@salesforce/core 4.0.0-v3.0 → 4.0.1

package/lib/org/authInfo.js

@@ -5,160 +5,30 @@
  * Licensed under the BSD 3-Clause license.
  * For full license text, see LICENSE.txt file in the repo root or https://opensource.org/licenses/BSD-3-Clause
  */
+/* eslint-disable class-methods-use-this */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthInfo = exports.DEFAULT_CONNECTED_APP_INFO = exports.getJwtAudienceUrl = exports.SfdcUrl = exports.OAuth2WithVerifier = void 0;
+exports.AuthInfo = exports.DEFAULT_CONNECTED_APP_INFO = void 0;
 const crypto_1 = require("crypto");
-const url_1 = require("url");
-const dns = require("dns");
 const path_1 = require("path");
-const url_2 = require("url");
 const os = require("os");
+const fs = require("fs");
 const kit_1 = require("@salesforce/kit");
 const ts_types_1 = require("@salesforce/ts-types");
 const jsforce_1 = require("jsforce");
-// No typings directly available for jsforce/lib/transport
-// eslint-disable-next-line @typescript-eslint/ban-ts-ignore
-// @ts-ignore
-const Transport = require("jsforce/lib/transport");
+const transport_1 = require("jsforce/lib/transport");
 const jwt = require("jsonwebtoken");
-const aliases_1 = require("../config/aliases");
 const config_1 = require("../config/config");
 const configAggregator_1 = require("../config/configAggregator");
 const logger_1 = require("../logger");
-const sfdxError_1 = require("../sfdxError");
-const fs_1 = require("../util/fs");
+const sfError_1 = require("../sfError");
 const sfdc_1 = require("../util/sfdc");
-const myDomainResolver_1 = require("../status/myDomainResolver");
-const globalInfoConfig_1 = require("../config/globalInfoConfig");
+const stateAggregator_1 = require("../stateAggregator");
 const messages_1 = require("../messages");
+const sfdcUrl_1 = require("../util/sfdcUrl");
 const connection_1 = require("./connection");
-messages_1.Messages.importMessagesDirectory(__dirname);
-const messages = messages_1.Messages.load('@salesforce/core', 'core', [
-    'authInfoCreationError',
-    'authInfoOverwriteError',
-    'namedOrgNotFound',
-    'orgDataNotAvailableError',
-    'orgDataNotAvailableError.actions',
-    'refreshTokenAuthError',
-    'jwtAuthError',
-    'authCodeUsernameRetrievalError',
-    'authCodeExchangeError',
-]);
-// Extend OAuth2 to add JWT Bearer Token Flow support.
-class JwtOAuth2 extends jsforce_1.OAuth2 {
-    constructor(options) {
-        super(options);
-    }
-    jwtAuthorize(innerToken, callback) {
-        // eslint-disable-next-line @typescript-eslint/ban-ts-ignore
-        // @ts-ignore
-        return super._postParams({
-            grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
-            assertion: innerToken,
-        }, callback);
-    }
-}
-/**
- * Extend OAuth2 to add code verifier support for the auth code (web auth) flow
- * const oauth2 = new OAuth2WithVerifier({ loginUrl, clientSecret, clientId, redirectUri });
- *
- * const authUrl = oauth2.getAuthorizationUrl({
- *    state: 'foo',
- *    prompt: 'login',
- *    scope: 'api web'
- * });
- * console.log(authUrl);
- * const authCode = await retrieveCode();
- * const authInfo = await AuthInfo.create({ oauth2Options: { clientId, clientSecret, loginUrl, authCode }, oauth2});
- * console.log(`access token: ${authInfo.getFields(true).accessToken}`);
- */
-class OAuth2WithVerifier extends jsforce_1.OAuth2 {
-    constructor(options) {
-        super(options);
-        // Set a code verifier string for OAuth authorization
-        this.codeVerifier = base64UrlEscape(crypto_1.randomBytes(Math.ceil(128)).toString('base64'));
-    }
-    /**
-     * Overrides jsforce.OAuth2.getAuthorizationUrl.  Get Salesforce OAuth2 authorization page
-     * URL to redirect user agent, adding a verification code for added security.
-     *
-     * @param params
-     */
-    getAuthorizationUrl(params) {
-        // code verifier must be a base 64 url encoded hash of 128 bytes of random data. Our random data is also
-        // base 64 url encoded. See Connection.create();
-        const codeChallenge = base64UrlEscape(crypto_1.createHash('sha256').update(this.codeVerifier).digest('base64'));
-        kit_1.set(params, 'code_challenge', codeChallenge);
-        return super.getAuthorizationUrl(params);
-    }
-    async requestToken(code, callback) {
-        return super.requestToken(code, callback);
-    }
-    /**
-     * Overrides jsforce.OAuth2._postParams because jsforce's oauth impl doesn't support
-     * coder_verifier and code_challenge. This enables the server to disallow trading a one-time auth code
-     * for an access/refresh token when the verifier and challenge are out of alignment.
-     *
-     * See https://github.com/jsforce/jsforce/issues/665
-     */
-    async _postParams(params, callback) {
-        kit_1.set(params, 'code_verifier', this.codeVerifier);
-        // eslint-disable-next-line @typescript-eslint/ban-ts-ignore
-        // @ts-ignore TODO: need better typings for jsforce
-        return super._postParams(params, callback);
-    }
-}
-exports.OAuth2WithVerifier = OAuth2WithVerifier;
-/**
- * Salesforce URLs.
