SECRET_PARAM]) != null;
+    }
+    clientIdSupplier() {
+        return __awaiter(this, arguments, void 0, function* ({ endpointMetadata, } = {}) {
+            const supplier = this.options[oauthAuthHelpers_js_1.CLIENT_ID_PARAM];
+            if (supplier == null) {
+                throw new errors.CortiError({
+                    message: oauthAuthHelpers_js_1.CLIENT_ID_REQUIRED_ERROR_MESSAGE,
+                });
+            }
+            return core.EndpointSupplier.get(supplier, { endpointMetadata });
+        });
+    }
+    clientSecretSupplier() {
+        return __awaiter(this, arguments, void 0, function* ({ endpointMetadata, } = {}) {
+            const supplier = this.options[oauthAuthHelpers_js_1.CLIENT_SECRET_PARAM];
+            if (supplier == null) {
+                throw new errors.CortiError({
+                    message: oauthAuthHelpers_js_1.CLIENT_SECRET_REQUIRED_ERROR_MESSAGE,
+                });
+            }
+            return core.EndpointSupplier.get(supplier, { endpointMetadata });
+        });
+    }
+    getAuthRequest() {
+        return __awaiter(this, arguments, void 0, function* ({ endpointMetadata, } = {}) {
+            const token = yield this.getToken({ endpointMetadata });
+            return {
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                },
+            };
+        });
+    }
+    getToken() {
+        return __awaiter(this, arguments, void 0, function* ({ endpointMetadata } = {}) {
+            if (this.accessToken && this.expiresAt > new Date()) {
+                return this.accessToken;
+            }
+            // If a refresh is already in progress, return the existing promise
+            if (this.refreshPromise != null) {
+                return this.refreshPromise;
+            }
+            return this.refresh({ endpointMetadata });
+        });
+    }
+    refresh() {
+        return __awaiter(this, arguments, void 0, function* ({ endpointMetadata } = {}) {
+            this.refreshPromise = (() => __awaiter(this, void 0, void 0, function* () {
+                try {
+                    const clientId = yield this.clientIdSupplier({ endpointMetadata });
+                    const clientSecret = yield this.clientSecretSupplier({ endpointMetadata });
+                    const tokenResponse = clientId && this.storedRefreshToken && this.refreshExpiresAt && this.refreshExpiresAt > new Date()
+                        ? yield this.authClient.refreshToken({
+                            clientId,
+                            refreshToken: this.storedRefreshToken,
+                        })
+                        : yield this.authClient.getToken({ clientId, clientSecret });
+                    this.accessToken = tokenResponse.accessToken;
+                    this.expiresAt = (0, oauthAuthHelpers_js_1.getExpiresAt)(tokenResponse.expiresIn, oauthAuthHelpers_js_1.BUFFER_IN_MINUTES);
+                    if (tokenResponse.refreshToken) {
+                        this.storedRefreshToken = tokenResponse.refreshToken;
+                        this.refreshExpiresAt = tokenResponse.refreshExpiresIn
+                            ? (0, oauthAuthHelpers_js_1.getExpiresAt)(tokenResponse.refreshExpiresIn, oauthAuthHelpers_js_1.BUFFER_IN_MINUTES)
+                            : undefined;
+                    }
+                    return this.accessToken;
+                }
+                finally {
+                    this.refreshPromise = undefined;
+                }
+            }))();
+            return this.refreshPromise;
+        });
+    }
+}
+exports.OAuthAuthProvider = OAuthAuthProvider;
+class OAuthTokenOverrideAuthProvider {
+    constructor(options) {
+        this._tokenSupplier = options[TOKEN_PARAM];
+        this._clientIdSupplier = options.clientId;
+        // Patch: store custom refresh callback
+        this._refreshAccessToken = options.refreshAccessToken;
+        this.expiresAt = options.expiresIn ? (0, oauthAuthHelpers_js_1.getExpiresAt)(options.expiresIn, oauthAuthHelpers_js_1.BUFFER_IN_MINUTES) : undefined;
+        this.storedRefreshToken = options.refreshToken;
+        this.refreshExpiresAt = options.refreshExpiresIn
+            ? (0, oauthAuthHelpers_js_1.getExpiresAt)(options.refreshExpiresIn, oauthAuthHelpers_js_1.BUFFER_IN_MINUTES)
+            : undefined;
+        if (options.clientId && options.refreshToken) {
+            this.authClient = new CortiAuth_js_1.CortiAuth(options);
+        }
+        // Patch: pre-seed token from discovery promise so getAuthRequest doesn't call refreshAccessToken again
+        if (options.initialTokenResponse) {
+            this._seedPromise = options.initialTokenResponse
+                .then((resp) => {
+                this.accessToken = resp.accessToken;
+                this.expiresAt = resp.expiresIn ? (0, oauthAuthHelpers_js_1.getExpiresAt)(resp.expiresIn, oauthAuthHelpers_js_1.BUFFER_IN_MINUTES) : undefined;
