@mintlify/cli 4.0.1098 → 4.0.1099

package/__test__/analytics/client.test.ts

@@ -12,6 +12,8 @@ import {
 
 vi.mock('../../src/keyring.js', () => ({
   getAccessToken: vi.fn().mockResolvedValue(null),
+  getRefreshToken: vi.fn().mockResolvedValue(null),
+  storeCredentials: vi.fn().mockResolvedValue(undefined),
 }));
 
 const mockFetch = vi.fn();
@@ -30,6 +32,7 @@ afterEach(() => {
 function mockOk(data: unknown) {
   mockFetch.mockResolvedValueOnce({
     ok: true,
+    status: 200,
     json: () => Promise.resolve(data),
   });
 }
@@ -43,8 +46,13 @@ function mockError(status: number, body: string) {
   });
 }
 
-function calledUrl(): URL {
-  return mockFetch.mock.calls[0]![0] as URL;
+function calledUrl(): string {
+  const arg = mockFetch.mock.calls[0]![0];
+  return typeof arg === 'string' ? arg : String(arg);
+}
+
+function calledUrlObj(): URL {
+  return new URL(calledUrl());
 }
 
 describe('client auth', () => {
@@ -59,7 +67,7 @@ describe('client auth', () => {
     mockOk({ feedback: [], nextCursor: null, hasMore: false });
     await getFeedback({ dateFrom: '2024-01-01', dateTo: '2024-01-31' }, 'test');
     expect(mockFetch).toHaveBeenCalledWith(
-      expect.any(URL),
+      expect.any(String),
       expect.objectContaining({
         headers: expect.objectContaining({
           Authorization: 'Bearer test-token',
@@ -80,14 +88,14 @@ describe('client request handling', () => {
   it('passes subdomain as query param when provided', async () => {
     mockOk({ feedback: [], nextCursor: null, hasMore: false });
     await getFeedback({ dateFrom: '2024-01-01', dateTo: '2024-01-31' }, 'my-docs');
-    expect(calledUrl().searchParams.get('subdomain')).toBe('my-docs');
-    expect(calledUrl().pathname).toBe('/api/cli/analytics/feedback');
+    expect(calledUrlObj().searchParams.get('subdomain')).toBe('my-docs');
+    expect(calledUrlObj().pathname).toBe('/api/cli/analytics/feedback');
   });
 
   it('omits subdomain param when not provided', async () => {
     mockOk({ feedback: [], nextCursor: null, hasMore: false });
     await getFeedback({ dateFrom: '2024-01-01', dateTo: '2024-01-31' });
-    expect(calledUrl().searchParams.has('subdomain')).toBe(false);
+    expect(calledUrlObj().searchParams.has('subdomain')).toBe(false);
   });
 
   it('sets query params and omits undefined values', async () => {
@@ -98,9 +106,9 @@ describe('client request handling', () => {
       limit: 10,
       cursor: undefined,
     });
-    expect(calledUrl().searchParams.get('dateFrom')).toBe('2024-01-01');
-    expect(calledUrl().searchParams.get('limit')).toBe('10');
-    expect(calledUrl().searchParams.has('cursor')).toBe(false);
+    expect(calledUrlObj().searchParams.get('dateFrom')).toBe('2024-01-01');
+    expect(calledUrlObj().searchParams.get('limit')).toBe('10');
+    expect(calledUrlObj().searchParams.has('cursor')).toBe(false);
   });
 });
 
@@ -108,51 +116,51 @@ describe('endpoint paths', () => {
   it('getKpi', async () => {
     mockOk({ humanVisitors: 0 });
     await getKpi({ dateFrom: '2024-01-01', dateTo: '2024-01-31' }, 'docs');
-    expect(calledUrl().pathname).toBe('/api/cli/analytics/kpi');
-    expect(calledUrl().searchParams.get('subdomain')).toBe('docs');
+    expect(calledUrlObj().pathname).toBe('/api/cli/analytics/kpi');
+    expect(calledUrlObj().searchParams.get('subdomain')).toBe('docs');
   });
 