- */
-var SfdcUrl;
-(function (SfdcUrl) {
-    SfdcUrl["SANDBOX"] = "https://test.salesforce.com";
-    SfdcUrl["PRODUCTION"] = "https://login.salesforce.com";
-})(SfdcUrl = exports.SfdcUrl || (exports.SfdcUrl = {}));
-function isSandboxUrl(options) {
-    var _a;
-    const createdOrgInstance = ts_types_1.getString(options, 'createdOrgInstance', '').trim().toLowerCase();
-    const loginUrl = (_a = options.loginUrl) !== null && _a !== void 0 ? _a : '';
-    return (/^cs|s$/gi.test(createdOrgInstance) ||
-        /sandbox\.my\.salesforce\.com/gi.test(loginUrl) || // enhanced domains >= 230
-        /(cs[0-9]+(\.my|)\.salesforce\.com)/gi.test(loginUrl) || // my domains on CS instance OR CS instance without my domain
-        /([a-z]{3}[0-9]+s\.sfdc-.+\.salesforce\.com)/gi.test(loginUrl) || // falcon sandbox ex: usa2s.sfdc-whatever.salesforce.com
-        /([a-z]{3}[0-9]+s\.sfdc-.+\.force\.com)/gi.test(loginUrl) || // falcon sandbox ex: usa2s.sfdc-whatever.salesforce.com
-        url_2.parse(loginUrl).hostname === 'test.salesforce.com');
-}
-async function resolvesToSandbox(options) {
-    if (isSandboxUrl(options)) {
-        return true;
-    }
-    let cnames = [];
-    if (options.loginUrl) {
-        const myDomainResolver = await myDomainResolver_1.MyDomainResolver.create({ url: new url_1.URL(options.loginUrl) });
-        cnames = await myDomainResolver.getCnames();
-    }
-    return cnames.some((cname) => isSandboxUrl(Object.assign(Object.assign({}, options), { loginUrl: cname })));
-}
-async function getJwtAudienceUrl(options) {
-    var _a;
-    // environment variable is used as an override
-    if (process.env.SFDX_AUDIENCE_URL) {
-        return process.env.SFDX_AUDIENCE_URL;
-    }
-    if (options.loginUrl && sfdc_1.sfdc.isInternalUrl(options.loginUrl)) {
-        // This is for internal developers when just doing authorize;
-        return options.loginUrl;
-    }
-    if (await resolvesToSandbox(options)) {
-        return SfdcUrl.SANDBOX;
-    }
-    const createdOrgInstance = ts_types_1.getString(options, 'createdOrgInstance', '').trim().toLowerCase();
-    if (/^gs1/gi.test(createdOrgInstance) || /(gs1.my.salesforce.com)/gi.test((_a = options.loginUrl) !== null && _a !== void 0 ? _a : '')) {
-        return 'https://gs1.salesforce.com';
-    }
-    return SfdcUrl.PRODUCTION;
-}
-exports.getJwtAudienceUrl = getJwtAudienceUrl;
+const orgConfigProperties_1 = require("./orgConfigProperties");
+const org_1 = require("./org");
+const messages = new messages_1.Messages('@salesforce/core', 'core', new Map([["authInfoCreationError", "Must pass a username and/or OAuth options when creating an AuthInfo instance."], ["authInfoOverwriteError", "Cannot create an AuthInfo instance that will overwrite existing auth data."], ["authInfoOverwriteError.actions", ["Create the AuthInfo instance using existing auth data by just passing the username. E.g., `AuthInfo.create({ username: 'my@user.org' });`."]], ["authCodeExchangeError", "Error authenticating with auth code due to: %s"], ["authCodeUsernameRetrievalError", "Could not retrieve the username after successful auth code exchange.\n\nDue to: %s"], ["jwtAuthError", "Error authenticating with JWT config due to: %s"], ["jwtAuthErrors", "Error authenticating with JWT.\nErrors encountered:\n%s"], ["refreshTokenAuthError", "Error authenticating with the refresh token due to: %s"], ["orgDataNotAvailableError", "An attempt to refresh the authentication token failed with a 'Data Not Found Error'. The org identified by username %s does not appear to exist. Likely cause is that the org was deleted by another user or has expired."], ["orgDataNotAvailableError.actions", ["Run `sfdx force:org:list --clean` to remove stale org authentications.", "Use `sfdx force:config:set` to update the defaultusername.", "Use `sfdx force:org:create` to create a new org.", "Use `sfdx auth` to authenticate an existing org."]], ["namedOrgNotFound", "No authorization information found for %s."], ["noAliasesFound", "Nothing to set."], ["invalidFormat", "Setting aliases must be in the format <key>=<value> but found: [%s]."], ["invalidJsonCasing", "All JSON input must have heads down camelcase keys. E.g., `{ sfdcLoginUrl: \"https://login.salesforce.com\" }`\nFound \"%s\" at %s"], ["missingClientId", "Client ID is required for JWT authentication."]]));
 // parses the id field returned from jsForce oauth2 methods to get
 // user ID and org ID.
 function parseIdUrl(idUrl) {
@@ -173,23 +43,8 @@ function parseIdUrl(idUrl) {
 }
 exports.DEFAULT_CONNECTED_APP_INFO = {
     clientId: 'PlatformCLI',
-    // Legacy. The connected app info is owned by the thing that
-    // creates new AuthInfos. Currently that is the auth:* commands which
-    // aren't owned by this core library. These values need to be here
-    // for any old auth files where the id and secret aren't stored.
-    //
-    // Ideally, this would be removed at some point in the distant future
-    // when all auth files now have the clientId stored in it.
-    legacyClientId: 'SalesforceDevelopmentExperience',
-    legacyClientSecret: '1384510088588713504',
+    clientSecret: '',
 };
-// Makes a nodejs base64 encoded string compatible with rfc4648 alternative encoding for urls.
-// @param base64Encoded a nodejs base64 encoded string
-function base64UrlEscape(base64Encoded) {
-    // builtin node js base 64 encoding is not 64 url compatible.
-    // See https://toolsn.ietf.org/html/rfc4648#section-5
-    return base64Encoded.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-}
 /**
  * Handles persistence and fetching of user authentication information using
  * JWT, OAuth, or refresh tokens. Sets up the refresh flows that jsForce will
@@ -235,7 +90,7 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         super(options);
         // Possibly overridden in create
         this.usingAccessToken = false;
-        this.options = options || {};
+        this.options = options ?? {};
     }
     /**
      * Returns the default instance url
@@ -243,63 +98,83 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      * @returns {string}
      */
     static getDefaultInstanceUrl() {
-        const configuredInstanceUrl = configAggregator_1.ConfigAggregator.getValue('instanceUrl').value;
-        return configuredInstanceUrl || 'https://login.salesforce.com';
+        const configuredInstanceUrl = configAggregator_1.ConfigAggregator.getValue(orgConfigProperties_1.OrgConfigProperties.ORG_INSTANCE_URL)?.value;
+        return configuredInstanceUrl ?? sfdcUrl_1.SfdcUrl.PRODUCTION;
     }
     /**
      * Get a list of all authorizations based on auth files stored in the global directory.
+     * One can supply a filter (see @param orgAuthFilter) and calling this function without
+     * a filter will return all authorizations.
      *
-     * @returns {Promise<SfOrg[]>}
+     * @param orgAuthFilter A predicate function that returns true for those org authorizations that are to be retained.
