@salesforce/core 3.19.1 → 3.19.2

package/CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [3.19.2](https://github.com/forcedotcom/sfdx-core/compare/v3.19.1...v3.19.2) (2022-06-02)
+
+### Bug Fixes
+
+- loosen audience url determination ([#588](https://github.com/forcedotcom/sfdx-core/issues/588)) ([a58ab89](https://github.com/forcedotcom/sfdx-core/commit/a58ab89e2ada34fbdb6d8c72d88966a5281db60b))
+
 ### [3.19.1](https://github.com/forcedotcom/sfdx-core/compare/v3.19.0...v3.19.1) (2022-05-27)
 
 ### Bug Fixes

package/lib/org/authInfo.d.ts

@@ -289,7 +289,8 @@ export declare class AuthInfo extends AsyncOptionalCreatable<AuthInfo.Options> {
     private loadDecryptedAuthFromConfig;
     private isTokenOptions;
     private refreshFn;
-    private buildJwtConfig;
+    private authJwt;
+    private tryJwtAuth;
     private buildRefreshTokenConfig;
     /**
      * Performs an authCode exchange but the Oauth2 feature of jsforce is extended to include a code_challenge

package/lib/org/authInfo.js

@@ -38,6 +38,7 @@ const messages = messages_1.Messages.load('@salesforce/core', 'core', [
     'jwtAuthError',
     'authCodeUsernameRetrievalError',
     'authCodeExchangeError',
+    'missingClientId',
 ]);
 // Extend OAuth2 to add JWT Bearer Token Flow support.
 class JwtOAuth2 extends jsforce_1.OAuth2 {
@@ -607,7 +608,7 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
                     options.privateKey = (0, path_1.resolve)(options.privateKeyFile);
                 }
                 if (options.privateKey) {
-                    authConfig = await this.buildJwtConfig(options);
+                    authConfig = await this.authJwt(options);
                 }
                 else if (!options.authCode && options.refreshToken) {
                     // refresh token flow (from sfdxUrl or OAuth refreshFn)
@@ -667,27 +668,32 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         }
     }
     // Build OAuth config for a JWT auth flow
-    async buildJwtConfig(options) {
+    async authJwt(options) {
+        if (!options.clientId) {
+            throw messages.createError('missingClientId');
+        }
         const privateKeyContents = await fs.promises.readFile((0, ts_types_1.ensure)(options.privateKey), 'utf8');
         const { loginUrl = sfdcUrl_1.SfdcUrl.PRODUCTION } = options;
         const url = new sfdcUrl_1.SfdcUrl(loginUrl);
         const createdOrgInstance = (0, ts_types_1.getString)(options, 'createdOrgInstance', '').trim().toLowerCase();
         const audienceUrl = await url.getJwtAudienceUrl(createdOrgInstance);
-        const jwtToken = jwt.sign({
-            iss: options.clientId,
-            sub: this.getUsername(),
-            aud: audienceUrl,
-            exp: Date.now() + 300,
-        }, privateKeyContents, {
-            algorithm: 'RS256',
-        });
-        const oauth2 = new JwtOAuth2({ loginUrl: options.loginUrl });
         let authFieldsBuilder;
-        try {
-            authFieldsBuilder = (0, ts_types_1.ensureJsonMap)(await oauth2.jwtAuthorize(jwtToken));
+        const authErrors = [];
+        // given that we can no longer depend on instance names or URls to determine audience, let's try them all
+        const loginAndAudienceUrls = (0, sfdcUrl_1.getLoginAudienceCombos)(audienceUrl, loginUrl);
+        for (const [login, audience] of loginAndAudienceUrls) {
+            try {
+                authFieldsBuilder = await this.tryJwtAuth(options.clientId, login, audience, privateKeyContents);
+                break;
+            }
+            catch (err) {
+                const error = err;
+                const message = error.message.includes('audience') ? `${error.message}-${login}:${audience}` : error.message;
+                authErrors.push(message);
+            }
         }
-        catch (err) {
-            throw messages.createError('jwtAuthError', [err.message]);
+        if (!authFieldsBuilder) {
+            throw messages.createError('jwtAuthError', [authErrors.join('\n')]);
         }
         const authFields = {
             accessToken: (0, ts_types_1.asString)(authFieldsBuilder.access_token),
@@ -709,6 +715,18 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         }
         return authFields;
     }
+    async tryJwtAuth(clientId, loginUrl, audienceUrl, privateKeyContents) {
+        const jwtToken = jwt.sign({
+            iss: clientId,
+            sub: this.getUsername(),
+            aud: audienceUrl,
+            exp: Date.now() + 300,
+        }, privateKeyContents, {
+            algorithm: 'RS256',
+        });
+        const oauth2 = new JwtOAuth2({ loginUrl });
+        return (0, ts_types_1.ensureJsonMap)(await oauth2.jwtAuthorize(jwtToken));
+    }
     // Build OAuth config for a refresh token auth flow
     async buildRefreshTokenConfig(options) {
         // Ideally, this would be removed at some point in the distant future when all auth files