   it('getFeedbackByPage', async () => {
     mockOk({ feedback: [], hasMore: false });
     await getFeedbackByPage({ dateFrom: '2024-01-01', dateTo: '2024-01-31' }, 'docs');
-    expect(calledUrl().pathname).toBe('/api/cli/analytics/feedback/by-page');
+    expect(calledUrlObj().pathname).toBe('/api/cli/analytics/feedback/by-page');
   });
 
   it('getConversations', async () => {
     mockOk({ conversations: [], nextCursor: null, hasMore: false });
     await getConversations({ dateFrom: '2024-01-01', dateTo: '2024-01-31' }, 'docs');
-    expect(calledUrl().pathname).toBe('/api/cli/analytics/assistant');
+    expect(calledUrlObj().pathname).toBe('/api/cli/analytics/assistant');
   });
 
   it('getSearches', async () => {
     mockOk({ searches: [], totalSearches: 0, nextCursor: null });
     await getSearches({ dateFrom: '2024-01-01', dateTo: '2024-01-31' }, 'docs');
-    expect(calledUrl().pathname).toBe('/api/cli/analytics/searches');
+    expect(calledUrlObj().pathname).toBe('/api/cli/analytics/searches');
   });
 
   it('getViews', async () => {
     mockOk({ totals: {}, views: [], hasMore: false });
     await getViews({ dateFrom: '2024-01-01', dateTo: '2024-01-31' }, 'docs');
-    expect(calledUrl().pathname).toBe('/api/cli/analytics/views');
+    expect(calledUrlObj().pathname).toBe('/api/cli/analytics/views');
   });
 
   it('getVisitors', async () => {
     mockOk({ totals: {}, visitors: [], hasMore: false });
     await getVisitors({ dateFrom: '2024-01-01', dateTo: '2024-01-31' }, 'docs');
-    expect(calledUrl().pathname).toBe('/api/cli/analytics/visitors');
+    expect(calledUrlObj().pathname).toBe('/api/cli/analytics/visitors');
   });
 
   it('getBuckets', async () => {
     mockOk({ data: [], pagination: { total: 0 } });
     await getBuckets({ dateFrom: '2024-01-01', dateTo: '2024-01-31' }, 'docs');
-    expect(calledUrl().pathname).toBe('/api/cli/analytics/conversations/buckets');
-    expect(calledUrl().searchParams.get('subdomain')).toBe('docs');
+    expect(calledUrlObj().pathname).toBe('/api/cli/analytics/conversations/buckets');
+    expect(calledUrlObj().searchParams.get('subdomain')).toBe('docs');
   });
 
   it('getBucketThreads', async () => {
     mockOk({ data: [], pagination: { total: 0, hasMore: false, nextCursor: null } });
     await getBucketThreads('bucket-123', { dateFrom: '2024-01-01' }, 'docs');
-    expect(calledUrl().pathname).toBe('/api/cli/analytics/conversations/buckets/bucket-123');
-    expect(calledUrl().searchParams.get('subdomain')).toBe('docs');
+    expect(calledUrlObj().pathname).toBe('/api/cli/analytics/conversations/buckets/bucket-123');
+    expect(calledUrlObj().searchParams.get('subdomain')).toBe('docs');
   });
 });