+     *
+     * @returns {Promise<OrgAuthorization[]>}
      */
-    static async listAllAuthorizations() {
-        const globalInfo = await globalInfoConfig_1.GlobalInfo.getInstance();
-        const auths = Object.values(globalInfo.getOrgs());
-        const aliases = await aliases_1.Aliases.create(aliases_1.Aliases.getDefaultOptions());
+    static async listAllAuthorizations(orgAuthFilter = (orgAuth) => !!orgAuth) {
+        const stateAggregator = await stateAggregator_1.StateAggregator.getInstance();
+        const config = (await configAggregator_1.ConfigAggregator.create()).getConfigInfo();
+        const orgs = await stateAggregator.orgs.readAll();
         const final = [];
-        for (const auth of auths) {
-            const username = ts_types_1.ensureString(auth.username);
-            const [alias] = aliases.getKeysByValue(username);
+        for (const org of orgs) {
+            const username = (0, ts_types_1.ensureString)(org.username);
+            const aliases = stateAggregator.aliases.getAll(username) ?? undefined;
+            // Get a list of configuration values that are set to either the username or one
+            // of the aliases
+            const configs = config
+                .filter((c) => aliases.includes(c.value) || c.value === username)
+                .map((c) => c.key);
             try {
+                // prevent ConfigFile collision bug
+                // eslint-disable-next-line no-await-in-loop
                 const authInfo = await AuthInfo.create({ username });
-                const { orgId, instanceUrl } = authInfo.getFields();
+                const { orgId, instanceUrl, devHubUsername, expirationDate, isDevHub } = authInfo.getFields();
                 final.push({
-                    alias,
+                    aliases,
+                    configs,
                     username,
-                    orgId,
                     instanceUrl,
+                    isScratchOrg: Boolean(devHubUsername),
+                    isDevHub: isDevHub ?? false,
+                    // eslint-disable-next-line no-await-in-loop
+                    isSandbox: await stateAggregator.sandboxes.hasFile(orgId),
+                    orgId: orgId,
                     accessToken: authInfo.getConnectionOptions().accessToken,
                     oauthMethod: authInfo.isJwt() ? 'jwt' : authInfo.isOauth() ? 'web' : 'token',
-                    timestamp: auth.timestamp,
+                    isExpired: Boolean(devHubUsername) && expirationDate
+                        ? new Date((0, ts_types_1.ensureString)(expirationDate)).getTime() < new Date().getTime()
+                        : 'unknown',
                 });
             }
             catch (err) {
                 final.push({
-                    alias,
+                    aliases,
+                    configs,
                     username,
-                    orgId: auth.orgId,
-                    instanceUrl: auth.instanceUrl,
+                    orgId: org.orgId,
+                    instanceUrl: org.instanceUrl,
                     accessToken: undefined,
                     oauthMethod: 'unknown',
                     error: err.message,
-                    timestamp: auth.timestamp,
+                    isExpired: 'unknown',
                 });
             }
         }
-        return final;
+        return final.filter(orgAuthFilter);
     }
     /**
      * Returns true if one or more authentications are persisted.
      */
     static async hasAuthentications() {
         try {
-            const auths = (await globalInfoConfig_1.GlobalInfo.getInstance()).getOrgs();
-            return !kit_1.isEmpty(auths);
+            const auths = await (await stateAggregator_1.StateAggregator.getInstance()).orgs.list();
+            return !(0, kit_1.isEmpty)(auths);
         }
         catch (err) {
-            if (err.name === 'OrgDataNotAvailableError' || err.code === 'ENOENT') {
+            const error = err;
+            if (error.name === 'OrgDataNotAvailableError' || error.code === 'ENOENT') {
                 return false;
             }
-            throw err;
+            throw error;
         }
     }
     /**
@@ -308,14 +183,16 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      * @param options The options to generate the URL.
      */
     static getAuthorizationUrl(options, oauth2) {
-        const oauth2Verifier = oauth2 || new OAuth2WithVerifier(options);
+        // Always use a verifier for enhanced security
+        options.useVerifier = true;
+        const oauth2Verifier = oauth2 ?? new jsforce_1.OAuth2(options);
         // The state parameter allows the redirectUri callback listener to ignore request
         // that don't contain the state value.
         const params = {
-            state: crypto_1.randomBytes(Math.ceil(6)).toString('hex'),
+            state: (0, crypto_1.randomBytes)(Math.ceil(6)).toString('hex'),
             prompt: 'login',
             // Default connected app is 'refresh_token api web'
-            scope: options.scope || kit_1.env.getString('SFDX_AUTH_SCOPES', 'refresh_token api web'),
+            scope: options.scope ?? kit_1.env.getString('SFDX_AUTH_SCOPES', 'refresh_token api web'),
         };
         return oauth2Verifier.getAuthorizationUrl(params);
     }
@@ -331,7 +208,7 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
     static parseSfdxAuthUrl(sfdxAuthUrl) {
         const match = sfdxAuthUrl.match(/^force:\/\/([a-zA-Z0-9._-]+):([a-zA-Z0-9._-]*):([a-zA-Z0-9._-]+={0,2})@([a-zA-Z0-9._-]+)/);
         if (!match) {
-            throw new sfdxError_1.SfdxError('Invalid sfdx auth url. Must be in the format `force://<clientId>:<clientSecret>:<refreshToken>@<loginUrl>`. The instanceUrl must not have the protocol set.', 'INVALID_SFDX_AUTH_URL');
+            throw new sfError_1.SfError('Invalid SFDX auth URL. Must be in the format "force://<clientId>:<clientSecret>:<refreshToken>@<instanceUrl>".  Note that the SFDX auth URL uses the "force" protocol, and not "http" or "https".  Also note that the "instanceUrl" inside the SFDX auth URL doesn\'t include the protocol ("https://").', 'INVALID_SFDX_AUTH_URL');
         }
         const [, clientId, clientSecret, refreshToken, loginUrl] = match;
         return {
@@ -341,6 +218,64 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
             loginUrl: `https://${loginUrl}`,
         };
     }
+    /**
+     * Given a set of decrypted fields and an authInfo, determine if the org belongs to an available
+     * dev hub.
+     *
+     * @param fields
+     * @param orgAuthInfo
+     */
+    static async identifyPossibleScratchOrgs(fields, orgAuthInfo) {
+        // fields property is passed in because the consumers of this method have performed the decrypt.
+        // This is so we don't have to call authInfo.getFields(true) and decrypt again OR accidentally save an
+        // authInfo before it is necessary.
