npm - @hubspot/app-connect-sdk - Versions diffs - 1.0.0-alpha.20 → 1.0.0-alpha.21 - Mend

@hubspot/app-connect-sdk 1.0.0-alpha.20 → 1.0.0-alpha.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

package/dist/browser/{types-DkAmHcZt.d.ts → types-C3wed8dU.d.ts} RENAMED Viewed

@@ -1,3 +1,26 @@
+//#region src/shared/wire-types.d.ts
+interface AuthCompleteWhoamiUser {
+  id?: string | undefined;
+  email?: string | undefined;
+  firstName?: string | undefined;
+  lastName?: string | undefined;
+}
+interface AuthCompleteWhoamiHub {
+  id?: number | undefined;
+  domain?: string | undefined;
+  uiDomain?: string | undefined;
+}
+/**
+ * Identity information for the authenticated user and their HubSpot
+ * account. Both fields are optional because the access token may not
+ * carry the scopes needed to fetch each piece (`public-users-read` for
+ * `user`, `external-settings-access` for `hub`).
+ */
+interface AuthCompleteWhoami {
+  user: AuthCompleteWhoamiUser;
+  hub: AuthCompleteWhoamiHub;
+}
+//#endregion
 //#region src/browser/types.d.ts
 /**
  * How the browser navigates to HubSpot's OAuth authorize endpoint when
@@ -48,6 +71,13 @@ interface AppConnectState {
   status: AppConnectStatus;
   /** Last error message that occurred, or `null` if no error. */
   error: string | null;
+  /**
+   * Identity of the connected HubSpot user and their account. Populated
+   * after a successful OAuth flow on a best-effort basis (fields may be
+   * absent if the access token lacked the required scopes). `null` before
+   * connect or after disconnect.
+   */
+  whoami: AuthCompleteWhoami | null;
   /**
    * Begins the OAuth connect flow. On success the browser either
    * redirects to HubSpot's authorize endpoint or opens it in a popup
@@ -91,4 +121,4 @@ interface AppConnectController {
 }
 //#endregion
 export { OAuthConnectMode as a, AppConnectStatus as i, AppConnectController as n, AppConnectState as r, AppConnectBrowserConfig as t };
-//# sourceMappingURL=types-DkAmHcZt.d.ts.map
+//# sourceMappingURL=types-C3wed8dU.d.ts.map

package/dist/server/hono/hubspot-connect-routes/auth-complete.js CHANGED Viewed

@@ -6,6 +6,7 @@ import { serializeCookie, setResponseCookie } from "../utils/cookie-utils.js";
 import { REFRESH_COOKIE_MAX_AGE_SEC } from "./constants.js";
 import { buildClientAssertion, buildClientAssertionFormParams, buildClientSecretFormParams, buildTokenEndpointDpopProof, requestOAuthToken } from "./oauth-client.js";
 import { buildCimdClientIdUrlFromRequest, buildFrontendOAuthRedirectUri, clearTempCookie, isPositiveFiniteNumber, isSafeReturnPath, parseAppOriginHeader } from "./utils.js";
+import { fetchWhoami } from "./whoami.js";
 //#region src/server/hono/hubspot-connect-routes/auth-complete.ts
 /**
 * Cross-origin OAuth completion endpoint.
@@ -144,9 +145,11 @@ async function handleAuthComplete(c, options) {
 		c,
 		value: clearTempCookie(TEMP_COOKIE_OAUTH_STATE)
 	});
+	const whoami = await fetchWhoami(accessToken, hubspotConnectEnv);
 	return c.json({
 		expires_at: expiresAt,
-		return_path: returnPath
+		return_path: returnPath,
+		whoami
 	});
 }
 //#endregion

