@foxscheduling/sdk 0.1.0

package/README.md

@@ -0,0 +1,58 @@
+# @foxscheduling/sdk
+
+Official Node.js SDK for the [Fox Scheduling Partner API](https://foxscheduling.com/developers).
+
+## Install
+
+```bash
+npm install @foxscheduling/sdk @foxscheduling/shared
+```
+
+## API key (single business)
+
+```typescript
+import { FoxScheduling } from "@foxscheduling/sdk";
+
+const fox = new FoxScheduling({
+  auth: { type: "apiKey", apiKey: process.env.FOX_API_KEY! },
+});
+
+const business = await fox.business.get();
+```
+
+Create keys under **Settings → API keys** in the Fox Scheduling dashboard.
+
+## OAuth (multi-tenant integrations)
+
+```typescript
+import { FoxScheduling, FileTokenStore } from "@foxscheduling/sdk";
+
+const fox = new FoxScheduling({
+  auth: {
+    type: "oauth",
+    clientId: process.env.FOX_CLIENT_ID!,
+    clientSecret: process.env.FOX_CLIENT_SECRET!,
+    redirectUri: "https://your-domain.com/oauth/callback",
+    tokenStore: new FileTokenStore("./fox-tokens.json"),
+  },
+});
+
+const { url, codeVerifier } = fox.oauth!.getAuthorizationUrl({
+  scopes: ["business:read", "bookings:read"],
+});
+// Redirect user to url, then on callback:
+await fox.oauth!.exchangeCode(code, codeVerifier);
+```
+
+## Webhook verification
+
+```typescript
+import { verifyFoxWebhookSignature } from "@foxscheduling/sdk";
+
+const ok = verifyFoxWebhookSignature({
+  secret: webhookSecret,
+  timestamp: req.headers["x-fox-timestamp"],
+  rawBody: req.rawBody,
+  signatureHex: req.headers["x-fox-signature"],
+});
+```

package/dist/auth/apiKey.d.ts

@@ -0,0 +1,10 @@
+export interface AuthProvider {
+    getAuthorizationHeader(): Promise<string>;
+    onUnauthorized?(): Promise<boolean>;
+}
+export declare class ApiKeyAuthProvider implements AuthProvider {
+    private readonly apiKey;
+    constructor(apiKey: string);
+    getAuthorizationHeader(): Promise<string>;
+}
+//# sourceMappingURL=apiKey.d.ts.map

package/dist/auth/apiKey.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"apiKey.d.ts","sourceRoot":"","sources":["../../src/auth/apiKey.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,YAAY;IAC3B,sBAAsB,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,cAAc,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;CACrC;AAUD,qBAAa,kBAAmB,YAAW,YAAY;IACzC,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,MAAM;IAQrC,sBAAsB,IAAI,OAAO,CAAC,MAAM,CAAC;CAGhD"}

package/dist/auth/apiKey.js

@@ -0,0 +1,17 @@
+function isBrowserEnvironment() {
+    return (typeof globalThis !== "undefined" &&
+        "document" in globalThis &&
+        typeof globalThis.document !== "undefined");
+}
+export class ApiKeyAuthProvider {
+    apiKey;
+    constructor(apiKey) {
+        this.apiKey = apiKey;
+        if (isBrowserEnvironment()) {
+            throw new Error("@foxscheduling/sdk: API keys must not be used in browser environments.");
+        }
+    }
+    async getAuthorizationHeader() {
+        return `Bearer ${this.apiKey}`;
+    }
+}

package/dist/auth/oauth.d.ts

@@ -0,0 +1,29 @@
+import type { OAuthScope } from "@foxscheduling/shared";
+import type { AuthorizationUrlResult, TokenSet } from "../types.js";
+import { TokenManager, type OAuthTokenClient } from "./tokenManager.js";
+import type { TokenStore } from "./tokenStore.js";
+import type { AuthProvider } from "./apiKey.js";
+export declare class OAuthClient implements OAuthTokenClient, AuthProvider {
+    private readonly config;
+    readonly tokenManager: TokenManager;
+    constructor(config: {
+        baseUrl: string;
+        clientId: string;
+        clientSecret?: string;
+        redirectUri: string;
+        tokenStore: TokenStore;
+        fetchImpl: typeof fetch;
+    });
+    getAuthorizationUrl(params: {
+        scopes: OAuthScope[];
+        state?: string;
+    }): AuthorizationUrlResult;
+    exchangeCode(code: string, codeVerifier: string): Promise<TokenSet>;
+    revoke(): Promise<void>;
+    getAuthorizationHeader(): Promise<string>;
+    onUnauthorized(): Promise<boolean>;
+    refresh(refreshToken: string): Promise<TokenSet>;
+    private exchangeAuthorizationCode;
+    private postToken;
+}
+//# sourceMappingURL=oauth.d.ts.map

