npm - @hubspot/app-connect-sdk - Versions diffs - 1.0.0-alpha.11 → 1.0.0-alpha.13 - Mend

@hubspot/app-connect-sdk 1.0.0-alpha.11 → 1.0.0-alpha.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (199) hide show

package/dist/server/utils/jwt-utils.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"jwt-utils.js","names":[],"sources":["../../../src/server/utils/jwt-utils.ts"],"sourcesContent":["import { base64url, base64urlDecode } from './base64-utils.ts';\n\ninterface EncodeAndSignJwtOptions {\n header: Record<string, unknown>;\n payload: Record<string, unknown>;\n privateKey: CryptoKey;\n}\n\n/*\n Low-level helper that encodes a JWS Compact Serialization JWT\n * (RFC 7519) and signs it with the supplied `privateKey` using\n * ES256 (P-256 + SHA-256). Returns the three-segment compact form.\n /\nexport async function encodeAndSignJwt(\n options: EncodeAndSignJwtOptions\n): Promise<string> {\n const { header, payload, privateKey } = options;\n\n const encodedHeader = base64url(\n new TextEncoder().encode(JSON.stringify(header))\n );\n const encodedPayload = base64url(\n new TextEncoder().encode(JSON.stringify(payload))\n );\n const signingInput = `${encodedHeader}.${encodedPayload}`;\n const signatureBuffer = await crypto.subtle.sign(\n { name: 'ECDSA', hash: 'SHA-256' },\n privateKey,\n new TextEncoder().encode(signingInput)\n );\n return `${signingInput}.${base64url(new Uint8Array(signatureBuffer))}`;\n}\n\nasync function importPublicKey(jwk: JsonWebKey): Promise<CryptoKey> {\n return crypto.subtle.importKey(\n 'jwk',\n jwk,\n { name: 'ECDSA', namedCurve: 'P-256' },\n false,\n ['verify']\n );\n}\n\ninterface DecodeAndVerifyJwtOptions {\n token: string;\n publicKeyJwk: JsonWebKey;\n}\n\n/\n Verifies the ES256 signature on `token` against `publicKeyJwk` and\n * returns the decoded payload. Does not check `exp` — use\n * {@link verifyJwt} when expiry enforcement is desired.\n \n @throws {Error} When the token isn't three segments, when the\n * signature fails verification, or when the payload isn't valid\n * JSON.\n /\nexport async function decodeAndVerifyJwt(\n options: DecodeAndVerifyJwtOptions\n): Promise<Record<string, unknown>> {\n const { token, publicKeyJwk } = options;\n const parts = token.split('.');\n if (parts.length !== 3) throw new Error('Invalid JWT format');\n const [encodedHeader, encodedPayload, encodedSignature] = parts as [\n string,\n string,\n string,\n ];\n const publicKey = await importPublicKey(publicKeyJwk);\n const valid = await crypto.subtle.verify(\n { name: 'ECDSA', hash: 'SHA-256' },\n publicKey,\n base64urlDecode(encodedSignature),\n new TextEncoder().encode(`${encodedHeader}.${encodedPayload}`)\n );\n if (!valid) throw new Error('JWT signature verification failed');\n return JSON.parse(\n new TextDecoder().decode(base64urlDecode(encodedPayload))\n ) as Record<string, unknown>;\n}\n\nexport interface VerifyJwtOptions {\n /* Compact-serialized JWT to verify. /\n token: string;\n /* Public key in JWK form. Caller is responsible for trusting it. /\n publicKeyJwk: JsonWebKey;\n}\n\n/\n Verifies signature and (if present) `exp` (RFC 7519 §4.1.4) on a\n * JWT and returns its payload.\n \n @throws {Error} When the signature fails or when `exp` has passed.\n /\nexport async function verifyJwt(\n options: VerifyJwtOptions\n): Promise<Record<string, unknown>> {\n const { token, publicKeyJwk } = options;\n const payload = await decodeAndVerifyJwt({ token, publicKeyJwk });\n const now = Math.floor(Date.now() / 1000);\n if (typeof payload['exp'] === 'number' && payload['exp'] < now) {\n throw new Error('JWT expired');\n }\n return payload;\n}\n\nexport interface SignJwtOptions {\n /* ES256 private key as a non-extractable WebCrypto key. /\n privateKey: CryptoKey;\n /\n Custom claims merged onto an `iat` claim (and `exp` when\n * `ttlSeconds` is supplied). Caller-provided keys override the\n * standard ones.\n /\n payload: Record<string, unknown>;\n /\n Lifetime of the token in seconds. When set, the JWT's `exp` claim\n * is computed as `iat + ttlSeconds`. When omitted, no `exp` is added\n * (the caller is responsible for one if needed).