package/dist/server/hono/hubspot-connect-routes/auth-complete.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth-complete.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/auth-complete.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport {\n AUTH_COMPLETE_CODE_PARAM,\n AUTH_COMPLETE_STATE_PARAM,\n} from '../../../shared/constants.ts';\nimport {\n HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n HUBSPOT_APP_ORIGIN_COOKIE_NAME,\n HUBSPOT_REFRESH_COOKIE_PREFIX,\n TEMP_COOKIE_OAUTH_STATE,\n TEMP_COOKIE_PKCE_VERIFIER,\n} from '../../constants.ts';\nimport { base64urlDecode } from '../../utils/base64-utils.ts';\nimport { parseCookies } from '../../utils/cookie-utils.ts';\nimport { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';\nimport { REFRESH_COOKIE_MAX_AGE_SEC } from './constants.ts';\nimport {\n buildClientAssertion,\n buildClientAssertionFormParams,\n buildClientSecretFormParams,\n buildTokenEndpointDpopProof,\n requestOAuthToken,\n} from './oauth-client.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport {\n buildCimdClientIdUrlFromRequest,\n buildFrontendOAuthRedirectUri,\n clearTempCookie,\n isPositiveFiniteNumber,\n isSafeReturnPath,\n parseAppOriginHeader,\n} from './utils.ts';\n\ninterface OAuthStatePayload {\n return_path?: string;\n sid?: string;\n}\n\n/*\n Cross-origin OAuth completion endpoint.\n \n Called from the React app on the frontend OAuth callback path\n * (`HUBSPOT_FRONTEND_CALLBACK_PATH`) once HubSpot has redirected the\n * browser back with `?code` + `?state`. The browser POSTs both\n * values here as a credentialed cross-site fetch — same partition as\n * `init-session`, so the temp PKCE/state cookies are visible — and\n * the SDK:\n \n 1. Validates `state` against the temp `__hs_oauth_state` cookie.\n * 2. Pulls the PKCE verifier from `__hs_pkce_verifier`.\n * 3. Rebuilds the same `redirect_uri` it sent to HubSpot during\n * `init-session` (frontend origin + the fixed callback path);\n * the OAuth token endpoint requires the two values to match.\n * 4. Exchanges `code` for an access + refresh token (with DPoP /\n * CIMD client-assertion when enabled).\n * 5. Sets the durable session cookies (access token, refresh) with\n * `SameSite=None; Secure; Partitioned` so they live in the\n * `(frontend, edge)` partition where subsequent API fetches will\n * read them.\n * 6. Clears the temp cookies.\n * 7. Returns `{ expires_at, return_path }` so the controller can\n * update its session-storage expiry tracking and navigate back to\n * the page the user started the connect flow from.\n /\nexport async function handleAuthComplete(\n c: Context,\n options: HubSpotConnectOAuthRouteOptions\n) {\n const { appKeys, refreshCookiePath, hubspotConnectEnv } = options;\n const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n const requestHostHeader = c.req.header('host') ?? undefined;\n const code = c.req.query(AUTH_COMPLETE_CODE_PARAM);\n const state = c.req.query(AUTH_COMPLETE_STATE_PARAM);\n\n if (!code \|\| !state) {\n return c.json({ error: 'Missing code or state' }, 400);\n }\n\n if (hubspotConnectEnv.isAppPrivateKeyRequired && !appKeys) {\n return c.json(\n {\n error:\n 'Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD or DPoP is enabled',\n },\n 500\n );\n }\n\n const cookies = parseCookies(c.req.header('Cookie'));\n const expectedState = cookies[TEMP_COOKIE_OAUTH_STATE];\n const codeVerifier = cookies[TEMP_COOKIE_PKCE_VERIFIER];\n const appOriginCookie = cookies[HUBSPOT_APP_ORIGIN_COOKIE_NAME];\n\n if (!expectedState \|\| state !== decodeURIComponent(expectedState)) {\n return c.json({ error: 'State mismatch' }, 403);\n }\n if (!codeVerifier) {\n return c.json({ error: 'Missing PKCE verifier' }, 400);\n }\n // The redirect_uri the OAuth token endpoint validates must equal\n // the one we sent during init-session. We rebuild it from the\n // pinned origin cookie so that value is anchored server-side, not\n // taken from the (caller-controlled) request `Origin` on this call.\n const appOrigin = parseAppOriginHeader(appOriginCookie);\n if (!appOrigin) {\n return c.json({ error: 'Missing app origin cookie' }, 400);\n }\n\n let statePayload: OAuthStatePayload;\n try {\n statePayload = JSON.parse(\n new TextDecoder().decode(base64urlDecode(decodeURIComponent(state)))\n ) as OAuthStatePayload;\n } catch {\n return c.json({ error: 'Malformed state value' }, 400);\n }\n const returnPath = statePayload.return_path;\n if (!returnPath \|\| !isSafeReturnPath(returnPath)) {\n return c.json({ error: 'Invalid return path in state' }, 400);\n }\n\n const sessionId = statePayload.sid;\n if (!sessionId) {\n return c.json({ error: 'Missing app session cookie' }, 400);\n }\n\n const decodedCodeVerifier = decodeURIComponent(codeVerifier);\n\n const clientId = hubspotConnectEnv.isCimdEnabled\n ? buildCimdClientIdUrlFromRequest({\n requestUrl: c.req.url,\n basePath: options.basePath,\n xForwardedProto,\n xForwardedHost,\n requestHostHeader,\n appOrigin,\n })\n : hubspotConnectEnv.hubspotClientId;\n\n const redirectUri = buildFrontendOAuthRedirectUri(appOrigin);\n\n const tokenEndpointUrl = new URL(\n '/oauth/v1/token',\n hubspotConnectEnv.hubspotOAuthApiOrigin\n ).href;\n\n let dpopProof: string \| undefined;\n if (hubspotConnectEnv.isDpopEnabled) {\n dpopProof = await buildTokenEndpointDpopProof({\n appKeys: appKeys!,\n tokenEndpointUrl,\n sessionIdHash: sessionId,\n });\n }\n\n let formParams: Record<string, string>;\n if (hubspotConnectEnv.isCimdEnabled) {\n const clientAssertion = await buildClientAssertion({\n appKeys: appKeys!,\n clientId,\n audience: tokenEndpointUrl,\n });\n formParams = {\n grant_type: 'authorization_code',\n code,\n code_verifier: decodedCodeVerifier,\n redirect_uri: redirectUri,\n ...buildClientAssertionFormParams({ clientId, clientAssertion }),\n };\n } else {\n formParams = {\n grant_type: 'authorization_code',\n code,\n code_verifier: decodedCodeVerifier,\n redirect_uri: redirectUri,\n ...buildClientSecretFormParams({\n clientId,\n clientSecret: hubspotConnectEnv.hubspotClientSecret,\n }),\n };\n }\n\n const tokenResult = await requestOAuthToken({\n tokenEndpointUrl,\n isDpopEnabled: hubspotConnectEnv.isDpopEnabled,\n ...(dpopProof !