@hubspot/app-connect-sdk 1.0.0-alpha.4 → 1.0.0-alpha.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (513) hide show
  1. package/.turbo/turbo-format$colon$check.log +4 -0
  2. package/.turbo/turbo-lint.log +2 -0
  3. package/.turbo/turbo-test.log +78 -0
  4. package/.turbo/turbo-tsdown.log +492 -20
  5. package/build/tsconfig.browser.tsbuildinfo +1 -1
  6. package/build/tsconfig.server.tsbuildinfo +1 -1
  7. package/dist/browser/{create-hzqjIhmO.js → create-crdncXsh.js} +2 -2
  8. package/dist/browser/create-crdncXsh.js.map +1 -0
  9. package/dist/browser/index.js +1 -1
  10. package/dist/browser/react/lovable.js +1 -1
  11. package/dist/server/api-client-core/apis/account/account-info-types.generated.d.ts +111 -0
  12. package/dist/server/api-client-core/apis/account/account-info.generated.d.ts +7 -0
  13. package/dist/server/api-client-core/apis/account/account-info.generated.js +9 -0
  14. package/dist/server/api-client-core/apis/account/account-info.generated.js.map +1 -0
  15. package/dist/server/api-client-core/apis/account/audit-logs-types.generated.d.ts +247 -0
  16. package/dist/server/api-client-core/apis/account/audit-logs.generated.d.ts +7 -0
  17. package/dist/server/api-client-core/apis/account/audit-logs.generated.js +28 -0
  18. package/dist/server/api-client-core/apis/account/audit-logs.generated.js.map +1 -0
  19. package/dist/server/api-client-core/apis/auth/oauth-types.generated.d.ts +121 -0
  20. package/dist/server/api-client-core/apis/auth/oauth.generated.d.ts +7 -0
  21. package/dist/server/api-client-core/apis/auth/oauth.generated.js +19 -0
  22. package/dist/server/api-client-core/apis/auth/oauth.generated.js.map +1 -0
  23. package/dist/server/api-client-core/apis/automation/actions-types.generated.d.ts +933 -0
  24. package/dist/server/api-client-core/apis/automation/actions.generated.d.ts +7 -0
  25. package/dist/server/api-client-core/apis/automation/actions.generated.js +121 -0
  26. package/dist/server/api-client-core/apis/automation/actions.generated.js.map +1 -0
  27. package/dist/server/api-client-core/apis/automation/sequences-types.generated.d.ts +422 -0
  28. package/dist/server/api-client-core/apis/automation/sequences.generated.d.ts +7 -0
  29. package/dist/server/api-client-core/apis/automation/sequences.generated.js +22 -0
  30. package/dist/server/api-client-core/apis/automation/sequences.generated.js.map +1 -0
  31. package/dist/server/api-client-core/apis/business-units-types.generated.d.ts +75 -0
  32. package/dist/server/api-client-core/apis/business-units.generated.d.ts +7 -0
  33. package/dist/server/api-client-core/apis/business-units.generated.js +12 -0
  34. package/dist/server/api-client-core/apis/business-units.generated.js.map +1 -0
  35. package/dist/server/api-client-core/apis/cms/authors-types.generated.d.ts +551 -0
  36. package/dist/server/api-client-core/apis/cms/authors.generated.d.ts +7 -0
  37. package/dist/server/api-client-core/apis/cms/authors.generated.js +163 -0
  38. package/dist/server/api-client-core/apis/cms/authors.generated.js.map +1 -0
  39. package/dist/server/api-client-core/apis/cms/blog-settings-types.generated.d.ts +366 -0
  40. package/dist/server/api-client-core/apis/cms/blog-settings.generated.d.ts +7 -0
  41. package/dist/server/api-client-core/apis/cms/blog-settings.generated.js +43 -0
  42. package/dist/server/api-client-core/apis/cms/blog-settings.generated.js.map +1 -0
  43. package/dist/server/api-client-core/apis/cms/cms-content-audit-types.generated.d.ts +157 -0
  44. package/dist/server/api-client-core/apis/cms/cms-content-audit.generated.d.ts +7 -0
  45. package/dist/server/api-client-core/apis/cms/cms-content-audit.generated.js +18 -0
  46. package/dist/server/api-client-core/apis/cms/cms-content-audit.generated.js.map +1 -0
  47. package/dist/server/api-client-core/apis/cms/domains-types.generated.d.ts +193 -0
  48. package/dist/server/api-client-core/apis/cms/domains.generated.d.ts +7 -0
  49. package/dist/server/api-client-core/apis/cms/domains.generated.js +20 -0
  50. package/dist/server/api-client-core/apis/cms/domains.generated.js.map +1 -0
  51. package/dist/server/api-client-core/apis/cms/hubdb-types.generated.d.ts +1097 -0
  52. package/dist/server/api-client-core/apis/cms/hubdb.generated.d.ts +7 -0
  53. package/dist/server/api-client-core/apis/cms/hubdb.generated.js +192 -0
  54. package/dist/server/api-client-core/apis/cms/hubdb.generated.js.map +1 -0
  55. package/dist/server/api-client-core/apis/cms/media-bridge-types.generated.d.ts +1780 -0
  56. package/dist/server/api-client-core/apis/cms/media-bridge.generated.d.ts +7 -0
  57. package/dist/server/api-client-core/apis/cms/media-bridge.generated.js +185 -0
  58. package/dist/server/api-client-core/apis/cms/media-bridge.generated.js.map +1 -0
  59. package/dist/server/api-client-core/apis/cms/pages-types.generated.d.ts +1768 -0
  60. package/dist/server/api-client-core/apis/cms/pages.generated.d.ts +7 -0
  61. package/dist/server/api-client-core/apis/cms/pages.generated.js +331 -0
  62. package/dist/server/api-client-core/apis/cms/pages.generated.js.map +1 -0
  63. package/dist/server/api-client-core/apis/cms/posts-types.generated.d.ts +1090 -0
  64. package/dist/server/api-client-core/apis/cms/posts.generated.d.ts +7 -0
  65. package/dist/server/api-client-core/apis/cms/posts.generated.js +201 -0
  66. package/dist/server/api-client-core/apis/cms/posts.generated.js.map +1 -0
  67. package/dist/server/api-client-core/apis/cms/site-search-types.generated.d.ts +200 -0
  68. package/dist/server/api-client-core/apis/cms/site-search.generated.d.ts +7 -0
  69. package/dist/server/api-client-core/apis/cms/site-search.generated.js +32 -0
  70. package/dist/server/api-client-core/apis/cms/site-search.generated.js.map +1 -0
  71. package/dist/server/api-client-core/apis/cms/source-code-types.generated.d.ts +218 -0
  72. package/dist/server/api-client-core/apis/cms/source-code.generated.d.ts +7 -0
  73. package/dist/server/api-client-core/apis/cms/source-code.generated.js +52 -0
  74. package/dist/server/api-client-core/apis/cms/source-code.generated.js.map +1 -0
  75. package/dist/server/api-client-core/apis/cms/tags-types.generated.d.ts +515 -0
  76. package/dist/server/api-client-core/apis/cms/tags.generated.d.ts +7 -0
  77. package/dist/server/api-client-core/apis/cms/tags.generated.js +163 -0
  78. package/dist/server/api-client-core/apis/cms/tags.generated.js.map +1 -0
  79. package/dist/server/api-client-core/apis/cms/url-mappings-types.generated.d.ts +177 -0
  80. package/dist/server/api-client-core/apis/cms/url-mappings.generated.d.ts +7 -0
  81. package/dist/server/api-client-core/apis/cms/url-mappings.generated.js +14 -0
  82. package/dist/server/api-client-core/apis/cms/url-mappings.generated.js.map +1 -0
  83. package/dist/server/api-client-core/apis/cms/url-redirects-types.generated.d.ts +226 -0
  84. package/dist/server/api-client-core/apis/cms/url-redirects.generated.d.ts +7 -0
  85. package/dist/server/api-client-core/apis/cms/url-redirects.generated.js +26 -0
  86. package/dist/server/api-client-core/apis/cms/url-redirects.generated.js.map +1 -0
  87. package/dist/server/api-client-core/apis/communication-preferences/subscriptions-types.generated.d.ts +802 -0
  88. package/dist/server/api-client-core/apis/communication-preferences/subscriptions.generated.d.ts +7 -0
  89. package/dist/server/api-client-core/apis/communication-preferences/subscriptions.generated.js +74 -0
  90. package/dist/server/api-client-core/apis/communication-preferences/subscriptions.generated.js.map +1 -0
  91. package/dist/server/api-client-core/apis/conversations/custom-channels-types.generated.d.ts +551 -0
  92. package/dist/server/api-client-core/apis/conversations/custom-channels.generated.d.ts +7 -0
  93. package/dist/server/api-client-core/apis/conversations/custom-channels.generated.js +80 -0
  94. package/dist/server/api-client-core/apis/conversations/custom-channels.generated.js.map +1 -0
  95. package/dist/server/api-client-core/apis/conversations/visitor-identification-types.generated.d.ts +60 -0
  96. package/dist/server/api-client-core/apis/conversations/visitor-identification.generated.d.ts +7 -0
  97. package/dist/server/api-client-core/apis/conversations/visitor-identification.generated.js +6 -0
  98. package/dist/server/api-client-core/apis/conversations/visitor-identification.generated.js.map +1 -0
  99. package/dist/server/api-client-core/apis/conversations-types.generated.d.ts +908 -0
  100. package/dist/server/api-client-core/apis/conversations.generated.d.ts +7 -0
  101. package/dist/server/api-client-core/apis/conversations.generated.js +108 -0
  102. package/dist/server/api-client-core/apis/conversations.generated.js.map +1 -0
  103. package/dist/server/api-client-core/apis/crm/app-uninstalls-types.generated.d.ts +37 -0
  104. package/dist/server/api-client-core/apis/crm/app-uninstalls.generated.d.ts +7 -0
  105. package/dist/server/api-client-core/apis/crm/app-uninstalls.generated.js +6 -0
  106. package/dist/server/api-client-core/apis/crm/app-uninstalls.generated.js.map +1 -0
  107. package/dist/server/api-client-core/apis/crm/appointments-types.generated.d.ts +989 -0
  108. package/dist/server/api-client-core/apis/crm/appointments.generated.d.ts +7 -0
  109. package/dist/server/api-client-core/apis/crm/appointments.generated.js +118 -0
  110. package/dist/server/api-client-core/apis/crm/appointments.generated.js.map +1 -0
  111. package/dist/server/api-client-core/apis/crm/associations-schema-types.generated.d.ts +329 -0
  112. package/dist/server/api-client-core/apis/crm/associations-schema.generated.d.ts +7 -0
  113. package/dist/server/api-client-core/apis/crm/associations-schema.generated.js +60 -0
  114. package/dist/server/api-client-core/apis/crm/associations-schema.generated.js.map +1 -0
  115. package/dist/server/api-client-core/apis/crm/associations-types.generated.d.ts +661 -0
  116. package/dist/server/api-client-core/apis/crm/associations.generated.d.ts +7 -0
  117. package/dist/server/api-client-core/apis/crm/associations.generated.js +83 -0
  118. package/dist/server/api-client-core/apis/crm/associations.generated.js.map +1 -0
  119. package/dist/server/api-client-core/apis/crm/calling-extensions-types.generated.d.ts +466 -0
  120. package/dist/server/api-client-core/apis/crm/calling-extensions.generated.d.ts +7 -0
  121. package/dist/server/api-client-core/apis/crm/calling-extensions.generated.js +42 -0
  122. package/dist/server/api-client-core/apis/crm/calling-extensions.generated.js.map +1 -0
  123. package/dist/server/api-client-core/apis/crm/calls-types.generated.d.ts +850 -0
  124. package/dist/server/api-client-core/apis/crm/calls.generated.d.ts +7 -0
  125. package/dist/server/api-client-core/apis/crm/calls.generated.js +66 -0
  126. package/dist/server/api-client-core/apis/crm/calls.generated.js.map +1 -0
  127. package/dist/server/api-client-core/apis/crm/carts-types.generated.d.ts +850 -0
  128. package/dist/server/api-client-core/apis/crm/carts.generated.d.ts +7 -0
  129. package/dist/server/api-client-core/apis/crm/carts.generated.js +66 -0
  130. package/dist/server/api-client-core/apis/crm/carts.generated.js.map +1 -0
  131. package/dist/server/api-client-core/apis/crm/commerce-payments-types.generated.d.ts +850 -0
  132. package/dist/server/api-client-core/apis/crm/commerce-payments.generated.d.ts +7 -0
  133. package/dist/server/api-client-core/apis/crm/commerce-payments.generated.js +66 -0
  134. package/dist/server/api-client-core/apis/crm/commerce-payments.generated.js.map +1 -0
  135. package/dist/server/api-client-core/apis/crm/commerce-subscriptions-types.generated.d.ts +847 -0
  136. package/dist/server/api-client-core/apis/crm/commerce-subscriptions.generated.d.ts +7 -0
  137. package/dist/server/api-client-core/apis/crm/commerce-subscriptions.generated.js +66 -0
  138. package/dist/server/api-client-core/apis/crm/commerce-subscriptions.generated.js.map +1 -0
  139. package/dist/server/api-client-core/apis/crm/communications-types.generated.d.ts +850 -0
  140. package/dist/server/api-client-core/apis/crm/communications.generated.d.ts +7 -0
  141. package/dist/server/api-client-core/apis/crm/communications.generated.js +66 -0
  142. package/dist/server/api-client-core/apis/crm/communications.generated.js.map +1 -0
  143. package/dist/server/api-client-core/apis/crm/companies-types.generated.d.ts +884 -0
  144. package/dist/server/api-client-core/apis/crm/companies.generated.d.ts +7 -0
  145. package/dist/server/api-client-core/apis/crm/companies.generated.js +67 -0
  146. package/dist/server/api-client-core/apis/crm/companies.generated.js.map +1 -0
  147. package/dist/server/api-client-core/apis/crm/contacts-types.generated.d.ts +899 -0
  148. package/dist/server/api-client-core/apis/crm/contacts.generated.d.ts +7 -0
  149. package/dist/server/api-client-core/apis/crm/contacts.generated.js +70 -0
  150. package/dist/server/api-client-core/apis/crm/contacts.generated.js.map +1 -0
  151. package/dist/server/api-client-core/apis/crm/contracts-types.generated.d.ts +850 -0
  152. package/dist/server/api-client-core/apis/crm/contracts.generated.d.ts +7 -0
  153. package/dist/server/api-client-core/apis/crm/contracts.generated.js +66 -0
  154. package/dist/server/api-client-core/apis/crm/contracts.generated.js.map +1 -0
  155. package/dist/server/api-client-core/apis/crm/courses-types.generated.d.ts +853 -0
  156. package/dist/server/api-client-core/apis/crm/courses.generated.d.ts +7 -0
  157. package/dist/server/api-client-core/apis/crm/courses.generated.js +66 -0
  158. package/dist/server/api-client-core/apis/crm/courses.generated.js.map +1 -0
  159. package/dist/server/api-client-core/apis/crm/crm-owners-types.generated.d.ts +140 -0
  160. package/dist/server/api-client-core/apis/crm/crm-owners.generated.d.ts +7 -0
  161. package/dist/server/api-client-core/apis/crm/crm-owners.generated.js +20 -0
  162. package/dist/server/api-client-core/apis/crm/crm-owners.generated.js.map +1 -0
  163. package/dist/server/api-client-core/apis/crm/custom-objects-types.generated.d.ts +934 -0