\n /\n ttlSeconds?: number;\n}\n\n/\n Signs a JWT (RFC 7519) with `alg=ES256, typ=JWT` and returns the\n * compact serialization. Always sets `iat` to the current second; the\n * caller controls every other claim via `payload`.\n */\nexport async function signJwt(options: SignJwtOptions): Promise<string> {\n const { privateKey, payload, ttlSeconds } = options;\n const now = Math.floor(Date.now() / 1000);\n const payloadWithStandardClaims =\n ttlSeconds !== undefined\n ? { iat: now, exp: now + ttlSeconds, ...payload }\n : { iat: now, ...payload };\n return encodeAndSignJwt({\n header: { alg: 'ES256', typ: 'JWT' },\n payload: payloadWithStandardClaims,\n privateKey,\n });\n}\n"],"mappings":";;;;;;;AAaA,eAAsB,iBACpB,SACiB;CACjB,MAAM,EAAE,QAAQ,SAAS,eAAe;CAQxC,MAAM,eAAe,GANC,UACpB,IAAI,~~aAAa~~,~~CAAC~~,OAAO,KAAK,UAAU,~~OAAO~~,CAAC,CAKb,~~CAAC~~,GAHf,UACrB,IAAI,~~aAAa~~,~~CAAC~~,OAAO,KAAK,UAAU,~~QAAQ~~,CAAC,CAEI;~~CACvD~~,MAAM,kBAAkB,MAAM,OAAO,OAAO,KAC1C;EAAE,MAAM;EAAS,MAAM;~~EAAW~~,~~EAClC~~,YACA,IAAI,~~aAAa~~,~~CAAC~~,OAAO,~~aAAa~~,CACvC;~~CACD~~,OAAO,GAAG,aAAa,GAAG,UAAU,IAAI,WAAW,~~gBAAgB~~,CAAC~~;;AAGtE~~,eAAe,gBAAgB,KAAqC;CAClE,OAAO,OAAO,OAAO,UACnB,OACA,KACA;EAAE,MAAM;EAAS,YAAY;~~EAAS~~,~~EACtC~~,OACA,CAAC,~~SAAS~~,CACX~~;;;;;;;;;;;AAiBH~~,eAAsB,mBACpB,SACkC;CAClC,MAAM,EAAE,OAAO,iBAAiB;CAChC,MAAM,QAAQ,MAAM,MAAM,~~IAAI~~;~~CAC9B~~,IAAI,MAAM,WAAW,GAAG,MAAM,IAAI,MAAM,~~qBAAqB~~;~~CAC7D~~,MAAM,CAAC,eAAe,gBAAgB,oBAAoB;CAK1D,MAAM,YAAY,MAAM,gBAAgB,~~aAAa~~;~~CAOrD~~,IAAI,CAAC,MANe,OAAO,OAAO,OAChC;EAAE,MAAM;EAAS,MAAM;~~EAAW~~,~~EAClC~~,WACA,gBAAgB,~~iBAAiB~~,~~EACjC~~,IAAI,~~aAAa~~,~~CAAC~~,OAAO,GAAG,cAAc,GAAG,~~iBAAiB~~,CAC/D,~~EACW~~,MAAM,IAAI,MAAM,~~oCAAoC~~;~~CAChE~~,OAAO,KAAK,MACV,IAAI,~~aAAa~~,~~CAAC~~,OAAO,gBAAgB,~~eAAe~~,CAAC,CAC1D~~;;;;;;;;AAgBH~~,eAAsB,UACpB,SACkC;CAClC,MAAM,EAAE,OAAO,iBAAiB;CAChC,MAAM,UAAU,MAAM,mBAAmB;EAAE;EAAO;~~EAAc~~,CAAC;~~CACjE~~,MAAM,MAAM,KAAK,MAAM,KAAK,~~KAAK~~,~~GAAG~~,~~IAAK~~;~~CACzC~~,IAAI,OAAO,QAAQ,WAAW,YAAY,QAAQ,SAAS,KACzD,MAAM,IAAI,MAAM,~~cAAc~~;~~CAEhC~~,OAAO~~;;;;;;;AAyBT~~,eAAsB,QAAQ,SAA0C;CACtE,MAAM,EAAE,YAAY,SAAS,eAAe;CAC5C,MAAM,MAAM,KAAK,MAAM,KAAK,~~KAAK~~,~~GAAG~~,~~IAAK~~;~~CAKzC~~,OAAO,iBAAiB;EACtB,QAAQ;GAAE,KAAK;GAAS,KAAK;~~GAAO~~;~~EACpC~~,SALA,eAAe,KAAA,IACX;GAAE,KAAK;GAAK,KAAK,MAAM;GAAY,GAAG;~~GAAS~~,~~GAC/C~~;GAAE,KAAK;GAAK,GAAG;~~GAAS~~;~~EAI5B~~;~~EACD~~,CAAC"}
1	+ {"version":3,"file":"jwt-utils.js","names":[],"sources":["../../../src/server/utils/jwt-utils.ts"],"sourcesContent":["import { base64url, base64urlDecode } from './base64-utils.ts';\n\ninterface EncodeAndSignJwtOptions {\n header: Record<string, unknown>;\n payload: Record<string, unknown>;\n privateKey: CryptoKey;\n}\n\n/*\n Low-level helper that encodes a JWS Compact Serialization JWT\n * (RFC 7519) and signs it with the supplied `privateKey` using\n * ES256 (P-256 + SHA-256). Returns the three-segment compact form.\n /\nexport async function encodeAndSignJwt(\n options: EncodeAndSignJwtOptions\n): Promise<string> {\n const { header, payload, privateKey } = options;\n\n const encodedHeader = base64url(\n new TextEncoder().encode(JSON.stringify(header))\n );\n const encodedPayload = base64url(\n new TextEncoder().encode(JSON.stringify(payload))\n );\n const signingInput = `${encodedHeader}.${encodedPayload}`;\n const signatureBuffer = await crypto.subtle.sign(\n { name: 'ECDSA', hash: 'SHA-256' },\n privateKey,\n new TextEncoder().encode(signingInput)\n );\n return `${signingInput}.${base64url(new Uint8Array(signatureBuffer))}`;\n}\n\nasync function importPublicKey(jwk: JsonWebKey): Promise<CryptoKey> {\n return crypto.subtle.importKey(\n 'jwk',\n jwk,\n { name: 'ECDSA', namedCurve: 'P-256' },\n false,\n ['verify']\n );\n}\n\ninterface DecodeAndVerifyJwtOptions {\n token: string;\n publicKeyJwk: JsonWebKey;\n}\n\n/\n Verifies the ES256 signature on `token` against `publicKeyJwk` and\n * returns the decoded payload. Does not check `exp` — use\n * {@link verifyJwt} when expiry enforcement is desired.\n \n @throws {Error} When the token isn't three segments, when the\n * signature fails verification, or when the payload isn't valid\n * JSON.