package/__test__/authenticatedFetch.test.ts

@@ -0,0 +1,182 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+
+import { authenticatedFetch } from '../src/authenticatedFetch.js';
+
+const mockGetAccessToken = vi.fn();
+const mockGetRefreshToken = vi.fn();
+const mockStoreCredentials = vi.fn();
+
+vi.mock('../src/keyring.js', () => ({
+  getAccessToken: (...args: unknown[]) => mockGetAccessToken(...args),
+  getRefreshToken: (...args: unknown[]) => mockGetRefreshToken(...args),
+  storeCredentials: (...args: unknown[]) => mockStoreCredentials(...args),
+}));
+
+const mockFetch = vi.fn();
+global.fetch = mockFetch;
+
+function makeResponse(status: number, body: unknown = {}) {
+  return {
+    ok: status >= 200 && status < 300,
+    status,
+    statusText: status === 401 ? 'Unauthorized' : 'OK',
+    json: () => Promise.resolve(body),
+    text: () => Promise.resolve(JSON.stringify(body)),
+  };
+}
+
+describe('authenticatedFetch', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockFetch.mockReset();
+    vi.stubEnv('MINTLIFY_SESSION_TOKEN', '');
+  });
+
+  afterEach(() => {
+    vi.unstubAllEnvs();
+  });
+
+  it('sends access token from keyring', async () => {
+    mockGetAccessToken.mockResolvedValue('access-123');
+    mockFetch.mockResolvedValueOnce(makeResponse(200, { ok: true }));
+
+    await authenticatedFetch('http://test/api');
+
+    expect(mockFetch).toHaveBeenCalledWith('http://test/api', {
+      headers: { Authorization: 'Bearer access-123' },
+    });
+  });
+
+  it('falls back to MINTLIFY_SESSION_TOKEN env var', async () => {
+    mockGetAccessToken.mockResolvedValue(null);
+    vi.stubEnv('MINTLIFY_SESSION_TOKEN', 'env-token');
+    mockFetch.mockResolvedValueOnce(makeResponse(200));
+
+    await authenticatedFetch('http://test/api');
+
+    expect(mockFetch).toHaveBeenCalledWith('http://test/api', {
+      headers: { Authorization: 'Bearer env-token' },
+    });
+  });
+
+  it('throws when no token is available', async () => {
+    mockGetAccessToken.mockResolvedValue(null);
+
+    await expect(authenticatedFetch('http://test/api')).rejects.toThrow('Not authenticated');
+  });
+
+  it('refreshes token on 401 and retries', async () => {
+    mockGetAccessToken.mockResolvedValue('expired-token');
+    mockGetRefreshToken.mockResolvedValue('refresh-123');
+    mockStoreCredentials.mockResolvedValue(undefined);
+
+    mockFetch
+      .mockResolvedValueOnce(makeResponse(401))
+      .mockResolvedValueOnce(
+        makeResponse(200, {
+          access_token: 'new-access',
+          refresh_token: 'new-refresh',
+          token_type: 'bearer',
+          expires_in: 3600,
+        })
+      )
+      .mockResolvedValueOnce(makeResponse(200, { ok: true }));
+
+    const res = await authenticatedFetch('http://test/api');
+
+    expect(res.status).toBe(200);
+    expect(mockFetch).toHaveBeenCalledTimes(3);
+    expect(mockFetch).toHaveBeenLastCalledWith('http://test/api', {
+      headers: { Authorization: 'Bearer new-access' },
+    });
+  });
+
+  it('falls back to env token when refresh fails', async () => {
+    mockGetAccessToken.mockResolvedValue('expired-token');
+    mockGetRefreshToken.mockResolvedValue('bad-refresh');
+    vi.stubEnv('MINTLIFY_SESSION_TOKEN', 'env-token');
+
+    mockFetch
+      .mockResolvedValueOnce(makeResponse(401))
+      .mockResolvedValueOnce(makeResponse(400, { error: 'invalid_grant' }))
+      .mockResolvedValueOnce(makeResponse(200, { ok: true }));
+
+    const res = await authenticatedFetch('http://test/api');
+
+    expect(res.status).toBe(200);
+    expect(mockFetch).toHaveBeenCalledTimes(3);
+    expect(mockFetch).toHaveBeenLastCalledWith('http://test/api', {
+      headers: { Authorization: 'Bearer env-token' },
+    });
+  });
+
+  it('returns original 401 when refresh fails and no env token', async () => {
+    mockGetAccessToken.mockResolvedValue('expired-token');
+    mockGetRefreshToken.mockResolvedValue('bad-refresh');
+
+    mockFetch
+      .mockResolvedValueOnce(makeResponse(401))
+      .mockResolvedValueOnce(makeResponse(400, { error: 'invalid_grant' }));
+
+    const res = await authenticatedFetch('http://test/api');
+
+    expect(res.status).toBe(401);
+    expect(mockFetch).toHaveBeenCalledTimes(2);
+  });
+
+  it('falls back to env token when no refresh token exists', async () => {
+    mockGetAccessToken.mockResolvedValue('expired-token');
+    mockGetRefreshToken.mockResolvedValue(null);
+    vi.stubEnv('MINTLIFY_SESSION_TOKEN', 'env-token');
+
+    mockFetch
+      .mockResolvedValueOnce(makeResponse(401))
+      .mockResolvedValueOnce(makeResponse(200, { ok: true }));
+
+    const res = await authenticatedFetch('http://test/api');
+
+    expect(res.status).toBe(200);
+    expect(mockFetch).toHaveBeenCalledTimes(2);
+    expect(mockFetch).toHaveBeenLastCalledWith('http://test/api', {
+      headers: { Authorization: 'Bearer env-token' },
+    });
+  });
+
+  it('returns original 401 when no refresh token and no env token', async () => {
+    mockGetAccessToken.mockResolvedValue('expired-token');
+    mockGetRefreshToken.mockResolvedValue(null);
+
+    mockFetch.mockResolvedValueOnce(makeResponse(401));
+
+    const res = await authenticatedFetch('http://test/api');
+
+    expect(res.status).toBe(401);
+    expect(mockFetch).toHaveBeenCalledTimes(1);
+  });
+
+  it('does not attempt refresh when only env token is available', async () => {
+    mockGetAccessToken.mockResolvedValue(null);
+    vi.stubEnv('MINTLIFY_SESSION_TOKEN', 'env-token');
+
+    mockFetch.mockResolvedValueOnce(makeResponse(401));
+
+    const res = await authenticatedFetch('http://test/api');
+
+    expect(res.status).toBe(401);
+    expect(mockGetRefreshToken).not.toHaveBeenCalled();
+    expect(mockFetch).toHaveBeenCalledTimes(1);
+  });
+
+  it('merges custom headers with auth header', async () => {
+    mockGetAccessToken.mockResolvedValue('token-123');
+    mockFetch.mockResolvedValueOnce(makeResponse(200));
+
+    await authenticatedFetch('http://test/api', {
+      headers: { Accept: 'application/json' },
+    });
+
+    expect(mockFetch).toHaveBeenCalledWith('http://test/api', {
+      headers: { Accept: 'application/json', Authorization: 'Bearer token-123' },
+    });
+  });
+});