+                if (resp.refreshToken) {
+                    this.storedRefreshToken = resp.refreshToken;
+                    this.refreshExpiresAt = resp.refreshExpiresIn
+                        ? (0, oauthAuthHelpers_js_1.getExpiresAt)(resp.refreshExpiresIn, oauthAuthHelpers_js_1.BUFFER_IN_MINUTES)
+                        : undefined;
+                }
+            })
+                .finally(() => {
+                this._seedPromise = undefined;
+            });
+        }
+    }
+    static canCreate(options) {
+        // Patch: either token or refreshAccessToken is sufficient
+        return (options === null || options === void 0 ? void 0 : options[TOKEN_PARAM]) != null || (options === null || options === void 0 ? void 0 : options.refreshAccessToken) != null;
+    }
+    getAuthRequest() {
+        return __awaiter(this, arguments, void 0, function* ({ endpointMetadata, } = {}) {
+            // Patch: await seed promise so the initial token from resolveClientOptions is set before checking expiry
+            if (this._seedPromise) {
+                yield this._seedPromise;
+            }
+            const isExpiredOrAbsent = !this.accessToken || (this.expiresAt != null && this.expiresAt <= new Date());
+            // Patch: custom refreshAccessToken takes priority — call it when token is absent or expired
+            if (this._refreshAccessToken && isExpiredOrAbsent) {
+                const result = yield this._refreshAccessToken(this.storedRefreshToken);
+                this.accessToken = result.accessToken;
+                this.expiresAt = result.expiresIn ? (0, oauthAuthHelpers_js_1.getExpiresAt)(result.expiresIn, oauthAuthHelpers_js_1.BUFFER_IN_MINUTES) : undefined;
+                if (result.refreshToken) {
+                    this.storedRefreshToken = result.refreshToken;
+                    this.refreshExpiresAt = result.refreshExpiresIn
+                        ? (0, oauthAuthHelpers_js_1.getExpiresAt)(result.refreshExpiresIn, oauthAuthHelpers_js_1.BUFFER_IN_MINUTES)
+                        : undefined;
+                }
+                return { headers: { Authorization: `Bearer ${this.accessToken}` } };
+            }
+            // Built-in: if access token is expired and we have a valid SDK refresh token, use it
+            if (this.expiresAt != null &&
+                this.expiresAt <= new Date() &&
+                this._clientIdSupplier &&
+                this.storedRefreshToken &&
+                this.refreshExpiresAt &&
+                this.refreshExpiresAt > new Date() &&
+                this.authClient) {
+                const clientId = yield core.EndpointSupplier.get(this._clientIdSupplier, { endpointMetadata });
+                const tokenResponse = yield this.authClient.refreshToken({
+                    clientId,
+                    refreshToken: this.storedRefreshToken,
+                });
+                this.accessToken = tokenResponse.accessToken;
+                this.expiresAt = (0, oauthAuthHelpers_js_1.getExpiresAt)(tokenResponse.expiresIn, oauthAuthHelpers_js_1.BUFFER_IN_MINUTES);
+                if (tokenResponse.refreshToken) {
+                    this.storedRefreshToken = tokenResponse.refreshToken;
+                    this.refreshExpiresAt = tokenResponse.refreshExpiresIn
+                        ? (0, oauthAuthHelpers_js_1.getExpiresAt)(tokenResponse.refreshExpiresIn, oauthAuthHelpers_js_1.BUFFER_IN_MINUTES)
+                        : undefined;
+                }
+                return { headers: { Authorization: `Bearer ${this.accessToken}` } };
+            }
+            // Token not yet acquired — resolve from supplier (static token / initial value)
+            if (!this.accessToken) {
+                if (this._tokenSupplier == null) {
+                    throw new errors.CortiError({ message: TOKEN_PARAM_REQUIRED_ERROR_MESSAGE });
+                }
+                this.accessToken = yield core.EndpointSupplier.get(this._tokenSupplier, { endpointMetadata });
+            }
+            if (!this.accessToken) {
+                throw new errors.CortiError({ message: TOKEN_PARAM_REQUIRED_ERROR_MESSAGE });
+            }
+            return { headers: { Authorization: `Bearer ${this.accessToken}` } };
+        });
+    }
+}
+exports.OAuthTokenOverrideAuthProvider = OAuthTokenOverrideAuthProvider;
+(function (OAuthAuthProvider) {
+    OAuthAuthProvider.AUTH_SCHEME = "OAuth";
+    /** Patch: Message extended to mention ROPC (clientId, username, password). */
+    OAuthAuthProvider.AUTH_CONFIG_ERROR_MESSAGE = `Insufficient options to create OAuthAuthProvider. Please provide '${oauthAuthHelpers_js_1.CLIENT_ID_PARAM}' and '${oauthAuthHelpers_js_1.CLIENT_SECRET_PARAM}', or ${TOKEN_PARAM}, or ROPC (${oauthAuthHelpers_js_1.CLIENT_ID_PARAM}, username, password).`;
+    function createInstance(options) {
+        if (OAuthTokenOverrideAuthProvider.canCreate(options)) {