\n /\nexport async function decodeAndVerifyJwt(\n options: DecodeAndVerifyJwtOptions\n): Promise<Record<string, unknown>> {\n const { token, publicKeyJwk } = options;\n const parts = token.split('.');\n if (parts.length !== 3) throw new Error('Invalid JWT format');\n const [encodedHeader, encodedPayload, encodedSignature] = parts as [\n string,\n string,\n string,\n ];\n const publicKey = await importPublicKey(publicKeyJwk);\n const valid = await crypto.subtle.verify(\n { name: 'ECDSA', hash: 'SHA-256' },\n publicKey,\n base64urlDecode(encodedSignature),\n new TextEncoder().encode(`${encodedHeader}.${encodedPayload}`)\n );\n if (!valid) throw new Error('JWT signature verification failed');\n return JSON.parse(\n new TextDecoder().decode(base64urlDecode(encodedPayload))\n ) as Record<string, unknown>;\n}\n\nexport interface VerifyJwtOptions {\n /* Compact-serialized JWT to verify. /\n token: string;\n /* Public key in JWK form. Caller is responsible for trusting it. /\n publicKeyJwk: JsonWebKey;\n}\n\n/\n Verifies signature and (if present) `exp` (RFC 7519 §4.1.4) on a\n * JWT and returns its payload.\n \n @throws {Error} When the signature fails or when `exp` has passed.\n /\nexport async function verifyJwt(\n options: VerifyJwtOptions\n): Promise<Record<string, unknown>> {\n const { token, publicKeyJwk } = options;\n const payload = await decodeAndVerifyJwt({ token, publicKeyJwk });\n const now = Math.floor(Date.now() / 1000);\n if (typeof payload['exp'] === 'number' && payload['exp'] < now) {\n throw new Error('JWT expired');\n }\n return payload;\n}\n\nexport interface SignJwtOptions {\n /* ES256 private key as a non-extractable WebCrypto key. /\n privateKey: CryptoKey;\n /\n Custom claims merged onto an `iat` claim (and `exp` when\n * `ttlSeconds` is supplied). Caller-provided keys override the\n * standard ones.\n /\n payload: Record<string, unknown>;\n /\n Lifetime of the token in seconds. When set, the JWT's `exp` claim\n * is computed as `iat + ttlSeconds`. When omitted, no `exp` is added\n * (the caller is responsible for one if needed).\n /\n ttlSeconds?: number;\n}\n\n/\n Signs a JWT (RFC 7519) with `alg=ES256, typ=JWT` and returns the\n * compact serialization. Always sets `iat` to the current second; the\n * caller controls every other claim via `payload`.\n */\nexport async function signJwt(options: SignJwtOptions): Promise<string> {\n const { privateKey, payload, ttlSeconds } = options;\n const now = Math.floor(Date.now() / 1000);\n const payloadWithStandardClaims =\n ttlSeconds !== undefined\n ? { iat: now, exp: now + ttlSeconds, ...payload }\n : { iat: now, ...payload };\n return encodeAndSignJwt({\n header: { alg: 'ES256', typ: 'JWT' },\n payload: payloadWithStandardClaims,\n privateKey,\n });\n}\n"],"mappings":";;;;;;;AAaA,eAAsB,iBACpB,SACiB;CACjB,MAAM,EAAE,QAAQ,SAAS,eAAe;CAQxC,MAAM,eAAe,GANC,UACpB,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,MAAM,CAAC,CAKb,EAAE,GAHf,UACrB,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,OAAO,CAAC,CAEI;CACtD,MAAM,kBAAkB,MAAM,OAAO,OAAO,KAC1C;EAAE,MAAM;EAAS,MAAM;CAAU,GACjC,YACA,IAAI,YAAY,EAAE,OAAO,YAAY,CACvC;CACA,OAAO,GAAG,aAAa,GAAG,UAAU,IAAI,WAAW,eAAe,CAAC;AACrE;AAEA,eAAe,gBAAgB,KAAqC;CAClE,OAAO,OAAO,OAAO,UACnB,OACA,KACA;EAAE,MAAM;EAAS,YAAY;CAAQ,GACrC,OACA,CAAC,QAAQ,CACX;AACF;;;;;;;;;;AAgBA,eAAsB,mBACpB,SACkC;CAClC,MAAM,EAAE,OAAO,iBAAiB;CAChC,MAAM,QAAQ,MAAM,MAAM,GAAG;CAC7B,IAAI,MAAM,WAAW,GAAG,MAAM,IAAI,MAAM,oBAAoB;CAC5D,MAAM,CAAC,eAAe,gBAAgB,oBAAoB;CAK1D,MAAM,YAAY,MAAM,gBAAgB,YAAY;CAOpD,IAAI,CAAC,MANe,OAAO,OAAO,OAChC;EAAE,MAAM;EAAS,MAAM;CAAU,GACjC,WACA,gBAAgB,gBAAgB,GAChC,IAAI,YAAY,EAAE,OAAO,GAAG,cAAc,GAAG,gBAAgB,CAC/D,GACY,MAAM,IAAI,MAAM,mCAAmC;CAC/D,OAAO,KAAK,MACV,IAAI,YAAY,EAAE,OAAO,gBAAgB,cAAc,CAAC,CAC1D;AACF;;;;;;;AAeA,eAAsB,UACpB,SACkC;CAClC,MAAM,EAAE,OAAO,iBAAiB;CAChC,MAAM,UAAU,MAAM,mBAAmB;EAAE;EAAO;CAAa,CAAC;CAChE,MAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;CACxC,IAAI,OAAO,QAAQ,WAAW,YAAY,QAAQ,SAAS,KACzD,MAAM,IAAI,MAAM,aAAa;CAE/B,OAAO;AACT;;;;;;AAwBA,eAAsB,QAAQ,SAA0C;CACtE,MAAM,EAAE,YAAY,SAAS,eAAe;CAC5C,MAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;CAKxC,OAAO,iBAAiB;EACtB,QAAQ;GAAE,KAAK;GAAS,KAAK;EAAM;EACnC,SALA,eAAe,KAAA,IACX;GAAE,KAAK;GAAK,KAAK,MAAM;GAAY,GAAG;EAAQ,IAC9C;GAAE,KAAK;GAAK,GAAG;EAAQ;EAI3B;CACF,CAAC;AACH"}

