@hubspot/app-connect-sdk 1.0.0-alpha.2 → 1.0.0-alpha.21

package/dist/server/hono/hubspot-connect-routes/auth-complete.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-complete.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/auth-complete.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport {\n  AUTH_COMPLETE_CODE_PARAM,\n  AUTH_COMPLETE_STATE_PARAM,\n} from '../../../shared/constants.ts';\nimport type { AuthCompleteResponse } from '../../../shared/wire-types.ts';\nimport {\n  HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n  HUBSPOT_APP_ORIGIN_COOKIE_NAME,\n  HUBSPOT_REFRESH_COOKIE_PREFIX,\n  TEMP_COOKIE_OAUTH_STATE,\n  TEMP_COOKIE_PKCE_VERIFIER,\n} from '../../constants.ts';\nimport { base64urlDecode } from '../../utils/base64-utils.ts';\nimport { parseCookies } from '../../utils/cookie-utils.ts';\nimport { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';\nimport { REFRESH_COOKIE_MAX_AGE_SEC } from './constants.ts';\nimport {\n  buildClientAssertion,\n  buildClientAssertionFormParams,\n  buildClientSecretFormParams,\n  buildTokenEndpointDpopProof,\n  requestOAuthToken,\n} from './oauth-client.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport {\n  buildCimdClientIdUrlFromRequest,\n  buildFrontendOAuthRedirectUri,\n  clearTempCookie,\n  isPositiveFiniteNumber,\n  isSafeReturnPath,\n  parseAppOriginHeader,\n} from './utils.ts';\nimport { fetchWhoami } from './whoami.ts';\n\ninterface OAuthStatePayload {\n  return_path?: string;\n  sid?: string;\n}\n\n/**\n * Cross-origin OAuth completion endpoint.\n *\n * Called from the React app on the frontend OAuth callback path\n * (`HUBSPOT_FRONTEND_CALLBACK_PATH`) once HubSpot has redirected the\n * browser back with `?code` + `?state`. The browser POSTs both\n * values here as a credentialed cross-site fetch — same partition as\n * `init-session`, so the temp PKCE/state cookies are visible — and\n * the SDK:\n *\n * 1. Validates `state` against the temp `__hs_oauth_state` cookie.\n * 2. Pulls the PKCE verifier from `__hs_pkce_verifier`.\n * 3. Rebuilds the same `redirect_uri` it sent to HubSpot during\n *    `init-session` (frontend origin + the fixed callback path);\n *    the OAuth token endpoint requires the two values to match.\n * 4. Exchanges `code` for an access + refresh token (with DPoP /\n *    CIMD client-assertion when enabled).\n * 5. Sets the durable session cookies (access token, refresh) with\n *    `SameSite=None; Secure; Partitioned` so they live in the\n *    `(frontend, edge)` partition where subsequent API fetches will\n *    read them.\n * 6. Clears the temp cookies.\n * 7. Returns `{ expires_at, return_path }` so the controller can\n *    update its session-storage expiry tracking and navigate back to\n *    the page the user started the connect flow from.\n */\nexport async function handleAuthComplete(\n  c: Context,\n  options: HubSpotConnectOAuthRouteOptions\n) {\n  const { appKeys, refreshCookiePath, hubspotConnectEnv } = options;\n  const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n  const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n  const requestHostHeader = c.req.header('host') ?? undefined;\n  const code = c.req.query(AUTH_COMPLETE_CODE_PARAM);\n  const state = c.req.query(AUTH_COMPLETE_STATE_PARAM);\n\n  if (!code || !state) {\n    return c.json({ error: 'Missing code or state' }, 400);\n  }\n\n  if (hubspotConnectEnv.isAppPrivateKeyRequired && !appKeys) {\n    return c.json(\n      {\n        error:\n          'Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD or DPoP is enabled',\n      },\n      500\n    );\n  }\n\n  const cookies = parseCookies(c.req.header('Cookie'));\n  const expectedState = cookies[TEMP_COOKIE_OAUTH_STATE];\n  const codeVerifier = cookies[TEMP_COOKIE_PKCE_VERIFIER];\n  const appOriginCookie = cookies[HUBSPOT_APP_ORIGIN_COOKIE_NAME];\n\n  if (!expectedState || state !== decodeURIComponent(expectedState)) {\n    return c.json({ error: 'State mismatch' }, 403);\n  }\n  if (!codeVerifier) {\n    return c.json({ error: 'Missing PKCE verifier' }, 400);\n  }\n  // The redirect_uri the OAuth token endpoint validates must equal\n  // the one we sent during init-session. We rebuild it from the\n  // pinned origin cookie so that value is anchored server-side, not\n  // taken from the (caller-controlled) request `Origin` on this call.\n  const appOrigin = parseAppOriginHeader(appOriginCookie);\n  if (!appOrigin) {\n    return c.json({ error: 'Missing app origin cookie' }, 400);\n  }\n\n  let statePayload: OAuthStatePayload;\n  try {\n    statePayload = JSON.parse(\n      new TextDecoder().decode(base64urlDecode(decodeURIComponent(state)))\n    ) as OAuthStatePayload;\n  } catch {\n    return c.json({ error: 'Malformed state value' }, 400);\n  }\n  const returnPath = statePayload.return_path;\n  if (!returnPath || !isSafeReturnPath(returnPath)) {\n    return c.json({ error: 'Invalid return path in state' }, 400);\n  }\n\n  const sessionId = statePayload.sid;\n  if (!sessionId) {\n    return c.json({ error: 'Missing app session cookie' }, 400);\n  }\n\n  const decodedCodeVerifier = decodeURIComponent(codeVerifier);\n\n  const clientId = hubspotConnectEnv.isCimdEnabled\n    ? buildCimdClientIdUrlFromRequest({\n        requestUrl: c.req.url,\n        basePath: options.basePath,\n        xForwardedProto,\n        xForwardedHost,\n        requestHostHeader,\n        appOrigin,\n      })\n    : hubspotConnectEnv.hubspotClientId;\n\n  const redirectUri = buildFrontendOAuthRedirectUri(appOrigin);\n\n  const tokenEndpointUrl = new URL(\n    '/oauth/v1/token',\n    hubspotConnectEnv.hubspotOAuthApiOrigin\n  ).href;\n\n  let dpopProof: string | undefined;\n  if (hubspotConnectEnv.isDpopEnabled) {\n    dpopProof = await buildTokenEndpointDpopProof({\n      appKeys: appKeys!,\n      tokenEndpointUrl,\n      sessionIdHash: sessionId,\n    });\n  }\n\n  let formParams: Record<string, string>;\n  if (hubspotConnectEnv.isCimdEnabled) {\n    const clientAssertion = await buildClientAssertion({\n      appKeys: appKeys!,\n      clientId,\n      audience: tokenEndpointUrl,\n    });\n    formParams = {\n      grant_type: 'authorization_code',\n      code,\n      code_verifier: decodedCodeVerifier,\n      redirect_uri: redirectUri,\n      ...buildClientAssertionFormParams({ clientId, clientAssertion }),\n    };\n  } else {\n    formParams = {\n      grant_type: 'authorization_code',\n      code,\n      code_verifier: decodedCodeVerifier,\n      redirect_uri: redirectUri,\n      ...buildClientSecretFormParams({\n        clientId,\n        clientSecret: hubspotConnectEnv.hubspotClientSecret,\n      }),\n    };\n  }\n\n  const tokenResult = await requestOAuthToken({\n    tokenEndpointUrl,\n    isDpopEnabled: hubspotConnectEnv.isDpopEnabled,\n    ...(dpopProof !== undefined ? { dpopProof } : {}),\n    formParams,\n  });\n  if (!tokenResult.ok) {\n    return c.json(\n      { error: `Token exchange failed: ${tokenResult.errorText}` },\n      502\n    );\n  }\n\n  const {\n    access_token: accessToken,\n    refresh_token: refreshToken,\n    expires_in,\n  } = tokenResult.body;\n  if (!refreshToken) {\n    return c.json({ error: 'Token response missing refresh_token' }, 502);\n  }\n  if (!isPositiveFiniteNumber(expires_in)) {\n    return c.json(\n      { error: 'Token response missing or invalid expires_in' },\n      502\n    );\n  }\n\n  const expiresAt = Date.now() + expires_in * 1000;\n  const refreshCookieName = `${HUBSPOT_REFRESH_COOKIE_PREFIX}${sessionId}`;\n\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n      value: accessToken,\n      path: '/',\n      sameSite: 'None',\n      partitioned: true,\n      maxAge: expires_in,\n    }),\n  });\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: refreshCookieName,\n      value: refreshToken,\n      path: refreshCookiePath,\n      sameSite: 'None',\n      partitioned: true,\n      maxAge: REFRESH_COOKIE_MAX_AGE_SEC,\n    }),\n  });\n  setResponseCookie({ c, value: clearTempCookie(TEMP_COOKIE_PKCE_VERIFIER) });\n  setResponseCookie({ c, value: clearTempCookie(TEMP_COOKIE_OAUTH_STATE) });\n\n  const whoami = await fetchWhoami(accessToken, hubspotConnectEnv);\n  return c.json({\n    expires_at: expiresAt,\n    return_path: returnPath,\n    whoami,\n  } satisfies AuthCompleteResponse);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmEA,eAAsB,mBACpB,GACA,SACA;CACA,MAAM,EAAE,SAAS,mBAAmB,sBAAsB;CAC1D,MAAM,kBAAkB,EAAE,IAAI,OAAO,mBAAmB,KAAK,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,kBAAkB,KAAK,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,MAAM,KAAK,KAAA;CAClD,MAAM,OAAO,EAAE,IAAI,MAAM,wBAAwB;CACjD,MAAM,QAAQ,EAAE,IAAI,MAAM,yBAAyB;CAEnD,IAAI,CAAC,QAAQ,CAAC,OACZ,OAAO,EAAE,KAAK,EAAE,OAAO,wBAAwB,GAAG,GAAG;CAGvD,IAAI,kBAAkB,2BAA2B,CAAC,SAChD,OAAO,EAAE,KACP,EACE,OACE,4FACJ,GACA,GACF;CAGF,MAAM,UAAU,aAAa,EAAE,IAAI,OAAO,QAAQ,CAAC;CACnD,MAAM,gBAAgB,QAAQ;CAC9B,MAAM,eAAe,QAAQ;CAC7B,MAAM,kBAAkB,QAAQ;CAEhC,IAAI,CAAC,iBAAiB,UAAU,mBAAmB,aAAa,GAC9D,OAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,GAAG,GAAG;CAEhD,IAAI,CAAC,cACH,OAAO,EAAE,KAAK,EAAE,OAAO,wBAAwB,GAAG,GAAG;CAMvD,MAAM,YAAY,qBAAqB,eAAe;CACtD,IAAI,CAAC,WACH,OAAO,EAAE,KAAK,EAAE,OAAO,4BAA4B,GAAG,GAAG;CAG3D,IAAI;CACJ,IAAI;EACF,eAAe,KAAK,MAClB,IAAI,YAAY,EAAE,OAAO,gBAAgB,mBAAmB,KAAK,CAAC,CAAC,CACrE;CACF,QAAQ;EACN,OAAO,EAAE,KAAK,EAAE,OAAO,wBAAwB,GAAG,GAAG;CACvD;CACA,MAAM,aAAa,aAAa;CAChC,IAAI,CAAC,cAAc,CAAC,iBAAiB,UAAU,GAC7C,OAAO,EAAE,KAAK,EAAE,OAAO,+BAA+B,GAAG,GAAG;CAG9D,MAAM,YAAY,aAAa;CAC/B,IAAI,CAAC,WACH,OAAO,EAAE,KAAK,EAAE,OAAO,6BAA6B,GAAG,GAAG;CAG5D,MAAM,sBAAsB,mBAAmB,YAAY;CAE3D,MAAM,WAAW,kBAAkB,gBAC/B,gCAAgC;EAC9B,YAAY,EAAE,IAAI;EAClB,UAAU,QAAQ;EAClB;EACA;EACA;EACA;CACF,CAAC,IACD,kBAAkB;CAEtB,MAAM,cAAc,8BAA8B,SAAS;CAE3D,MAAM,mBAAmB,IAAI,IAC3B,mBACA,kBAAkB,qBACpB,EAAE;CAEF,IAAI;CACJ,IAAI,kBAAkB,eACpB,YAAY,MAAM,4BAA4B;EACnC;EACT;EACA,eAAe;CACjB,CAAC;CAGH,IAAI;CACJ,IAAI,kBAAkB,eAMpB,aAAa;EACX,YAAY;EACZ;EACA,eAAe;EACf,cAAc;EACd,GAAG,+BAA+B;GAAE;GAAU,iBAAA,MAVlB,qBAAqB;IACxC;IACT;IACA,UAAU;GACZ,CAAC;EAM+D,CAAC;CACjE;MAEA,aAAa;EACX,YAAY;EACZ;EACA,eAAe;EACf,cAAc;EACd,GAAG,4BAA4B;GAC7B;GACA,cAAc,kBAAkB;EAClC,CAAC;CACH;CAGF,MAAM,cAAc,MAAM,kBAAkB;EAC1C;EACA,eAAe,kBAAkB;EACjC,GAAI,cAAc,KAAA,IAAY,EAAE,UAAU,IAAI,CAAC;EAC/C;CACF,CAAC;CACD,IAAI,CAAC,YAAY,IACf,OAAO,EAAE,KACP,EAAE,OAAO,0BAA0B,YAAY,YAAY,GAC3D,GACF;CAGF,MAAM,EACJ,cAAc,aACd,eAAe,cACf,eACE,YAAY;CAChB,IAAI,CAAC,cACH,OAAO,EAAE,KAAK,EAAE,OAAO,uCAAuC,GAAG,GAAG;CAEtE,IAAI,CAAC,uBAAuB,UAAU,GACpC,OAAO,EAAE,KACP,EAAE,OAAO,+CAA+C,GACxD,GACF;CAGF,MAAM,YAAY,KAAK,IAAI,IAAI,aAAa;CAC5C,MAAM,oBAAoB,GAAG,gCAAgC;CAE7D,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;EACV,CAAC;CACH,CAAC;CACD,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;EACV,CAAC;CACH,CAAC;CACD,kBAAkB;EAAE;EAAG,OAAO,gBAAgB,yBAAyB;CAAE,CAAC;CAC1E,kBAAkB;EAAE;EAAG,OAAO,gBAAgB,uBAAuB;CAAE,CAAC;CAExE,MAAM,SAAS,MAAM,YAAY,aAAa,iBAAiB;CAC/D,OAAO,EAAE,KAAK;EACZ,YAAY;EACZ,aAAa;EACb;CACF,CAAgC;AAClC"}

package/dist/server/hono/hubspot-connect-routes/auth-init-session.js

@@ -1,9 +1,9 @@
 import { base64url } from "../../shared/encoding/base64.js";
 import { sha256base64url } from "../../shared/encoding/sha256.js";
-import { HUBSPOT_APP_SID_COOKIE_NAME, TEMP_COOKIE_OAUTH_STATE, TEMP_COOKIE_PKCE_VERIFIER } from "../../constants.js";
+import { HUBSPOT_APP_ORIGIN_COOKIE_NAME, HUBSPOT_APP_SID_COOKIE_NAME, TEMP_COOKIE_OAUTH_STATE, TEMP_COOKIE_PKCE_VERIFIER } from "../../constants.js";
 import { serializeCookie, setResponseCookie } from "../utils/cookie-utils.js";
 import { OAUTH_TEMP_MAX_AGE_SEC, SESSION_MAX_AGE_SEC } from "./constants.js";
-import { buildCimdClientIdUrlFromRequest, buildOAuthRedirectUriFromRequest, isSafeReturnPath } from "./utils.js";
+import { buildCimdClientIdUrlFromRequest, buildFrontendOAuthRedirectUri, isSafeReturnPath, parseAppOriginHeader } from "./utils.js";
 import { deriveHubSpotAuthorizeScopesFromClientMetadata } from "./fetch-hubspot-client-metadata.js";
 //#region src/server/hono/hubspot-connect-routes/auth-init-session.ts
 async function handleAuthInitSession(c, options) {
@@ -13,6 +13,8 @@ async function handleAuthInitSession(c, options) {
 	const requestHostHeader = c.req.header("host") ?? void 0;
 	const returnPath = new URL(c.req.url).searchParams.get("return_path") ?? "/";
 	if (!isSafeReturnPath(returnPath)) return c.text("Invalid return_path", 400);
+	const appOrigin = parseAppOriginHeader(c.req.header("Origin"));
+	if (!appOrigin) return c.text("Missing or invalid Origin header; init-session must be called from a browser", 400);
 	const sessionIdBytes = new Uint8Array(32);
 	crypto.getRandomValues(sessionIdBytes);
 	const sessionId = base64url(sessionIdBytes);
@@ -30,15 +32,11 @@ async function handleAuthInitSession(c, options) {
 		basePath: options.basePath,
 		xForwardedProto,
 		xForwardedHost,
-		requestHostHeader
+		requestHostHeader,
+		appOrigin
 	}) : hubspotConnectEnv.hubspotClientId;
-	const redirectUri = buildOAuthRedirectUriFromRequest({
-		requestUrl: c.req.url,
-		basePath: options.basePath,
-		xForwardedProto,
-		xForwardedHost,
-		requestHostHeader
-	});
+	console.log("clientId", clientId);
+	const redirectUri = buildFrontendOAuthRedirectUri(appOrigin);
 	const authorizeUrl = new URL(hubspotConnectEnv.hubspotAuthorizationEndpoint);
 	authorizeUrl.searchParams.set("response_type", "code");
 	authorizeUrl.searchParams.set("client_id", clientId);
@@ -53,12 +51,25 @@ async function handleAuthInitSession(c, options) {
 		authorizeUrl.searchParams.set("scope", scopesResult.scope);
 		if (scopesResult.optionalScope !== void 0) authorizeUrl.searchParams.set("optional_scope", scopesResult.optionalScope);
 	}
+	setResponseCookie({
+		c,
+		value: serializeCookie({
+			name: HUBSPOT_APP_ORIGIN_COOKIE_NAME,
+			value: appOrigin,
+			path: "/",
+			sameSite: "None",
+			partitioned: true,
+			maxAge: SESSION_MAX_AGE_SEC
+		})
+	});
 	setResponseCookie({
 		c,
 		value: serializeCookie({
 			name: HUBSPOT_APP_SID_COOKIE_NAME,
 			value: sessionId,
 			path: "/",
+			sameSite: "None",
+			partitioned: true,
 			maxAge: SESSION_MAX_AGE_SEC
 		})
 	});
@@ -68,7 +79,8 @@ async function handleAuthInitSession(c, options) {
 			name: TEMP_COOKIE_PKCE_VERIFIER,
 			value: encodeURIComponent(codeVerifier),
 			path: "/",
-			sameSite: "Lax",
+			sameSite: "None",
+			partitioned: true,
 			maxAge: OAUTH_TEMP_MAX_AGE_SEC
 		})
 	});
@@ -78,7 +90,8 @@ async function handleAuthInitSession(c, options) {
 			name: TEMP_COOKIE_OAUTH_STATE,
 			value: encodeURIComponent(stateValue),
 			path: "/",
-			sameSite: "Lax",
+			sameSite: "None",
+			partitioned: true,
 			maxAge: OAUTH_TEMP_MAX_AGE_SEC
 		})
 	});

