npm - @hubspot/app-connect-sdk - Versions diffs - 1.0.0-alpha.1 - Mend

@hubspot/app-connect-sdk 1.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (833) hide show

package/dist/server/api-client.js ADDED Viewed

@@ -0,0 +1,101 @@
+import { HubSpotApiError } from "./api-client-core/errors.js";
+import { createHubSpotClient } from "./api-client-core/client.js";
+import { createBinaryData, isBinaryData } from "./api-client-core/binary-data.js";
+import { op } from "./api-client-core/op.js";
+import { pagination } from "./api-client-core/pagination.js";
+import { accountAccountInfo } from "./api-client-core/apis/account/account-info.generated.js";
+import { accountAuditLogs } from "./api-client-core/apis/account/audit-logs.generated.js";
+import { authOauth } from "./api-client-core/apis/auth/oauth.generated.js";
+import { automationActions } from "./api-client-core/apis/automation/actions.generated.js";
+import { automationSequences } from "./api-client-core/apis/automation/sequences.generated.js";
+import { businessUnits } from "./api-client-core/apis/business-units.generated.js";
+import { cmsAuthors } from "./api-client-core/apis/cms/authors.generated.js";
+import { cmsBlogSettings } from "./api-client-core/apis/cms/blog-settings.generated.js";
+import { cmsCmsContentAudit } from "./api-client-core/apis/cms/cms-content-audit.generated.js";
+import { cmsDomains } from "./api-client-core/apis/cms/domains.generated.js";
+import { cmsHubdb } from "./api-client-core/apis/cms/hubdb.generated.js";
+import { cmsMediaBridge } from "./api-client-core/apis/cms/media-bridge.generated.js";
+import { cmsPages } from "./api-client-core/apis/cms/pages.generated.js";
+import { cmsPosts } from "./api-client-core/apis/cms/posts.generated.js";
+import { cmsSiteSearch } from "./api-client-core/apis/cms/site-search.generated.js";
+import { cmsSourceCode } from "./api-client-core/apis/cms/source-code.generated.js";
+import { cmsTags } from "./api-client-core/apis/cms/tags.generated.js";
+import { cmsUrlMappings } from "./api-client-core/apis/cms/url-mappings.generated.js";
+import { cmsUrlRedirects } from "./api-client-core/apis/cms/url-redirects.generated.js";
+import { communicationPreferencesSubscriptions } from "./api-client-core/apis/communication-preferences/subscriptions.generated.js";
+import { conversations } from "./api-client-core/apis/conversations.generated.js";
+import { conversationsCustomChannels } from "./api-client-core/apis/conversations/custom-channels.generated.js";
+import { conversationsVisitorIdentification } from "./api-client-core/apis/conversations/visitor-identification.generated.js";
+import { crmAppUninstalls } from "./api-client-core/apis/crm/app-uninstalls.generated.js";
+import { crmAppointments } from "./api-client-core/apis/crm/appointments.generated.js";
+import { crmAssociationsSchema } from "./api-client-core/apis/crm/associations-schema.generated.js";
+import { crmAssociations } from "./api-client-core/apis/crm/associations.generated.js";
+import { crmCallingExtensions } from "./api-client-core/apis/crm/calling-extensions.generated.js";
+import { crmCalls } from "./api-client-core/apis/crm/calls.generated.js";
+import { crmCarts } from "./api-client-core/apis/crm/carts.generated.js";
+import { crmCommercePayments } from "./api-client-core/apis/crm/commerce-payments.generated.js";
+import { crmCommerceSubscriptions } from "./api-client-core/apis/crm/commerce-subscriptions.generated.js";
+import { crmCommunications } from "./api-client-core/apis/crm/communications.generated.js";
+import { crmCompanies } from "./api-client-core/apis/crm/companies.generated.js";
+import { crmContacts } from "./api-client-core/apis/crm/contacts.generated.js";
+import { crmContracts } from "./api-client-core/apis/crm/contracts.generated.js";
+import { crmCourses } from "./api-client-core/apis/crm/courses.generated.js";
+import { crmCrmOwners } from "./api-client-core/apis/crm/crm-owners.generated.js";
+import { crmCustomObjects } from "./api-client-core/apis/crm/custom-objects.generated.js";
+import { crmDealSplits } from "./api-client-core/apis/crm/deal-splits.generated.js";
+import { crmDeals } from "./api-client-core/apis/crm/deals.generated.js";
+import { crmDiscounts } from "./api-client-core/apis/crm/discounts.generated.js";
+import { crmEmails } from "./api-client-core/apis/crm/emails.generated.js";
+import { crmExports } from "./api-client-core/apis/crm/exports.generated.js";
+import { crmFeedbackSubmissions } from "./api-client-core/apis/crm/feedback-submissions.generated.js";
+import { crmFees } from "./api-client-core/apis/crm/fees.generated.js";
+import { crmGoalTargets } from "./api-client-core/apis/crm/goal-targets.generated.js";
+import { crmImports } from "./api-client-core/apis/crm/imports.generated.js";
+import { crmInvoices } from "./api-client-core/apis/crm/invoices.generated.js";
+import { crmLeads } from "./api-client-core/apis/crm/leads.generated.js";
+import { crmLimitsTracking } from "./api-client-core/apis/crm/limits-tracking.generated.js";
+import { crmLineItems } from "./api-client-core/apis/crm/line-items.generated.js";
+import { crmListings } from "./api-client-core/apis/crm/listings.generated.js";
+import { crmLists } from "./api-client-core/apis/crm/lists.generated.js";
+import { crmMeetings } from "./api-client-core/apis/crm/meetings.generated.js";
+import { crmNotes } from "./api-client-core/apis/crm/notes.generated.js";
+import { crmObjectLibrary } from "./api-client-core/apis/crm/object-library.generated.js";
+import { crmObjects } from "./api-client-core/apis/crm/objects.generated.js";
+import { crmOrders } from "./api-client-core/apis/crm/orders.generated.js";
+import { crmPartnerClients } from "./api-client-core/apis/crm/partner-clients.generated.js";
+import { crmPartnerServices } from "./api-client-core/apis/crm/partner-services.generated.js";
+import { crmPipelines } from "./api-client-core/apis/crm/pipelines.generated.js";
+import { crmPostalMail } from "./api-client-core/apis/crm/postal-mail.generated.js";
+import { crmProducts } from "./api-client-core/apis/crm/products.generated.js";
+import { crmProjects } from "./api-client-core/apis/crm/projects.generated.js";
+import { crmProperties } from "./api-client-core/apis/crm/properties.generated.js";
+import { crmPropertyValidations } from "./api-client-core/apis/crm/property-validations.generated.js";
+import { crmPublicAppCrmCards } from "./api-client-core/apis/crm/public-app-crm-cards.generated.js";
+import { crmPublicAppFeatureFlags } from "./api-client-core/apis/crm/public-app-feature-flags.generated.js";
+import { crmQuotes } from "./api-client-core/apis/crm/quotes.generated.js";
+import { crmSchemas } from "./api-client-core/apis/crm/schemas.generated.js";
+import { crmServices } from "./api-client-core/apis/crm/services.generated.js";
+import { crmTasks } from "./api-client-core/apis/crm/tasks.generated.js";
+import { crmTaxes } from "./api-client-core/apis/crm/taxes.generated.js";
+import { crmTickets } from "./api-client-core/apis/crm/tickets.generated.js";
+import { crmTimeline } from "./api-client-core/apis/crm/timeline.generated.js";
+import { crmTranscriptions } from "./api-client-core/apis/crm/transcriptions.generated.js";
+import { crmUsers } from "./api-client-core/apis/crm/users.generated.js";
+import { crmVideoConferencingExtension } from "./api-client-core/apis/crm/video-conferencing-extension.generated.js";
+import { events } from "./api-client-core/apis/events.generated.js";
+import { eventsManageEventDefinitions } from "./api-client-core/apis/events/manage-event-definitions.generated.js";
+import { eventsSendEventCompletions } from "./api-client-core/apis/events/send-event-completions.generated.js";
+import { files } from "./api-client-core/apis/files.generated.js";
+import { marketingCampaignsPublicApi } from "./api-client-core/apis/marketing/campaigns-public-api.generated.js";
+import { marketingMarketingEmails } from "./api-client-core/apis/marketing/marketing-emails.generated.js";
+import { marketingMarketingEvents } from "./api-client-core/apis/marketing/marketing-events.generated.js";
+import { marketingSingleSend } from "./api-client-core/apis/marketing/single-send.generated.js";
+import { marketingTransactionalSingleSend } from "./api-client-core/apis/marketing/transactional-single-send.generated.js";
+import { metaOrigins } from "./api-client-core/apis/meta/origins.generated.js";
+import { schedulerMeetings } from "./api-client-core/apis/scheduler/meetings.generated.js";
+import { settingsMulticurrency } from "./api-client-core/apis/settings/multicurrency.generated.js";
+import { settingsTaxRates } from "./api-client-core/apis/settings/tax-rates.generated.js";
+import { settingsUserProvisioning } from "./api-client-core/apis/settings/user-provisioning.generated.js";
+import { webhooksJournal } from "./api-client-core/apis/webhooks-journal.generated.js";
+import { webhooks } from "./api-client-core/apis/webhooks.generated.js";
+export { HubSpotApiError, accountAccountInfo, accountAuditLogs, authOauth, automationActions, automationSequences, businessUnits, cmsAuthors, cmsBlogSettings, cmsCmsContentAudit, cmsDomains, cmsHubdb, cmsMediaBridge, cmsPages, cmsPosts, cmsSiteSearch, cmsSourceCode, cmsTags, cmsUrlMappings, cmsUrlRedirects, communicationPreferencesSubscriptions, conversations, conversationsCustomChannels, conversationsVisitorIdentification, createBinaryData, createHubSpotClient, crmAppUninstalls, crmAppointments, crmAssociations, crmAssociationsSchema, crmCallingExtensions, crmCalls, crmCarts, crmCommercePayments, crmCommerceSubscriptions, crmCommunications, crmCompanies, crmContacts, crmContracts, crmCourses, crmCrmOwners, crmCustomObjects, crmDealSplits, crmDeals, crmDiscounts, crmEmails, crmExports, crmFeedbackSubmissions, crmFees, crmGoalTargets, crmImports, crmInvoices, crmLeads, crmLimitsTracking, crmLineItems, crmListings, crmLists, crmMeetings, crmNotes, crmObjectLibrary, crmObjects, crmOrders, crmPartnerClients, crmPartnerServices, crmPipelines, crmPostalMail, crmProducts, crmProjects, crmProperties, crmPropertyValidations, crmPublicAppCrmCards, crmPublicAppFeatureFlags, crmQuotes, crmSchemas, crmServices, crmTasks, crmTaxes, crmTickets, crmTimeline, crmTranscriptions, crmUsers, crmVideoConferencingExtension, events, eventsManageEventDefinitions, eventsSendEventCompletions, files, isBinaryData, marketingCampaignsPublicApi, marketingMarketingEmails, marketingMarketingEvents, marketingSingleSend, marketingTransactionalSingleSend, metaOrigins, op, pagination, schedulerMeetings, settingsMulticurrency, settingsTaxRates, settingsUserProvisioning, webhooks, webhooksJournal };