package/package.json CHANGED Viewed

@@ -1,13 +1,13 @@
 {
   "name": "@hubspot/app-connect-sdk",
-  "version": "1.0.0-alpha.11",
+  "version": "1.0.0-alpha.13",
   "description": "HubSpot App Connect SDK (alpha release). Documentation and integration guidance forthcoming.",
   "type": "module",
   "exports": {
     "./browser": "./dist/browser/index.js",
     "./react": "./dist/browser/react.js",
     "./react/lovable": "./dist/browser/react/lovable.js",
-    "./server/api-client": "./dist/server/api-client-core.js",
+    "./server/api-client": "./dist/server/api-client.js",
     "./server/lovable": "./dist/server/lovable.js",
     "./server/oauth": "./dist/server/oauth.js"
   },
@@ -26,27 +26,27 @@
     "react": "^18.0.0 || ^19.0.0"
   },
   "dependencies": {
-    "@base-ui/react": "^1.4.1",
-    "hono": "^4.7.11"
+    "@base-ui/react": "1.4.1",
+    "hono": "4.12.19"
   },
   "engines": {
     "node": ">=24.0.0"
   },
   "devDependencies": {
-    "@types/deno": "^2.5.0",
-    "@types/node": "25.6.0",
-    "@types/react": "^19.1.0",
-    "@vanilla-extract/css": "^1.20.1",
-    "@vanilla-extract/rollup-plugin": "^1.5.3",
-    "eslint": "10.0.3",
-    "prettier": "3.8.1",
-    "react": "^19.1.0",
-    "tsdown": "0.22.0-beta.3",
+    "@types/deno": "2.7.0",
+    "@types/node": "25.9.0",
+    "@types/react": "19.2.14",
+    "@vanilla-extract/css": "1.20.1",
+    "@vanilla-extract/rollup-plugin": "1.5.3",
+    "eslint": "10.4.0",
+    "prettier": "3.8.3",
+    "react": "19.2.6",
+    "tsdown": "0.22.0",
     "typescript": "6.0.3",
-    "vitest": "4.0.18",
+    "vitest": "4.1.6",
     "@private/eslint-config": "0.1.0",
-    "@private/prettier-config": "0.1.0",
-    "@private/tsconfig": "0.1.0"
+    "@private/tsconfig": "0.1.0",
+    "@private/prettier-config": "0.1.0"
   },
   "scripts": {
     "clean": "rm -rf dist build *.tsbuildinfo node_modules .turbo",

package/src/browser/app-connect-controller/init.test.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
-import { HUBSPOT_FRONTEND_CALLBACK_PATH } from '../../shared/constants.ts';
+import { OAUTH_CALLBACK_PATH } from '../../shared/constants.ts';
 import { noopLogger } from '../../shared/logger.ts';
 import { EXPIRES_AT_KEY } from './constants.ts';
 import { initAppConnect } from './init.ts';
@@ -104,7 +104,7 @@ describe('initAppConnect', () => {
   it('POSTs to /auth/complete on the OAuth callback path and persists expires_at + return_path', async () => {
     const expiresAt = Date.now() + 1800 * 1000;
     installFakeWindow({
-      href: `https://app.example.com${HUBSPOT_FRONTEND_CALLBACK_PATH}?code=auth-code&state=auth-state`,
+      href: `https://app.example.com${OAUTH_CALLBACK_PATH}?code=auth-code&state=auth-state`,
     });
     const fetchSpy = vi
       .spyOn(globalThis, 'fetch')
@@ -138,7 +138,7 @@ describe('initAppConnect', () => {
   it('throws and clears session storage when /auth/complete returns a non-OK response', async () => {
     installFakeWindow({
-      href: `https://app.example.com${HUBSPOT_FRONTEND_CALLBACK_PATH}?code=auth-code&state=bad-state`,
+      href: `https://app.example.com${OAUTH_CALLBACK_PATH}?code=auth-code&state=bad-state`,
     });
     vi.spyOn(globalThis, 'fetch').mockResolvedValue(
       new Response('{"error":"State mismatch"}', {
@@ -155,7 +155,7 @@ describe('initAppConnect', () => {
   it('skips the callback step on the callback path when code or state are missing', async () => {
     installFakeWindow({
-      href: `https://app.example.com${HUBSPOT_FRONTEND_CALLBACK_PATH}`,
+      href: `https://app.example.com${OAUTH_CALLBACK_PATH}`,
     });
     const fetchSpy = vi.spyOn(globalThis, 'fetch');
     const context = createTestContext();