package/dist/server/hono/hubspot-connect-routes/auth-init-session.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth-init-session.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/auth-init-session.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport {\n  HUBSPOT_APP_SID_COOKIE_NAME,\n  TEMP_COOKIE_OAUTH_STATE,\n  TEMP_COOKIE_PKCE_VERIFIER,\n} from '../../constants.ts';\nimport { base64url } from '../../utils/base64-utils.ts';\nimport { sha256base64url } from '../../utils/crypto-utils.ts';\nimport { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';\nimport { OAUTH_TEMP_MAX_AGE_SEC, SESSION_MAX_AGE_SEC } from './constants.ts';\nimport { deriveHubSpotAuthorizeScopesFromClientMetadata } from './fetch-hubspot-client-metadata.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport {\n  buildCimdClientIdUrlFromRequest,\n  buildOAuthRedirectUriFromRequest,\n  isSafeReturnPath,\n} from './utils.ts';\n\nexport async function handleAuthInitSession(\n  c: Context,\n  options: HubSpotConnectOAuthRouteOptions\n) {\n  const { hubspotConnectEnv, cimdClientMetadata } = options;\n  const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n  const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n  const requestHostHeader = c.req.header('host') ?? undefined;\n  const url = new URL(c.req.url);\n  const returnPath = url.searchParams.get('return_path') ?? '/';\n  if (!isSafeReturnPath(returnPath)) {\n    return c.text('Invalid return_path', 400);\n  }\n\n  const sessionIdBytes = new Uint8Array(32);\n  crypto.getRandomValues(sessionIdBytes);\n  const sessionId = base64url(sessionIdBytes);\n  const sessionIdHash = await sha256base64url(sessionId);\n\n  const codeVerifierBytes = new Uint8Array(32);\n  crypto.getRandomValues(codeVerifierBytes);\n  const codeVerifier = base64url(codeVerifierBytes);\n  const codeChallenge = await sha256base64url(codeVerifier);\n\n  const stateValue = base64url(\n    new TextEncoder().encode(\n      JSON.stringify({\n        return_path: returnPath,\n        sid: sessionIdHash,\n      })\n    )\n  );\n\n  const clientId = hubspotConnectEnv.isCimdEnabled\n    ? buildCimdClientIdUrlFromRequest({\n        requestUrl: c.req.url,\n        basePath: options.basePath,\n        xForwardedProto,\n        xForwardedHost,\n        requestHostHeader,\n      })\n    : hubspotConnectEnv.hubspotClientId;\n\n  const redirectUri = buildOAuthRedirectUriFromRequest({\n    requestUrl: c.req.url,\n    basePath: options.basePath,\n    xForwardedProto,\n    xForwardedHost,\n    requestHostHeader,\n  });\n\n  const authorizeUrl = new URL(hubspotConnectEnv.hubspotAuthorizationEndpoint);\n  authorizeUrl.searchParams.set('response_type', 'code');\n  authorizeUrl.searchParams.set('client_id', clientId);\n  authorizeUrl.searchParams.set('redirect_uri', redirectUri);\n  authorizeUrl.searchParams.set('code_challenge', codeChallenge);\n  authorizeUrl.searchParams.set('code_challenge_method', 'S256');\n  authorizeUrl.searchParams.set('state', stateValue);\n  authorizeUrl.searchParams.set('sid', sessionIdHash);\n\n  if (!hubspotConnectEnv.isCimdEnabled) {\n    const scopesResult =\n      deriveHubSpotAuthorizeScopesFromClientMetadata(cimdClientMetadata);\n    if (!scopesResult.ok) {\n      return c.text(scopesResult.message, scopesResult.status as 500 | 502);\n    }\n    authorizeUrl.searchParams.set('scope', scopesResult.scope);\n    if (scopesResult.optionalScope !== undefined) {\n      authorizeUrl.searchParams.set(\n        'optional_scope',\n        scopesResult.optionalScope\n      );\n    }\n  }\n\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: HUBSPOT_APP_SID_COOKIE_NAME,\n      value: sessionId,\n      path: '/',\n      maxAge: SESSION_MAX_AGE_SEC,\n    }),\n  });\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: TEMP_COOKIE_PKCE_VERIFIER,\n      value: encodeURIComponent(codeVerifier),\n      path: '/',\n      sameSite: 'Lax',\n      maxAge: OAUTH_TEMP_MAX_AGE_SEC,\n    }),\n  });\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: TEMP_COOKIE_OAUTH_STATE,\n      value: encodeURIComponent(stateValue),\n      path: '/',\n      sameSite: 'Lax',\n      maxAge: OAUTH_TEMP_MAX_AGE_SEC,\n    }),\n  });\n\n  return c.json({ authorization_url: authorizeUrl.toString() });\n}\n"],"mappings":";;;;;;;;AAmBA,eAAsB,sBACpB,GACA,SACA;CACA,MAAM,EAAE,mBAAmB,uBAAuB;CAClD,MAAM,kBAAkB,EAAE,IAAI,OAAO,oBAAoB,IAAI,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,mBAAmB,IAAI,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,OAAO,IAAI,KAAA;CAElD,MAAM,aAAa,IADH,IAAI,EAAE,IAAI,IACJ,CAAC,aAAa,IAAI,cAAc,IAAI;CAC1D,IAAI,CAAC,iBAAiB,WAAW,EAC/B,OAAO,EAAE,KAAK,uBAAuB,IAAI;CAG3C,MAAM,iBAAiB,IAAI,WAAW,GAAG;CACzC,OAAO,gBAAgB,eAAe;CACtC,MAAM,YAAY,UAAU,eAAe;CAC3C,MAAM,gBAAgB,MAAM,gBAAgB,UAAU;CAEtD,MAAM,oBAAoB,IAAI,WAAW,GAAG;CAC5C,OAAO,gBAAgB,kBAAkB;CACzC,MAAM,eAAe,UAAU,kBAAkB;CACjD,MAAM,gBAAgB,MAAM,gBAAgB,aAAa;CAEzD,MAAM,aAAa,UACjB,IAAI,aAAa,CAAC,OAChB,KAAK,UAAU;EACb,aAAa;EACb,KAAK;EACN,CAAC,CACH,CACF;CAED,MAAM,WAAW,kBAAkB,gBAC/B,gCAAgC;EAC9B,YAAY,EAAE,IAAI;EAClB,UAAU,QAAQ;EAClB;EACA;EACA;EACD,CAAC,GACF,kBAAkB;CAEtB,MAAM,cAAc,iCAAiC;EACnD,YAAY,EAAE,IAAI;EAClB,UAAU,QAAQ;EAClB;EACA;EACA;EACD,CAAC;CAEF,MAAM,eAAe,IAAI,IAAI,kBAAkB,6BAA6B;CAC5E,aAAa,aAAa,IAAI,iBAAiB,OAAO;CACtD,aAAa,aAAa,IAAI,aAAa,SAAS;CACpD,aAAa,aAAa,IAAI,gBAAgB,YAAY;CAC1D,aAAa,aAAa,IAAI,kBAAkB,cAAc;CAC9D,aAAa,aAAa,IAAI,yBAAyB,OAAO;CAC9D,aAAa,aAAa,IAAI,SAAS,WAAW;CAClD,aAAa,aAAa,IAAI,OAAO,cAAc;CAEnD,IAAI,CAAC,kBAAkB,eAAe;EACpC,MAAM,eACJ,+CAA+C,mBAAmB;EACpE,IAAI,CAAC,aAAa,IAChB,OAAO,EAAE,KAAK,aAAa,SAAS,aAAa,OAAoB;EAEvE,aAAa,aAAa,IAAI,SAAS,aAAa,MAAM;EAC1D,IAAI,aAAa,kBAAkB,KAAA,GACjC,aAAa,aAAa,IACxB,kBACA,aAAa,cACd;;CAIL,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO,mBAAmB,aAAa;GACvC,MAAM;GACN,UAAU;GACV,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO,mBAAmB,WAAW;GACrC,MAAM;GACN,UAAU;GACV,QAAQ;GACT,CAAC;EACH,CAAC;CAEF,OAAO,EAAE,KAAK,EAAE,mBAAmB,aAAa,UAAU,EAAE,CAAC"}
+{"version":3,"file":"auth-init-session.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/auth-init-session.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport {\n  HUBSPOT_APP_ORIGIN_COOKIE_NAME,\n  HUBSPOT_APP_SID_COOKIE_NAME,\n  TEMP_COOKIE_OAUTH_STATE,\n  TEMP_COOKIE_PKCE_VERIFIER,\n} from '../../constants.ts';\nimport { base64url } from '../../utils/base64-utils.ts';\nimport { sha256base64url } from '../../utils/crypto-utils.ts';\nimport { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';\nimport { OAUTH_TEMP_MAX_AGE_SEC, SESSION_MAX_AGE_SEC } from './constants.ts';\nimport { deriveHubSpotAuthorizeScopesFromClientMetadata } from './fetch-hubspot-client-metadata.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport {\n  buildCimdClientIdUrlFromRequest,\n  buildFrontendOAuthRedirectUri,\n  isSafeReturnPath,\n  parseAppOriginHeader,\n} from './utils.ts';\n\nexport async function handleAuthInitSession(\n  c: Context,\n  options: HubSpotConnectOAuthRouteOptions\n) {\n  const { hubspotConnectEnv, cimdClientMetadata } = options;\n  const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n  const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n  const requestHostHeader = c.req.header('host') ?? undefined;\n  const url = new URL(c.req.url);\n  const returnPath = url.searchParams.get('return_path') ?? '/';\n  if (!isSafeReturnPath(returnPath)) {\n    return c.text('Invalid return_path', 400);\n  }\n\n  // The app origin pins the OAuth `redirect_uri` (which lands on the\n  // frontend, not on this edge function) and, via the persisted\n  // `__Host-hs_app_origin` cookie, drives credentialed\n  // `Access-Control-Allow-Origin` on every subsequent SDK response.\n  const appOrigin = parseAppOriginHeader(c.req.header('Origin'));\n  if (!appOrigin) {\n    return c.text(\n      'Missing or invalid Origin header; init-session must be called from a browser',\n      400\n    );\n  }\n\n  const sessionIdBytes = new Uint8Array(32);\n  crypto.getRandomValues(sessionIdBytes);\n  const sessionId = base64url(sessionIdBytes);\n  const sessionIdHash = await sha256base64url(sessionId);\n\n  const codeVerifierBytes = new Uint8Array(32);\n  crypto.getRandomValues(codeVerifierBytes);\n  const codeVerifier = base64url(codeVerifierBytes);\n  const codeChallenge = await sha256base64url(codeVerifier);\n\n  const stateValue = base64url(\n    new TextEncoder().encode(\n      JSON.stringify({\n        return_path: returnPath,\n        sid: sessionIdHash,\n      })\n    )\n  );\n\n  const clientId = hubspotConnectEnv.isCimdEnabled\n    ? buildCimdClientIdUrlFromRequest({\n        requestUrl: c.req.url,\n        basePath: options.basePath,\n        xForwardedProto,\n        xForwardedHost,\n        requestHostHeader,\n        appOrigin,\n      })\n    : hubspotConnectEnv.hubspotClientId;\n\n  console.log('clientId', clientId);\n  const redirectUri = buildFrontendOAuthRedirectUri(appOrigin);\n\n  const authorizeUrl = new URL(hubspotConnectEnv.hubspotAuthorizationEndpoint);\n  authorizeUrl.searchParams.set('response_type', 'code');\n  authorizeUrl.searchParams.set('client_id', clientId);\n  authorizeUrl.searchParams.set('redirect_uri', redirectUri);\n  authorizeUrl.searchParams.set('code_challenge', codeChallenge);\n  authorizeUrl.searchParams.set('code_challenge_method', 'S256');\n  authorizeUrl.searchParams.set('state', stateValue);\n  authorizeUrl.searchParams.set('sid', sessionIdHash);\n\n  if (!hubspotConnectEnv.isCimdEnabled) {\n    const scopesResult =\n      deriveHubSpotAuthorizeScopesFromClientMetadata(cimdClientMetadata);\n    if (!scopesResult.ok) {\n      return c.text(scopesResult.message, scopesResult.status as 500 | 502);\n    }\n    authorizeUrl.searchParams.set('scope', scopesResult.scope);\n    if (scopesResult.optionalScope !== undefined) {\n      authorizeUrl.searchParams.set(\n        'optional_scope',\n        scopesResult.optionalScope\n      );\n    }\n  }\n\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: HUBSPOT_APP_ORIGIN_COOKIE_NAME,\n      value: appOrigin,\n      path: '/',\n      sameSite: 'None',\n      partitioned: true,\n      maxAge: SESSION_MAX_AGE_SEC,\n    }),\n  });\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: HUBSPOT_APP_SID_COOKIE_NAME,\n      value: sessionId,\n      path: '/',\n      sameSite: 'None',\n      partitioned: true,\n      maxAge: SESSION_MAX_AGE_SEC,\n    }),\n  });\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: TEMP_COOKIE_PKCE_VERIFIER,\n      value: encodeURIComponent(codeVerifier),\n      path: '/',\n      sameSite: 'None',\n      partitioned: true,\n      maxAge: OAUTH_TEMP_MAX_AGE_SEC,\n    }),\n  });\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: TEMP_COOKIE_OAUTH_STATE,\n      value: encodeURIComponent(stateValue),\n      path: '/',\n      sameSite: 'None',\n      partitioned: true,\n      maxAge: OAUTH_TEMP_MAX_AGE_SEC,\n    }),\n  });\n\n  return c.json({ authorization_url: authorizeUrl.toString() });\n}\n"],"mappings":";;;;;;;;AAqBA,eAAsB,sBACpB,GACA,SACA;CACA,MAAM,EAAE,mBAAmB,uBAAuB;CAClD,MAAM,kBAAkB,EAAE,IAAI,OAAO,mBAAmB,KAAK,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,kBAAkB,KAAK,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,MAAM,KAAK,KAAA;CAElD,MAAM,aAAa,IADH,IAAI,EAAE,IAAI,GACL,EAAE,aAAa,IAAI,aAAa,KAAK;CAC1D,IAAI,CAAC,iBAAiB,UAAU,GAC9B,OAAO,EAAE,KAAK,uBAAuB,GAAG;CAO1C,MAAM,YAAY,qBAAqB,EAAE,IAAI,OAAO,QAAQ,CAAC;CAC7D,IAAI,CAAC,WACH,OAAO,EAAE,KACP,gFACA,GACF;CAGF,MAAM,iBAAiB,IAAI,WAAW,EAAE;CACxC,OAAO,gBAAgB,cAAc;CACrC,MAAM,YAAY,UAAU,cAAc;CAC1C,MAAM,gBAAgB,MAAM,gBAAgB,SAAS;CAErD,MAAM,oBAAoB,IAAI,WAAW,EAAE;CAC3C,OAAO,gBAAgB,iBAAiB;CACxC,MAAM,eAAe,UAAU,iBAAiB;CAChD,MAAM,gBAAgB,MAAM,gBAAgB,YAAY;CAExD,MAAM,aAAa,UACjB,IAAI,YAAY,EAAE,OAChB,KAAK,UAAU;EACb,aAAa;EACb,KAAK;CACP,CAAC,CACH,CACF;CAEA,MAAM,WAAW,kBAAkB,gBAC/B,gCAAgC;EAC9B,YAAY,EAAE,IAAI;EAClB,UAAU,QAAQ;EAClB;EACA;EACA;EACA;CACF,CAAC,IACD,kBAAkB;CAEtB,QAAQ,IAAI,YAAY,QAAQ;CAChC,MAAM,cAAc,8BAA8B,SAAS;CAE3D,MAAM,eAAe,IAAI,IAAI,kBAAkB,4BAA4B;CAC3E,aAAa,aAAa,IAAI,iBAAiB,MAAM;CACrD,aAAa,aAAa,IAAI,aAAa,QAAQ;CACnD,aAAa,aAAa,IAAI,gBAAgB,WAAW;CACzD,aAAa,aAAa,IAAI,kBAAkB,aAAa;CAC7D,aAAa,aAAa,IAAI,yBAAyB,MAAM;CAC7D,aAAa,aAAa,IAAI,SAAS,UAAU;CACjD,aAAa,aAAa,IAAI,OAAO,aAAa;CAElD,IAAI,CAAC,kBAAkB,eAAe;EACpC,MAAM,eACJ,+CAA+C,kBAAkB;EACnE,IAAI,CAAC,aAAa,IAChB,OAAO,EAAE,KAAK,aAAa,SAAS,aAAa,MAAmB;EAEtE,aAAa,aAAa,IAAI,SAAS,aAAa,KAAK;EACzD,IAAI,aAAa,kBAAkB,KAAA,GACjC,aAAa,aAAa,IACxB,kBACA,aAAa,aACf;CAEJ;CAEA,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;EACV,CAAC;CACH,CAAC;CACD,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;EACV,CAAC;CACH,CAAC;CACD,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO,mBAAmB,YAAY;GACtC,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;EACV,CAAC;CACH,CAAC;CACD,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO,mBAAmB,UAAU;GACpC,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;EACV,CAAC;CACH,CAAC;CAED,OAAO,EAAE,KAAK,EAAE,mBAAmB,aAAa,SAAS,EAAE,CAAC;AAC9D"}