== undefined ? { dpopProof } : {}),\n formParams,\n });\n if (!tokenResult.ok) {\n return c.json(\n { error: `Token exchange failed: ${tokenResult.errorText}` },\n 502\n );\n }\n\n const {\n access_token: accessToken,\n refresh_token: refreshToken,\n expires_in,\n } = tokenResult.body;\n if (!refreshToken) {\n return c.json({ error: 'Token response missing refresh_token' }, 502);\n }\n if (!isPositiveFiniteNumber(expires_in)) {\n return c.json(\n { error: 'Token response missing or invalid expires_in' },\n 502\n );\n }\n\n const expiresAt = Date.now() + expires_in 1000;\n const refreshCookieName = `${HUBSPOT_REFRESH_COOKIE_PREFIX}${sessionId}`;\n\n setResponseCookie({\n c,\n value: serializeCookie({\n name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n value: accessToken,\n path: '/',\n sameSite: 'None',\n partitioned: true,\n maxAge: expires_in,\n }),\n });\n setResponseCookie({\n c,\n value: serializeCookie({\n name: refreshCookieName,\n value: refreshToken,\n path: refreshCookiePath,\n sameSite: 'None',\n partitioned: true,\n maxAge: REFRESH_COOKIE_MAX_AGE_SEC,\n }),\n });\n setResponseCookie({ c, value: clearTempCookie(TEMP_COOKIE_PKCE_VERIFIER) });\n setResponseCookie({ c, value: clearTempCookie(TEMP_COOKIE_OAUTH_STATE) });\n\n return c.json({ expires_at: expiresAt, return_path: returnPath });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiEA,eAAsB,mBACpB,GACA,SACA;CACA,MAAM,EAAE,SAAS,mBAAmB,sBAAsB;CAC1D,MAAM,kBAAkB,EAAE,IAAI,OAAO,mBAAmB,KAAK,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,kBAAkB,KAAK,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,MAAM,KAAK,KAAA;CAClD,MAAM,OAAO,EAAE,IAAI,MAAM,wBAAwB;CACjD,MAAM,QAAQ,EAAE,IAAI,MAAM,yBAAyB;CAEnD,IAAI,CAAC,QAAQ,CAAC,OACZ,OAAO,EAAE,KAAK,EAAE,OAAO,wBAAwB,GAAG,GAAG;CAGvD,IAAI,kBAAkB,2BAA2B,CAAC,SAChD,OAAO,EAAE,KACP,EACE,OACE,4FACJ,GACA,GACF;CAGF,MAAM,UAAU,aAAa,EAAE,IAAI,OAAO,QAAQ,CAAC;CACnD,MAAM,gBAAgB,QAAQ;CAC9B,MAAM,eAAe,QAAQ;CAC7B,MAAM,kBAAkB,QAAQ;CAEhC,IAAI,CAAC,iBAAiB,UAAU,mBAAmB,aAAa,GAC9D,OAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,GAAG,GAAG;CAEhD,IAAI,CAAC,cACH,OAAO,EAAE,KAAK,EAAE,OAAO,wBAAwB,GAAG,GAAG;CAMvD,MAAM,YAAY,qBAAqB,eAAe;CACtD,IAAI,CAAC,WACH,OAAO,EAAE,KAAK,EAAE,OAAO,4BAA4B,GAAG,GAAG;CAG3D,IAAI;CACJ,IAAI;EACF,eAAe,KAAK,MAClB,IAAI,YAAY,EAAE,OAAO,gBAAgB,mBAAmB,KAAK,CAAC,CAAC,CACrE;CACF,QAAQ;EACN,OAAO,EAAE,KAAK,EAAE,OAAO,wBAAwB,GAAG,GAAG;CACvD;CACA,MAAM,aAAa,aAAa;CAChC,IAAI,CAAC,cAAc,CAAC,iBAAiB,UAAU,GAC7C,OAAO,EAAE,KAAK,EAAE,OAAO,+BAA+B,GAAG,GAAG;CAG9D,MAAM,YAAY,aAAa;CAC/B,IAAI,CAAC,WACH,OAAO,EAAE,KAAK,EAAE,OAAO,6BAA6B,GAAG,GAAG;CAG5D,MAAM,sBAAsB,mBAAmB,YAAY;CAE3D,MAAM,WAAW,kBAAkB,gBAC/B,gCAAgC;EAC9B,YAAY,EAAE,IAAI;EAClB,UAAU,QAAQ;EAClB;EACA;EACA;EACA;CACF,CAAC,IACD,kBAAkB;CAEtB,MAAM,cAAc,8BAA8B,SAAS;CAE3D,MAAM,mBAAmB,IAAI,IAC3B,mBACA,kBAAkB,qBACpB,EAAE;CAEF,IAAI;CACJ,IAAI,kBAAkB,eACpB,YAAY,MAAM,4BAA4B;EACnC;EACT;EACA,eAAe;CACjB,CAAC;CAGH,IAAI;CACJ,IAAI,kBAAkB,eAMpB,aAAa;EACX,YAAY;EACZ;EACA,eAAe;EACf,cAAc;EACd,GAAG,+BAA+B;GAAE;GAAU,iBAAA,MAVlB,qBAAqB;IACxC;IACT;IACA,UAAU;GACZ,CAAC;EAM+D,CAAC;CACjE;MAEA,aAAa;EACX,YAAY;EACZ;EACA,eAAe;EACf,cAAc;EACd,GAAG,4BAA4B;GAC7B;GACA,cAAc,kBAAkB;EAClC,CAAC;CACH;CAGF,MAAM,cAAc,MAAM,kBAAkB;EAC1C;EACA,eAAe,kBAAkB;EACjC,GAAI,cAAc,KAAA,IAAY,EAAE,UAAU,IAAI,CAAC;EAC/C;CACF,CAAC;CACD,IAAI,CAAC,YAAY,IACf,OAAO,EAAE,KACP,EAAE,OAAO,0BAA0B,YAAY,YAAY,GAC3D,GACF;CAGF,MAAM,EACJ,cAAc,aACd,eAAe,cACf,eACE,YAAY;CAChB,IAAI,CAAC,cACH,OAAO,EAAE,KAAK,EAAE,OAAO,uCAAuC,GAAG,GAAG;CAEtE,IAAI,CAAC,uBAAuB,UAAU,GACpC,OAAO,EAAE,KACP,EAAE,OAAO,+CAA+C,GACxD,GACF;CAGF,MAAM,YAAY,KAAK,IAAI,IAAI,aAAa;CAC5C,MAAM,oBAAoB,GAAG,gCAAgC;CAE7D,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;EACV,CAAC;CACH,CAAC;CACD,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;EACV,CAAC;CACH,CAAC;CACD,kBAAkB;EAAE;EAAG,OAAO,gBAAgB,yBAAyB;CAAE,CAAC;CAC1E,kBAAkB;EAAE;EAAG,OAAO,gBAAgB,uBAAuB;CAAE,CAAC;CAExE,OAAO,EAAE,KAAK;EAAE,YAAY;EAAW,aAAa;CAAW,CAAC;AAClE"}
1	+ {"version":3,"file":"auth-complete.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/auth-complete.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport {\n AUTH_COMPLETE_CODE_PARAM,\n AUTH_COMPLETE_STATE_PARAM,\n} from '../../../shared/constants.ts';\nimport type { AuthCompleteResponse } from '../../../shared/wire-types.ts';\nimport {\n HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n HUBSPOT_APP_ORIGIN_COOKIE_NAME,\n HUBSPOT_REFRESH_COOKIE_PREFIX,\n TEMP_COOKIE_OAUTH_STATE,\n TEMP_COOKIE_PKCE_VERIFIER,\n} from '../../constants.ts';\nimport { base64urlDecode } from '../../utils/base64-utils.ts';\nimport { parseCookies } from '../../utils/cookie-utils.ts';\nimport { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';\nimport { REFRESH_COOKIE_MAX_AGE_SEC } from './constants.ts';\nimport {\n buildClientAssertion,\n buildClientAssertionFormParams,\n buildClientSecretFormParams,\n buildTokenEndpointDpopProof,\n requestOAuthToken,\n} from './oauth-client.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport {\n buildCimdClientIdUrlFromRequest,\n buildFrontendOAuthRedirectUri,\n clearTempCookie,\n isPositiveFiniteNumber,\n isSafeReturnPath,\n parseAppOriginHeader,\n} from './utils.ts';\nimport { fetchWhoami } from './whoami.ts';\n\ninterface OAuthStatePayload {\n return_path?: string;\n sid?: string;\n}\n\n/*\n Cross-origin OAuth completion endpoint.\n \n Called from the React app on the frontend OAuth callback path\n * (`HUBSPOT_FRONTEND_CALLBACK_PATH`) once HubSpot has redirected the\n * browser back with `?code` + `?state`. The browser POSTs both\n * values here as a credentialed cross-site fetch — same partition as\n * `init-session`, so the temp PKCE/state cookies are visible — and\n * the SDK:\n \n 1. Validates `state` against the temp `__hs_oauth_state` cookie.\n * 2. Pulls the PKCE verifier from `__hs_pkce_verifier`.\n * 3. Rebuilds the same `redirect_uri` it sent to HubSpot during\n * `init-session` (frontend origin + the fixed callback path);\n * the OAuth token endpoint requires the two values to match.\n * 4. Exchanges `code` for an access + refresh token (with DPoP /\n * CIMD client-assertion when enabled).\n * 5. Sets the durable session cookies (access token, refresh) with\n * `SameSite=None; Secure; Partitioned` so they live in the\n * `(frontend, edge)` partition where subsequent API fetches will\n * read them.\n * 6. Clears the temp cookies.\n * 7. Returns `{ expires_at, return_path }` so the controller can\n * update its session-storage expiry tracking and navigate back to\n * the page the user started the connect flow from.\n /\nexport async function handleAuthComplete(\n c: Context,\n options: HubSpotConnectOAuthRouteOptions\n) {\n const { appKeys, refreshCookiePath, hubspotConnectEnv } = options;\n const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n const requestHostHeader = c.req.header('host') ?? undefined;\n const code = c.req.query(AUTH_COMPLETE_CODE_PARAM);\n const state = c.req.query(AUTH_COMPLETE_STATE_PARAM);\n\n if (!code \|\| !state) {\n return c.json({ error: 'Missing code or state' }, 400);\n }\n\n if (hubspotConnectEnv.isAppPrivateKeyRequired && !appKeys) {\n return c.json(\n {\n error:\n 'Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD or DPoP is enabled',\n },\n 500\n );\n }\n\n const cookies = parseCookies(c.req.header('Cookie'));\n const expectedState = cookies[TEMP_COOKIE_OAUTH_STATE];\n const codeVerifier = cookies[TEMP_COOKIE_PKCE_VERIFIER];\n const appOriginCookie = cookies[HUBSPOT_APP_ORIGIN_COOKIE_NAME];\n\n if (!expectedState \|\| state !