package/dist/server/constants.js ADDED Viewed

@@ -0,0 +1,46 @@
+//#region src/server/constants.ts
+/**
+* Cookie name carrying the DPoP-bound access token. Uses the
+* `__Host-` prefix so the browser only accepts it from a `Secure`
+* response with `Path=/` — a defense-in-depth against subdomain
+* cookie injection.
+*/
+const HUBSPOT_ACCESS_TOKEN_COOKIE_NAME = "__Host-hs_access_token";
+/**
+* Cookie carrying the opaque app-session ID. Hashed before being put
+* on the wire as a DPoP `sid` claim.
+*/
+const HUBSPOT_APP_SID_COOKIE_NAME = "__Host-hs_app_sid";
+/**
+* Prefix used for refresh-token cookies. Each session gets its own
+* cookie name (`hs_refresh_<sidHash>`) so multiple devices/tabs can
+* coexist without overwriting each other's refresh tokens.
+*/
+const HUBSPOT_REFRESH_COOKIE_PREFIX = "hs_refresh_";
+const PROTECTED_COOKIE_NAMES = new Set([HUBSPOT_ACCESS_TOKEN_COOKIE_NAME, HUBSPOT_APP_SID_COOKIE_NAME]);
+/**
+* Returns `true` for cookies the SDK manages internally
+* (access token, session ID, any refresh-token cookie). The
+* `sanitizeRequest` helper uses this to strip these cookies from the
+* request before user code sees it, ensuring user route handlers
+* cannot accidentally leak them in logs or proxy them upstream.
+*/
+function isProtectedCookieName(cookieName) {
+	return PROTECTED_COOKIE_NAMES.has(cookieName) || cookieName.startsWith("hs_refresh_");
+}
+/**
+* Cookie carrying the PKCE code verifier between `init-session` and
+* `callback`. `Lax` SameSite so it accompanies the redirect back from
+* HubSpot.
+*/
+const TEMP_COOKIE_PKCE_VERIFIER = "__hs_pkce_verifier";
+/**
+* Cookie carrying the OAuth `state` value between `init-session` and
+* `callback`. Compared against the `state` query parameter as the
+* primary CSRF defense.
+*/
+const TEMP_COOKIE_OAUTH_STATE = "__hs_oauth_state";
+//#endregion
+export { HUBSPOT_ACCESS_TOKEN_COOKIE_NAME, HUBSPOT_APP_SID_COOKIE_NAME, HUBSPOT_REFRESH_COOKIE_PREFIX, TEMP_COOKIE_OAUTH_STATE, TEMP_COOKIE_PKCE_VERIFIER, isProtectedCookieName };
+//# sourceMappingURL=constants.js.map

package/dist/server/constants.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"constants.js","names":[],"sources":["../../src/server/constants.ts"],"sourcesContent":["/**\n * Cookie name carrying the DPoP-bound access token. Uses the\n * `__Host-` prefix so the browser only accepts it from a `Secure`\n * response with `Path=/` — a defense-in-depth against subdomain\n * cookie injection.\n */\nexport const HUBSPOT_ACCESS_TOKEN_COOKIE_NAME = '__Host-hs_access_token';\n\n/**\n * Cookie carrying the opaque app-session ID. Hashed before being put\n * on the wire as a DPoP `sid` claim.\n */\nexport const HUBSPOT_APP_SID_COOKIE_NAME = '__Host-hs_app_sid';\n\n/**\n * Prefix used for refresh-token cookies. Each session gets its own\n * cookie name (`hs_refresh_<sidHash>`) so multiple devices/tabs can\n * coexist without overwriting each other's refresh tokens.\n */\nexport const HUBSPOT_REFRESH_COOKIE_PREFIX = 'hs_refresh_';\n\nconst PROTECTED_COOKIE_NAMES = new Set([\n HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n HUBSPOT_APP_SID_COOKIE_NAME,\n]);\n\n/**\n * Returns `true` for cookies the SDK manages internally\n * (access token, session ID, any refresh-token cookie). The\n * `sanitizeRequest` helper uses this to strip these cookies from the\n * request before user code sees it, ensuring user route handlers\n * cannot accidentally leak them in logs or proxy them upstream.\n */\nexport function isProtectedCookieName(cookieName: string): boolean {\n return (\n PROTECTED_COOKIE_NAMES.has(cookieName) ||\n cookieName.startsWith(HUBSPOT_REFRESH_COOKIE_PREFIX)\n );\n}\n\n/**\n * Cookie carrying the PKCE code verifier between `init-session` and\n * `callback`. `Lax` SameSite so it accompanies the redirect back from\n * HubSpot.\n */\nexport const TEMP_COOKIE_PKCE_VERIFIER = '__hs_pkce_verifier';\n\n/**\n * Cookie carrying the OAuth `state` value between `init-session` and\n * `callback`. Compared against the `state` query parameter as the\n * primary CSRF defense.\n */\nexport const TEMP_COOKIE_OAUTH_STATE = '__hs_oauth_state';\n"],"mappings":";;;;;;;AAMA,MAAa,mCAAmC;;;;;AAMhD,MAAa,8BAA8B;;;;;;AAO3C,MAAa,gCAAgC;AAE7C,MAAM,yBAAyB,IAAI,IAAI,CACrC,kCACA,4BACD,CAAC;;;;;;;;AASF,SAAgB,sBAAsB,YAA6B;CACjE,OACE,uBAAuB,IAAI,WAAW,IACtC,WAAW,WAAA,cAAyC;;;;;;;AASxD,MAAa,4BAA4B;;;;;;AAOzC,MAAa,0BAA0B"}

package/dist/server/deno/start.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import { SecureStartContext, SecureStartLoader } from "../secure-start-core.js";
+//#region src/server/deno/start.d.ts
+/**
+ * Deno entrypoint helper. Reads `HUBSPOT_APP_PRIVATE_KEY` from `Deno.env`
+ * when CIMD or DPoP is enabled, imports the supplied loader, and invokes
+ * `start` with `AppKeys` or `null`.
+ */
+declare function secureStart(loader: SecureStartLoader): Promise<void>;
+//#endregion
+export { secureStart };
+//# sourceMappingURL=start.d.ts.map