package/dist/auth/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/auth/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,KAAK,EAAE,sBAAsB,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAMpE,OAAO,EACL,YAAY,EAEZ,KAAK,gBAAgB,EACtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAUhD,qBAAa,WAAY,YAAW,gBAAgB,EAAE,YAAY;IAI9D,OAAO,CAAC,QAAQ,CAAC,MAAM;IAHzB,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;gBAGjB,MAAM,EAAE;QACvB,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,WAAW,EAAE,MAAM,CAAC;QACpB,UAAU,EAAE,UAAU,CAAC;QACvB,SAAS,EAAE,OAAO,KAAK,CAAC;KACzB;IAKH,mBAAmB,CAAC,MAAM,EAAE;QAC1B,MAAM,EAAE,UAAU,EAAE,CAAC;QACrB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,GAAG,sBAAsB;IAmBpB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAUnE,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAqBvB,sBAAsB,IAAI,OAAO,CAAC,MAAM,CAAC;IAKzC,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC;IAWlC,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;YAYxC,yBAAyB;YAkBzB,SAAS;CAkBxB"}

package/dist/auth/oauth.js

@@ -0,0 +1,110 @@
+import { generateCodeChallengeS256, generateCodeVerifier, generateState, } from "./pkce.js";
+import { TokenManager, tokenSetFromOAuthResponse, } from "./tokenManager.js";
+export class OAuthClient {
+    config;
+    tokenManager;
+    constructor(config) {
+        this.config = config;
+        this.tokenManager = new TokenManager(config.tokenStore, this);
+    }
+    getAuthorizationUrl(params) {
+        const codeVerifier = generateCodeVerifier();
+        const state = params.state ?? generateState();
+        const query = new URLSearchParams({
+            client_id: this.config.clientId,
+            redirect_uri: this.config.redirectUri,
+            response_type: "code",
+            scope: params.scopes.join(" "),
+            state,
+            code_challenge: generateCodeChallengeS256(codeVerifier),
+            code_challenge_method: "S256",
+        });
+        return {
+            url: `${this.config.baseUrl}/oauth/authorize?${query.toString()}`,
+            codeVerifier,
+            state,
+        };
+    }
+    async exchangeCode(code, codeVerifier) {
+        const tokens = await this.exchangeAuthorizationCode({
+            code,
+            codeVerifier,
+            redirectUri: this.config.redirectUri,
+        });
+        await this.tokenManager.setTokens(tokens);
+        return tokens;
+    }
+    async revoke() {
+        const tokens = await this.config.tokenStore.load();
+        if (!tokens)
+            return;
+        const res = await this.config.fetchImpl(`${this.config.baseUrl}/oauth/revoke`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                token: tokens.refreshToken,
+                client_id: this.config.clientId,
+                ...(this.config.clientSecret
+                    ? { client_secret: this.config.clientSecret }
+                    : {}),
+            }),
+        });
+        if (!res.ok) {
+            const json = (await res.json());
+            throw new Error(json.errorCode ?? "REVOKE_FAILED");
+        }
+        await this.tokenManager.clear();
+    }
+    async getAuthorizationHeader() {
+        const token = await this.tokenManager.getValidAccessToken();
+        return `Bearer ${token}`;
+    }
+    async onUnauthorized() {
+        const tokens = await this.config.tokenStore.load();
+        if (!tokens?.refreshToken)
+            return false;
+        try {
+            await this.tokenManager.refresh(tokens.refreshToken);
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async refresh(refreshToken) {
+        const data = await this.postToken({
+            grant_type: "refresh_token",
+            refresh_token: refreshToken,
+            client_id: this.config.clientId,
+            ...(this.config.clientSecret
+                ? { client_secret: this.config.clientSecret }
+                : {}),
+        });
+        return tokenSetFromOAuthResponse(data);
+    }
+    async exchangeAuthorizationCode(params) {
+        const data = await this.postToken({
+            grant_type: "authorization_code",
+            code: params.code,
+            redirect_uri: params.redirectUri,
+            client_id: this.config.clientId,
+            code_verifier: params.codeVerifier,
+            ...(this.config.clientSecret
+                ? { client_secret: this.config.clientSecret }
+                : {}),
+        });
+        return tokenSetFromOAuthResponse(data);
+    }
+    async postToken(body) {
+        const res = await this.config.fetchImpl(`${this.config.baseUrl}/oauth/token`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(body),
+        });
+        const json = (await res.json());
+        if (json.statusMessage !== "SUCCESS" || !json.data) {
+            throw new Error(json.errorCode ?? "TOKEN_EXCHANGE_FAILED");
+        }
+        return json.data;
+    }
+}