  164. package/dist/server/api-client-core/apis/crm/custom-objects.generated.d.ts +7 -0
  165. package/dist/server/api-client-core/apis/crm/custom-objects.generated.js +101 -0
  166. package/dist/server/api-client-core/apis/crm/custom-objects.generated.js.map +1 -0
  167. package/dist/server/api-client-core/apis/crm/deal-splits-types.generated.d.ts +196 -0
  168. package/dist/server/api-client-core/apis/crm/deal-splits.generated.d.ts +7 -0
  169. package/dist/server/api-client-core/apis/crm/deal-splits.generated.js +9 -0
  170. package/dist/server/api-client-core/apis/crm/deal-splits.generated.js.map +1 -0
  171. package/dist/server/api-client-core/apis/crm/deals-types.generated.d.ts +872 -0
  172. package/dist/server/api-client-core/apis/crm/deals.generated.d.ts +7 -0
  173. package/dist/server/api-client-core/apis/crm/deals.generated.js +67 -0
  174. package/dist/server/api-client-core/apis/crm/deals.generated.js.map +1 -0
  175. package/dist/server/api-client-core/apis/crm/discounts-types.generated.d.ts +846 -0
  176. package/dist/server/api-client-core/apis/crm/discounts.generated.d.ts +7 -0
  177. package/dist/server/api-client-core/apis/crm/discounts.generated.js +66 -0
  178. package/dist/server/api-client-core/apis/crm/discounts.generated.js.map +1 -0
  179. package/dist/server/api-client-core/apis/crm/emails-types.generated.d.ts +850 -0
  180. package/dist/server/api-client-core/apis/crm/emails.generated.d.ts +7 -0
  181. package/dist/server/api-client-core/apis/crm/emails.generated.js +66 -0
  182. package/dist/server/api-client-core/apis/crm/emails.generated.js.map +1 -0
  183. package/dist/server/api-client-core/apis/crm/exports-types.generated.d.ts +281 -0
  184. package/dist/server/api-client-core/apis/crm/exports.generated.d.ts +7 -0
  185. package/dist/server/api-client-core/apis/crm/exports.generated.js +12 -0
  186. package/dist/server/api-client-core/apis/crm/exports.generated.js.map +1 -0
  187. package/dist/server/api-client-core/apis/crm/feedback-submissions-types.generated.d.ts +616 -0
  188. package/dist/server/api-client-core/apis/crm/feedback-submissions.generated.d.ts +7 -0
  189. package/dist/server/api-client-core/apis/crm/feedback-submissions.generated.js +55 -0
  190. package/dist/server/api-client-core/apis/crm/feedback-submissions.generated.js.map +1 -0
  191. package/dist/server/api-client-core/apis/crm/fees-types.generated.d.ts +850 -0
  192. package/dist/server/api-client-core/apis/crm/fees.generated.d.ts +7 -0
  193. package/dist/server/api-client-core/apis/crm/fees.generated.js +66 -0
  194. package/dist/server/api-client-core/apis/crm/fees.generated.js.map +1 -0
  195. package/dist/server/api-client-core/apis/crm/goal-targets-types.generated.d.ts +850 -0
  196. package/dist/server/api-client-core/apis/crm/goal-targets.generated.d.ts +7 -0
  197. package/dist/server/api-client-core/apis/crm/goal-targets.generated.js +66 -0
  198. package/dist/server/api-client-core/apis/crm/goal-targets.generated.js.map +1 -0
  199. package/dist/server/api-client-core/apis/crm/imports-types.generated.d.ts +371 -0
  200. package/dist/server/api-client-core/apis/crm/imports.generated.d.ts +7 -0
  201. package/dist/server/api-client-core/apis/crm/imports.generated.js +30 -0
  202. package/dist/server/api-client-core/apis/crm/imports.generated.js.map +1 -0
  203. package/dist/server/api-client-core/apis/crm/invoices-types.generated.d.ts +850 -0
  204. package/dist/server/api-client-core/apis/crm/invoices.generated.d.ts +7 -0
  205. package/dist/server/api-client-core/apis/crm/invoices.generated.js +66 -0
  206. package/dist/server/api-client-core/apis/crm/invoices.generated.js.map +1 -0
  207. package/dist/server/api-client-core/apis/crm/leads-types.generated.d.ts +850 -0
  208. package/dist/server/api-client-core/apis/crm/leads.generated.d.ts +7 -0
  209. package/dist/server/api-client-core/apis/crm/leads.generated.js +66 -0
  210. package/dist/server/api-client-core/apis/crm/leads.generated.js.map +1 -0
  211. package/dist/server/api-client-core/apis/crm/limits-tracking-types.generated.d.ts +331 -0
  212. package/dist/server/api-client-core/apis/crm/limits-tracking.generated.d.ts +7 -0
  213. package/dist/server/api-client-core/apis/crm/limits-tracking.generated.js +22 -0
  214. package/dist/server/api-client-core/apis/crm/limits-tracking.generated.js.map +1 -0
  215. package/dist/server/api-client-core/apis/crm/line-items-types.generated.d.ts +850 -0
  216. package/dist/server/api-client-core/apis/crm/line-items.generated.d.ts +7 -0
  217. package/dist/server/api-client-core/apis/crm/line-items.generated.js +66 -0
  218. package/dist/server/api-client-core/apis/crm/line-items.generated.js.map +1 -0
  219. package/dist/server/api-client-core/apis/crm/listings-types.generated.d.ts +853 -0
  220. package/dist/server/api-client-core/apis/crm/listings.generated.d.ts +7 -0
  221. package/dist/server/api-client-core/apis/crm/listings.generated.js +66 -0
  222. package/dist/server/api-client-core/apis/crm/listings.generated.js.map +1 -0
  223. package/dist/server/api-client-core/apis/crm/lists-types.generated.d.ts +2265 -0
  224. package/dist/server/api-client-core/apis/crm/lists.generated.d.ts +7 -0
  225. package/dist/server/api-client-core/apis/crm/lists.generated.js +105 -0
  226. package/dist/server/api-client-core/apis/crm/lists.generated.js.map +1 -0
  227. package/dist/server/api-client-core/apis/crm/meetings-types.generated.d.ts +850 -0
  228. package/dist/server/api-client-core/apis/crm/meetings.generated.d.ts +7 -0
  229. package/dist/server/api-client-core/apis/crm/meetings.generated.js +66 -0
  230. package/dist/server/api-client-core/apis/crm/meetings.generated.js.map +1 -0
  231. package/dist/server/api-client-core/apis/crm/notes-types.generated.d.ts +850 -0
  232. package/dist/server/api-client-core/apis/crm/notes.generated.d.ts +7 -0
  233. package/dist/server/api-client-core/apis/crm/notes.generated.js +66 -0
  234. package/dist/server/api-client-core/apis/crm/notes.generated.js.map +1 -0
  235. package/dist/server/api-client-core/apis/crm/object-library-types.generated.d.ts +60 -0
  236. package/dist/server/api-client-core/apis/crm/object-library.generated.d.ts +7 -0
  237. package/dist/server/api-client-core/apis/crm/object-library.generated.js +9 -0
  238. package/dist/server/api-client-core/apis/crm/object-library.generated.js.map +1 -0
  239. package/dist/server/api-client-core/apis/crm/objects-types.generated.d.ts +712 -0
  240. package/dist/server/api-client-core/apis/crm/objects.generated.d.ts +7 -0
  241. package/dist/server/api-client-core/apis/crm/objects.generated.js +76 -0
  242. package/dist/server/api-client-core/apis/crm/objects.generated.js.map +1 -0
  243. package/dist/server/api-client-core/apis/crm/orders-types.generated.d.ts +850 -0
  244. package/dist/server/api-client-core/apis/crm/orders.generated.d.ts +7 -0
  245. package/dist/server/api-client-core/apis/crm/orders.generated.js +66 -0
  246. package/dist/server/api-client-core/apis/crm/orders.generated.js.map +1 -0
  247. package/dist/server/api-client-core/apis/crm/partner-clients-types.generated.d.ts +725 -0
  248. package/dist/server/api-client-core/apis/crm/partner-clients.generated.d.ts +7 -0
  249. package/dist/server/api-client-core/apis/crm/partner-clients.generated.js +71 -0
  250. package/dist/server/api-client-core/apis/crm/partner-clients.generated.js.map +1 -0
  251. package/dist/server/api-client-core/apis/crm/partner-services-types.generated.d.ts +725 -0
  252. package/dist/server/api-client-core/apis/crm/partner-services.generated.d.ts +7 -0
  253. package/dist/server/api-client-core/apis/crm/partner-services.generated.js +71 -0
  254. package/dist/server/api-client-core/apis/crm/partner-services.generated.js.map +1 -0
  255. package/dist/server/api-client-core/apis/crm/pipelines-types.generated.d.ts +430 -0
  256. package/dist/server/api-client-core/apis/crm/pipelines.generated.d.ts +7 -0
  257. package/dist/server/api-client-core/apis/crm/pipelines.generated.js +94 -0
  258. package/dist/server/api-client-core/apis/crm/pipelines.generated.js.map +1 -0
  259. package/dist/server/api-client-core/apis/crm/postal-mail-types.generated.d.ts +844 -0
  260. package/dist/server/api-client-core/apis/crm/postal-mail.generated.d.ts +7 -0
  261. package/dist/server/api-client-core/apis/crm/postal-mail.generated.js +66 -0
  262. package/dist/server/api-client-core/apis/crm/postal-mail.generated.js.map +1 -0
  263. package/dist/server/api-client-core/apis/crm/products-types.generated.d.ts +850 -0
  264. package/dist/server/api-client-core/apis/crm/products.generated.d.ts +7 -0
  265. package/dist/server/api-client-core/apis/crm/products.generated.js +66 -0
  266. package/dist/server/api-client-core/apis/crm/products.generated.js.map +1 -0
  267. package/dist/server/api-client-core/apis/crm/projects-types.generated.d.ts +881 -0
  268. package/dist/server/api-client-core/apis/crm/projects.generated.d.ts +7 -0
  269. package/dist/server/api-client-core/apis/crm/projects.generated.js +67 -0
  270. package/dist/server/api-client-core/apis/crm/projects.generated.js.map +1 -0
  271. package/dist/server/api-client-core/apis/crm/properties-types.generated.d.ts +603 -0
  272. package/dist/server/api-client-core/apis/crm/properties.generated.d.ts +7 -0
  273. package/dist/server/api-client-core/apis/crm/properties.generated.js +86 -0
  274. package/dist/server/api-client-core/apis/crm/properties.generated.js.map +1 -0
  275. package/dist/server/api-client-core/apis/crm/property-validations-types.generated.d.ts +121 -0
  276. package/dist/server/api-client-core/apis/crm/property-validations.generated.d.ts +7 -0
  277. package/dist/server/api-client-core/apis/crm/property-validations.generated.js +25 -0
  278. package/dist/server/api-client-core/apis/crm/property-validations.generated.js.map +1 -0
  279. package/dist/server/api-client-core/apis/crm/public-app-crm-cards-types.generated.d.ts +486 -0
  280. package/dist/server/api-client-core/apis/crm/public-app-crm-cards.generated.d.ts +7 -0
  281. package/dist/server/api-client-core/apis/crm/public-app-crm-cards.generated.js +34 -0
  282. package/dist/server/api-client-core/apis/crm/public-app-crm-cards.generated.js.map +1 -0
  283. package/dist/server/api-client-core/apis/crm/public-app-feature-flags-types.generated.d.ts +247 -0
  284. package/dist/server/api-client-core/apis/crm/public-app-feature-flags.generated.d.ts +7 -0
  285. package/dist/server/api-client-core/apis/crm/public-app-feature-flags.generated.js +69 -0
  286. package/dist/server/api-client-core/apis/crm/public-app-feature-flags.generated.js.map +1 -0
  287. package/dist/server/api-client-core/apis/crm/quotes-types.generated.d.ts +850 -0
  288. package/dist/server/api-client-core/apis/crm/quotes.generated.d.ts +7 -0
  289. package/dist/server/api-client-core/apis/crm/quotes.generated.js +66 -0
  290. package/dist/server/api-client-core/apis/crm/quotes.generated.js.map +1 -0
  291. package/dist/server/api-client-core/apis/crm/schemas-types.generated.d.ts +669 -0
  292. package/dist/server/api-client-core/apis/crm/schemas.generated.d.ts +7 -0
  293. package/dist/server/api-client-core/apis/crm/schemas.generated.js +41 -0
  294. package/dist/server/api-client-core/apis/crm/schemas.generated.js.map +1 -0
  295. package/dist/server/api-client-core/apis/crm/services-types.generated.d.ts +853 -0
  296. package/dist/server/api-client-core/apis/crm/services.generated.d.ts +7 -0
  297. package/dist/server/api-client-core/apis/crm/services.generated.js +66 -0
  298. package/dist/server/api-client-core/apis/crm/services.generated.js.map +1 -0
  299. package/dist/server/api-client-core/apis/crm/tasks-types.generated.d.ts +850 -0
  300. package/dist/server/api-client-core/apis/crm/tasks.generated.d.ts +7 -0
  301. package/dist/server/api-client-core/apis/crm/tasks.generated.js +66 -0
  302. package/dist/server/api-client-core/apis/crm/tasks.generated.js.map +1 -0
  303. package/dist/server/api-client-core/apis/crm/taxes-types.generated.d.ts +850 -0
  304. package/dist/server/api-client-core/apis/crm/taxes.generated.d.ts +7 -0
  305. package/dist/server/api-client-core/apis/crm/taxes.generated.js +66 -0
  306. package/dist/server/api-client-core/apis/crm/taxes.generated.js.map +1 -0
  307. package/dist/server/api-client-core/apis/crm/tickets-types.generated.d.ts +884 -0
  308. package/dist/server/api-client-core/apis/crm/tickets.generated.d.ts +7 -0
  309. package/dist/server/api-client-core/apis/crm/tickets.generated.js +67 -0
  310. package/dist/server/api-client-core/apis/crm/tickets.generated.js.map +1 -0
  311. package/dist/server/api-client-core/apis/crm/timeline-types.generated.d.ts +187 -0
  312. package/dist/server/api-client-core/apis/crm/timeline.generated.d.ts +7 -0
  313. package/dist/server/api-client-core/apis/crm/timeline.generated.js +12 -0
  314. package/dist/server/api-client-core/apis/crm/timeline.generated.js.map +1 -0
  315. package/dist/server/api-client-core/apis/crm/transcriptions-types.generated.d.ts +152 -0
  316. package/dist/server/api-client-core/apis/crm/transcriptions.generated.d.ts +7 -0
  317. package/dist/server/api-client-core/apis/crm/transcriptions.generated.js +15 -0
  318. package/dist/server/api-client-core/apis/crm/transcriptions.generated.js.map +1 -0
  319. package/dist/server/api-client-core/apis/crm/users-types.generated.d.ts +850 -0
  320. package/dist/server/api-client-core/apis/crm/users.generated.d.ts +7 -0
  321. package/dist/server/api-client-core/apis/crm/users.generated.js +66 -0
  322. package/dist/server/api-client-core/apis/crm/users.generated.js.map +1 -0
  323. package/dist/server/api-client-core/apis/crm/video-conferencing-extension-types.generated.d.ts +72 -0
  324. package/dist/server/api-client-core/apis/crm/video-conferencing-extension.generated.d.ts +7 -0
  325. package/dist/server/api-client-core/apis/crm/video-conferencing-extension.generated.js +13 -0
  326. package/dist/server/api-client-core/apis/crm/video-conferencing-extension.generated.js.map +1 -0
  327. package/dist/server/api-client-core/apis/events/manage-event-definitions-types.generated.d.ts +1005 -0