package/dist/server/hono/hubspot-connect-routes/auth-logout.js

@@ -1,8 +1,8 @@
-import { HUBSPOT_ACCESS_TOKEN_COOKIE_NAME, HUBSPOT_APP_SID_COOKIE_NAME } from "../../constants.js";
+import { HUBSPOT_ACCESS_TOKEN_COOKIE_NAME, HUBSPOT_APP_ORIGIN_COOKIE_NAME, HUBSPOT_APP_SID_COOKIE_NAME } from "../../constants.js";
 import { parseCookies } from "../../utils/cookie-utils.js";
 import { serializeCookie, setResponseCookie } from "../utils/cookie-utils.js";
 import { buildClientAssertion } from "./oauth-client.js";
-import { buildCimdClientIdUrlFromRequest } from "./utils.js";
+import { buildCimdClientIdUrlFromRequest, parseAppOriginHeader } from "./utils.js";
 //#region src/server/hono/hubspot-connect-routes/auth-logout.ts
 async function revokeToken(options) {
 	const { revokeEndpointUrl, body, logger } = options;
@@ -24,13 +24,19 @@ async function handleAuthLogout(c, options) {
 	const requestHostHeader = c.req.header("host") ?? void 0;
 	const cookies = parseCookies(c.req.header("Cookie"));
 	const accessToken = cookies[HUBSPOT_ACCESS_TOKEN_COOKIE_NAME];
-	const clientId = hubspotConnectEnv.isCimdEnabled ? buildCimdClientIdUrlFromRequest({
-		requestUrl: c.req.url,
-		basePath,
-		xForwardedProto,
-		xForwardedHost,
-		requestHostHeader
-	}) : hubspotConnectEnv.hubspotClientId;
+	let clientId;
+	if (hubspotConnectEnv.isCimdEnabled) {
+		const appOrigin = parseAppOriginHeader(c.req.header("Origin"));
+		if (!appOrigin) return c.json({ error: "Missing or invalid Origin header" }, 400);
+		clientId = buildCimdClientIdUrlFromRequest({
+			requestUrl: c.req.url,
+			basePath,
+			xForwardedProto,
+			xForwardedHost,
+			requestHostHeader,
+			appOrigin
+		});
+	} else clientId = hubspotConnectEnv.hubspotClientId;
 	const revokeEndpointUrl = new URL("/oauth/v1/revoke", hubspotConnectEnv.hubspotOAuthApiOrigin).href;
 	if (accessToken) if (hubspotConnectEnv.isCimdEnabled) {
 		if (!appKeys) return c.json({ error: "Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD is enabled" }, 500);
@@ -66,6 +72,8 @@ async function handleAuthLogout(c, options) {
 			name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,
 			value: "",
 			path: "/",
+			sameSite: "None",
+			partitioned: true,
 			maxAge: 0
 		})
 	});
@@ -75,6 +83,19 @@ async function handleAuthLogout(c, options) {
 			name: HUBSPOT_APP_SID_COOKIE_NAME,
 			value: "",
 			path: "/",
+			sameSite: "None",
+			partitioned: true,
+			maxAge: 0
+		})
+	});
+	setResponseCookie({
+		c,
+		value: serializeCookie({
+			name: HUBSPOT_APP_ORIGIN_COOKIE_NAME,
+			value: "",
+			path: "/",
+			sameSite: "None",
+			partitioned: true,
 			maxAge: 0
 		})
 	});
@@ -85,6 +106,8 @@ async function handleAuthLogout(c, options) {
 				name: cookieName,
 				value: "",
 				path: refreshCookiePath,
+				sameSite: "None",
+				partitioned: true,
 				maxAge: 0
 			})
 		});

package/dist/server/hono/hubspot-connect-routes/auth-logout.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth-logout.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/auth-logout.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport type { Logger } from '../../../shared/logger.ts';\nimport {\n  HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n  HUBSPOT_APP_SID_COOKIE_NAME,\n  HUBSPOT_REFRESH_COOKIE_PREFIX,\n} from '../../constants.ts';\nimport { parseCookies } from '../../utils/cookie-utils.ts';\nimport { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';\nimport { buildClientAssertion } from './oauth-client.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport { buildCimdClientIdUrlFromRequest } from './utils.ts';\n\nasync function revokeToken(options: {\n  revokeEndpointUrl: string;\n  body: URLSearchParams;\n  logger: Logger;\n}): Promise<void> {\n  const { revokeEndpointUrl, body, logger } = options;\n  try {\n    const response = await fetch(revokeEndpointUrl, {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body,\n    });\n    if (!response.ok) {\n      logger.warn(\n        `HubSpot token revoke returned HTTP ${response.status} ${response.statusText}`\n      );\n    }\n  } catch (error) {\n    logger.warn('HubSpot token revoke request failed', error);\n  }\n}\n\nexport async function handleAuthLogout(\n  c: Context,\n  options: HubSpotConnectOAuthRouteOptions\n) {\n  const { appKeys, refreshCookiePath, basePath, hubspotConnectEnv, logger } =\n    options;\n  const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n  const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n  const requestHostHeader = c.req.header('host') ?? undefined;\n  const cookies = parseCookies(c.req.header('Cookie'));\n  const accessToken = cookies[HUBSPOT_ACCESS_TOKEN_COOKIE_NAME];\n\n  const clientId = hubspotConnectEnv.isCimdEnabled\n    ? buildCimdClientIdUrlFromRequest({\n        requestUrl: c.req.url,\n        basePath,\n        xForwardedProto,\n        xForwardedHost,\n        requestHostHeader,\n      })\n    : hubspotConnectEnv.hubspotClientId;\n\n  const revokeEndpointUrl = new URL(\n    '/oauth/v1/revoke',\n    hubspotConnectEnv.hubspotOAuthApiOrigin\n  ).href;\n\n  if (accessToken) {\n    if (hubspotConnectEnv.isCimdEnabled) {\n      if (!appKeys) {\n        return c.json(\n          {\n            error:\n              'Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD is enabled',\n          },\n          500\n        );\n      }\n      const clientAssertion = await buildClientAssertion({\n        appKeys,\n        clientId,\n        audience: revokeEndpointUrl,\n      });\n      await revokeToken({\n        revokeEndpointUrl,\n        body: new URLSearchParams({\n          token: accessToken,\n          token_type_hint: 'access_token',\n          client_id: clientId,\n          client_assertion_type:\n            'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',\n          client_assertion: clientAssertion,\n        }),\n        logger,\n      });\n    } else {\n      await revokeToken({\n        revokeEndpointUrl,\n        body: new URLSearchParams({\n          token: accessToken,\n          token_type_hint: 'access_token',\n          client_id: clientId,\n          client_secret: hubspotConnectEnv.hubspotClientSecret,\n        }),\n        logger,\n      });\n    }\n  }\n\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n      value: '',\n      path: '/',\n      maxAge: 0,\n    }),\n  });\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: HUBSPOT_APP_SID_COOKIE_NAME,\n      value: '',\n      path: '/',\n      maxAge: 0,\n    }),\n  });\n\n  Object.keys(cookies).forEach((cookieName) => {\n    if (cookieName.startsWith(HUBSPOT_REFRESH_COOKIE_PREFIX)) {\n      setResponseCookie({\n        c,\n        value: serializeCookie({\n          name: cookieName,\n          value: '',\n          path: refreshCookiePath,\n          maxAge: 0,\n        }),\n      });\n    }\n  });\n\n  return c.json({ redirect_to: '/' });\n}\n"],"mappings":";;;;;;AAcA,eAAe,YAAY,SAIT;CAChB,MAAM,EAAE,mBAAmB,MAAM,WAAW;CAC5C,IAAI;EACF,MAAM,WAAW,MAAM,MAAM,mBAAmB;GAC9C,QAAQ;GACR,SAAS,EAAE,gBAAgB,qCAAqC;GAChE;GACD,CAAC;EACF,IAAI,CAAC,SAAS,IACZ,OAAO,KACL,sCAAsC,SAAS,OAAO,GAAG,SAAS,aACnE;UAEI,OAAO;EACd,OAAO,KAAK,uCAAuC,MAAM;;;AAI7D,eAAsB,iBACpB,GACA,SACA;CACA,MAAM,EAAE,SAAS,mBAAmB,UAAU,mBAAmB,WAC/D;CACF,MAAM,kBAAkB,EAAE,IAAI,OAAO,oBAAoB,IAAI,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,mBAAmB,IAAI,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,OAAO,IAAI,KAAA;CAClD,MAAM,UAAU,aAAa,EAAE,IAAI,OAAO,SAAS,CAAC;CACpD,MAAM,cAAc,QAAQ;CAE5B,MAAM,WAAW,kBAAkB,gBAC/B,gCAAgC;EAC9B,YAAY,EAAE,IAAI;EAClB;EACA;EACA;EACA;EACD,CAAC,GACF,kBAAkB;CAEtB,MAAM,oBAAoB,IAAI,IAC5B,oBACA,kBAAkB,sBACnB,CAAC;CAEF,IAAI,aACF,IAAI,kBAAkB,eAAe;EACnC,IAAI,CAAC,SACH,OAAO,EAAE,KACP,EACE,OACE,qFACH,EACD,IACD;EAEH,MAAM,kBAAkB,MAAM,qBAAqB;GACjD;GACA;GACA,UAAU;GACX,CAAC;EACF,MAAM,YAAY;GAChB;GACA,MAAM,IAAI,gBAAgB;IACxB,OAAO;IACP,iBAAiB;IACjB,WAAW;IACX,uBACE;IACF,kBAAkB;IACnB,CAAC;GACF;GACD,CAAC;QAEF,MAAM,YAAY;EAChB;EACA,MAAM,IAAI,gBAAgB;GACxB,OAAO;GACP,iBAAiB;GACjB,WAAW;GACX,eAAe,kBAAkB;GAClC,CAAC;EACF;EACD,CAAC;CAIN,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,QAAQ;GACT,CAAC;EACH,CAAC;CAEF,OAAO,KAAK,QAAQ,CAAC,SAAS,eAAe;EAC3C,IAAI,WAAW,WAAA,cAAyC,EACtD,kBAAkB;GAChB;GACA,OAAO,gBAAgB;IACrB,MAAM;IACN,OAAO;IACP,MAAM;IACN,QAAQ;IACT,CAAC;GACH,CAAC;GAEJ;CAEF,OAAO,EAAE,KAAK,EAAE,aAAa,KAAK,CAAC"}
+{"version":3,"file":"auth-logout.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/auth-logout.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport type { Logger } from '../../../shared/logger.ts';\nimport {\n  HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n  HUBSPOT_APP_ORIGIN_COOKIE_NAME,\n  HUBSPOT_APP_SID_COOKIE_NAME,\n  HUBSPOT_REFRESH_COOKIE_PREFIX,\n} from '../../constants.ts';\nimport { parseCookies } from '../../utils/cookie-utils.ts';\nimport { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';\nimport { buildClientAssertion } from './oauth-client.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport {\n  buildCimdClientIdUrlFromRequest,\n  parseAppOriginHeader,\n} from './utils.ts';\n\nasync function revokeToken(options: {\n  revokeEndpointUrl: string;\n  body: URLSearchParams;\n  logger: Logger;\n}): Promise<void> {\n  const { revokeEndpointUrl, body, logger } = options;\n  try {\n    const response = await fetch(revokeEndpointUrl, {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body,\n    });\n    if (!response.ok) {\n      logger.warn(\n        `HubSpot token revoke returned HTTP ${response.status} ${response.statusText}`\n      );\n    }\n  } catch (error) {\n    logger.warn('HubSpot token revoke request failed', error);\n  }\n}\n\nexport async function handleAuthLogout(\n  c: Context,\n  options: HubSpotConnectOAuthRouteOptions\n) {\n  const { appKeys, refreshCookiePath, basePath, hubspotConnectEnv, logger } =\n    options;\n  const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n  const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n  const requestHostHeader = c.req.header('host') ?? undefined;\n  const cookies = parseCookies(c.req.header('Cookie'));\n  const accessToken = cookies[HUBSPOT_ACCESS_TOKEN_COOKIE_NAME];\n\n  let clientId: string;\n  if (hubspotConnectEnv.isCimdEnabled) {\n    const appOrigin = parseAppOriginHeader(c.req.header('Origin'));\n    if (!appOrigin) {\n      return c.json({ error: 'Missing or invalid Origin header' }, 400);\n    }\n    clientId = buildCimdClientIdUrlFromRequest({\n      requestUrl: c.req.url,\n      basePath,\n      xForwardedProto,\n      xForwardedHost,\n      requestHostHeader,\n      appOrigin,\n    });\n  } else {\n    clientId = hubspotConnectEnv.hubspotClientId;\n  }\n\n  const revokeEndpointUrl = new URL(\n    '/oauth/v1/revoke',\n    hubspotConnectEnv.hubspotOAuthApiOrigin\n  ).href;\n\n  if (accessToken) {\n    if (hubspotConnectEnv.isCimdEnabled) {\n      if (!appKeys) {\n        return c.json(\n          {\n            error:\n              'Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD is enabled',\n          },\n          500\n        );\n      }\n      const clientAssertion = await buildClientAssertion({\n        appKeys,\n        clientId,\n        audience: revokeEndpointUrl,\n      });\n      await revokeToken({\n        revokeEndpointUrl,\n        body: new URLSearchParams({\n          token: accessToken,\n          token_type_hint: 'access_token',\n          client_id: clientId,\n          client_assertion_type:\n            'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',\n          client_assertion: clientAssertion,\n        }),\n        logger,\n      });\n    } else {\n      await revokeToken({\n        revokeEndpointUrl,\n        body: new URLSearchParams({\n          token: accessToken,\n          token_type_hint: 'access_token',\n          client_id: clientId,\n          client_secret: hubspotConnectEnv.hubspotClientSecret,\n        }),\n        logger,\n      });\n    }\n  }\n\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n      value: '',\n      path: '/',\n      sameSite: 'None',\n      partitioned: true,\n      maxAge: 0,\n    }),\n  });\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: HUBSPOT_APP_SID_COOKIE_NAME,\n      value: '',\n      path: '/',\n      sameSite: 'None',\n      partitioned: true,\n      maxAge: 0,\n    }),\n  });\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: HUBSPOT_APP_ORIGIN_COOKIE_NAME,\n      value: '',\n      path: '/',\n      sameSite: 'None',\n      partitioned: true,\n      maxAge: 0,\n    }),\n  });\n\n  Object.keys(cookies).forEach((cookieName) => {\n    if (cookieName.startsWith(HUBSPOT_REFRESH_COOKIE_PREFIX)) {\n      setResponseCookie({\n        c,\n        value: serializeCookie({\n          name: cookieName,\n          value: '',\n          path: refreshCookiePath,\n          sameSite: 'None',\n          partitioned: true,\n          maxAge: 0,\n        }),\n      });\n    }\n  });\n\n  return c.json({ redirect_to: '/' });\n}\n"],"mappings":";;;;;;AAkBA,eAAe,YAAY,SAIT;CAChB,MAAM,EAAE,mBAAmB,MAAM,WAAW;CAC5C,IAAI;EACF,MAAM,WAAW,MAAM,MAAM,mBAAmB;GAC9C,QAAQ;GACR,SAAS,EAAE,gBAAgB,oCAAoC;GAC/D;EACF,CAAC;EACD,IAAI,CAAC,SAAS,IACZ,OAAO,KACL,sCAAsC,SAAS,OAAO,GAAG,SAAS,YACpE;CAEJ,SAAS,OAAO;EACd,OAAO,KAAK,uCAAuC,KAAK;CAC1D;AACF;AAEA,eAAsB,iBACpB,GACA,SACA;CACA,MAAM,EAAE,SAAS,mBAAmB,UAAU,mBAAmB,WAC/D;CACF,MAAM,kBAAkB,EAAE,IAAI,OAAO,mBAAmB,KAAK,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,kBAAkB,KAAK,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,MAAM,KAAK,KAAA;CAClD,MAAM,UAAU,aAAa,EAAE,IAAI,OAAO,QAAQ,CAAC;CACnD,MAAM,cAAc,QAAQ;CAE5B,IAAI;CACJ,IAAI,kBAAkB,eAAe;EACnC,MAAM,YAAY,qBAAqB,EAAE,IAAI,OAAO,QAAQ,CAAC;EAC7D,IAAI,CAAC,WACH,OAAO,EAAE,KAAK,EAAE,OAAO,mCAAmC,GAAG,GAAG;EAElE,WAAW,gCAAgC;GACzC,YAAY,EAAE,IAAI;GAClB;GACA;GACA;GACA;GACA;EACF,CAAC;CACH,OACE,WAAW,kBAAkB;CAG/B,MAAM,oBAAoB,IAAI,IAC5B,oBACA,kBAAkB,qBACpB,EAAE;CAEF,IAAI,aACF,IAAI,kBAAkB,eAAe;EACnC,IAAI,CAAC,SACH,OAAO,EAAE,KACP,EACE,OACE,oFACJ,GACA,GACF;EAEF,MAAM,kBAAkB,MAAM,qBAAqB;GACjD;GACA;GACA,UAAU;EACZ,CAAC;EACD,MAAM,YAAY;GAChB;GACA,MAAM,IAAI,gBAAgB;IACxB,OAAO;IACP,iBAAiB;IACjB,WAAW;IACX,uBACE;IACF,kBAAkB;GACpB,CAAC;GACD;EACF,CAAC;CACH,OACE,MAAM,YAAY;EAChB;EACA,MAAM,IAAI,gBAAgB;GACxB,OAAO;GACP,iBAAiB;GACjB,WAAW;GACX,eAAe,kBAAkB;EACnC,CAAC;EACD;CACF,CAAC;CAIL,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;EACV,CAAC;CACH,CAAC;CACD,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;EACV,CAAC;CACH,CAAC;CACD,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;EACV,CAAC;CACH,CAAC;CAED,OAAO,KAAK,OAAO,EAAE,SAAS,eAAe;EAC3C,IAAI,WAAW,WAAA,aAAwC,GACrD,kBAAkB;GAChB;GACA,OAAO,gBAAgB;IACrB,MAAM;IACN,OAAO;IACP,MAAM;IACN,UAAU;IACV,aAAa;IACb,QAAQ;GACV,CAAC;EACH,CAAC;CAEL,CAAC;CAED,OAAO,EAAE,KAAK,EAAE,aAAa,IAAI,CAAC;AACpC"}