+        const logger = await logger_1.Logger.child('Common', { tag: 'identifyPossibleScratchOrgs' });
+        // return if we already know the hub org we know it is a devhub or prod-like or no orgId present
+        if (fields.isDevHub || fields.devHubUsername || !fields.orgId)
+            return;
+        logger.debug('getting devHubs');
+        // TODO: return if url is not sandbox-like to avoid constantly asking about production orgs
+        // TODO: someday we make this easier by asking the org if it is a scratch org
+        const hubAuthInfos = await AuthInfo.getDevHubAuthInfos();
+        logger.debug(`found ${hubAuthInfos.length} DevHubs`);
+        if (hubAuthInfos.length === 0)
+            return;
+        // ask all those orgs if they know this orgId
+        await Promise.all(hubAuthInfos.map(async (hubAuthInfo) => {
+            try {
+                const soi = await AuthInfo.queryScratchOrg(hubAuthInfo.username, fields.orgId);
+                // if any return a result
+                logger.debug(`found orgId ${fields.orgId} in devhub ${hubAuthInfo.username}`);
+                try {
+                    await orgAuthInfo.save({
+                        ...fields,
+                        devHubUsername: hubAuthInfo.username,
+                        expirationDate: soi.ExpirationDate,
+                        isScratch: true,
+                    });
+                    logger.debug(`set ${hubAuthInfo.username} as devhub and expirationDate ${soi.ExpirationDate} for scratch org ${orgAuthInfo.getUsername()}`);
+                }
+                catch (error) {
+                    logger.debug(`error updating auth file for ${orgAuthInfo.getUsername()}`, error);
+                }
+            }
+            catch (error) {
+                logger.error(`Error connecting to devhub ${hubAuthInfo.username}`, error);
+            }
+        }));
+    }
+    /**
+     * Find all dev hubs available in the local environment.
+     */
+    static async getDevHubAuthInfos() {
+        return AuthInfo.listAllAuthorizations((possibleHub) => possibleHub?.isDevHub ?? false);
+    }
+    static async queryScratchOrg(devHubUsername, scratchOrgId) {
+        const devHubOrg = await org_1.Org.create({ aliasOrUsername: devHubUsername });
+        const conn = devHubOrg.getConnection();
+        const data = await conn.singleRecordQuery(`select Id, ExpirationDate from ScratchOrgInfo where ScratchOrg = '${(0, sfdc_1.trimTo15)(scratchOrgId)}'`);
+        return data;
+    }
     /**
      * Get the username.
      */
@@ -381,12 +316,12 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      */
     async save(authData) {
         this.update(authData);
-        const username = ts_types_1.ensure(this.getUsername());
-        if (sfdc_1.sfdc.matchesAccessToken(username)) {
+        const username = (0, ts_types_1.ensure)(this.getUsername());
+        if ((0, sfdc_1.matchesAccessToken)(username)) {
             this.logger.debug('Username is an accesstoken. Skip saving authinfo to disk.');
             return this;
         }
-        await this.globalInfo.write();
+        await this.stateAggregator.orgs.write(username);
         this.logger.info(`Saved auth info for username: ${username}`);
         return this;
     }
@@ -397,13 +332,10 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      * @param authData Authorization fields to update.
      */
     update(authData) {
-        // todo move into configstore
-        if (authData && ts_types_1.isPlainObject(authData)) {
-            this.username = authData.username || this.username;
-            const existingFields = this.globalInfo.getOrg(this.getUsername());
-            const mergedFields = Object.assign({}, existingFields || {}, authData);
-            this.globalInfo.setOrg(this.getUsername(), mergedFields);
-            this.logger.info(`Updated auth info for username: ${this.getUsername()}`);
+        if (authData && (0, ts_types_1.isPlainObject)(authData)) {
+            this.username = authData.username ?? this.username;
+            this.stateAggregator.orgs.update(this.username, authData);
+            this.logger.info(`Updated auth info for username: ${this.username}`);
         }
         return this;
     }
@@ -436,9 +368,9 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
             // Decrypt a user provided client secret or use the default.
             opts = {
                 oauth2: {
-                    loginUrl: instanceUrl || 'https://login.salesforce.com',
-                    clientId: decryptedCopy.clientId || exports.DEFAULT_CONNECTED_APP_INFO.legacyClientId,
-                    redirectUri: 'http://localhost:1717/OauthRedirect',
+                    loginUrl: instanceUrl ?? sfdcUrl_1.SfdcUrl.PRODUCTION,
+                    clientId: this.getClientId(),
+                    redirectUri: this.getRedirectUri(),
                 },
                 accessToken,
                 instanceUrl,
@@ -448,21 +380,27 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         // decrypt the fields
         return opts;
     }
+    getClientId() {
+        return this.getFields()?.clientId ?? exports.DEFAULT_CONNECTED_APP_INFO.clientId;
+    }
+    getRedirectUri() {
+        return 'http://localhost:1717/OauthRedirect';
+    }
     /**
      * Get the authorization fields.
      *
      * @param decrypt Decrypt the fields.
      */
     getFields(decrypt) {
-        return this.globalInfo.getOrg(this.username, decrypt);
+        return this.stateAggregator.orgs.get(this.username, decrypt) ?? {};
     }
     /**
      * Get the org front door (used for web based oauth flows)
      */
     getOrgFrontDoorUrl() {
         const authFields = this.getFields(true);
-        const base = ts_types_1.ensureString(authFields.instanceUrl).replace(/\/+$/, '');
-        const accessToken = ts_types_1.ensureString(authFields.accessToken);
+        const base = (0, ts_types_1.ensureString)(authFields.instanceUrl).replace(/\/+$/, '');
+        const accessToken = (0, ts_types_1.ensureString)(authFields.accessToken);
         return `${base}/secur/frontdoor.jsp?sid=${accessToken}`;
     }
     /**
@@ -478,38 +416,64 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      */
     getSfdxAuthUrl() {
         const decryptedFields = this.getFields(true);
-        const instanceUrl = ts_types_1.ensure(decryptedFields.instanceUrl, 'undefined instanceUrl').replace(/^https?:\/\//, '');
+        const instanceUrl = (0, ts_types_1.ensure)(decryptedFields.instanceUrl, 'undefined instanceUrl').replace(/^https?:\/\//, '');
         let sfdxAuthUrl = 'force://';
         if (decryptedFields.clientId) {
-            sfdxAuthUrl += `${decryptedFields.clientId}:${decryptedFields.clientSecret || ''}:`;
+            sfdxAuthUrl += `${decryptedFields.clientId}:${decryptedFields.clientSecret ?? ''}:`;
         }
-        sfdxAuthUrl += `${ts_types_1.ensure(decryptedFields.refreshToken, 'undefined refreshToken')}@${instanceUrl}`;
+        sfdxAuthUrl += `${(0, ts_types_1.ensure)(decryptedFields.refreshToken, 'undefined refreshToken')}@${instanceUrl}`;
         return sfdxAuthUrl;
     }
     /**
-     * Set the defaultusername or the defaultdevhubusername to the alias if
+     * Convenience function to handle typical side effects encountered when dealing with an AuthInfo.