  328. package/dist/server/api-client-core/apis/events/manage-event-definitions.generated.d.ts +7 -0
  329. package/dist/server/api-client-core/apis/events/manage-event-definitions.generated.js +39 -0
  330. package/dist/server/api-client-core/apis/events/manage-event-definitions.generated.js.map +1 -0
  331. package/dist/server/api-client-core/apis/events/send-event-completions-types.generated.d.ts +94 -0
  332. package/dist/server/api-client-core/apis/events/send-event-completions.generated.d.ts +7 -0
  333. package/dist/server/api-client-core/apis/events/send-event-completions.generated.js +9 -0
  334. package/dist/server/api-client-core/apis/events/send-event-completions.generated.js.map +1 -0
  335. package/dist/server/api-client-core/apis/events-types.generated.d.ts +137 -0
  336. package/dist/server/api-client-core/apis/events.generated.d.ts +7 -0
  337. package/dist/server/api-client-core/apis/events.generated.js +23 -0
  338. package/dist/server/api-client-core/apis/events.generated.js.map +1 -0
  339. package/dist/server/api-client-core/apis/files-types.generated.d.ts +791 -0
  340. package/dist/server/api-client-core/apis/files.generated.d.ts +7 -0
  341. package/dist/server/api-client-core/apis/files.generated.js +119 -0
  342. package/dist/server/api-client-core/apis/files.generated.js.map +1 -0
  343. package/dist/server/api-client-core/apis/marketing/campaigns-public-api-types.generated.d.ts +989 -0
  344. package/dist/server/api-client-core/apis/marketing/campaigns-public-api.generated.d.ts +7 -0
  345. package/dist/server/api-client-core/apis/marketing/campaigns-public-api.generated.js +139 -0
  346. package/dist/server/api-client-core/apis/marketing/campaigns-public-api.generated.js.map +1 -0
  347. package/dist/server/api-client-core/apis/marketing/marketing-emails-types.generated.d.ts +883 -0
  348. package/dist/server/api-client-core/apis/marketing/marketing-emails.generated.d.ts +7 -0
  349. package/dist/server/api-client-core/apis/marketing/marketing-emails.generated.js +108 -0
  350. package/dist/server/api-client-core/apis/marketing/marketing-emails.generated.js.map +1 -0
  351. package/dist/server/api-client-core/apis/marketing/marketing-events-types.generated.d.ts +1788 -0
  352. package/dist/server/api-client-core/apis/marketing/marketing-events.generated.d.ts +7 -0
  353. package/dist/server/api-client-core/apis/marketing/marketing-events.generated.js +176 -0
  354. package/dist/server/api-client-core/apis/marketing/marketing-events.generated.js.map +1 -0
  355. package/dist/server/api-client-core/apis/marketing/single-send-types.generated.d.ts +123 -0
  356. package/dist/server/api-client-core/apis/marketing/single-send.generated.d.ts +7 -0
  357. package/dist/server/api-client-core/apis/marketing/single-send.generated.js +6 -0
  358. package/dist/server/api-client-core/apis/marketing/single-send.generated.js.map +1 -0
  359. package/dist/server/api-client-core/apis/marketing/transactional-single-send-types.generated.d.ts +257 -0
  360. package/dist/server/api-client-core/apis/marketing/transactional-single-send.generated.d.ts +7 -0
  361. package/dist/server/api-client-core/apis/marketing/transactional-single-send.generated.js +20 -0
  362. package/dist/server/api-client-core/apis/marketing/transactional-single-send.generated.js.map +1 -0
  363. package/dist/server/api-client-core/apis/meta/origins-types.generated.d.ts +77 -0
  364. package/dist/server/api-client-core/apis/meta/origins.generated.d.ts +7 -0
  365. package/dist/server/api-client-core/apis/meta/origins.generated.js +15 -0
  366. package/dist/server/api-client-core/apis/meta/origins.generated.js.map +1 -0
  367. package/dist/server/api-client-core/apis/scheduler/meetings-types.generated.d.ts +913 -0
  368. package/dist/server/api-client-core/apis/scheduler/meetings.generated.d.ts +7 -0
  369. package/dist/server/api-client-core/apis/scheduler/meetings.generated.js +34 -0
  370. package/dist/server/api-client-core/apis/scheduler/meetings.generated.js.map +1 -0
  371. package/dist/server/api-client-core/apis/settings/multicurrency-types.generated.d.ts +404 -0
  372. package/dist/server/api-client-core/apis/settings/multicurrency.generated.d.ts +7 -0
  373. package/dist/server/api-client-core/apis/settings/multicurrency.generated.js +38 -0
  374. package/dist/server/api-client-core/apis/settings/multicurrency.generated.js.map +1 -0
  375. package/dist/server/api-client-core/apis/settings/tax-rates-types.generated.d.ts +111 -0
  376. package/dist/server/api-client-core/apis/settings/tax-rates.generated.d.ts +7 -0
  377. package/dist/server/api-client-core/apis/settings/tax-rates.generated.js +13 -0
  378. package/dist/server/api-client-core/apis/settings/tax-rates.generated.js.map +1 -0
  379. package/dist/server/api-client-core/apis/settings/user-provisioning-types.generated.d.ts +297 -0
  380. package/dist/server/api-client-core/apis/settings/user-provisioning.generated.d.ts +7 -0
  381. package/dist/server/api-client-core/apis/settings/user-provisioning.generated.js +31 -0
  382. package/dist/server/api-client-core/apis/settings/user-provisioning.generated.js.map +1 -0
  383. package/dist/server/api-client-core/apis/webhooks-journal-types.generated.d.ts +643 -0
  384. package/dist/server/api-client-core/apis/webhooks-journal.generated.d.ts +7 -0
  385. package/dist/server/api-client-core/apis/webhooks-journal.generated.js +75 -0
  386. package/dist/server/api-client-core/apis/webhooks-journal.generated.js.map +1 -0
  387. package/dist/server/api-client-core/apis/webhooks-types.generated.d.ts +1016 -0
  388. package/dist/server/api-client-core/apis/webhooks.generated.d.ts +7 -0
  389. package/dist/server/api-client-core/apis/webhooks.generated.js +105 -0
  390. package/dist/server/api-client-core/apis/webhooks.generated.js.map +1 -0
  391. package/dist/server/api-client-core/binary-data.d.ts +33 -0
  392. package/dist/server/api-client-core/binary-data.js +29 -0
  393. package/dist/server/api-client-core/binary-data.js.map +1 -0
  394. package/dist/server/api-client-core/client.d.ts +14 -0
  395. package/dist/server/{binary-data-BOalJzKu.js → api-client-core/client.js} +3 -58
  396. package/dist/server/api-client-core/client.js.map +1 -0
  397. package/dist/server/api-client-core/codegen-helpers/file-op-wrappers.js +25 -0
  398. package/dist/server/api-client-core/codegen-helpers/file-op-wrappers.js.map +1 -0
  399. package/dist/server/api-client-core/errors.d.ts +27 -0
  400. package/dist/server/api-client-core/errors.js +33 -0
  401. package/dist/server/api-client-core/errors.js.map +1 -0
  402. package/dist/server/api-client-core/op.d.ts +37 -0
  403. package/dist/server/api-client-core/op.js +44 -0
  404. package/dist/server/api-client-core/op.js.map +1 -0
  405. package/dist/server/api-client-core/pagination.d.ts +60 -0
  406. package/dist/server/api-client-core/pagination.js +103 -0
  407. package/dist/server/api-client-core/pagination.js.map +1 -0
  408. package/dist/server/api-client-core/plugins/fetch-transport.js +76 -0
  409. package/dist/server/api-client-core/plugins/fetch-transport.js.map +1 -0
  410. package/dist/server/{types-DEOUH4wE.d.ts → api-client-core/types.d.ts} +2 -2
  411. package/dist/server/api-client.d.ts +197 -60625
  412. package/dist/server/api-client.js +100 -5826
  413. package/dist/server/constants.js +73 -0
  414. package/dist/server/constants.js.map +1 -0
  415. package/dist/server/deno/start.d.ts +12 -0
  416. package/dist/server/deno/start.js +21 -0
  417. package/dist/server/deno/start.js.map +1 -0
  418. package/dist/server/hono/hono-request-handler.js +59 -0
  419. package/dist/server/hono/hono-request-handler.js.map +1 -0
  420. package/dist/server/hono/hubspot-connect-routes/auth-complete.js +154 -0
  421. package/dist/server/hono/hubspot-connect-routes/auth-complete.js.map +1 -0
  422. package/dist/server/hono/hubspot-connect-routes/auth-init-session.js +101 -0
  423. package/dist/server/hono/hubspot-connect-routes/auth-init-session.js.map +1 -0
  424. package/dist/server/hono/hubspot-connect-routes/auth-logout.js +114 -0
  425. package/dist/server/hono/hubspot-connect-routes/auth-logout.js.map +1 -0
  426. package/dist/server/hono/hubspot-connect-routes/auth-refresh.js +107 -0
  427. package/dist/server/hono/hubspot-connect-routes/auth-refresh.js.map +1 -0
  428. package/dist/server/hono/hubspot-connect-routes/cimd-client-metadata-types.d.ts +16 -0
  429. package/dist/server/hono/hubspot-connect-routes/cimd-client-metadata-types.js +13 -0
  430. package/dist/server/hono/hubspot-connect-routes/cimd-client-metadata-types.js.map +1 -0
  431. package/dist/server/hono/hubspot-connect-routes/cimd-public-routes.js +42 -0
  432. package/dist/server/hono/hubspot-connect-routes/cimd-public-routes.js.map +1 -0
  433. package/dist/server/hono/hubspot-connect-routes/constants.js +8 -0
  434. package/dist/server/hono/hubspot-connect-routes/constants.js.map +1 -0
  435. package/dist/server/hono/hubspot-connect-routes/fetch-hubspot-client-metadata.js +43 -0
  436. package/dist/server/hono/hubspot-connect-routes/fetch-hubspot-client-metadata.js.map +1 -0
  437. package/dist/server/hono/hubspot-connect-routes/hubspot-connect-routes.js +37 -0
  438. package/dist/server/hono/hubspot-connect-routes/hubspot-connect-routes.js.map +1 -0
  439. package/dist/server/hono/hubspot-connect-routes/load-hubspot-connect-routes-env.js +34 -0
  440. package/dist/server/hono/hubspot-connect-routes/load-hubspot-connect-routes-env.js.map +1 -0
  441. package/dist/server/hono/hubspot-connect-routes/oauth-client.js +104 -0
  442. package/dist/server/hono/hubspot-connect-routes/oauth-client.js.map +1 -0
  443. package/dist/server/hono/hubspot-connect-routes/utils.js +120 -0
  444. package/dist/server/hono/hubspot-connect-routes/utils.js.map +1 -0
  445. package/dist/server/hono/index.js +4 -0
  446. package/dist/server/hono/types.d.ts +32 -0
  447. package/dist/server/hono/utils/cookie-utils.js +30 -0
  448. package/dist/server/hono/utils/cookie-utils.js.map +1 -0
  449. package/dist/server/hono/utils/cors-middleware.js +85 -0
  450. package/dist/server/hono/utils/cors-middleware.js.map +1 -0
  451. package/dist/server/import-app-keys.js +42 -0
  452. package/dist/server/import-app-keys.js.map +1 -0
  453. package/dist/server/lovable/create-app-function-start.d.ts +26 -0
  454. package/dist/server/lovable/create-app-function-start.js +28 -0
  455. package/dist/server/lovable/create-app-function-start.js.map +1 -0
  456. package/dist/server/lovable/hubspot-connect/index.d.ts +15 -0
  457. package/dist/server/lovable/hubspot-connect/index.js +20 -0
  458. package/dist/server/lovable/hubspot-connect/index.js.map +1 -0
  459. package/dist/server/lovable/hubspot-connect/run-hubspot-connect-lovable-server.js +27 -0
  460. package/dist/server/lovable/hubspot-connect/run-hubspot-connect-lovable-server.js.map +1 -0
  461. package/dist/server/lovable.d.ts +6 -117
  462. package/dist/server/lovable.js +3 -1458
  463. package/dist/server/oauth.d.ts +6 -128
  464. package/dist/server/oauth.js +4 -1
  465. package/dist/server/proxy.js +68 -0
  466. package/dist/server/proxy.js.map +1 -0
  467. package/dist/server/sanitize-request.js +55 -0
  468. package/dist/server/sanitize-request.js.map +1 -0
  469. package/dist/server/secure-start-core.d.ts +23 -0
  470. package/dist/server/secure-start-core.js +27 -0
  471. package/dist/server/secure-start-core.js.map +1 -0
  472. package/dist/server/shared/constants.js +30 -0
  473. package/dist/server/shared/constants.js.map +1 -0
  474. package/dist/server/shared/encoding/base64.js +45 -0
  475. package/dist/server/shared/encoding/base64.js.map +1 -0
  476. package/dist/server/shared/encoding/sha256.d.ts +10 -0
  477. package/dist/server/shared/encoding/sha256.js +15 -0
  478. package/dist/server/shared/encoding/sha256.js.map +1 -0
  479. package/dist/server/shared/logger.d.ts +15 -0
  480. package/dist/server/shared/logger.js +16 -0
  481. package/dist/server/shared/logger.js.map +1 -0
  482. package/dist/server/{types-5gfN91Fq.d.ts → types.d.ts} +4 -4
  483. package/dist/server/utils/cookie-utils.js +21 -0
  484. package/dist/server/utils/cookie-utils.js.map +1 -0
  485. package/dist/server/utils/dpop-utils.d.ts +67 -0
  486. package/dist/server/utils/dpop-utils.js +75 -0
  487. package/dist/server/utils/dpop-utils.js.map +1 -0
  488. package/dist/server/utils/env-utils.js +107 -0
  489. package/dist/server/utils/env-utils.js.map +1 -0
  490. package/dist/server/utils/jwk-utils.d.ts +16 -0
  491. package/dist/server/utils/jwk-utils.js +24 -0
  492. package/dist/server/utils/jwk-utils.js.map +1 -0
  493. package/dist/server/utils/jwt-utils.d.ts +39 -0
  494. package/dist/server/utils/jwt-utils.js +87 -0
  495. package/dist/server/utils/jwt-utils.js.map +1 -0
  496. package/package.json +3 -3
  497. package/src/browser/app-connect-controller/connect-start.ts +1 -2
  498. package/src/server/hono/hubspot-connect-routes/load-hubspot-connect-routes-env.test.ts +17 -24
  499. package/src/server/hono/hubspot-connect-routes/load-hubspot-connect-routes-env.ts +8 -8
  500. package/src/server/lovable/hubspot-connect/run-hubspot-connect-lovable-server.ts +2 -3
  501. package/src/server/proxy.test.ts +1 -1
  502. package/src/server/proxy.ts +7 -4
  503. package/src/server/secure-start-core.ts +7 -6
  504. package/src/server/types.ts +2 -2
  505. package/src/server/utils/env-utils.test.ts +140 -12
  506. package/src/server/utils/env-utils.ts +80 -6
  507. package/tsdown.config.ts +1 -1
  508. package/dist/browser/create-hzqjIhmO.js.map +0 -1
  509. package/dist/server/api-client.js.map +0 -1
  510. package/dist/server/binary-data-BOalJzKu.js.map +0 -1
  511. package/dist/server/lovable.js.map +0 -1
  512. package/dist/server/sha256-B7y8GBFB.js +0 -228
  513. package/dist/server/sha256-B7y8GBFB.js.map +0 -1
@@ -0,0 +1,73 @@
1
+ //#region src/server/constants.ts
2
+ /**
3
+ * Cookie name carrying the DPoP-bound access token. Uses the
4
+ * `__Host-` prefix so the browser only accepts it from a `Secure`
5
+ * response with `Path=/` — a defense-in-depth against subdomain
6
+ * cookie injection.