package/dist/server/hono/hubspot-connect-routes/auth-refresh.js

@@ -4,7 +4,7 @@ import { parseCookies } from "../../utils/cookie-utils.js";
 import { serializeCookie, setResponseCookie } from "../utils/cookie-utils.js";
 import { REFRESH_COOKIE_MAX_AGE_SEC } from "./constants.js";
 import { buildClientAssertion, buildClientAssertionFormParams, buildClientSecretFormParams, buildTokenEndpointDpopProof, requestOAuthToken } from "./oauth-client.js";
-import { buildCimdClientIdUrlFromRequest, isPositiveFiniteNumber } from "./utils.js";
+import { buildCimdClientIdUrlFromRequest, isPositiveFiniteNumber, parseAppOriginHeader } from "./utils.js";
 //#region src/server/hono/hubspot-connect-routes/auth-refresh.ts
 async function handleAuthRefresh(c, options) {
 	const { appKeys, refreshCookiePath, basePath, hubspotConnectEnv } = options;
@@ -19,13 +19,19 @@ async function handleAuthRefresh(c, options) {
 	const refreshCookieName = `${HUBSPOT_REFRESH_COOKIE_PREFIX}${sidHash}`;
 	const refreshToken = cookies[refreshCookieName];
 	if (!refreshToken) return c.json({ error: "Missing refresh token" }, 401);
-	const clientId = hubspotConnectEnv.isCimdEnabled ? buildCimdClientIdUrlFromRequest({
-		requestUrl: c.req.url,
-		basePath,
-		xForwardedProto,
-		xForwardedHost,
-		requestHostHeader
-	}) : hubspotConnectEnv.hubspotClientId;
+	let clientId;
+	if (hubspotConnectEnv.isCimdEnabled) {
+		const appOrigin = parseAppOriginHeader(c.req.header("Origin"));
+		if (!appOrigin) return c.json({ error: "Missing or invalid Origin header" }, 400);
+		clientId = buildCimdClientIdUrlFromRequest({
+			requestUrl: c.req.url,
+			basePath,
+			xForwardedProto,
+			xForwardedHost,
+			requestHostHeader,
+			appOrigin
+		});
+	} else clientId = hubspotConnectEnv.hubspotClientId;
 	const tokenEndpointUrl = new URL("/oauth/v1/token", hubspotConnectEnv.hubspotOAuthApiOrigin).href;
 	let dpopProof;
 	if (hubspotConnectEnv.isDpopEnabled) dpopProof = await buildTokenEndpointDpopProof({
@@ -34,19 +40,21 @@ async function handleAuthRefresh(c, options) {
 		sessionIdHash: sidHash
 	});
 	let formParams;
-	if (hubspotConnectEnv.isCimdEnabled) formParams = {
-		grant_type: "refresh_token",
-		refresh_token: refreshToken,
-		...buildClientAssertionFormParams({
+	if (hubspotConnectEnv.isCimdEnabled) {
+		const clientAssertion = await buildClientAssertion({
+			appKeys,
 			clientId,
-			clientAssertion: await buildClientAssertion({
-				appKeys,
+			audience: tokenEndpointUrl
+		});
+		formParams = {
+			grant_type: "refresh_token",
+			refresh_token: refreshToken,
+			...buildClientAssertionFormParams({
 				clientId,
-				audience: tokenEndpointUrl
+				clientAssertion
 			})
-		})
-	};
-	else formParams = {
+		};
+	} else formParams = {
 		grant_type: "refresh_token",
 		refresh_token: refreshToken,
 		...buildClientSecretFormParams({
@@ -70,6 +78,8 @@ async function handleAuthRefresh(c, options) {
 			name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,
 			value: newAccessToken,
 			path: "/",
+			sameSite: "None",
+			partitioned: true,
 			maxAge: expires_in
 		})
 	});
@@ -79,6 +89,8 @@ async function handleAuthRefresh(c, options) {
 			name: refreshCookieName,
 			value: newRefreshToken,
 			path: refreshCookiePath,
+			sameSite: "None",
+			partitioned: true,
 			maxAge: REFRESH_COOKIE_MAX_AGE_SEC
 		})
 	});
@@ -89,6 +101,8 @@ async function handleAuthRefresh(c, options) {
 				name: cookieName,
 				value: "",
 				path: refreshCookiePath,
+				sameSite: "None",
+				partitioned: true,
 				maxAge: 0
 			})
 		});

package/dist/server/hono/hubspot-connect-routes/auth-refresh.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth-refresh.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/auth-refresh.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport {\n  HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n  HUBSPOT_APP_SID_COOKIE_NAME,\n  HUBSPOT_REFRESH_COOKIE_PREFIX,\n} from '../../constants.ts';\nimport { parseCookies } from '../../utils/cookie-utils.ts';\nimport { sha256base64url } from '../../utils/crypto-utils.ts';\nimport { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';\nimport { REFRESH_COOKIE_MAX_AGE_SEC } from './constants.ts';\nimport {\n  buildClientAssertion,\n  buildClientAssertionFormParams,\n  buildClientSecretFormParams,\n  buildTokenEndpointDpopProof,\n  requestOAuthToken,\n} from './oauth-client.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport {\n  buildCimdClientIdUrlFromRequest,\n  isPositiveFiniteNumber,\n} from './utils.ts';\n\nexport async function handleAuthRefresh(\n  c: Context,\n  options: HubSpotConnectOAuthRouteOptions\n) {\n  const { appKeys, refreshCookiePath, basePath, hubspotConnectEnv } = options;\n  const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n  const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n  const requestHostHeader = c.req.header('host') ?? undefined;\n  const cookies = parseCookies(c.req.header('Cookie'));\n  const sessionId = cookies[HUBSPOT_APP_SID_COOKIE_NAME];\n  if (!sessionId) {\n    return c.json({ error: 'Missing session cookie' }, 401);\n  }\n\n  if (hubspotConnectEnv.isAppPrivateKeyRequired && !appKeys) {\n    return c.json(\n      {\n        error:\n          'Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD or DPoP is enabled',\n      },\n      500\n    );\n  }\n\n  const sidHash = await sha256base64url(sessionId);\n  const refreshCookieName = `${HUBSPOT_REFRESH_COOKIE_PREFIX}${sidHash}`;\n  const refreshToken = cookies[refreshCookieName];\n  if (!refreshToken) {\n    return c.json({ error: 'Missing refresh token' }, 401);\n  }\n\n  const clientId = hubspotConnectEnv.isCimdEnabled\n    ? buildCimdClientIdUrlFromRequest({\n        requestUrl: c.req.url,\n        basePath,\n        xForwardedProto,\n        xForwardedHost,\n        requestHostHeader,\n      })\n    : hubspotConnectEnv.hubspotClientId;\n\n  const tokenEndpointUrl = new URL(\n    '/oauth/v1/token',\n    hubspotConnectEnv.hubspotOAuthApiOrigin\n  ).href;\n\n  let dpopProof: string | undefined;\n  if (hubspotConnectEnv.isDpopEnabled) {\n    dpopProof = await buildTokenEndpointDpopProof({\n      appKeys: appKeys!,\n      tokenEndpointUrl,\n      sessionIdHash: sidHash,\n    });\n  }\n\n  let formParams: Record<string, string>;\n  if (hubspotConnectEnv.isCimdEnabled) {\n    const clientAssertion = await buildClientAssertion({\n      appKeys: appKeys!,\n      clientId,\n      audience: tokenEndpointUrl,\n    });\n    formParams = {\n      grant_type: 'refresh_token',\n      refresh_token: refreshToken,\n      ...buildClientAssertionFormParams({ clientId, clientAssertion }),\n    };\n  } else {\n    formParams = {\n      grant_type: 'refresh_token',\n      refresh_token: refreshToken,\n      ...buildClientSecretFormParams({\n        clientId,\n        clientSecret: hubspotConnectEnv.hubspotClientSecret,\n      }),\n    };\n  }\n\n  const tokenResult = await requestOAuthToken({\n    tokenEndpointUrl,\n    isDpopEnabled: hubspotConnectEnv.isDpopEnabled,\n    ...(dpopProof !== undefined ? { dpopProof } : {}),\n    formParams,\n  });\n  if (!tokenResult.ok) {\n    return c.json(\n      { error: `Token refresh failed: ${tokenResult.errorText}` },\n      502\n    );\n  }\n\n  const {\n    access_token: newAccessToken,\n    refresh_token: newRefreshToken,\n    expires_in,\n  } = tokenResult.body;\n\n  if (!newRefreshToken) {\n    return c.json({ error: 'Token response missing refresh_token' }, 502);\n  }\n  if (!isPositiveFiniteNumber(expires_in)) {\n    return c.json(\n      { error: 'Token response missing or invalid expires_in' },\n      502\n    );\n  }\n\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n      value: newAccessToken,\n      path: '/',\n      maxAge: expires_in,\n    }),\n  });\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: refreshCookieName,\n      value: newRefreshToken,\n      path: refreshCookiePath,\n      maxAge: REFRESH_COOKIE_MAX_AGE_SEC,\n    }),\n  });\n\n  // Cookies prefixed with HUBSPOT_REFRESH_COOKIE_PREFIX that don't match the\n  // new refresh cookie name are stale and need to be cleared.\n  Object.keys(cookies).forEach((cookieName) => {\n    if (\n      cookieName.startsWith(HUBSPOT_REFRESH_COOKIE_PREFIX) &&\n      cookieName !== refreshCookieName\n    ) {\n      setResponseCookie({\n        c,\n        value: serializeCookie({\n          name: cookieName,\n          value: '',\n          path: refreshCookiePath,\n          maxAge: 0,\n        }),\n      });\n    }\n  });\n\n  return c.json({ expires_in });\n}\n"],"mappings":";;;;;;;;AAwBA,eAAsB,kBACpB,GACA,SACA;CACA,MAAM,EAAE,SAAS,mBAAmB,UAAU,sBAAsB;CACpE,MAAM,kBAAkB,EAAE,IAAI,OAAO,oBAAoB,IAAI,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,mBAAmB,IAAI,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,OAAO,IAAI,KAAA;CAClD,MAAM,UAAU,aAAa,EAAE,IAAI,OAAO,SAAS,CAAC;CACpD,MAAM,YAAY,QAAQ;CAC1B,IAAI,CAAC,WACH,OAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,EAAE,IAAI;CAGzD,IAAI,kBAAkB,2BAA2B,CAAC,SAChD,OAAO,EAAE,KACP,EACE,OACE,6FACH,EACD,IACD;CAGH,MAAM,UAAU,MAAM,gBAAgB,UAAU;CAChD,MAAM,oBAAoB,GAAG,gCAAgC;CAC7D,MAAM,eAAe,QAAQ;CAC7B,IAAI,CAAC,cACH,OAAO,EAAE,KAAK,EAAE,OAAO,yBAAyB,EAAE,IAAI;CAGxD,MAAM,WAAW,kBAAkB,gBAC/B,gCAAgC;EAC9B,YAAY,EAAE,IAAI;EAClB;EACA;EACA;EACA;EACD,CAAC,GACF,kBAAkB;CAEtB,MAAM,mBAAmB,IAAI,IAC3B,mBACA,kBAAkB,sBACnB,CAAC;CAEF,IAAI;CACJ,IAAI,kBAAkB,eACpB,YAAY,MAAM,4BAA4B;EACnC;EACT;EACA,eAAe;EAChB,CAAC;CAGJ,IAAI;CACJ,IAAI,kBAAkB,eAMpB,aAAa;EACX,YAAY;EACZ,eAAe;EACf,GAAG,+BAA+B;GAAE;GAAU,iBAAA,MARlB,qBAAqB;IACxC;IACT;IACA,UAAU;IACX,CAAC;GAI+D,CAAC;EACjE;MAED,aAAa;EACX,YAAY;EACZ,eAAe;EACf,GAAG,4BAA4B;GAC7B;GACA,cAAc,kBAAkB;GACjC,CAAC;EACH;CAGH,MAAM,cAAc,MAAM,kBAAkB;EAC1C;EACA,eAAe,kBAAkB;EACjC,GAAI,cAAc,KAAA,IAAY,EAAE,WAAW,GAAG,EAAE;EAChD;EACD,CAAC;CACF,IAAI,CAAC,YAAY,IACf,OAAO,EAAE,KACP,EAAE,OAAO,yBAAyB,YAAY,aAAa,EAC3D,IACD;CAGH,MAAM,EACJ,cAAc,gBACd,eAAe,iBACf,eACE,YAAY;CAEhB,IAAI,CAAC,iBACH,OAAO,EAAE,KAAK,EAAE,OAAO,wCAAwC,EAAE,IAAI;CAEvE,IAAI,CAAC,uBAAuB,WAAW,EACrC,OAAO,EAAE,KACP,EAAE,OAAO,gDAAgD,EACzD,IACD;CAGH,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,QAAQ;GACT,CAAC;EACH,CAAC;CAIF,OAAO,KAAK,QAAQ,CAAC,SAAS,eAAe;EAC3C,IACE,WAAW,WAAA,cAAyC,IACpD,eAAe,mBAEf,kBAAkB;GAChB;GACA,OAAO,gBAAgB;IACrB,MAAM;IACN,OAAO;IACP,MAAM;IACN,QAAQ;IACT,CAAC;GACH,CAAC;GAEJ;CAEF,OAAO,EAAE,KAAK,EAAE,YAAY,CAAC"}
+{"version":3,"file":"auth-refresh.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/auth-refresh.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport {\n  HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n  HUBSPOT_APP_SID_COOKIE_NAME,\n  HUBSPOT_REFRESH_COOKIE_PREFIX,\n} from '../../constants.ts';\nimport { parseCookies } from '../../utils/cookie-utils.ts';\nimport { sha256base64url } from '../../utils/crypto-utils.ts';\nimport { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';\nimport { REFRESH_COOKIE_MAX_AGE_SEC } from './constants.ts';\nimport {\n  buildClientAssertion,\n  buildClientAssertionFormParams,\n  buildClientSecretFormParams,\n  buildTokenEndpointDpopProof,\n  requestOAuthToken,\n} from './oauth-client.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport {\n  buildCimdClientIdUrlFromRequest,\n  isPositiveFiniteNumber,\n  parseAppOriginHeader,\n} from './utils.ts';\n\nexport async function handleAuthRefresh(\n  c: Context,\n  options: HubSpotConnectOAuthRouteOptions\n) {\n  const { appKeys, refreshCookiePath, basePath, hubspotConnectEnv } = options;\n  const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n  const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n  const requestHostHeader = c.req.header('host') ?? undefined;\n  const cookies = parseCookies(c.req.header('Cookie'));\n  const sessionId = cookies[HUBSPOT_APP_SID_COOKIE_NAME];\n  if (!sessionId) {\n    return c.json({ error: 'Missing session cookie' }, 401);\n  }\n\n  if (hubspotConnectEnv.isAppPrivateKeyRequired && !appKeys) {\n    return c.json(\n      {\n        error:\n          'Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD or DPoP is enabled',\n      },\n      500\n    );\n  }\n\n  const sidHash = await sha256base64url(sessionId);\n  const refreshCookieName = `${HUBSPOT_REFRESH_COOKIE_PREFIX}${sidHash}`;\n  const refreshToken = cookies[refreshCookieName];\n  if (!refreshToken) {\n    return c.json({ error: 'Missing refresh token' }, 401);\n  }\n\n  let clientId: string;\n  if (hubspotConnectEnv.isCimdEnabled) {\n    const appOrigin = parseAppOriginHeader(c.req.header('Origin'));\n    if (!appOrigin) {\n      return c.json({ error: 'Missing or invalid Origin header' }, 400);\n    }\n    clientId = buildCimdClientIdUrlFromRequest({\n      requestUrl: c.req.url,\n      basePath,\n      xForwardedProto,\n      xForwardedHost,\n      requestHostHeader,\n      appOrigin,\n    });\n  } else {\n    clientId = hubspotConnectEnv.hubspotClientId;\n  }\n\n  const tokenEndpointUrl = new URL(\n    '/oauth/v1/token',\n    hubspotConnectEnv.hubspotOAuthApiOrigin\n  ).href;\n\n  let dpopProof: string | undefined;\n  if (hubspotConnectEnv.isDpopEnabled) {\n    dpopProof = await buildTokenEndpointDpopProof({\n      appKeys: appKeys!,\n      tokenEndpointUrl,\n      sessionIdHash: sidHash,\n    });\n  }\n\n  let formParams: Record<string, string>;\n  if (hubspotConnectEnv.isCimdEnabled) {\n    const clientAssertion = await buildClientAssertion({\n      appKeys: appKeys!,\n      clientId,\n      audience: tokenEndpointUrl,\n    });\n    formParams = {\n      grant_type: 'refresh_token',\n      refresh_token: refreshToken,\n      ...buildClientAssertionFormParams({ clientId, clientAssertion }),\n    };\n  } else {\n    formParams = {\n      grant_type: 'refresh_token',\n      refresh_token: refreshToken,\n      ...buildClientSecretFormParams({\n        clientId,\n        clientSecret: hubspotConnectEnv.hubspotClientSecret,\n      }),\n    };\n  }\n\n  const tokenResult = await requestOAuthToken({\n    tokenEndpointUrl,\n    isDpopEnabled: hubspotConnectEnv.isDpopEnabled,\n    ...(dpopProof !== undefined ? { dpopProof } : {}),\n    formParams,\n  });\n  if (!tokenResult.ok) {\n    return c.json(\n      { error: `Token refresh failed: ${tokenResult.errorText}` },\n      502\n    );\n  }\n\n  const {\n    access_token: newAccessToken,\n    refresh_token: newRefreshToken,\n    expires_in,\n  } = tokenResult.body;\n\n  if (!newRefreshToken) {\n    return c.json({ error: 'Token response missing refresh_token' }, 502);\n  }\n  if (!isPositiveFiniteNumber(expires_in)) {\n    return c.json(\n      { error: 'Token response missing or invalid expires_in' },\n      502\n    );\n  }\n\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n      value: newAccessToken,\n      path: '/',\n      sameSite: 'None',\n      partitioned: true,\n      maxAge: expires_in,\n    }),\n  });\n  setResponseCookie({\n    c,\n    value: serializeCookie({\n      name: refreshCookieName,\n      value: newRefreshToken,\n      path: refreshCookiePath,\n      sameSite: 'None',\n      partitioned: true,\n      maxAge: REFRESH_COOKIE_MAX_AGE_SEC,\n    }),\n  });\n\n  // Cookies prefixed with HUBSPOT_REFRESH_COOKIE_PREFIX that don't match the\n  // new refresh cookie name are stale and need to be cleared.\n  Object.keys(cookies).forEach((cookieName) => {\n    if (\n      cookieName.startsWith(HUBSPOT_REFRESH_COOKIE_PREFIX) &&\n      cookieName !== refreshCookieName\n    ) {\n      setResponseCookie({\n        c,\n        value: serializeCookie({\n          name: cookieName,\n          value: '',\n          path: refreshCookiePath,\n          sameSite: 'None',\n          partitioned: true,\n          maxAge: 0,\n        }),\n      });\n    }\n  });\n\n  return c.json({ expires_in });\n}\n"],"mappings":";;;;;;;;AAyBA,eAAsB,kBACpB,GACA,SACA;CACA,MAAM,EAAE,SAAS,mBAAmB,UAAU,sBAAsB;CACpE,MAAM,kBAAkB,EAAE,IAAI,OAAO,mBAAmB,KAAK,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,kBAAkB,KAAK,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,MAAM,KAAK,KAAA;CAClD,MAAM,UAAU,aAAa,EAAE,IAAI,OAAO,QAAQ,CAAC;CACnD,MAAM,YAAY,QAAQ;CAC1B,IAAI,CAAC,WACH,OAAO,EAAE,KAAK,EAAE,OAAO,yBAAyB,GAAG,GAAG;CAGxD,IAAI,kBAAkB,2BAA2B,CAAC,SAChD,OAAO,EAAE,KACP,EACE,OACE,4FACJ,GACA,GACF;CAGF,MAAM,UAAU,MAAM,gBAAgB,SAAS;CAC/C,MAAM,oBAAoB,GAAG,gCAAgC;CAC7D,MAAM,eAAe,QAAQ;CAC7B,IAAI,CAAC,cACH,OAAO,EAAE,KAAK,EAAE,OAAO,wBAAwB,GAAG,GAAG;CAGvD,IAAI;CACJ,IAAI,kBAAkB,eAAe;EACnC,MAAM,YAAY,qBAAqB,EAAE,IAAI,OAAO,QAAQ,CAAC;EAC7D,IAAI,CAAC,WACH,OAAO,EAAE,KAAK,EAAE,OAAO,mCAAmC,GAAG,GAAG;EAElE,WAAW,gCAAgC;GACzC,YAAY,EAAE,IAAI;GAClB;GACA;GACA;GACA;GACA;EACF,CAAC;CACH,OACE,WAAW,kBAAkB;CAG/B,MAAM,mBAAmB,IAAI,IAC3B,mBACA,kBAAkB,qBACpB,EAAE;CAEF,IAAI;CACJ,IAAI,kBAAkB,eACpB,YAAY,MAAM,4BAA4B;EACnC;EACT;EACA,eAAe;CACjB,CAAC;CAGH,IAAI;CACJ,IAAI,kBAAkB,eAAe;EACnC,MAAM,kBAAkB,MAAM,qBAAqB;GACxC;GACT;GACA,UAAU;EACZ,CAAC;EACD,aAAa;GACX,YAAY;GACZ,eAAe;GACf,GAAG,+BAA+B;IAAE;IAAU;GAAgB,CAAC;EACjE;CACF,OACE,aAAa;EACX,YAAY;EACZ,eAAe;EACf,GAAG,4BAA4B;GAC7B;GACA,cAAc,kBAAkB;EAClC,CAAC;CACH;CAGF,MAAM,cAAc,MAAM,kBAAkB;EAC1C;EACA,eAAe,kBAAkB;EACjC,GAAI,cAAc,KAAA,IAAY,EAAE,UAAU,IAAI,CAAC;EAC/C;CACF,CAAC;CACD,IAAI,CAAC,YAAY,IACf,OAAO,EAAE,KACP,EAAE,OAAO,yBAAyB,YAAY,YAAY,GAC1D,GACF;CAGF,MAAM,EACJ,cAAc,gBACd,eAAe,iBACf,eACE,YAAY;CAEhB,IAAI,CAAC,iBACH,OAAO,EAAE,KAAK,EAAE,OAAO,uCAAuC,GAAG,GAAG;CAEtE,IAAI,CAAC,uBAAuB,UAAU,GACpC,OAAO,EAAE,KACP,EAAE,OAAO,+CAA+C,GACxD,GACF;CAGF,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;EACV,CAAC;CACH,CAAC;CACD,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;EACV,CAAC;CACH,CAAC;CAID,OAAO,KAAK,OAAO,EAAE,SAAS,eAAe;EAC3C,IACE,WAAW,WAAA,aAAwC,KACnD,eAAe,mBAEf,kBAAkB;GAChB;GACA,OAAO,gBAAgB;IACrB,MAAM;IACN,OAAO;IACP,MAAM;IACN,UAAU;IACV,aAAa;IACb,QAAQ;GACV,CAAC;EACH,CAAC;CAEL,CAAC;CAED,OAAO,EAAE,KAAK,EAAE,WAAW,CAAC;AAC9B"}