package/dist/server/deno/start.js ADDED Viewed

@@ -0,0 +1,21 @@
+import { runSecureStart } from "../secure-start-core.js";
+//#region src/server/deno/start.ts
+const denoSecureStartAdapter = {
+	readEnv: (key) => Deno.env.get(key),
+	deleteEnv: (key) => {
+		Deno.env.delete(key);
+	},
+	exit: (code) => Deno.exit(code)
+};
+/**
+* Deno entrypoint helper. Reads `HUBSPOT_APP_PRIVATE_KEY` from `Deno.env`
+* when CIMD or DPoP is enabled, imports the supplied loader, and invokes
+* `start` with `AppKeys` or `null`.
+*/
+function secureStart(loader) {
+	return runSecureStart(loader, denoSecureStartAdapter);
+}
+//#endregion
+export { secureStart };
+//# sourceMappingURL=start.js.map

package/dist/server/deno/start.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"start.js","names":[],"sources":["../../../src/server/deno/start.ts"],"sourcesContent":["import {\n runSecureStart,\n type SecureStartAdapter,\n type SecureStartContext,\n type SecureStartLoader,\n} from '../secure-start-core.ts';\n\nexport type { SecureStartContext, SecureStartLoader };\n\nconst denoSecureStartAdapter: SecureStartAdapter = {\n readEnv: (key) => Deno.env.get(key),\n deleteEnv: (key) => {\n Deno.env.delete(key);\n },\n exit: (code) => Deno.exit(code),\n};\n\n/**\n * Deno entrypoint helper. Reads `HUBSPOT_APP_PRIVATE_KEY` from `Deno.env`\n * when CIMD or DPoP is enabled, imports the supplied loader, and invokes\n * `start` with `AppKeys` or `null`.\n */\nexport function secureStart(loader: SecureStartLoader): Promise<void> {\n return runSecureStart(loader, denoSecureStartAdapter);\n}\n"],"mappings":";;AASA,MAAM,yBAA6C;CACjD,UAAU,QAAQ,KAAK,IAAI,IAAI,IAAI;CACnC,YAAY,QAAQ;EAClB,KAAK,IAAI,OAAO,IAAI;;CAEtB,OAAO,SAAS,KAAK,KAAK,KAAK;CAChC;;;;;;AAOD,SAAgB,YAAY,QAA0C;CACpE,OAAO,eAAe,QAAQ,uBAAuB"}

package/dist/server/hono/hono-request-handler.js ADDED Viewed

@@ -0,0 +1,54 @@
+import { createHubSpotClient } from "../api-client-core/client.js";
+import { noopLogger } from "../shared/logger.js";
+import { fetchTransportPlugin } from "../api-client-core/plugins/fetch-transport.js";
+import { HUBSPOT_ACCESS_TOKEN_COOKIE_NAME, HUBSPOT_APP_SID_COOKIE_NAME } from "../constants.js";
+import { createHubSpotProxy } from "../proxy.js";
+import { parseCookies } from "../utils/cookie-utils.js";
+import { sanitizeRequest } from "../sanitize-request.js";
+import { Hono } from "hono";
+//#region src/server/hono/hono-request-handler.ts
+/**
+* Wraps a Hono app so its `fetch` handler additionally:
+*
+* - Strips SDK-managed cookies (access token, refresh, sid) from the
+*   request before the app sees them, via `sanitizeRequest`.
+* - Exposes a `hubSpotProxy` on the Hono context so route handlers
+*   can issue authenticated calls to HubSpot's API on behalf of the
+*   browser session.
+*/
+function createAppConnectRequestHandler(options) {
+	const { registerRoutes, appKeys, logger = noopLogger } = options;
+	const app = new Hono();
+	registerRoutes(app);
+	return (request) => {
+		const cookie = request.headers.get("Cookie");
+		if (!cookie) throw new Error("Missing auth cookies");
+		const cookies = parseCookies(cookie);
+		const accessToken = cookies[HUBSPOT_ACCESS_TOKEN_COOKIE_NAME];
+		const sessionId = cookies[HUBSPOT_APP_SID_COOKIE_NAME];
+		if (!accessToken || !sessionId) return new Response(null, {
+			status: 401,
+			statusText: "Unauthorized",
+			headers: { "Content-Type": "application/json" }
+		});
+		const hubSpotProxy = createHubSpotProxy({
+			userCredentials: {
+				accessToken,
+				sessionId
+			},
+			appKeys,
+			logger
+		});
+		const hubSpotClient = createHubSpotClient({ plugins: [fetchTransportPlugin({ getAccessToken: () => accessToken })] });
+		const sanitizedRequest = sanitizeRequest(request);
+		const honoBindings = {
+			hubSpotProxy,
+			hubSpotClient
+		};
+		return app.fetch(sanitizedRequest, honoBindings);
+	};
+}
+//#endregion
+export { createAppConnectRequestHandler };
+//# sourceMappingURL=hono-request-handler.js.map

package/dist/server/hono/hono-request-handler.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"hono-request-handler.js","names":[],"sources":["../../../src/server/hono/hono-request-handler.ts"],"sourcesContent":["import { Hono } from 'hono';\n\nimport { noopLogger, type Logger } from '../../shared/logger.ts';\nimport { createHubSpotClient } from '../api-client-core/client.ts';\nimport { fetchTransportPlugin } from '../api-client-core/plugins/fetch-transport.ts';\nimport {\n HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n HUBSPOT_APP_SID_COOKIE_NAME,\n} from '../constants.ts';\nimport { createHubSpotProxy } from '../proxy.ts';\nimport { sanitizeRequest } from '../sanitize-request.ts';\nimport type { AppKeys, UserCredentials } from '../types.ts';\nimport { parseCookies } from '../utils/cookie-utils.ts';\nimport type { AppConnectHonoBindings, AppConnectHonoEnv } from './types.ts';\n\n/**\n * Web-standard fetch handler signature returned by\n * {@link createAppConnectRequestHandler}.\n */\nexport type AppConnectFetchHandler = (\n request: Request\n) => Response | Promise<Response>;\n\n/**\n * Callback used to attach application routes to the SDK-owned Hono\n * app instance.\n */\nexport type RegisterAppConnectRoutesFunction = (\n app: Hono<AppConnectHonoEnv>\n) => void;\n\n/**\n * Options accepted by {@link createAppConnectRequestHandler}.\n */\nexport interface CreateAppConnectRequestHandlerOptions {\n /** Registers application routes on the SDK-owned Hono app. */\n registerRoutes: RegisterAppConnectRoutesFunction;\n /**\n * Imported app keys from `secureStart`, or `null` when CIMD and DPoP\n * are both disabled.\n */\n appKeys: AppKeys | null;\n /**\n * Optional logger. When omitted the SDK uses a no-op logger so\n * server-side state never leaks into the host application's\n * console.\n */\n logger?: Logger;\n}\n\n/**\n * Wraps a Hono app so its `fetch` handler additionally:\n *\n * - Strips SDK-managed cookies (access token, refresh, sid) from the\n * request before the app sees them, via `sanitizeRequest`.\n * - Exposes a `hubSpotProxy` on the Hono context so route handlers\n * can issue authenticated calls to HubSpot's API on behalf of the\n * browser session.\n */\nexport function createAppConnectRequestHandler(\n options: CreateAppConnectRequestHandlerOptions\n): AppConnectFetchHandler {\n const { registerRoutes, appKeys, logger = noopLogger } = options;\n const app = new Hono<AppConnectHonoEnv>();\n registerRoutes(app);\n\n return (request: Request) => {\n const cookie = request.headers.get('Cookie');\n if (!cookie) {\n throw new Error('Missing auth cookies');\n }\n const cookies = parseCookies(cookie);\n const accessToken = cookies[HUBSPOT_ACCESS_TOKEN_COOKIE_NAME];\n const sessionId = cookies[HUBSPOT_APP_SID_COOKIE_NAME];\n if (!accessToken || !sessionId) {\n // Return 401 Unauthorized\n return new Response(null, {\n status: 401,\n statusText: 'Unauthorized',\n headers: {\n 'Content-Type': 'application/json',\n },\n });\n }\n const userCredentials: UserCredentials = { accessToken, sessionId };\n\n const hubSpotProxy = createHubSpotProxy({\n userCredentials,\n appKeys,\n logger,\n });\n\n const hubSpotClient = createHubSpotClient({\n plugins: [fetchTransportPlugin({ getAccessToken: () => accessToken })],\n });\n\n const sanitizedRequest = sanitizeRequest(request);\n\n const honoBindings: AppConnectHonoBindings = {\n hubSpotProxy,\n hubSpotClient,\n };\n\n return app.fetch(sanitizedRequest, honoBindings);\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AA2DA,SAAgB,+BACd,SACwB;CACxB,MAAM,EAAE,gBAAgB,SAAS,SAAS,eAAe;CACzD,MAAM,MAAM,IAAI,MAAyB;CACzC,eAAe,IAAI;CAEnB,QAAQ,YAAqB;EAC3B,MAAM,SAAS,QAAQ,QAAQ,IAAI,SAAS;EAC5C,IAAI,CAAC,QACH,MAAM,IAAI,MAAM,uBAAuB;EAEzC,MAAM,UAAU,aAAa,OAAO;EACpC,MAAM,cAAc,QAAQ;EAC5B,MAAM,YAAY,QAAQ;EAC1B,IAAI,CAAC,eAAe,CAAC,WAEnB,OAAO,IAAI,SAAS,MAAM;GACxB,QAAQ;GACR,YAAY;GACZ,SAAS,EACP,gBAAgB,oBACjB;GACF,CAAC;EAIJ,MAAM,eAAe,mBAAmB;GACtC,iBAAA;IAHyC;IAAa;IAGvC;GACf;GACA;GACD,CAAC;EAEF,MAAM,gBAAgB,oBAAoB,EACxC,SAAS,CAAC,qBAAqB,EAAE,sBAAsB,aAAa,CAAC,CAAC,EACvE,CAAC;EAEF,MAAM,mBAAmB,gBAAgB,QAAQ;EAEjD,MAAM,eAAuC;GAC3C;GACA;GACD;EAED,OAAO,IAAI,MAAM,kBAAkB,aAAa"}