package/__test__/keyring.test.ts

@@ -33,6 +33,13 @@ describe('keyring', () => {
     expect(mockKeytar.getPassword).toHaveBeenCalledWith('mintlify', 'access_token');
   });
 
+  it('retrieves the refresh token via keytar', async () => {
+    const { getRefreshToken } = await import('../src/keyring.js');
+    const token = await getRefreshToken();
+    expect(token).toBe('test-token');
+    expect(mockKeytar.getPassword).toHaveBeenCalledWith('mintlify', 'refresh_token');
+  });
+
   it('deletes both tokens via keytar', async () => {
     const { clearCredentials } = await import('../src/keyring.js');
     await clearCredentials();

package/bin/analytics/client.js

@@ -7,24 +7,8 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
+import { authenticatedFetch } from '../authenticatedFetch.js';
 import { API_URL } from '../constants.js';
-function getAuthHeaders() {
-    return __awaiter(this, void 0, void 0, function* () {
-        try {
-            const { getAccessToken } = yield import('../keyring.js');
-            const token = yield getAccessToken();
-            if (token) {
-                return { Authorization: `Bearer ${token}` };
-            }
-        }
-        catch (_a) { }
-        const envToken = process.env.MINTLIFY_SESSION_TOKEN;
-        if (envToken) {
-            return { Authorization: `Bearer ${envToken}` };
-        }
-        throw new Error('Not authenticated. Run `mint login` to authenticate.');
-    });
-}
 function request(path_1) {
     return __awaiter(this, arguments, void 0, function* (path, params = {}) {
         const url = new URL(`${API_URL}/api/cli/analytics${path}`);
@@ -32,9 +16,8 @@ function request(path_1) {
             if (value !== undefined)
                 url.searchParams.set(key, String(value));
         }
-        const authHeaders = yield getAuthHeaders();
-        const res = yield fetch(url, {
-            headers: Object.assign(Object.assign({}, authHeaders), { Accept: 'application/json' }),
+        const res = yield authenticatedFetch(url.toString(), {
+            headers: { Accept: 'application/json' },
         });
         if (!res.ok) {
             const body = yield res.text().catch(() => '');