package/dist/server/hono/hubspot-connect-routes/cimd-client-metadata-types.js.map

@@ -1 +1 @@
-{"version":3,"file":"cimd-client-metadata-types.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/cimd-client-metadata-types.ts"],"sourcesContent":["/**\n * Caller-supplied scope configuration for the CIMD document served at\n * `{basePath}/client.json`. `redirect_uri` and `jwks_uri` are derived at\n * request time by the hubspot-connect routes.\n */\nexport interface HubSpotConnectCimdClientMetadata {\n  scope: HubSpotConnectCimdClientScope;\n}\n\nexport interface HubSpotConnectCimdClientScope {\n  required: string[];\n  optional?: string[];\n}\n\n/**\n * JSON body returned by `GET {basePath}/client.json` (HubSpot CIMD).\n */\nexport interface HubSpotConnectCimdClientDocument {\n  redirect_uri: string;\n  jwks_uri: string;\n  scope: HubSpotConnectCimdClientScope;\n}\n\nexport function assertHubSpotConnectCimdClientMetadata(\n  value: HubSpotConnectCimdClientMetadata\n): void {\n  const required = value.scope?.required;\n  const requiredOk =\n    Array.isArray(required) &&\n    required.length > 0 &&\n    required.every((s) => typeof s === 'string' && s.length > 0);\n  if (!requiredOk) {\n    throw new Error(\n      'HubSpotConnectCimdClientMetadata.scope.required must be a non-empty array of non-empty strings'\n    );\n  }\n  const optional = value.scope.optional;\n  if (optional === undefined) {\n    return;\n  }\n  if (!Array.isArray(optional)) {\n    throw new Error(\n      'HubSpotConnectCimdClientMetadata.scope.optional must be an array when set'\n    );\n  }\n  if (\n    optional.length > 0 &&\n    !optional.every((s) => typeof s === 'string' && s.length > 0)\n  ) {\n    throw new Error(\n      'HubSpotConnectCimdClientMetadata.scope.optional entries must be non-empty strings'\n    );\n  }\n}\n"],"mappings":";AAuBA,SAAgB,uCACd,OACM;CACN,MAAM,WAAW,MAAM,OAAO;CAK9B,IAAI,EAHF,MAAM,QAAQ,SAAS,IACvB,SAAS,SAAS,KAClB,SAAS,OAAO,MAAM,OAAO,MAAM,YAAY,EAAE,SAAS,EAAE,GAE5D,MAAM,IAAI,MACR,iGACD;CAEH,MAAM,WAAW,MAAM,MAAM;CAC7B,IAAI,aAAa,KAAA,GACf;CAEF,IAAI,CAAC,MAAM,QAAQ,SAAS,EAC1B,MAAM,IAAI,MACR,4EACD;CAEH,IACE,SAAS,SAAS,KAClB,CAAC,SAAS,OAAO,MAAM,OAAO,MAAM,YAAY,EAAE,SAAS,EAAE,EAE7D,MAAM,IAAI,MACR,oFACD"}
+{"version":3,"file":"cimd-client-metadata-types.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/cimd-client-metadata-types.ts"],"sourcesContent":["/**\n * Caller-supplied scope configuration for the CIMD document served at\n * `{basePath}/client.json`. `redirect_uri` and `jwks_uri` are derived at\n * request time by the hubspot-connect routes.\n */\nexport interface HubSpotConnectCimdClientMetadata {\n  scope: HubSpotConnectCimdClientScope;\n}\n\nexport interface HubSpotConnectCimdClientScope {\n  required: string[];\n  optional?: string[];\n}\n\n/**\n * JSON body returned by `GET {basePath}/client.json` (HubSpot CIMD).\n */\nexport interface HubSpotConnectCimdClientDocument {\n  redirect_uri: string;\n  jwks_uri: string;\n  scope: HubSpotConnectCimdClientScope;\n}\n\nexport function assertHubSpotConnectCimdClientMetadata(\n  value: HubSpotConnectCimdClientMetadata\n): void {\n  const required = value.scope?.required;\n  const requiredOk =\n    Array.isArray(required) &&\n    required.length > 0 &&\n    required.every((s) => typeof s === 'string' && s.length > 0);\n  if (!requiredOk) {\n    throw new Error(\n      'HubSpotConnectCimdClientMetadata.scope.required must be a non-empty array of non-empty strings'\n    );\n  }\n  const optional = value.scope.optional;\n  if (optional === undefined) {\n    return;\n  }\n  if (!Array.isArray(optional)) {\n    throw new Error(\n      'HubSpotConnectCimdClientMetadata.scope.optional must be an array when set'\n    );\n  }\n  if (\n    optional.length > 0 &&\n    !optional.every((s) => typeof s === 'string' && s.length > 0)\n  ) {\n    throw new Error(\n      'HubSpotConnectCimdClientMetadata.scope.optional entries must be non-empty strings'\n    );\n  }\n}\n"],"mappings":";AAuBA,SAAgB,uCACd,OACM;CACN,MAAM,WAAW,MAAM,OAAO;CAK9B,IAAI,EAHF,MAAM,QAAQ,QAAQ,KACtB,SAAS,SAAS,KAClB,SAAS,OAAO,MAAM,OAAO,MAAM,YAAY,EAAE,SAAS,CAAC,IAE3D,MAAM,IAAI,MACR,gGACF;CAEF,MAAM,WAAW,MAAM,MAAM;CAC7B,IAAI,aAAa,KAAA,GACf;CAEF,IAAI,CAAC,MAAM,QAAQ,QAAQ,GACzB,MAAM,IAAI,MACR,2EACF;CAEF,IACE,SAAS,SAAS,KAClB,CAAC,SAAS,OAAO,MAAM,OAAO,MAAM,YAAY,EAAE,SAAS,CAAC,GAE5D,MAAM,IAAI,MACR,mFACF;AAEJ"}

package/dist/server/hono/hubspot-connect-routes/cimd-public-routes.js

@@ -7,12 +7,15 @@ async function handleCimdClientJson(c, options) {
 	const xForwardedProto = c.req.header("x-forwarded-proto") ?? void 0;
 	const xForwardedHost = c.req.header("x-forwarded-host") ?? void 0;
 	const requestHostHeader = c.req.header("host") ?? void 0;
+	const appOrigin = c.req.query("app_origin");
+	if (!appOrigin) return c.text("Missing app origin", 400);
 	const forwarded = {
 		requestUrl: c.req.url,
 		basePath,
 		xForwardedProto,
 		xForwardedHost,
-		requestHostHeader
+		requestHostHeader,
+		appOrigin
 	};
 	const body = {
 		redirect_uri: buildOAuthRedirectUriFromRequest(forwarded),