package/dist/server/hono/hubspot-connect-routes/auth-callback.js ADDED Viewed

@@ -0,0 +1,125 @@
+import { base64urlDecode } from "../../shared/encoding/base64.js";
+import { HUBSPOT_ACCESS_TOKEN_COOKIE_NAME, HUBSPOT_REFRESH_COOKIE_PREFIX, TEMP_COOKIE_OAUTH_STATE, TEMP_COOKIE_PKCE_VERIFIER } from "../../constants.js";
+import { parseCookies } from "../../utils/cookie-utils.js";
+import { EXPIRES_AT_URL_PARAM } from "../../shared/constants.js";
+import { serializeCookie, setResponseCookie } from "../utils/cookie-utils.js";
+import { REFRESH_COOKIE_MAX_AGE_SEC } from "./constants.js";
+import { buildClientAssertion, buildClientAssertionFormParams, buildClientSecretFormParams, buildTokenEndpointDpopProof, requestOAuthToken } from "./oauth-client.js";
+import { buildCimdClientIdUrlFromRequest, buildOAuthRedirectUriFromRequest, clearTempCookie, isPositiveFiniteNumber, isSafeReturnPath } from "./utils.js";
+//#region src/server/hono/hubspot-connect-routes/auth-callback.ts
+async function handleAuthCallback(c, options) {
+	const { appKeys, refreshCookiePath, basePath, hubspotConnectEnv } = options;
+	const xForwardedProto = c.req.header("x-forwarded-proto") ?? void 0;
+	const xForwardedHost = c.req.header("x-forwarded-host") ?? void 0;
+	const requestHostHeader = c.req.header("host") ?? void 0;
+	const code = c.req.query("code");
+	const state = c.req.query("state");
+	if (!code || !state) return c.text("Missing code or state", 400);
+	if (hubspotConnectEnv.isAppPrivateKeyRequired && !appKeys) return c.text("Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD or DPoP is enabled", 500);
+	const cookies = parseCookies(c.req.header("Cookie"));
+	const expectedState = cookies[TEMP_COOKIE_OAUTH_STATE];
+	const codeVerifier = cookies[TEMP_COOKIE_PKCE_VERIFIER];
+	if (!expectedState || state !== decodeURIComponent(expectedState)) return c.text("State mismatch", 403);
+	if (!codeVerifier) return c.text("Missing PKCE verifier", 400);
+	let statePayload;
+	try {
+		statePayload = JSON.parse(new TextDecoder().decode(base64urlDecode(decodeURIComponent(state))));
+	} catch {
+		return c.text("Malformed state value", 400);
+	}
+	const returnPath = statePayload.return_path;
+	if (!returnPath || !isSafeReturnPath(returnPath)) return c.text("Invalid return path in state", 400);
+	const sessionId = statePayload.sid;
+	if (!sessionId) return c.text("Missing app session cookie", 400);
+	const decodedCodeVerifier = decodeURIComponent(codeVerifier);
+	const clientId = hubspotConnectEnv.isCimdEnabled ? buildCimdClientIdUrlFromRequest({
+		requestUrl: c.req.url,
+		basePath,
+		xForwardedProto,
+		xForwardedHost,
+		requestHostHeader
+	}) : hubspotConnectEnv.hubspotClientId;
+	const redirectUri = buildOAuthRedirectUriFromRequest({
+		requestUrl: c.req.url,
+		basePath,
+		xForwardedProto,
+		xForwardedHost,
+		requestHostHeader
+	});
+	const tokenEndpointUrl = new URL("/oauth/v1/token", hubspotConnectEnv.hubspotOAuthApiOrigin).href;
+	let dpopProof;
+	if (hubspotConnectEnv.isDpopEnabled) dpopProof = await buildTokenEndpointDpopProof({
+		appKeys,
+		tokenEndpointUrl,
+		sessionIdHash: sessionId
+	});
+	let formParams;
+	if (hubspotConnectEnv.isCimdEnabled) formParams = {
+		grant_type: "authorization_code",
+		code,
+		code_verifier: decodedCodeVerifier,
+		redirect_uri: redirectUri,
+		...buildClientAssertionFormParams({
+			clientId,
+			clientAssertion: await buildClientAssertion({
+				appKeys,
+				clientId,
+				audience: tokenEndpointUrl
+			})
+		})
+	};
+	else formParams = {
+		grant_type: "authorization_code",
+		code,
+		code_verifier: decodedCodeVerifier,
+		redirect_uri: redirectUri,
+		...buildClientSecretFormParams({
+			clientId,
+			clientSecret: hubspotConnectEnv.hubspotClientSecret
+		})
+	};
+	const tokenResult = await requestOAuthToken({
+		tokenEndpointUrl,
+		isDpopEnabled: hubspotConnectEnv.isDpopEnabled,
+		...dpopProof !== void 0 ? { dpopProof } : {},
+		formParams
+	});
+	if (!tokenResult.ok) return c.text(`Token exchange failed: ${tokenResult.errorText}`, 502);
+	const { access_token: accessToken, refresh_token: refreshToken, expires_in } = tokenResult.body;
+	if (!refreshToken) return c.text("Token response missing refresh_token", 502);
+	if (!isPositiveFiniteNumber(expires_in)) return c.text("Token response missing or invalid expires_in", 502);
+	const expiresAt = Date.now() + expires_in * 1e3;
+	const refreshCookieName = `${HUBSPOT_REFRESH_COOKIE_PREFIX}${sessionId}`;
+	setResponseCookie({
+		c,
+		value: serializeCookie({
+			name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,
+			value: accessToken,
+			path: "/",
+			maxAge: expires_in
+		})
+	});
+	setResponseCookie({
+		c,
+		value: serializeCookie({
+			name: refreshCookieName,
+			value: refreshToken,
+			path: refreshCookiePath,
+			maxAge: REFRESH_COOKIE_MAX_AGE_SEC
+		})
+	});
+	setResponseCookie({
+		c,
+		value: clearTempCookie(TEMP_COOKIE_PKCE_VERIFIER)
+	});
+	setResponseCookie({
+		c,
+		value: clearTempCookie(TEMP_COOKIE_OAUTH_STATE)
+	});
+	const separator = returnPath.includes("?") ? "&" : "?";
+	return c.redirect(`${returnPath}${separator}${EXPIRES_AT_URL_PARAM}=${expiresAt}`, 302);
+}
+//#endregion
+export { handleAuthCallback };
+//# sourceMappingURL=auth-callback.js.map