7
+ */
8
+ const HUBSPOT_ACCESS_TOKEN_COOKIE_NAME = "__Host-hs_access_token";
9
+ /**
10
+ * Cookie carrying the opaque app-session ID. Hashed before being put
11
+ * on the wire as a DPoP `sid` claim.
12
+ */
13
+ const HUBSPOT_APP_SID_COOKIE_NAME = "__Host-hs_app_sid";
14
+ /**
15
+ * Cookie pinning the browser-facing app origin (e.g.
16
+ * `https://app.example.com`) for the lifetime of an app session.
17
+ * Set by `auth/init-session` from the request's `Origin` header and
18
+ * read by:
19
+ *
20
+ * - The CORS middleware to emit a credentialed
21
+ * `Access-Control-Allow-Origin` value (`*` is forbidden when
22
+ * `Access-Control-Allow-Credentials: true`).
23
+ * - `auth/complete` to rebuild the OAuth `redirect_uri` it sent to
24
+ * HubSpot during `init-session` (the token endpoint validates that
25
+ * the two values match).
26
+ *
27
+ * `__Host-` prefixed (Path=/, Secure, no Domain), so the same
28
+ * function host can serve both `hubspot-connect` and `api` routes
29
+ * and read the cookie from either.
30
+ */
31
+ const HUBSPOT_APP_ORIGIN_COOKIE_NAME = "__Host-hs_app_origin";
32
+ /**
33
+ * Prefix used for refresh-token cookies. Each session gets its own
34
+ * cookie name (`hs_refresh_<sidHash>`) so multiple devices/tabs can
35
+ * coexist without overwriting each other's refresh tokens.
36
+ */
37
+ const HUBSPOT_REFRESH_COOKIE_PREFIX = "hs_refresh_";
38
+ const PROTECTED_COOKIE_NAMES = new Set([
39
+ HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,
40
+ HUBSPOT_APP_SID_COOKIE_NAME,
41
+ HUBSPOT_APP_ORIGIN_COOKIE_NAME
42
+ ]);
43
+ /**
44
+ * Returns `true` for cookies the SDK manages internally
45
+ * (access token, session ID, any refresh-token cookie). The
46
+ * `sanitizeRequest` helper uses this to strip these cookies from the
47
+ * request before user code sees it, ensuring user route handlers
48
+ * cannot accidentally leak them in logs or proxy them upstream.
49
+ */
50
+ function isProtectedCookieName(cookieName) {
51
+ return PROTECTED_COOKIE_NAMES.has(cookieName) || cookieName.startsWith("hs_refresh_");
52
+ }
53
+ /**
54
+ * Cookie carrying the PKCE code verifier between `init-session` and
55
+ * `auth/complete`. Set with `SameSite=None; Secure; Partitioned` so the
56
+ * frontend's credentialed cross-site `POST /auth/complete` (made from
57
+ * the OAuth callback page on the app origin to the SDK's edge function
58
+ * origin) carries it through. `Lax` would silently drop it on that
59
+ * fetch, breaking every successful HubSpot redirect.
60
+ */
61
+ const TEMP_COOKIE_PKCE_VERIFIER = "__hs_pkce_verifier";
62
+ /**
63
+ * Cookie carrying the OAuth `state` value between `init-session` and
64
+ * `auth/complete`. Compared against the `state` query parameter as the
65
+ * primary CSRF defense. Same `SameSite=None; Secure; Partitioned`
66
+ * attributes as `TEMP_COOKIE_PKCE_VERIFIER` for the same cross-site
67
+ * `POST /auth/complete` reason.
68
+ */
69
+ const TEMP_COOKIE_OAUTH_STATE = "__hs_oauth_state";
70
+ //#endregion
71
+ export { HUBSPOT_ACCESS_TOKEN_COOKIE_NAME, HUBSPOT_APP_ORIGIN_COOKIE_NAME, HUBSPOT_APP_SID_COOKIE_NAME, HUBSPOT_REFRESH_COOKIE_PREFIX, TEMP_COOKIE_OAUTH_STATE, TEMP_COOKIE_PKCE_VERIFIER, isProtectedCookieName };
72
+
73
+ //# sourceMappingURL=constants.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"constants.js","names":[],"sources":["../../src/server/constants.ts"],"sourcesContent":["/**\n * Cookie name carrying the DPoP-bound access token. Uses the\n * `__Host-` prefix so the browser only accepts it from a `Secure`\n * response with `Path=/` — a defense-in-depth against subdomain\n * cookie injection.\n */\nexport const HUBSPOT_ACCESS_TOKEN_COOKIE_NAME = '__Host-hs_access_token';\n\n/**\n * Cookie carrying the opaque app-session ID. Hashed before being put\n * on the wire as a DPoP `sid` claim.\n */\nexport const HUBSPOT_APP_SID_COOKIE_NAME = '__Host-hs_app_sid';\n\n/**\n * Cookie pinning the browser-facing app origin (e.g.\n * `https://app.example.com`) for the lifetime of an app session.\n * Set by `auth/init-session` from the request's `Origin` header and\n * read by:\n *\n * - The CORS middleware to emit a credentialed\n * `Access-Control-Allow-Origin` value (`*` is forbidden when\n * `Access-Control-Allow-Credentials: true`).\n * - `auth/complete` to rebuild the OAuth `redirect_uri` it sent to\n * HubSpot during `init-session` (the token endpoint validates that\n * the two values match).\n *\n * `__Host-` prefixed (Path=/, Secure, no Domain), so the same\n * function host can serve both `hubspot-connect` and `api` routes\n * and read the cookie from either.\n */\nexport const HUBSPOT_APP_ORIGIN_COOKIE_NAME = '__Host-hs_app_origin';\n\n/**\n * Prefix used for refresh-token cookies. Each session gets its own\n * cookie name (`hs_refresh_<sidHash>`) so multiple devices/tabs can\n * coexist without overwriting each other's refresh tokens.\n */\nexport const HUBSPOT_REFRESH_COOKIE_PREFIX = 'hs_refresh_';\n\nconst PROTECTED_COOKIE_NAMES = new Set([\n HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n HUBSPOT_APP_SID_COOKIE_NAME,\n HUBSPOT_APP_ORIGIN_COOKIE_NAME,\n]);\n\n/**\n * Returns `true` for cookies the SDK manages internally\n * (access token, session ID, any refresh-token cookie). The\n * `sanitizeRequest` helper uses this to strip these cookies from the\n * request before user code sees it, ensuring user route handlers\n * cannot accidentally leak them in logs or proxy them upstream.\n */\nexport function isProtectedCookieName(cookieName: string): boolean {\n return (\n PROTECTED_COOKIE_NAMES.has(cookieName) ||\n cookieName.startsWith(HUBSPOT_REFRESH_COOKIE_PREFIX)\n );\n}\n\n/**\n * Cookie carrying the PKCE code verifier between `init-session` and\n * `auth/complete`. Set with `SameSite=None; Secure; Partitioned` so the\n * frontend's credentialed cross-site `POST /auth/complete` (made from\n * the OAuth callback page on the app origin to the SDK's edge function\n * origin) carries it through. `Lax` would silently drop it on that\n * fetch, breaking every successful HubSpot redirect.\n */\nexport const TEMP_COOKIE_PKCE_VERIFIER = '__hs_pkce_verifier';\n\n/**\n * Cookie carrying the OAuth `state` value between `init-session` and\n * `auth/complete`. Compared against the `state` query parameter as the\n * primary CSRF defense. Same `SameSite=None; Secure; Partitioned`\n * attributes as `TEMP_COOKIE_PKCE_VERIFIER` for the same cross-site\n * `POST /auth/complete` reason.\n */\nexport const TEMP_COOKIE_OAUTH_STATE = '__hs_oauth_state';\n"],"mappings":";;;;;;;AAMA,MAAa,mCAAmC;;;;;AAMhD,MAAa,8BAA8B;;;;;;;;;;;;;;;;;;AAmB3C,MAAa,iCAAiC;;;;;;AAO9C,MAAa,gCAAgC;AAE7C,MAAM,yBAAyB,IAAI,IAAI;CACrC;CACA;CACA;CACD,CAAC;;;;;;;;AASF,SAAgB,sBAAsB,YAA6B;CACjE,OACE,uBAAuB,IAAI,WAAW,IACtC,WAAW,WAAA,cAAyC;;;;;;;;;;AAYxD,MAAa,4BAA4B;;;;;;;;AASzC,MAAa,0BAA0B"}
@@ -0,0 +1,12 @@
1
+ import { SecureStartContext, SecureStartLoader } from "../secure-start-core.js";
2
+
3
+ //#region src/server/deno/start.d.ts
4
+ /**
5
+ * Deno entrypoint helper. Reads `HUBSPOT_APP_PRIVATE_KEY` from `Deno.env`
6
+ * when CIMD or DPoP is enabled, imports the supplied loader, and invokes
7
+ * `start` with `AppKeys` or `null`.
8
+ */
9
+ declare function secureStart(loader: SecureStartLoader): Promise<void>;
10
+ //#endregion
11
+ export { secureStart };
12
+ //# sourceMappingURL=start.d.ts.map
@@ -0,0 +1,21 @@
1
+ import { runSecureStart } from "../secure-start-core.js";
2
+ //#region src/server/deno/start.ts
3
+ const denoSecureStartAdapter = {
4
+ readEnv: (key) => Deno.env.get(key),
5
+ deleteEnv: (key) => {
6
+ Deno.env.delete(key);
7
+ },
8
+ exit: (code) => Deno.exit(code)
9
+ };
10
+ /**
11
+ * Deno entrypoint helper. Reads `HUBSPOT_APP_PRIVATE_KEY` from `Deno.env`
12
+ * when CIMD or DPoP is enabled, imports the supplied loader, and invokes
13
+ * `start` with `AppKeys` or `null`.
14
+ */
15
+ function secureStart(loader) {
16
+ return runSecureStart(loader, denoSecureStartAdapter);
17
+ }
18
+ //#endregion
19
+ export { secureStart };
20
+
21
+ //# sourceMappingURL=start.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"start.js","names":[],"sources":["../../../src/server/deno/start.ts"],"sourcesContent":["import {\n runSecureStart,\n type SecureStartAdapter,\n type SecureStartContext,\n type SecureStartLoader,\n} from '../secure-start-core.ts';\n\nexport type { SecureStartContext, SecureStartLoader };\n\nconst denoSecureStartAdapter: SecureStartAdapter = {\n readEnv: (key) => Deno.env.get(key),\n deleteEnv: (key) => {\n Deno.env.delete(key);\n },\n exit: (code) => Deno.exit(code),\n};\n\n/**\n * Deno entrypoint helper. Reads `HUBSPOT_APP_PRIVATE_KEY` from `Deno.env`\n * when CIMD or DPoP is enabled, imports the supplied loader, and invokes\n * `start` with `AppKeys` or `null`.\n */\nexport function secureStart(loader: SecureStartLoader): Promise<void> {\n return runSecureStart(loader, denoSecureStartAdapter);\n}\n"],"mappings":";;AASA,MAAM,yBAA6C;CACjD,UAAU,QAAQ,KAAK,IAAI,IAAI,IAAI;CACnC,YAAY,QAAQ;EAClB,KAAK,IAAI,OAAO,IAAI;;CAEtB,OAAO,SAAS,KAAK,KAAK,KAAK;CAChC;;;;;;AAOD,SAAgB,YAAY,QAA0C;CACpE,OAAO,eAAe,QAAQ,uBAAuB"}
@@ -0,0 +1,59 @@
1
+ import { createHubSpotClient } from "../api-client-core/client.js";
2
+ import { noopLogger } from "../shared/logger.js";
3
+ import { fetchTransportPlugin } from "../api-client-core/plugins/fetch-transport.js";
4
+ import { HUBSPOT_ACCESS_TOKEN_COOKIE_NAME, HUBSPOT_APP_SID_COOKIE_NAME } from "../constants.js";
5
+ import { createHubSpotProxy } from "../proxy.js";
6
+ import { parseCookies } from "../utils/cookie-utils.js";
7
+ import { sanitizeRequest } from "../sanitize-request.js";
8
+ import { corsMiddleware } from "./utils/cors-middleware.js";
9
+ import { Hono } from "hono";
10
+ //#region src/server/hono/hono-request-handler.ts
11
+ /**
12
+ * Wraps a Hono app so its `fetch` handler additionally:
13
+ *
14
+ * - Strips SDK-managed cookies (access token, refresh, sid) from the
15
+ * request before the app sees them, via `sanitizeRequest`.
