@newhomestar/sdk 0.8.16 → 0.8.17
- package/dist/credentials.js +48 -0
- package/package.json +1 -1
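--- a/package/dist/credentials.js
+++ b/package/dist/credentials.js
@@ -190,6 +190,54 @@ async function performTokenExchange(slug, params) {
 async function fetchCredentialsFromAuthServer(authBaseUrl, slug, bearerToken, forceRefresh = false) {
 const url = `${authBaseUrl}/api/integrations/${encodeURIComponent(slug)}/credentials`;
 console.log(`[nova-sdk] 🌐 Fetching credentials via HTTP: GET ${url}${forceRefresh ? " (force-refresh)" : ""}`);
+// ── Outgoing bearer-token preview ──────────────────────────────────────────
+// We log the JWT's structural claims (NOT the signature, NOT secrets) so we
+// can correlate the SDK's outgoing token against what the auth server says
+// it received on the other side. This is invaluable when diagnosing 401s
+// from `resolveCredentialsViaServiceToken` (the relay path).
+try {
+const parts = bearerToken.split(".");
+if (parts.length === 3) {
+// base64url → JSON. atob handles base64; we normalize url-safe chars first.
+const b64urlDecode = (s) => {
+const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
+// Pad to a multiple of 4
+const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
+if (typeof Buffer !== "undefined") {
+return Buffer.from(padded, "base64").toString("utf8");
+}
+// Browser-safe fallback
+// eslint-disable-next-line no-undef
+return decodeURIComponent(escape(atob(padded)));
+};
+const header = JSON.parse(b64urlDecode(parts[0]));
+const payload = JSON.parse(b64urlDecode(parts[1]));
+console.log(`[nova-sdk] 🪪 Outgoing bearer header:`, {
+alg: header.alg,
+typ: header.typ,
+kid: header.kid,
+});
+console.log(`[nova-sdk] 🪪 Outgoing bearer payload preview:`, {
+iss: payload.iss,
+aud: payload.aud,
+sub: payload.sub,
+client_id: payload.client_id,
+scope: payload.scope,
+service_name: payload.service_name,
+exp: payload.exp,
+iat: payload.iat,
+secondsUntilExp: typeof payload.exp === "number"
+? payload.exp - Math.floor(Date.now() / 1000)
+: null,
+});
+}
+else {
+console.log(`[nova-sdk] 🪪 Outgoing bearer is NOT a 3-part JWT (parts=${parts.length}, length=${bearerToken.length}). This is expected if the SDK is using INTERNAL_API_SECRET as a service token.`);
+}
+}
+catch (decodeErr) {
+console.warn(`[nova-sdk] ⚠️ Failed to decode outgoing bearer for preview:`, decodeErr instanceof Error ? decodeErr.message : String(decodeErr));
+}
 const headers = {
 Authorization: `Bearer ${bearerToken}`,
 Accept: "application/json",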
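Review bot: The bearer-token preview added at new lines 193–240 runs on every call and writes `sub`, `client_id`, `scope` and `service_name` through `console.log` with no debug switch, so identity claims end up in whatever log sink the host application uses (and in the browser console where the `atob` fallback is taken). I would wrap the whole `try` block in an opt-in check such as `if (<SDK_DEBUG_FLAG>) { ... }` (placeholder for the SDK's own debug setting) and keep the default output to `iss`, `aud`, `kid` and `secondsUntilExp`. In the `catch`, `decodeErr.message` comes from `JSON.parse`, and on some runtimes that message quotes part of its input, so a non-JWT secret that happens to contain two dots could have decoded fragments written to the warn log; logging a fixed string like `"bearer preview decode failed"` avoids that. The `else` branch also prints `bearerToken.length`, which in the `INTERNAL_API_SECRET` case it names discloses the length of the shared secret. `fetchCredentialsFromAuthServer` continues past the end of the hunk, so how the response is handled is not visible here.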
package/package.json
CHANGED