package/dist/auth/pkce.d.ts

@@ -0,0 +1,4 @@
+export declare function generateCodeVerifier(): string;
+export declare function generateCodeChallengeS256(codeVerifier: string): string;
+export declare function generateState(): string;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/auth/pkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/auth/pkce.ts"],"names":[],"mappings":"AAEA,wBAAgB,oBAAoB,IAAI,MAAM,CAE7C;AAED,wBAAgB,yBAAyB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAEtE;AAED,wBAAgB,aAAa,IAAI,MAAM,CAEtC"}

package/dist/auth/pkce.js

@@ -0,0 +1,10 @@
+import { createHash, randomBytes } from "node:crypto";
+export function generateCodeVerifier() {
+    return randomBytes(32).toString("base64url");
+}
+export function generateCodeChallengeS256(codeVerifier) {
+    return createHash("sha256").update(codeVerifier).digest("base64url");
+}
+export function generateState() {
+    return randomBytes(16).toString("base64url");
+}

package/dist/auth/tokenManager.d.ts

@@ -0,0 +1,24 @@
+import type { TokenSet } from "../types.js";
+import type { TokenStore } from "./tokenStore.js";
+export interface OAuthTokenClient {
+    exchangeCode(code: string, codeVerifier: string): Promise<TokenSet>;
+    refresh(refreshToken: string): Promise<TokenSet>;
+}
+export declare class TokenManager {
+    private readonly store;
+    private readonly client;
+    private refreshPromise;
+    constructor(store: TokenStore, client: OAuthTokenClient);
+    getValidAccessToken(): Promise<string>;
+    setTokens(tokens: TokenSet): Promise<void>;
+    refresh(refreshToken: string): Promise<TokenSet>;
+    clear(): Promise<void>;
+}
+export declare function tokenSetFromOAuthResponse(data: {
+    access_token: string;
+    refresh_token: string;
+    expires_in: number;
+    scope: string;
+    token_type: string;
+}): TokenSet;
+//# sourceMappingURL=tokenManager.d.ts.map

package/dist/auth/tokenManager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenManager.d.ts","sourceRoot":"","sources":["../../src/auth/tokenManager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAIlD,MAAM,WAAW,gBAAgB;IAC/B,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IACpE,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CAClD;AAED,qBAAa,YAAY;IAIrB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM;IAJzB,OAAO,CAAC,cAAc,CAAkC;gBAGrC,KAAK,EAAE,UAAU,EACjB,MAAM,EAAE,gBAAgB;IAGrC,mBAAmB,IAAI,OAAO,CAAC,MAAM,CAAC;IAYtC,SAAS,CAAC,MAAM,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAI1C,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAehD,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAG7B;AAED,wBAAgB,yBAAyB,CAAC,IAAI,EAAE;IAC9C,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;CACpB,GAAG,QAAQ,CAQX"}