package/src/browser/app-connect-controller/init.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import {
   AUTH_COMPLETE_CODE_PARAM,
   AUTH_COMPLETE_STATE_PARAM,
-  HUBSPOT_FRONTEND_CALLBACK_PATH,
+  OAUTH_CALLBACK_PATH,
 } from '../../shared/constants.ts';
 import type { AuthCompleteResponse } from '../../shared/wire-types.ts';
 import { EXPIRES_AT_KEY } from './constants.ts';
@@ -37,7 +37,7 @@ export async function initAppConnect(
 }
 async function consumeOAuthCallback(context: AppConnectContext): Promise<void> {
-  if (window.location.pathname !== HUBSPOT_FRONTEND_CALLBACK_PATH) return;
+  if (window.location.pathname !== OAUTH_CALLBACK_PATH) return;
   const params = new URLSearchParams(window.location.search);
   const code = params.get(AUTH_COMPLETE_CODE_PARAM);

package/src/browser/react/components/ConnectButton/ConnectButton.tsx CHANGED Viewed

@@ -20,7 +20,6 @@ export function ConnectButton({
   className,
 }: ConnectButtonProps) {
   const { status, connectToHubSpot } = useHubSpotAppConnect();
-  console.log('status', status);
   const isConnecting = status === 'connecting' || status === 'initializing';
   const composedClassName = [root, className].filter(Boolean).join(' ');
   const labelClassName = isConnecting ? `${label} ${labelMuted}` : label;

package/src/server/api-client-core/client.ts CHANGED Viewed

@@ -18,7 +18,11 @@ import type {
  */
 function assertSuccess(response: ApiResponse): void {
   if (response.status < 200 || response.status >= 300) {
-    throw new HubSpotApiError(response);
+    const error = new HubSpotApiError(response);
+    if (response.bodyJson == null) {
+      error.message = `${error.message} (empty or non-JSON response body)`;
+    }
+    throw error;
   }
 }

package/src/server/api-client-core/plugins/fetch-transport.test.ts ADDED Viewed

@@ -0,0 +1,114 @@
+import { afterEach, describe, expect, it, vi } from 'vitest';
+import { createHubSpotClient } from '../client.ts';
+import { op } from '../op.ts';
+import {
+  fetchTransportPlugin,
+  type FetchTransportHeaderContext,
+} from './fetch-transport.ts';
+describe('fetchTransportPlugin', () => {
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+  it('uses Bearer authorization when getAuthorizationHeaders is omitted', async () => {
+    const fetchSpy = vi
+      .spyOn(globalThis, 'fetch')
+      .mockResolvedValue(new Response('{}'));
+    const client = createHubSpotClient({
+      plugins: [
+        fetchTransportPlugin({
+          getEndpoint: () => 'https://api.example.test',
+          getAccessToken: () => 'tok',
+        }),
+      ],
+    });
+    await client.send(
+      op.get('/crm/v3/objects/contacts/{contactId}', {
+        pathParams: { contactId: '123' },
+      })
+    );
+    expect(fetchSpy).toHaveBeenCalledWith(
+      'https://api.example.test/crm/v3/objects/contacts/123',
+      expect.objectContaining({
+        headers: expect.objectContaining({
+          Authorization: 'Bearer tok',
+        }),
+      })
+    );
+  });
+  it('uses getAuthorizationHeaders for authorization when provided', async () => {
+    const fetchSpy = vi
+      .spyOn(globalThis, 'fetch')
+      .mockResolvedValue(new Response('{}'));
+    const getAuthorizationHeaders = vi.fn(
+      (_ctx: FetchTransportHeaderContext) => ({
+        Authorization: 'DPoP tok',
+        DPoP: 'proof',
+      })
+    );
+    const client = createHubSpotClient({
+      plugins: [
+        fetchTransportPlugin({
+          getEndpoint: () => 'https://api.example.test',
+          getAuthorizationHeaders,
+        }),
+      ],
+    });
+    await client.send(op.get('/x'));
+    const init = fetchSpy.mock.calls[0]?.[1] as RequestInit;
+    const headers = init.headers as Record<string, string>;
+    expect(headers.Authorization).toBe('DPoP tok');
+    expect(headers.DPoP).toBe('proof');
+  });
+  it('passes targetUrl with query params to getAuthorizationHeaders', async () => {
+    vi.spyOn(globalThis, 'fetch').mockResolvedValue(new Response('{}'));
+    const getAuthorizationHeaders = vi.fn(
+      (_ctx: FetchTransportHeaderContext) => ({
+        Authorization: 'DPoP tok',
+        DPoP: 'proof',
+      })
+    );
+    const client = createHubSpotClient({
+      plugins: [
+        fetchTransportPlugin({
+          getEndpoint: () => 'https://api.example.test',
+          getAuthorizationHeaders,
+        }),
+      ],
+    });
+    await client.send(
+      op.get('/x', {
+        queryParams: { limit: 10, properties: ['email'] },
+      })
+    );
+    expect(getAuthorizationHeaders).toHaveBeenCalledWith(
+      expect.objectContaining({
+        targetUrl: 'https://api.example.test/x?limit=10&properties=email',
+        method: 'GET',
+      })
+    );
+  });
+  it('throws when neither getAccessToken nor getAuthorizationHeaders is provided', async () => {
+    const client = createHubSpotClient({
+      plugins: [fetchTransportPlugin({})],
+    });
+    await expect(client.send(op.get('/x'))).rejects.toThrow(
+      'fetchTransportPlugin: getAccessToken or getAuthorizationHeaders is required'
+    );
+  });
+});