+            return new OAuthTokenOverrideAuthProvider(options);
+        }
+        /** Patch: ROPC provider before client credentials so ROPC auth is used when username+password provided. */
+        if (OAuthRopcAuthProvider_js_1.OAuthRopcAuthProvider.canCreate(options)) {
+            return new OAuthRopcAuthProvider_js_1.OAuthRopcAuthProvider(options);
+        }
+        /** Patch: PKCE provider before auth code — both have clientId+code+redirectUri, but PKCE has no clientSecret. */
+        if (OAuthPkceAuthProvider_js_1.OAuthPkceAuthProvider.canCreate(options)) {
+            return new OAuthPkceAuthProvider_js_1.OAuthPkceAuthProvider(options);
+        }
+        /** Patch: Auth code provider before client credentials — both have clientId+clientSecret, code+redirectUri distinguishes auth code. */
+        if (OAuthAuthCodeAuthProvider_js_1.OAuthAuthCodeAuthProvider.canCreate(options)) {
+            return new OAuthAuthCodeAuthProvider_js_1.OAuthAuthCodeAuthProvider(options);
+        }
+        if (OAuthAuthProvider.canCreate(options)) {
+            return new OAuthAuthProvider(options);
+        }
+        /** Patch: No credentials provided — proxy/passthrough mode; requests are sent without an Authorization header. */
+        const partialOptions = options;
+        const hasNoCredentials = partialOptions[oauthAuthHelpers_js_1.CLIENT_ID_PARAM] == null &&
+            partialOptions[oauthAuthHelpers_js_1.CLIENT_SECRET_PARAM] == null &&
+            partialOptions[TOKEN_PARAM] == null &&
+            partialOptions.refreshAccessToken == null &&
+            partialOptions[oauthAuthHelpers_js_1.USERNAME_PARAM] == null;
+        if (hasNoCredentials) {
+            return new core.NoOpAuthProvider();
+        }
+        throw new errors.CortiError({
+            message: OAuthAuthProvider.AUTH_CONFIG_ERROR_MESSAGE,
+        });
+    }
+    OAuthAuthProvider.createInstance = createInstance;
+})(OAuthAuthProvider || (exports.OAuthAuthProvider = OAuthAuthProvider = {}));

package/dist/cjs/custom/auth/CortiAuth.d.ts ADDED Viewed

@@ -0,0 +1,129 @@
+import type * as Corti from "../../api/index.js";
+import { AuthClient } from "../../api/resources/auth/client/Client.js";
+import type { OAuthAuthProvider } from "../../auth/OAuthAuthProvider.js";
+import * as core from "../../core/index.js";
+import { type Environment } from "../utils/environment.js";
+interface Options {
+    skipRedirect?: boolean;
+}
+export declare namespace CortiAuth {
+    /** Auth (clientId/clientSecret or token) is optional; credentials can be passed to getToken() instead. */
+    type Options = Omit<AuthClient.Options, "clientId" | "clientSecret" | "token" | "environment"> & Partial<OAuthAuthProvider.ClientCredentials> & Partial<OAuthAuthProvider.TokenOverride> & {
+        environment: Environment;
+    };
+    /** Optional scopes on getToken request. */
+    interface GetTokenRequest extends Corti.OAuthTokenRequest {
+        scopes?: string[];
+    }
+    /** ROPC (resource owner password credentials) request for getRopcFlowToken. */
+    interface GetRopcFlowTokenRequest {
+        clientId: string;
+        username: string;
+        password: string;
+        scopes?: string[];
+    }
+    /** Refresh token request for refreshToken. */
+    interface RefreshTokenRequest {
+        clientId: string;
+        refreshToken: string;
+        clientSecret?: string;
+        scopes?: string[];
+    }
+    /** Authorization code grant request for getCodeFlowToken. */
+    interface GetCodeFlowTokenRequest {
+        clientId: string;
+        clientSecret: string;
+        redirectUri: string;
+        code: string;
+        scopes?: string[];
+    }
+    /** PKCE grant request for getPkceFlowToken. codeVerifier is optional — if omitted, reads from localStorage. */
+    interface GetPkceFlowTokenRequest {
+        clientId: string;
+        redirectUri: string;
+        code: string;
+        codeVerifier?: string;
+        scopes?: string[];
+    }
+    /** Parameters for authorizeURL — builds the Keycloak authorization endpoint URL. */
+    interface AuthorizationCodeClient {
+        clientId: string;
+        redirectUri: string;
+        codeChallenge?: string;
+        scopes?: string[];
+    }
+    /** Parameters for authorizePkceUrl — like AuthorizationCodeClient but without codeChallenge (generated internally). */
+    interface PkceClient {
+        clientId: string;
+        redirectUri: string;
+        scopes?: string[];
+        codeVerifier?: string;
+    }
+}
+export declare class CortiAuth extends AuthClient {
+    /** No-op auth provider so super.token() does not trigger OAuth refresh. When auth is omitted, a dummy token is passed so the base constructor does not throw. */
+    constructor(options: CortiAuth.Options);
+    /**
+     * Exchange credentials for a short-lived access token using the tenant token endpoint (client_credentials).