package/dist/auth/tokenManager.js

@@ -0,0 +1,50 @@
+const REFRESH_BUFFER_MS = 5 * 60 * 1000;
+export class TokenManager {
+    store;
+    client;
+    refreshPromise = null;
+    constructor(store, client) {
+        this.store = store;
+        this.client = client;
+    }
+    async getValidAccessToken() {
+        const tokens = await this.store.load();
+        if (!tokens) {
+            throw new Error("No OAuth tokens stored. Complete authorization first.");
+        }
+        if (Date.now() >= tokens.expiresAt - REFRESH_BUFFER_MS) {
+            const refreshed = await this.refresh(tokens.refreshToken);
+            return refreshed.accessToken;
+        }
+        return tokens.accessToken;
+    }
+    async setTokens(tokens) {
+        await this.store.save(tokens);
+    }
+    async refresh(refreshToken) {
+        if (!this.refreshPromise) {
+            this.refreshPromise = this.client
+                .refresh(refreshToken)
+                .then(async (tokens) => {
+                await this.store.save(tokens);
+                return tokens;
+            })
+                .finally(() => {
+                this.refreshPromise = null;
+            });
+        }
+        return this.refreshPromise;
+    }
+    async clear() {
+        await this.store.clear();
+    }
+}
+export function tokenSetFromOAuthResponse(data) {
+    return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        expiresAt: Date.now() + data.expires_in * 1000,
+        scope: data.scope,
+        tokenType: data.token_type,
+    };
+}

package/dist/auth/tokenStore.d.ts

@@ -0,0 +1,21 @@
+import type { TokenSet } from "../types.js";
+export interface TokenStore {
+    load(): Promise<TokenSet | null>;
+    save(tokens: TokenSet): Promise<void>;
+    clear(): Promise<void>;
+}
+export declare class MemoryTokenStore implements TokenStore {
+    private tokens;
+    load(): Promise<TokenSet | null>;
+    save(tokens: TokenSet): Promise<void>;
+    clear(): Promise<void>;
+}
+export declare class FileTokenStore implements TokenStore {
+    private readonly filePath;
+    constructor(filePath: string);
+    private readFile;
+    load(): Promise<TokenSet | null>;
+    save(tokens: TokenSet): Promise<void>;
+    clear(): Promise<void>;
+}
+//# sourceMappingURL=tokenStore.d.ts.map

package/dist/auth/tokenStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenStore.d.ts","sourceRoot":"","sources":["../../src/auth/tokenStore.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAE5C,MAAM,WAAW,UAAU;IACzB,IAAI,IAAI,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IACjC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACtC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB;AAED,qBAAa,gBAAiB,YAAW,UAAU;IACjD,OAAO,CAAC,MAAM,CAAyB;IAEjC,IAAI,IAAI,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAIhC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAIrC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAG7B;AAED,qBAAa,cAAe,YAAW,UAAU;IACnC,OAAO,CAAC,QAAQ,CAAC,QAAQ;gBAAR,QAAQ,EAAE,MAAM;YAE/B,QAAQ;IAUhB,IAAI,IAAI,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAMhC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAKrC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAQ7B"}

package/dist/auth/tokenStore.js

@@ -0,0 +1,49 @@
+export class MemoryTokenStore {
+    tokens = null;
+    async load() {
+        return this.tokens;
+    }
+    async save(tokens) {
+        this.tokens = tokens;
+    }
+    async clear() {
+        this.tokens = null;
+    }
+}
+export class FileTokenStore {
+    filePath;
+    constructor(filePath) {
+        this.filePath = filePath;
+    }
+    async readFile() {
+        const fs = await import("node:fs/promises");
+        try {
+            return await fs.readFile(this.filePath, "utf8");
+        }
+        catch (err) {
+            if (err.code === "ENOENT")
+                return null;
+            throw err;
+        }
+    }
+    async load() {
+        const raw = await this.readFile();
+        if (!raw)
+            return null;
+        return JSON.parse(raw);
+    }
+    async save(tokens) {
+        const fs = await import("node:fs/promises");
+        await fs.writeFile(this.filePath, JSON.stringify(tokens, null, 2), "utf8");
+    }
+    async clear() {
+        const fs = await import("node:fs/promises");
+        try {
+            await fs.unlink(this.filePath);
+        }
+        catch (err) {
+            if (err.code !== "ENOENT")
+                throw err;
+        }
+    }
+}

package/dist/cjs/auth/apiKey.cjs

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ApiKeyAuthProvider = void 0;
+function isBrowserEnvironment() {
+    return (typeof globalThis !== "undefined" &&
+        "document" in globalThis &&
+        typeof globalThis.document !== "undefined");
+}
+class ApiKeyAuthProvider {
+    apiKey;
+    constructor(apiKey) {
+        this.apiKey = apiKey;
+        if (isBrowserEnvironment()) {
+            throw new Error("@foxscheduling/sdk: API keys must not be used in browser environments.");
+        }
+    }
+    async getAuthorizationHeader() {
+        return `Bearer ${this.apiKey}`;
+    }
+}
+exports.ApiKeyAuthProvider = ApiKeyAuthProvider;