+     * Given the values supplied in parameter sideEffects, this function will set auth alias, default auth
+     * and default dev hub.
+     *
+     * @param sideEffects - instance of AuthSideEffects
+     */
+    async handleAliasAndDefaultSettings(sideEffects) {
+        if (sideEffects.alias ||
+            sideEffects.setDefault ||
+            sideEffects.setDefaultDevHub ||
+            typeof sideEffects.setTracksSource === 'boolean') {
+            if (sideEffects.alias)
+                await this.setAlias(sideEffects.alias);
+            if (sideEffects.setDefault)
+                await this.setAsDefault({ org: true });
+            if (sideEffects.setDefaultDevHub)
+                await this.setAsDefault({ devHub: true });
+            if (typeof sideEffects.setTracksSource === 'boolean') {
+                await this.save({ tracksSource: sideEffects.setTracksSource });
+            }
+            else {
+                await this.save();
+            }
+        }
+    }
+    /**
+     * Set the target-env (default) or the target-dev-hub to the alias if
      * it exists otherwise to the username. Method will try to set the local
      * config first but will default to global config if that fails.
      *
      * @param options
      */
-    async setAsDefault(options) {
+    async setAsDefault(options = { org: true }) {
         let config;
         // if we fail to create the local config, default to the global config
         try {
             config = await config_1.Config.create({ isGlobal: false });
         }
-        catch (_a) {
+        catch {
             config = await config_1.Config.create({ isGlobal: true });
         }
-        const username = ts_types_1.ensureString(this.getUsername());
-        const aliases = await aliases_1.Aliases.create(aliases_1.Aliases.getDefaultOptions());
-        const value = aliases.getKeysByValue(username)[0] || username;
-        if (options.defaultUsername) {
-            config.set(config_1.Config.DEFAULT_USERNAME, value);
+        const username = (0, ts_types_1.ensureString)(this.getUsername());
+        const alias = this.stateAggregator.aliases.get(username);
+        const value = alias ?? username;
+        if (options.org) {
+            config.set(orgConfigProperties_1.OrgConfigProperties.TARGET_ORG, value);
         }
-        if (options.defaultDevhubUsername) {
-            config.set(config_1.Config.DEFAULT_DEV_HUB_USERNAME, value);
+        if (options.devHub) {
+            config.set(orgConfigProperties_1.OrgConfigProperties.TARGET_DEV_HUB, value);
         }
         await config.write();
     }
@@ -519,17 +483,16 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      * @param alias alias to set
      */
     async setAlias(alias) {
-        const username = this.getUsername();
-        await aliases_1.Aliases.parseAndUpdate([`${alias}=${username}`]);
+        this.stateAggregator.aliases.set(alias, this.getUsername());
+        await this.stateAggregator.aliases.write();
     }
     /**
      * Initializes an instance of the AuthInfo class.
      */
     async init() {
-        // We have to set the global instance here because we need synchronous access to it later
-        this.globalInfo = await globalInfoConfig_1.GlobalInfo.getInstance();
+        this.stateAggregator = await stateAggregator_1.StateAggregator.getInstance();
         const username = this.options.username;
-        const authOptions = this.options.oauth2Options || this.options.accessTokenOptions;
+        const authOptions = this.options.oauth2Options ?? this.options.accessTokenOptions;
         // Must specify either username and/or options
         if (!username && !authOptions) {
             throw messages.createError('authInfoCreationError');
@@ -537,21 +500,21 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         // If a username AND oauth options, ensure an authorization for the username doesn't
         // already exist. Throw if it does so we don't overwrite the authorization.
         if (username && authOptions) {
-            const authExists = this.globalInfo.hasOrg(username);
-            if (authExists) {
+            if (await this.stateAggregator.orgs.hasFile(username)) {
                 throw messages.createError('authInfoOverwriteError');
             }
         }
-        const oauthUsername = username || ts_types_1.getString(authOptions, 'username');
+        const oauthUsername = username ?? authOptions?.username;
         if (oauthUsername) {
             this.username = oauthUsername;
+            await this.stateAggregator.orgs.read(oauthUsername, false, false);
         } // Else it will be set in initAuthOptions below.
         // If the username is an access token, use that for auth and don't persist
-        if (ts_types_1.isString(oauthUsername) && sfdc_1.sfdc.matchesAccessToken(oauthUsername)) {
+        if ((0, ts_types_1.isString)(oauthUsername) && (0, sfdc_1.matchesAccessToken)(oauthUsername)) {
             // Need to initAuthOptions the logger and authInfoCrypto since we don't call init()
             this.logger = await logger_1.Logger.child('AuthInfo');
             const aggregator = await configAggregator_1.ConfigAggregator.create();
-            const instanceUrl = this.getInstanceUrl(authOptions, aggregator);
+            const instanceUrl = this.getInstanceUrl(aggregator, authOptions);
             this.update({
                 accessToken: oauthUsername,
                 instanceUrl,
@@ -561,16 +524,16 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
             this.usingAccessToken = true;
         }
         // If a username with NO oauth options, ensure authorization already exist.
-        else if (username && !authOptions && !this.globalInfo.hasOrg(username)) {
+        else if (username && !authOptions && !(await this.stateAggregator.orgs.exists(username))) {
             throw messages.createError('namedOrgNotFound', [username]);
         }
         else {
             await this.initAuthOptions(authOptions);
         }
     }
-    getInstanceUrl(options, aggregator) {
-        const instanceUrl = ts_types_1.getString(options, 'instanceUrl') || aggregator.getPropertyValue('instanceUrl');
-        return instanceUrl || SfdcUrl.PRODUCTION;
+    getInstanceUrl(aggregator, options) {
+        const instanceUrl = options?.instanceUrl ?? aggregator.getPropertyValue(orgConfigProperties_1.OrgConfigProperties.ORG_INSTANCE_URL);
+        return instanceUrl ?? sfdcUrl_1.SfdcUrl.PRODUCTION;
     }
     /**
      * Initialize this AuthInfo instance with the specified options. If options are not provided, initialize it from cache
@@ -578,7 +541,7 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      *
      * @param options Options to be used for creating an OAuth2 instance.
      *
-     * **Throws** *{@link SfdxError}{ name: 'NamedOrgNotFoundError' }* Org information does not exist.