package/lib/org/scratchOrgCreate.js

@@ -24,7 +24,6 @@ const scratchOrgCache_1 = require("./scratchOrgCache");
 const scratchOrgErrorCodes_1 = require("./scratchOrgErrorCodes");
 messages_1.Messages.importMessagesDirectory(__dirname);
 const messages = messages_1.Messages.load('@salesforce/core', 'scratchOrgCreate', [
-    'SourceStatusResetFailureError',
     'DurationDaysValidationMaxError',
     'DurationDaysValidationMinError',
     'RetryNotIntError',

package/lib/util/sfdcUrl.d.ts

@@ -1,5 +1,6 @@
 /// <reference types="node" />
 import { URL } from 'url';
+export declare function getLoginAudienceCombos(audienceUrl: string, loginUrl: string): [string, string][];
 export declare class SfdcUrl extends URL {
     /**
      * Salesforce URLs
@@ -27,7 +28,7 @@ export declare class SfdcUrl extends URL {
     /**
      * Tests whether this url is an internal Salesforce domain
      *
-     * @returns {boolean} true if this is a internal domain
+     * @returns {boolean} true if this is an internal domain
      */
     isInternalUrl(): boolean;
     /**
@@ -57,6 +58,7 @@ export declare class SfdcUrl extends URL {
     /**
      * Tests whether this url is a sandbox url
      *
+     * @Deprecated - identification of a sandbox instance by URL alone is not deterministic
      * @param createdOrgInstance The Salesforce instance the org was created on. e.g. `cs42`
      * @returns {boolean}
      */
@@ -67,12 +69,4 @@ export declare class SfdcUrl extends URL {
      * @returns {boolean} true if this domain is a lightning domain
      */
     isLightningDomain(): boolean;
-    /**
-     * Tests whether this url is a sandbox url
-     * otherwise tries to resolve dns cnames and then look if any is sandbox url
-     *
-     * @param createdOrgInstance The Salesforce instance the org was created on. e.g. `cs42`
-     * @returns {Promise<boolean>} true if this domain resolves to sanbox url
-     */
-    private resolvesToSandbox;
 }

package/lib/util/sfdcUrl.js

@@ -6,13 +6,37 @@
  * For full license text, see LICENSE.txt file in the repo root or https://opensource.org/licenses/BSD-3-Clause
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SfdcUrl = void 0;
+exports.SfdcUrl = exports.getLoginAudienceCombos = void 0;
 const url_1 = require("url");
 const kit_1 = require("@salesforce/kit");
 const ts_types_1 = require("@salesforce/ts-types");
 const myDomainResolver_1 = require("../status/myDomainResolver");
 const logger_1 = require("../logger");
 const lifecycleEvents_1 = require("../lifecycleEvents");
+function getLoginAudienceCombos(audienceUrl, loginUrl) {
+    const filtered = [
+        [loginUrl, loginUrl],
+        [SfdcUrl.SANDBOX, SfdcUrl.SANDBOX],
+        [SfdcUrl.PRODUCTION, SfdcUrl.PRODUCTION],
+        [audienceUrl, audienceUrl],
+        [audienceUrl, SfdcUrl.PRODUCTION],
+        [audienceUrl, SfdcUrl.SANDBOX],
+        [loginUrl, audienceUrl],
+        [loginUrl, SfdcUrl.PRODUCTION],
+        [loginUrl, SfdcUrl.SANDBOX],
+        [SfdcUrl.PRODUCTION, audienceUrl],
+        [SfdcUrl.SANDBOX, audienceUrl],
+    ].filter(([login, audience]) => !((login === SfdcUrl.PRODUCTION && audience === SfdcUrl.SANDBOX) ||
+        (login === SfdcUrl.SANDBOX && audience === SfdcUrl.PRODUCTION)));
+    const reduced = filtered.reduce((acc, [login, audience]) => {
+        const l = new url_1.URL(login);
+        const a = new url_1.URL(audience);
+        acc.set(`${l.origin}:${a.origin}`, [login, audience]);
+        return acc;
+    }, new Map());
+    return [...reduced.values()];
+}
+exports.getLoginAudienceCombos = getLoginAudienceCombos;
 class SfdcUrl extends url_1.URL {
     constructor(input, base) {
         super(input.toString(), base);
@@ -45,13 +69,6 @@ class SfdcUrl extends url_1.URL {
             this.logger.debug(`Audience URL overridden by env var SFDX_AUDIENCE_URL=${envVarVal}`);
             return envVarVal;
         }
-        if (this.isInternalUrl()) {
-            // This is for internal developers when just doing authorize
-            return this.origin;
-        }
-        if (await this.resolvesToSandbox(createdOrgInstance)) {
-            return SfdcUrl.SANDBOX;
-        }
         if ((createdOrgInstance && /^gs1/gi.test(createdOrgInstance)) || /(gs1.my.salesforce.com)/gi.test(this.origin)) {
             return 'https://gs1.salesforce.com';
         }
@@ -81,7 +98,7 @@ class SfdcUrl extends url_1.URL {
     /**
      * Tests whether this url is an internal Salesforce domain
      *
-     * @returns {boolean} true if this is a internal domain
+     * @returns {boolean} true if this is an internal domain
      */
     isInternalUrl() {
         const INTERNAL_URL_PARTS = [
@@ -157,9 +174,11 @@ class SfdcUrl extends url_1.URL {
     /**
      * Tests whether this url is a sandbox url
      *
+     * @Deprecated - identification of a sandbox instance by URL alone is not deterministic
      * @param createdOrgInstance The Salesforce instance the org was created on. e.g. `cs42`
      * @returns {boolean}
      */
+    // TODO: how to get rid of this?
     isSandboxUrl(createdOrgInstance) {
         return ((createdOrgInstance && /^cs|s$/gi.test(createdOrgInstance)) ||
             this.origin.endsWith('sandbox.my.salesforce.mil') ||
@@ -177,25 +196,7 @@ class SfdcUrl extends url_1.URL {
      * @returns {boolean} true if this domain is a lightning domain
      */
     isLightningDomain() {
-        return /\.lightning\.force\.com/.test(this.origin);
-    }
-    /**
-     * Tests whether this url is a sandbox url
-     * otherwise tries to resolve dns cnames and then look if any is sandbox url
-     *
-     * @param createdOrgInstance The Salesforce instance the org was created on. e.g. `cs42`
-     * @returns {Promise<boolean>} true if this domain resolves to sanbox url
-     */
-    async resolvesToSandbox(createdOrgInstance) {
-        if (this.isSandboxUrl(createdOrgInstance)) {
-            return true;
-        }
-        const myDomainResolver = await myDomainResolver_1.MyDomainResolver.create({ url: this });
-        const cnames = await myDomainResolver.getCnames();
-        return cnames.some((cname) => {
-            const url = new SfdcUrl(`https://${cname}`);
-            return url.isSandboxUrl();
-        });
+        return /\.lightning\.force\.com/.test(this.origin) || /\.lightning\.crmforce\.mil/.test(this.origin);
     }
 }
 exports.SfdcUrl = SfdcUrl;