package/src/server/api-client-core/plugins/fetch-transport.ts CHANGED Viewed

@@ -1,10 +1,23 @@
 import { isBinaryData } from '../binary-data.ts';
-import type { Plugin } from '../types.ts';
+import type { Operation, Plugin } from '../types.ts';
-const BASE_URL = 'https://api.hubapi.com';
+const HUBSPOT_API_ENDPOINT = 'https://api.hubapi.com';
+export interface FetchTransportHeaderContext {
+  /** Fully resolved request URL (endpoint + path + query). */
+  targetUrl: string;
+  /** Uppercase HTTP method. */
+  method: string;
+  /** The operation being sent. */
+  operation: Operation;
+}
 export interface FetchTransportPluginOptions {
-  getAccessToken: () => string;
+  getEndpoint?: () => string;
+  getAccessToken?: () => string;
+  getAuthorizationHeaders?: (
+    ctx: FetchTransportHeaderContext
+  ) => Record<string, string> | Promise<Record<string, string>>;
 }
 function appendRecordToUrlSearchParams(
@@ -23,6 +36,28 @@ function appendRecordToUrlSearchParams(
   }
 }
+async function readResponseBodyJson(response: Response): Promise<unknown> {
+  if (response.status === 204) {
+    return undefined;
+  }
+  const text = await response.text();
+  if (text.length === 0) {
+    return null;
+  }
+  try {
+    return JSON.parse(text) as unknown;
+  } catch {
+    if (response.status >= 200 && response.status < 300) {
+      throw new SyntaxError(
+        `fetchTransportPlugin: response body is not valid JSON (status ${response.status})`
+      );
+    }
+    return null;
+  }
+}
 /**
  * Transport plugin that executes HTTP requests using the Fetch API.
  *
@@ -38,12 +73,17 @@ export function fetchTransportPlugin(
     activate(api) {
       api.addMiddleware(async (ctx) => {
         const { operation } = ctx;
+        const endpoint = options.getEndpoint?.() ?? HUBSPOT_API_ENDPOINT;
+        const method = operation.method.toUpperCase();
         // Interpolate path parameters (e.g. "/contacts/{contactId}" → "/contacts/123")
-        let url = `${BASE_URL}${operation.path}`;
+        let targetUrl = `${endpoint}${operation.path}`;
         if (operation.pathParams) {
           for (const [key, value] of Object.entries(operation.pathParams)) {
-            url = url.replace(`{${key}}`, encodeURIComponent(String(value)));
+            targetUrl = targetUrl.replace(
+              `{${key}}`,
+              encodeURIComponent(String(value))
+            );
           }
         }
@@ -52,16 +92,30 @@ export function fetchTransportPlugin(
           const params = new URLSearchParams();
           appendRecordToUrlSearchParams(params, operation.queryParams);
           const qs = params.toString();
-          if (qs) url += `?${qs}`;
+          if (qs) targetUrl += `?${qs}`;
         }
+        const authHeaders = options.getAuthorizationHeaders
+          ? await options.getAuthorizationHeaders({
+              targetUrl,
+              method,
+              operation,
+            })
+          : options.getAccessToken
+            ? { Authorization: `Bearer ${options.getAccessToken()}` }
+            : (() => {
+                throw new Error(
+                  'fetchTransportPlugin: getAccessToken or getAuthorizationHeaders is required'
+                );
+              })();
         const headers: Record<string, string> = {
           ...(operation.headers ?? {}),
-          Authorization: `Bearer ${options.getAccessToken()}`,
+          ...authHeaders,
         };
         const init: RequestInit = {
-          method: operation.method.toUpperCase(),
+          method,
           headers,
         };
@@ -100,7 +154,8 @@ export function fetchTransportPlugin(
             init.body = JSON.stringify(operation.body);
           }
         }
-        const response = await fetch(url, init);
+        const response = await fetch(targetUrl, init);
         const responseHeaders: Record<string, string> = Object.create(null);
         response.headers.forEach((value, key) => {
           responseHeaders[key] = value;
@@ -110,8 +165,7 @@ export function fetchTransportPlugin(
           status: response.status,
           statusText: response.statusText,
           headers: responseHeaders,
-          // 204 No Content responses have no body to parse
-          bodyJson: response.status === 204 ? undefined : await response.json(),
+          bodyJson: await readResponseBodyJson(response),
         };
       });
     },