== decodeURIComponent(expectedState)) {\n return c.json({ error: 'State mismatch' }, 403);\n }\n if (!codeVerifier) {\n return c.json({ error: 'Missing PKCE verifier' }, 400);\n }\n // The redirect_uri the OAuth token endpoint validates must equal\n // the one we sent during init-session. We rebuild it from the\n // pinned origin cookie so that value is anchored server-side, not\n // taken from the (caller-controlled) request `Origin` on this call.\n const appOrigin = parseAppOriginHeader(appOriginCookie);\n if (!appOrigin) {\n return c.json({ error: 'Missing app origin cookie' }, 400);\n }\n\n let statePayload: OAuthStatePayload;\n try {\n statePayload = JSON.parse(\n new TextDecoder().decode(base64urlDecode(decodeURIComponent(state)))\n ) as OAuthStatePayload;\n } catch {\n return c.json({ error: 'Malformed state value' }, 400);\n }\n const returnPath = statePayload.return_path;\n if (!returnPath \|\| !isSafeReturnPath(returnPath)) {\n return c.json({ error: 'Invalid return path in state' }, 400);\n }\n\n const sessionId = statePayload.sid;\n if (!sessionId) {\n return c.json({ error: 'Missing app session cookie' }, 400);\n }\n\n const decodedCodeVerifier = decodeURIComponent(codeVerifier);\n\n const clientId = hubspotConnectEnv.isCimdEnabled\n ? buildCimdClientIdUrlFromRequest({\n requestUrl: c.req.url,\n basePath: options.basePath,\n xForwardedProto,\n xForwardedHost,\n requestHostHeader,\n appOrigin,\n })\n : hubspotConnectEnv.hubspotClientId;\n\n const redirectUri = buildFrontendOAuthRedirectUri(appOrigin);\n\n const tokenEndpointUrl = new URL(\n '/oauth/v1/token',\n hubspotConnectEnv.hubspotOAuthApiOrigin\n ).href;\n\n let dpopProof: string \| undefined;\n if (hubspotConnectEnv.isDpopEnabled) {\n dpopProof = await buildTokenEndpointDpopProof({\n appKeys: appKeys!,\n tokenEndpointUrl,\n sessionIdHash: sessionId,\n });\n }\n\n let formParams: Record<string, string>;\n if (hubspotConnectEnv.isCimdEnabled) {\n const clientAssertion = await buildClientAssertion({\n appKeys: appKeys!,\n clientId,\n audience: tokenEndpointUrl,\n });\n formParams = {\n grant_type: 'authorization_code',\n code,\n code_verifier: decodedCodeVerifier,\n redirect_uri: redirectUri,\n ...buildClientAssertionFormParams({ clientId, clientAssertion }),\n };\n } else {\n formParams = {\n grant_type: 'authorization_code',\n code,\n code_verifier: decodedCodeVerifier,\n redirect_uri: redirectUri,\n ...buildClientSecretFormParams({\n clientId,\n clientSecret: hubspotConnectEnv.hubspotClientSecret,\n }),\n };\n }\n\n const tokenResult = await requestOAuthToken({\n tokenEndpointUrl,\n isDpopEnabled: hubspotConnectEnv.isDpopEnabled,\n ...(dpopProof !== undefined ? { dpopProof } : {}),\n formParams,\n });\n if (!tokenResult.ok) {\n return c.json(\n { error: `Token exchange failed: ${tokenResult.errorText}` },\n 502\n );\n }\n\n const {\n access_token: accessToken,\n refresh_token: refreshToken,\n expires_in,\n } = tokenResult.body;\n if (!refreshToken) {\n return c.json({ error: 'Token response missing refresh_token' }, 502);\n }\n if (!isPositiveFiniteNumber(expires_in)) {\n return c.json(\n { error: 'Token response missing or invalid expires_in' },\n 502\n );\n }\n\n const expiresAt = Date.now() + expires_in 1000;\n const refreshCookieName = `${HUBSPOT_REFRESH_COOKIE_PREFIX}${sessionId}`;\n\n setResponseCookie({\n c,\n value: serializeCookie({\n name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n value: accessToken,\n path: '/',\n sameSite: 'None',\n partitioned: true,\n maxAge: expires_in,\n }),\n });\n setResponseCookie({\n c,\n value: serializeCookie({\n name: refreshCookieName,\n value: refreshToken,\n path: refreshCookiePath,\n sameSite: 'None',\n partitioned: true,\n maxAge: REFRESH_COOKIE_MAX_AGE_SEC,\n }),\n });\n setResponseCookie({ c, value: clearTempCookie(TEMP_COOKIE_PKCE_VERIFIER) });\n setResponseCookie({ c, value: clearTempCookie(TEMP_COOKIE_OAUTH_STATE) });\n\n const whoami = await fetchWhoami(accessToken, hubspotConnectEnv);\n return c.json({\n expires_at: expiresAt,\n return_path: returnPath,\n whoami,\n } satisfies AuthCompleteResponse);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmEA,eAAsB,mBACpB,GACA,SACA;CACA,MAAM,EAAE,SAAS,mBAAmB,sBAAsB;CAC1D,MAAM,kBAAkB,EAAE,IAAI,OAAO,mBAAmB,KAAK,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,kBAAkB,KAAK,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,MAAM,KAAK,KAAA;CAClD,MAAM,OAAO,EAAE,IAAI,MAAM,wBAAwB;CACjD,MAAM,QAAQ,EAAE,IAAI,MAAM,yBAAyB;CAEnD,IAAI,CAAC,QAAQ,CAAC,OACZ,OAAO,EAAE,KAAK,EAAE,OAAO,wBAAwB,GAAG,GAAG;CAGvD,IAAI,kBAAkB,2BAA2B,CAAC,SAChD,OAAO,EAAE,KACP,EACE,OACE,4FACJ,GACA,GACF;CAGF,MAAM,UAAU,aAAa,EAAE,IAAI,OAAO,QAAQ,CAAC;CACnD,MAAM,gBAAgB,QAAQ;CAC9B,MAAM,eAAe,QAAQ;CAC7B,MAAM,kBAAkB,QAAQ;CAEhC,IAAI,CAAC,iBAAiB,UAAU,mBAAmB,aAAa,GAC9D,OAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,GAAG,GAAG;CAEhD,IAAI,CAAC,cACH,OAAO,EAAE,KAAK,EAAE,OAAO,wBAAwB,GAAG,GAAG;CAMvD,MAAM,YAAY,qBAAqB,eAAe;CACtD,IAAI,CAAC,WACH,OAAO,EAAE,KAAK,EAAE,OAAO,4BAA4B,GAAG,GAAG;CAG3D,IAAI;CACJ,IAAI;EACF,eAAe,KAAK,MAClB,IAAI,YAAY,EAAE,OAAO,gBAAgB,mBAAmB,KAAK,CAAC,CAAC,CACrE;CACF,QAAQ;EACN,OAAO,EAAE,KAAK,EAAE,OAAO,wBAAwB,GAAG,GAAG;CACvD;CACA,MAAM,aAAa,aAAa;CAChC,IAAI,CAAC,cAAc,CAAC,iBAAiB,UAAU,GAC7C,OAAO,EAAE,KAAK,EAAE,OAAO,+BAA+B,GAAG,GAAG;CAG9D,MAAM,YAAY,aAAa;CAC/B,IAAI,CAAC,WACH,OAAO,EAAE,KAAK,EAAE,OAAO,6BAA6B,GAAG,GAAG;CAG5D,MAAM,sBAAsB,mBAAmB,YAAY;CAE3D,MAAM,WAAW,kBAAkB,gBAC/B,gCAAgC;EAC9B,YAAY,EAAE,IAAI;EAClB,UAAU,QAAQ;EAClB;EACA;EACA;EACA;CACF,CAAC,IACD,kBAAkB;CAEtB,MAAM,cAAc,8BAA8B,SAAS;CAE3D,MAAM,mBAAmB,IAAI,IAC3B,mBACA,kBAAkB,qBACpB,EAAE;CAEF,IAAI;CACJ,IAAI,kBAAkB,eACpB,YAAY,MAAM,4BAA4B;EACnC;EACT;EACA,eAAe;CACjB,CAAC;CAGH,IAAI;CACJ,IAAI,kBAAkB,eAMpB,aAAa;EACX,YAAY;EACZ;EACA,eAAe;EACf,cAAc;EACd,GAAG,+BAA+B;GAAE;GAAU,iBAAA,MAVlB,qBAAqB;IACxC;IACT;IACA,UAAU;GACZ,CAAC;EAM+D,CAAC;CACjE;MAEA,aAAa;EACX,YAAY;EACZ;EACA,eAAe;EACf,cAAc;EACd,GAAG,4BAA4B;GAC7B;GACA,cAAc,kBAAkB;EAClC,CAAC;CACH;CAGF,MAAM,cAAc,MAAM,kBAAkB;EAC1C;EACA,eAAe,kBAAkB;EACjC,GAAI,cAAc,KAAA,IAAY,EAAE,UAAU,IAAI,CAAC;EAC/C;CACF,CAAC;CACD,IAAI,CAAC,YAAY,IACf,OAAO,EAAE,KACP,EAAE,OAAO,0BAA0B,YAAY,YAAY,GAC3D,GACF;CAGF,MAAM,EACJ,cAAc,aACd,eAAe,cACf,eACE,YAAY;CAChB,IAAI,CAAC,cACH,OAAO,EAAE,KAAK,EAAE,OAAO,uCAAuC,GAAG,GAAG;CAEtE,IAAI,CAAC,uBAAuB,UAAU,GACpC,OAAO,EAAE,KACP,EAAE,OAAO,+CAA+C,GACxD,GACF;CAGF,MAAM,YAAY,KAAK,IAAI,IAAI,aAAa;CAC5C,MAAM,oBAAoB,GAAG,gCAAgC;CAE7D,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;EACV,CAAC;CACH,CAAC;CACD,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;EACV,CAAC;CACH,CAAC;CACD,kBAAkB;EAAE;EAAG,OAAO,gBAAgB,yBAAyB;CAAE,CAAC;CAC1E,kBAAkB;EAAE;EAAG,OAAO,gBAAgB,uBAAuB;CAAE,CAAC;CAExE,MAAM,SAAS,MAAM,YAAY,aAAa,iBAAiB;CAC/D,OAAO,EAAE,KAAK;EACZ,YAAY;EACZ,aAAa;EACb;CACF,CAAgC;AAClC"}