16
+ * - Exposes a `hubSpotProxy` on the Hono context so route handlers
17
+ * can issue authenticated calls to HubSpot's API on behalf of the
18
+ * browser session.
19
+ */
20
+ function createAppConnectRequestHandler(options) {
21
+ const { registerRoutes, appKeys, logger = noopLogger } = options;
22
+ const app = new Hono();
23
+ app.use("*", corsMiddleware());
24
+ app.use("*", async (c, next) => {
25
+ const { authenticated } = c.env.hubSpot;
26
+ if (!authenticated) return c.json({ error: "Unauthorized" }, 401);
27
+ await next();
28
+ });
29
+ registerRoutes(app);
30
+ return (request) => {
31
+ const cookie = request.headers.get("Cookie");
32
+ if (!cookie) throw new Error("Missing auth cookies");
33
+ const cookies = parseCookies(cookie);
34
+ const accessToken = cookies[HUBSPOT_ACCESS_TOKEN_COOKIE_NAME];
35
+ const proxy = createHubSpotProxy({
36
+ userCredentials: {
37
+ accessToken,
38
+ sessionId: cookies[HUBSPOT_APP_SID_COOKIE_NAME]
39
+ },
40
+ appKeys,
41
+ logger
42
+ });
43
+ const client = createHubSpotClient({ plugins: [fetchTransportPlugin({ getAccessToken: () => {
44
+ if (!accessToken) throw new Error("Missing access token");
45
+ return accessToken;
46
+ } })] });
47
+ const sanitizedRequest = sanitizeRequest(request);
48
+ const honoBindings = { hubSpot: {
49
+ proxy,
50
+ client,
51
+ authenticated: proxy.authenticated
52
+ } };
53
+ return app.fetch(sanitizedRequest, honoBindings);
54
+ };
55
+ }
56
+ //#endregion
57
+ export { createAppConnectRequestHandler };
58
+
59
+ //# sourceMappingURL=hono-request-handler.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"hono-request-handler.js","names":[],"sources":["../../../src/server/hono/hono-request-handler.ts"],"sourcesContent":["import { Hono } from 'hono';\n\nimport { noopLogger, type Logger } from '../../shared/logger.ts';\nimport { createHubSpotClient } from '../api-client-core/client.ts';\nimport { fetchTransportPlugin } from '../api-client-core/plugins/fetch-transport.ts';\nimport {\n HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n HUBSPOT_APP_SID_COOKIE_NAME,\n} from '../constants.ts';\nimport { createHubSpotProxy } from '../proxy.ts';\nimport { sanitizeRequest } from '../sanitize-request.ts';\nimport type { AppKeys, UserCredentials } from '../types.ts';\nimport { parseCookies } from '../utils/cookie-utils.ts';\nimport type { AppConnectHonoBindings, AppConnectHonoEnv } from './types.ts';\nimport { corsMiddleware } from './utils/cors-middleware.ts';\n\n/**\n * Web-standard fetch handler signature returned by\n * {@link createAppConnectRequestHandler}.\n */\nexport type AppConnectFetchHandler = (\n request: Request\n) => Response | Promise<Response>;\n\n/**\n * Callback used to attach application routes to the SDK-owned Hono\n * app instance.\n */\nexport type RegisterAppConnectRoutesFunction = (\n app: Hono<AppConnectHonoEnv>\n) => void;\n\n/**\n * Options accepted by {@link createAppConnectRequestHandler}.\n */\nexport interface CreateAppConnectRequestHandlerOptions {\n /** Registers application routes on the SDK-owned Hono app. */\n registerRoutes: RegisterAppConnectRoutesFunction;\n /**\n * Imported app keys from `secureStart`, or `null` when CIMD and DPoP\n * are both disabled.\n */\n appKeys: AppKeys | null;\n /**\n * Optional logger. When omitted the SDK uses a no-op logger so\n * server-side state never leaks into the host application's\n * console.\n */\n logger?: Logger;\n}\n\n/**\n * Wraps a Hono app so its `fetch` handler additionally:\n *\n * - Strips SDK-managed cookies (access token, refresh, sid) from the\n * request before the app sees them, via `sanitizeRequest`.\n * - Exposes a `hubSpotProxy` on the Hono context so route handlers\n * can issue authenticated calls to HubSpot's API on behalf of the\n * browser session.\n */\nexport function createAppConnectRequestHandler(\n options: CreateAppConnectRequestHandlerOptions\n): AppConnectFetchHandler {\n const { registerRoutes, appKeys, logger = noopLogger } = options;\n const app = new Hono<AppConnectHonoEnv>();\n // Credentialed CORS first: preflights short-circuit with 204\n // before the auth check runs, and 401 responses still carry\n // `Access-Control-Allow-*` headers (the browser drops responses\n // without them on credentialed cross-site fetches).\n app.use('*', corsMiddleware());\n\n // Auth gate: every non-OPTIONS request must arrive with the\n // SDK-managed access-token + session-id cookies. The CORS\n // middleware above short-circuits OPTIONS, so this only runs on\n // real requests; missing cookies now surface as a normal 401 with\n // CORS headers attached on the way back out (the previous\n // implementation threw on a missing `Cookie` header before any\n // middleware ran, which broke browser preflights).\n app.use('*', async (c, next) => {\n const { authenticated } = c.env.hubSpot;\n if (!authenticated) {\n return c.json({ error: 'Unauthorized' }, 401);\n }\n\n await next();\n return;\n });\n\n registerRoutes(app);\n\n return (request: Request) => {\n const cookie = request.headers.get('Cookie');\n if (!cookie) {\n throw new Error('Missing auth cookies');\n }\n const cookies = parseCookies(cookie);\n const accessToken = cookies[HUBSPOT_ACCESS_TOKEN_COOKIE_NAME];\n const sessionId = cookies[HUBSPOT_APP_SID_COOKIE_NAME];\n\n const userCredentials: UserCredentials = { accessToken, sessionId };\n\n const proxy = createHubSpotProxy({\n userCredentials,\n appKeys,\n logger,\n });\n\n const client = createHubSpotClient({\n plugins: [\n fetchTransportPlugin({\n getAccessToken: () => {\n if (!accessToken) {\n throw new Error('Missing access token');\n }\n return accessToken;\n },\n }),\n ],\n });\n\n const sanitizedRequest = sanitizeRequest(request);\n\n const honoBindings: AppConnectHonoBindings = {\n hubSpot: {\n proxy,\n client,\n authenticated: proxy.authenticated,\n },\n };\n\n return app.fetch(sanitizedRequest, honoBindings);\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AA4DA,SAAgB,+BACd,SACwB;CACxB,MAAM,EAAE,gBAAgB,SAAS,SAAS,eAAe;CACzD,MAAM,MAAM,IAAI,MAAyB;CAKzC,IAAI,IAAI,KAAK,gBAAgB,CAAC;CAS9B,IAAI,IAAI,KAAK,OAAO,GAAG,SAAS;EAC9B,MAAM,EAAE,kBAAkB,EAAE,IAAI;EAChC,IAAI,CAAC,eACH,OAAO,EAAE,KAAK,EAAE,OAAO,gBAAgB,EAAE,IAAI;EAG/C,MAAM,MAAM;GAEZ;CAEF,eAAe,IAAI;CAEnB,QAAQ,YAAqB;EAC3B,MAAM,SAAS,QAAQ,QAAQ,IAAI,SAAS;EAC5C,IAAI,CAAC,QACH,MAAM,IAAI,MAAM,uBAAuB;EAEzC,MAAM,UAAU,aAAa,OAAO;EACpC,MAAM,cAAc,QAAQ;EAK5B,MAAM,QAAQ,mBAAmB;GAC/B,iBAAA;IAHyC;IAAa,WAFtC,QAAQ;IAKT;GACf;GACA;GACD,CAAC;EAEF,MAAM,SAAS,oBAAoB,EACjC,SAAS,CACP,qBAAqB,EACnB,sBAAsB;GACpB,IAAI,CAAC,aACH,MAAM,IAAI,MAAM,uBAAuB;GAEzC,OAAO;KAEV,CAAC,CACH,EACF,CAAC;EAEF,MAAM,mBAAmB,gBAAgB,QAAQ;EAEjD,MAAM,eAAuC,EAC3C,SAAS;GACP;GACA;GACA,eAAe,MAAM;GACtB,EACF;EAED,OAAO,IAAI,MAAM,kBAAkB,aAAa"}
@@ -0,0 +1,154 @@
1
+ import { base64urlDecode } from "../../shared/encoding/base64.js";
2
+ import { HUBSPOT_ACCESS_TOKEN_COOKIE_NAME, HUBSPOT_APP_ORIGIN_COOKIE_NAME, HUBSPOT_REFRESH_COOKIE_PREFIX, TEMP_COOKIE_OAUTH_STATE, TEMP_COOKIE_PKCE_VERIFIER } from "../../constants.js";
3
+ import { parseCookies } from "../../utils/cookie-utils.js";
4
+ import { AUTH_COMPLETE_CODE_PARAM, AUTH_COMPLETE_STATE_PARAM } from "../../shared/constants.js";
5
+ import { serializeCookie, setResponseCookie } from "../utils/cookie-utils.js";
6
+ import { REFRESH_COOKIE_MAX_AGE_SEC } from "./constants.js";
7
+ import { buildClientAssertion, buildClientAssertionFormParams, buildClientSecretFormParams, buildTokenEndpointDpopProof, requestOAuthToken } from "./oauth-client.js";
8
+ import { buildCimdClientIdUrlFromRequest, buildFrontendOAuthRedirectUri, clearTempCookie, isPositiveFiniteNumber, isSafeReturnPath, parseAppOriginHeader } from "./utils.js";
9
+ //#region src/server/hono/hubspot-connect-routes/auth-complete.ts
10
+ /**
11
+ * Cross-origin OAuth completion endpoint.
12
+ *
13
+ * Called from the React app on the frontend OAuth callback path
14
+ * (`HUBSPOT_FRONTEND_CALLBACK_PATH`) once HubSpot has redirected the
15
+ * browser back with `?code` + `?state`. The browser POSTs both
16
+ * values here as a credentialed cross-site fetch — same partition as
17
+ * `init-session`, so the temp PKCE/state cookies are visible — and
18
+ * the SDK:
19
+ *
20
+ * 1. Validates `state` against the temp `__hs_oauth_state` cookie.
21
+ * 2. Pulls the PKCE verifier from `__hs_pkce_verifier`.
22
+ * 3. Rebuilds the same `redirect_uri` it sent to HubSpot during
23
+ * `init-session` (frontend origin + the fixed callback path);
24
+ * the OAuth token endpoint requires the two values to match.
25
+ * 4. Exchanges `code` for an access + refresh token (with DPoP /
26
+ * CIMD client-assertion when enabled).
27
+ * 5. Sets the durable session cookies (access token, refresh) with
28
+ * `SameSite=None; Secure; Partitioned` so they live in the
29
+ * `(frontend, edge)` partition where subsequent API fetches will
30
+ * read them.
31
+ * 6. Clears the temp cookies.
32
+ * 7. Returns `{ expires_at, return_path }` so the controller can
33
+ * update its session-storage expiry tracking and navigate back to
34
+ * the page the user started the connect flow from.