+     * **Throws** *{@link SfError}{ name: 'NamedOrgNotFoundError' }* Org information does not exist.
      * @returns {Promise<AuthInfo>}
      */
     async initAuthOptions(options) {
@@ -586,11 +549,11 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         // If options were passed, use those before checking cache and reading an auth file.
         let authConfig;
         if (options) {
-            options = kit_1.cloneJson(options);
+            options = (0, kit_1.cloneJson)(options);
             if (this.isTokenOptions(options)) {
                 authConfig = options;
-                const userInfo = await this.retrieveUserInfo(ts_types_1.ensureString(options.instanceUrl), ts_types_1.ensureString(options.accessToken));
-                this.update({ username: userInfo === null || userInfo === void 0 ? void 0 : userInfo.username, orgId: userInfo === null || userInfo === void 0 ? void 0 : userInfo.organizationId });
+                const userInfo = await this.retrieveUserInfo((0, ts_types_1.ensureString)(options.instanceUrl), (0, ts_types_1.ensureString)(options.accessToken));
+                this.update({ username: userInfo?.username, orgId: userInfo?.organizationId });
             }
             else {
                 if (this.options.parentUsername) {
@@ -603,48 +566,50 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
                         // Grab whatever flow is defined
                         Object.assign(options, {
                             clientSecret: parentFields.clientSecret,
-                            privateKey: parentFields.privateKey ? path_1.resolve(parentFields.privateKey) : parentFields.privateKey,
+                            privateKey: parentFields.privateKey ? (0, path_1.resolve)(parentFields.privateKey) : parentFields.privateKey,
                         });
                     }
                 }
                 // jwt flow
                 // Support both sfdx and jsforce private key values
                 if (!options.privateKey && options.privateKeyFile) {
-                    options.privateKey = path_1.resolve(options.privateKeyFile);
+                    options.privateKey = (0, path_1.resolve)(options.privateKeyFile);
                 }
                 if (options.privateKey) {
-                    authConfig = await this.buildJwtConfig(options);
+                    authConfig = await this.authJwt(options);
                 }
                 else if (!options.authCode && options.refreshToken) {
                     // refresh token flow (from sfdxUrl or OAuth refreshFn)
                     authConfig = await this.buildRefreshTokenConfig(options);
                 }
+                else if (this.options.oauth2 instanceof jsforce_1.OAuth2) {
+                    // authcode exchange / web auth flow
+                    authConfig = await this.exchangeToken(options, this.options.oauth2);
+                }
                 else {
-                    if (this.options.oauth2 instanceof OAuth2WithVerifier) {
-                        // authcode exchange / web auth flow
-                        authConfig = await this.exchangeToken(options, this.options.oauth2);
-                    }
-                    else {
-                        authConfig = await this.exchangeToken(options);
-                    }
+                    authConfig = await this.exchangeToken(options);
                 }
             }
+            authConfig.isDevHub = await this.determineIfDevHub((0, ts_types_1.ensureString)(authConfig.instanceUrl), (0, ts_types_1.ensureString)(authConfig.accessToken));
+            if (authConfig.username)
+                await this.stateAggregator.orgs.read(authConfig.username, false, false);
             // Update the auth fields WITH encryption
             this.update(authConfig);
         }
         return this;
     }
+    // eslint-disable-next-line @typescript-eslint/require-await
     async loadDecryptedAuthFromConfig(username) {
         // Fetch from the persisted auth file
-        const authInfo = this.globalInfo.getOrg(username, true);
+        const authInfo = this.stateAggregator.orgs.get(username, true);
         if (!authInfo) {
             throw messages.createError('namedOrgNotFound', [username]);
         }
         return authInfo;
     }
     isTokenOptions(options) {
-        // Although OAuth2Options does not contain refreshToken, privateKey, or privateKeyFile, a JS consumer could still pass those in
-        // which WILL have an access token as well, but it should be considered an OAuth2Options at that point.
+        // Although OAuth2Config does not contain refreshToken, privateKey, or privateKeyFile, a JS consumer could still pass those in
+        // which WILL have an access token as well, but it should be considered an OAuth2Config at that point.
         return ('accessToken' in options &&
             !('refreshToken' in options) &&
             !('privateKey' in options) &&
@@ -662,89 +627,119 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
             return await callback(null, fields.accessToken);
         }
         catch (err) {
-            if (err.message && err.message.includes('Data Not Available')) {
+            const error = err;
+            if (error?.message?.includes('Data Not Available')) {
                 // Set cause to keep original stacktrace
-                return await callback(messages.createError('orgDataNotAvailableError', [this.getUsername()], [], err));
+                return await callback(messages.createError('orgDataNotAvailableError', [this.getUsername()], [], error));
             }
-            return await callback(err);
+            return await callback(error);
         }
     }
+    async readJwtKey(keyFile) {
+        return fs.promises.readFile(keyFile, 'utf8');
+    }
     // Build OAuth config for a JWT auth flow
-    async buildJwtConfig(options) {
-        const privateKeyContents = await fs_1.fs.readFile(ts_types_1.ensure(options.privateKey), 'utf8');
-        const audienceUrl = await getJwtAudienceUrl(options);
-        const jwtToken = jwt.sign({
-            iss: options.clientId,
-            sub: this.getUsername(),
-            aud: audienceUrl,
-            exp: Date.now() + 300,
-        }, privateKeyContents, {
-            algorithm: 'RS256',
-        });
-        const oauth2 = new JwtOAuth2({ loginUrl: options.loginUrl });
+    async authJwt(options) {
+        if (!options.clientId) {
+            throw messages.createError('missingClientId');
+        }
+        const privateKeyContents = await this.readJwtKey((0, ts_types_1.ensureString)(options.privateKey));
+        const { loginUrl = sfdcUrl_1.SfdcUrl.PRODUCTION } = options;
+        const url = new sfdcUrl_1.SfdcUrl(loginUrl);
+        const createdOrgInstance = (this.getFields().createdOrgInstance ?? '').trim().toLowerCase();
+        const audienceUrl = await url.getJwtAudienceUrl(createdOrgInstance);
         let authFieldsBuilder;
-        try {
-            authFieldsBuilder = ts_types_1.ensureJsonMap(await oauth2.jwtAuthorize(jwtToken));
+        const authErrors = [];
+        // given that we can no longer depend on instance names or URls to determine audience, let's try them all
+        const loginAndAudienceUrls = (0, sfdcUrl_1.getLoginAudienceCombos)(audienceUrl, loginUrl);
+        for (const [login, audience] of loginAndAudienceUrls) {
+            try {
+                // sequentially, in probabilistic order
+                // eslint-disable-next-line no-await-in-loop
+                authFieldsBuilder = await this.tryJwtAuth(options.clientId, login, audience, privateKeyContents);
+                break;
+            }
+            catch (err) {
+                const error = err;
+                const message = error.message.includes('audience')
+                    ? `${error.message}  [audience=${audience} login=${login}]`
+                    : error.message;
+                authErrors.push(message);
+            }
         }
-        catch (err) {
-            throw messages.createError('jwtAuthError', [err.message]);
+        if (!authFieldsBuilder) {
+            // messages.createError expects names to end in `error` and this one says Errors so do it manually.