package/dist/server/hono/hubspot-connect-routes/whoami.js ADDED Viewed

@@ -0,0 +1,51 @@
+import { createHubSpotClient } from "../../api-client-core/client.js";
+import { account } from "../../api-client-core/apis/account/account-info.generated.js";
+import { authOauth } from "../../api-client-core/apis/auth/oauth.generated.js";
+import { settingsUsers } from "../../api-client-core/apis/settings/user-provisioning.generated.js";
+import { getHubSpotApiOrigin } from "../../utils/env-utils.js";
+import { fetchTransportPlugin } from "../../api-client-core/plugins/fetch-transport.js";
+//#region src/server/hono/hubspot-connect-routes/whoami.ts
+async function fetchWhoami(accessToken, hubspotConnectEnv) {
+	const apiClient = createHubSpotClient({ plugins: [fetchTransportPlugin({
+		getEndpoint: getHubSpotApiOrigin,
+		getAccessToken: () => accessToken
+	})] });
+	const introspectInput = hubspotConnectEnv.isCimdEnabled ? { token: accessToken } : {
+		client_id: hubspotConnectEnv.hubspotClientId,
+		client_secret: hubspotConnectEnv.hubspotClientSecret,
+		token: accessToken
+	};
+	const [introspectResult, hubResult] = await Promise.allSettled([apiClient.send(authOauth.introspectToken(introspectInput)), apiClient.send(account.get())]);
+	const whoami = {
+		hub: {},
+		user: {}
+	};
+	if (hubResult.status === "fulfilled") {
+		const portal = hubResult.value;
+		whoami.hub.id = portal.portalId;
+		whoami.hub.uiDomain = portal.uiDomain;
+	}
+	if (introspectResult.status === "fulfilled" && introspectResult.value.token_use === "access_token") {
+		whoami.hub.domain = introspectResult.value.hub_domain;
+		const userId = String(introspectResult.value.user_id);
+		const userResult = await apiClient.send(settingsUsers.get({
+			userId,
+			idProperty: "USER_ID"
+		})).then((u) => ({
+			ok: true,
+			value: u
+		}), () => ({ ok: false }));
+		if (userResult.ok) {
+			const u = userResult.value;
+			whoami.user.id = u.id;
+			whoami.user.email = u.email;
+			whoami.user.firstName = u.firstName;
+			whoami.user.lastName = u.lastName;
+		}
+	}
+	return whoami;
+}
+//#endregion
+export { fetchWhoami };
+//# sourceMappingURL=whoami.js.map