package/bin/authenticatedFetch.js

@@ -0,0 +1,46 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import { getAccessToken } from './keyring.js';
+import { refreshAccessToken } from './tokenRefresh.js';
+function getKeyringToken() {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            return yield getAccessToken();
+        }
+        catch (_a) {
+            return null;
+        }
+    });
+}
+export function authenticatedFetch(url, init) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const keyringToken = yield getKeyringToken();
+        const envToken = process.env.MINTLIFY_SESSION_TOKEN;
+        const token = keyringToken !== null && keyringToken !== void 0 ? keyringToken : envToken;
+        if (!token) {
+            throw new Error('Not authenticated. Run `mint login` to authenticate.');
+        }
+        const makeRequest = (t) => fetch(url, Object.assign(Object.assign({}, init), { headers: Object.assign(Object.assign({}, init === null || init === void 0 ? void 0 : init.headers), { Authorization: `Bearer ${t}` }) }));
+        const res = yield makeRequest(token);
+        if (res.status !== 401)
+            return res;
+        // If the keyring token expired, try refreshing it
+        if (keyringToken) {
+            const refreshed = yield refreshAccessToken();
+            if (refreshed)
+                return makeRequest(refreshed);
+        }
+        // Fall back to the env session token if it wasn't already used
+        if (envToken && token !== envToken) {
+            return makeRequest(envToken);
+        }
+        return res;
+    });
+}

package/bin/keyring.js

@@ -38,6 +38,12 @@ export function getAccessToken() {
         return keytar.getPassword(SERVICE, ACCESS_TOKEN_ACCOUNT);
     });
 }
+export function getRefreshToken() {
+    return __awaiter(this, void 0, void 0, function* () {
+        const keytar = yield getKeytar();
+        return keytar.getPassword(SERVICE, REFRESH_TOKEN_ACCOUNT);
+    });
+}
 export function clearCredentials() {
     return __awaiter(this, void 0, void 0, function* () {
         const keytar = yield getKeytar();

package/bin/status.js

@@ -11,6 +11,7 @@ import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
 import { addLog, ErrorLog } from '@mintlify/previewing';
 import { Box, Text } from 'ink';
 import { z } from 'zod';
+import { authenticatedFetch } from './authenticatedFetch.js';
 import { getConfigValue } from './config.js';
 import { API_URL } from './constants.js';
 import { getCliVersion } from './helpers.js';
@@ -47,9 +48,7 @@ export function status() {
             return;
         }
         try {
-            const res = yield fetch(`${API_URL}/api/cli/status`, {
-                headers: { Authorization: `Bearer ${accessToken}` },
-            });
+            const res = yield authenticatedFetch(`${API_URL}/api/cli/status`);
             if (!res.ok) {
                 addLog(_jsx(ErrorLog, { message: "not logged in. Run `mint login` to authenticate." }));
                 return;

package/bin/tokenRefresh.js

@@ -0,0 +1,50 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import { STYTCH_CLIENT_ID, TOKEN_ENDPOINT } from './constants.js';
+import { getRefreshToken, storeCredentials } from './keyring.js';
+let inflightRefresh = null;
+export function refreshAccessToken() {
+    return __awaiter(this, void 0, void 0, function* () {
+        if (inflightRefresh)
+            return inflightRefresh;
+        inflightRefresh = doRefresh().finally(() => {
+            inflightRefresh = null;
+        });
+        return inflightRefresh;
+    });
+}
+function doRefresh() {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            const refreshToken = yield getRefreshToken();
+            if (!refreshToken)
+                return null;
+            const res = yield fetch(TOKEN_ENDPOINT, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    client_id: STYTCH_CLIENT_ID,
+                    grant_type: 'refresh_token',
+                    refresh_token: refreshToken,
+                }),
+            });
+            if (!res.ok)
+                return null;
+            const body = (yield res.json().catch(() => null));
+            if (!(body === null || body === void 0 ? void 0 : body.access_token) || !body.refresh_token)
+                return null;
+            yield storeCredentials(body.access_token, body.refresh_token);
+            return body.access_token;
+        }
+        catch (_a) {
+            return null;
+        }
+    });
+}