+            throw new sfError_1.SfError(messages.getMessage('jwtAuthErrors', [authErrors.join('\n')]), 'JwtAuthError');
         }
         const authFields = {
-            accessToken: ts_types_1.asString(authFieldsBuilder.access_token),
-            orgId: parseIdUrl(ts_types_1.ensureString(authFieldsBuilder.id)).orgId,
+            accessToken: (0, ts_types_1.asString)(authFieldsBuilder.access_token),
+            orgId: parseIdUrl((0, ts_types_1.ensureString)(authFieldsBuilder.id)).orgId,
             loginUrl: options.loginUrl,
             privateKey: options.privateKey,
             clientId: options.clientId,
         };
-        const instanceUrl = ts_types_1.ensureString(authFieldsBuilder.instance_url);
-        const parsedUrl = url_2.parse(instanceUrl);
+        const instanceUrl = (0, ts_types_1.ensureString)(authFieldsBuilder.instance_url);
+        const sfdcUrl = new sfdcUrl_1.SfdcUrl(instanceUrl);
         try {
             // Check if the url is resolvable. This can fail when my-domains have not been replicated.
-            await this.lookup(ts_types_1.ensure(parsedUrl.hostname));
+            await sfdcUrl.lookup();
             authFields.instanceUrl = instanceUrl;
         }
         catch (err) {
-            this.logger.debug(`Instance URL [${authFieldsBuilder.instance_url}] is not available.  DNS lookup failed. Using loginUrl [${options.loginUrl}] instead. This may result in a "Destination URL not reset" error.`);
+            this.logger.debug(
+            // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+            `Instance URL [${authFieldsBuilder.instance_url}] is not available.  DNS lookup failed. Using loginUrl [${options.loginUrl}] instead. This may result in a "Destination URL not reset" error.`);
             authFields.instanceUrl = options.loginUrl;
         }
         return authFields;
     }
+    async tryJwtAuth(clientId, loginUrl, audienceUrl, privateKeyContents) {
+        const jwtToken = jwt.sign({
+            iss: clientId,
+            sub: this.getUsername(),
+            aud: audienceUrl,
+            exp: Date.now() + 300,
+        }, privateKeyContents, {
+            algorithm: 'RS256',
+        });
+        const oauth2 = new jsforce_1.JwtOAuth2({ loginUrl });
+        // jsforce has it types as any
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+        return (0, ts_types_1.ensureJsonMap)(await oauth2.jwtAuthorize(jwtToken));
+    }
     // Build OAuth config for a refresh token auth flow
     async buildRefreshTokenConfig(options) {
         // Ideally, this would be removed at some point in the distant future when all auth files
         // now have the clientId stored in it.
         if (!options.clientId) {
-            options.clientId = exports.DEFAULT_CONNECTED_APP_INFO.legacyClientId;
-            options.clientSecret = exports.DEFAULT_CONNECTED_APP_INFO.legacyClientSecret;
+            options.clientId = exports.DEFAULT_CONNECTED_APP_INFO.clientId;
+            options.clientSecret = exports.DEFAULT_CONNECTED_APP_INFO.clientSecret;
+        }
+        if (!options.redirectUri) {
+            options.redirectUri = this.getRedirectUri();
         }
         const oauth2 = new jsforce_1.OAuth2(options);
         let authFieldsBuilder;
         try {
-            authFieldsBuilder = await oauth2.refreshToken(ts_types_1.ensure(options.refreshToken));
+            authFieldsBuilder = await oauth2.refreshToken((0, ts_types_1.ensure)(options.refreshToken));
         }
         catch (err) {
             throw messages.createError('refreshTokenAuthError', [err.message]);
         }
-        // eslint-disable-next-line @typescript-eslint/ban-ts-ignore
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
         // @ts-ignore
         const { orgId } = parseIdUrl(authFieldsBuilder.id);
         let username = this.getUsername();
         if (!username) {
-            // eslint-disable-next-line @typescript-eslint/ban-ts-ignore
-            // @ts-ignore
             const userInfo = await this.retrieveUserInfo(authFieldsBuilder.instance_url, authFieldsBuilder.access_token);
-            username = ts_types_1.ensureString(userInfo === null || userInfo === void 0 ? void 0 : userInfo.username);
+            username = (0, ts_types_1.ensureString)(userInfo?.username);
         }
         return {
             orgId,
             username,
             accessToken: authFieldsBuilder.access_token,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-ignore
-            // @ts-ignore TODO: need better typings for jsforce
             instanceUrl: authFieldsBuilder.instance_url,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-ignore
-            // @ts-ignore TODO: need better typings for jsforce
-            loginUrl: options.loginUrl || authFieldsBuilder.instance_url,
+            loginUrl: options.loginUrl ?? authFieldsBuilder.instance_url,
             refreshToken: options.refreshToken,
             clientId: options.clientId,
             clientSecret: options.clientSecret,
@@ -757,37 +752,37 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      * @param oauth2 The oauth2 extension that includes a code_challenge
      */
     async exchangeToken(options, oauth2 = new jsforce_1.OAuth2(options)) {
+        if (!oauth2.redirectUri) {
+            oauth2.redirectUri = this.getRedirectUri();
+        }
+        if (!oauth2.clientId) {
+            oauth2.clientId = this.getClientId();
+        }
         // Exchange the auth code for an access token and refresh token.
         let authFields;
         try {
             this.logger.info(`Exchanging auth code for access token using loginUrl: ${options.loginUrl}`);
-            authFields = await oauth2.requestToken(ts_types_1.ensure(options.authCode));
+            authFields = await oauth2.requestToken((0, ts_types_1.ensure)(options.authCode));
         }
         catch (err) {
             throw messages.createError('authCodeExchangeError', [err.message]);
         }
-        // eslint-disable-next-line @typescript-eslint/ban-ts-ignore
-        // @ts-ignore TODO: need better typings for jsforce
         const { orgId } = parseIdUrl(authFields.id);
         let username = this.getUsername();
         // Only need to query for the username if it isn't known. For example, a new auth code exchange
         // rather than refreshing a token on an existing connection.