package/dist/server/hono/hubspot-connect-routes/cimd-public-routes.js.map

@@ -1 +1 @@
-{"version":3,"file":"cimd-public-routes.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/cimd-public-routes.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport type { JwkSet } from '../../types.ts';\nimport { getJwkThumbprint } from '../../utils/jwk-utils.ts';\nimport type { HubSpotConnectCimdClientDocument } from './cimd-client-metadata-types.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport {\n  buildHubSpotAppJwksUrlFromRequest,\n  buildOAuthRedirectUriFromRequest,\n  type BuildOAuthRedirectUriFromRequestOptions,\n} from './utils.ts';\n\nexport async function handleCimdClientJson(\n  c: Context,\n  options: HubSpotConnectOAuthRouteOptions\n): Promise<Response> {\n  const { cimdClientMetadata, basePath } = options;\n  if (!cimdClientMetadata) {\n    return c.text('CIMD client metadata is not configured', 500);\n  }\n\n  const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n  const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n  const requestHostHeader = c.req.header('host') ?? undefined;\n\n  const forwarded: BuildOAuthRedirectUriFromRequestOptions = {\n    requestUrl: c.req.url,\n    basePath,\n    xForwardedProto,\n    xForwardedHost,\n    requestHostHeader,\n  };\n\n  const body: HubSpotConnectCimdClientDocument = {\n    redirect_uri: buildOAuthRedirectUriFromRequest(forwarded),\n    jwks_uri: buildHubSpotAppJwksUrlFromRequest(forwarded),\n    scope: cimdClientMetadata.scope,\n  };\n\n  return c.text(JSON.stringify(body, null, 2), 200, {\n    'Content-Type': 'application/json; charset=utf-8',\n  });\n}\n\nexport async function handleCimdAppJwks(\n  c: Context,\n  options: HubSpotConnectOAuthRouteOptions\n): Promise<Response> {\n  const { appKeys, hubspotConnectEnv } = options;\n  if (!hubspotConnectEnv.isCimdEnabled) {\n    return c.text('Not found', 404);\n  }\n  if (!appKeys) {\n    return c.text('Missing app keys', 503);\n  }\n\n  const kid = await getJwkThumbprint({\n    publicKeyJwk: appKeys.appPublicKeyJwk,\n  });\n\n  const jwk = {\n    ...appKeys.appPublicKeyJwk,\n    kid,\n    use: 'sig',\n    alg: 'ES256',\n    key_ops: ['verify'],\n    ext: true,\n  } as JsonWebKey;\n\n  const jwks: JwkSet = { keys: [jwk] };\n  return c.json(jwks);\n}\n"],"mappings":";;;AAYA,eAAsB,qBACpB,GACA,SACmB;CACnB,MAAM,EAAE,oBAAoB,aAAa;CACzC,IAAI,CAAC,oBACH,OAAO,EAAE,KAAK,0CAA0C,IAAI;CAG9D,MAAM,kBAAkB,EAAE,IAAI,OAAO,oBAAoB,IAAI,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,mBAAmB,IAAI,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,OAAO,IAAI,KAAA;CAElD,MAAM,YAAqD;EACzD,YAAY,EAAE,IAAI;EAClB;EACA;EACA;EACA;EACD;CAED,MAAM,OAAyC;EAC7C,cAAc,iCAAiC,UAAU;EACzD,UAAU,kCAAkC,UAAU;EACtD,OAAO,mBAAmB;EAC3B;CAED,OAAO,EAAE,KAAK,KAAK,UAAU,MAAM,MAAM,EAAE,EAAE,KAAK,EAChD,gBAAgB,mCACjB,CAAC;;AAGJ,eAAsB,kBACpB,GACA,SACmB;CACnB,MAAM,EAAE,SAAS,sBAAsB;CACvC,IAAI,CAAC,kBAAkB,eACrB,OAAO,EAAE,KAAK,aAAa,IAAI;CAEjC,IAAI,CAAC,SACH,OAAO,EAAE,KAAK,oBAAoB,IAAI;CAGxC,MAAM,MAAM,MAAM,iBAAiB,EACjC,cAAc,QAAQ,iBACvB,CAAC;CAWF,MAAM,OAAe,EAAE,MAAM,CAAC;EAR5B,GAAG,QAAQ;EACX;EACA,KAAK;EACL,KAAK;EACL,SAAS,CAAC,SAAS;EACnB,KAAK;EAG0B,CAAC,EAAE;CACpC,OAAO,EAAE,KAAK,KAAK"}
+{"version":3,"file":"cimd-public-routes.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/cimd-public-routes.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport type { JwkSet } from '../../types.ts';\nimport { getJwkThumbprint } from '../../utils/jwk-utils.ts';\nimport type { HubSpotConnectCimdClientDocument } from './cimd-client-metadata-types.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport {\n  buildHubSpotAppJwksUrlFromRequest,\n  buildOAuthRedirectUriFromRequest,\n  type BuildOAuthRedirectUriFromRequestOptions,\n} from './utils.ts';\n\nexport async function handleCimdClientJson(\n  c: Context,\n  options: HubSpotConnectOAuthRouteOptions\n): Promise<Response> {\n  const { cimdClientMetadata, basePath } = options;\n  if (!cimdClientMetadata) {\n    return c.text('CIMD client metadata is not configured', 500);\n  }\n\n  const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n  const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n  const requestHostHeader = c.req.header('host') ?? undefined;\n  const appOrigin = c.req.query('app_origin');\n  if (!appOrigin) {\n    return c.text('Missing app origin', 400);\n  }\n  const forwarded: BuildOAuthRedirectUriFromRequestOptions = {\n    requestUrl: c.req.url,\n    basePath,\n    xForwardedProto,\n    xForwardedHost,\n    requestHostHeader,\n    appOrigin,\n  };\n\n  const body: HubSpotConnectCimdClientDocument = {\n    redirect_uri: buildOAuthRedirectUriFromRequest(forwarded),\n    jwks_uri: buildHubSpotAppJwksUrlFromRequest(forwarded),\n    scope: cimdClientMetadata.scope,\n  };\n\n  return c.text(JSON.stringify(body, null, 2), 200, {\n    'Content-Type': 'application/json; charset=utf-8',\n  });\n}\n\nexport async function handleCimdAppJwks(\n  c: Context,\n  options: HubSpotConnectOAuthRouteOptions\n): Promise<Response> {\n  const { appKeys, hubspotConnectEnv } = options;\n  if (!hubspotConnectEnv.isCimdEnabled) {\n    return c.text('Not found', 404);\n  }\n  if (!appKeys) {\n    return c.text('Missing app keys', 503);\n  }\n\n  const kid = await getJwkThumbprint({\n    publicKeyJwk: appKeys.appPublicKeyJwk,\n  });\n\n  const jwk = {\n    ...appKeys.appPublicKeyJwk,\n    kid,\n    use: 'sig',\n    alg: 'ES256',\n    key_ops: ['verify'],\n    ext: true,\n  } as JsonWebKey;\n\n  const jwks: JwkSet = { keys: [jwk] };\n  return c.json(jwks);\n}\n"],"mappings":";;;AAYA,eAAsB,qBACpB,GACA,SACmB;CACnB,MAAM,EAAE,oBAAoB,aAAa;CACzC,IAAI,CAAC,oBACH,OAAO,EAAE,KAAK,0CAA0C,GAAG;CAG7D,MAAM,kBAAkB,EAAE,IAAI,OAAO,mBAAmB,KAAK,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,kBAAkB,KAAK,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,MAAM,KAAK,KAAA;CAClD,MAAM,YAAY,EAAE,IAAI,MAAM,YAAY;CAC1C,IAAI,CAAC,WACH,OAAO,EAAE,KAAK,sBAAsB,GAAG;CAEzC,MAAM,YAAqD;EACzD,YAAY,EAAE,IAAI;EAClB;EACA;EACA;EACA;EACA;CACF;CAEA,MAAM,OAAyC;EAC7C,cAAc,iCAAiC,SAAS;EACxD,UAAU,kCAAkC,SAAS;EACrD,OAAO,mBAAmB;CAC5B;CAEA,OAAO,EAAE,KAAK,KAAK,UAAU,MAAM,MAAM,CAAC,GAAG,KAAK,EAChD,gBAAgB,kCAClB,CAAC;AACH;AAEA,eAAsB,kBACpB,GACA,SACmB;CACnB,MAAM,EAAE,SAAS,sBAAsB;CACvC,IAAI,CAAC,kBAAkB,eACrB,OAAO,EAAE,KAAK,aAAa,GAAG;CAEhC,IAAI,CAAC,SACH,OAAO,EAAE,KAAK,oBAAoB,GAAG;CAGvC,MAAM,MAAM,MAAM,iBAAiB,EACjC,cAAc,QAAQ,gBACxB,CAAC;CAWD,MAAM,OAAe,EAAE,MAAM,CAAC;EAR5B,GAAG,QAAQ;EACX;EACA,KAAK;EACL,KAAK;EACL,SAAS,CAAC,QAAQ;EAClB,KAAK;CAGyB,CAAC,EAAE;CACnC,OAAO,EAAE,KAAK,IAAI;AACpB"}

package/dist/server/hono/hubspot-connect-routes/fetch-hubspot-client-metadata.js.map

@@ -1 +1 @@
-{"version":3,"file":"fetch-hubspot-client-metadata.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/fetch-hubspot-client-metadata.ts"],"sourcesContent":["import type { HubSpotConnectCimdClientMetadata } from './cimd-client-metadata-types.ts';\n\nexport interface DeriveHubSpotAuthorizeScopesFromClientMetadataSuccess {\n  ok: true;\n  scope: string;\n  optionalScope?: string;\n}\n\nexport interface DeriveHubSpotAuthorizeScopesFromClientMetadataFailure {\n  ok: false;\n  status: number;\n  message: string;\n}\n\nexport type DeriveHubSpotAuthorizeScopesFromClientMetadataResult =\n  | DeriveHubSpotAuthorizeScopesFromClientMetadataSuccess\n  | DeriveHubSpotAuthorizeScopesFromClientMetadataFailure;\n\n/**\n * Builds `scope` and `optional_scope` query values for HubSpot\n * `/oauth/authorize` from in-memory client metadata (same shape as\n * `HubSpotConnectCimdClientMetadata` / `startHubSpotConnectFunction({ client })`).\n */\nexport function deriveHubSpotAuthorizeScopesFromClientMetadata(\n  metadata: HubSpotConnectCimdClientMetadata\n): DeriveHubSpotAuthorizeScopesFromClientMetadataResult {\n  const required = metadata.scope?.required;\n  const requiredOk =\n    Array.isArray(required) &&\n    required.length > 0 &&\n    required.every((s) => typeof s === 'string' && s.length > 0);\n\n  if (!requiredOk) {\n    return {\n      ok: false,\n      status: 500,\n      message: 'Invalid or empty scope.required in client metadata',\n    };\n  }\n\n  const scope = required.join(' ');\n\n  const optionalRaw = metadata.scope.optional;\n  if (optionalRaw == null) {\n    return { ok: true, scope };\n  }\n\n  if (!Array.isArray(optionalRaw)) {\n    return {\n      ok: false,\n      status: 500,\n      message: 'Invalid scope.optional in client metadata',\n    };\n  }\n\n  if (optionalRaw.length === 0) {\n    return { ok: true, scope };\n  }\n\n  if (!optionalRaw.every((s) => typeof s === 'string' && s.length > 0)) {\n    return {\n      ok: false,\n      status: 500,\n      message: 'Invalid scope.optional in client metadata',\n    };\n  }\n\n  return {\n    ok: true,\n    scope,\n    optionalScope: optionalRaw.join(' '),\n  };\n}\n"],"mappings":";;;;;;AAuBA,SAAgB,+CACd,UACsD;CACtD,MAAM,WAAW,SAAS,OAAO;CAMjC,IAAI,EAJF,MAAM,QAAQ,SAAS,IACvB,SAAS,SAAS,KAClB,SAAS,OAAO,MAAM,OAAO,MAAM,YAAY,EAAE,SAAS,EAAE,GAG5D,OAAO;EACL,IAAI;EACJ,QAAQ;EACR,SAAS;EACV;CAGH,MAAM,QAAQ,SAAS,KAAK,IAAI;CAEhC,MAAM,cAAc,SAAS,MAAM;CACnC,IAAI,eAAe,MACjB,OAAO;EAAE,IAAI;EAAM;EAAO;CAG5B,IAAI,CAAC,MAAM,QAAQ,YAAY,EAC7B,OAAO;EACL,IAAI;EACJ,QAAQ;EACR,SAAS;EACV;CAGH,IAAI,YAAY,WAAW,GACzB,OAAO;EAAE,IAAI;EAAM;EAAO;CAG5B,IAAI,CAAC,YAAY,OAAO,MAAM,OAAO,MAAM,YAAY,EAAE,SAAS,EAAE,EAClE,OAAO;EACL,IAAI;EACJ,QAAQ;EACR,SAAS;EACV;CAGH,OAAO;EACL,IAAI;EACJ;EACA,eAAe,YAAY,KAAK,IAAI;EACrC"}
+{"version":3,"file":"fetch-hubspot-client-metadata.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/fetch-hubspot-client-metadata.ts"],"sourcesContent":["import type { HubSpotConnectCimdClientMetadata } from './cimd-client-metadata-types.ts';\n\nexport interface DeriveHubSpotAuthorizeScopesFromClientMetadataSuccess {\n  ok: true;\n  scope: string;\n  optionalScope?: string;\n}\n\nexport interface DeriveHubSpotAuthorizeScopesFromClientMetadataFailure {\n  ok: false;\n  status: number;\n  message: string;\n}\n\nexport type DeriveHubSpotAuthorizeScopesFromClientMetadataResult =\n  | DeriveHubSpotAuthorizeScopesFromClientMetadataSuccess\n  | DeriveHubSpotAuthorizeScopesFromClientMetadataFailure;\n\n/**\n * Builds `scope` and `optional_scope` query values for HubSpot\n * `/oauth/authorize` from in-memory client metadata (same shape as\n * `HubSpotConnectCimdClientMetadata` / `startHubSpotConnectFunction({ client })`).\n */\nexport function deriveHubSpotAuthorizeScopesFromClientMetadata(\n  metadata: HubSpotConnectCimdClientMetadata\n): DeriveHubSpotAuthorizeScopesFromClientMetadataResult {\n  const required = metadata.scope?.required;\n  const requiredOk =\n    Array.isArray(required) &&\n    required.length > 0 &&\n    required.every((s) => typeof s === 'string' && s.length > 0);\n\n  if (!requiredOk) {\n    return {\n      ok: false,\n      status: 500,\n      message: 'Invalid or empty scope.required in client metadata',\n    };\n  }\n\n  const scope = required.join(' ');\n\n  const optionalRaw = metadata.scope.optional;\n  if (optionalRaw == null) {\n    return { ok: true, scope };\n  }\n\n  if (!Array.isArray(optionalRaw)) {\n    return {\n      ok: false,\n      status: 500,\n      message: 'Invalid scope.optional in client metadata',\n    };\n  }\n\n  if (optionalRaw.length === 0) {\n    return { ok: true, scope };\n  }\n\n  if (!optionalRaw.every((s) => typeof s === 'string' && s.length > 0)) {\n    return {\n      ok: false,\n      status: 500,\n      message: 'Invalid scope.optional in client metadata',\n    };\n  }\n\n  return {\n    ok: true,\n    scope,\n    optionalScope: optionalRaw.join(' '),\n  };\n}\n"],"mappings":";;;;;;AAuBA,SAAgB,+CACd,UACsD;CACtD,MAAM,WAAW,SAAS,OAAO;CAMjC,IAAI,EAJF,MAAM,QAAQ,QAAQ,KACtB,SAAS,SAAS,KAClB,SAAS,OAAO,MAAM,OAAO,MAAM,YAAY,EAAE,SAAS,CAAC,IAG3D,OAAO;EACL,IAAI;EACJ,QAAQ;EACR,SAAS;CACX;CAGF,MAAM,QAAQ,SAAS,KAAK,GAAG;CAE/B,MAAM,cAAc,SAAS,MAAM;CACnC,IAAI,eAAe,MACjB,OAAO;EAAE,IAAI;EAAM;CAAM;CAG3B,IAAI,CAAC,MAAM,QAAQ,WAAW,GAC5B,OAAO;EACL,IAAI;EACJ,QAAQ;EACR,SAAS;CACX;CAGF,IAAI,YAAY,WAAW,GACzB,OAAO;EAAE,IAAI;EAAM;CAAM;CAG3B,IAAI,CAAC,YAAY,OAAO,MAAM,OAAO,MAAM,YAAY,EAAE,SAAS,CAAC,GACjE,OAAO;EACL,IAAI;EACJ,QAAQ;EACR,SAAS;CACX;CAGF,OAAO;EACL,IAAI;EACJ;EACA,eAAe,YAAY,KAAK,GAAG;CACrC;AACF"}

package/dist/server/hono/hubspot-connect-routes/hubspot-connect-routes.js

@@ -1,6 +1,7 @@
 import { assertHubSpotConnectCimdClientMetadata } from "./cimd-client-metadata-types.js";
 import { noopLogger } from "../../shared/logger.js";
-import { handleAuthCallback } from "./auth-callback.js";
+import { corsMiddleware } from "../utils/cors-middleware.js";
+import { handleAuthComplete } from "./auth-complete.js";
 import { handleAuthInitSession } from "./auth-init-session.js";
 import { handleAuthLogout } from "./auth-logout.js";
 import { handleAuthRefresh } from "./auth-refresh.js";
@@ -22,10 +23,11 @@ function registerHubSpotConnectRoutes(options) {
 		hubspotConnectEnv,
 		cimdClientMetadata
 	};
+	app.use("*", corsMiddleware());
 	app.get("/client.json", (c) => handleCimdClientJson(c, oauthRouteOptions));
 	if (hubspotConnectEnv.isCimdEnabled) app.get("/jwks.json", (c) => handleCimdAppJwks(c, oauthRouteOptions));
 	app.get("/auth/init-session", (c) => handleAuthInitSession(c, oauthRouteOptions));
-	app.get("/auth/callback", (c) => handleAuthCallback(c, oauthRouteOptions));
+	app.post("/auth/complete", (c) => handleAuthComplete(c, oauthRouteOptions));
 	app.post("/auth/refresh", (c) => handleAuthRefresh(c, oauthRouteOptions));
 	app.post("/auth/logout", (c) => handleAuthLogout(c, oauthRouteOptions));
 }