package/dist/server/hono/hubspot-connect-routes/auth-callback.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-callback.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/auth-callback.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport { EXPIRES_AT_URL_PARAM } from '../../../shared/constants.ts';\nimport {\n HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n HUBSPOT_REFRESH_COOKIE_PREFIX,\n TEMP_COOKIE_OAUTH_STATE,\n TEMP_COOKIE_PKCE_VERIFIER,\n} from '../../constants.ts';\nimport { base64urlDecode } from '../../utils/base64-utils.ts';\nimport { parseCookies } from '../../utils/cookie-utils.ts';\nimport { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';\nimport { REFRESH_COOKIE_MAX_AGE_SEC } from './constants.ts';\nimport {\n buildClientAssertion,\n buildClientAssertionFormParams,\n buildClientSecretFormParams,\n buildTokenEndpointDpopProof,\n requestOAuthToken,\n} from './oauth-client.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport {\n buildCimdClientIdUrlFromRequest,\n buildOAuthRedirectUriFromRequest,\n clearTempCookie,\n isPositiveFiniteNumber,\n isSafeReturnPath,\n} from './utils.ts';\n\ninterface OAuthStatePayload {\n return_path?: string;\n sid?: string;\n}\n\nexport async function handleAuthCallback(\n c: Context,\n options: HubSpotConnectOAuthRouteOptions\n) {\n const { appKeys, refreshCookiePath, basePath, hubspotConnectEnv } = options;\n const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n const requestHostHeader = c.req.header('host') ?? undefined;\n const code = c.req.query('code');\n const state = c.req.query('state');\n\n if (!code || !state) {\n return c.text('Missing code or state', 400);\n }\n\n if (hubspotConnectEnv.isAppPrivateKeyRequired && !appKeys) {\n return c.text(\n 'Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD or DPoP is enabled',\n 500\n );\n }\n\n const cookies = parseCookies(c.req.header('Cookie'));\n const expectedState = cookies[TEMP_COOKIE_OAUTH_STATE];\n const codeVerifier = cookies[TEMP_COOKIE_PKCE_VERIFIER];\n\n if (!expectedState || state !== decodeURIComponent(expectedState)) {\n return c.text('State mismatch', 403);\n }\n if (!codeVerifier) {\n return c.text('Missing PKCE verifier', 400);\n }\n\n let statePayload: OAuthStatePayload;\n try {\n statePayload = JSON.parse(\n new TextDecoder().decode(base64urlDecode(decodeURIComponent(state)))\n ) as OAuthStatePayload;\n } catch {\n return c.text('Malformed state value', 400);\n }\n const returnPath = statePayload.return_path;\n if (!returnPath || !isSafeReturnPath(returnPath)) {\n return c.text('Invalid return path in state', 400);\n }\n\n const sessionId = statePayload.sid;\n if (!sessionId) {\n return c.text('Missing app session cookie', 400);\n }\n\n const decodedCodeVerifier = decodeURIComponent(codeVerifier);\n\n const clientId = hubspotConnectEnv.isCimdEnabled\n ? buildCimdClientIdUrlFromRequest({\n requestUrl: c.req.url,\n basePath,\n xForwardedProto,\n xForwardedHost,\n requestHostHeader,\n })\n : hubspotConnectEnv.hubspotClientId;\n\n const redirectUri = buildOAuthRedirectUriFromRequest({\n requestUrl: c.req.url,\n basePath,\n xForwardedProto,\n xForwardedHost,\n requestHostHeader,\n });\n\n const tokenEndpointUrl = new URL(\n '/oauth/v1/token',\n hubspotConnectEnv.hubspotOAuthApiOrigin\n ).href;\n\n let dpopProof: string | undefined;\n if (hubspotConnectEnv.isDpopEnabled) {\n dpopProof = await buildTokenEndpointDpopProof({\n appKeys: appKeys!,\n tokenEndpointUrl,\n sessionIdHash: sessionId,\n });\n }\n\n let formParams: Record<string, string>;\n if (hubspotConnectEnv.isCimdEnabled) {\n const clientAssertion = await buildClientAssertion({\n appKeys: appKeys!,\n clientId,\n audience: tokenEndpointUrl,\n });\n formParams = {\n grant_type: 'authorization_code',\n code,\n code_verifier: decodedCodeVerifier,\n redirect_uri: redirectUri,\n ...buildClientAssertionFormParams({ clientId, clientAssertion }),\n };\n } else {\n formParams = {\n grant_type: 'authorization_code',\n code,\n code_verifier: decodedCodeVerifier,\n redirect_uri: redirectUri,\n ...buildClientSecretFormParams({\n clientId,\n clientSecret: hubspotConnectEnv.hubspotClientSecret,\n }),\n };\n }\n\n const tokenResult = await requestOAuthToken({\n tokenEndpointUrl,\n isDpopEnabled: hubspotConnectEnv.isDpopEnabled,\n ...(dpopProof !== undefined ? { dpopProof } : {}),\n formParams,\n });\n if (!tokenResult.ok) {\n return c.text(`Token exchange failed: ${tokenResult.errorText}`, 502);\n }\n\n const {\n access_token: accessToken,\n refresh_token: refreshToken,\n expires_in,\n } = tokenResult.body;\n if (!refreshToken) {\n return c.text('Token response missing refresh_token', 502);\n }\n if (!isPositiveFiniteNumber(expires_in)) {\n return c.text('Token response missing or invalid expires_in', 502);\n }\n\n const expiresAt = Date.now() + expires_in * 1000;\n const refreshCookieName = `${HUBSPOT_REFRESH_COOKIE_PREFIX}${sessionId}`;\n\n setResponseCookie({\n c,\n value: serializeCookie({\n name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n value: accessToken,\n path: '/',\n maxAge: expires_in,\n }),\n });\n setResponseCookie({\n c,\n value: serializeCookie({\n name: refreshCookieName,\n value: refreshToken,\n path: refreshCookiePath,\n maxAge: REFRESH_COOKIE_MAX_AGE_SEC,\n }),\n });\n setResponseCookie({ c, value: clearTempCookie(TEMP_COOKIE_PKCE_VERIFIER) });\n setResponseCookie({ c, value: clearTempCookie(TEMP_COOKIE_OAUTH_STATE) });\n\n const separator = returnPath.includes('?') ? '&' : '?';\n return c.redirect(\n `${returnPath}${separator}${EXPIRES_AT_URL_PARAM}=${expiresAt}`,\n 302\n );\n}\n"],"mappings":";;;;;;;;;AAkCA,eAAsB,mBACpB,GACA,SACA;CACA,MAAM,EAAE,SAAS,mBAAmB,UAAU,sBAAsB;CACpE,MAAM,kBAAkB,EAAE,IAAI,OAAO,oBAAoB,IAAI,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,mBAAmB,IAAI,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,OAAO,IAAI,KAAA;CAClD,MAAM,OAAO,EAAE,IAAI,MAAM,OAAO;CAChC,MAAM,QAAQ,EAAE,IAAI,MAAM,QAAQ;CAElC,IAAI,CAAC,QAAQ,CAAC,OACZ,OAAO,EAAE,KAAK,yBAAyB,IAAI;CAG7C,IAAI,kBAAkB,2BAA2B,CAAC,SAChD,OAAO,EAAE,KACP,6FACA,IACD;CAGH,MAAM,UAAU,aAAa,EAAE,IAAI,OAAO,SAAS,CAAC;CACpD,MAAM,gBAAgB,QAAQ;CAC9B,MAAM,eAAe,QAAQ;CAE7B,IAAI,CAAC,iBAAiB,UAAU,mBAAmB,cAAc,EAC/D,OAAO,EAAE,KAAK,kBAAkB,IAAI;CAEtC,IAAI,CAAC,cACH,OAAO,EAAE,KAAK,yBAAyB,IAAI;CAG7C,IAAI;CACJ,IAAI;EACF,eAAe,KAAK,MAClB,IAAI,aAAa,CAAC,OAAO,gBAAgB,mBAAmB,MAAM,CAAC,CAAC,CACrE;SACK;EACN,OAAO,EAAE,KAAK,yBAAyB,IAAI;;CAE7C,MAAM,aAAa,aAAa;CAChC,IAAI,CAAC,cAAc,CAAC,iBAAiB,WAAW,EAC9C,OAAO,EAAE,KAAK,gCAAgC,IAAI;CAGpD,MAAM,YAAY,aAAa;CAC/B,IAAI,CAAC,WACH,OAAO,EAAE,KAAK,8BAA8B,IAAI;CAGlD,MAAM,sBAAsB,mBAAmB,aAAa;CAE5D,MAAM,WAAW,kBAAkB,gBAC/B,gCAAgC;EAC9B,YAAY,EAAE,IAAI;EAClB;EACA;EACA;EACA;EACD,CAAC,GACF,kBAAkB;CAEtB,MAAM,cAAc,iCAAiC;EACnD,YAAY,EAAE,IAAI;EAClB;EACA;EACA;EACA;EACD,CAAC;CAEF,MAAM,mBAAmB,IAAI,IAC3B,mBACA,kBAAkB,sBACnB,CAAC;CAEF,IAAI;CACJ,IAAI,kBAAkB,eACpB,YAAY,MAAM,4BAA4B;EACnC;EACT;EACA,eAAe;EAChB,CAAC;CAGJ,IAAI;CACJ,IAAI,kBAAkB,eAMpB,aAAa;EACX,YAAY;EACZ;EACA,eAAe;EACf,cAAc;EACd,GAAG,+BAA+B;GAAE;GAAU,iBAAA,MAVlB,qBAAqB;IACxC;IACT;IACA,UAAU;IACX,CAAC;GAM+D,CAAC;EACjE;MAED,aAAa;EACX,YAAY;EACZ;EACA,eAAe;EACf,cAAc;EACd,GAAG,4BAA4B;GAC7B;GACA,cAAc,kBAAkB;GACjC,CAAC;EACH;CAGH,MAAM,cAAc,MAAM,kBAAkB;EAC1C;EACA,eAAe,kBAAkB;EACjC,GAAI,cAAc,KAAA,IAAY,EAAE,WAAW,GAAG,EAAE;EAChD;EACD,CAAC;CACF,IAAI,CAAC,YAAY,IACf,OAAO,EAAE,KAAK,0BAA0B,YAAY,aAAa,IAAI;CAGvE,MAAM,EACJ,cAAc,aACd,eAAe,cACf,eACE,YAAY;CAChB,IAAI,CAAC,cACH,OAAO,EAAE,KAAK,wCAAwC,IAAI;CAE5D,IAAI,CAAC,uBAAuB,WAAW,EACrC,OAAO,EAAE,KAAK,gDAAgD,IAAI;CAGpE,MAAM,YAAY,KAAK,KAAK,GAAG,aAAa;CAC5C,MAAM,oBAAoB,GAAG,gCAAgC;CAE7D,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAAE;EAAG,OAAO,gBAAgB,0BAA0B;EAAE,CAAC;CAC3E,kBAAkB;EAAE;EAAG,OAAO,gBAAgB,wBAAwB;EAAE,CAAC;CAEzE,MAAM,YAAY,WAAW,SAAS,IAAI,GAAG,MAAM;CACnD,OAAO,EAAE,SACP,GAAG,aAAa,YAAY,qBAAqB,GAAG,aACpD,IACD"}