package/messages/core.md

@@ -24,6 +24,12 @@ Due to: %s
 
 Error authenticating with JWT config due to: %s
 
+# jwtAuthErrors
+
+Error authenticating with JWT.
+Errors encountered:
+%s
+
 # refreshTokenAuthError
 
 Error authenticating with the refresh token due to: %s
@@ -55,3 +61,7 @@ Setting aliases must be in the format <key>=<value> but found: [%s].
 
 All JSON input must have heads down camelcase keys. E.g., `{ sfdcLoginUrl: "https://login.salesforce.com" }`
 Found "%s" at %s
+
+# missingClientId
+
+Client ID is required for JWT authentication.

package/messages/scratchOrgCreate.md

@@ -2,10 +2,6 @@
 
 Org snapshots don’t support one or more options you specified: %s.
 
-# SourceStatusResetFailureError
-
-Successfully created org with ID: %s and name: %s. Unfortunately, source tracking isn’t working as expected. If you run force:source:status, the results may be incorrect. Try again by creating another scratch org.
-
 # DurationDaysValidationMinError
 
 Expected 'durationDays' greater than or equal to %s but received %s.

package/messages/scratchOrgInfoApi.md

@@ -9,3 +9,7 @@ You cannot use 'settings' and `'orgPreferences' in your scratch definition file,
 # DeprecatedPrefFormat
 
 We've deprecated OrgPreferences. Update the scratch org definition file to replace OrgPreferences with their corresponding settings.
+
+# SourceStatusResetFailureError
+
+Successfully created org with ID: %s and name: %s. Unfortunately, source tracking isn’t working as expected. If you run force:source:status, the results may be incorrect. Try again by creating another scratch org.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@salesforce/core",
-  "version": "3.19.1",
+  "version": "3.19.2",
   "description": "Core libraries to interact with SFDX projects, orgs, and APIs.",
   "main": "lib/exported",
   "types": "lib/exported.d.ts",
@@ -68,14 +68,14 @@
     "@typescript-eslint/parser": "4.33.0",
     "chai": "^4.3.4",
     "commitizen": "^3.1.2",
-    "eslint": "^6.8.0",
+    "eslint": "^7.27.0",
     "eslint-config-prettier": "^6.15.0",
     "eslint-config-salesforce": "^0.1.6",
     "eslint-config-salesforce-license": "^0.1.6",
     "eslint-config-salesforce-typescript": "^0.2.8",
-    "eslint-plugin-header": "^3.1.1",
+    "eslint-plugin-header": "3.0.0",
     "eslint-plugin-import": "^2.25.4",
-    "eslint-plugin-jsdoc": "^27.1.2",
+    "eslint-plugin-jsdoc": "^35.1.2",
     "eslint-plugin-prettier": "^3.1.3",
     "husky": "^7.0.4",
     "mocha": "^9.1.3",