package/dist/server/hono/hubspot-connect-routes/hubspot-connect-routes.js.map

@@ -1 +1 @@
-{"version":3,"file":"hubspot-connect-routes.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/hubspot-connect-routes.ts"],"sourcesContent":["import type { Hono } from 'hono';\n\nimport { noopLogger, type Logger } from '../../../shared/logger.ts';\nimport type { AppKeys } from '../../types.ts';\nimport { handleAuthCallback } from './auth-callback.ts';\nimport { handleAuthInitSession } from './auth-init-session.ts';\nimport { handleAuthLogout } from './auth-logout.ts';\nimport { handleAuthRefresh } from './auth-refresh.ts';\nimport { assertHubSpotConnectCimdClientMetadata } from './cimd-client-metadata-types.ts';\nimport type { HubSpotConnectCimdClientMetadata } from './cimd-client-metadata-types.ts';\nimport {\n  handleCimdAppJwks,\n  handleCimdClientJson,\n} from './cimd-public-routes.ts';\nimport type { HubSpotConnectRoutesEnv } from './load-hubspot-connect-routes-env.ts';\n\n/**\n * Options accepted by {@link registerHubSpotConnectRoutes}.\n */\nexport interface RegisterHubSpotConnectRoutesOptions {\n  /** The Hono app to mount the OAuth routes on. */\n  app: Hono;\n  /**\n   * Imported app keys from `secureStart`, or `null` when CIMD and DPoP\n   * are both disabled.\n   */\n  appKeys: AppKeys | null;\n  /**\n   * Path the routes are mounted under (no trailing slash). Used to\n   * scope refresh-token cookies via `Path=${basePath}/auth`.\n   */\n  basePath: string;\n  /**\n   * OAuth and client-mode settings, typically from\n   * {@link loadHubSpotConnectRoutesEnv}.\n   */\n  hubspotConnectEnv: HubSpotConnectRoutesEnv;\n  /**\n   * Scope configuration for `GET /client.json` and for authorize URL\n   * scopes when CIMD is off. Always required.\n   */\n  cimdClientMetadata: HubSpotConnectCimdClientMetadata;\n  /**\n   * Optional logger. When omitted the SDK uses a no-op logger so\n   * server-side state never leaks into the host application's\n   * console.\n   */\n  logger?: Logger;\n}\n\n/**\n * Mounts hubspot-connect routes: OAuth (`/auth/...`); `GET /client.json`\n * from `cimdClientMetadata`; `GET /jwks.json` when CIMD is enabled.\n */\nexport function registerHubSpotConnectRoutes(\n  options: RegisterHubSpotConnectRoutesOptions\n): void {\n  const {\n    app,\n    appKeys,\n    basePath,\n    hubspotConnectEnv,\n    cimdClientMetadata,\n    logger = noopLogger,\n  } = options;\n\n  if (!cimdClientMetadata) {\n    throw new Error(\n      'registerHubSpotConnectRoutes: cimdClientMetadata is required'\n    );\n  }\n  assertHubSpotConnectCimdClientMetadata(cimdClientMetadata);\n\n  const refreshCookiePath = `${basePath}/auth`;\n  const oauthRouteOptions = {\n    appKeys,\n    refreshCookiePath,\n    logger,\n    basePath,\n    hubspotConnectEnv,\n    cimdClientMetadata,\n  };\n\n  app.get('/client.json', (c) => handleCimdClientJson(c, oauthRouteOptions));\n  if (hubspotConnectEnv.isCimdEnabled) {\n    app.get('/jwks.json', (c) => handleCimdAppJwks(c, oauthRouteOptions));\n  }\n\n  app.get('/auth/init-session', (c) =>\n    handleAuthInitSession(c, oauthRouteOptions)\n  );\n  app.get('/auth/callback', (c) => handleAuthCallback(c, oauthRouteOptions));\n  app.post('/auth/refresh', (c) => handleAuthRefresh(c, oauthRouteOptions));\n  app.post('/auth/logout', (c) => handleAuthLogout(c, oauthRouteOptions));\n}\n"],"mappings":";;;;;;;;;;;;AAsDA,SAAgB,6BACd,SACM;CACN,MAAM,EACJ,KACA,SACA,UACA,mBACA,oBACA,SAAS,eACP;CAEJ,IAAI,CAAC,oBACH,MAAM,IAAI,MACR,+DACD;CAEH,uCAAuC,mBAAmB;CAG1D,MAAM,oBAAoB;EACxB;EACA,mBAAA,GAH2B,SAAS;EAIpC;EACA;EACA;EACA;EACD;CAED,IAAI,IAAI,iBAAiB,MAAM,qBAAqB,GAAG,kBAAkB,CAAC;CAC1E,IAAI,kBAAkB,eACpB,IAAI,IAAI,eAAe,MAAM,kBAAkB,GAAG,kBAAkB,CAAC;CAGvE,IAAI,IAAI,uBAAuB,MAC7B,sBAAsB,GAAG,kBAAkB,CAC5C;CACD,IAAI,IAAI,mBAAmB,MAAM,mBAAmB,GAAG,kBAAkB,CAAC;CAC1E,IAAI,KAAK,kBAAkB,MAAM,kBAAkB,GAAG,kBAAkB,CAAC;CACzE,IAAI,KAAK,iBAAiB,MAAM,iBAAiB,GAAG,kBAAkB,CAAC"}
+{"version":3,"file":"hubspot-connect-routes.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/hubspot-connect-routes.ts"],"sourcesContent":["import type { Hono } from 'hono';\n\nimport { noopLogger, type Logger } from '../../../shared/logger.ts';\nimport type { AppKeys } from '../../types.ts';\nimport { corsMiddleware } from '../utils/cors-middleware.ts';\nimport { handleAuthComplete } from './auth-complete.ts';\nimport { handleAuthInitSession } from './auth-init-session.ts';\nimport { handleAuthLogout } from './auth-logout.ts';\nimport { handleAuthRefresh } from './auth-refresh.ts';\nimport { assertHubSpotConnectCimdClientMetadata } from './cimd-client-metadata-types.ts';\nimport type { HubSpotConnectCimdClientMetadata } from './cimd-client-metadata-types.ts';\nimport {\n  handleCimdAppJwks,\n  handleCimdClientJson,\n} from './cimd-public-routes.ts';\nimport type { HubSpotConnectRoutesEnv } from './load-hubspot-connect-routes-env.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\n\n/**\n * Options accepted by {@link registerHubSpotConnectRoutes}.\n */\nexport interface RegisterHubSpotConnectRoutesOptions {\n  /** The Hono app to mount the OAuth routes on. */\n  app: Hono;\n  /**\n   * Imported app keys from `secureStart`, or `null` when CIMD and DPoP\n   * are both disabled.\n   */\n  appKeys: AppKeys | null;\n  /**\n   * Path the routes are mounted under (no trailing slash). Used to\n   * scope refresh-token cookies via `Path=${basePath}/auth`.\n   */\n  basePath: string;\n  /**\n   * OAuth and client-mode settings, typically from\n   * {@link loadHubSpotConnectRoutesEnv}.\n   */\n  hubspotConnectEnv: HubSpotConnectRoutesEnv;\n  /**\n   * Scope configuration for `GET /client.json` and for authorize URL\n   * scopes when CIMD is off. Always required.\n   */\n  cimdClientMetadata: HubSpotConnectCimdClientMetadata;\n  /**\n   * Optional logger. When omitted the SDK uses a no-op logger so\n   * server-side state never leaks into the host application's\n   * console.\n   */\n  logger?: Logger;\n}\n\n/**\n * Mounts hubspot-connect routes: OAuth (`/auth/...`); `GET /client.json`\n * from `cimdClientMetadata`; `GET /jwks.json` when CIMD is enabled.\n */\nexport function registerHubSpotConnectRoutes(\n  options: RegisterHubSpotConnectRoutesOptions\n): void {\n  const {\n    app,\n    appKeys,\n    basePath,\n    hubspotConnectEnv,\n    cimdClientMetadata,\n    logger = noopLogger,\n  } = options;\n\n  if (!cimdClientMetadata) {\n    throw new Error(\n      'registerHubSpotConnectRoutes: cimdClientMetadata is required'\n    );\n  }\n  assertHubSpotConnectCimdClientMetadata(cimdClientMetadata);\n\n  const refreshCookiePath = `${basePath}/auth`;\n  const oauthRouteOptions: HubSpotConnectOAuthRouteOptions = {\n    appKeys,\n    refreshCookiePath,\n    logger,\n    basePath,\n    hubspotConnectEnv,\n    cimdClientMetadata,\n  };\n\n  // Credentialed CORS for the cross-origin Lovable / Supabase shape.\n  // Echoes the request `Origin` (or the pinned `__Host-hs_app_origin`\n  // cookie value once init-session has run) and short-circuits OPTIONS\n  // preflights with a 204 before any route handler runs.\n  app.use('*', corsMiddleware());\n\n  app.get('/client.json', (c) => handleCimdClientJson(c, oauthRouteOptions));\n  if (hubspotConnectEnv.isCimdEnabled) {\n    app.get('/jwks.json', (c) => handleCimdAppJwks(c, oauthRouteOptions));\n  }\n\n  app.get('/auth/init-session', (c) =>\n    handleAuthInitSession(c, oauthRouteOptions)\n  );\n  app.post('/auth/complete', (c) => handleAuthComplete(c, oauthRouteOptions));\n  app.post('/auth/refresh', (c) => handleAuthRefresh(c, oauthRouteOptions));\n  app.post('/auth/logout', (c) => handleAuthLogout(c, oauthRouteOptions));\n}\n"],"mappings":";;;;;;;;;;;;;AAwDA,SAAgB,6BACd,SACM;CACN,MAAM,EACJ,KACA,SACA,UACA,mBACA,oBACA,SAAS,eACP;CAEJ,IAAI,CAAC,oBACH,MAAM,IAAI,MACR,8DACF;CAEF,uCAAuC,kBAAkB;CAGzD,MAAM,oBAAqD;EACzD;EACA,mBAAA,GAH2B,SAAS;EAIpC;EACA;EACA;EACA;CACF;CAMA,IAAI,IAAI,KAAK,eAAe,CAAC;CAE7B,IAAI,IAAI,iBAAiB,MAAM,qBAAqB,GAAG,iBAAiB,CAAC;CACzE,IAAI,kBAAkB,eACpB,IAAI,IAAI,eAAe,MAAM,kBAAkB,GAAG,iBAAiB,CAAC;CAGtE,IAAI,IAAI,uBAAuB,MAC7B,sBAAsB,GAAG,iBAAiB,CAC5C;CACA,IAAI,KAAK,mBAAmB,MAAM,mBAAmB,GAAG,iBAAiB,CAAC;CAC1E,IAAI,KAAK,kBAAkB,MAAM,kBAAkB,GAAG,iBAAiB,CAAC;CACxE,IAAI,KAAK,iBAAiB,MAAM,iBAAiB,GAAG,iBAAiB,CAAC;AACxE"}

package/dist/server/hono/hubspot-connect-routes/load-hubspot-connect-routes-env.js

@@ -1,4 +1,4 @@
-import { isHubspotCimdEnabled, isHubspotDpopEnabled, requireEnv } from "../../utils/env-utils.js";
+import { getHubSpotAuthorizationEndpoint, getHubSpotOAuthApiOrigin, isHubspotCimdEnabled, isHubspotDpopEnabled, requireHubSpotClientId, requireHubSpotClientSecret } from "../../utils/env-utils.js";
 //#region src/server/hono/hubspot-connect-routes/load-hubspot-connect-routes-env.ts
 /**
 * Reads hubspot-connect environment variables from `process.env` or
@@ -6,8 +6,8 @@ import { isHubspotCimdEnabled, isHubspotDpopEnabled, requireEnv } from "../../ut
 * {@link registerHubSpotConnectRoutes}.
 */
 function loadHubSpotConnectRoutesEnv() {
-	const hubspotAuthorizationEndpoint = requireEnv("HUBSPOT_AUTHORIZATION_ENDPOINT");
-	const hubspotOAuthApiOrigin = new URL(requireEnv("HUBSPOT_OAUTH_API_ORIGIN")).origin;
+	const hubspotAuthorizationEndpoint = getHubSpotAuthorizationEndpoint();
+	const hubspotOAuthApiOrigin = getHubSpotOAuthApiOrigin();
 	const isCimdEnabled = isHubspotCimdEnabled();
 	const isDpopEnabled = isHubspotDpopEnabled();
 	const isAppPrivateKeyRequired = isCimdEnabled || isDpopEnabled;
@@ -24,8 +24,8 @@ function loadHubSpotConnectRoutesEnv() {
 		isCimdEnabled: false,
 		isDpopEnabled,
 		isAppPrivateKeyRequired,
-		hubspotClientId: requireEnv("HUBSPOT_CLIENT_ID"),
-		hubspotClientSecret: requireEnv("HUBSPOT_CLIENT_SECRET")
+		hubspotClientId: requireHubSpotClientId(),
+		hubspotClientSecret: requireHubSpotClientSecret()
 	};
 }
 //#endregion

package/dist/server/hono/hubspot-connect-routes/load-hubspot-connect-routes-env.js.map

@@ -1 +1 @@
-{"version":3,"file":"load-hubspot-connect-routes-env.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/load-hubspot-connect-routes-env.ts"],"sourcesContent":["import {\n  isHubspotCimdEnabled,\n  isHubspotDpopEnabled,\n  requireEnv,\n} from '../../utils/env-utils.ts';\n\n/**\n * HubSpot OAuth and client-mode settings read once for hubspot-connect\n * routes. Built by {@link loadHubSpotConnectRoutesEnv}.\n */\nexport type HubSpotConnectRoutesEnv =\n  | HubSpotConnectRoutesEnvCimd\n  | HubSpotConnectRoutesEnvClientSecret;\n\nexport interface HubSpotConnectRoutesEnvCimd {\n  hubspotAuthorizationEndpoint: string;\n  hubspotOAuthApiOrigin: string;\n  isCimdEnabled: true;\n  isDpopEnabled: boolean;\n  isAppPrivateKeyRequired: boolean;\n}\n\nexport interface HubSpotConnectRoutesEnvClientSecret {\n  hubspotAuthorizationEndpoint: string;\n  hubspotOAuthApiOrigin: string;\n  isCimdEnabled: false;\n  isDpopEnabled: boolean;\n  isAppPrivateKeyRequired: boolean;\n  hubspotClientId: string;\n  hubspotClientSecret: string;\n}\n\n/**\n * Reads hubspot-connect environment variables from `process.env` or\n * `Deno.env` and returns a typed object for\n * {@link registerHubSpotConnectRoutes}.\n */\nexport function loadHubSpotConnectRoutesEnv(): HubSpotConnectRoutesEnv {\n  const hubspotAuthorizationEndpoint = requireEnv(\n    'HUBSPOT_AUTHORIZATION_ENDPOINT'\n  );\n  const hubspotOAuthApiOrigin = new URL(requireEnv('HUBSPOT_OAUTH_API_ORIGIN'))\n    .origin;\n  const isCimdEnabled = isHubspotCimdEnabled();\n  const isDpopEnabled = isHubspotDpopEnabled();\n  const isAppPrivateKeyRequired = isCimdEnabled || isDpopEnabled;\n\n  if (isCimdEnabled) {\n    return {\n      hubspotAuthorizationEndpoint,\n      hubspotOAuthApiOrigin,\n      isCimdEnabled: true,\n      isDpopEnabled,\n      isAppPrivateKeyRequired,\n    };\n  }\n\n  return {\n    hubspotAuthorizationEndpoint,\n    hubspotOAuthApiOrigin,\n    isCimdEnabled: false,\n    isDpopEnabled,\n    isAppPrivateKeyRequired,\n    hubspotClientId: requireEnv('HUBSPOT_CLIENT_ID'),\n    hubspotClientSecret: requireEnv('HUBSPOT_CLIENT_SECRET'),\n  };\n}\n"],"mappings":";;;;;;;AAqCA,SAAgB,8BAAuD;CACrE,MAAM,+BAA+B,WACnC,iCACD;CACD,MAAM,wBAAwB,IAAI,IAAI,WAAW,2BAA2B,CAAC,CAC1E;CACH,MAAM,gBAAgB,sBAAsB;CAC5C,MAAM,gBAAgB,sBAAsB;CAC5C,MAAM,0BAA0B,iBAAiB;CAEjD,IAAI,eACF,OAAO;EACL;EACA;EACA,eAAe;EACf;EACA;EACD;CAGH,OAAO;EACL;EACA;EACA,eAAe;EACf;EACA;EACA,iBAAiB,WAAW,oBAAoB;EAChD,qBAAqB,WAAW,wBAAwB;EACzD"}
+{"version":3,"file":"load-hubspot-connect-routes-env.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/load-hubspot-connect-routes-env.ts"],"sourcesContent":["import {\n  getHubSpotAuthorizationEndpoint,\n  getHubSpotOAuthApiOrigin,\n  isHubspotCimdEnabled,\n  isHubspotDpopEnabled,\n  requireHubSpotClientId,\n  requireHubSpotClientSecret,\n} from '../../utils/env-utils.ts';\n\n/**\n * HubSpot OAuth and client-mode settings read once for hubspot-connect\n * routes. Built by {@link loadHubSpotConnectRoutesEnv}.\n */\nexport type HubSpotConnectRoutesEnv =\n  | HubSpotConnectRoutesEnvCimd\n  | HubSpotConnectRoutesEnvClientSecret;\n\nexport interface HubSpotConnectRoutesEnvCimd {\n  hubspotAuthorizationEndpoint: string;\n  hubspotOAuthApiOrigin: string;\n  isCimdEnabled: true;\n  isDpopEnabled: boolean;\n  isAppPrivateKeyRequired: boolean;\n}\n\nexport interface HubSpotConnectRoutesEnvClientSecret {\n  hubspotAuthorizationEndpoint: string;\n  hubspotOAuthApiOrigin: string;\n  isCimdEnabled: false;\n  isDpopEnabled: boolean;\n  isAppPrivateKeyRequired: boolean;\n  hubspotClientId: string;\n  hubspotClientSecret: string;\n}\n\n/**\n * Reads hubspot-connect environment variables from `process.env` or\n * `Deno.env` and returns a typed object for\n * {@link registerHubSpotConnectRoutes}.\n */\nexport function loadHubSpotConnectRoutesEnv(): HubSpotConnectRoutesEnv {\n  const hubspotAuthorizationEndpoint = getHubSpotAuthorizationEndpoint();\n  const hubspotOAuthApiOrigin = getHubSpotOAuthApiOrigin();\n  const isCimdEnabled = isHubspotCimdEnabled();\n  const isDpopEnabled = isHubspotDpopEnabled();\n  const isAppPrivateKeyRequired = isCimdEnabled || isDpopEnabled;\n\n  if (isCimdEnabled) {\n    return {\n      hubspotAuthorizationEndpoint,\n      hubspotOAuthApiOrigin,\n      isCimdEnabled: true,\n      isDpopEnabled,\n      isAppPrivateKeyRequired,\n    };\n  }\n\n  return {\n    hubspotAuthorizationEndpoint,\n    hubspotOAuthApiOrigin,\n    isCimdEnabled: false,\n    isDpopEnabled,\n    isAppPrivateKeyRequired,\n    hubspotClientId: requireHubSpotClientId(),\n    hubspotClientSecret: requireHubSpotClientSecret(),\n  };\n}\n"],"mappings":";;;;;;;AAwCA,SAAgB,8BAAuD;CACrE,MAAM,+BAA+B,gCAAgC;CACrE,MAAM,wBAAwB,yBAAyB;CACvD,MAAM,gBAAgB,qBAAqB;CAC3C,MAAM,gBAAgB,qBAAqB;CAC3C,MAAM,0BAA0B,iBAAiB;CAEjD,IAAI,eACF,OAAO;EACL;EACA;EACA,eAAe;EACf;EACA;CACF;CAGF,OAAO;EACL;EACA;EACA,eAAe;EACf;EACA;EACA,iBAAiB,uBAAuB;EACxC,qBAAqB,2BAA2B;CAClD;AACF"}