package/dist/server/hono/hubspot-connect-routes/auth-init-session.js ADDED Viewed

@@ -0,0 +1,90 @@
+import { base64url } from "../../shared/encoding/base64.js";
+import { sha256base64url } from "../../shared/encoding/sha256.js";
+import { HUBSPOT_APP_SID_COOKIE_NAME, TEMP_COOKIE_OAUTH_STATE, TEMP_COOKIE_PKCE_VERIFIER } from "../../constants.js";
+import { serializeCookie, setResponseCookie } from "../utils/cookie-utils.js";
+import { OAUTH_TEMP_MAX_AGE_SEC, SESSION_MAX_AGE_SEC } from "./constants.js";
+import { buildCimdClientIdUrlFromRequest, buildOAuthRedirectUriFromRequest, isSafeReturnPath } from "./utils.js";
+import { deriveHubSpotAuthorizeScopesFromClientMetadata } from "./fetch-hubspot-client-metadata.js";
+//#region src/server/hono/hubspot-connect-routes/auth-init-session.ts
+async function handleAuthInitSession(c, options) {
+	const { hubspotConnectEnv, cimdClientMetadata } = options;
+	const xForwardedProto = c.req.header("x-forwarded-proto") ?? void 0;
+	const xForwardedHost = c.req.header("x-forwarded-host") ?? void 0;
+	const requestHostHeader = c.req.header("host") ?? void 0;
+	const returnPath = new URL(c.req.url).searchParams.get("return_path") ?? "/";
+	if (!isSafeReturnPath(returnPath)) return c.text("Invalid return_path", 400);
+	const sessionIdBytes = new Uint8Array(32);
+	crypto.getRandomValues(sessionIdBytes);
+	const sessionId = base64url(sessionIdBytes);
+	const sessionIdHash = await sha256base64url(sessionId);
+	const codeVerifierBytes = new Uint8Array(32);
+	crypto.getRandomValues(codeVerifierBytes);
+	const codeVerifier = base64url(codeVerifierBytes);
+	const codeChallenge = await sha256base64url(codeVerifier);
+	const stateValue = base64url(new TextEncoder().encode(JSON.stringify({
+		return_path: returnPath,
+		sid: sessionIdHash
+	})));
+	const clientId = hubspotConnectEnv.isCimdEnabled ? buildCimdClientIdUrlFromRequest({
+		requestUrl: c.req.url,
+		basePath: options.basePath,
+		xForwardedProto,
+		xForwardedHost,
+		requestHostHeader
+	}) : hubspotConnectEnv.hubspotClientId;
+	const redirectUri = buildOAuthRedirectUriFromRequest({
+		requestUrl: c.req.url,
+		basePath: options.basePath,
+		xForwardedProto,
+		xForwardedHost,
+		requestHostHeader
+	});
+	const authorizeUrl = new URL(hubspotConnectEnv.hubspotAuthorizationEndpoint);
+	authorizeUrl.searchParams.set("response_type", "code");
+	authorizeUrl.searchParams.set("client_id", clientId);
+	authorizeUrl.searchParams.set("redirect_uri", redirectUri);
+	authorizeUrl.searchParams.set("code_challenge", codeChallenge);
+	authorizeUrl.searchParams.set("code_challenge_method", "S256");
+	authorizeUrl.searchParams.set("state", stateValue);
+	authorizeUrl.searchParams.set("sid", sessionIdHash);
+	if (!hubspotConnectEnv.isCimdEnabled) {
+		const scopesResult = deriveHubSpotAuthorizeScopesFromClientMetadata(cimdClientMetadata);
+		if (!scopesResult.ok) return c.text(scopesResult.message, scopesResult.status);
+		authorizeUrl.searchParams.set("scope", scopesResult.scope);
+		if (scopesResult.optionalScope !== void 0) authorizeUrl.searchParams.set("optional_scope", scopesResult.optionalScope);
+	}
+	setResponseCookie({
+		c,
+		value: serializeCookie({
+			name: HUBSPOT_APP_SID_COOKIE_NAME,
+			value: sessionId,
+			path: "/",
+			maxAge: SESSION_MAX_AGE_SEC
+		})
+	});
+	setResponseCookie({
+		c,
+		value: serializeCookie({
+			name: TEMP_COOKIE_PKCE_VERIFIER,
+			value: encodeURIComponent(codeVerifier),
+			path: "/",
+			sameSite: "Lax",
+			maxAge: OAUTH_TEMP_MAX_AGE_SEC
+		})
+	});
+	setResponseCookie({
+		c,
+		value: serializeCookie({
+			name: TEMP_COOKIE_OAUTH_STATE,
+			value: encodeURIComponent(stateValue),
+			path: "/",
+			sameSite: "Lax",
+			maxAge: OAUTH_TEMP_MAX_AGE_SEC
+		})
+	});
+	return c.json({ authorization_url: authorizeUrl.toString() });
+}
+//#endregion
+export { handleAuthInitSession };
+//# sourceMappingURL=auth-init-session.js.map