package/dist/server/hono/hubspot-connect-routes/whoami.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"whoami.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/whoami.ts"],"sourcesContent":["import type { AuthCompleteWhoami } from '../../../shared/wire-types.ts';\nimport {\n account,\n authOauth,\n createHubSpotClient,\n settingsUsers,\n} from '../../api-client-core/index.ts';\nimport { fetchTransportPlugin } from '../../api-client-core/plugins/fetch-transport.ts';\nimport { getHubSpotApiOrigin } from '../../utils/env-utils.ts';\nimport type { HubSpotConnectRoutesEnv } from './load-hubspot-connect-routes-env.ts';\n\nexport async function fetchWhoami(\n accessToken: string,\n hubspotConnectEnv: HubSpotConnectRoutesEnv\n): Promise<AuthCompleteWhoami> {\n const apiClient = createHubSpotClient({\n plugins: [\n fetchTransportPlugin({\n getEndpoint: getHubSpotApiOrigin,\n getAccessToken: () => accessToken,\n }),\n ],\n });\n\n const introspectInput = hubspotConnectEnv.isCimdEnabled\n ? { token: accessToken }\n : {\n client_id: hubspotConnectEnv.hubspotClientId,\n client_secret: hubspotConnectEnv.hubspotClientSecret,\n token: accessToken,\n };\n\n // Introspect and account.get are independent — run in parallel.\n // settingsUsers.get requires user_id from introspect, so it runs after.\n const [introspectResult, hubResult] = await Promise.allSettled([\n apiClient.send(authOauth.introspectToken(introspectInput)),\n apiClient.send(account.get()),\n ]);\n\n const whoami: AuthCompleteWhoami = {\n hub: {},\n user: {},\n };\n\n if (hubResult.status === 'fulfilled') {\n const portal = hubResult.value;\n whoami.hub.id = portal.portalId;\n whoami.hub.uiDomain = portal.uiDomain;\n }\n\n if (\n introspectResult.status === 'fulfilled' &&\n introspectResult.value.token_use === 'access_token'\n ) {\n whoami.hub.domain = introspectResult.value.hub_domain;\n\n const userId = String(introspectResult.value.user_id);\n const userResult = await apiClient\n .send(settingsUsers.get({ userId, idProperty: 'USER_ID' }))\n .then(\n (u) => ({ ok: true as const, value: u }),\n () => ({ ok: false as const })\n );\n if (userResult.ok) {\n const u = userResult.value;\n whoami.user.id = u.id;\n whoami.user.email = u.email;\n whoami.user.firstName = u.firstName;\n whoami.user.lastName = u.lastName;\n }\n }\n\n return whoami;\n}\n"],"mappings":";;;;;;;AAWA,eAAsB,YACpB,aACA,mBAC6B;CAC7B,MAAM,YAAY,oBAAoB,EACpC,SAAS,CACP,qBAAqB;EACnB,aAAa;EACb,sBAAsB;CACxB,CAAC,CACH,EACF,CAAC;CAED,MAAM,kBAAkB,kBAAkB,gBACtC,EAAE,OAAO,YAAY,IACrB;EACE,WAAW,kBAAkB;EAC7B,eAAe,kBAAkB;EACjC,OAAO;CACT;CAIJ,MAAM,CAAC,kBAAkB,aAAa,MAAM,QAAQ,WAAW,CAC7D,UAAU,KAAK,UAAU,gBAAgB,eAAe,CAAC,GACzD,UAAU,KAAK,QAAQ,IAAI,CAAC,CAC9B,CAAC;CAED,MAAM,SAA6B;EACjC,KAAK,CAAC;EACN,MAAM,CAAC;CACT;CAEA,IAAI,UAAU,WAAW,aAAa;EACpC,MAAM,SAAS,UAAU;EACzB,OAAO,IAAI,KAAK,OAAO;EACvB,OAAO,IAAI,WAAW,OAAO;CAC/B;CAEA,IACE,iBAAiB,WAAW,eAC5B,iBAAiB,MAAM,cAAc,gBACrC;EACA,OAAO,IAAI,SAAS,iBAAiB,MAAM;EAE3C,MAAM,SAAS,OAAO,iBAAiB,MAAM,OAAO;EACpD,MAAM,aAAa,MAAM,UACtB,KAAK,cAAc,IAAI;GAAE;GAAQ,YAAY;EAAU,CAAC,CAAC,EACzD,MACE,OAAO;GAAE,IAAI;GAAe,OAAO;EAAE,WAC/B,EAAE,IAAI,MAAe,EAC9B;EACF,IAAI,WAAW,IAAI;GACjB,MAAM,IAAI,WAAW;GACrB,OAAO,KAAK,KAAK,EAAE;GACnB,OAAO,KAAK,QAAQ,EAAE;GACtB,OAAO,KAAK,YAAY,EAAE;GAC1B,OAAO,KAAK,WAAW,EAAE;EAC3B;CACF;CAEA,OAAO;AACT"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@hubspot/app-connect-sdk",
-  "version": "1.0.0-alpha.20",
+  "version": "1.0.0-alpha.21",
   "description": "HubSpot App Connect SDK (alpha release). Documentation and integration guidance forthcoming.",
   "type": "module",
   "exports": {
@@ -45,8 +45,8 @@
     "typescript": "6.0.3",
     "vitest": "4.1.6",
     "@private/eslint-config": "0.1.0",
-    "@private/prettier-config": "0.1.0",
-    "@private/tsconfig": "0.1.0"
+    "@private/tsconfig": "0.1.0",
+    "@private/prettier-config": "0.1.0"
   },
   "scripts": {
     "clean": "rm -rf dist build *.tsbuildinfo node_modules .turbo",

package/src/browser/app-connect-controller/connect-start.test.ts CHANGED Viewed

@@ -35,6 +35,7 @@ function createTestContext(
     isDisconnectInFlight: false,
     error: null,
     expiresAt: null,
+    whoami: null,
   };
   return {
     config: {

package/src/browser/app-connect-controller/constants.ts CHANGED Viewed

@@ -1,11 +1,13 @@
 export { EXPIRES_AT_URL_PARAM } from '../../shared/constants.ts';
 /**
- * Key the controller persists the access-token `expiresAt` (Unix
- * epoch milliseconds) under in `sessionStorage`. Survives full-page
- * navigations within the same tab.
+ * Key under which the controller persists the entire session blob
+ * (expiresAt + whoami) as a single JSON string in `sessionStorage`.
+ * Using one key makes logout trivially correct — one `removeItem` call
+ * clears all session state. Survives full-page navigations within the
+ * same tab.
  */
-export const EXPIRES_AT_KEY = 'hubspot_token_expires_at';
+export const SESSION_STORAGE_KEY = 'hubspot_connect_session';
 /**
  * Number of milliseconds before `expiresAt` that the refresh

package/src/browser/app-connect-controller/create.ts CHANGED Viewed

@@ -16,7 +16,7 @@ import type {
 } from './types.ts';
 import { memoizeLast } from './utils/memoize-utils.ts';
 import {
-  getExpiresAtFromSessionStorage,
+  getSessionFromSessionStorage,
   isClientSessionActive,
 } from './utils/session-utils.ts';
 import { createStore } from './utils/store-utils.ts';
@@ -54,6 +54,7 @@ export function createAppConnectController(
     isSessionConnected: false,
     error: null,
     expiresAt: null,
+    whoami: null,
   });
   const context: AppConnectContext = {
     config,
@@ -62,7 +63,11 @@ export function createAppConnectController(
     store,
   };
-  store.setState({ expiresAt: getExpiresAtFromSessionStorage(context) });
+  const storedSession = getSessionFromSessionStorage(context);
+  store.setState({
+    expiresAt: storedSession?.expiresAt ?? null,
+    whoami: storedSession?.whoami ?? null,
+  });
   let hasStarted = false;
@@ -90,6 +95,7 @@ export function createAppConnectController(
   >((storeState) => ({
     status: getDerivedStatus(storeState),
     error: storeState.error,
+    whoami: storeState.whoami,
     connectToHubSpot,
     disconnectFromHubSpot,
   }));

package/src/browser/app-connect-controller/disconnect.ts CHANGED Viewed

@@ -35,6 +35,7 @@ export async function disconnectFromHubSpot(
     store.setState({
       expiresAt: null,
+      whoami: null,
       isSessionConnected: false,
       isDisconnectInFlight: false,
     });