package/src/server/api-client-core/plugins/index.ts CHANGED Viewed

@@ -5,6 +5,7 @@
  * middleware plugins that can be passed to {@link createHubSpotClient}.
  */
 export {
+  type FetchTransportHeaderContext,
   type FetchTransportPluginOptions,
   fetchTransportPlugin,
 } from './fetch-transport.ts';

package/src/server/hono/hono-request-handler.ts CHANGED Viewed

@@ -1,16 +1,20 @@
 import { Hono } from 'hono';
-import { noopLogger, type Logger } from '../../shared/logger.ts';
+import { type Logger } from '../../shared/logger.ts';
 import { createHubSpotClient } from '../api-client-core/client.ts';
 import { fetchTransportPlugin } from '../api-client-core/plugins/fetch-transport.ts';
 import {
   HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,
   HUBSPOT_APP_SID_COOKIE_NAME,
 } from '../constants.ts';
-import { createHubSpotProxy } from '../proxy.ts';
 import { sanitizeRequest } from '../sanitize-request.ts';
-import type { AppKeys, UserCredentials } from '../types.ts';
+import type { AppKeys } from '../types.ts';
 import { parseCookies } from '../utils/cookie-utils.ts';
+import {
+  getHubSpotApiOrigin,
+  isHubspotDpopEnabled,
+} from '../utils/env-utils.ts';
+import { buildHubSpotDpopAuthHeaders } from '../utils/hubspot-dpop-auth-headers.ts';
 import type { AppConnectHonoBindings, AppConnectHonoEnv } from './types.ts';
 import { corsMiddleware } from './utils/cors-middleware.ts';
@@ -54,14 +58,21 @@ export interface CreateAppConnectRequestHandlerOptions {
  *
  * - Strips SDK-managed cookies (access token, refresh, sid) from the
  *   request before the app sees them, via `sanitizeRequest`.
- * - Exposes a `hubSpotProxy` on the Hono context so route handlers
+ * - Exposes a `hubSpot.client` on the Hono context so route handlers
  *   can issue authenticated calls to HubSpot's API on behalf of the
  *   browser session.
  */
 export function createAppConnectRequestHandler(
   options: CreateAppConnectRequestHandlerOptions
 ): AppConnectFetchHandler {
-  const { registerRoutes, appKeys, logger = noopLogger } = options;
+  const { registerRoutes, appKeys } = options;
+  if (isHubspotDpopEnabled() && appKeys === null) {
+    throw new Error(
+      'createAppConnectRequestHandler: appKeys is required when HUBSPOT_DPOP_ENABLED is true'
+    );
+  }
   const app = new Hono<AppConnectHonoEnv>();
   // Credentialed CORS first: preflights short-circuit with 204
   // before the auth check runs, and 401 responses still carry
@@ -97,22 +108,26 @@ export function createAppConnectRequestHandler(
     const accessToken = cookies[HUBSPOT_ACCESS_TOKEN_COOKIE_NAME];
     const sessionId = cookies[HUBSPOT_APP_SID_COOKIE_NAME];
-    const userCredentials: UserCredentials = { accessToken, sessionId };
-    const proxy = createHubSpotProxy({
-      userCredentials,
-      appKeys,
-      logger,
-    });
     const client = createHubSpotClient({
       plugins: [
         fetchTransportPlugin({
-          getAccessToken: () => {
-            if (!accessToken) {
-              throw new Error('Missing access token');
+          getEndpoint: () => {
+            return getHubSpotApiOrigin();
+          },
+          getAuthorizationHeaders: (ctx) => {
+            if (isHubspotDpopEnabled()) {
+              return buildHubSpotDpopAuthHeaders({
+                accessToken: accessToken!,
+                sessionId: sessionId!,
+                appKeys: appKeys!,
+                method: ctx.method,
+                targetUrl: ctx.targetUrl,
+              });
             }
-            return accessToken;
+            return {
+              Authorization: `Bearer ${accessToken!}`,
+            };
           },
         }),
       ],
@@ -122,9 +137,8 @@ export function createAppConnectRequestHandler(
     const honoBindings: AppConnectHonoBindings = {
       hubSpot: {
-        proxy,
         client,
-        authenticated: proxy.authenticated,
+        authenticated: Boolean(accessToken && sessionId),
       },
     };

package/src/server/hono/hubspot-connect-routes/auth-complete.test.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { Hono } from 'hono';
 import { afterEach, describe, expect, it, vi } from 'vitest';
-import { HUBSPOT_FRONTEND_CALLBACK_PATH } from '../../../shared/constants.ts';
+import { OAUTH_CALLBACK_PATH } from '../../../shared/constants.ts';
 import {
   HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,
   HUBSPOT_APP_ORIGIN_COOKIE_NAME,
@@ -216,7 +216,7 @@ describe('handleAuthComplete', () => {
     const body = (init as RequestInit).body as URLSearchParams | string;
     const formParams = new URLSearchParams(body as string);
     expect(formParams.get('redirect_uri')).toBe(
-      `${APP_ORIGIN}${HUBSPOT_FRONTEND_CALLBACK_PATH}`
+      `${APP_ORIGIN}${OAUTH_CALLBACK_PATH}`
     );
     expect(formParams.get('grant_type')).toBe('authorization_code');
   });