package/dist/server/hono/hubspot-connect-routes/auth-init-session.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-init-session.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/auth-init-session.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport {\n HUBSPOT_APP_SID_COOKIE_NAME,\n TEMP_COOKIE_OAUTH_STATE,\n TEMP_COOKIE_PKCE_VERIFIER,\n} from '../../constants.ts';\nimport { base64url } from '../../utils/base64-utils.ts';\nimport { sha256base64url } from '../../utils/crypto-utils.ts';\nimport { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';\nimport { OAUTH_TEMP_MAX_AGE_SEC, SESSION_MAX_AGE_SEC } from './constants.ts';\nimport { deriveHubSpotAuthorizeScopesFromClientMetadata } from './fetch-hubspot-client-metadata.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport {\n buildCimdClientIdUrlFromRequest,\n buildOAuthRedirectUriFromRequest,\n isSafeReturnPath,\n} from './utils.ts';\n\nexport async function handleAuthInitSession(\n c: Context,\n options: HubSpotConnectOAuthRouteOptions\n) {\n const { hubspotConnectEnv, cimdClientMetadata } = options;\n const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n const requestHostHeader = c.req.header('host') ?? undefined;\n const url = new URL(c.req.url);\n const returnPath = url.searchParams.get('return_path') ?? '/';\n if (!isSafeReturnPath(returnPath)) {\n return c.text('Invalid return_path', 400);\n }\n\n const sessionIdBytes = new Uint8Array(32);\n crypto.getRandomValues(sessionIdBytes);\n const sessionId = base64url(sessionIdBytes);\n const sessionIdHash = await sha256base64url(sessionId);\n\n const codeVerifierBytes = new Uint8Array(32);\n crypto.getRandomValues(codeVerifierBytes);\n const codeVerifier = base64url(codeVerifierBytes);\n const codeChallenge = await sha256base64url(codeVerifier);\n\n const stateValue = base64url(\n new TextEncoder().encode(\n JSON.stringify({\n return_path: returnPath,\n sid: sessionIdHash,\n })\n )\n );\n\n const clientId = hubspotConnectEnv.isCimdEnabled\n ? buildCimdClientIdUrlFromRequest({\n requestUrl: c.req.url,\n basePath: options.basePath,\n xForwardedProto,\n xForwardedHost,\n requestHostHeader,\n })\n : hubspotConnectEnv.hubspotClientId;\n\n const redirectUri = buildOAuthRedirectUriFromRequest({\n requestUrl: c.req.url,\n basePath: options.basePath,\n xForwardedProto,\n xForwardedHost,\n requestHostHeader,\n });\n\n const authorizeUrl = new URL(hubspotConnectEnv.hubspotAuthorizationEndpoint);\n authorizeUrl.searchParams.set('response_type', 'code');\n authorizeUrl.searchParams.set('client_id', clientId);\n authorizeUrl.searchParams.set('redirect_uri', redirectUri);\n authorizeUrl.searchParams.set('code_challenge', codeChallenge);\n authorizeUrl.searchParams.set('code_challenge_method', 'S256');\n authorizeUrl.searchParams.set('state', stateValue);\n authorizeUrl.searchParams.set('sid', sessionIdHash);\n\n if (!hubspotConnectEnv.isCimdEnabled) {\n const scopesResult =\n deriveHubSpotAuthorizeScopesFromClientMetadata(cimdClientMetadata);\n if (!scopesResult.ok) {\n return c.text(scopesResult.message, scopesResult.status as 500 | 502);\n }\n authorizeUrl.searchParams.set('scope', scopesResult.scope);\n if (scopesResult.optionalScope !== undefined) {\n authorizeUrl.searchParams.set(\n 'optional_scope',\n scopesResult.optionalScope\n );\n }\n }\n\n setResponseCookie({\n c,\n value: serializeCookie({\n name: HUBSPOT_APP_SID_COOKIE_NAME,\n value: sessionId,\n path: '/',\n maxAge: SESSION_MAX_AGE_SEC,\n }),\n });\n setResponseCookie({\n c,\n value: serializeCookie({\n name: TEMP_COOKIE_PKCE_VERIFIER,\n value: encodeURIComponent(codeVerifier),\n path: '/',\n sameSite: 'Lax',\n maxAge: OAUTH_TEMP_MAX_AGE_SEC,\n }),\n });\n setResponseCookie({\n c,\n value: serializeCookie({\n name: TEMP_COOKIE_OAUTH_STATE,\n value: encodeURIComponent(stateValue),\n path: '/',\n sameSite: 'Lax',\n maxAge: OAUTH_TEMP_MAX_AGE_SEC,\n }),\n });\n\n return c.json({ authorization_url: authorizeUrl.toString() });\n}\n"],"mappings":";;;;;;;;AAmBA,eAAsB,sBACpB,GACA,SACA;CACA,MAAM,EAAE,mBAAmB,uBAAuB;CAClD,MAAM,kBAAkB,EAAE,IAAI,OAAO,oBAAoB,IAAI,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,mBAAmB,IAAI,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,OAAO,IAAI,KAAA;CAElD,MAAM,aAAa,IADH,IAAI,EAAE,IAAI,IACJ,CAAC,aAAa,IAAI,cAAc,IAAI;CAC1D,IAAI,CAAC,iBAAiB,WAAW,EAC/B,OAAO,EAAE,KAAK,uBAAuB,IAAI;CAG3C,MAAM,iBAAiB,IAAI,WAAW,GAAG;CACzC,OAAO,gBAAgB,eAAe;CACtC,MAAM,YAAY,UAAU,eAAe;CAC3C,MAAM,gBAAgB,MAAM,gBAAgB,UAAU;CAEtD,MAAM,oBAAoB,IAAI,WAAW,GAAG;CAC5C,OAAO,gBAAgB,kBAAkB;CACzC,MAAM,eAAe,UAAU,kBAAkB;CACjD,MAAM,gBAAgB,MAAM,gBAAgB,aAAa;CAEzD,MAAM,aAAa,UACjB,IAAI,aAAa,CAAC,OAChB,KAAK,UAAU;EACb,aAAa;EACb,KAAK;EACN,CAAC,CACH,CACF;CAED,MAAM,WAAW,kBAAkB,gBAC/B,gCAAgC;EAC9B,YAAY,EAAE,IAAI;EAClB,UAAU,QAAQ;EAClB;EACA;EACA;EACD,CAAC,GACF,kBAAkB;CAEtB,MAAM,cAAc,iCAAiC;EACnD,YAAY,EAAE,IAAI;EAClB,UAAU,QAAQ;EAClB;EACA;EACA;EACD,CAAC;CAEF,MAAM,eAAe,IAAI,IAAI,kBAAkB,6BAA6B;CAC5E,aAAa,aAAa,IAAI,iBAAiB,OAAO;CACtD,aAAa,aAAa,IAAI,aAAa,SAAS;CACpD,aAAa,aAAa,IAAI,gBAAgB,YAAY;CAC1D,aAAa,aAAa,IAAI,kBAAkB,cAAc;CAC9D,aAAa,aAAa,IAAI,yBAAyB,OAAO;CAC9D,aAAa,aAAa,IAAI,SAAS,WAAW;CAClD,aAAa,aAAa,IAAI,OAAO,cAAc;CAEnD,IAAI,CAAC,kBAAkB,eAAe;EACpC,MAAM,eACJ,+CAA+C,mBAAmB;EACpE,IAAI,CAAC,aAAa,IAChB,OAAO,EAAE,KAAK,aAAa,SAAS,aAAa,OAAoB;EAEvE,aAAa,aAAa,IAAI,SAAS,aAAa,MAAM;EAC1D,IAAI,aAAa,kBAAkB,KAAA,GACjC,aAAa,aAAa,IACxB,kBACA,aAAa,cACd;;CAIL,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO,mBAAmB,aAAa;GACvC,MAAM;GACN,UAAU;GACV,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO,mBAAmB,WAAW;GACrC,MAAM;GACN,UAAU;GACV,QAAQ;GACT,CAAC;EACH,CAAC;CAEF,OAAO,EAAE,KAAK,EAAE,mBAAmB,aAAa,UAAU,EAAE,CAAC"}