package/dist/cjs/auth/apiKey.d.ts

@@ -0,0 +1,10 @@
+export interface AuthProvider {
+    getAuthorizationHeader(): Promise<string>;
+    onUnauthorized?(): Promise<boolean>;
+}
+export declare class ApiKeyAuthProvider implements AuthProvider {
+    private readonly apiKey;
+    constructor(apiKey: string);
+    getAuthorizationHeader(): Promise<string>;
+}
+//# sourceMappingURL=apiKey.d.ts.map

package/dist/cjs/auth/apiKey.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"apiKey.d.ts","sourceRoot":"","sources":["../../../src/auth/apiKey.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,YAAY;IAC3B,sBAAsB,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,cAAc,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;CACrC;AAUD,qBAAa,kBAAmB,YAAW,YAAY;IACzC,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,MAAM;IAQrC,sBAAsB,IAAI,OAAO,CAAC,MAAM,CAAC;CAGhD"}

package/dist/cjs/auth/oauth.cjs

@@ -0,0 +1,114 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthClient = void 0;
+const pkce_js_1 = require("./pkce.cjs");
+const tokenManager_js_1 = require("./tokenManager.cjs");
+class OAuthClient {
+    config;
+    tokenManager;
+    constructor(config) {
+        this.config = config;
+        this.tokenManager = new tokenManager_js_1.TokenManager(config.tokenStore, this);
+    }
+    getAuthorizationUrl(params) {
+        const codeVerifier = (0, pkce_js_1.generateCodeVerifier)();
+        const state = params.state ?? (0, pkce_js_1.generateState)();
+        const query = new URLSearchParams({
+            client_id: this.config.clientId,
+            redirect_uri: this.config.redirectUri,
+            response_type: "code",
+            scope: params.scopes.join(" "),
+            state,
+            code_challenge: (0, pkce_js_1.generateCodeChallengeS256)(codeVerifier),
+            code_challenge_method: "S256",
+        });
+        return {
+            url: `${this.config.baseUrl}/oauth/authorize?${query.toString()}`,
+            codeVerifier,
+            state,
+        };
+    }
+    async exchangeCode(code, codeVerifier) {
+        const tokens = await this.exchangeAuthorizationCode({
+            code,
+            codeVerifier,
+            redirectUri: this.config.redirectUri,
+        });
+        await this.tokenManager.setTokens(tokens);
+        return tokens;
+    }
+    async revoke() {
+        const tokens = await this.config.tokenStore.load();
+        if (!tokens)
+            return;
+        const res = await this.config.fetchImpl(`${this.config.baseUrl}/oauth/revoke`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                token: tokens.refreshToken,
+                client_id: this.config.clientId,
+                ...(this.config.clientSecret
+                    ? { client_secret: this.config.clientSecret }
+                    : {}),
+            }),
+        });
+        if (!res.ok) {
+            const json = (await res.json());
+            throw new Error(json.errorCode ?? "REVOKE_FAILED");
+        }
+        await this.tokenManager.clear();
+    }
+    async getAuthorizationHeader() {
+        const token = await this.tokenManager.getValidAccessToken();
+        return `Bearer ${token}`;
+    }
+    async onUnauthorized() {
+        const tokens = await this.config.tokenStore.load();
+        if (!tokens?.refreshToken)
+            return false;
+        try {
+            await this.tokenManager.refresh(tokens.refreshToken);
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async refresh(refreshToken) {
+        const data = await this.postToken({
+            grant_type: "refresh_token",
+            refresh_token: refreshToken,
+            client_id: this.config.clientId,
+            ...(this.config.clientSecret
+                ? { client_secret: this.config.clientSecret }
+                : {}),
+        });
+        return (0, tokenManager_js_1.tokenSetFromOAuthResponse)(data);
+    }
+    async exchangeAuthorizationCode(params) {
+        const data = await this.postToken({
+            grant_type: "authorization_code",
+            code: params.code,
+            redirect_uri: params.redirectUri,
+            client_id: this.config.clientId,
+            code_verifier: params.codeVerifier,
+            ...(this.config.clientSecret
+                ? { client_secret: this.config.clientSecret }
+                : {}),
+        });
+        return (0, tokenManager_js_1.tokenSetFromOAuthResponse)(data);
+    }
+    async postToken(body) {
+        const res = await this.config.fetchImpl(`${this.config.baseUrl}/oauth/token`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(body),
+        });
+        const json = (await res.json());
+        if (json.statusMessage !== "SUCCESS" || !json.data) {
+            throw new Error(json.errorCode ?? "TOKEN_EXCHANGE_FAILED");
+        }
+        return json.data;
+    }
+}
+exports.OAuthClient = OAuthClient;