35
+ */
36
+ async function handleAuthComplete(c, options) {
37
+ const { appKeys, refreshCookiePath, hubspotConnectEnv } = options;
38
+ const xForwardedProto = c.req.header("x-forwarded-proto") ?? void 0;
39
+ const xForwardedHost = c.req.header("x-forwarded-host") ?? void 0;
40
+ const requestHostHeader = c.req.header("host") ?? void 0;
41
+ const code = c.req.query(AUTH_COMPLETE_CODE_PARAM);
42
+ const state = c.req.query(AUTH_COMPLETE_STATE_PARAM);
43
+ if (!code || !state) return c.json({ error: "Missing code or state" }, 400);
44
+ if (hubspotConnectEnv.isAppPrivateKeyRequired && !appKeys) return c.json({ error: "Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD or DPoP is enabled" }, 500);
45
+ const cookies = parseCookies(c.req.header("Cookie"));
46
+ const expectedState = cookies[TEMP_COOKIE_OAUTH_STATE];
47
+ const codeVerifier = cookies[TEMP_COOKIE_PKCE_VERIFIER];
48
+ const appOriginCookie = cookies[HUBSPOT_APP_ORIGIN_COOKIE_NAME];
49
+ if (!expectedState || state !== decodeURIComponent(expectedState)) return c.json({ error: "State mismatch" }, 403);
50
+ if (!codeVerifier) return c.json({ error: "Missing PKCE verifier" }, 400);
51
+ const appOrigin = parseAppOriginHeader(appOriginCookie);
52
+ if (!appOrigin) return c.json({ error: "Missing app origin cookie" }, 400);
53
+ let statePayload;
54
+ try {
55
+ statePayload = JSON.parse(new TextDecoder().decode(base64urlDecode(decodeURIComponent(state))));
56
+ } catch {
57
+ return c.json({ error: "Malformed state value" }, 400);
58
+ }
59
+ const returnPath = statePayload.return_path;
60
+ if (!returnPath || !isSafeReturnPath(returnPath)) return c.json({ error: "Invalid return path in state" }, 400);
61
+ const sessionId = statePayload.sid;
62
+ if (!sessionId) return c.json({ error: "Missing app session cookie" }, 400);
63
+ const decodedCodeVerifier = decodeURIComponent(codeVerifier);
64
+ const clientId = hubspotConnectEnv.isCimdEnabled ? buildCimdClientIdUrlFromRequest({
65
+ requestUrl: c.req.url,
66
+ basePath: options.basePath,
67
+ xForwardedProto,
68
+ xForwardedHost,
69
+ requestHostHeader
70
+ }) : hubspotConnectEnv.hubspotClientId;
71
+ const redirectUri = buildFrontendOAuthRedirectUri(appOrigin);
72
+ const tokenEndpointUrl = new URL("/oauth/v1/token", hubspotConnectEnv.hubspotOAuthApiOrigin).href;
73
+ let dpopProof;
74
+ if (hubspotConnectEnv.isDpopEnabled) dpopProof = await buildTokenEndpointDpopProof({
75
+ appKeys,
76
+ tokenEndpointUrl,
77
+ sessionIdHash: sessionId
78
+ });
79
+ let formParams;
80
+ if (hubspotConnectEnv.isCimdEnabled) formParams = {
81
+ grant_type: "authorization_code",
82
+ code,
83
+ code_verifier: decodedCodeVerifier,
84
+ redirect_uri: redirectUri,
85
+ ...buildClientAssertionFormParams({
86
+ clientId,
87
+ clientAssertion: await buildClientAssertion({
88
+ appKeys,
89
+ clientId,
90
+ audience: tokenEndpointUrl
91
+ })
92
+ })
93
+ };
94
+ else formParams = {
95
+ grant_type: "authorization_code",
96
+ code,
97
+ code_verifier: decodedCodeVerifier,
98
+ redirect_uri: redirectUri,
99
+ ...buildClientSecretFormParams({
100
+ clientId,
101
+ clientSecret: hubspotConnectEnv.hubspotClientSecret
102
+ })
103
+ };
104
+ const tokenResult = await requestOAuthToken({
105
+ tokenEndpointUrl,
106
+ isDpopEnabled: hubspotConnectEnv.isDpopEnabled,
107
+ ...dpopProof !== void 0 ? { dpopProof } : {},
108
+ formParams
109
+ });
110
+ if (!tokenResult.ok) return c.json({ error: `Token exchange failed: ${tokenResult.errorText}` }, 502);
111
+ const { access_token: accessToken, refresh_token: refreshToken, expires_in } = tokenResult.body;
112
+ if (!refreshToken) return c.json({ error: "Token response missing refresh_token" }, 502);
113
+ if (!isPositiveFiniteNumber(expires_in)) return c.json({ error: "Token response missing or invalid expires_in" }, 502);
114
+ const expiresAt = Date.now() + expires_in * 1e3;
115
+ const refreshCookieName = `${HUBSPOT_REFRESH_COOKIE_PREFIX}${sessionId}`;
116
+ setResponseCookie({
117
+ c,
118
+ value: serializeCookie({
119
+ name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,
120
+ value: accessToken,
121
+ path: "/",
122
+ sameSite: "None",
123
+ partitioned: true,
124
+ maxAge: expires_in
125
+ })
126
+ });
127
+ setResponseCookie({
128
+ c,
129
+ value: serializeCookie({
130
+ name: refreshCookieName,
131
+ value: refreshToken,
132
+ path: refreshCookiePath,
133
+ sameSite: "None",
134
+ partitioned: true,
135
+ maxAge: REFRESH_COOKIE_MAX_AGE_SEC
136
+ })
137
+ });
138
+ setResponseCookie({
139
+ c,
140
+ value: clearTempCookie(TEMP_COOKIE_PKCE_VERIFIER)
141
+ });
142
+ setResponseCookie({
143
+ c,
144
+ value: clearTempCookie(TEMP_COOKIE_OAUTH_STATE)
145
+ });
146
+ return c.json({
147
+ expires_at: expiresAt,
148
+ return_path: returnPath
149
+ });
150
+ }
151
+ //#endregion
152
+ export { handleAuthComplete };
153
+
154
+ //# sourceMappingURL=auth-complete.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth-complete.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/auth-complete.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport {\n AUTH_COMPLETE_CODE_PARAM,\n AUTH_COMPLETE_STATE_PARAM,\n} from '../../../shared/constants.ts';\nimport {\n HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n HUBSPOT_APP_ORIGIN_COOKIE_NAME,\n HUBSPOT_REFRESH_COOKIE_PREFIX,\n TEMP_COOKIE_OAUTH_STATE,\n TEMP_COOKIE_PKCE_VERIFIER,\n} from '../../constants.ts';\nimport { base64urlDecode } from '../../utils/base64-utils.ts';\nimport { parseCookies } from '../../utils/cookie-utils.ts';\nimport { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';\nimport { REFRESH_COOKIE_MAX_AGE_SEC } from './constants.ts';\nimport {\n buildClientAssertion,\n buildClientAssertionFormParams,\n buildClientSecretFormParams,\n buildTokenEndpointDpopProof,\n requestOAuthToken,\n} from './oauth-client.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport {\n buildCimdClientIdUrlFromRequest,\n buildFrontendOAuthRedirectUri,\n clearTempCookie,\n isPositiveFiniteNumber,\n isSafeReturnPath,\n parseAppOriginHeader,\n} from './utils.ts';\n\ninterface OAuthStatePayload {\n return_path?: string;\n sid?: string;\n}\n\n/**\n * Cross-origin OAuth completion endpoint.\n *\n * Called from the React app on the frontend OAuth callback path\n * (`HUBSPOT_FRONTEND_CALLBACK_PATH`) once HubSpot has redirected the\n * browser back with `?code` + `?state`. The browser POSTs both\n * values here as a credentialed cross-site fetch — same partition as\n * `init-session`, so the temp PKCE/state cookies are visible — and\n * the SDK:\n *\n * 1. Validates `state` against the temp `__hs_oauth_state` cookie.\n * 2. Pulls the PKCE verifier from `__hs_pkce_verifier`.\n * 3. Rebuilds the same `redirect_uri` it sent to HubSpot during\n * `init-session` (frontend origin + the fixed callback path);\n * the OAuth token endpoint requires the two values to match.\n * 4. Exchanges `code` for an access + refresh token (with DPoP /\n * CIMD client-assertion when enabled).\n * 5. Sets the durable session cookies (access token, refresh) with\n * `SameSite=None; Secure; Partitioned` so they live in the\n * `(frontend, edge)` partition where subsequent API fetches will\n * read them.\n * 6. Clears the temp cookies.\n * 7. Returns `{ expires_at, return_path }` so the controller can\n * update its session-storage expiry tracking and navigate back to\n * the page the user started the connect flow from.\n */\nexport async function handleAuthComplete(\n c: Context,\n options: HubSpotConnectOAuthRouteOptions\n) {\n const { appKeys, refreshCookiePath, hubspotConnectEnv } = options;\n const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n const requestHostHeader = c.req.header('host') ?? undefined;\n const code = c.req.query(AUTH_COMPLETE_CODE_PARAM);\n const state = c.req.query(AUTH_COMPLETE_STATE_PARAM);\n\n if (!code || !state) {\n return c.json({ error: 'Missing code or state' }, 400);\n }\n\n if (hubspotConnectEnv.isAppPrivateKeyRequired && !appKeys) {\n return c.json(\n {\n error:\n 'Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD or DPoP is enabled',\n },\n 500\n );\n }\n\n const cookies = parseCookies(c.req.header('Cookie'));\n const expectedState = cookies[TEMP_COOKIE_OAUTH_STATE];\n const codeVerifier = cookies[TEMP_COOKIE_PKCE_VERIFIER];\n const appOriginCookie = cookies[HUBSPOT_APP_ORIGIN_COOKIE_NAME];\n\n if (!expectedState || state !== decodeURIComponent(expectedState)) {\n return c.json({ error: 'State mismatch' }, 403);\n }\n if (!codeVerifier) {\n return c.json({ error: 'Missing PKCE verifier' }, 400);\n }\n // The redirect_uri the OAuth token endpoint validates must equal\n // the one we sent during init-session. We rebuild it from the\n // pinned origin cookie so that value is anchored server-side, not\n // taken from the (caller-controlled) request `Origin` on this call.\n const appOrigin = parseAppOriginHeader(appOriginCookie);\n if (!appOrigin) {\n return c.json({ error: 'Missing app origin cookie' }, 400);\n }\n\n let statePayload: OAuthStatePayload;\n try {\n statePayload = JSON.parse(\n new TextDecoder().decode(base64urlDecode(decodeURIComponent(state)))\n ) as OAuthStatePayload;\n } catch {\n return c.json({ error: 'Malformed state value' }, 400);\n }\n const returnPath = statePayload.return_path;\n if (!returnPath || !isSafeReturnPath(returnPath)) {\n return c.json({ error: 'Invalid return path in state' }, 400);\n }\n\n const sessionId = statePayload.sid;\n if (!sessionId) {\n return c.json({ error: 'Missing app session cookie' }, 400);\n }\n\n const decodedCodeVerifier = decodeURIComponent(codeVerifier);\n\n const clientId = hubspotConnectEnv.isCimdEnabled\n ? buildCimdClientIdUrlFromRequest({\n requestUrl: c.req.url,\n basePath: options.basePath,\n xForwardedProto,\n xForwardedHost,\n requestHostHeader,\n })\n : hubspotConnectEnv.hubspotClientId;\n\n const redirectUri = buildFrontendOAuthRedirectUri(appOrigin);\n\n const tokenEndpointUrl = new URL(\n '/oauth/v1/token',\n hubspotConnectEnv.hubspotOAuthApiOrigin\n ).href;\n\n let dpopProof: string | undefined;\n if (hubspotConnectEnv.isDpopEnabled) {\n dpopProof = await buildTokenEndpointDpopProof({\n appKeys: appKeys!,\n tokenEndpointUrl,\n sessionIdHash: sessionId,\n });\n }\n\n let formParams: Record<string, string>;\n if (hubspotConnectEnv.isCimdEnabled) {\n const clientAssertion = await buildClientAssertion({\n appKeys: appKeys!,\n clientId,\n audience: tokenEndpointUrl,\n });\n formParams = {\n grant_type: 'authorization_code',\n code,\n code_verifier: decodedCodeVerifier,\n redirect_uri: redirectUri,\n ...buildClientAssertionFormParams({ clientId, clientAssertion }),\n };\n } else {\n formParams = {\n grant_type: 'authorization_code',\n code,\n code_verifier: decodedCodeVerifier,\n redirect_uri: redirectUri,\n ...buildClientSecretFormParams({\n clientId,\n clientSecret: hubspotConnectEnv.hubspotClientSecret,\n }),\n };\n }\n\n const tokenResult = await requestOAuthToken({\n tokenEndpointUrl,\n isDpopEnabled: hubspotConnectEnv.isDpopEnabled,\n ...(dpopProof !