package/dist/server/hono/hubspot-connect-routes/auth-logout.js ADDED Viewed

@@ -0,0 +1,97 @@
+import { HUBSPOT_ACCESS_TOKEN_COOKIE_NAME, HUBSPOT_APP_SID_COOKIE_NAME } from "../../constants.js";
+import { parseCookies } from "../../utils/cookie-utils.js";
+import { serializeCookie, setResponseCookie } from "../utils/cookie-utils.js";
+import { buildClientAssertion } from "./oauth-client.js";
+import { buildCimdClientIdUrlFromRequest } from "./utils.js";
+//#region src/server/hono/hubspot-connect-routes/auth-logout.ts
+async function revokeToken(options) {
+	const { revokeEndpointUrl, body, logger } = options;
+	try {
+		const response = await fetch(revokeEndpointUrl, {
+			method: "POST",
+			headers: { "Content-Type": "application/x-www-form-urlencoded" },
+			body
+		});
+		if (!response.ok) logger.warn(`HubSpot token revoke returned HTTP ${response.status} ${response.statusText}`);
+	} catch (error) {
+		logger.warn("HubSpot token revoke request failed", error);
+	}
+}
+async function handleAuthLogout(c, options) {
+	const { appKeys, refreshCookiePath, basePath, hubspotConnectEnv, logger } = options;
+	const xForwardedProto = c.req.header("x-forwarded-proto") ?? void 0;
+	const xForwardedHost = c.req.header("x-forwarded-host") ?? void 0;
+	const requestHostHeader = c.req.header("host") ?? void 0;
+	const cookies = parseCookies(c.req.header("Cookie"));
+	const accessToken = cookies[HUBSPOT_ACCESS_TOKEN_COOKIE_NAME];
+	const clientId = hubspotConnectEnv.isCimdEnabled ? buildCimdClientIdUrlFromRequest({
+		requestUrl: c.req.url,
+		basePath,
+		xForwardedProto,
+		xForwardedHost,
+		requestHostHeader
+	}) : hubspotConnectEnv.hubspotClientId;
+	const revokeEndpointUrl = new URL("/oauth/v1/revoke", hubspotConnectEnv.hubspotOAuthApiOrigin).href;
+	if (accessToken) if (hubspotConnectEnv.isCimdEnabled) {
+		if (!appKeys) return c.json({ error: "Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD is enabled" }, 500);
+		const clientAssertion = await buildClientAssertion({
+			appKeys,
+			clientId,
+			audience: revokeEndpointUrl
+		});
+		await revokeToken({
+			revokeEndpointUrl,
+			body: new URLSearchParams({
+				token: accessToken,
+				token_type_hint: "access_token",
+				client_id: clientId,
+				client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+				client_assertion: clientAssertion
+			}),
+			logger
+		});
+	} else await revokeToken({
+		revokeEndpointUrl,
+		body: new URLSearchParams({
+			token: accessToken,
+			token_type_hint: "access_token",
+			client_id: clientId,
+			client_secret: hubspotConnectEnv.hubspotClientSecret
+		}),
+		logger
+	});
+	setResponseCookie({
+		c,
+		value: serializeCookie({
+			name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,
+			value: "",
+			path: "/",
+			maxAge: 0
+		})
+	});
+	setResponseCookie({
+		c,
+		value: serializeCookie({
+			name: HUBSPOT_APP_SID_COOKIE_NAME,
+			value: "",
+			path: "/",
+			maxAge: 0
+		})
+	});
+	Object.keys(cookies).forEach((cookieName) => {
+		if (cookieName.startsWith("hs_refresh_")) setResponseCookie({
+			c,
+			value: serializeCookie({
+				name: cookieName,
+				value: "",
+				path: refreshCookiePath,
+				maxAge: 0
+			})
+		});
+	});
+	return c.json({ redirect_to: "/" });
+}
+//#endregion
+export { handleAuthLogout };
+//# sourceMappingURL=auth-logout.js.map

package/dist/server/hono/hubspot-connect-routes/auth-logout.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-logout.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/auth-logout.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport type { Logger } from '../../../shared/logger.ts';\nimport {\n HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n HUBSPOT_APP_SID_COOKIE_NAME,\n HUBSPOT_REFRESH_COOKIE_PREFIX,\n} from '../../constants.ts';\nimport { parseCookies } from '../../utils/cookie-utils.ts';\nimport { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';\nimport { buildClientAssertion } from './oauth-client.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport { buildCimdClientIdUrlFromRequest } from './utils.ts';\n\nasync function revokeToken(options: {\n revokeEndpointUrl: string;\n body: URLSearchParams;\n logger: Logger;\n}): Promise<void> {\n const { revokeEndpointUrl, body, logger } = options;\n try {\n const response = await fetch(revokeEndpointUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body,\n });\n if (!response.ok) {\n logger.warn(\n `HubSpot token revoke returned HTTP ${response.status} ${response.statusText}`\n );\n }\n } catch (error) {\n logger.warn('HubSpot token revoke request failed', error);\n }\n}\n\nexport async function handleAuthLogout(\n c: Context,\n options: HubSpotConnectOAuthRouteOptions\n) {\n const { appKeys, refreshCookiePath, basePath, hubspotConnectEnv, logger } =\n options;\n const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n const requestHostHeader = c.req.header('host') ?? undefined;\n const cookies = parseCookies(c.req.header('Cookie'));\n const accessToken = cookies[HUBSPOT_ACCESS_TOKEN_COOKIE_NAME];\n\n const clientId = hubspotConnectEnv.isCimdEnabled\n ? buildCimdClientIdUrlFromRequest({\n requestUrl: c.req.url,\n basePath,\n xForwardedProto,\n xForwardedHost,\n requestHostHeader,\n })\n : hubspotConnectEnv.hubspotClientId;\n\n const revokeEndpointUrl = new URL(\n '/oauth/v1/revoke',\n hubspotConnectEnv.hubspotOAuthApiOrigin\n ).href;\n\n if (accessToken) {\n if (hubspotConnectEnv.isCimdEnabled) {\n if (!appKeys) {\n return c.json(\n {\n error:\n 'Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD is enabled',\n },\n 500\n );\n }\n const clientAssertion = await buildClientAssertion({\n appKeys,\n clientId,\n audience: revokeEndpointUrl,\n });\n await revokeToken({\n revokeEndpointUrl,\n body: new URLSearchParams({\n token: accessToken,\n token_type_hint: 'access_token',\n client_id: clientId,\n client_assertion_type:\n 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',\n client_assertion: clientAssertion,\n }),\n logger,\n });\n } else {\n await revokeToken({\n revokeEndpointUrl,\n body: new URLSearchParams({\n token: accessToken,\n token_type_hint: 'access_token',\n client_id: clientId,\n client_secret: hubspotConnectEnv.hubspotClientSecret,\n }),\n logger,\n });\n }\n }\n\n setResponseCookie({\n c,\n value: serializeCookie({\n name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n value: '',\n path: '/',\n maxAge: 0,\n }),\n });\n setResponseCookie({\n c,\n value: serializeCookie({\n name: HUBSPOT_APP_SID_COOKIE_NAME,\n value: '',\n path: '/',\n maxAge: 0,\n }),\n });\n\n Object.keys(cookies).forEach((cookieName) => {\n if (cookieName.startsWith(HUBSPOT_REFRESH_COOKIE_PREFIX)) {\n setResponseCookie({\n c,\n value: serializeCookie({\n name: cookieName,\n value: '',\n path: refreshCookiePath,\n maxAge: 0,\n }),\n });\n }\n });\n\n return c.json({ redirect_to: '/' });\n}\n"],"mappings":";;;;;;AAcA,eAAe,YAAY,SAIT;CAChB,MAAM,EAAE,mBAAmB,MAAM,WAAW;CAC5C,IAAI;EACF,MAAM,WAAW,MAAM,MAAM,mBAAmB;GAC9C,QAAQ;GACR,SAAS,EAAE,gBAAgB,qCAAqC;GAChE;GACD,CAAC;EACF,IAAI,CAAC,SAAS,IACZ,OAAO,KACL,sCAAsC,SAAS,OAAO,GAAG,SAAS,aACnE;UAEI,OAAO;EACd,OAAO,KAAK,uCAAuC,MAAM;;;AAI7D,eAAsB,iBACpB,GACA,SACA;CACA,MAAM,EAAE,SAAS,mBAAmB,UAAU,mBAAmB,WAC/D;CACF,MAAM,kBAAkB,EAAE,IAAI,OAAO,oBAAoB,IAAI,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,mBAAmB,IAAI,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,OAAO,IAAI,KAAA;CAClD,MAAM,UAAU,aAAa,EAAE,IAAI,OAAO,SAAS,CAAC;CACpD,MAAM,cAAc,QAAQ;CAE5B,MAAM,WAAW,kBAAkB,gBAC/B,gCAAgC;EAC9B,YAAY,EAAE,IAAI;EAClB;EACA;EACA;EACA;EACD,CAAC,GACF,kBAAkB;CAEtB,MAAM,oBAAoB,IAAI,IAC5B,oBACA,kBAAkB,sBACnB,CAAC;CAEF,IAAI,aACF,IAAI,kBAAkB,eAAe;EACnC,IAAI,CAAC,SACH,OAAO,EAAE,KACP,EACE,OACE,qFACH,EACD,IACD;EAEH,MAAM,kBAAkB,MAAM,qBAAqB;GACjD;GACA;GACA,UAAU;GACX,CAAC;EACF,MAAM,YAAY;GAChB;GACA,MAAM,IAAI,gBAAgB;IACxB,OAAO;IACP,iBAAiB;IACjB,WAAW;IACX,uBACE;IACF,kBAAkB;IACnB,CAAC;GACF;GACD,CAAC;QAEF,MAAM,YAAY;EAChB;EACA,MAAM,IAAI,gBAAgB;GACxB,OAAO;GACP,iBAAiB;GACjB,WAAW;GACX,eAAe,kBAAkB;GAClC,CAAC;EACF;EACD,CAAC;CAIN,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,QAAQ;GACT,CAAC;EACH,CAAC;CAEF,OAAO,KAAK,QAAQ,CAAC,SAAS,eAAe;EAC3C,IAAI,WAAW,WAAA,cAAyC,EACtD,kBAAkB;GAChB;GACA,OAAO,gBAAgB;IACrB,MAAM;IACN,OAAO;IACP,MAAM;IACN,QAAQ;IACT,CAAC;GACH,CAAC;GAEJ;CAEF,OAAO,EAAE,KAAK,EAAE,aAAa,KAAK,CAAC"}