+     * Resolves tenant from client options. Supports optional scopes (openid is always included).
+     *
+     * @param request - Client credentials and optional scopes
+     * @param requestOptions - Request-specific configuration
+     *
+     * @throws {@link Corti.BadRequestError}
+     * @throws {@link Corti.UnauthorizedError}
+     *
+     * @example
+     *     const response = await auth.getToken({
+     *         clientId: "client_id",
+     *         clientSecret: "client_secret",
+     *         scopes: ["profile"]
+     *     });
+     */
+    getToken(request: CortiAuth.GetTokenRequest, requestOptions?: AuthClient.RequestOptions): core.HttpResponsePromise<Corti.AuthTokenResponse>;
+    private _getTokenWithTenant;
+    /** Exchange username/password for access token via ROPC (resource owner password credentials). */
+    getRopcFlowToken(request: CortiAuth.GetRopcFlowTokenRequest, requestOptions?: AuthClient.RequestOptions): core.HttpResponsePromise<Corti.AuthTokenResponse>;
+    /**
+     * Exchange a refresh token for a new access token (refresh_token grant).
+     * Resolves tenant from client options.
+     *
+     * @param request - Client ID, refresh token, and optional scopes
+     * @param requestOptions - Request-specific configuration
+     *
+     * @throws {@link Corti.BadRequestError}
+     * @throws {@link Corti.UnauthorizedError}
+     *
+     * @example
+     *     const response = await auth.refreshToken({
+     *         clientId: "client_id",
+     *         refreshToken: "refresh_token",
+     *     });
+     */
+    refreshToken(request: CortiAuth.RefreshTokenRequest, requestOptions?: AuthClient.RequestOptions): core.HttpResponsePromise<Corti.AuthTokenResponse>;
+    /** Exchange an authorization code for an access token (authorization_code grant). */
+    getCodeFlowToken(request: CortiAuth.GetCodeFlowTokenRequest, requestOptions?: AuthClient.RequestOptions): core.HttpResponsePromise<Corti.AuthTokenResponse>;
+    /**
+     * Exchange a PKCE authorization code for an access token (authorization_code grant with code_verifier).
+     * If codeVerifier is omitted, it is read from localStorage (set by authorizePkceUrl).
+     */
+    getPkceFlowToken(request: CortiAuth.GetPkceFlowTokenRequest, requestOptions?: AuthClient.RequestOptions): core.HttpResponsePromise<Corti.AuthTokenResponse>;
+    /**
+     * Build the Keycloak authorization endpoint URL for the PKCE flow.
+     * Generates a code verifier if not provided, stores it in localStorage, and computes the challenge.
+     * In a browser environment, redirects to the URL unless skipRedirect is true.
+     */
+    authorizePkceUrl({ clientId, redirectUri, scopes, codeVerifier }: CortiAuth.PkceClient, options?: Options): Promise<string>;
+    /** Read the PKCE code verifier stored in localStorage by authorizePkceUrl. Returns null if not found. */
+    static getCodeVerifier(): string | null;
+    /**
+     * Build the Keycloak authorization endpoint URL for the authorization code flow.
+     * In a browser environment, redirects to the URL unless skipRedirect is true.
+     * In a server environment (no window), always returns the URL string.
+     *
+     * @param client - clientId, redirectUri, and optional codeChallenge/scopes
+     * @param options - { skipRedirect?: boolean }
+     */
+    authorizeURL({ clientId, redirectUri, codeChallenge, scopes }: CortiAuth.AuthorizationCodeClient, options?: Options): Promise<string>;
+}
+export {};