         if (!username) {
-            // eslint-disable-next-line @typescript-eslint/ban-ts-ignore
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
             // @ts-ignore
             const userInfo = await this.retrieveUserInfo(authFields.instance_url, authFields.access_token);
-            username = userInfo === null || userInfo === void 0 ? void 0 : userInfo.username;
+            username = userInfo?.username;
         }
         return {
             accessToken: authFields.access_token,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-ignore
-            // @ts-ignore TODO: need better typings for jsforce
             instanceUrl: authFields.instance_url,
             orgId,
             username,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-ignore
-            // @ts-ignore TODO: need better typings for jsforce
-            loginUrl: options.loginUrl || authFields.instance_url,
+            loginUrl: options.loginUrl ?? authFields.instance_url,
             refreshToken: authFields.refresh_token,
             clientId: options.clientId,
             clientSecret: options.clientSecret,
@@ -798,26 +793,27 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         // but we don't want to create circular dependencies or lots of snowflakes
         // within this file to support it.
         const apiVersion = 'v51.0'; // hardcoding to v51.0 just for this call is okay.
-        const instance = ts_types_1.ensure(instanceUrl);
-        const baseUrl = new url_1.URL(instance);
-        const userInfoUrl = `${baseUrl}services/oauth2/userinfo`;
+        const instance = (0, ts_types_1.ensure)(instanceUrl);
+        const baseUrl = new sfdcUrl_1.SfdcUrl(instance);
+        const userInfoUrl = `${baseUrl.toString()}services/oauth2/userinfo`;
         const headers = Object.assign({ Authorization: `Bearer ${accessToken}` }, connection_1.SFDX_HTTP_HEADERS);
         try {
             this.logger.info(`Sending request for Username after successful auth code exchange to URL: ${userInfoUrl}`);
-            let response = await new Transport().httpRequest({ url: userInfoUrl, headers });
+            let response = await new transport_1.default().httpRequest({ url: userInfoUrl, method: 'GET', headers });
             if (response.statusCode >= 400) {
                 this.throwUserGetException(response);
             }
             else {
-                const userInfoJson = kit_1.parseJsonMap(response.body);
-                const url = `${baseUrl}/services/data/${apiVersion}/sobjects/User/${userInfoJson.user_id}`;
+                const userInfoJson = (0, kit_1.parseJsonMap)(response.body);
+                const url = `${baseUrl.toString()}services/data/${apiVersion}/sobjects/User/${userInfoJson.user_id}`;
                 this.logger.info(`Sending request for User SObject after successful auth code exchange to URL: ${url}`);
-                response = await new Transport().httpRequest({ url, headers });
+                response = await new transport_1.default().httpRequest({ url, method: 'GET', headers });
                 if (response.statusCode >= 400) {
                     this.throwUserGetException(response);
                 }
                 else {
-                    userInfoJson.preferred_username = kit_1.parseJsonMap(response.body).Username;
+                    // eslint-disable-next-line camelcase
+                    userInfoJson.preferred_username = (0, kit_1.parseJsonMap)(response.body).Username;
                 }
                 return { username: userInfoJson.preferred_username, organizationId: userInfoJson.organization_id };
             }
@@ -833,37 +829,47 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      * @private
      */
     throwUserGetException(response) {
-        var _a;
         let errorMsg = '';
-        const bodyAsString = ts_types_1.getString(response, 'body', JSON.stringify({ message: 'UNKNOWN', errorCode: 'UNKNOWN' }));
+        const bodyAsString = response.body ?? JSON.stringify({ message: 'UNKNOWN', errorCode: 'UNKNOWN' });
         try {
-            const body = kit_1.parseJson(bodyAsString);
-            if (ts_types_1.isArray(body)) {
-                errorMsg = body
-                    .map((line) => { var _a; return (_a = ts_types_1.getString(line, 'message')) !== null && _a !== void 0 ? _a : ts_types_1.getString(line, 'errorCode', 'UNKNOWN'); })
-                    .join(os.EOL);
+            const body = (0, kit_1.parseJson)(bodyAsString);
+            if ((0, ts_types_1.isArray)(body)) {
+                errorMsg = body.map((line) => line.message ?? line.errorCode ?? 'UNKNOWN').join(os.EOL);
             }
             else {
-                errorMsg = (_a = ts_types_1.getString(body, 'message')) !== null && _a !== void 0 ? _a : ts_types_1.getString(body, 'errorCode', 'UNKNOWN');
+                errorMsg = body.message ?? body.errorCode ?? 'UNKNOWN';
             }
         }
         catch (err) {
             errorMsg = `${bodyAsString}`;
         }
-        throw new sfdxError_1.SfdxError(errorMsg);
+        throw new sfError_1.SfError(errorMsg);
     }
-    // See https://nodejs.org/api/dns.html#dns_dns_lookup_hostname_options_callback
-    async lookup(host) {
-        return new Promise((resolve, reject) => {
-            dns.lookup(host, (err, address, family) => {
-                if (err) {
-                    reject(err);
-                }
-                else {
-                    resolve({ address, family });
-                }
-            });
-        });
+    /**
+     * Returns `true` if the org is a Dev Hub.
+     *
+     * Check access to the ScratchOrgInfo object to determine if the org is a dev hub.
+     */
+    async determineIfDevHub(instanceUrl, accessToken) {
+        // Make a REST call for the ScratchOrgInfo obj directly.  Normally this is done via a connection
+        // but we don't want to create circular dependencies or lots of snowflakes
+        // within this file to support it.
+        const apiVersion = 'v51.0'; // hardcoding to v51.0 just for this call is okay.
+        const instance = (0, ts_types_1.ensure)(instanceUrl);
+        const baseUrl = new sfdcUrl_1.SfdcUrl(instance);
+        const scratchOrgInfoUrl = `${baseUrl.toString()}/services/data/${apiVersion}/query?q=SELECT%20Id%20FROM%20ScratchOrgInfo%20limit%201`;
+        const headers = Object.assign({ Authorization: `Bearer ${accessToken}` }, connection_1.SFDX_HTTP_HEADERS);
+        try {
+            const res = await new transport_1.default().httpRequest({ url: scratchOrgInfoUrl, method: 'GET', headers });
+            if (res.statusCode >= 400) {
+                return false;
+            }
+            return true;
+        }
+        catch (err) {
+            /* Not a dev hub */
+            return false;
+        }
     }
 }
 exports.AuthInfo = AuthInfo;