package/src/server/hono/hubspot-connect-routes/auth-complete.ts CHANGED Viewed

@@ -135,6 +135,7 @@ export async function handleAuthComplete(
         xForwardedProto,
         xForwardedHost,
         requestHostHeader,
+        appOrigin,
       })
     : hubspotConnectEnv.hubspotClientId;

package/src/server/hono/hubspot-connect-routes/auth-init-session.test.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { Hono } from 'hono';
 import { describe, expect, it, vi } from 'vitest';
-import { HUBSPOT_FRONTEND_CALLBACK_PATH } from '../../../shared/constants.ts';
+import { OAUTH_CALLBACK_PATH } from '../../../shared/constants.ts';
 import {
   HUBSPOT_APP_ORIGIN_COOKIE_NAME,
   HUBSPOT_APP_SID_COOKIE_NAME,
@@ -111,7 +111,7 @@ describe('handleAuthInitSession', () => {
     const body = (await res.json()) as { authorization_url: string };
     const authUrl = new URL(body.authorization_url);
     expect(authUrl.searchParams.get('redirect_uri')).toBe(
-      `${APP_ORIGIN}${HUBSPOT_FRONTEND_CALLBACK_PATH}`
+      `${APP_ORIGIN}${OAUTH_CALLBACK_PATH}`
     );
   });

package/src/server/hono/hubspot-connect-routes/auth-init-session.ts CHANGED Viewed

@@ -71,9 +71,11 @@ export async function handleAuthInitSession(
         xForwardedProto,
         xForwardedHost,
         requestHostHeader,
+        appOrigin,
       })
     : hubspotConnectEnv.hubspotClientId;
+  console.log('clientId', clientId);
   const redirectUri = buildFrontendOAuthRedirectUri(appOrigin);
   const authorizeUrl = new URL(hubspotConnectEnv.hubspotAuthorizationEndpoint);

package/src/server/hono/hubspot-connect-routes/auth-logout.ts CHANGED Viewed

@@ -11,7 +11,10 @@ import { parseCookies } from '../../utils/cookie-utils.ts';
 import { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';
 import { buildClientAssertion } from './oauth-client.ts';
 import type { HubSpotConnectOAuthRouteOptions } from './types.ts';
-import { buildCimdClientIdUrlFromRequest } from './utils.ts';
+import {
+  buildCimdClientIdUrlFromRequest,
+  parseAppOriginHeader,
+} from './utils.ts';
 async function revokeToken(options: {
   revokeEndpointUrl: string;
@@ -47,15 +50,23 @@ export async function handleAuthLogout(
   const cookies = parseCookies(c.req.header('Cookie'));
   const accessToken = cookies[HUBSPOT_ACCESS_TOKEN_COOKIE_NAME];
-  const clientId = hubspotConnectEnv.isCimdEnabled
-    ? buildCimdClientIdUrlFromRequest({
-        requestUrl: c.req.url,
-        basePath,
-        xForwardedProto,
-        xForwardedHost,
-        requestHostHeader,
-      })
-    : hubspotConnectEnv.hubspotClientId;
+  let clientId: string;
+  if (hubspotConnectEnv.isCimdEnabled) {
+    const appOrigin = parseAppOriginHeader(c.req.header('Origin'));
+    if (!appOrigin) {
+      return c.json({ error: 'Missing or invalid Origin header' }, 400);
+    }
+    clientId = buildCimdClientIdUrlFromRequest({
+      requestUrl: c.req.url,
+      basePath,
+      xForwardedProto,
+      xForwardedHost,
+      requestHostHeader,
+      appOrigin,
+    });
+  } else {
+    clientId = hubspotConnectEnv.hubspotClientId;
+  }
   const revokeEndpointUrl = new URL(
     '/oauth/v1/revoke',

package/src/server/hono/hubspot-connect-routes/auth-refresh.ts CHANGED Viewed

@@ -20,6 +20,7 @@ import type { HubSpotConnectOAuthRouteOptions } from './types.ts';
 import {
   buildCimdClientIdUrlFromRequest,
   isPositiveFiniteNumber,
+  parseAppOriginHeader,
 } from './utils.ts';
 export async function handleAuthRefresh(
@@ -53,15 +54,23 @@ export async function handleAuthRefresh(
     return c.json({ error: 'Missing refresh token' }, 401);
   }
-  const clientId = hubspotConnectEnv.isCimdEnabled
-    ? buildCimdClientIdUrlFromRequest({
-        requestUrl: c.req.url,
-        basePath,
-        xForwardedProto,
-        xForwardedHost,
-        requestHostHeader,
-      })
-    : hubspotConnectEnv.hubspotClientId;
+  let clientId: string;
+  if (hubspotConnectEnv.isCimdEnabled) {
+    const appOrigin = parseAppOriginHeader(c.req.header('Origin'));
+    if (!appOrigin) {
+      return c.json({ error: 'Missing or invalid Origin header' }, 400);
+    }
+    clientId = buildCimdClientIdUrlFromRequest({
+      requestUrl: c.req.url,
+      basePath,
+      xForwardedProto,
+      xForwardedHost,
+      requestHostHeader,
+      appOrigin,
+    });
+  } else {
+    clientId = hubspotConnectEnv.hubspotClientId;
+  }
   const tokenEndpointUrl = new URL(
     '/oauth/v1/token',