package/dist/cjs/auth/oauth.d.ts

@@ -0,0 +1,29 @@
+import type { OAuthScope } from "@foxscheduling/shared";
+import type { AuthorizationUrlResult, TokenSet } from "../types.js";
+import { TokenManager, type OAuthTokenClient } from "./tokenManager.js";
+import type { TokenStore } from "./tokenStore.js";
+import type { AuthProvider } from "./apiKey.js";
+export declare class OAuthClient implements OAuthTokenClient, AuthProvider {
+    private readonly config;
+    readonly tokenManager: TokenManager;
+    constructor(config: {
+        baseUrl: string;
+        clientId: string;
+        clientSecret?: string;
+        redirectUri: string;
+        tokenStore: TokenStore;
+        fetchImpl: typeof fetch;
+    });
+    getAuthorizationUrl(params: {
+        scopes: OAuthScope[];
+        state?: string;
+    }): AuthorizationUrlResult;
+    exchangeCode(code: string, codeVerifier: string): Promise<TokenSet>;
+    revoke(): Promise<void>;
+    getAuthorizationHeader(): Promise<string>;
+    onUnauthorized(): Promise<boolean>;
+    refresh(refreshToken: string): Promise<TokenSet>;
+    private exchangeAuthorizationCode;
+    private postToken;
+}
+//# sourceMappingURL=oauth.d.ts.map

package/dist/cjs/auth/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../../src/auth/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,KAAK,EAAE,sBAAsB,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAMpE,OAAO,EACL,YAAY,EAEZ,KAAK,gBAAgB,EACtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAUhD,qBAAa,WAAY,YAAW,gBAAgB,EAAE,YAAY;IAI9D,OAAO,CAAC,QAAQ,CAAC,MAAM;IAHzB,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;gBAGjB,MAAM,EAAE;QACvB,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,WAAW,EAAE,MAAM,CAAC;QACpB,UAAU,EAAE,UAAU,CAAC;QACvB,SAAS,EAAE,OAAO,KAAK,CAAC;KACzB;IAKH,mBAAmB,CAAC,MAAM,EAAE;QAC1B,MAAM,EAAE,UAAU,EAAE,CAAC;QACrB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,GAAG,sBAAsB;IAmBpB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAUnE,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAqBvB,sBAAsB,IAAI,OAAO,CAAC,MAAM,CAAC;IAKzC,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC;IAWlC,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;YAYxC,yBAAyB;YAkBzB,SAAS;CAkBxB"}

package/dist/cjs/auth/pkce.cjs

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateCodeVerifier = generateCodeVerifier;
+exports.generateCodeChallengeS256 = generateCodeChallengeS256;
+exports.generateState = generateState;
+const node_crypto_1 = require("node:crypto");
+function generateCodeVerifier() {
+    return (0, node_crypto_1.randomBytes)(32).toString("base64url");
+}
+function generateCodeChallengeS256(codeVerifier) {
+    return (0, node_crypto_1.createHash)("sha256").update(codeVerifier).digest("base64url");
+}
+function generateState() {
+    return (0, node_crypto_1.randomBytes)(16).toString("base64url");
+}

package/dist/cjs/auth/pkce.d.ts

@@ -0,0 +1,4 @@
+export declare function generateCodeVerifier(): string;
+export declare function generateCodeChallengeS256(codeVerifier: string): string;
+export declare function generateState(): string;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/cjs/auth/pkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../../src/auth/pkce.ts"],"names":[],"mappings":"AAEA,wBAAgB,oBAAoB,IAAI,MAAM,CAE7C;AAED,wBAAgB,yBAAyB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAEtE;AAED,wBAAgB,aAAa,IAAI,MAAM,CAEtC"}