== undefined ? { dpopProof } : {}),\n formParams,\n });\n if (!tokenResult.ok) {\n return c.json(\n { error: `Token exchange failed: ${tokenResult.errorText}` },\n 502\n );\n }\n\n const {\n access_token: accessToken,\n refresh_token: refreshToken,\n expires_in,\n } = tokenResult.body;\n if (!refreshToken) {\n return c.json({ error: 'Token response missing refresh_token' }, 502);\n }\n if (!isPositiveFiniteNumber(expires_in)) {\n return c.json(\n { error: 'Token response missing or invalid expires_in' },\n 502\n );\n }\n\n const expiresAt = Date.now() + expires_in * 1000;\n const refreshCookieName = `${HUBSPOT_REFRESH_COOKIE_PREFIX}${sessionId}`;\n\n setResponseCookie({\n c,\n value: serializeCookie({\n name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n value: accessToken,\n path: '/',\n sameSite: 'None',\n partitioned: true,\n maxAge: expires_in,\n }),\n });\n setResponseCookie({\n c,\n value: serializeCookie({\n name: refreshCookieName,\n value: refreshToken,\n path: refreshCookiePath,\n sameSite: 'None',\n partitioned: true,\n maxAge: REFRESH_COOKIE_MAX_AGE_SEC,\n }),\n });\n setResponseCookie({ c, value: clearTempCookie(TEMP_COOKIE_PKCE_VERIFIER) });\n setResponseCookie({ c, value: clearTempCookie(TEMP_COOKIE_OAUTH_STATE) });\n\n return c.json({ expires_at: expiresAt, return_path: returnPath });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiEA,eAAsB,mBACpB,GACA,SACA;CACA,MAAM,EAAE,SAAS,mBAAmB,sBAAsB;CAC1D,MAAM,kBAAkB,EAAE,IAAI,OAAO,oBAAoB,IAAI,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,mBAAmB,IAAI,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,OAAO,IAAI,KAAA;CAClD,MAAM,OAAO,EAAE,IAAI,MAAM,yBAAyB;CAClD,MAAM,QAAQ,EAAE,IAAI,MAAM,0BAA0B;CAEpD,IAAI,CAAC,QAAQ,CAAC,OACZ,OAAO,EAAE,KAAK,EAAE,OAAO,yBAAyB,EAAE,IAAI;CAGxD,IAAI,kBAAkB,2BAA2B,CAAC,SAChD,OAAO,EAAE,KACP,EACE,OACE,6FACH,EACD,IACD;CAGH,MAAM,UAAU,aAAa,EAAE,IAAI,OAAO,SAAS,CAAC;CACpD,MAAM,gBAAgB,QAAQ;CAC9B,MAAM,eAAe,QAAQ;CAC7B,MAAM,kBAAkB,QAAQ;CAEhC,IAAI,CAAC,iBAAiB,UAAU,mBAAmB,cAAc,EAC/D,OAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,EAAE,IAAI;CAEjD,IAAI,CAAC,cACH,OAAO,EAAE,KAAK,EAAE,OAAO,yBAAyB,EAAE,IAAI;CAMxD,MAAM,YAAY,qBAAqB,gBAAgB;CACvD,IAAI,CAAC,WACH,OAAO,EAAE,KAAK,EAAE,OAAO,6BAA6B,EAAE,IAAI;CAG5D,IAAI;CACJ,IAAI;EACF,eAAe,KAAK,MAClB,IAAI,aAAa,CAAC,OAAO,gBAAgB,mBAAmB,MAAM,CAAC,CAAC,CACrE;SACK;EACN,OAAO,EAAE,KAAK,EAAE,OAAO,yBAAyB,EAAE,IAAI;;CAExD,MAAM,aAAa,aAAa;CAChC,IAAI,CAAC,cAAc,CAAC,iBAAiB,WAAW,EAC9C,OAAO,EAAE,KAAK,EAAE,OAAO,gCAAgC,EAAE,IAAI;CAG/D,MAAM,YAAY,aAAa;CAC/B,IAAI,CAAC,WACH,OAAO,EAAE,KAAK,EAAE,OAAO,8BAA8B,EAAE,IAAI;CAG7D,MAAM,sBAAsB,mBAAmB,aAAa;CAE5D,MAAM,WAAW,kBAAkB,gBAC/B,gCAAgC;EAC9B,YAAY,EAAE,IAAI;EAClB,UAAU,QAAQ;EAClB;EACA;EACA;EACD,CAAC,GACF,kBAAkB;CAEtB,MAAM,cAAc,8BAA8B,UAAU;CAE5D,MAAM,mBAAmB,IAAI,IAC3B,mBACA,kBAAkB,sBACnB,CAAC;CAEF,IAAI;CACJ,IAAI,kBAAkB,eACpB,YAAY,MAAM,4BAA4B;EACnC;EACT;EACA,eAAe;EAChB,CAAC;CAGJ,IAAI;CACJ,IAAI,kBAAkB,eAMpB,aAAa;EACX,YAAY;EACZ;EACA,eAAe;EACf,cAAc;EACd,GAAG,+BAA+B;GAAE;GAAU,iBAAA,MAVlB,qBAAqB;IACxC;IACT;IACA,UAAU;IACX,CAAC;GAM+D,CAAC;EACjE;MAED,aAAa;EACX,YAAY;EACZ;EACA,eAAe;EACf,cAAc;EACd,GAAG,4BAA4B;GAC7B;GACA,cAAc,kBAAkB;GACjC,CAAC;EACH;CAGH,MAAM,cAAc,MAAM,kBAAkB;EAC1C;EACA,eAAe,kBAAkB;EACjC,GAAI,cAAc,KAAA,IAAY,EAAE,WAAW,GAAG,EAAE;EAChD;EACD,CAAC;CACF,IAAI,CAAC,YAAY,IACf,OAAO,EAAE,KACP,EAAE,OAAO,0BAA0B,YAAY,aAAa,EAC5D,IACD;CAGH,MAAM,EACJ,cAAc,aACd,eAAe,cACf,eACE,YAAY;CAChB,IAAI,CAAC,cACH,OAAO,EAAE,KAAK,EAAE,OAAO,wCAAwC,EAAE,IAAI;CAEvE,IAAI,CAAC,uBAAuB,WAAW,EACrC,OAAO,EAAE,KACP,EAAE,OAAO,gDAAgD,EACzD,IACD;CAGH,MAAM,YAAY,KAAK,KAAK,GAAG,aAAa;CAC5C,MAAM,oBAAoB,GAAG,gCAAgC;CAE7D,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAAE;EAAG,OAAO,gBAAgB,0BAA0B;EAAE,CAAC;CAC3E,kBAAkB;EAAE;EAAG,OAAO,gBAAgB,wBAAwB;EAAE,CAAC;CAEzE,OAAO,EAAE,KAAK;EAAE,YAAY;EAAW,aAAa;EAAY,CAAC"}
@@ -0,0 +1,101 @@
1
+ import { base64url } from "../../shared/encoding/base64.js";
2
+ import { sha256base64url } from "../../shared/encoding/sha256.js";
3
+ import { HUBSPOT_APP_ORIGIN_COOKIE_NAME, HUBSPOT_APP_SID_COOKIE_NAME, TEMP_COOKIE_OAUTH_STATE, TEMP_COOKIE_PKCE_VERIFIER } from "../../constants.js";
4
+ import { serializeCookie, setResponseCookie } from "../utils/cookie-utils.js";
5
+ import { OAUTH_TEMP_MAX_AGE_SEC, SESSION_MAX_AGE_SEC } from "./constants.js";
6
+ import { buildCimdClientIdUrlFromRequest, buildFrontendOAuthRedirectUri, isSafeReturnPath, parseAppOriginHeader } from "./utils.js";
7
+ import { deriveHubSpotAuthorizeScopesFromClientMetadata } from "./fetch-hubspot-client-metadata.js";
8
+ //#region src/server/hono/hubspot-connect-routes/auth-init-session.ts
9
+ async function handleAuthInitSession(c, options) {
10
+ const { hubspotConnectEnv, cimdClientMetadata } = options;
11
+ const xForwardedProto = c.req.header("x-forwarded-proto") ?? void 0;
12
+ const xForwardedHost = c.req.header("x-forwarded-host") ?? void 0;
13
+ const requestHostHeader = c.req.header("host") ?? void 0;
14
+ const returnPath = new URL(c.req.url).searchParams.get("return_path") ?? "/";
15
+ if (!isSafeReturnPath(returnPath)) return c.text("Invalid return_path", 400);
16
+ const appOrigin = parseAppOriginHeader(c.req.header("Origin"));
17
+ if (!appOrigin) return c.text("Missing or invalid Origin header; init-session must be called from a browser", 400);
18
+ const sessionIdBytes = new Uint8Array(32);
19
+ crypto.getRandomValues(sessionIdBytes);
20
+ const sessionId = base64url(sessionIdBytes);
21
+ const sessionIdHash = await sha256base64url(sessionId);
22
+ const codeVerifierBytes = new Uint8Array(32);
23
+ crypto.getRandomValues(codeVerifierBytes);
24
+ const codeVerifier = base64url(codeVerifierBytes);
25
+ const codeChallenge = await sha256base64url(codeVerifier);
26
+ const stateValue = base64url(new TextEncoder().encode(JSON.stringify({
27
+ return_path: returnPath,
28
+ sid: sessionIdHash
29
+ })));
30
+ const clientId = hubspotConnectEnv.isCimdEnabled ? buildCimdClientIdUrlFromRequest({
31
+ requestUrl: c.req.url,
32
+ basePath: options.basePath,
33
+ xForwardedProto,
34
+ xForwardedHost,
35
+ requestHostHeader
36
+ }) : hubspotConnectEnv.hubspotClientId;
37
+ const redirectUri = buildFrontendOAuthRedirectUri(appOrigin);
38
+ const authorizeUrl = new URL(hubspotConnectEnv.hubspotAuthorizationEndpoint);
39
+ authorizeUrl.searchParams.set("response_type", "code");
40
+ authorizeUrl.searchParams.set("client_id", clientId);
41
+ authorizeUrl.searchParams.set("redirect_uri", redirectUri);
42
+ authorizeUrl.searchParams.set("code_challenge", codeChallenge);
43
+ authorizeUrl.searchParams.set("code_challenge_method", "S256");
44
+ authorizeUrl.searchParams.set("state", stateValue);
45
+ authorizeUrl.searchParams.set("sid", sessionIdHash);
46
+ if (!hubspotConnectEnv.isCimdEnabled) {
47
+ const scopesResult = deriveHubSpotAuthorizeScopesFromClientMetadata(cimdClientMetadata);
48
+ if (!scopesResult.ok) return c.text(scopesResult.message, scopesResult.status);
49
+ authorizeUrl.searchParams.set("scope", scopesResult.scope);
50
+ if (scopesResult.optionalScope !== void 0) authorizeUrl.searchParams.set("optional_scope", scopesResult.optionalScope);
51
+ }
52
+ setResponseCookie({
53
+ c,
54
+ value: serializeCookie({
55
+ name: HUBSPOT_APP_ORIGIN_COOKIE_NAME,
56
+ value: appOrigin,
57
+ path: "/",
58
+ sameSite: "None",
59
+ partitioned: true,
60
+ maxAge: SESSION_MAX_AGE_SEC
61
+ })
62
+ });
63
+ setResponseCookie({
64
+ c,
65
+ value: serializeCookie({
66
+ name: HUBSPOT_APP_SID_COOKIE_NAME,
67
+ value: sessionId,
68
+ path: "/",
69
+ sameSite: "None",
70
+ partitioned: true,
71
+ maxAge: SESSION_MAX_AGE_SEC
72
+ })
73
+ });
74
+ setResponseCookie({
75
+ c,
76
+ value: serializeCookie({
77
+ name: TEMP_COOKIE_PKCE_VERIFIER,
78
+ value: encodeURIComponent(codeVerifier),
79
+ path: "/",
80
+ sameSite: "None",
81
+ partitioned: true,
82
+ maxAge: OAUTH_TEMP_MAX_AGE_SEC
83
+ })
84
+ });
85
+ setResponseCookie({
86
+ c,
87
+ value: serializeCookie({
88
+ name: TEMP_COOKIE_OAUTH_STATE,
89
+ value: encodeURIComponent(stateValue),
90
+ path: "/",
91
+ sameSite: "None",
92
+ partitioned: true,
93
+ maxAge: OAUTH_TEMP_MAX_AGE_SEC
94
+ })
95
+ });
96
+ return c.json({ authorization_url: authorizeUrl.toString() });
97
+ }
98
+ //#endregion
99
+ export { handleAuthInitSession };
100
+
101
+ //# sourceMappingURL=auth-init-session.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth-init-session.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/auth-init-session.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport {\n HUBSPOT_APP_ORIGIN_COOKIE_NAME,\n HUBSPOT_APP_SID_COOKIE_NAME,\n TEMP_COOKIE_OAUTH_STATE,\n TEMP_COOKIE_PKCE_VERIFIER,\n} from '../../constants.ts';\nimport { base64url } from '../../utils/base64-utils.ts';\nimport { sha256base64url } from '../../utils/crypto-utils.ts';\nimport { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';\nimport { OAUTH_TEMP_MAX_AGE_SEC, SESSION_MAX_AGE_SEC } from './constants.ts';\nimport { deriveHubSpotAuthorizeScopesFromClientMetadata } from './fetch-hubspot-client-metadata.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport {\n buildCimdClientIdUrlFromRequest,\n buildFrontendOAuthRedirectUri,\n isSafeReturnPath,\n parseAppOriginHeader,\n} from './utils.ts';\n\nexport async function handleAuthInitSession(\n c: Context,\n options: HubSpotConnectOAuthRouteOptions\n) {\n const { hubspotConnectEnv, cimdClientMetadata } = options;\n const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n const requestHostHeader = c.req.header('host') ?? undefined;\n const url = new URL(c.req.url);\n const returnPath = url.searchParams.get('return_path') ?? '/';\n if (!isSafeReturnPath(returnPath)) {\n return c.text('Invalid return_path', 400);\n }\n\n // The app origin pins the OAuth `redirect_uri` (which lands on the\n // frontend, not on this edge function) and, via the persisted\n // `__Host-hs_app_origin` cookie, drives credentialed\n // `Access-Control-Allow-Origin` on every subsequent SDK response.\n const appOrigin = parseAppOriginHeader(c.req.header('Origin'));\n if (!appOrigin) {\n return c.text(\n 'Missing or invalid Origin header; init-session must be called from a browser',\n 400\n );\n }\n\n const sessionIdBytes = new Uint8Array(32);\n crypto.getRandomValues(sessionIdBytes);\n const sessionId = base64url(sessionIdBytes);\n const sessionIdHash = await sha256base64url(sessionId);\n\n const codeVerifierBytes = new Uint8Array(32);\n crypto.getRandomValues(codeVerifierBytes);\n const codeVerifier = base64url(codeVerifierBytes);\n const codeChallenge = await sha256base64url(codeVerifier);\n\n const stateValue = base64url(\n new TextEncoder().encode(\n JSON.stringify({\n return_path: returnPath,\n sid: sessionIdHash,\n })\n )\n );\n\n const clientId = hubspotConnectEnv.isCimdEnabled\n ? buildCimdClientIdUrlFromRequest({\n requestUrl: c.req.url,\n basePath: options.basePath,\n xForwardedProto,\n xForwardedHost,\n requestHostHeader,\n })\n : hubspotConnectEnv.hubspotClientId;\n\n const redirectUri = buildFrontendOAuthRedirectUri(appOrigin);\n\n const authorizeUrl = new URL(hubspotConnectEnv.hubspotAuthorizationEndpoint);\n authorizeUrl.searchParams.set('response_type', 'code');\n authorizeUrl.searchParams.set('client_id', clientId);\n authorizeUrl.searchParams.set('redirect_uri', redirectUri);\n authorizeUrl.searchParams.set('code_challenge', codeChallenge);\n authorizeUrl.searchParams.set('code_challenge_method', 'S256');\n authorizeUrl.searchParams.set('state', stateValue);\n authorizeUrl.searchParams.set('sid', sessionIdHash);\n\n if (!hubspotConnectEnv.isCimdEnabled) {\n const scopesResult =\n deriveHubSpotAuthorizeScopesFromClientMetadata(cimdClientMetadata);\n if (!scopesResult.ok) {\n return c.text(scopesResult.message, scopesResult.status as 500 | 502);\n }\n authorizeUrl.searchParams.set('scope', scopesResult.scope);\n if (scopesResult.optionalScope !