package/src/browser/app-connect-controller/init.test.ts CHANGED Viewed

@@ -5,7 +5,7 @@ import {
   OAUTH_POPUP_CALLBACK_MESSAGE_TYPE,
 } from '../../shared/constants.ts';
 import { noopLogger } from '../../shared/logger.ts';
-import { EXPIRES_AT_KEY } from './constants.ts';
+import { SESSION_STORAGE_KEY } from './constants.ts';
 import { initAppConnect } from './init.ts';
 import { OAUTH_POPUP_WINDOW_NAME } from './oauth-popup.ts';
 import type {
@@ -39,6 +39,7 @@ function createTestContext(): AppConnectContext {
     isDisconnectInFlight: false,
     error: null,
     expiresAt: null,
+    whoami: null,
   };
   return {
     config: { hubSpotConnectBaseUrl: HUBSPOT_CONNECT_BASE_URL },
@@ -124,14 +125,16 @@ describe('initAppConnect', () => {
     installFakeWindow({
       href: `https://app.example.com${OAUTH_CALLBACK_PATH}?code=auth-code&state=auth-state`,
     });
-    const fetchSpy = vi
-      .spyOn(globalThis, 'fetch')
-      .mockResolvedValue(
-        new Response(
-          JSON.stringify({ expires_at: expiresAt, return_path: '/dashboard' }),
-          { status: 200 }
-        )
-      );
+    const fetchSpy = vi.spyOn(globalThis, 'fetch').mockResolvedValue(
+      new Response(
+        JSON.stringify({
+          expires_at: expiresAt,
+          return_path: '/dashboard',
+          whoami: {},
+        }),
+        { status: 200 }
+      )
+    );
     const context = createTestContext();
     await initAppConnect(context);
@@ -148,9 +151,10 @@ describe('initAppConnect', () => {
     expect((calledInit as RequestInit).credentials).toBe('include');
     expect(context.store.getSnapshot().expiresAt).toBe(expiresAt);
-    expect(context.sessionStorage.getItem(EXPIRES_AT_KEY)).toBe(
-      String(expiresAt)
+    const stored = JSON.parse(
+      context.sessionStorage.getItem(SESSION_STORAGE_KEY)!
     );
+    expect(stored.expiresAt).toBe(expiresAt);
     expect(window.location.pathname).toBe('/dashboard');
   });
@@ -165,10 +169,13 @@ describe('initAppConnect', () => {
       })
     );
     const context = createTestContext();
-    context.sessionStorage.setItem(EXPIRES_AT_KEY, '999');
+    context.sessionStorage.setItem(
+      SESSION_STORAGE_KEY,
+      '{"expiresAt":999,"whoami":null}'
+    );
     await expect(initAppConnect(context)).rejects.toThrow(/Failed to complete/);
-    expect(context.sessionStorage.getItem(EXPIRES_AT_KEY)).toBeNull();
+    expect(context.sessionStorage.getItem(SESSION_STORAGE_KEY)).toBeNull();
   });
   it('relays code and state to the opener without calling auth/complete when in an OAuth popup', async () => {
@@ -208,7 +215,11 @@ describe('initAppConnect', () => {
     });
     vi.spyOn(globalThis, 'fetch').mockResolvedValue(
       new Response(
-        JSON.stringify({ expires_at: expiresAt, return_path: '/dashboard' }),
+        JSON.stringify({
+          expires_at: expiresAt,
+          return_path: '/dashboard',
+          whoami: {},
+        }),
         { status: 200 }
       )
     );
@@ -232,7 +243,11 @@ describe('initAppConnect', () => {
     });
     vi.spyOn(globalThis, 'fetch').mockResolvedValue(
       new Response(
-        JSON.stringify({ expires_at: expiresAt, return_path: '/dashboard' }),
+        JSON.stringify({
+          expires_at: expiresAt,
+          return_path: '/dashboard',
+          whoami: {},
+        }),
         { status: 200 }
       )
     );

package/src/browser/app-connect-controller/init.ts CHANGED Viewed

@@ -9,7 +9,7 @@ import {
   relayOAuthCallbackToOpener,
 } from './oauth-popup.ts';
 import type { AppConnectContext } from './types.ts';
-import { storeExpiresAt } from './utils/session-utils.ts';
+import { storeSession } from './utils/session-utils.ts';
 /**
  * On `controller.start()`:
@@ -49,7 +49,7 @@ async function consumeOAuthCallback(context: AppConnectContext): Promise<void> {
   const body = await completeHubSpotOAuthSession(context, { code, state });
   const { expires_at: expiresAt, return_path: returnPath } = body;
-  storeExpiresAt({ context, expiresAtMs: expiresAt });
+  storeSession({ context, expiresAtMs: expiresAt, whoami: body.whoami });
   const targetUrl = new URL(returnPath, window.location.origin);
   history.replaceState(

package/src/browser/app-connect-controller/oauth-complete.test.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { afterEach, describe, expect, it, vi } from 'vitest';
 import { noopLogger } from '../../shared/logger.ts';
-import { EXPIRES_AT_KEY } from './constants.ts';
+import { SESSION_STORAGE_KEY } from './constants.ts';
 import { completeHubSpotOAuthSession } from './oauth-complete.ts';
 import type {
   AppConnectContext,
@@ -34,6 +34,7 @@ function createTestContext(): AppConnectContext {
     isDisconnectInFlight: false,
     error: null,
     expiresAt: null,
+    whoami: null,
   };
   return {
     config: { hubSpotConnectBaseUrl: HUBSPOT_CONNECT_BASE_URL },
@@ -93,7 +94,10 @@ describe('completeHubSpotOAuthSession', () => {
       })
     );
     const context = createTestContext();
-    context.sessionStorage.setItem(EXPIRES_AT_KEY, '999');
+    context.sessionStorage.setItem(
+      SESSION_STORAGE_KEY,
+      '{"expiresAt":999,"whoami":null}'
+    );
     await expect(
       completeHubSpotOAuthSession(context, {
@@ -101,6 +105,6 @@ describe('completeHubSpotOAuthSession', () => {
         state: 'bad-state',
       })
     ).rejects.toThrow(/Failed to complete/);
-    expect(context.sessionStorage.getItem(EXPIRES_AT_KEY)).toBeNull();
+    expect(context.sessionStorage.getItem(SESSION_STORAGE_KEY)).toBeNull();
   });
 });

package/src/browser/app-connect-controller/oauth-popup.test.ts CHANGED Viewed

@@ -34,6 +34,7 @@ function createTestContext(): AppConnectContext {
     isDisconnectInFlight: false,
     error: null,
     expiresAt: null,
+    whoami: null,
   };
   return {
     config: { hubSpotConnectBaseUrl: HUBSPOT_CONNECT_BASE_URL },

package/src/browser/app-connect-controller/types.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import type { AuthCompleteWhoami } from '../../shared/wire-types.ts';
 import type { Logger } from '../index.ts';
 import type { AppConnectBrowserConfig } from '../types.ts';
 import type { Store } from './utils/store-utils.ts';
@@ -30,6 +31,8 @@ export interface AppConnectInternalState {
   error: string | null;
   /** Access-token expiry (Unix epoch milliseconds), or `null` if unknown. */
   expiresAt: number | null;
+  /** Identity of the connected user and their HubSpot account, or `null`. */
+  whoami: AuthCompleteWhoami | null;
 }
 /** Convenience alias for the typed store used by the controller. */

package/src/browser/app-connect-controller/utils/session-utils.test.ts CHANGED Viewed