package/dist/server/hono/hubspot-connect-routes/oauth-client.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-client.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/oauth-client.ts"],"sourcesContent":["import type { AppKeys } from '../../types.ts';\nimport { signDpopProof } from '../../utils/dpop-utils.ts';\nimport { signJwt } from '../../utils/jwt-utils.ts';\n\n/**\n * Lifetime of the OAuth `client_assertion` JWT in seconds. Short by\n * design — RFC 7521 recommends short-lived assertions, and HubSpot's\n * authorization server rejects assertions older than ~5 minutes.\n */\nconst CLIENT_ASSERTION_TTL_SEC = 60;\n\n/**\n * The `client_assertion_type` value mandated by RFC 7523 §2.2 for\n * JWT-bearer client authentication.\n */\nconst JWT_BEARER_ASSERTION_TYPE =\n  'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';\n\n/**\n * Wire shape of a HubSpot OAuth token-endpoint success response.\n */\nexport interface OAuthTokenResponse {\n  /** New DPoP-bound access token (sender-constrained). */\n  access_token: string;\n  /** New refresh token, opaque to the client. */\n  refresh_token: string;\n  /** Lifetime of `access_token` in seconds. */\n  expires_in: number;\n}\n\nexport interface BuildClientAssertionOptions {\n  appKeys: AppKeys;\n  /** Client ID URL — used as both `iss` and `sub`. */\n  clientId: string;\n  /** Token-endpoint URL — used as `aud`. */\n  audience: string;\n}\n\n/**\n * Mints a short-lived ES256 JWT used as the `client_assertion`\n * parameter when calling HubSpot's token endpoint, per RFC 7523.\n */\nexport async function buildClientAssertion(\n  options: BuildClientAssertionOptions\n): Promise<string> {\n  const { appKeys, clientId, audience } = options;\n  return signJwt({\n    privateKey: appKeys.appPrivateKey,\n    payload: {\n      iss: clientId,\n      sub: clientId,\n      aud: audience,\n      jti: crypto.randomUUID(),\n    },\n    ttlSeconds: CLIENT_ASSERTION_TTL_SEC,\n  });\n}\n\nexport interface BuildTokenEndpointDpopProofOptions {\n  appKeys: AppKeys;\n  /** Token-endpoint URL — used as the DPoP `htu` claim. */\n  tokenEndpointUrl: string;\n  /** Hash of the app session ID — used as the DPoP `sid` claim. */\n  sessionIdHash: string;\n}\n\n/**\n * Signs a DPoP proof for a `POST` to HubSpot's token endpoint. RFC 9449\n * binds the resulting access token to the proving public key so that\n * later API calls must come from the same key holder.\n */\nexport async function buildTokenEndpointDpopProof(\n  options: BuildTokenEndpointDpopProofOptions\n): Promise<string> {\n  const { appKeys, tokenEndpointUrl, sessionIdHash } = options;\n  return signDpopProof({\n    appKeys,\n    claims: {\n      htm: 'POST',\n      htu: tokenEndpointUrl,\n      jti: crypto.randomUUID(),\n      iat: Math.floor(Date.now() / 1000),\n      sid: sessionIdHash,\n    },\n  });\n}\n\nexport interface RequestOAuthTokenOptions {\n  tokenEndpointUrl: string;\n  /** Body parameters; serialized to `application/x-www-form-urlencoded`. */\n  formParams: Record<string, string>;\n  /**\n   * When true, a `DPoP` header is required and `dpopProof` must be set.\n   */\n  isDpopEnabled: boolean;\n  /**\n   * DPoP proof for this request; required when `isDpopEnabled` is true.\n   */\n  dpopProof?: string;\n}\n\nexport interface RequestOAuthTokenSuccess {\n  ok: true;\n  body: OAuthTokenResponse;\n}\n\nexport interface RequestOAuthTokenFailure {\n  ok: false;\n  /** HTTP status returned by the upstream endpoint. */\n  status: number;\n  /** Error body as text — used to compose the SDK's error response. */\n  errorText: string;\n}\n\nexport type RequestOAuthTokenResult =\n  | RequestOAuthTokenSuccess\n  | RequestOAuthTokenFailure;\n\n/**\n * POSTs an `application/x-www-form-urlencoded` body to a HubSpot token\n * endpoint. Attaches a `DPoP` header when `isDpopEnabled` is true and\n * `dpopProof` is provided. Reads the response once — either\n * as JSON on success or as text on failure — so callers never have to\n * consume the body twice.\n */\nexport async function requestOAuthToken(\n  options: RequestOAuthTokenOptions\n): Promise<RequestOAuthTokenResult> {\n  const { tokenEndpointUrl, formParams, dpopProof, isDpopEnabled } = options;\n  const headers: Record<string, string> = {\n    'Content-Type': 'application/x-www-form-urlencoded',\n  };\n  if (isDpopEnabled) {\n    if (!dpopProof) {\n      throw new Error('DPoP proof is required when DPoP is enabled');\n    }\n    headers.DPoP = dpopProof;\n  }\n  const tokenResponse = await fetch(tokenEndpointUrl, {\n    method: 'POST',\n    headers,\n    body: new URLSearchParams(formParams),\n  });\n  if (!tokenResponse.ok) {\n    const errorText = await tokenResponse.text();\n    return { ok: false, status: tokenResponse.status, errorText };\n  }\n  const body = (await tokenResponse.json()) as OAuthTokenResponse;\n  return { ok: true, body };\n}\n\n/**\n * Form parameters always present on the OAuth `client_assertion` flow.\n * Spread into the call site's `formParams`.\n */\nexport function buildClientAssertionFormParams(input: {\n  clientId: string;\n  clientAssertion: string;\n}): Record<string, string> {\n  const { clientId, clientAssertion } = input;\n  return {\n    client_id: clientId,\n    client_assertion_type: JWT_BEARER_ASSERTION_TYPE,\n    client_assertion: clientAssertion,\n  };\n}\n\nexport interface BuildClientSecretFormParamsOptions {\n  clientId: string;\n  clientSecret: string;\n}\n\nexport function buildClientSecretFormParams(\n  options: BuildClientSecretFormParamsOptions\n): Record<string, string> {\n  const { clientId, clientSecret } = options;\n  return {\n    client_id: clientId,\n    client_secret: clientSecret,\n  };\n}\n"],"mappings":";;;;;;;;AASA,MAAM,2BAA2B;;;;;AAMjC,MAAM,4BACJ;;;;;AA0BF,eAAsB,qBACpB,SACiB;CACjB,MAAM,EAAE,SAAS,UAAU,aAAa;CACxC,OAAO,QAAQ;EACb,YAAY,QAAQ;EACpB,SAAS;GACP,KAAK;GACL,KAAK;GACL,KAAK;GACL,KAAK,OAAO,YAAY;GACzB;EACD,YAAY;EACb,CAAC;;;;;;;AAgBJ,eAAsB,4BACpB,SACiB;CACjB,MAAM,EAAE,SAAS,kBAAkB,kBAAkB;CACrD,OAAO,cAAc;EACnB;EACA,QAAQ;GACN,KAAK;GACL,KAAK;GACL,KAAK,OAAO,YAAY;GACxB,KAAK,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;GAClC,KAAK;GACN;EACF,CAAC;;;;;;;;;AAyCJ,eAAsB,kBACpB,SACkC;CAClC,MAAM,EAAE,kBAAkB,YAAY,WAAW,kBAAkB;CACnE,MAAM,UAAkC,EACtC,gBAAgB,qCACjB;CACD,IAAI,eAAe;EACjB,IAAI,CAAC,WACH,MAAM,IAAI,MAAM,8CAA8C;EAEhE,QAAQ,OAAO;;CAEjB,MAAM,gBAAgB,MAAM,MAAM,kBAAkB;EAClD,QAAQ;EACR;EACA,MAAM,IAAI,gBAAgB,WAAW;EACtC,CAAC;CACF,IAAI,CAAC,cAAc,IAAI;EACrB,MAAM,YAAY,MAAM,cAAc,MAAM;EAC5C,OAAO;GAAE,IAAI;GAAO,QAAQ,cAAc;GAAQ;GAAW;;CAG/D,OAAO;EAAE,IAAI;EAAM,MAAA,MADC,cAAc,MAAM;EACf;;;;;;AAO3B,SAAgB,+BAA+B,OAGpB;CACzB,MAAM,EAAE,UAAU,oBAAoB;CACtC,OAAO;EACL,WAAW;EACX,uBAAuB;EACvB,kBAAkB;EACnB;;AAQH,SAAgB,4BACd,SACwB;CACxB,MAAM,EAAE,UAAU,iBAAiB;CACnC,OAAO;EACL,WAAW;EACX,eAAe;EAChB"}
+{"version":3,"file":"oauth-client.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/oauth-client.ts"],"sourcesContent":["import type { AppKeys } from '../../types.ts';\nimport { signDpopProof } from '../../utils/dpop-utils.ts';\nimport { signJwt } from '../../utils/jwt-utils.ts';\n\n/**\n * Lifetime of the OAuth `client_assertion` JWT in seconds. Short by\n * design — RFC 7521 recommends short-lived assertions, and HubSpot's\n * authorization server rejects assertions older than ~5 minutes.\n */\nconst CLIENT_ASSERTION_TTL_SEC = 60;\n\n/**\n * The `client_assertion_type` value mandated by RFC 7523 §2.2 for\n * JWT-bearer client authentication.\n */\nconst JWT_BEARER_ASSERTION_TYPE =\n  'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';\n\n/**\n * Wire shape of a HubSpot OAuth token-endpoint success response.\n */\nexport interface OAuthTokenResponse {\n  /** New DPoP-bound access token (sender-constrained). */\n  access_token: string;\n  /** New refresh token, opaque to the client. */\n  refresh_token: string;\n  /** Lifetime of `access_token` in seconds. */\n  expires_in: number;\n}\n\nexport interface BuildClientAssertionOptions {\n  appKeys: AppKeys;\n  /** Client ID URL — used as both `iss` and `sub`. */\n  clientId: string;\n  /** Token-endpoint URL — used as `aud`. */\n  audience: string;\n}\n\n/**\n * Mints a short-lived ES256 JWT used as the `client_assertion`\n * parameter when calling HubSpot's token endpoint, per RFC 7523.\n */\nexport async function buildClientAssertion(\n  options: BuildClientAssertionOptions\n): Promise<string> {\n  const { appKeys, clientId, audience } = options;\n  return signJwt({\n    privateKey: appKeys.appPrivateKey,\n    payload: {\n      iss: clientId,\n      sub: clientId,\n      aud: audience,\n      jti: crypto.randomUUID(),\n    },\n    ttlSeconds: CLIENT_ASSERTION_TTL_SEC,\n  });\n}\n\nexport interface BuildTokenEndpointDpopProofOptions {\n  appKeys: AppKeys;\n  /** Token-endpoint URL — used as the DPoP `htu` claim. */\n  tokenEndpointUrl: string;\n  /** Hash of the app session ID — used as the DPoP `sid` claim. */\n  sessionIdHash: string;\n}\n\n/**\n * Signs a DPoP proof for a `POST` to HubSpot's token endpoint. RFC 9449\n * binds the resulting access token to the proving public key so that\n * later API calls must come from the same key holder.\n */\nexport async function buildTokenEndpointDpopProof(\n  options: BuildTokenEndpointDpopProofOptions\n): Promise<string> {\n  const { appKeys, tokenEndpointUrl, sessionIdHash } = options;\n  return signDpopProof({\n    appKeys,\n    claims: {\n      htm: 'POST',\n      htu: tokenEndpointUrl,\n      jti: crypto.randomUUID(),\n      iat: Math.floor(Date.now() / 1000),\n      sid: sessionIdHash,\n    },\n  });\n}\n\nexport interface RequestOAuthTokenOptions {\n  tokenEndpointUrl: string;\n  /** Body parameters; serialized to `application/x-www-form-urlencoded`. */\n  formParams: Record<string, string>;\n  /**\n   * When true, a `DPoP` header is required and `dpopProof` must be set.\n   */\n  isDpopEnabled: boolean;\n  /**\n   * DPoP proof for this request; required when `isDpopEnabled` is true.\n   */\n  dpopProof?: string;\n}\n\nexport interface RequestOAuthTokenSuccess {\n  ok: true;\n  body: OAuthTokenResponse;\n}\n\nexport interface RequestOAuthTokenFailure {\n  ok: false;\n  /** HTTP status returned by the upstream endpoint. */\n  status: number;\n  /** Error body as text — used to compose the SDK's error response. */\n  errorText: string;\n}\n\nexport type RequestOAuthTokenResult =\n  | RequestOAuthTokenSuccess\n  | RequestOAuthTokenFailure;\n\n/**\n * POSTs an `application/x-www-form-urlencoded` body to a HubSpot token\n * endpoint. Attaches a `DPoP` header when `isDpopEnabled` is true and\n * `dpopProof` is provided. Reads the response once — either\n * as JSON on success or as text on failure — so callers never have to\n * consume the body twice.\n */\nexport async function requestOAuthToken(\n  options: RequestOAuthTokenOptions\n): Promise<RequestOAuthTokenResult> {\n  const { tokenEndpointUrl, formParams, dpopProof, isDpopEnabled } = options;\n  const headers: Record<string, string> = {\n    'Content-Type': 'application/x-www-form-urlencoded',\n  };\n  if (isDpopEnabled) {\n    if (!dpopProof) {\n      throw new Error('DPoP proof is required when DPoP is enabled');\n    }\n    headers.DPoP = dpopProof;\n  }\n  const tokenResponse = await fetch(tokenEndpointUrl, {\n    method: 'POST',\n    headers,\n    body: new URLSearchParams(formParams),\n  });\n  if (!tokenResponse.ok) {\n    const errorText = await tokenResponse.text();\n    return { ok: false, status: tokenResponse.status, errorText };\n  }\n  const body = (await tokenResponse.json()) as OAuthTokenResponse;\n  return { ok: true, body };\n}\n\n/**\n * Form parameters always present on the OAuth `client_assertion` flow.\n * Spread into the call site's `formParams`.\n */\nexport function buildClientAssertionFormParams(input: {\n  clientId: string;\n  clientAssertion: string;\n}): Record<string, string> {\n  const { clientId, clientAssertion } = input;\n  return {\n    client_id: clientId,\n    client_assertion_type: JWT_BEARER_ASSERTION_TYPE,\n    client_assertion: clientAssertion,\n  };\n}\n\nexport interface BuildClientSecretFormParamsOptions {\n  clientId: string;\n  clientSecret: string;\n}\n\nexport function buildClientSecretFormParams(\n  options: BuildClientSecretFormParamsOptions\n): Record<string, string> {\n  const { clientId, clientSecret } = options;\n  return {\n    client_id: clientId,\n    client_secret: clientSecret,\n  };\n}\n"],"mappings":";;;;;;;;AASA,MAAM,2BAA2B;;;;;AAMjC,MAAM,4BACJ;;;;;AA0BF,eAAsB,qBACpB,SACiB;CACjB,MAAM,EAAE,SAAS,UAAU,aAAa;CACxC,OAAO,QAAQ;EACb,YAAY,QAAQ;EACpB,SAAS;GACP,KAAK;GACL,KAAK;GACL,KAAK;GACL,KAAK,OAAO,WAAW;EACzB;EACA,YAAY;CACd,CAAC;AACH;;;;;;AAeA,eAAsB,4BACpB,SACiB;CACjB,MAAM,EAAE,SAAS,kBAAkB,kBAAkB;CACrD,OAAO,cAAc;EACnB;EACA,QAAQ;GACN,KAAK;GACL,KAAK;GACL,KAAK,OAAO,WAAW;GACvB,KAAK,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;GACjC,KAAK;EACP;CACF,CAAC;AACH;;;;;;;;AAwCA,eAAsB,kBACpB,SACkC;CAClC,MAAM,EAAE,kBAAkB,YAAY,WAAW,kBAAkB;CACnE,MAAM,UAAkC,EACtC,gBAAgB,oCAClB;CACA,IAAI,eAAe;EACjB,IAAI,CAAC,WACH,MAAM,IAAI,MAAM,6CAA6C;EAE/D,QAAQ,OAAO;CACjB;CACA,MAAM,gBAAgB,MAAM,MAAM,kBAAkB;EAClD,QAAQ;EACR;EACA,MAAM,IAAI,gBAAgB,UAAU;CACtC,CAAC;CACD,IAAI,CAAC,cAAc,IAAI;EACrB,MAAM,YAAY,MAAM,cAAc,KAAK;EAC3C,OAAO;GAAE,IAAI;GAAO,QAAQ,cAAc;GAAQ;EAAU;CAC9D;CAEA,OAAO;EAAE,IAAI;EAAM,MAAA,MADC,cAAc,KAAK;CACf;AAC1B;;;;;AAMA,SAAgB,+BAA+B,OAGpB;CACzB,MAAM,EAAE,UAAU,oBAAoB;CACtC,OAAO;EACL,WAAW;EACX,uBAAuB;EACvB,kBAAkB;CACpB;AACF;AAOA,SAAgB,4BACd,SACwB;CACxB,MAAM,EAAE,UAAU,iBAAiB;CACnC,OAAO;EACL,WAAW;EACX,eAAe;CACjB;AACF"}