== undefined) {\n authorizeUrl.searchParams.set(\n 'optional_scope',\n scopesResult.optionalScope\n );\n }\n }\n\n setResponseCookie({\n c,\n value: serializeCookie({\n name: HUBSPOT_APP_ORIGIN_COOKIE_NAME,\n value: appOrigin,\n path: '/',\n sameSite: 'None',\n partitioned: true,\n maxAge: SESSION_MAX_AGE_SEC,\n }),\n });\n setResponseCookie({\n c,\n value: serializeCookie({\n name: HUBSPOT_APP_SID_COOKIE_NAME,\n value: sessionId,\n path: '/',\n sameSite: 'None',\n partitioned: true,\n maxAge: SESSION_MAX_AGE_SEC,\n }),\n });\n setResponseCookie({\n c,\n value: serializeCookie({\n name: TEMP_COOKIE_PKCE_VERIFIER,\n value: encodeURIComponent(codeVerifier),\n path: '/',\n sameSite: 'None',\n partitioned: true,\n maxAge: OAUTH_TEMP_MAX_AGE_SEC,\n }),\n });\n setResponseCookie({\n c,\n value: serializeCookie({\n name: TEMP_COOKIE_OAUTH_STATE,\n value: encodeURIComponent(stateValue),\n path: '/',\n sameSite: 'None',\n partitioned: true,\n maxAge: OAUTH_TEMP_MAX_AGE_SEC,\n }),\n });\n\n return c.json({ authorization_url: authorizeUrl.toString() });\n}\n"],"mappings":";;;;;;;;AAqBA,eAAsB,sBACpB,GACA,SACA;CACA,MAAM,EAAE,mBAAmB,uBAAuB;CAClD,MAAM,kBAAkB,EAAE,IAAI,OAAO,oBAAoB,IAAI,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,mBAAmB,IAAI,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,OAAO,IAAI,KAAA;CAElD,MAAM,aAAa,IADH,IAAI,EAAE,IAAI,IACJ,CAAC,aAAa,IAAI,cAAc,IAAI;CAC1D,IAAI,CAAC,iBAAiB,WAAW,EAC/B,OAAO,EAAE,KAAK,uBAAuB,IAAI;CAO3C,MAAM,YAAY,qBAAqB,EAAE,IAAI,OAAO,SAAS,CAAC;CAC9D,IAAI,CAAC,WACH,OAAO,EAAE,KACP,gFACA,IACD;CAGH,MAAM,iBAAiB,IAAI,WAAW,GAAG;CACzC,OAAO,gBAAgB,eAAe;CACtC,MAAM,YAAY,UAAU,eAAe;CAC3C,MAAM,gBAAgB,MAAM,gBAAgB,UAAU;CAEtD,MAAM,oBAAoB,IAAI,WAAW,GAAG;CAC5C,OAAO,gBAAgB,kBAAkB;CACzC,MAAM,eAAe,UAAU,kBAAkB;CACjD,MAAM,gBAAgB,MAAM,gBAAgB,aAAa;CAEzD,MAAM,aAAa,UACjB,IAAI,aAAa,CAAC,OAChB,KAAK,UAAU;EACb,aAAa;EACb,KAAK;EACN,CAAC,CACH,CACF;CAED,MAAM,WAAW,kBAAkB,gBAC/B,gCAAgC;EAC9B,YAAY,EAAE,IAAI;EAClB,UAAU,QAAQ;EAClB;EACA;EACA;EACD,CAAC,GACF,kBAAkB;CAEtB,MAAM,cAAc,8BAA8B,UAAU;CAE5D,MAAM,eAAe,IAAI,IAAI,kBAAkB,6BAA6B;CAC5E,aAAa,aAAa,IAAI,iBAAiB,OAAO;CACtD,aAAa,aAAa,IAAI,aAAa,SAAS;CACpD,aAAa,aAAa,IAAI,gBAAgB,YAAY;CAC1D,aAAa,aAAa,IAAI,kBAAkB,cAAc;CAC9D,aAAa,aAAa,IAAI,yBAAyB,OAAO;CAC9D,aAAa,aAAa,IAAI,SAAS,WAAW;CAClD,aAAa,aAAa,IAAI,OAAO,cAAc;CAEnD,IAAI,CAAC,kBAAkB,eAAe;EACpC,MAAM,eACJ,+CAA+C,mBAAmB;EACpE,IAAI,CAAC,aAAa,IAChB,OAAO,EAAE,KAAK,aAAa,SAAS,aAAa,OAAoB;EAEvE,aAAa,aAAa,IAAI,SAAS,aAAa,MAAM;EAC1D,IAAI,aAAa,kBAAkB,KAAA,GACjC,aAAa,aAAa,IACxB,kBACA,aAAa,cACd;;CAIL,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO,mBAAmB,aAAa;GACvC,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO,mBAAmB,WAAW;GACrC,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;GACT,CAAC;EACH,CAAC;CAEF,OAAO,EAAE,KAAK,EAAE,mBAAmB,aAAa,UAAU,EAAE,CAAC"}
@@ -0,0 +1,114 @@
1
+ import { HUBSPOT_ACCESS_TOKEN_COOKIE_NAME, HUBSPOT_APP_ORIGIN_COOKIE_NAME, HUBSPOT_APP_SID_COOKIE_NAME } from "../../constants.js";
2
+ import { parseCookies } from "../../utils/cookie-utils.js";
3
+ import { serializeCookie, setResponseCookie } from "../utils/cookie-utils.js";
4
+ import { buildClientAssertion } from "./oauth-client.js";
5
+ import { buildCimdClientIdUrlFromRequest } from "./utils.js";
6
+ //#region src/server/hono/hubspot-connect-routes/auth-logout.ts
7
+ async function revokeToken(options) {
8
+ const { revokeEndpointUrl, body, logger } = options;
9
+ try {
10
+ const response = await fetch(revokeEndpointUrl, {
11
+ method: "POST",
12
+ headers: { "Content-Type": "application/x-www-form-urlencoded" },
13
+ body
14
+ });
15
+ if (!response.ok) logger.warn(`HubSpot token revoke returned HTTP ${response.status} ${response.statusText}`);
16
+ } catch (error) {
17
+ logger.warn("HubSpot token revoke request failed", error);
18
+ }
19
+ }
20
+ async function handleAuthLogout(c, options) {
21
+ const { appKeys, refreshCookiePath, basePath, hubspotConnectEnv, logger } = options;
22
+ const xForwardedProto = c.req.header("x-forwarded-proto") ?? void 0;
23
+ const xForwardedHost = c.req.header("x-forwarded-host") ?? void 0;
24
+ const requestHostHeader = c.req.header("host") ?? void 0;
25
+ const cookies = parseCookies(c.req.header("Cookie"));
26
+ const accessToken = cookies[HUBSPOT_ACCESS_TOKEN_COOKIE_NAME];
27
+ const clientId = hubspotConnectEnv.isCimdEnabled ? buildCimdClientIdUrlFromRequest({
28
+ requestUrl: c.req.url,
29
+ basePath,
30
+ xForwardedProto,
31
+ xForwardedHost,
32
+ requestHostHeader
33
+ }) : hubspotConnectEnv.hubspotClientId;
34
+ const revokeEndpointUrl = new URL("/oauth/v1/revoke", hubspotConnectEnv.hubspotOAuthApiOrigin).href;
35
+ if (accessToken) if (hubspotConnectEnv.isCimdEnabled) {
36
+ if (!appKeys) return c.json({ error: "Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD is enabled" }, 500);
37
+ const clientAssertion = await buildClientAssertion({
38
+ appKeys,
39
+ clientId,
40
+ audience: revokeEndpointUrl
41
+ });
42
+ await revokeToken({
43
+ revokeEndpointUrl,
44
+ body: new URLSearchParams({
45
+ token: accessToken,
46
+ token_type_hint: "access_token",
47
+ client_id: clientId,
48
+ client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
49
+ client_assertion: clientAssertion
50
+ }),
51
+ logger
52
+ });
53
+ } else await revokeToken({
54
+ revokeEndpointUrl,
55
+ body: new URLSearchParams({
56
+ token: accessToken,
57
+ token_type_hint: "access_token",
58
+ client_id: clientId,
59
+ client_secret: hubspotConnectEnv.hubspotClientSecret
60
+ }),
61
+ logger
62
+ });
63
+ setResponseCookie({
64
+ c,
65
+ value: serializeCookie({
66
+ name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,
67
+ value: "",
68
+ path: "/",
69
+ sameSite: "None",
70
+ partitioned: true,
71
+ maxAge: 0
72
+ })
73
+ });
74
+ setResponseCookie({
75
+ c,
76
+ value: serializeCookie({
77
+ name: HUBSPOT_APP_SID_COOKIE_NAME,
78
+ value: "",
79
+ path: "/",
80
+ sameSite: "None",
81
+ partitioned: true,
82
+ maxAge: 0
83
+ })
84
+ });
85
+ setResponseCookie({
86
+ c,
87
+ value: serializeCookie({
88
+ name: HUBSPOT_APP_ORIGIN_COOKIE_NAME,
89
+ value: "",
90
+ path: "/",
91
+ sameSite: "None",
92
+ partitioned: true,
93
+ maxAge: 0
94
+ })
95
+ });
96
+ Object.keys(cookies).forEach((cookieName) => {
97
+ if (cookieName.startsWith("hs_refresh_")) setResponseCookie({
98
+ c,
99
+ value: serializeCookie({
100
+ name: cookieName,
101
+ value: "",
102
+ path: refreshCookiePath,
103
+ sameSite: "None",
104
+ partitioned: true,
105
+ maxAge: 0
106
+ })
107
+ });
108
+ });
109
+ return c.json({ redirect_to: "/" });
110
+ }
111
+ //#endregion
112
+ export { handleAuthLogout };
113
+
114
+ //# sourceMappingURL=auth-logout.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth-logout.js","names":[],"sources":["../../../../src/server/hono/hubspot-connect-routes/auth-logout.ts"],"sourcesContent":["import type { Context } from 'hono';\n\nimport type { Logger } from '../../../shared/logger.ts';\nimport {\n HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n HUBSPOT_APP_ORIGIN_COOKIE_NAME,\n HUBSPOT_APP_SID_COOKIE_NAME,\n HUBSPOT_REFRESH_COOKIE_PREFIX,\n} from '../../constants.ts';\nimport { parseCookies } from '../../utils/cookie-utils.ts';\nimport { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';\nimport { buildClientAssertion } from './oauth-client.ts';\nimport type { HubSpotConnectOAuthRouteOptions } from './types.ts';\nimport { buildCimdClientIdUrlFromRequest } from './utils.ts';\n\nasync function revokeToken(options: {\n revokeEndpointUrl: string;\n body: URLSearchParams;\n logger: Logger;\n}): Promise<void> {\n const { revokeEndpointUrl, body, logger } = options;\n try {\n const response = await fetch(revokeEndpointUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body,\n });\n if (!response.ok) {\n logger.warn(\n `HubSpot token revoke returned HTTP ${response.status} ${response.statusText}`\n );\n }\n } catch (error) {\n logger.warn('HubSpot token revoke request failed', error);\n }\n}\n\nexport async function handleAuthLogout(\n c: Context,\n options: HubSpotConnectOAuthRouteOptions\n) {\n const { appKeys, refreshCookiePath, basePath, hubspotConnectEnv, logger } =\n options;\n const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;\n const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;\n const requestHostHeader = c.req.header('host') ?? undefined;\n const cookies = parseCookies(c.req.header('Cookie'));\n const accessToken = cookies[HUBSPOT_ACCESS_TOKEN_COOKIE_NAME];\n\n const clientId = hubspotConnectEnv.isCimdEnabled\n ? buildCimdClientIdUrlFromRequest({\n requestUrl: c.req.url,\n basePath,\n xForwardedProto,\n xForwardedHost,\n requestHostHeader,\n })\n : hubspotConnectEnv.hubspotClientId;\n\n const revokeEndpointUrl = new URL(\n '/oauth/v1/revoke',\n hubspotConnectEnv.hubspotOAuthApiOrigin\n ).href;\n\n if (accessToken) {\n if (hubspotConnectEnv.isCimdEnabled) {\n if (!appKeys) {\n return c.json(\n {\n error:\n 'Server misconfiguration: HUBSPOT_APP_PRIVATE_KEY is required when CIMD is enabled',\n },\n 500\n );\n }\n const clientAssertion = await buildClientAssertion({\n appKeys,\n clientId,\n audience: revokeEndpointUrl,\n });\n await revokeToken({\n revokeEndpointUrl,\n body: new URLSearchParams({\n token: accessToken,\n token_type_hint: 'access_token',\n client_id: clientId,\n client_assertion_type:\n 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',\n client_assertion: clientAssertion,\n }),\n logger,\n });\n } else {\n await revokeToken({\n revokeEndpointUrl,\n body: new URLSearchParams({\n token: accessToken,\n token_type_hint: 'access_token',\n client_id: clientId,\n client_secret: hubspotConnectEnv.hubspotClientSecret,\n }),\n logger,\n });\n }\n }\n\n setResponseCookie({\n c,\n value: serializeCookie({\n name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,\n value: '',\n path: '/',\n sameSite: 'None',\n partitioned: true,\n maxAge: 0,\n }),\n });\n setResponseCookie({\n c,\n value: serializeCookie({\n name: HUBSPOT_APP_SID_COOKIE_NAME,\n value: '',\n path: '/',\n sameSite: 'None',\n partitioned: true,\n maxAge: 0,\n }),\n });\n setResponseCookie({\n c,\n value: serializeCookie({\n name: HUBSPOT_APP_ORIGIN_COOKIE_NAME,\n value: '',\n path: '/',\n sameSite: 'None',\n partitioned: true,\n maxAge: 0,\n }),\n });\n\n Object.keys(cookies).forEach((cookieName) => {\n if (cookieName.startsWith(HUBSPOT_REFRESH_COOKIE_PREFIX)) {\n setResponseCookie({\n c,\n value: serializeCookie({\n name: cookieName,\n value: '',\n path: refreshCookiePath,\n sameSite: 'None',\n partitioned: true,\n maxAge: 0,\n }),\n });\n }\n });\n\n return c.json({ redirect_to: '/' });\n}\n"],"mappings":";;;;;;AAeA,eAAe,YAAY,SAIT;CAChB,MAAM,EAAE,mBAAmB,MAAM,WAAW;CAC5C,IAAI;EACF,MAAM,WAAW,MAAM,MAAM,mBAAmB;GAC9C,QAAQ;GACR,SAAS,EAAE,gBAAgB,qCAAqC;GAChE;GACD,CAAC;EACF,IAAI,CAAC,SAAS,IACZ,OAAO,KACL,sCAAsC,SAAS,OAAO,GAAG,SAAS,aACnE;UAEI,OAAO;EACd,OAAO,KAAK,uCAAuC,MAAM;;;AAI7D,eAAsB,iBACpB,GACA,SACA;CACA,MAAM,EAAE,SAAS,mBAAmB,UAAU,mBAAmB,WAC/D;CACF,MAAM,kBAAkB,EAAE,IAAI,OAAO,oBAAoB,IAAI,KAAA;CAC7D,MAAM,iBAAiB,EAAE,IAAI,OAAO,mBAAmB,IAAI,KAAA;CAC3D,MAAM,oBAAoB,EAAE,IAAI,OAAO,OAAO,IAAI,KAAA;CAClD,MAAM,UAAU,aAAa,EAAE,IAAI,OAAO,SAAS,CAAC;CACpD,MAAM,cAAc,QAAQ;CAE5B,MAAM,WAAW,kBAAkB,gBAC/B,gCAAgC;EAC9B,YAAY,EAAE,IAAI;EAClB;EACA;EACA;EACA;EACD,CAAC,GACF,kBAAkB;CAEtB,MAAM,oBAAoB,IAAI,IAC5B,oBACA,kBAAkB,sBACnB,CAAC;CAEF,IAAI,aACF,IAAI,kBAAkB,eAAe;EACnC,IAAI,CAAC,SACH,OAAO,EAAE,KACP,EACE,OACE,qFACH,EACD,IACD;EAEH,MAAM,kBAAkB,MAAM,qBAAqB;GACjD;GACA;GACA,UAAU;GACX,CAAC;EACF,MAAM,YAAY;GAChB;GACA,MAAM,IAAI,gBAAgB;IACxB,OAAO;IACP,iBAAiB;IACjB,WAAW;IACX,uBACE;IACF,kBAAkB;IACnB,CAAC;GACF;GACD,CAAC;QAEF,MAAM,YAAY;EAChB;EACA,MAAM,IAAI,gBAAgB;GACxB,OAAO;GACP,iBAAiB;GACjB,WAAW;GACX,eAAe,kBAAkB;GAClC,CAAC;EACF;EACD,CAAC;CAIN,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;GACT,CAAC;EACH,CAAC;CACF,kBAAkB;EAChB;EACA,OAAO,gBAAgB;GACrB,MAAM;GACN,OAAO;GACP,MAAM;GACN,UAAU;GACV,aAAa;GACb,QAAQ;GACT,CAAC;EACH,CAAC;CAEF,OAAO,KAAK,QAAQ,CAAC,SAAS,eAAe;EAC3C,IAAI,WAAW,WAAA,cAAyC,EACtD,kBAAkB;GAChB;GACA,OAAO,gBAAgB;IACrB,MAAM;IACN,OAAO;IACP,MAAM;IACN,UAAU;IACV,aAAa;IACb,QAAQ;IACT,CAAC;GACH,CAAC;GAEJ;CAEF,OAAO,EAAE,KAAK,EAAE,aAAa,KAAK,CAAC"}