@@ -1,7 +1,8 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 import { noopLogger } from '../../../shared/logger.ts';
-import { EXPIRES_AT_KEY } from '../constants.ts';
+import type { AuthCompleteWhoami } from '../../../shared/wire-types.ts';
+import { SESSION_STORAGE_KEY } from '../constants.ts';
 import type {
   AppConnectContext,
   AppConnectInternalState,
@@ -9,9 +10,10 @@ import type {
 } from '../types.ts';
 import {
   clearSessionStorage,
-  getExpiresAtFromSessionStorage,
+  getSessionFromSessionStorage,
   isClientSessionActive,
   storeExpiresAt,
+  storeSession,
 } from './session-utils.ts';
 import { createStore } from './store-utils.ts';
@@ -36,6 +38,7 @@ function createTestContext(): AppConnectContext {
     isDisconnectInFlight: false,
     error: null,
     expiresAt: null,
+    whoami: null,
   };
   return {
     config: { hubSpotConnectBaseUrl: '/functions/v1/hubspot-connect' },
@@ -45,6 +48,14 @@ function createTestContext(): AppConnectContext {
   };
 }
+const MOCK_WHOAMI: AuthCompleteWhoami = {
+  user: { id: '99', email: 'demo@example.com', firstName: 'Demo' },
+  hub: {
+    id: 42,
+    uiDomain: 'app.hubspot.com',
+  },
+};
 describe('session-utils', () => {
   const FIXED_NOW = 1_700_000_000_000;
@@ -57,52 +68,92 @@ describe('session-utils', () => {
     vi.useRealTimers();
   });
+  describe('storeSession', () => {
+    it('writes expiresAt and whoami to both store and session storage', () => {
+      const context = createTestContext();
+      storeSession({
+        context,
+        expiresAtMs: FIXED_NOW + 60_000,
+        whoami: MOCK_WHOAMI,
+      });
+      expect(context.store.getSnapshot().expiresAt).toBe(FIXED_NOW + 60_000);
+      expect(context.store.getSnapshot().whoami).toEqual(MOCK_WHOAMI);
+      const stored = JSON.parse(
+        context.sessionStorage.getItem(SESSION_STORAGE_KEY)!
+      );
+      expect(stored.expiresAt).toBe(FIXED_NOW + 60_000);
+      expect(stored.whoami).toEqual(MOCK_WHOAMI);
+    });
+  });
   describe('storeExpiresAt', () => {
-    it('writes both the store and session storage', () => {
+    it('updates expiresAt in store and storage while preserving existing whoami', () => {
       const context = createTestContext();
+      context.store.setState({ whoami: MOCK_WHOAMI });
       storeExpiresAt({ context, expiresAtMs: FIXED_NOW + 60_000 });
       expect(context.store.getSnapshot().expiresAt).toBe(FIXED_NOW + 60_000);
-      expect(context.sessionStorage.getItem(EXPIRES_AT_KEY)).toBe(
-        String(FIXED_NOW + 60_000)
+      expect(context.store.getSnapshot().whoami).toEqual(MOCK_WHOAMI);
+      const stored = JSON.parse(
+        context.sessionStorage.getItem(SESSION_STORAGE_KEY)!
       );
+      expect(stored.expiresAt).toBe(FIXED_NOW + 60_000);
+      expect(stored.whoami).toEqual(MOCK_WHOAMI);
     });
   });
-  describe('getExpiresAtFromSessionStorage', () => {
+  describe('getSessionFromSessionStorage', () => {
     it('returns null when nothing is stored', () => {
       const context = createTestContext();
-      expect(getExpiresAtFromSessionStorage(context)).toBeNull();
+      expect(getSessionFromSessionStorage(context)).toBeNull();
     });
-    it('returns the stored value when in the future', () => {
+    it('returns the stored session when expiresAt is in the future', () => {
       const context = createTestContext();
-      const expiresAt = FIXED_NOW + 60_000;
-      context.sessionStorage.setItem(EXPIRES_AT_KEY, String(expiresAt));
-      expect(getExpiresAtFromSessionStorage(context)).toBe(expiresAt);
+      const session = { expiresAt: FIXED_NOW + 60_000, whoami: MOCK_WHOAMI };
+      context.sessionStorage.setItem(
+        SESSION_STORAGE_KEY,
+        JSON.stringify(session)
+      );
+      expect(getSessionFromSessionStorage(context)).toEqual(session);
     });
-    it('clears and returns null on malformed input', () => {
+    it('clears and returns null on malformed JSON', () => {
       const context = createTestContext();
-      context.sessionStorage.setItem(EXPIRES_AT_KEY, 'not-a-number');
-      expect(getExpiresAtFromSessionStorage(context)).toBeNull();
-      expect(context.sessionStorage.getItem(EXPIRES_AT_KEY)).toBeNull();
+      context.sessionStorage.setItem(SESSION_STORAGE_KEY, 'not-json');
+      expect(getSessionFromSessionStorage(context)).toBeNull();
+      expect(context.sessionStorage.getItem(SESSION_STORAGE_KEY)).toBeNull();
     });
-    it('clears and returns null on already-expired values', () => {
+    it('clears and returns null when expiresAt is not a number', () => {
       const context = createTestContext();
-      context.sessionStorage.setItem(EXPIRES_AT_KEY, String(FIXED_NOW - 1));
-      expect(getExpiresAtFromSessionStorage(context)).toBeNull();
-      expect(context.sessionStorage.getItem(EXPIRES_AT_KEY)).toBeNull();
+      context.sessionStorage.setItem(
+        SESSION_STORAGE_KEY,
+        JSON.stringify({ expiresAt: 'bad', whoami: null })
+      );
+      expect(getSessionFromSessionStorage(context)).toBeNull();
+      expect(context.sessionStorage.getItem(SESSION_STORAGE_KEY)).toBeNull();
+    });
+    it('clears and returns null when the session is already expired', () => {
+      const context = createTestContext();
+      context.sessionStorage.setItem(
+        SESSION_STORAGE_KEY,
+        JSON.stringify({ expiresAt: FIXED_NOW - 1, whoami: null })
+      );
+      expect(getSessionFromSessionStorage(context)).toBeNull();
+      expect(context.sessionStorage.getItem(SESSION_STORAGE_KEY)).toBeNull();
     });
   });
   describe('clearSessionStorage', () => {
-    it('removes the persisted expiresAt key', () => {
+    it('removes the session storage key', () => {
       const context = createTestContext();
-      context.sessionStorage.setItem(EXPIRES_AT_KEY, '123');
+      context.sessionStorage.setItem(SESSION_STORAGE_KEY, '{}');
       clearSessionStorage(context);
-      expect(context.sessionStorage.getItem(EXPIRES_AT_KEY)).toBeNull();
+      expect(context.sessionStorage.getItem(SESSION_STORAGE_KEY)).toBeNull();
     });
   });